Add initial withCertManager input toggle

This change adds a new input toggle to enable using a cert-manager service.
The operator currently only setup a selfSigned CA.

Change-Id: Ifc63768a87f9508c66e4414d5286bae2969985e7
changes/40/718840/10
Tristan Cacqueray 3 years ago
parent f75f52fa8d
commit 20f634230d

@ -20,6 +20,7 @@
nodeset: ubuntu-bionic
vars:
namespace: 'default'
withCertManager: true
- job:
description: Image and buildset registry job

@ -100,5 +100,5 @@ ansible-playbook -e use_local_role=true ...
To wipe your namespace run this command:
```bash
kubectl delete $(for obj in statefulset deployment service secret; do kubectl get $obj -o name; done)
kubectl delete $(for obj in issuer certificate statefulset deployment service secret; do kubectl get $obj -o name; done)
```

@ -0,0 +1,64 @@
{- A local cert manager package that extends the Kubernetes binding
TODO: Use union combinaison once it is available, see https://github.com/dhall-lang/dhall-lang/issues/175
TODO: Check with the dhall kubernetes community if the new type could be contributed,
though it currently only covers what is needed for zuul.
-}
let Kubernetes = ./Kubernetes.dhall
let IssuerSpec =
{ Type = { selfSigned : Optional {}, ca : Optional { secretName : Text } }
, default = { selfSigned = None {}, ca = None { secretName : Text } }
}
let Issuer =
{ Type =
{ apiVersion : Text
, kind : Text
, metadata : Kubernetes.ObjectMeta.Type
, spec : IssuerSpec.Type
}
, default = { apiVersion = "cert-manager.io/v1alpha2", kind = "Issuer" }
}
let CertificateSpec =
{ Type =
{ secretName : Text
, isCA : Optional Bool
, usages : Optional (List Text)
, commonName : Optional Text
, dnsNames : Optional (List Text)
, issuerRef : { name : Text, kind : Text, group : Text }
}
, default =
{ isCA = None Bool
, usages = None (List Text)
, commonName = None Text
, dnsNames = None (List Text)
}
}
let Certificate =
{ Type =
{ apiVersion : Text
, kind : Text
, metadata : Kubernetes.ObjectMeta.Type
, spec : CertificateSpec.Type
}
, default =
{ apiVersion = "cert-manager.io/v1alpha3", kind = "Certificate" }
}
let Union =
< Kubernetes : Kubernetes.Resource
| Issuer : Issuer.Type
| Certificate : Certificate.Type
>
in { IssuerSpec = IssuerSpec
, Issuer = Issuer
, CertificateSpec = CertificateSpec
, Certificate = Certificate
, Union = Union
}

@ -149,6 +149,7 @@ let Input =
, externalConfig : Schemas.ExternalConfigs.Type
, connections : Schemas.Connections.Type
, jobVolumes : Optional (List JobVolume)
, withCertManager : Bool
}
, default =
{ database = None UserSecret
@ -162,6 +163,7 @@ let Input =
, launcher = Schemas.Launcher.default
, connections = Schemas.Connections.default
, jobVolumes = None (List JobVolume)
, withCertManager = True
}
}

@ -31,6 +31,8 @@ let Prelude = ../Prelude.dhall
let Kubernetes = ../Kubernetes.dhall
let CertManager = ../CertManager.dhall
let Schemas = ./input.dhall
let F = ./functions.dhall
@ -177,7 +179,55 @@ in \(input : Input)
}
let Components =
{ Backend =
{ CertManager =
let issuer =
{ kind = "Issuer"
, group = "cert-manager.io"
, name = "${input.name}-ca"
}
in { Issuers =
[ CertManager.Issuer::{
, metadata =
F.mkObjectMeta
"${input.name}-selfsigning"
( F.mkComponentLabel
input.name
"issuer-selfsigning"
)
, spec = CertManager.IssuerSpec::{
, selfSigned = Some {=}
}
}
, CertManager.Issuer::{
, metadata =
F.mkObjectMeta
"${input.name}-ca"
(F.mkComponentLabel input.name "issuer-ca")
, spec = CertManager.IssuerSpec::{
, ca = Some { secretName = "${input.name}-ca" }
}
}
]
, Certificates =
[ CertManager.Certificate::{
, metadata =
F.mkObjectMeta
"${input.name}-ca"
(F.mkComponentLabel input.name "cert-ca")
, spec = CertManager.CertificateSpec::{
, secretName = "${input.name}-ca"
, isCA = Some True
, commonName = Some "selfsigned-root-ca"
, issuerRef =
issuer // { name = "${input.name}-selfsigning" }
, usages = Some
[ "server auth", "client auth", "cert sign" ]
}
}
]
}
, Backend =
{ Database =
merge
{ None =
@ -434,25 +484,56 @@ in \(input : Input)
}
component.Deployment
let {- This function transform the Kubernetes.Resources type into the new Union
that combines Kubernetes and CertManager resources
-} transformKubernetesResource =
Prelude.List.map
Kubernetes.Resource
CertManager.Union
( \(resource : Kubernetes.Resource)
-> CertManager.Union.Kubernetes resource
)
let {- if cert-manager is enabled, then includes and transforms the CertManager types
into the new Union that combines Kubernetes and CertManager resources
-} all-certificates =
if input.withCertManager
then Prelude.List.map
CertManager.Issuer.Type
CertManager.Union
CertManager.Union.Issuer
Components.CertManager.Issuers
# Prelude.List.map
CertManager.Certificate.Type
CertManager.Union
CertManager.Union.Certificate
Components.CertManager.Certificates
else [] : List CertManager.Union
in { Components = Components
, List =
{ apiVersion = "v1"
, kind = "List"
, items =
Prelude.List.map
Volume.Type
Kubernetes.Resource
mkSecret
( zk-conf
# [ etc-zuul, etc-nodepool, etc-zuul-registry ]
all-certificates
# transformKubernetesResource
( Prelude.List.map
Volume.Type
Kubernetes.Resource
mkSecret
( zk-conf
# [ etc-zuul, etc-nodepool, etc-zuul-registry ]
)
# mkUnion Components.Backend.Database
# mkUnion Components.Backend.ZooKeeper
# mkUnion Components.Zuul.Scheduler
# mkUnion Components.Zuul.Executor
# mkUnion Components.Zuul.Web
# mkUnion Components.Zuul.Merger
# mkUnion Components.Zuul.Registry
# mkUnion Components.Nodepool.Launcher
)
# mkUnion Components.Backend.Database
# mkUnion Components.Backend.ZooKeeper
# mkUnion Components.Zuul.Scheduler
# mkUnion Components.Zuul.Executor
# mkUnion Components.Zuul.Web
# mkUnion Components.Zuul.Merger
# mkUnion Components.Zuul.Registry
# mkUnion Components.Nodepool.Launcher
}
}

@ -86,6 +86,18 @@ rules:
- patch
- update
- watch
- apiGroups:
- cert-manager.io
resources:
- '*'
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
---

@ -41,3 +41,4 @@ jobVolumes:
# extra
name: zuul
web: {}
withCertManager: true

@ -3,6 +3,7 @@
---
namespace: default
zuul_app_path: "/home/fedora/src/opendev.org/zuul/zuul-operator/conf/zuul"
withCertManager: true
zuul:
projects:
'opendev.org/zuul/zuul-operator':

@ -6,6 +6,8 @@
command: "bash -c 'kubectl describe {{ item }} > ~/zuul-output/logs/describe-{{ item }}.txt'"
ignore_errors: yes
loop:
- issuer
- certificate
- pods
- deployments
- statefulsets

@ -20,3 +20,11 @@
until: _api_ready.rc == 0
retries: 6
delay: 10
- name: Setup cert-manager
command: "kubectl {{ item }}"
when:
- withCertManager
loop:
- create namespace cert-manager
- apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.14.0/cert-manager.yaml

@ -134,6 +134,7 @@
key: kube.config
registry:
count: 1
withCertManager: "{{ withCertManager }}"
- name: Wait maximum 4 minutes for the scheduler deployment
shell: |
@ -167,6 +168,10 @@
pause:
minutes: 2
- name: Look for the cert-manager issuer
command: kubectl get Issuers zuul-ca -o yaml
when: withCertManager
- name: Test the registry
block:
- name: Get registry service ip

@ -98,6 +98,7 @@
hostPath:
path: /run/dbus
type: DirectoryOrCreate
withCertManager: "{{ withCertManager }}"
- name: ensure a job is running
when: skip_check is not defined

@ -12,3 +12,4 @@ spec_defaults:
web: {}
registry: {}
externalConfig: {}
withCertManager: true

Loading…
Cancel
Save