From 20f634230d198ab8655e15cdaa5083448615f1a3 Mon Sep 17 00:00:00 2001 From: Tristan Cacqueray Date: Fri, 10 Apr 2020 00:16:50 +0000 Subject: [PATCH] Add initial withCertManager input toggle This change adds a new input toggle to enable using a cert-manager service. The operator currently only setup a selfSigned CA. Change-Id: Ifc63768a87f9508c66e4414d5286bae2969985e7 --- .zuul.yaml | 1 + CONTRIBUTE.md | 2 +- conf/CertManager.dhall | 64 ++++++++++ conf/zuul/input.dhall | 2 + conf/zuul/resources.dhall | 111 +++++++++++++++--- deploy/rbac.yaml | 12 ++ playbooks/files/cr_spec.yaml | 1 + playbooks/files/local-vars.yaml | 1 + playbooks/zuul-operator-functional/post.yaml | 2 + .../zuul-operator-functional/pre-k8s.yaml | 8 ++ playbooks/zuul-operator-functional/run.yaml | 5 + playbooks/zuul-operator-functional/test.yaml | 1 + roles/zuul/defaults/main.yaml | 1 + 13 files changed, 195 insertions(+), 16 deletions(-) create mode 100644 conf/CertManager.dhall diff --git a/.zuul.yaml b/.zuul.yaml index d349687..43e4bff 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -20,6 +20,7 @@ nodeset: ubuntu-bionic vars: namespace: 'default' + withCertManager: true - job: description: Image and buildset registry job diff --git a/CONTRIBUTE.md b/CONTRIBUTE.md index c329871..6c8629a 100644 --- a/CONTRIBUTE.md +++ b/CONTRIBUTE.md @@ -100,5 +100,5 @@ ansible-playbook -e use_local_role=true ... To wipe your namespace run this command: ```bash -kubectl delete $(for obj in statefulset deployment service secret; do kubectl get $obj -o name; done) +kubectl delete $(for obj in issuer certificate statefulset deployment service secret; do kubectl get $obj -o name; done) ``` diff --git a/conf/CertManager.dhall b/conf/CertManager.dhall new file mode 100644 index 0000000..9dfa026 --- /dev/null +++ b/conf/CertManager.dhall 
@@ -0,0 +1,64 @@ +{- A local cert manager package that extends the Kubernetes binding + +TODO: Use union combinaison once it is available, see https://github.com/dhall-lang/dhall-lang/issues/175 +TODO: Check with the dhall kubernetes community if the new type could be contributed, + though it currently only covers what is needed for zuul. +-} + +let Kubernetes = ./Kubernetes.dhall + +let IssuerSpec = + { Type = { selfSigned : Optional {}, ca : Optional { secretName : Text } } + , default = { selfSigned = None {}, ca = None { secretName : Text } } + } + +let Issuer = + { Type = + { apiVersion : Text + , kind : Text + , metadata : Kubernetes.ObjectMeta.Type + , spec : IssuerSpec.Type + } + , default = { apiVersion = "cert-manager.io/v1alpha2", kind = "Issuer" } + } + +let CertificateSpec = + { Type = + { secretName : Text + , isCA : Optional Bool + , usages : Optional (List Text) + , commonName : Optional Text + , dnsNames : Optional (List Text) + , issuerRef : { name : Text, kind : Text, group : Text } + } + , default = + { isCA = None Bool + , usages = None (List Text) + , commonName = None Text + , dnsNames = None (List Text) + } + } + +let Certificate = + { Type = + { apiVersion : Text + , kind : Text + , metadata : Kubernetes.ObjectMeta.Type + , spec : CertificateSpec.Type + } + , default = + { apiVersion = "cert-manager.io/v1alpha3", kind = "Certificate" } + } + +let Union = + < Kubernetes : Kubernetes.Resource + | Issuer : Issuer.Type + | Certificate : Certificate.Type + > + +in { IssuerSpec = IssuerSpec + , Issuer = Issuer + , CertificateSpec = CertificateSpec + , Certificate = Certificate + , Union = Union + } diff --git a/conf/zuul/input.dhall b/conf/zuul/input.dhall index cf93d59..dc1d298 100644 --- a/conf/zuul/input.dhall +++ b/conf/zuul/input.dhall 
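Review bot: The two resource types default to different API versions — `Issuer` carries `apiVersion = "cert-manager.io/v1alpha2"` while `Certificate` carries `"cert-manager.io/v1alpha3"` — and nothing in the file explains the split. Unless the mix is deliberate, pick one for both; cert-manager v0.14.0, the release pre-k8s.yaml installs, serves v1alpha3 for both kinds as far as I recall, so `, default = { apiVersion = "cert-manager.io/v1alpha3", kind = "Issuer" }` would align them. A short header comment naming which cert-manager release the schema was written against would also make future bumps safer, since the fields are hand-copied rather than generated. Minor: "combinaison" in the first TODO should read "combination".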
@@ -149,6 +149,7 @@ let Input = , externalConfig : Schemas.ExternalConfigs.Type , connections : Schemas.Connections.Type , jobVolumes : Optional (List JobVolume) + , withCertManager : Bool } , default = { database = None UserSecret @@ -162,6 +163,7 @@ let Input = , launcher = Schemas.Launcher.default , connections = Schemas.Connections.default , jobVolumes = None (List JobVolume) + , withCertManager = True } } diff --git a/conf/zuul/resources.dhall b/conf/zuul/resources.dhall index f45f6f3..0177448 100644 --- a/conf/zuul/resources.dhall +++ b/conf/zuul/resources.dhall @@ -31,6 +31,8 @@ let Prelude = ../Prelude.dhall let Kubernetes = ../Kubernetes.dhall +let CertManager = ../CertManager.dhall + let Schemas = ./input.dhall let F = ./functions.dhall @@ -177,7 +179,55 @@ in \(input : Input) } let Components = - { Backend = + { CertManager = + let issuer = + { kind = "Issuer" + , group = "cert-manager.io" + , name = "${input.name}-ca" + } + + in { Issuers = + [ CertManager.Issuer::{ + , metadata = + F.mkObjectMeta + "${input.name}-selfsigning" + ( F.mkComponentLabel + input.name + "issuer-selfsigning" + ) + , spec = CertManager.IssuerSpec::{ + , selfSigned = Some {=} + } + } + , CertManager.Issuer::{ + , metadata = + F.mkObjectMeta + "${input.name}-ca" + (F.mkComponentLabel input.name "issuer-ca") + , spec = CertManager.IssuerSpec::{ + , ca = Some { secretName = "${input.name}-ca" } + } + } + ] + , Certificates = + [ CertManager.Certificate::{ + , metadata = + F.mkObjectMeta + "${input.name}-ca" + (F.mkComponentLabel input.name "cert-ca") + , spec = CertManager.CertificateSpec::{ + , secretName = "${input.name}-ca" + , isCA = Some True + , commonName = Some "selfsigned-root-ca" + , issuerRef = + issuer // { name = "${input.name}-selfsigning" } + , usages = Some + [ "server auth", "client auth", "cert sign" ] + } + } + ] + } + , Backend = { Database = merge { None = 
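Review bot: `withCertManager = True` as the `Input` default means every existing CR that does not set the field now emits `Issuer`/`Certificate` objects, which the API server rejects on clusters where cert-manager and its CRDs are not installed; an opt-in toggle for an external dependency is safer as `withCertManager = False` until the feature is documented. The same default is repeated in `roles/zuul/defaults/main.yaml` (`withCertManager: true`), so both should move together. If `True` is intended because cert-manager is meant to become a hard requirement, a comment on the field saying so would spare the next reader the question.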
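Review bot: The root CA `Certificate` in `Components.CertManager.Certificates` is issued with `usages = Some [ "server auth", "client auth", "cert sign" ]`, which gives the CA key TLS server/client extended key usages it does not need; a CA only needs `"cert sign"` (plus typically `"digital signature"` and `"crl sign"`), and leaving the EKUs off the root is the usual shape. Unless a known consumer requires EKUs on the chain, I would change it to `, usages = Some [ "digital signature", "cert sign", "crl sign" ]`. It would also help to note in a comment that `secretName = "${input.name}-ca"` is the contract the `${input.name}-ca` Issuer's `ca.secretName` relies on, since the coupling is only visible by reading both records. The enclosing `Components` record continues past the end of this hunk.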
@@ -434,25 +484,56 @@ in \(input : Input) } component.Deployment + let {- This function transform the Kubernetes.Resources type into the new Union + that combines Kubernetes and CertManager resources + -} transformKubernetesResource = + Prelude.List.map + Kubernetes.Resource + CertManager.Union + ( \(resource : Kubernetes.Resource) + -> CertManager.Union.Kubernetes resource + ) + + let {- if cert-manager is enabled, then includes and transforms the CertManager types + into the new Union that combines Kubernetes and CertManager resources + -} all-certificates = + if input.withCertManager + + then Prelude.List.map + CertManager.Issuer.Type + CertManager.Union + CertManager.Union.Issuer + Components.CertManager.Issuers + # Prelude.List.map + CertManager.Certificate.Type + CertManager.Union + CertManager.Union.Certificate + Components.CertManager.Certificates + + else [] : List CertManager.Union + in { Components = Components , List = { apiVersion = "v1" , kind = "List" , items = - Prelude.List.map - Volume.Type - Kubernetes.Resource - mkSecret - ( zk-conf - # [ etc-zuul, etc-nodepool, etc-zuul-registry ] + all-certificates + # transformKubernetesResource + ( Prelude.List.map + Volume.Type + Kubernetes.Resource + mkSecret + ( zk-conf + # [ etc-zuul, etc-nodepool, etc-zuul-registry ] + ) + # mkUnion Components.Backend.Database + # mkUnion Components.Backend.ZooKeeper + # mkUnion Components.Zuul.Scheduler + # mkUnion Components.Zuul.Executor + # mkUnion Components.Zuul.Web + # mkUnion Components.Zuul.Merger + # mkUnion Components.Zuul.Registry + # mkUnion Components.Nodepool.Launcher ) - # mkUnion Components.Backend.Database - # mkUnion Components.Backend.ZooKeeper - # mkUnion Components.Zuul.Scheduler - # mkUnion Components.Zuul.Executor - # mkUnion Components.Zuul.Web - # mkUnion Components.Zuul.Merger - # mkUnion Components.Zuul.Registry - # mkUnion Components.Nodepool.Launcher } } diff --git a/deploy/rbac.yaml b/deploy/rbac.yaml index 979df6c..337974b 100644 
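Review bot: The name `all-certificates` is misleading because the list also carries the two `Issuer` objects, and the two `{- -}` comments have grammar slips ("This function transform", "then includes and transforms") that make them harder to read than the code. A name such as `cert-manager-resources` with a comment like `{- Issuers and Certificates to prepend to the List when cert-manager is enabled, converted to CertManager.Union -}` would say exactly what the `if input.withCertManager` branch produces. Placing these items before the transformed Kubernetes resources is fine, but it is worth a one-line comment that ordering within the `List` is not relied upon, since cert-manager reconciles the Issuer/Certificate pair asynchronously anyway.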
--- a/deploy/rbac.yaml +++ b/deploy/rbac.yaml @@ -86,6 +86,18 @@ rules: - patch - update - watch +- apiGroups: + - cert-manager.io + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch --- diff --git a/playbooks/files/cr_spec.yaml b/playbooks/files/cr_spec.yaml index 31ef297..781e26b 100644 --- a/playbooks/files/cr_spec.yaml +++ b/playbooks/files/cr_spec.yaml @@ -41,3 +41,4 @@ jobVolumes: # extra name: zuul web: {} +withCertManager: true diff --git a/playbooks/files/local-vars.yaml b/playbooks/files/local-vars.yaml index 8a5a64c..8653479 100644 --- a/playbooks/files/local-vars.yaml +++ b/playbooks/files/local-vars.yaml @@ -3,6 +3,7 @@ --- namespace: default zuul_app_path: "/home/fedora/src/opendev.org/zuul/zuul-operator/conf/zuul" +withCertManager: true zuul: projects: 'opendev.org/zuul/zuul-operator': diff --git a/playbooks/zuul-operator-functional/post.yaml b/playbooks/zuul-operator-functional/post.yaml index dcc500f..bba0562 100644 --- a/playbooks/zuul-operator-functional/post.yaml +++ b/playbooks/zuul-operator-functional/post.yaml @@ -6,6 +6,8 @@ command: "bash -c 'kubectl describe {{ item }} > ~/zuul-output/logs/describe-{{ item }}.txt'" ignore_errors: yes loop: + - issuer + - certificate - pods - deployments - statefulsets diff --git a/playbooks/zuul-operator-functional/pre-k8s.yaml b/playbooks/zuul-operator-functional/pre-k8s.yaml index facd90a..ade7324 100644 --- a/playbooks/zuul-operator-functional/pre-k8s.yaml +++ b/playbooks/zuul-operator-functional/pre-k8s.yaml @@ -20,3 +20,11 @@ until: _api_ready.rc == 0 retries: 6 delay: 10 + + - name: Setup cert-manager + command: "kubectl {{ item }}" + when: + - withCertManager + loop: + - create namespace cert-manager + - apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.14.0/cert-manager.yaml diff --git a/playbooks/zuul-operator-functional/run.yaml b/playbooks/zuul-operator-functional/run.yaml index 904bf42..fe96f51 100644 
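Review bot: The new rule grants the operator every resource in `cert-manager.io` (`resources: - '*'`) with create/delete/patch, while the change only ever creates `Issuer` and `Certificate` objects; that wildcard also covers cluster-scoped `clusterissuers` and `certificaterequests`, which the operator has no reason to touch. Narrowing it to `resources:` `  - issuers` `  - certificates` keeps the grant to what conf/CertManager.dhall actually emits. The Role/ClusterRole this rule belongs to starts outside the hunk, so I cannot tell from here whether it is namespaced.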
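Review bot: `kubectl create namespace cert-manager` in the new "Setup cert-manager" task is not idempotent — a rerun on a cluster that already has the namespace fails with AlreadyExists and aborts the play before the manifest is applied. Replacing that loop item with an apply of a namespace manifest, or adding `failed_when` that tolerates "already exists", makes the task rerunnable. The manifest is pinned to the v0.14.0 release tag but applied with `--validate=false`, which hides schema errors; if that flag is only there for older kubectl versions, a comment saying so would stop someone removing or cargo-culting it later.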
--- a/playbooks/zuul-operator-functional/run.yaml +++ b/playbooks/zuul-operator-functional/run.yaml @@ -134,6 +134,7 @@ key: kube.config registry: count: 1 + withCertManager: "{{ withCertManager }}" - name: Wait maximum 4 minutes for the scheduler deployment shell: | @@ -167,6 +168,10 @@ pause: minutes: 2 + - name: Look for the cert-manager issuer + command: kubectl get Issuers zuul-ca -o yaml + when: withCertManager + - name: Test the registry block: - name: Get registry service ip diff --git a/playbooks/zuul-operator-functional/test.yaml b/playbooks/zuul-operator-functional/test.yaml index 86b7a61..c6c84d5 100644 --- a/playbooks/zuul-operator-functional/test.yaml +++ b/playbooks/zuul-operator-functional/test.yaml @@ -98,6 +98,7 @@ hostPath: path: /run/dbus type: DirectoryOrCreate + withCertManager: "{{ withCertManager }}" - name: ensure a job is running when: skip_check is not defined diff --git a/roles/zuul/defaults/main.yaml b/roles/zuul/defaults/main.yaml index 84c5fab..71e86bc 100644 --- a/roles/zuul/defaults/main.yaml +++ b/roles/zuul/defaults/main.yaml @@ -12,3 +12,4 @@ spec_defaults: web: {} registry: {} externalConfig: {} + withCertManager: true
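Review bot: The new "Look for the cert-manager issuer" task only checks that the `zuul-ca` Issuer object exists (`kubectl get Issuers zuul-ca -o yaml`), which passes as soon as the operator posts the resource and says nothing about whether cert-manager actually issued the CA or created the `zuul-ca` secret. Waiting on the Certificate's readiness exercises the feature end to end: `command: kubectl wait --for=condition=Ready certificate/zuul-ca --timeout=120s`. The hardcoded `zuul-ca` name is tied to `name: zuul` in playbooks/files/cr_spec.yaml; a comment noting that coupling would help when the fixture name changes.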