Prefix managed resources with instance name

This change is the last in the cycle, renaming the cert-manager,
zookeeper, and PXC related resources so that they use the instance name
of the cluster being deployed, separating them from the resources of
other clusters.

Change-Id: I175dc16bb7ba1a8461b5219b82b7d517310e9f46
Michael Kelly 2022-12-15 23:19:35 -08:00
parent 2857cd387f
commit 511cfb78b7
12 changed files with 76 additions and 59 deletions


@ -1,2 +1,2 @@
- name: Look for the cert-manager issuer
command: kubectl get Issuers ca-issuer -o yaml
command: kubectl get Issuers my-ca-issuer -o yaml


@ -39,9 +39,9 @@ class CertManager:
def install(self):
utils.apply_file(self.api, 'cert-manager.yaml', _adopt=False)
def create_ca(self):
def create_ca(self, instance_name):
utils.apply_file(self.api, 'cert-authority.yaml',
namespace=self.namespace)
namespace=self.namespace, instance_name=instance_name)
def wait_for_webhook(self):
while True:
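Review bot: `create_ca` gains a required positional parameter `instance_name` (line 30) with no documentation, and the value is interpolated directly into Kubernetes object names by cert-authority.yaml, so a value that is not a valid DNS-1123 name fragment only fails at apply time. A docstring would make the contract explicit: `"""Apply the per-instance CA Issuer/Certificate; *instance_name* prefixes every object name and must be a valid DNS-1123 name fragment."""`. Since the only visible caller (zuul.py) passes it by keyword, making it keyword-only with `def create_ca(self, *, instance_name):` would also keep any stale positional caller from silently passing the wrong argument. The class body continues outside the hunk.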


@ -22,10 +22,11 @@ from . import utils
class PXC:
def __init__(self, api, namespace, logger):
def __init__(self, api, namespace, logger, name):
self.api = api
self.namespace = namespace
self.log = logger
self.name = name
def is_installed(self):
kind = objects.get_object('apiextensions.k8s.io/v1',
@ -50,7 +51,7 @@ class PXC:
kw = {'namespace': self.namespace}
kw['anti_affinity_key'] = small and 'none' or 'kubernetes.io/hostname'
kw['allow_unsafe'] = small and True or False
kw['instance_name'] = self.name
utils.apply_file(self.api, 'pxc-cluster.yaml', **kw)
def wait_for_cluster(self):
@ -58,7 +59,8 @@ class PXC:
count = 0
for obj in objects.Pod.objects(self.api).filter(
namespace=self.namespace,
selector={'app.kubernetes.io/instance': 'db-cluster',
selector={'app.kubernetes.io/instance':
f'{self.name}-db-cluster',
'app.kubernetes.io/component': 'pxc',
'app.kubernetes.io/name':
'percona-xtradb-cluster'}):
@ -74,7 +76,7 @@ class PXC:
def get_root_password(self):
obj = objects.Secret.objects(self.api).\
filter(namespace=self.namespace).\
get(name="db-cluster-secrets")
get(name=f'{self.name}-db-cluster-secrets')
pw = base64.b64decode(obj.obj['data']['root']).decode('utf8')
return pw
@ -86,20 +88,21 @@ class PXC:
utils.apply_file(self.api, 'pxc-create-db.yaml',
namespace=self.namespace,
root_password=root_pw,
zuul_password=zuul_pw)
zuul_password=zuul_pw,
instance_name=self.name)
while True:
obj = objects.Job.objects(self.api).\
filter(namespace=self.namespace).\
get(name='create-database')
get(name=f'{self.name}-create-database')
if obj.obj['status'].get('succeeded'):
break
time.sleep(2)
obj.delete(propagation_policy="Foreground")
dburi = f'mysql+pymysql://zuul:{zuul_pw}@db-cluster-haproxy/zuul'
utils.update_secret(self.api, self.namespace, 'zuul-db',
db_host = f'{self.name}-db-cluster-haproxy'
dburi = f'mysql+pymysql://zuul:{zuul_pw}@{db_host}/zuul'
utils.update_secret(self.api, self.namespace, f'{self.name}-zuul-db',
string_data={'dburi': dburi})
return dburi
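Review bot: `PXC.__init__` takes a new required `name` argument (line 42) that is undocumented, yet it is used both as a prefix for Kubernetes object names (lines 53, 71, 85) and as part of a hostname that is embedded into the database URI (lines 92–93), so it carries a stricter constraint than an arbitrary string. A one-line comment on the assignment would record that: `self.name = name  # instance prefix; becomes part of k8s object names and the haproxy hostname, so it must be a valid DNS-1123 label`. The `app.kubernetes.io/instance` selector at lines 61–62 presumably relies on the operator labelling pods with the CR name; that assumption is worth a comment too, since a mismatch makes `wait_for_cluster` spin forever. The enclosing class continues outside the hunk.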


@ -2,17 +2,17 @@
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: selfsigned-issuer
name: {{ instance_name }}-selfsigned-issuer
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: ca-cert
name: {{ instance_name }}-ca-cert
spec:
# Secret names are always required.
secretName: ca-cert
secretName: {{ instance_name }}-ca-cert
duration: 87600h # 10y
renewBefore: 360h # 15d
isCA: true
@ -26,12 +26,12 @@ spec:
- caroot
# Issuer references are always required.
issuerRef:
name: selfsigned-issuer
name: {{ instance_name }}-selfsigned-issuer
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: ca-issuer
name: {{ instance_name }}-ca-issuer
spec:
ca:
secretName: ca-cert
secretName: {{ instance_name }}-ca-cert


@ -50,7 +50,7 @@ spec:
secretName: {{ nodepool_config_secret_name }}
- name: zookeeper-client-tls
secret:
secretName: zookeeper-client-tls
secretName: {{ instance_name }}-zookeeper-client-tls
{%- for name, c in external_config.items() %}
- name: {{ name }}
secret:


@ -2,7 +2,7 @@
apiVersion: pxc.percona.com/v1-11-0
kind: PerconaXtraDBCluster
metadata:
name: db-cluster
name: {{ instance_name }}-db-cluster
finalizers:
- delete-pxc-pods-in-order
# - delete-proxysql-pvc
@ -11,11 +11,11 @@ metadata:
# percona.com/issue-vault-token: "true"
spec:
crVersion: 1.11.0
secretsName: db-cluster-secrets
vaultSecretName: keyring-secret-vault
sslSecretName: db-cluster-ssl
sslInternalSecretName: db-cluster-ssl-internal
logCollectorSecretName: db-log-collector-secrets
secretsName: {{ instance_name }}-db-cluster-secrets
vaultSecretName: {{ instance_name }}-keyring-secret-vault
sslSecretName: {{ instance_name }}-db-cluster-ssl
sslInternalSecretName: {{ instance_name }}-db-cluster-ssl-internal
logCollectorSecretName: {{ instance_name }}-db-log-collector-secrets
# initImage: percona/percona-xtradb-cluster-operator:1.11.0
# enableCRValidationWebhook: true
# tls:
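Review bot: Renaming the PerconaXtraDBCluster from `db-cluster` to `{{ instance_name }}-db-cluster` (line 157) does not rename the existing cluster on an already-deployed instance; the operator will presumably provision a new cluster with fresh PVCs and an empty database, while the old `db-cluster` objects and their volumes stay behind. The secrets renamed at lines 170–174 have the same effect, since `{{ instance_name }}-db-cluster-secrets` will be newly generated rather than carrying the current root password, and the zookeeper StatefulSet rename in zookeeper.yaml likewise leaves the old ensemble and its data volumes orphaned. Nothing in the commit description describes an upgrade path; a documented one-off migration (backup and restore, or removal of the legacy resources once the new ones are verified) should accompany or precede this change.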


@ -1,7 +1,7 @@
apiVersion: batch/v1
kind: Job
metadata:
name: create-database
name: {{ instance_name }}-create-database
spec:
template:
spec:
@ -11,7 +11,7 @@ spec:
command:
- "mysql"
- "-h"
- "db-cluster-haproxy"
- "{{ instance_name }}-db-cluster-haproxy"
- "-uroot"
- "-p{{ root_password }}"
- "mysql"


@ -2,11 +2,11 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: zookeeper-server
name: {{ spec.instance_name }}-zookeeper-server
spec:
privateKey:
encoding: PKCS8
secretName: zookeeper-server-tls
secretName: {{ spec.instance_name }}-zookeeper-server-tls
commonName: server
usages:
- digital signature
@ -14,42 +14,45 @@ spec:
- server auth
- client auth
dnsNames:
- zookeeper-0.zookeeper-headless.{{ namespace }}.svc.cluster.local
- zookeeper-0
- zookeeper-1.zookeeper-headless.{{ namespace }}.svc.cluster.local
- zookeeper-1
- zookeeper-2.zookeeper-headless.{{ namespace }}.svc.cluster.local
- zookeeper-2
- {{ spec.instance_name }}-zookeeper-0.{{ spec.instance_name }}-zookeeper-headless.{{ namespace }}.svc.cluster.local
- {{ spec.instance_name }}-zookeeper-0
- {{ spec.instance_name }}-zookeeper-1.{{ spec.instance_name }}-zookeeper-headless.{{ namespace }}.svc.cluster.local
- {{ spec.instance_name }}-zookeeper-1
- {{ spec.instance_name }}-zookeeper-2.{{ spec.instance_name }}-zookeeper-headless.{{ namespace }}.svc.cluster.local
- {{ spec.instance_name }}-zookeeper-2
issuerRef:
name: ca-issuer
name: {{ spec.instance_name }}-ca-issuer
kind: Issuer
---
# Source: zookeeper/templates/poddisruptionbudget.yaml
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: zookeeper
name: {{ spec.instance_name }}-zookeeper
labels:
app: zookeeper
release: zookeeper
component: server
instance: {{ spec.instance_name }}
spec:
selector:
matchLabels:
app: zookeeper
release: zookeeper
component: server
instance: {{ spec.instance_name }}
maxUnavailable: 1
---
# Source: zookeeper/templates/config-script.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: zookeeper
name: {{ spec.instance_name }}-zookeeper
labels:
app: zookeeper
release: zookeeper
component: server
instance: {{ spec.instance_name }}
data:
ok: |
#!/bin/sh
@ -188,10 +191,11 @@ data:
apiVersion: v1
kind: Service
metadata:
name: zookeeper-headless
name: {{ spec.instance_name }}-zookeeper-headless
labels:
app: zookeeper
release: zookeeper
instance: {{ spec.instance_name }}
spec:
clusterIP: None
publishNotReadyAddresses: true
@ -211,15 +215,17 @@ spec:
selector:
app: zookeeper
release: zookeeper
instance: {{ spec.instance_name }}
---
# Source: zookeeper/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
name: zookeeper
name: {{ spec.instance_name }}-zookeeper
labels:
app: zookeeper
release: zookeeper
instance: {{ spec.instance_name }}
spec:
type: ClusterIP
ports:
@ -230,24 +236,27 @@ spec:
selector:
app: zookeeper
release: zookeeper
instance: {{ spec.instance_name }}
---
# Source: zookeeper/templates/statefulset.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: zookeeper
name: {{ spec.instance_name }}-zookeeper
labels:
app: zookeeper
release: zookeeper
component: server
instance: {{ spec.instance_name }}
spec:
serviceName: zookeeper-headless
serviceName: {{ spec.instance_name }}-zookeeper-headless
replicas: 3
selector:
matchLabels:
app: zookeeper
release: zookeeper
component: server
instance: {{ spec.instance_name }}
podManagementPolicy: Parallel
updateStrategy:
type: RollingUpdate
@ -257,6 +266,7 @@ spec:
app: zookeeper
release: zookeeper
component: server
instance: {{ spec.instance_name }}
spec:
terminationGracePeriodSeconds: 1800
securityContext:
@ -346,14 +356,14 @@ spec:
volumes:
- name: config
configMap:
name: zookeeper
name: {{ spec.instance_name }}-zookeeper
defaultMode: 0555
- name: zookeeper-server-tls
secret:
secretName: zookeeper-server-tls
secretName: {{ spec.instance_name }}-zookeeper-server-tls
- name: zookeeper-client-tls
secret:
secretName: zookeeper-server-tls
secretName: {{ spec.instance_name }}-zookeeper-server-tls
volumeClaimTemplates:
- metadata:
name: data
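Review bot: The volume named `zookeeper-client-tls` (lines 352–355) still mounts the server secret, now `{{ spec.instance_name }}-zookeeper-server-tls`, so the commit carries forward a volume whose name and contents disagree. If this is intentional (the ensemble members use the server certificate for their quorum connections and no separate client certificate is issued for them), a comment above the volume such as `# quorum peers authenticate with the server certificate; no separate client cert is issued for the ensemble` would stop the next reader from "fixing" it. If it is not intentional, the secret should be `{{ spec.instance_name }}-zookeeper-client-tls`, which is the name the zuul and nodepool templates reference. The StatefulSet definition continues outside the hunk.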


@ -19,7 +19,7 @@ spec:
- server auth
- client auth
issuerRef:
name: ca-issuer
name: {{ instance_name }}-ca-issuer
kind: Issuer
{%- endif %}
---


@ -11,7 +11,7 @@ metadata:
app.kubernetes.io/component: zookeeper-client-certificate
spec:
keyEncoding: pkcs8
secretName: zookeeper-client-tls
secretName: {{ instance_name }}-zookeeper-client-tls
commonName: client
usages:
- digital signature
@ -19,7 +19,7 @@ spec:
- server auth
- client auth
issuerRef:
name: ca-issuer
name: {{ instance_name }}-ca-issuer
kind: Issuer
{%- endif %}
---
@ -152,7 +152,7 @@ spec:
secretName: {{ zuul_tenant_secret }}
- name: zookeeper-client-tls
secret:
secretName: zookeeper-client-tls
secretName: {{ instance_name }}-zookeeper-client-tls
{%- for connection_name, connection in connections.items() %}
{%- if 'secretName' in connection %}
- name: connection-{{ connection_name }}
@ -220,7 +220,7 @@ spec:
secretName: {{ instance_name }}-zuul-config
- name: zookeeper-client-tls
secret:
secretName: zookeeper-client-tls
secretName: {{ instance_name }}-zookeeper-client-tls
---
apiVersion: apps/v1
kind: Deployment
@ -268,7 +268,7 @@ spec:
secretName: {{ instance_name }}-zuul-config
- name: zookeeper-client-tls
secret:
secretName: zookeeper-client-tls
secretName: {{ instance_name }}-zookeeper-client-tls
---
apiVersion: apps/v1
kind: StatefulSet


@ -35,7 +35,8 @@ class ZooKeeper:
for obj in objects.Pod.objects(self.api).filter(
namespace=self.namespace,
selector={'app': 'zookeeper',
'component': 'server'}):
'component': 'server',
'instance': self.spec['instance_name']}):
if obj.obj['status']['phase'] == 'Running':
count += 1
if count == 3:


@ -42,7 +42,7 @@ class Zuul:
self.db_secret = db_secret
self.manage_db = False
else:
self.db_secret = 'zuul-db'
self.db_secret = f'{self.name}-zuul-db'
self.manage_db = True
self.nodepool_secret = spec.get('launcher', {}).get('config', {}).\
@ -54,9 +54,9 @@ class Zuul:
if zk_str:
self.manage_zk = False
else:
zk_str = f'zookeeper.{self.namespace}:2281'
zk_str = f'{self.name}-zookeeper.{self.namespace}:2281'
zk_spec['hosts'] = zk_str
zk_spec['secretName'] = 'zookeeper-client-tls'
zk_spec['secretName'] = f'{self.name}-zookeeper-client-tls'
self.manage_zk = True
zk_spec['tls_ca'] = '/tls/client/ca.crt'
@ -124,14 +124,17 @@ class Zuul:
self.cert_manager.wait_for_webhook()
def create_cert_manager_ca(self):
self.cert_manager.create_ca()
self.cert_manager.create_ca(instance_name=self.name)
def install_zk(self):
if not self.manage_zk:
self.log.info("ZK is externally managed")
return
zk_spec = copy.deepcopy(self.spec['zookeeper'])
zk_spec['instance_name'] = self.name
self.zk = zookeeper.ZooKeeper(self.api, self.namespace, self.log,
self.spec['zookeeper'])
zk_spec)
self.zk.create()
def wait_for_zk(self):
@ -150,7 +153,7 @@ class Zuul:
small = self.spec.get('database', {}).get('allowUnsafeConfig', False)
self.log.info("DB is internally managed")
self.pxc = pxc.PXC(self.api, self.namespace, self.log)
self.pxc = pxc.PXC(self.api, self.namespace, self.log, self.name)
if not self.pxc.is_installed():
self.log.info("Installing PXC operator")
self.pxc.create_operator()
@ -180,7 +183,7 @@ class Zuul:
return None
def get_keystore_password(self):
secret_name = 'zuul-keystore'
secret_name = f'{self.name}-zuul-keystore'
secret_key = 'password'
try:
obj = objects.Secret.objects(self.api).\
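Review bot: `get_keystore_password` now looks up `{self.name}-zuul-keystore` (line 482) and the old `zuul-keystore` name is no longer consulted, yet on an already-running deployment the password exists only under the old name. If the `except` path that follows (outside the hunk) generates a fresh password, Zuul would start with a keystore password that cannot decrypt its existing project keys, so either a one-time migration of that secret or a fallback read of the legacy name before generating is needed. The same applies to `self.db_secret` (line 440): an operator-provisioned `zuul-db` secret stops being found. `copy.deepcopy` at line 463 also needs `copy` imported at module level, which is not visible in this hunk.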