Prefix managed resources with instance name

This change is the last in the cycle, renaming the cert-manager,
zookeeper, and PXC related resources s.t. they use the instance name
of the cluster being deployed to separate them from different
clusters.

Change-Id: I175dc16bb7ba1a8461b5219b82b7d517310e9f46
This commit is contained in:
Michael Kelly 2022-12-15 23:19:35 -08:00
parent 110f8be95a
commit 7913d251df
GPG Key ID: 77F7FE93040ECF3E
12 changed files with 76 additions and 59 deletions


@ -1,2 +1,2 @@
- name: Look for the cert-manager issuer - name: Look for the cert-manager issuer
command: kubectl get Issuers ca-issuer -o yaml command: kubectl get Issuers my-ca-issuer -o yaml


@ -39,9 +39,9 @@ class CertManager:
def install(self): def install(self):
utils.apply_file(self.api, 'cert-manager.yaml', _adopt=False) utils.apply_file(self.api, 'cert-manager.yaml', _adopt=False)
def create_ca(self): def create_ca(self, instance_name):
utils.apply_file(self.api, 'cert-authority.yaml', utils.apply_file(self.api, 'cert-authority.yaml',
namespace=self.namespace) namespace=self.namespace, instance_name=instance_name)
def wait_for_webhook(self): def wait_for_webhook(self):
while True: while True:


@ -22,10 +22,11 @@ from . import utils
class PXC: class PXC:
def __init__(self, api, namespace, logger): def __init__(self, api, namespace, logger, name):
self.api = api self.api = api
self.namespace = namespace self.namespace = namespace
self.log = logger self.log = logger
self.name = name
def is_installed(self): def is_installed(self):
kind = objects.get_object('apiextensions.k8s.io/v1', kind = objects.get_object('apiextensions.k8s.io/v1',
@ -50,7 +51,7 @@ class PXC:
kw = {'namespace': self.namespace} kw = {'namespace': self.namespace}
kw['anti_affinity_key'] = small and 'none' or 'kubernetes.io/hostname' kw['anti_affinity_key'] = small and 'none' or 'kubernetes.io/hostname'
kw['allow_unsafe'] = small and True or False kw['allow_unsafe'] = small and True or False
kw['instance_name'] = self.name
utils.apply_file(self.api, 'pxc-cluster.yaml', **kw) utils.apply_file(self.api, 'pxc-cluster.yaml', **kw)
def wait_for_cluster(self): def wait_for_cluster(self):
@ -58,7 +59,8 @@ class PXC:
count = 0 count = 0
for obj in objects.Pod.objects(self.api).filter( for obj in objects.Pod.objects(self.api).filter(
namespace=self.namespace, namespace=self.namespace,
selector={'app.kubernetes.io/instance': 'db-cluster', selector={'app.kubernetes.io/instance':
f'{self.name}-db-cluster',
'app.kubernetes.io/component': 'pxc', 'app.kubernetes.io/component': 'pxc',
'app.kubernetes.io/name': 'app.kubernetes.io/name':
'percona-xtradb-cluster'}): 'percona-xtradb-cluster'}):
@ -74,7 +76,7 @@ class PXC:
def get_root_password(self): def get_root_password(self):
obj = objects.Secret.objects(self.api).\ obj = objects.Secret.objects(self.api).\
filter(namespace=self.namespace).\ filter(namespace=self.namespace).\
get(name="db-cluster-secrets") get(name=f'{self.name}-db-cluster-secrets')
pw = base64.b64decode(obj.obj['data']['root']).decode('utf8') pw = base64.b64decode(obj.obj['data']['root']).decode('utf8')
return pw return pw
@ -86,20 +88,21 @@ class PXC:
utils.apply_file(self.api, 'pxc-create-db.yaml', utils.apply_file(self.api, 'pxc-create-db.yaml',
namespace=self.namespace, namespace=self.namespace,
root_password=root_pw, root_password=root_pw,
zuul_password=zuul_pw) zuul_password=zuul_pw,
instance_name=self.name)
while True: while True:
obj = objects.Job.objects(self.api).\ obj = objects.Job.objects(self.api).\
filter(namespace=self.namespace).\ filter(namespace=self.namespace).\
get(name='create-database') get(name=f'{self.name}-create-database')
if obj.obj['status'].get('succeeded'): if obj.obj['status'].get('succeeded'):
break break
time.sleep(2) time.sleep(2)
obj.delete(propagation_policy="Foreground") obj.delete(propagation_policy="Foreground")
db_host = f'{self.name}-db-cluster-haproxy'
dburi = f'mysql+pymysql://zuul:{zuul_pw}@db-cluster-haproxy/zuul' dburi = f'mysql+pymysql://zuul:{zuul_pw}@{db_host}/zuul'
utils.update_secret(self.api, self.namespace, 'zuul-db', utils.update_secret(self.api, self.namespace, f'{self.name}-zuul-db',
string_data={'dburi': dburi}) string_data={'dburi': dburi})
return dburi return dburi
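Review bot: `self.name` is stored in `__init__` without any validation, yet from here on it is spliced into Kubernetes object names, a label-selector value (`f'{self.name}-db-cluster'`) and a hostname (`f'{self.name}-db-cluster-haproxy'`). Label values and Service/StatefulSet names are limited to 63 characters of DNS-label charset, so an instance name that is long or contains characters such as `_` or `.` will make every derived name invalid at apply time rather than failing up front; a check in `__init__` along the lines of `if not re.fullmatch(r'[a-z0-9]([-a-z0-9]*[a-z0-9])?', name): raise ValueError(f'invalid instance name: {name!r}')` (with a length bound that leaves room for the longest suffix) would fail fast with a clear message. The same unvalidated `self.name` is used in zuul.py (`db_secret`, `zk_str`, `secretName`, `get_keystore_password`) and in the zookeeper.yaml `dnsNames`, so the check belongs wherever `name` first enters. Note also that `get_root_password` and the job poll now read `{name}-db-cluster-secrets` / `{name}-create-database`, so a deployment created before this change will not be found under the new names — presumably intended as a fresh deploy, worth stating in the commit message.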


@ -2,17 +2,17 @@
apiVersion: cert-manager.io/v1 apiVersion: cert-manager.io/v1
kind: Issuer kind: Issuer
metadata: metadata:
name: selfsigned-issuer name: {{ instance_name }}-selfsigned-issuer
spec: spec:
selfSigned: {} selfSigned: {}
--- ---
apiVersion: cert-manager.io/v1 apiVersion: cert-manager.io/v1
kind: Certificate kind: Certificate
metadata: metadata:
name: ca-cert name: {{ instance_name }}-ca-cert
spec: spec:
# Secret names are always required. # Secret names are always required.
secretName: ca-cert secretName: {{ instance_name }}-ca-cert
duration: 87600h # 10y duration: 87600h # 10y
renewBefore: 360h # 15d renewBefore: 360h # 15d
isCA: true isCA: true
@ -26,12 +26,12 @@ spec:
- caroot - caroot
# Issuer references are always required. # Issuer references are always required.
issuerRef: issuerRef:
name: selfsigned-issuer name: {{ instance_name }}-selfsigned-issuer
--- ---
apiVersion: cert-manager.io/v1 apiVersion: cert-manager.io/v1
kind: Issuer kind: Issuer
metadata: metadata:
name: ca-issuer name: {{ instance_name }}-ca-issuer
spec: spec:
ca: ca:
secretName: ca-cert secretName: {{ instance_name }}-ca-cert


@ -50,7 +50,7 @@ spec:
secretName: {{ nodepool_config_secret_name }} secretName: {{ nodepool_config_secret_name }}
- name: zookeeper-client-tls - name: zookeeper-client-tls
secret: secret:
secretName: zookeeper-client-tls secretName: {{ instance_name }}-zookeeper-client-tls
{%- for name, c in external_config.items() %} {%- for name, c in external_config.items() %}
- name: {{ name }} - name: {{ name }}
secret: secret:


@ -2,7 +2,7 @@
apiVersion: pxc.percona.com/v1-11-0 apiVersion: pxc.percona.com/v1-11-0
kind: PerconaXtraDBCluster kind: PerconaXtraDBCluster
metadata: metadata:
name: db-cluster name: {{ instance_name }}-db-cluster
finalizers: finalizers:
- delete-pxc-pods-in-order - delete-pxc-pods-in-order
# - delete-proxysql-pvc # - delete-proxysql-pvc
@ -11,11 +11,11 @@ metadata:
# percona.com/issue-vault-token: "true" # percona.com/issue-vault-token: "true"
spec: spec:
crVersion: 1.11.0 crVersion: 1.11.0
secretsName: db-cluster-secrets secretsName: {{ instance_name }}-db-cluster-secrets
vaultSecretName: keyring-secret-vault vaultSecretName: {{ instance_name }}-keyring-secret-vault
sslSecretName: db-cluster-ssl sslSecretName: {{ instance_name }}-db-cluster-ssl
sslInternalSecretName: db-cluster-ssl-internal sslInternalSecretName: {{ instance_name }}-db-cluster-ssl-internal
logCollectorSecretName: db-log-collector-secrets logCollectorSecretName: {{ instance_name }}-db-log-collector-secrets
# initImage: percona/percona-xtradb-cluster-operator:1.11.0 # initImage: percona/percona-xtradb-cluster-operator:1.11.0
# enableCRValidationWebhook: true # enableCRValidationWebhook: true
# tls: # tls:
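Review bot: Renaming `metadata.name` together with `secretsName`, `sslSecretName`, `sslInternalSecretName` and `vaultSecretName` means an existing `db-cluster` PerconaXtraDBCluster is not updated in place — the operator will see a brand-new CR and, as far as the template shows, generate fresh credentials and TLS material under the new secret names while the old cluster and its PVCs stay behind. If that is the intended migration path it would help to document it in the template header, e.g. `# All names are prefixed with instance_name; existing un-prefixed clusters are not adopted.`; if not, the upgrade path for deployments created with the old names still needs handling. This is inferred from the rename alone; the operator's behaviour on a name change is not visible here.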


@ -1,7 +1,7 @@
apiVersion: batch/v1 apiVersion: batch/v1
kind: Job kind: Job
metadata: metadata:
name: create-database name: {{ instance_name }}-create-database
spec: spec:
template: template:
spec: spec:
@ -11,7 +11,7 @@ spec:
command: command:
- "mysql" - "mysql"
- "-h" - "-h"
- "db-cluster-haproxy" - "{{ instance_name }}-db-cluster-haproxy"
- "-uroot" - "-uroot"
- "-p{{ root_password }}" - "-p{{ root_password }}"
- "mysql" - "mysql"


@ -2,11 +2,11 @@
apiVersion: cert-manager.io/v1 apiVersion: cert-manager.io/v1
kind: Certificate kind: Certificate
metadata: metadata:
name: zookeeper-server name: {{ spec.instance_name }}-zookeeper-server
spec: spec:
privateKey: privateKey:
encoding: PKCS8 encoding: PKCS8
secretName: zookeeper-server-tls secretName: {{ spec.instance_name }}-zookeeper-server-tls
commonName: server commonName: server
usages: usages:
- digital signature - digital signature
@ -14,42 +14,45 @@ spec:
- server auth - server auth
- client auth - client auth
dnsNames: dnsNames:
- zookeeper-0.zookeeper-headless.{{ namespace }}.svc.cluster.local - {{ spec.instance_name }}-zookeeper-0.{{ spec.instance_name }}-zookeeper-headless.{{ namespace }}.svc.cluster.local
- zookeeper-0 - {{ spec.instance_name }}-zookeeper-0
- zookeeper-1.zookeeper-headless.{{ namespace }}.svc.cluster.local - {{ spec.instance_name }}-zookeeper-1.{{ spec.instance_name }}-zookeeper-headless.{{ namespace }}.svc.cluster.local
- zookeeper-1 - {{ spec.instance_name }}-zookeeper-1
- zookeeper-2.zookeeper-headless.{{ namespace }}.svc.cluster.local - {{ spec.instance_name }}-zookeeper-2.{{ spec.instance_name }}-zookeeper-headless.{{ namespace }}.svc.cluster.local
- zookeeper-2 - {{ spec.instance_name }}-zookeeper-2
issuerRef: issuerRef:
name: ca-issuer name: {{ spec.instance_name }}-ca-issuer
kind: Issuer kind: Issuer
--- ---
# Source: zookeeper/templates/poddisruptionbudget.yaml # Source: zookeeper/templates/poddisruptionbudget.yaml
apiVersion: policy/v1 apiVersion: policy/v1
kind: PodDisruptionBudget kind: PodDisruptionBudget
metadata: metadata:
name: zookeeper name: {{ spec.instance_name }}-zookeeper
labels: labels:
app: zookeeper app: zookeeper
release: zookeeper release: zookeeper
component: server component: server
instance: {{ spec.instance_name }}
spec: spec:
selector: selector:
matchLabels: matchLabels:
app: zookeeper app: zookeeper
release: zookeeper release: zookeeper
component: server component: server
instance: {{ spec.instance_name }}
maxUnavailable: 1 maxUnavailable: 1
--- ---
# Source: zookeeper/templates/config-script.yaml # Source: zookeeper/templates/config-script.yaml
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata: metadata:
name: zookeeper name: {{ spec.instance_name }}-zookeeper
labels: labels:
app: zookeeper app: zookeeper
release: zookeeper release: zookeeper
component: server component: server
instance: {{ spec.instance_name }}
data: data:
ok: | ok: |
#!/bin/sh #!/bin/sh
@ -188,10 +191,11 @@ data:
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: zookeeper-headless name: {{ spec.instance_name }}-zookeeper-headless
labels: labels:
app: zookeeper app: zookeeper
release: zookeeper release: zookeeper
instance: {{ spec.instance_name }}
spec: spec:
clusterIP: None clusterIP: None
publishNotReadyAddresses: true publishNotReadyAddresses: true
@ -211,15 +215,17 @@ spec:
selector: selector:
app: zookeeper app: zookeeper
release: zookeeper release: zookeeper
instance: {{ spec.instance_name }}
--- ---
# Source: zookeeper/templates/service.yaml # Source: zookeeper/templates/service.yaml
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: zookeeper name: {{ spec.instance_name }}-zookeeper
labels: labels:
app: zookeeper app: zookeeper
release: zookeeper release: zookeeper
instance: {{ spec.instance_name }}
spec: spec:
type: ClusterIP type: ClusterIP
ports: ports:
@ -230,24 +236,27 @@ spec:
selector: selector:
app: zookeeper app: zookeeper
release: zookeeper release: zookeeper
instance: {{ spec.instance_name }}
--- ---
# Source: zookeeper/templates/statefulset.yaml # Source: zookeeper/templates/statefulset.yaml
apiVersion: apps/v1 apiVersion: apps/v1
kind: StatefulSet kind: StatefulSet
metadata: metadata:
name: zookeeper name: {{ spec.instance_name }}-zookeeper
labels: labels:
app: zookeeper app: zookeeper
release: zookeeper release: zookeeper
component: server component: server
instance: {{ spec.instance_name }}
spec: spec:
serviceName: zookeeper-headless serviceName: {{ spec.instance_name }}-zookeeper-headless
replicas: 3 replicas: 3
selector: selector:
matchLabels: matchLabels:
app: zookeeper app: zookeeper
release: zookeeper release: zookeeper
component: server component: server
instance: {{ spec.instance_name }}
podManagementPolicy: Parallel podManagementPolicy: Parallel
updateStrategy: updateStrategy:
type: RollingUpdate type: RollingUpdate
@ -257,6 +266,7 @@ spec:
app: zookeeper app: zookeeper
release: zookeeper release: zookeeper
component: server component: server
instance: {{ spec.instance_name }}
spec: spec:
terminationGracePeriodSeconds: 1800 terminationGracePeriodSeconds: 1800
securityContext: securityContext:
@ -346,14 +356,14 @@ spec:
volumes: volumes:
- name: config - name: config
configMap: configMap:
name: zookeeper name: {{ spec.instance_name }}-zookeeper
defaultMode: 0555 defaultMode: 0555
- name: zookeeper-server-tls - name: zookeeper-server-tls
secret: secret:
secretName: zookeeper-server-tls secretName: {{ spec.instance_name }}-zookeeper-server-tls
- name: zookeeper-client-tls - name: zookeeper-client-tls
secret: secret:
secretName: zookeeper-server-tls secretName: {{ spec.instance_name }}-zookeeper-server-tls
volumeClaimTemplates: volumeClaimTemplates:
- metadata: - metadata:
name: data name: data
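Review bot: The rewritten `dnsNames` list covers the per-pod headless names `{{ spec.instance_name }}-zookeeper-N` and their FQDNs, but not the client-facing Service `{{ spec.instance_name }}-zookeeper` that zuul.py now dials as `{self.name}-zookeeper.{namespace}:2281`. That gap predates this change (the old list had no `zookeeper` entry either), but since the commit rewrites every SAN it is the natural point to add `- {{ spec.instance_name }}-zookeeper` and `- {{ spec.instance_name }}-zookeeper.{{ namespace }}.svc.cluster.local`; whether it matters depends on whether the client verifies the server hostname, which is not visible here. Separately, the long SAN lines exceed any reasonable width and would read better as one YAML list item per line with the FQDN built from a short Jinja variable.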


@ -19,7 +19,7 @@ spec:
- server auth - server auth
- client auth - client auth
issuerRef: issuerRef:
name: ca-issuer name: {{ instance_name }}-ca-issuer
kind: Issuer kind: Issuer
{%- endif %} {%- endif %}
--- ---


@ -11,7 +11,7 @@ metadata:
app.kubernetes.io/component: zookeeper-client-certificate app.kubernetes.io/component: zookeeper-client-certificate
spec: spec:
keyEncoding: pkcs8 keyEncoding: pkcs8
secretName: zookeeper-client-tls secretName: {{ instance_name }}-zookeeper-client-tls
commonName: client commonName: client
usages: usages:
- digital signature - digital signature
@ -19,7 +19,7 @@ spec:
- server auth - server auth
- client auth - client auth
issuerRef: issuerRef:
name: ca-issuer name: {{ instance_name }}-ca-issuer
kind: Issuer kind: Issuer
{%- endif %} {%- endif %}
--- ---
@ -152,7 +152,7 @@ spec:
secretName: {{ zuul_tenant_secret }} secretName: {{ zuul_tenant_secret }}
- name: zookeeper-client-tls - name: zookeeper-client-tls
secret: secret:
secretName: zookeeper-client-tls secretName: {{ instance_name }}-zookeeper-client-tls
{%- for connection_name, connection in connections.items() %} {%- for connection_name, connection in connections.items() %}
{%- if 'secretName' in connection %} {%- if 'secretName' in connection %}
- name: connection-{{ connection_name }} - name: connection-{{ connection_name }}
@ -220,7 +220,7 @@ spec:
secretName: {{ instance_name }}-zuul-config secretName: {{ instance_name }}-zuul-config
- name: zookeeper-client-tls - name: zookeeper-client-tls
secret: secret:
secretName: zookeeper-client-tls secretName: {{ instance_name }}-zookeeper-client-tls
--- ---
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
@ -268,7 +268,7 @@ spec:
secretName: {{ instance_name }}-zuul-config secretName: {{ instance_name }}-zuul-config
- name: zookeeper-client-tls - name: zookeeper-client-tls
secret: secret:
secretName: zookeeper-client-tls secretName: {{ instance_name }}-zookeeper-client-tls
--- ---
apiVersion: apps/v1 apiVersion: apps/v1
kind: StatefulSet kind: StatefulSet


@ -35,7 +35,8 @@ class ZooKeeper:
for obj in objects.Pod.objects(self.api).filter( for obj in objects.Pod.objects(self.api).filter(
namespace=self.namespace, namespace=self.namespace,
selector={'app': 'zookeeper', selector={'app': 'zookeeper',
'component': 'server'}): 'component': 'server',
'instance': self.spec['instance_name']}):
if obj.obj['status']['phase'] == 'Running': if obj.obj['status']['phase'] == 'Running':
count += 1 count += 1
if count == 3: if count == 3:
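Review bot: The new selector key reads `self.spec['instance_name']`, which is not part of the user-supplied zookeeper spec but is injected by `Zuul.install_zk` into a deep copy before constructing `ZooKeeper`; a reader of this class has no way to know that and a missing key raises `KeyError` from inside the wait loop. A short comment at the selector, such as `# 'instance_name' is injected into the spec by the caller (Zuul.install_zk), not set by the user`, would make the contract explicit, and a guard or assertion on the key in `__init__` would fail earlier with a clearer message. The enclosing method starts before the hunk, so the `count` initialisation and the `3` replica constant are not visible here.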


@ -42,7 +42,7 @@ class Zuul:
self.db_secret = db_secret self.db_secret = db_secret
self.manage_db = False self.manage_db = False
else: else:
self.db_secret = 'zuul-db' self.db_secret = f'{self.name}-zuul-db'
self.manage_db = True self.manage_db = True
self.nodepool_secret = spec.get('launcher', {}).get('config', {}).\ self.nodepool_secret = spec.get('launcher', {}).get('config', {}).\
@ -54,9 +54,9 @@ class Zuul:
if zk_str: if zk_str:
self.manage_zk = False self.manage_zk = False
else: else:
zk_str = f'zookeeper.{self.namespace}:2281' zk_str = f'{self.name}-zookeeper.{self.namespace}:2281'
zk_spec['hosts'] = zk_str zk_spec['hosts'] = zk_str
zk_spec['secretName'] = 'zookeeper-client-tls' zk_spec['secretName'] = f'{self.name}-zookeeper-client-tls'
self.manage_zk = True self.manage_zk = True
zk_spec['tls_ca'] = '/tls/client/ca.crt' zk_spec['tls_ca'] = '/tls/client/ca.crt'
@ -126,14 +126,17 @@ class Zuul:
self.cert_manager.wait_for_webhook() self.cert_manager.wait_for_webhook()
def create_cert_manager_ca(self): def create_cert_manager_ca(self):
self.cert_manager.create_ca() self.cert_manager.create_ca(instance_name=self.name)
def install_zk(self): def install_zk(self):
if not self.manage_zk: if not self.manage_zk:
self.log.info("ZK is externally managed") self.log.info("ZK is externally managed")
return return
zk_spec = copy.deepcopy(self.spec['zookeeper'])
zk_spec['instance_name'] = self.name
self.zk = zookeeper.ZooKeeper(self.api, self.namespace, self.log, self.zk = zookeeper.ZooKeeper(self.api, self.namespace, self.log,
self.spec['zookeeper']) zk_spec)
self.zk.create() self.zk.create()
def wait_for_zk(self): def wait_for_zk(self):
@ -152,7 +155,7 @@ class Zuul:
small = self.spec.get('database', {}).get('allowUnsafeConfig', False) small = self.spec.get('database', {}).get('allowUnsafeConfig', False)
self.log.info("DB is internally managed") self.log.info("DB is internally managed")
self.pxc = pxc.PXC(self.api, self.namespace, self.log) self.pxc = pxc.PXC(self.api, self.namespace, self.log, self.name)
if not self.pxc.is_installed(): if not self.pxc.is_installed():
self.log.info("Installing PXC operator") self.log.info("Installing PXC operator")
self.pxc.create_operator() self.pxc.create_operator()
@ -182,7 +185,7 @@ class Zuul:
return None return None
def get_keystore_password(self): def get_keystore_password(self):
secret_name = 'zuul-keystore' secret_name = f'{self.name}-zuul-keystore'
secret_key = 'password' secret_key = 'password'
try: try:
obj = objects.Secret.objects(self.api).\ obj = objects.Secret.objects(self.api).\