Prefix managed resources with instance name
This change is the last in the cycle, renaming the cert-manager, zookeeper, and PXC related resources so that they use the instance name of the cluster being deployed, to separate them from the resources of other clusters. Change-Id: I175dc16bb7ba1a8461b5219b82b7d517310e9f46
parent
02ca9bd546
commit
ae83e678b2
|
@ -1,2 +1,2 @@
|
|||
- name: Look for the cert-manager issuer
|
||||
command: kubectl get Issuers ca-issuer -o yaml
|
||||
command: kubectl get Issuers my-ca-issuer -o yaml
|
||||
|
|
|
@ -39,9 +39,9 @@ class CertManager:
|
|||
def install(self):
|
||||
utils.apply_file(self.api, 'cert-manager.yaml', _adopt=False)
|
||||
|
||||
def create_ca(self):
|
||||
def create_ca(self, instance_name):
|
||||
utils.apply_file(self.api, 'cert-authority.yaml',
|
||||
namespace=self.namespace)
|
||||
namespace=self.namespace, instance_name=instance_name)
|
||||
|
||||
def wait_for_webhook(self):
|
||||
while True:
|
||||
|
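Review bot: `create_ca(self, instance_name)` gains a parameter that ends up as the `metadata.name` and `secretName` of every object in cert-authority.yaml, but neither the method nor the parameter is documented. I would add `"""Create the per-instance self-signed CA; instance_name prefixes every cert-manager resource name."""` so callers know the value is rendered verbatim into Kubernetes object names. Since the template does not quote or validate it, a value that is not a valid DNS-1123 name will only fail at apply time; if this is not already enforced upstream, a check at this boundary would give a clearer error. The body of `create_ca` is fully visible in the hunk, the class is not.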
|
|
@ -22,10 +22,11 @@ from . import utils
|
|||
|
||||
|
||||
class PXC:
|
||||
def __init__(self, api, namespace, logger):
|
||||
def __init__(self, api, namespace, logger, name):
|
||||
self.api = api
|
||||
self.namespace = namespace
|
||||
self.log = logger
|
||||
self.name = name
|
||||
|
||||
def is_installed(self):
|
||||
kind = objects.get_object('apiextensions.k8s.io/v1',
|
||||
|
@ -50,7 +51,7 @@ class PXC:
|
|||
kw = {'namespace': self.namespace}
|
||||
kw['anti_affinity_key'] = small and 'none' or 'kubernetes.io/hostname'
|
||||
kw['allow_unsafe'] = small and True or False
|
||||
|
||||
kw['instance_name'] = self.name
|
||||
utils.apply_file(self.api, 'pxc-cluster.yaml', **kw)
|
||||
|
||||
def wait_for_cluster(self):
|
||||
|
@ -58,7 +59,8 @@ class PXC:
|
|||
count = 0
|
||||
for obj in objects.Pod.objects(self.api).filter(
|
||||
namespace=self.namespace,
|
||||
selector={'app.kubernetes.io/instance': 'db-cluster',
|
||||
selector={'app.kubernetes.io/instance':
|
||||
f'{self.name}-db-cluster',
|
||||
'app.kubernetes.io/component': 'pxc',
|
||||
'app.kubernetes.io/name':
|
||||
'percona-xtradb-cluster'}):
|
||||
|
@ -74,7 +76,7 @@ class PXC:
|
|||
def get_root_password(self):
|
||||
obj = objects.Secret.objects(self.api).\
|
||||
filter(namespace=self.namespace).\
|
||||
get(name="db-cluster-secrets")
|
||||
get(name=f'{self.name}-db-cluster-secrets')
|
||||
|
||||
pw = base64.b64decode(obj.obj['data']['root']).decode('utf8')
|
||||
return pw
|
||||
|
@ -86,20 +88,21 @@ class PXC:
|
|||
utils.apply_file(self.api, 'pxc-create-db.yaml',
|
||||
namespace=self.namespace,
|
||||
root_password=root_pw,
|
||||
zuul_password=zuul_pw)
|
||||
zuul_password=zuul_pw,
|
||||
instance_name=self.name)
|
||||
|
||||
while True:
|
||||
obj = objects.Job.objects(self.api).\
|
||||
filter(namespace=self.namespace).\
|
||||
get(name='create-database')
|
||||
get(name=f'{self.name}-create-database')
|
||||
if obj.obj['status'].get('succeeded'):
|
||||
break
|
||||
time.sleep(2)
|
||||
|
||||
obj.delete(propagation_policy="Foreground")
|
||||
|
||||
dburi = f'mysql+pymysql://zuul:{zuul_pw}@db-cluster-haproxy/zuul'
|
||||
utils.update_secret(self.api, self.namespace, 'zuul-db',
|
||||
db_host = f'{self.name}-db-cluster-haproxy'
|
||||
dburi = f'mysql+pymysql://zuul:{zuul_pw}@{db_host}/zuul'
|
||||
utils.update_secret(self.api, self.namespace, f'{self.name}-zuul-db',
|
||||
string_data={'dburi': dburi})
|
||||
|
||||
return dburi
|
||||
|
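Review bot: The rewritten `dburi = f'mysql+pymysql://zuul:{zuul_pw}@{db_host}/zuul'` embeds the password without URL-encoding, so a `zuul_pw` containing `@`, `/`, `:` or `#` yields a URI that parses as a different host or path; the value is then persisted in the `{self.name}-zuul-db` secret. Since the line is being rewritten anyway, `from urllib.parse import quote` and `dburi = f'mysql+pymysql://zuul:{quote(zuul_pw, safe="")}@{db_host}/zuul'` would make it robust. The new `name` argument on `PXC.__init__` (earlier hunk in this file) would also benefit from a one-line comment stating that it prefixes the cluster, secret and job names. `create_database` starts outside this hunk.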
|
|
@ -2,17 +2,17 @@
|
|||
apiVersion: cert-manager.io/v1
|
||||
kind: Issuer
|
||||
metadata:
|
||||
name: selfsigned-issuer
|
||||
name: {{ instance_name }}-selfsigned-issuer
|
||||
spec:
|
||||
selfSigned: {}
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: ca-cert
|
||||
name: {{ instance_name }}-ca-cert
|
||||
spec:
|
||||
# Secret names are always required.
|
||||
secretName: ca-cert
|
||||
secretName: {{ instance_name }}-ca-cert
|
||||
duration: 87600h # 10y
|
||||
renewBefore: 360h # 15d
|
||||
isCA: true
|
||||
|
@ -26,12 +26,12 @@ spec:
|
|||
- caroot
|
||||
# Issuer references are always required.
|
||||
issuerRef:
|
||||
name: selfsigned-issuer
|
||||
name: {{ instance_name }}-selfsigned-issuer
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Issuer
|
||||
metadata:
|
||||
name: ca-issuer
|
||||
name: {{ instance_name }}-ca-issuer
|
||||
spec:
|
||||
ca:
|
||||
secretName: ca-cert
|
||||
secretName: {{ instance_name }}-ca-cert
|
||||
|
|
|
@ -50,7 +50,7 @@ spec:
|
|||
secretName: {{ nodepool_config_secret_name }}
|
||||
- name: zookeeper-client-tls
|
||||
secret:
|
||||
secretName: zookeeper-client-tls
|
||||
secretName: {{ instance_name }}-zookeeper-client-tls
|
||||
{%- for name, c in external_config.items() %}
|
||||
- name: {{ name }}
|
||||
secret:
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
apiVersion: pxc.percona.com/v1-11-0
|
||||
kind: PerconaXtraDBCluster
|
||||
metadata:
|
||||
name: db-cluster
|
||||
name: {{ instance_name }}-db-cluster
|
||||
finalizers:
|
||||
- delete-pxc-pods-in-order
|
||||
# - delete-proxysql-pvc
|
||||
|
@ -11,11 +11,11 @@ metadata:
|
|||
# percona.com/issue-vault-token: "true"
|
||||
spec:
|
||||
crVersion: 1.11.0
|
||||
secretsName: db-cluster-secrets
|
||||
vaultSecretName: keyring-secret-vault
|
||||
sslSecretName: db-cluster-ssl
|
||||
sslInternalSecretName: db-cluster-ssl-internal
|
||||
logCollectorSecretName: db-log-collector-secrets
|
||||
secretsName: {{ instance_name }}-db-cluster-secrets
|
||||
vaultSecretName: {{ instance_name }}-keyring-secret-vault
|
||||
sslSecretName: {{ instance_name }}-db-cluster-ssl
|
||||
sslInternalSecretName: {{ instance_name }}-db-cluster-ssl-internal
|
||||
logCollectorSecretName: {{ instance_name }}-db-log-collector-secrets
|
||||
# initImage: percona/percona-xtradb-cluster-operator:1.11.0
|
||||
# enableCRValidationWebhook: true
|
||||
# tls:
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: create-database
|
||||
name: {{ instance_name }}-create-database
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
|
@ -11,7 +11,7 @@ spec:
|
|||
command:
|
||||
- "mysql"
|
||||
- "-h"
|
||||
- "db-cluster-haproxy"
|
||||
- "{{ instance_name }}-db-cluster-haproxy"
|
||||
- "-uroot"
|
||||
- "-p{{ root_password }}"
|
||||
- "mysql"
|
||||
|
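Review bot: The new `-h` argument sits in a `command` list that still passes `-p{{ root_password }}`, so the decoded PXC root password (see `get_root_password` in pxc.py, which reads the `root` key of the cluster secret) becomes part of the Job's pod spec, readable by anyone who can get Jobs or Pods in the namespace and visible in process listings inside the container. Consider supplying it through `env` with `valueFrom.secretKeyRef` pointing at `{{ instance_name }}-db-cluster-secrets` and letting the `mysql` client read `MYSQL_PWD`, rather than as a command-line argument. The template continues outside the hunk.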
|
|
@ -2,11 +2,11 @@
|
|||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: zookeeper-server
|
||||
name: {{ spec.instance_name }}-zookeeper-server
|
||||
spec:
|
||||
privateKey:
|
||||
encoding: PKCS8
|
||||
secretName: zookeeper-server-tls
|
||||
secretName: {{ spec.instance_name }}-zookeeper-server-tls
|
||||
commonName: server
|
||||
usages:
|
||||
- digital signature
|
||||
|
@ -14,42 +14,45 @@ spec:
|
|||
- server auth
|
||||
- client auth
|
||||
dnsNames:
|
||||
- zookeeper-0.zookeeper-headless.{{ namespace }}.svc.cluster.local
|
||||
- zookeeper-0
|
||||
- zookeeper-1.zookeeper-headless.{{ namespace }}.svc.cluster.local
|
||||
- zookeeper-1
|
||||
- zookeeper-2.zookeeper-headless.{{ namespace }}.svc.cluster.local
|
||||
- zookeeper-2
|
||||
- {{ spec.instance_name }}-zookeeper-0.{{ spec.instance_name }}-zookeeper-headless.{{ namespace }}.svc.cluster.local
|
||||
- {{ spec.instance_name }}-zookeeper-0
|
||||
- {{ spec.instance_name }}-zookeeper-1.{{ spec.instance_name }}-zookeeper-headless.{{ namespace }}.svc.cluster.local
|
||||
- {{ spec.instance_name }}-zookeeper-1
|
||||
- {{ spec.instance_name }}-zookeeper-2.{{ spec.instance_name }}-zookeeper-headless.{{ namespace }}.svc.cluster.local
|
||||
- {{ spec.instance_name }}-zookeeper-2
|
||||
issuerRef:
|
||||
name: ca-issuer
|
||||
name: {{ spec.instance_name }}-ca-issuer
|
||||
kind: Issuer
|
||||
---
|
||||
# Source: zookeeper/templates/poddisruptionbudget.yaml
|
||||
apiVersion: policy/v1
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: zookeeper
|
||||
name: {{ spec.instance_name }}-zookeeper
|
||||
labels:
|
||||
app: zookeeper
|
||||
release: zookeeper
|
||||
component: server
|
||||
instance: {{ spec.instance_name }}
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app: zookeeper
|
||||
release: zookeeper
|
||||
component: server
|
||||
instance: {{ spec.instance_name }}
|
||||
maxUnavailable: 1
|
||||
---
|
||||
# Source: zookeeper/templates/config-script.yaml
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: zookeeper
|
||||
name: {{ spec.instance_name }}-zookeeper
|
||||
labels:
|
||||
app: zookeeper
|
||||
release: zookeeper
|
||||
component: server
|
||||
instance: {{ spec.instance_name }}
|
||||
data:
|
||||
ok: |
|
||||
#!/bin/sh
|
||||
|
@ -188,10 +191,11 @@ data:
|
|||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: zookeeper-headless
|
||||
name: {{ spec.instance_name }}-zookeeper-headless
|
||||
labels:
|
||||
app: zookeeper
|
||||
release: zookeeper
|
||||
instance: {{ spec.instance_name }}
|
||||
spec:
|
||||
clusterIP: None
|
||||
publishNotReadyAddresses: true
|
||||
|
@ -211,15 +215,17 @@ spec:
|
|||
selector:
|
||||
app: zookeeper
|
||||
release: zookeeper
|
||||
instance: {{ spec.instance_name }}
|
||||
---
|
||||
# Source: zookeeper/templates/service.yaml
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: zookeeper
|
||||
name: {{ spec.instance_name }}-zookeeper
|
||||
labels:
|
||||
app: zookeeper
|
||||
release: zookeeper
|
||||
instance: {{ spec.instance_name }}
|
||||
spec:
|
||||
type: ClusterIP
|
||||
ports:
|
||||
|
@ -230,24 +236,27 @@ spec:
|
|||
selector:
|
||||
app: zookeeper
|
||||
release: zookeeper
|
||||
instance: {{ spec.instance_name }}
|
||||
---
|
||||
# Source: zookeeper/templates/statefulset.yaml
|
||||
apiVersion: apps/v1
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
name: zookeeper
|
||||
name: {{ spec.instance_name }}-zookeeper
|
||||
labels:
|
||||
app: zookeeper
|
||||
release: zookeeper
|
||||
component: server
|
||||
instance: {{ spec.instance_name }}
|
||||
spec:
|
||||
serviceName: zookeeper-headless
|
||||
serviceName: {{ spec.instance_name }}-zookeeper-headless
|
||||
replicas: 3
|
||||
selector:
|
||||
matchLabels:
|
||||
app: zookeeper
|
||||
release: zookeeper
|
||||
component: server
|
||||
instance: {{ spec.instance_name }}
|
||||
podManagementPolicy: Parallel
|
||||
updateStrategy:
|
||||
type: RollingUpdate
|
||||
|
@ -257,6 +266,7 @@ spec:
|
|||
app: zookeeper
|
||||
release: zookeeper
|
||||
component: server
|
||||
instance: {{ spec.instance_name }}
|
||||
spec:
|
||||
terminationGracePeriodSeconds: 1800
|
||||
securityContext:
|
||||
|
@ -346,14 +356,14 @@ spec:
|
|||
volumes:
|
||||
- name: config
|
||||
configMap:
|
||||
name: zookeeper
|
||||
name: {{ spec.instance_name }}-zookeeper
|
||||
defaultMode: 0555
|
||||
- name: zookeeper-server-tls
|
||||
secret:
|
||||
secretName: zookeeper-server-tls
|
||||
secretName: {{ spec.instance_name }}-zookeeper-server-tls
|
||||
- name: zookeeper-client-tls
|
||||
secret:
|
||||
secretName: zookeeper-server-tls
|
||||
secretName: {{ spec.instance_name }}-zookeeper-server-tls
|
||||
volumeClaimTemplates:
|
||||
- metadata:
|
||||
name: data
|
||||
|
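Review bot: In the StatefulSet's `volumes`, the volume named `zookeeper-client-tls` is rewritten to `secretName: {{ spec.instance_name }}-zookeeper-server-tls`, the same secret as the `zookeeper-server-tls` volume just above it, while the Zuul and nodepool templates mount a distinct `{{ instance_name }}-zookeeper-client-tls` secret for their client volume. This may be intentional if the server certificate is also used for quorum client authentication, but the rename carried the asymmetry forward without saying so. Either change it to `secretName: {{ spec.instance_name }}-zookeeper-client-tls` or add a comment such as `# servers present their own cert as client cert for quorum traffic` above the volume. The StatefulSet definition starts outside the hunk.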
|
|
@ -19,7 +19,7 @@ spec:
|
|||
- server auth
|
||||
- client auth
|
||||
issuerRef:
|
||||
name: ca-issuer
|
||||
name: {{ instance_name }}-ca-issuer
|
||||
kind: Issuer
|
||||
{%- endif %}
|
||||
---
|
||||
|
|
|
@ -11,7 +11,7 @@ metadata:
|
|||
app.kubernetes.io/component: zookeeper-client-certificate
|
||||
spec:
|
||||
keyEncoding: pkcs8
|
||||
secretName: zookeeper-client-tls
|
||||
secretName: {{ instance_name }}-zookeeper-client-tls
|
||||
commonName: client
|
||||
usages:
|
||||
- digital signature
|
||||
|
@ -19,7 +19,7 @@ spec:
|
|||
- server auth
|
||||
- client auth
|
||||
issuerRef:
|
||||
name: ca-issuer
|
||||
name: {{ instance_name }}-ca-issuer
|
||||
kind: Issuer
|
||||
{%- endif %}
|
||||
---
|
||||
|
@ -152,7 +152,7 @@ spec:
|
|||
secretName: {{ zuul_tenant_secret }}
|
||||
- name: zookeeper-client-tls
|
||||
secret:
|
||||
secretName: zookeeper-client-tls
|
||||
secretName: {{ instance_name }}-zookeeper-client-tls
|
||||
{%- for connection_name, connection in connections.items() %}
|
||||
{%- if 'secretName' in connection %}
|
||||
- name: connection-{{ connection_name }}
|
||||
|
@ -220,7 +220,7 @@ spec:
|
|||
secretName: {{ instance_name }}-zuul-config
|
||||
- name: zookeeper-client-tls
|
||||
secret:
|
||||
secretName: zookeeper-client-tls
|
||||
secretName: {{ instance_name }}-zookeeper-client-tls
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
|
@ -268,7 +268,7 @@ spec:
|
|||
secretName: {{ instance_name }}-zuul-config
|
||||
- name: zookeeper-client-tls
|
||||
secret:
|
||||
secretName: zookeeper-client-tls
|
||||
secretName: {{ instance_name }}-zookeeper-client-tls
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: StatefulSet
|
||||
|
|
|
@ -35,7 +35,8 @@ class ZooKeeper:
|
|||
for obj in objects.Pod.objects(self.api).filter(
|
||||
namespace=self.namespace,
|
||||
selector={'app': 'zookeeper',
|
||||
'component': 'server'}):
|
||||
'component': 'server',
|
||||
'instance': self.spec['instance_name']}):
|
||||
if obj.obj['status']['phase'] == 'Running':
|
||||
count += 1
|
||||
if count == 3:
|
||||
|
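Review bot: The added selector entry `'instance': self.spec['instance_name']` raises a bare `KeyError` if a `ZooKeeper` is built from a spec that was not enriched by `Zuul.install_zk`, which is now the only place that sets the key. Reading the value once in `__init__` (outside this hunk) as `self.instance_name = spec['instance_name']` with a clearer error, and documenting that `spec` must carry `instance_name`, would make the contract explicit. The enclosing method starts and ends outside the hunk.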
|
|
@ -42,7 +42,7 @@ class Zuul:
|
|||
self.db_secret = db_secret
|
||||
self.manage_db = False
|
||||
else:
|
||||
self.db_secret = 'zuul-db'
|
||||
self.db_secret = f'{self.name}-zuul-db'
|
||||
self.manage_db = True
|
||||
|
||||
self.nodepool_secret = spec.get('launcher', {}).get('config', {}).\
|
||||
|
@ -54,9 +54,9 @@ class Zuul:
|
|||
if zk_str:
|
||||
self.manage_zk = False
|
||||
else:
|
||||
zk_str = f'zookeeper.{self.namespace}:2281'
|
||||
zk_str = f'{self.name}-zookeeper.{self.namespace}:2281'
|
||||
zk_spec['hosts'] = zk_str
|
||||
zk_spec['secretName'] = 'zookeeper-client-tls'
|
||||
zk_spec['secretName'] = f'{self.name}-zookeeper-client-tls'
|
||||
self.manage_zk = True
|
||||
|
||||
zk_spec['tls_ca'] = '/tls/client/ca.crt'
|
||||
|
@ -124,14 +124,17 @@ class Zuul:
|
|||
self.cert_manager.wait_for_webhook()
|
||||
|
||||
def create_cert_manager_ca(self):
|
||||
self.cert_manager.create_ca()
|
||||
self.cert_manager.create_ca(instance_name=self.name)
|
||||
|
||||
def install_zk(self):
|
||||
if not self.manage_zk:
|
||||
self.log.info("ZK is externally managed")
|
||||
return
|
||||
|
||||
zk_spec = copy.deepcopy(self.spec['zookeeper'])
|
||||
zk_spec['instance_name'] = self.name
|
||||
self.zk = zookeeper.ZooKeeper(self.api, self.namespace, self.log,
|
||||
self.spec['zookeeper'])
|
||||
zk_spec)
|
||||
self.zk.create()
|
||||
|
||||
def wait_for_zk(self):
|
||||
|
@ -150,7 +153,7 @@ class Zuul:
|
|||
small = self.spec.get('database', {}).get('allowUnsafeConfig', False)
|
||||
|
||||
self.log.info("DB is internally managed")
|
||||
self.pxc = pxc.PXC(self.api, self.namespace, self.log)
|
||||
self.pxc = pxc.PXC(self.api, self.namespace, self.log, self.name)
|
||||
if not self.pxc.is_installed():
|
||||
self.log.info("Installing PXC operator")
|
||||
self.pxc.create_operator()
|
||||
|
@ -180,7 +183,7 @@ class Zuul:
|
|||
return None
|
||||
|
||||
def get_keystore_password(self):
|
||||
secret_name = 'zuul-keystore'
|
||||
secret_name = f'{self.name}-zuul-keystore'
|
||||
secret_key = 'password'
|
||||
try:
|
||||
obj = objects.Secret.objects(self.api).\
|
||||
|
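Review bot: `get_keystore_password` now looks up `f'{self.name}-zuul-keystore'` inside a `try:` whose handler is outside the hunk; if that handler creates a fresh secret when the lookup fails, an existing deployment whose password lives under the old unprefixed `zuul-keystore` name will silently get a new keystore password after upgrading, and whatever was protected with the old one becomes unreadable. The same migration concern applies to `self.db_secret = f'{self.name}-zuul-db'` and to the renamed PXC secrets. Either fall back to the legacy name when the prefixed secret is absent, or document the required manual migration in the commit message and operator docs.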
|