Add gearman tls secret provided by cert-manager

This change adds a Certificate resource to manage the gearman tls secret with the cert-manager service. To keep things simple, this change also merges the client and server certificates into one secret. Change-Id: I26e1075ccc5d9ff18bd5d2c68ffdf97244f3f87c
2020-04-10 21:28:47 +00:00 · 2020-04-10 21:28:47 +00:00 · 5196ced54b
commit 5196ced54b
parent 20f634230d
6 changed files with 44 additions and 26 deletions
--- a/conf/zuul/files/zuul.conf.dhall
+++ b/conf/zuul/files/zuul.conf.dhall
@ -151,15 +151,15 @@ TODO: replace input schemas by the required attributes.
    in      ''
            [gearman]
            server=scheduler
-            ssl_ca=/etc/zuul-gearman/ca.pem
-            ssl_cert=/etc/zuul-gearman/client.pem
-            ssl_key=/etc/zuul-gearman/client.key
+            ssl_ca=/etc/zuul-gearman/ca.crt
+            ssl_cert=/etc/zuul-gearman/tls.crt
+            ssl_key=/etc/zuul-gearman/tls.key

            [gearman_server]
            start=true
-            ssl_ca=/etc/zuul-gearman/ca.pem
-            ssl_cert=/etc/zuul-gearman/server.pem
-            ssl_key=/etc/zuul-gearman/server.key
+            ssl_ca=/etc/zuul-gearman/ca.crt
+            ssl_cert=/etc/zuul-gearman/tls.crt
+            ssl_key=/etc/zuul-gearman/tls.key

            [zookeeper]
            ${zk-hosts}
--- a/conf/zuul/resources.dhall
+++ b/conf/zuul/resources.dhall
@ -3,14 +3,14 @@
 The evaluation of that file is a function that takes the cr inputs as an argument,
 and returns the list of kubernetes of objects.

-The resources expect secrets to be created by the zuul ansible role:
+Unless cert-manager usage is enabled, the resources expect those secrets to be available:

 * `${name}-gearman-tls` with:
-  * `ca.pem`
-  * `server.pem`
-  * `server.key`
-  * `client.pem`
-  * `client.key`
+  * `ca.crt`
+  * `tls.crt`
+  * `tls.key`
+
+The resources expect those secrets to be available:

 * `${name}-zookeeper-tls` with:
  * `ca.crt`
@ -25,7 +25,9 @@ The resources expect secrets to be created by the zuul ansible role:
  * `username` the user name with write access
  * `password` the user password

-* `${name}-database-password` with a `password` key, (unless an input.database db uri is provided).
+Unless the input.database db uri is provided, the resources expect this secret to be available:
+
+* `${name}-database-password` the internal database password.
 -}
 let Prelude = ../Prelude.dhall

@ -225,6 +227,18 @@ in      \(input : Input)
                              [ "server auth", "client auth", "cert sign" ]
                            }
                          }
+                        , CertManager.Certificate::{
+                          , metadata =
+                              F.mkObjectMeta
+                                "${input.name}-gearman-tls"
+                                (F.mkComponentLabel input.name "cert-gearman")
+                          , spec = CertManager.CertificateSpec::{
+                            , secretName = "${input.name}-gearman-tls"
+                            , issuerRef = issuer
+                            , dnsNames = Some [ "gearman" ]
+                            , usages = Some [ "server auth", "client auth" ]
+                            }
+                          }
                        ]
                      }
              , Backend =
--- a/roles/zuul-ensure-gearman-tls/tasks/main.yaml
+++ b/roles/zuul-ensure-gearman-tls/tasks/main.yaml
@ -3,16 +3,15 @@
    gearman_certs: "{{ lookup('k8s', api_version='v1', kind='Secret', namespace=namespace, resource_name=zuul_name + '-gearman-tls') }}"

 - name: Generate and store certs
-  when: gearman_certs.data is not defined
+  when:
+    - not cert_manager
+    - gearman_certs.data is not defined
  block:
    - name: Generate certs
      command: "{{ item }}"
      loop:
        # CA
        - "openssl req -new -newkey rsa:2048 -nodes -keyout ca-{{ zuul_name }}.key -x509 -days 3650 -out ca-{{ zuul_name }}.pem -subj '/C=US/ST=Texas/L=Austin/O=Zuul/CN=gearman-ca'"
-        # Server
-        - "openssl req -new -newkey rsa:2048 -nodes -keyout server-{{ zuul_name }}.key -out server-{{ zuul_name }}.csr -subj '/C=US/ST=Texas/L=Austin/O=Zuul/CN=server-{{ zuul_name }}'"
-        - "openssl x509 -req -days 3650 -in server-{{ zuul_name }}.csr -out server-{{ zuul_name }}.pem -CA ca-{{ zuul_name }}.pem -CAkey ca-{{ zuul_name }}.key -CAcreateserial"
        # Client
        - "openssl req -new -newkey rsa:2048 -nodes -keyout client-{{ zuul_name }}.key -out client-{{ zuul_name }}.csr -subj '/C=US/ST=Texas/L=Austin/O=Zuul/CN=client-{{ zuul_name }}'"
        - "openssl x509 -req -days 3650 -in client-{{ zuul_name }}.csr -out client-{{ zuul_name }}.pem -CA ca-{{ zuul_name }}.pem -CAkey ca-{{ zuul_name }}.key -CAcreateserial"
@ -27,11 +26,9 @@
          metadata:
            name: "{{ zuul_name }}-gearman-tls"
          stringData:
-            ca.pem: "{{ lookup('file', 'ca-' + zuul_name + '.pem') }}"
-            server.key: "{{ lookup('file', 'server-' + zuul_name + '.key') }}"
-            server.pem: "{{ lookup('file', 'server-' + zuul_name + '.pem') }}"
-            client.key: "{{ lookup('file', 'client-' + zuul_name + '.key') }}"
-            client.pem: "{{ lookup('file', 'client-' + zuul_name + '.pem') }}"
+            ca.crt: "{{ lookup('file', 'ca-' + zuul_name + '.pem') }}"
+            tls.key: "{{ lookup('file', 'client-' + zuul_name + '.key') }}"
+            tls.crt: "{{ lookup('file', 'client-' + zuul_name + '.pem') }}"

 - name: Write client certs locally
  when: gearman_certs.data is defined
@ -39,6 +36,6 @@
    content: "{{ gearman_certs.data[item] | b64decode }}"
    dest: "{{ item }}"
  loop:
-    - ca.pem
-    - client.key
-    - client.pem
+    - ca.crt
+    - tls.key
+    - tls.crt
--- a/roles/zuul-ensure-registry-tls/tasks/main.yaml
+++ b/roles/zuul-ensure-registry-tls/tasks/main.yaml
@ -5,6 +5,10 @@
 - name: Generate and store certs
  when: registry_certs.data is not defined
  block:
+    - name: Generate temporary CA
+      when: cert_manager
+      command: "openssl req -new -newkey rsa:2048 -nodes -keyout ca-{{ zuul_name }}.key -x509 -days 3650 -out ca-{{ zuul_name }}.pem -subj '/C=US/ST=Texas/L=Austin/O=Zuul/CN=gearman-ca'"
+
    - name: Generate certs
      command: "{{ item }}"
      loop:
--- a/roles/zuul-restart-when-zuul-conf-changed/module_utils/gearlib.py
+++ b/roles/zuul-restart-when-zuul-conf-changed/module_utils/gearlib.py
@ -21,7 +21,7 @@ import gear  # type: ignore

 def connect(host : str) -> Any:
    client = gear.Client()
-    client.addServer(host, 4730, 'client.key', 'client.pem', 'ca.pem')
+    client.addServer(host, 4730, 'tls.key', 'tls.crt', 'ca.crt')
    client.waitForServer(timeout=10)
    return client

--- a/roles/zuul/defaults/main.yaml
+++ b/roles/zuul/defaults/main.yaml
@ -7,6 +7,9 @@ zuul_app_path: "/opt/ansible/conf/zuul"
 # see: https://github.com/operator-framework/operator-sdk/issues/1770
 raw_spec: "{{ vars['_operator_zuul-ci_org_zuul_spec'] | default(spec) }}"

+# Let optional withCertManager bool value
+cert_manager: "{{ (raw_spec['withCertManager'] | default(true)) | bool }}"
+
 # Provide sensible default for non optional attributes:
 spec_defaults:
  web: {}