Add gearman tls secret provided by cert-manager

This change adds a Certificate resource to manage
the gearman tls secret with the cert-manager service.

To keep things simple, this change also merges the client
and server certificates into one secret.

Change-Id: I26e1075ccc5d9ff18bd5d2c68ffdf97244f3f87c
Tristan Cacqueray 2020-04-10 21:28:47 +00:00
parent 20f634230d
commit 5196ced54b
6 changed files with 44 additions and 26 deletions


@ -151,15 +151,15 @@ TODO: replace input schemas by the required attributes.
in '' in ''
[gearman] [gearman]
server=scheduler server=scheduler
ssl_ca=/etc/zuul-gearman/ca.pem ssl_ca=/etc/zuul-gearman/ca.crt
ssl_cert=/etc/zuul-gearman/client.pem ssl_cert=/etc/zuul-gearman/tls.crt
ssl_key=/etc/zuul-gearman/client.key ssl_key=/etc/zuul-gearman/tls.key
[gearman_server] [gearman_server]
start=true start=true
ssl_ca=/etc/zuul-gearman/ca.pem ssl_ca=/etc/zuul-gearman/ca.crt
ssl_cert=/etc/zuul-gearman/server.pem ssl_cert=/etc/zuul-gearman/tls.crt
ssl_key=/etc/zuul-gearman/server.key ssl_key=/etc/zuul-gearman/tls.key
[zookeeper] [zookeeper]
${zk-hosts} ${zk-hosts}


@ -3,14 +3,14 @@
The evaluation of that file is a function that takes the cr inputs as an argument, The evaluation of that file is a function that takes the cr inputs as an argument,
and returns the list of kubernetes of objects. and returns the list of kubernetes of objects.
The resources expect secrets to be created by the zuul ansible role: Unless cert-manager usage is enabled, the resources expect those secrets to be available:
* `${name}-gearman-tls` with: * `${name}-gearman-tls` with:
* `ca.pem` * `ca.crt`
* `server.pem` * `tls.crt`
* `server.key` * `tls.key`
* `client.pem`
* `client.key` The resources expect those secrets to be available:
* `${name}-zookeeper-tls` with: * `${name}-zookeeper-tls` with:
* `ca.crt` * `ca.crt`
@ -25,7 +25,9 @@ The resources expect secrets to be created by the zuul ansible role:
* `username` the user name with write access * `username` the user name with write access
* `password` the user password * `password` the user password
* `${name}-database-password` with a `password` key, (unless an input.database db uri is provided). Unless the input.database db uri is provided, the resources expect this secret to be available:
* `${name}-database-password` the internal database password.
-} -}
let Prelude = ../Prelude.dhall let Prelude = ../Prelude.dhall
@ -225,6 +227,18 @@ in \(input : Input)
[ "server auth", "client auth", "cert sign" ] [ "server auth", "client auth", "cert sign" ]
} }
} }
, CertManager.Certificate::{
, metadata =
F.mkObjectMeta
"${input.name}-gearman-tls"
(F.mkComponentLabel input.name "cert-gearman")
, spec = CertManager.CertificateSpec::{
, secretName = "${input.name}-gearman-tls"
, issuerRef = issuer
, dnsNames = Some [ "gearman" ]
, usages = Some [ "server auth", "client auth" ]
}
}
] ]
} }
, Backend = , Backend =
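Review bot: The Certificate added at L58-L69 lists only `dnsNames = Some [ "gearman" ]`, so the issued certificate covers the bare service name but not the namespace-qualified forms (`gearman.<namespace>.svc`, constructed example); a client that connects through the qualified name and performs hostname verification would reject it, so consider adding those names if the Input record carries the namespace (not visible here). The config template that consumes this secret reads a `ca.crt` key, which cert-manager only populates for issuers that expose a CA bundle; `issuerRef = issuer` appears to point at an in-cluster CA (the preceding resource carries a `cert sign` usage), so this holds, but a one-line comment such as `-- ca.crt is only written by CA-type issuers; the gearman config relies on it` would make the dependency explicit. No `duration`/`renewBefore` is set, so cert-manager's defaults apply; stating that intent in a comment would save the next reader a lookup. The surrounding list starts and ends outside the hunk.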


@ -3,16 +3,15 @@
gearman_certs: "{{ lookup('k8s', api_version='v1', kind='Secret', namespace=namespace, resource_name=zuul_name + '-gearman-tls') }}" gearman_certs: "{{ lookup('k8s', api_version='v1', kind='Secret', namespace=namespace, resource_name=zuul_name + '-gearman-tls') }}"
- name: Generate and store certs - name: Generate and store certs
when: gearman_certs.data is not defined when:
- not cert_manager
- gearman_certs.data is not defined
block: block:
- name: Generate certs - name: Generate certs
command: "{{ item }}" command: "{{ item }}"
loop: loop:
# CA # CA
- "openssl req -new -newkey rsa:2048 -nodes -keyout ca-{{ zuul_name }}.key -x509 -days 3650 -out ca-{{ zuul_name }}.pem -subj '/C=US/ST=Texas/L=Austin/O=Zuul/CN=gearman-ca'" - "openssl req -new -newkey rsa:2048 -nodes -keyout ca-{{ zuul_name }}.key -x509 -days 3650 -out ca-{{ zuul_name }}.pem -subj '/C=US/ST=Texas/L=Austin/O=Zuul/CN=gearman-ca'"
# Server
- "openssl req -new -newkey rsa:2048 -nodes -keyout server-{{ zuul_name }}.key -out server-{{ zuul_name }}.csr -subj '/C=US/ST=Texas/L=Austin/O=Zuul/CN=server-{{ zuul_name }}'"
- "openssl x509 -req -days 3650 -in server-{{ zuul_name }}.csr -out server-{{ zuul_name }}.pem -CA ca-{{ zuul_name }}.pem -CAkey ca-{{ zuul_name }}.key -CAcreateserial"
# Client # Client
- "openssl req -new -newkey rsa:2048 -nodes -keyout client-{{ zuul_name }}.key -out client-{{ zuul_name }}.csr -subj '/C=US/ST=Texas/L=Austin/O=Zuul/CN=client-{{ zuul_name }}'" - "openssl req -new -newkey rsa:2048 -nodes -keyout client-{{ zuul_name }}.key -out client-{{ zuul_name }}.csr -subj '/C=US/ST=Texas/L=Austin/O=Zuul/CN=client-{{ zuul_name }}'"
- "openssl x509 -req -days 3650 -in client-{{ zuul_name }}.csr -out client-{{ zuul_name }}.pem -CA ca-{{ zuul_name }}.pem -CAkey ca-{{ zuul_name }}.key -CAcreateserial" - "openssl x509 -req -days 3650 -in client-{{ zuul_name }}.csr -out client-{{ zuul_name }}.pem -CA ca-{{ zuul_name }}.pem -CAkey ca-{{ zuul_name }}.key -CAcreateserial"
@ -27,11 +26,9 @@
metadata: metadata:
name: "{{ zuul_name }}-gearman-tls" name: "{{ zuul_name }}-gearman-tls"
stringData: stringData:
ca.pem: "{{ lookup('file', 'ca-' + zuul_name + '.pem') }}" ca.crt: "{{ lookup('file', 'ca-' + zuul_name + '.pem') }}"
server.key: "{{ lookup('file', 'server-' + zuul_name + '.key') }}" tls.key: "{{ lookup('file', 'client-' + zuul_name + '.key') }}"
server.pem: "{{ lookup('file', 'server-' + zuul_name + '.pem') }}" tls.crt: "{{ lookup('file', 'client-' + zuul_name + '.pem') }}"
client.key: "{{ lookup('file', 'client-' + zuul_name + '.key') }}"
client.pem: "{{ lookup('file', 'client-' + zuul_name + '.pem') }}"
- name: Write client certs locally - name: Write client certs locally
when: gearman_certs.data is defined when: gearman_certs.data is defined
@ -39,6 +36,6 @@
content: "{{ gearman_certs.data[item] | b64decode }}" content: "{{ gearman_certs.data[item] | b64decode }}"
dest: "{{ item }}" dest: "{{ item }}"
loop: loop:
- ca.pem - ca.crt
- client.key - tls.key
- client.pem - tls.crt
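Review bot: With `cert_manager` true the generation block at L78-L82 is skipped, but nothing waits for cert-manager to issue the secret, so on a first reconcile `gearman_certs.data` (L77) is presumably still undefined and the `Write client certs locally` task at L103-L104 is skipped as well; later steps that read `tls.key`/`tls.crt`/`ca.crt` from the working directory would then fail without a clear message. Consider polling the secret until it is issued, e.g. a `k8s_info` task guarded by `when: cert_manager` with `until: result.resources[0].data is defined`, `retries` and `delay`, or failing early with an explicit message. In the fallback path the secret's `tls.crt`/`tls.key` (L99-L100) are now the client keypair, which the scheduler's `[gearman_server]` section also loads; that presumably works because the CSR at L92 carries no extended key usage constraint, but a comment stating that the single self-generated certificate is intentionally shared by client and server would spare the next reader a question. The enclosing play continues outside the hunk.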


@ -5,6 +5,10 @@
- name: Generate and store certs - name: Generate and store certs
when: registry_certs.data is not defined when: registry_certs.data is not defined
block: block:
- name: Generate temporary CA
when: cert_manager
command: "openssl req -new -newkey rsa:2048 -nodes -keyout ca-{{ zuul_name }}.key -x509 -days 3650 -out ca-{{ zuul_name }}.pem -subj '/C=US/ST=Texas/L=Austin/O=Zuul/CN=gearman-ca'"
- name: Generate certs - name: Generate certs
command: "{{ item }}" command: "{{ item }}"
loop: loop:
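Review bot: The temporary CA added at L119-L121 is generated with `-subj '/C=US/ST=Texas/L=Austin/O=Zuul/CN=gearman-ca'`, the same subject as the gearman CA in the other playbook, although this CA only exists when cert-manager handles gearman and appears to be used to sign the registry certificate; a distinct subject such as `CN=registry-ca` would avoid two unrelated CAs with identical subjects in operators' trust stores and make the generated files self-describing. The command is also a verbatim copy of the gearman one, so a shared variable for the `-subj` prefix and `-days` value would keep the two in sync. The `block:` this task sits in starts before the hunk and its remaining tasks are not visible.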


@ -21,7 +21,7 @@ import gear # type: ignore
def connect(host : str) -> Any: def connect(host : str) -> Any:
client = gear.Client() client = gear.Client()
client.addServer(host, 4730, 'client.key', 'client.pem', 'ca.pem') client.addServer(host, 4730, 'tls.key', 'tls.crt', 'ca.crt')
client.waitForServer(timeout=10) client.waitForServer(timeout=10)
return client return client
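Review bot: `connect` at L129-L133 hard-codes the three credential file names that the playbook writes (`tls.key`, `tls.crt`, `ca.crt`) as positional string literals, so the same names now live in two places and are resolved relative to the current working directory. Exposing them as keyword parameters with the current values as defaults keeps existing callers unchanged and makes the coupling explicit: `def connect(host: str, key: str = 'tls.key', cert: str = 'tls.crt', ca: str = 'ca.crt') -> Any:` with `client.addServer(host, 4730, key, cert, ca)`. A short docstring noting that the files are expected in the working directory and that the CA is used to verify the server would also help.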


@ -7,6 +7,9 @@ zuul_app_path: "/opt/ansible/conf/zuul"
# see: https://github.com/operator-framework/operator-sdk/issues/1770 # see: https://github.com/operator-framework/operator-sdk/issues/1770
raw_spec: "{{ vars['_operator_zuul-ci_org_zuul_spec'] | default(spec) }}" raw_spec: "{{ vars['_operator_zuul-ci_org_zuul_spec'] | default(spec) }}"
# Let optional withCertManager bool value
cert_manager: "{{ (raw_spec['withCertManager'] | default(true)) | bool }}"
# Provide sensible default for non optional attributes: # Provide sensible default for non optional attributes:
spec_defaults: spec_defaults:
web: {} web: {}
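Review bot: The comment on L140, `# Let optional withCertManager bool value`, does not say what the variable controls or that it defaults to enabled; `# Whether TLS secrets are issued by cert-manager (spec.withCertManager, default true); when false the playbooks generate self-signed certificates instead` would. Defaulting to true also means a cluster without cert-manager would presumably end up with no gearman secret at all, since the self-generated fallback is skipped in that case; that is a reasonable choice but worth stating in the resource documentation, which currently only says "unless cert-manager usage is enabled".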