Add registry tls secret provided by cert-manager

This change adds a Certificate resource to manage
the registry tls secret with the cert-manager service.

This change also splits the registry rw user to a
dedicated secret to enable separate creation of the passwords.

Change-Id: I673ea8db31fd2926c82a4288fd9362f225794da8
Tristan Cacqueray 2020-04-11 14:09:25 +00:00
parent 5196ced54b
commit 62b5ca9ad8
5 changed files with 100 additions and 42 deletions


@ -23,7 +23,7 @@ let registry-env =
( \(key : Text)
-> { name = "ZUUL_REGISTRY_${key}"
, key = key
, secret = app-name ++ "-registry-tls"
, secret = "${app-name}-registry-user-rw"
}
)
[ "secret", "username", "password" ]


@ -7,8 +7,8 @@
address: '0.0.0.0'
port: 9000
public-url: ${public-url}
tls-cert: /etc/zuul-registry/cert.pem
tls-key: /etc/zuul-registry/cert.key
tls-cert: /etc/zuul-registry/tls.crt
tls-key: /etc/zuul-registry/tls.key
secret: "%(ZUUL_REGISTRY_secret)"
storage:
driver: filesystem


@ -10,21 +10,28 @@ Unless cert-manager usage is enabled, the resources expect those secrets to be a
* `tls.crt`
* `tls.key`
* `${name}-registry-tls` with:
* `tls.crt`
* `tls.key`
The resources expect those secrets to be available:
* `${name}-zookeeper-tls` with:
* `ca.crt`
* `tls.crt`
* `tls.key`
* `zk.pem` the keystore
* `${name}-registry-tls` with:
* `cert.pem`
* `cert.key`
* `${name}-registry-user-rw` with:
* `secret` a password
* `username` the user name with write access
* `password` the user password
Unless the input.database db uri is provided, the resources expect this secret to be available:
* `${name}-database-password` the internal database password.
@ -188,6 +195,33 @@ in \(input : Input)
, name = "${input.name}-ca"
}
let registry-enabled =
Natural/isZero (F.defaultNat input.registry.count 0)
== False
let registry-cert =
if registry-enabled
then [ CertManager.Certificate::{
, metadata =
F.mkObjectMeta
"${input.name}-registry-tls"
( F.mkComponentLabel
input.name
"cert-registry"
)
, spec = CertManager.CertificateSpec::{
, secretName = "${input.name}-registry-tls"
, issuerRef = issuer
, dnsNames = Some [ "registry" ]
, usages = Some
[ "server auth", "client auth" ]
}
}
]
else [] : List CertManager.Certificate.Type
in { Issuers =
[ CertManager.Issuer::{
, metadata =
@ -212,34 +246,39 @@ in \(input : Input)
}
]
, Certificates =
[ CertManager.Certificate::{
, metadata =
F.mkObjectMeta
"${input.name}-ca"
(F.mkComponentLabel input.name "cert-ca")
, spec = CertManager.CertificateSpec::{
, secretName = "${input.name}-ca"
, isCA = Some True
, commonName = Some "selfsigned-root-ca"
, issuerRef =
issuer // { name = "${input.name}-selfsigning" }
, usages = Some
[ "server auth", "client auth", "cert sign" ]
}
}
, CertManager.Certificate::{
, metadata =
F.mkObjectMeta
"${input.name}-gearman-tls"
(F.mkComponentLabel input.name "cert-gearman")
, spec = CertManager.CertificateSpec::{
, secretName = "${input.name}-gearman-tls"
, issuerRef = issuer
, dnsNames = Some [ "gearman" ]
, usages = Some [ "server auth", "client auth" ]
}
}
]
[ CertManager.Certificate::{
, metadata =
F.mkObjectMeta
"${input.name}-ca"
(F.mkComponentLabel input.name "cert-ca")
, spec = CertManager.CertificateSpec::{
, secretName = "${input.name}-ca"
, isCA = Some True
, commonName = Some "selfsigned-root-ca"
, issuerRef =
issuer
// { name = "${input.name}-selfsigning" }
, usages = Some
[ "server auth", "client auth", "cert sign" ]
}
}
, CertManager.Certificate::{
, metadata =
F.mkObjectMeta
"${input.name}-gearman-tls"
( F.mkComponentLabel
input.name
"cert-gearman"
)
, spec = CertManager.CertificateSpec::{
, secretName = "${input.name}-gearman-tls"
, issuerRef = issuer
, dnsNames = Some [ "gearman" ]
, usages = Some [ "server auth", "client auth" ]
}
}
]
# registry-cert
}
, Backend =
{ Database =
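Review bot: The registry certificate's `dnsNames = Some [ "registry" ]` covers only the in-cluster service name, yet the registry config patched in this commit also exposes a `public-url`; if any client dials that public host, verification against this certificate will fail, so the public hostname presumably belongs in `dnsNames` as well — confirm how `public-url` is reached before relying on the single SAN. The `usages` list also grants `"client auth"` to a certificate the registry only presents as a server, mirroring the gearman entry; `usages = Some [ "server auth" ]` is the least-privilege choice unless the registry authenticates as a client with it somewhere. A one-line `--` comment above `let registry-cert =` explaining that the typed empty list (`[] : List CertManager.Certificate.Type`) exists so the `# registry-cert` concatenation in `Certificates` stays well-typed when the registry is disabled would save the next reader a search. The enclosing `\(input : Input)` lambda starts and ends outside these hunks.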


@ -186,7 +186,7 @@
line: "{{ _registry_ip.stdout_lines[0] }} registry"
- name: Get registry password
command: kubectl get secret zuul-registry-tls -o "jsonpath={.data.password}"
command: kubectl get secret zuul-registry-user-rw -o "jsonpath={.data.password}"
register: _registry_password
- name: Test registry login
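Review bot: `Get registry password` registers the output of `kubectl get secret zuul-registry-user-rw -o "jsonpath={.data.password}"` into `_registry_password` with no `no_log: true` visible on the task, so the base64-encoded password is printed in the play output and kept by whatever CI log captures it; add `no_log: true` here, and on the `Test registry login` task that consumes it, which lies outside the hunk. The value is still base64 at this point and is presumably decoded by the login task, so that task is the only place the cleartext should ever surface.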


@ -3,12 +3,10 @@
registry_certs: "{{ lookup('k8s', api_version='v1', kind='Secret', namespace=namespace, resource_name=zuul_name + '-registry-tls') }}"
- name: Generate and store certs
when: registry_certs.data is not defined
when:
- not cert_manager
- registry_certs.data is not defined
block:
- name: Generate temporary CA
when: cert_manager
command: "openssl req -new -newkey rsa:2048 -nodes -keyout ca-{{ zuul_name }}.key -x509 -days 3650 -out ca-{{ zuul_name }}.pem -subj '/C=US/ST=Texas/L=Austin/O=Zuul/CN=gearman-ca'"
- name: Generate certs
command: "{{ item }}"
loop:
@ -29,5 +27,26 @@
username: "zuul"
password: "{{ lookup('password', '/dev/null') }}"
secret: "{{ lookup('password', '/dev/null') }}"
cert.key: "{{ lookup('file', 'registry-' + zuul_name + '.key') }}"
cert.pem: "{{ lookup('file', 'registry-' + zuul_name + '.pem') }}"
tls.key: "{{ lookup('file', 'registry-' + zuul_name + '.key') }}"
tls.crt: "{{ lookup('file', 'registry-' + zuul_name + '.pem') }}"
- name: Check if registry rw user exists
set_fact:
registry_user_rw: "{{ lookup('k8s', api_version='v1', kind='Secret', namespace=namespace, resource_name=zuul_name + '-registry-user-rw') }}"
- name: Generate and store user
when: registry_user_rw.data is not defined
block:
- name: Create k8s secret
k8s:
state: "{{ state }}"
namespace: "{{ namespace }}"
definition:
apiVersion: v1
kind: Secret
metadata:
name: "{{ zuul_name }}-registry-user-rw"
stringData:
username: "zuul"
password: "{{ lookup('password', '/dev/null') }}"
secret: "{{ lookup('password', '/dev/null') }}"
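Review bot: The non-cert-manager `-registry-tls` secret built in the first block still carries `username`, `password` and `secret` in its `stringData` (the context lines just above the new `tls.key`/`tls.crt` keys, assuming they are unchanged), and each is a fresh `lookup('password', '/dev/null')`, so they can never match the values written to `{{ zuul_name }}-registry-user-rw`, which is what the registry now reads through `ZUUL_REGISTRY_*`. Dropping those three keys from the tls secret leaves a single source of truth for the credentials and stops a stale password from being stored next to the key material. The new `Create k8s secret` task should also carry `no_log: true`, since the `k8s` module returns the created object, secret contents included, in its result under verbose runs. Separately, if `when: cert_manager` on `Generate temporary CA` survives on the new side, it is ANDed with the block's `not cert_manager` condition and that task can never run; confirm which side that line belongs to.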