Add registry tls secret provided by cert-manager

This change adds a Certificate resource to manage
the registry tls secret with the cert-manager service.

This change also splits the registry rw user to a
dedicated secret to enable separate creation of the passwords.

Change-Id: I673ea8db31fd2926c82a4288fd9362f225794da8
Tristan Cacqueray 2020-04-11 14:09:25 +00:00
parent 5196ced54b
commit 62b5ca9ad8
5 changed files with 100 additions and 42 deletions


@ -23,7 +23,7 @@ let registry-env =
( \(key : Text) ( \(key : Text)
-> { name = "ZUUL_REGISTRY_${key}" -> { name = "ZUUL_REGISTRY_${key}"
, key = key , key = key
, secret = app-name ++ "-registry-tls" , secret = "${app-name}-registry-user-rw"
} }
) )
[ "secret", "username", "password" ] [ "secret", "username", "password" ]
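Review bot: The key list on the last line of the hunk still includes `secret`, which the registry config in this same change consumes as the server's own value (`secret: "%(ZUUL_REGISTRY_secret)"`), so the new `${app-name}-registry-user-rw` Secret mixes a server-side secret with the rw user's credentials. If the point of the split is to let the user password be created and rotated independently, the registry secret seems better kept in its own Secret, or the coupling should at least be stated on purpose. A line such as `-- env from the rw-user Secret: the registry secret plus the rw username/password` above the mapping would make that explicit either way. The `registry-env` let binding starts above the hunk.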


@ -7,8 +7,8 @@
address: '0.0.0.0' address: '0.0.0.0'
port: 9000 port: 9000
public-url: ${public-url} public-url: ${public-url}
tls-cert: /etc/zuul-registry/cert.pem tls-cert: /etc/zuul-registry/tls.crt
tls-key: /etc/zuul-registry/cert.key tls-key: /etc/zuul-registry/tls.key
secret: "%(ZUUL_REGISTRY_secret)" secret: "%(ZUUL_REGISTRY_secret)"
storage: storage:
driver: filesystem driver: filesystem


@ -10,21 +10,28 @@ Unless cert-manager usage is enabled, the resources expect those secrets to be a
* `tls.crt` * `tls.crt`
* `tls.key` * `tls.key`
* `${name}-registry-tls` with:
* `tls.crt`
* `tls.key`
The resources expect those secrets to be available: The resources expect those secrets to be available:
* `${name}-zookeeper-tls` with: * `${name}-zookeeper-tls` with:
* `ca.crt` * `ca.crt`
* `tls.crt` * `tls.crt`
* `tls.key` * `tls.key`
* `zk.pem` the keystore * `zk.pem` the keystore
* `${name}-registry-tls` with: * `${name}-registry-user-rw` with:
* `cert.pem`
* `cert.key`
* `secret` a password * `secret` a password
* `username` the user name with write access * `username` the user name with write access
* `password` the user password * `password` the user password
Unless the input.database db uri is provided, the resources expect this secret to be available: Unless the input.database db uri is provided, the resources expect this secret to be available:
* `${name}-database-password` the internal database password. * `${name}-database-password` the internal database password.
@ -188,6 +195,33 @@ in \(input : Input)
, name = "${input.name}-ca" , name = "${input.name}-ca"
} }
let registry-enabled =
Natural/isZero (F.defaultNat input.registry.count 0)
== False
let registry-cert =
if registry-enabled
then [ CertManager.Certificate::{
, metadata =
F.mkObjectMeta
"${input.name}-registry-tls"
( F.mkComponentLabel
input.name
"cert-registry"
)
, spec = CertManager.CertificateSpec::{
, secretName = "${input.name}-registry-tls"
, issuerRef = issuer
, dnsNames = Some [ "registry" ]
, usages = Some
[ "server auth", "client auth" ]
}
}
]
else [] : List CertManager.Certificate.Type
in { Issuers = in { Issuers =
[ CertManager.Issuer::{ [ CertManager.Issuer::{
, metadata = , metadata =
@ -212,34 +246,39 @@ in \(input : Input)
} }
] ]
, Certificates = , Certificates =
[ CertManager.Certificate::{ [ CertManager.Certificate::{
, metadata = , metadata =
F.mkObjectMeta F.mkObjectMeta
"${input.name}-ca" "${input.name}-ca"
(F.mkComponentLabel input.name "cert-ca") (F.mkComponentLabel input.name "cert-ca")
, spec = CertManager.CertificateSpec::{ , spec = CertManager.CertificateSpec::{
, secretName = "${input.name}-ca" , secretName = "${input.name}-ca"
, isCA = Some True , isCA = Some True
, commonName = Some "selfsigned-root-ca" , commonName = Some "selfsigned-root-ca"
, issuerRef = , issuerRef =
issuer // { name = "${input.name}-selfsigning" } issuer
, usages = Some // { name = "${input.name}-selfsigning" }
[ "server auth", "client auth", "cert sign" ] , usages = Some
} [ "server auth", "client auth", "cert sign" ]
} }
, CertManager.Certificate::{ }
, metadata = , CertManager.Certificate::{
F.mkObjectMeta , metadata =
"${input.name}-gearman-tls" F.mkObjectMeta
(F.mkComponentLabel input.name "cert-gearman") "${input.name}-gearman-tls"
, spec = CertManager.CertificateSpec::{ ( F.mkComponentLabel
, secretName = "${input.name}-gearman-tls" input.name
, issuerRef = issuer "cert-gearman"
, dnsNames = Some [ "gearman" ] )
, usages = Some [ "server auth", "client auth" ] , spec = CertManager.CertificateSpec::{
} , secretName = "${input.name}-gearman-tls"
} , issuerRef = issuer
] , dnsNames = Some [ "gearman" ]
, usages = Some [ "server auth", "client auth" ]
}
}
]
# registry-cert
} }
, Backend = , Backend =
{ Database = { Database =
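Review bot: The new `registry-cert` Certificate is issued for `dnsNames = Some [ "registry" ]` only, while the registry config in this change advertises a separately supplied `public-url`, so a client that reaches the registry through that URL rather than the in-cluster `registry` name will presumably fail hostname verification; either add the public-url host to `dnsNames` or document that the service must be reached as `registry` (the test playbook pins exactly that name in /etc/hosts). The `usages` list also grants `client auth` to what is a serving certificate; unless the registry presents this certificate as a TLS client, restrict it to `usages = Some [ "server auth" ]` so the key cannot double as a client identity. Minor style: `registry-enabled` is spelled `Natural/isZero (...) == False`; `if Natural/isZero (F.defaultNat input.registry.count 0) then False else True` reads more directly, or keep the form and add `-- a registry is deployed only when input.registry.count > 0`. The enclosing `in \(input : Input)` record continues past the hunk.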


@ -186,7 +186,7 @@
line: "{{ _registry_ip.stdout_lines[0] }} registry" line: "{{ _registry_ip.stdout_lines[0] }} registry"
- name: Get registry password - name: Get registry password
command: kubectl get secret zuul-registry-tls -o "jsonpath={.data.password}" command: kubectl get secret zuul-registry-user-rw -o "jsonpath={.data.password}"
register: _registry_password register: _registry_password
- name: Test registry login - name: Test registry login
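Review bot: The renamed `Get registry password` task registers the secret's `password` field in `_registry_password` without `no_log: true`, so the (base64-encoded) credential is printed in the task result and any captured log whenever the play runs verbosely; add `no_log: true` to this task and to the `Test registry login` task that consumes it. The `kubectl get secret` call also passes no namespace, unlike the `k8s` lookups elsewhere in this change that use `namespace=namespace`, so it depends on the current kube context; `kubectl get secret zuul-registry-user-rw -n {{ namespace }} -o "jsonpath={.data.password}"` would be consistent, if that variable is available in this playbook. The `Test registry login` task body continues past the hunk.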


@ -3,12 +3,10 @@
registry_certs: "{{ lookup('k8s', api_version='v1', kind='Secret', namespace=namespace, resource_name=zuul_name + '-registry-tls') }}" registry_certs: "{{ lookup('k8s', api_version='v1', kind='Secret', namespace=namespace, resource_name=zuul_name + '-registry-tls') }}"
- name: Generate and store certs - name: Generate and store certs
when: registry_certs.data is not defined when:
- not cert_manager
- registry_certs.data is not defined
block: block:
- name: Generate temporary CA
when: cert_manager
command: "openssl req -new -newkey rsa:2048 -nodes -keyout ca-{{ zuul_name }}.key -x509 -days 3650 -out ca-{{ zuul_name }}.pem -subj '/C=US/ST=Texas/L=Austin/O=Zuul/CN=gearman-ca'"
- name: Generate certs - name: Generate certs
command: "{{ item }}" command: "{{ item }}"
loop: loop:
@ -29,5 +27,26 @@
username: "zuul" username: "zuul"
password: "{{ lookup('password', '/dev/null') }}" password: "{{ lookup('password', '/dev/null') }}"
secret: "{{ lookup('password', '/dev/null') }}" secret: "{{ lookup('password', '/dev/null') }}"
cert.key: "{{ lookup('file', 'registry-' + zuul_name + '.key') }}" tls.key: "{{ lookup('file', 'registry-' + zuul_name + '.key') }}"
cert.pem: "{{ lookup('file', 'registry-' + zuul_name + '.pem') }}" tls.crt: "{{ lookup('file', 'registry-' + zuul_name + '.pem') }}"
- name: Check if registry rw user exists
set_fact:
registry_user_rw: "{{ lookup('k8s', api_version='v1', kind='Secret', namespace=namespace, resource_name=zuul_name + '-registry-user-rw') }}"
- name: Generate and store user
when: registry_user_rw.data is not defined
block:
- name: Create k8s secret
k8s:
state: "{{ state }}"
namespace: "{{ namespace }}"
definition:
apiVersion: v1
kind: Secret
metadata:
name: "{{ zuul_name }}-registry-user-rw"
stringData:
username: "zuul"
password: "{{ lookup('password', '/dev/null') }}"
secret: "{{ lookup('password', '/dev/null') }}"
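Review bot: The `-registry-tls` Secret written in the `Generate and store certs` block still carries `username`, `password` and `secret` (each a fresh `lookup('password', '/dev/null')`), while the new `-registry-user-rw` Secret generates its own independent values for the same three keys; since the registry env in this change now reads the user-rw Secret, the copies in the TLS Secret are dead and will never match the live credentials, so drop them and keep only `tls.crt`/`tls.key` there. Both `Create k8s secret` tasks should also set `no_log: true`, otherwise the generated passwords and the private key are echoed in the task result. Note that the TLS block is now skipped entirely when `cert_manager` is set, so the rw user Secret is the only one this playbook creates in that mode, which is what the Dhall side expects. The `Generate certs` loop and the first `Create k8s secret` task are partly outside the visible hunks.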