From 0d4965fd608302f2cc2d08455eaf769fc60afbcf Mon Sep 17 00:00:00 2001
From: Gabriel Cuba
Date: Sun, 6 Nov 2022 19:39:02 -0500
Subject: [PATCH] Feature 10947 Cert-manager installation for gRPC authentication

It includes:
- Cert-manager installation
- Custom CA bootstrap
- Mount CA in LCM pod

Change-Id: I8e6d73fb0c179df130f7f4a7f8829bd781713d51
Signed-off-by: Gabriel Cuba
---
 installers/docker/osm_pods/ca_setup.yaml | 46 ++++++++++++++++++++++++
 installers/docker/osm_pods/lcm.yaml | 13 +++++++
 installers/install_kubeadm_cluster.sh | 33 ++++++++++++++++-
 3 files changed, 91 insertions(+), 1 deletion(-)
 create mode 100644 installers/docker/osm_pods/ca_setup.yaml

diff --git a/installers/docker/osm_pods/ca_setup.yaml b/installers/docker/osm_pods/ca_setup.yaml
new file mode 100644
index 00000000..6a3ee654
--- /dev/null
+++ b/installers/docker/osm_pods/ca_setup.yaml
@@ -0,0 +1,46 @@
+# Copyright 2022 Whitestack
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License
+
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: osm-selfsigned-issuer
+spec:
+ selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: osm-ca-certificate
+ namespace: osm
+spec:
+ isCA: true
+ commonName: osm
+ secretName: osm-ca
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ issuerRef:
+ name: osm-selfsigned-issuer
+ kind: ClusterIssuer
+ group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: ca-issuer
+spec:
+ ca:
+ secretName: osm-ca
\ No newline at end of file
diff --git a/installers/docker/osm_pods/lcm.yaml b/installers/docker/osm_pods/lcm.yaml
index 54725189..3e5a271d 100644
--- a/installers/docker/osm_pods/lcm.yaml
+++ b/installers/docker/osm_pods/lcm.yaml
@@ -60,3 +60,16 @@ spec:
 envFrom:
 - secretRef:
 name: lcm-secret
+ volumeMounts:
+ - mountPath: /etc/ssl/certs/osm-ca.crt
+ name: osm-ca
+ readOnly: true
+ subPath: osm-ca.crt
+ volumes:
+ - name: osm-ca
+ secret:
+ defaultMode: 420
+ items:
+ - key: tls.crt
+ path: osm-ca.crt
+ secretName: osm-ca
diff --git a/installers/install_kubeadm_cluster.sh b/installers/install_kubeadm_cluster.sh
index 9c0fa2f5..648a1be0 100755
--- a/installers/install_kubeadm_cluster.sh
+++ b/installers/install_kubeadm_cluster.sh
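Review bot: The `osm-ca-certificate` Certificate sets no `duration` or `renewBefore`, so the root CA is issued with cert-manager's default lifetime (90 days at v1.9 unless overridden) and re-issued on that cadence; `privateKey.rotationPolicy` is left at its default (`Never`), so the key survives renewal, but any consumer holding a stale copy of `tls.crt` — such as the LCM pod, which copies it via a `subPath` mount in this same patch — fails verification once its copy expires. Give the root an explicit, longer lifetime next to `isCA: true`, e.g. `duration: 87600h` (constructed example, ten years), or document how consumers are expected to pick up a rotated CA. The `ca-issuer` ClusterIssuer resolves `secretName: osm-ca` in cert-manager's `clusterResourceNamespace`, which install_kubeadm_cluster.sh sets to `osm` via `--set clusterResourceNamespace=osm`; a one-line comment above `ca-issuer` stating that dependency would make the cross-file coupling with `namespace: osm` visible to whoever edits either file.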
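Review bot: `subPath: osm-ca.crt` under `volumeMounts` turns the mount into a one-time copy: the kubelet does not propagate Secret updates into subPath mounts, so when cert-manager renews `osm-ca` the LCM container keeps the old certificate until the pod is restarted. If the CA is expected to rotate, drop `subPath`, point `mountPath` at a dedicated directory instead of a single file inside `/etc/ssl/certs` (mounting a directory there would shadow the system bundle), and have LCM read `osm-ca.crt` from that directory. Projecting only `tls.crt` through `items` is the right call, since the CA private key must not reach the pod, and `defaultMode: 420` (0644) is appropriate for a public certificate.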
@@ -184,6 +184,20 @@ function install_helm_metallb() {
 [ -z "${DEBUG_INSTALL}" ] || DEBUG end of function
 }
+#installs cert-manager
+function install_helm_certmanager() {
+ [ -z "${DEBUG_INSTALL}" ] || DEBUG beginning of function
+ echo "Installing cert-manager"
+ CERTMANAGER_VERSION="v1.9.1"
+ helm repo add jetstack https://charts.jetstack.io
+ helm repo update
+ helm install cert-manager --create-namespace --namespace cert-manager jetstack/cert-manager \
+ --version ${CERTMANAGER_VERSION} --set installCRDs=true --set prometheus.enabled=false \
+ --set clusterResourceNamespace=osm \
+ --set extraArgs="{--enable-certificate-owner-ref=true}"
+ [ -z "${DEBUG_INSTALL}" ] || DEBUG end of function
+}
+
 #checks openebs and metallb readiness
 function check_for_readiness() {
 [ -z "${DEBUG_INSTALL}" ] || DEBUG beginning of function
@@ -220,6 +234,13 @@ function check_for_readiness() {
 COUNT_METALLB_READY=$(echo "${METALLB_READY}" | grep -v -e '^$' | wc -l)
 COUNT_METALLB_NOT_READY=$(echo "${METALLB_NOT_READY}" | grep -v -e '^$' | wc -l)
+ # State of CertManager
+ CERTMANAGER_STATE=$(kubectl get pod -n ${CERTMANAGER_NAMESPACE} --no-headers 2>&1)
+ CERTMANAGER_READY=$(echo "${CERTMANAGER_STATE}" | awk '$2=="1/1" || $2=="2/2" {printf ("%s\t%s\t\n", $1, $2)}')
+ CERTMANAGER_NOT_READY=$(echo "${CERTMANAGER_STATE}" | awk '$2!="1/1" && $2!="2/2" {printf ("%s\t%s\t\n", $1, $2)}')
+ COUNT_CERTMANAGER_READY=$(echo "${CERTMANAGER_READY}" | grep -v -e '^$' | wc -l)
+ COUNT_CERTMANAGER_NOT_READY=$(echo "${CERTMANAGER_NOT_READY}" | grep -v -e '^$' | wc -l)
+
 # OK sample
 if [[ $((${COUNT_OPENEBS_NOT_READY}+${COUNT_METALLB_NOT_READY})) -eq 0 ]]
 then
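Review bot: The namespace is hard-coded as `--namespace cert-manager` in install_helm_certmanager, while the readiness check added in the next hunk reads `${CERTMANAGER_NAMESPACE}`, which nothing in this patch assigns; unless it is defined elsewhere in the script (not visible here), the `kubectl get pod -n` call there runs with an empty namespace argument. Define it once beside the version, `CERTMANAGER_NAMESPACE="cert-manager"`, and use `--namespace ${CERTMANAGER_NAMESPACE}` here so the two cannot drift. None of the three `helm` calls has explicit failure handling; if the installer relies on `set -e` or a FATAL-style helper for the other install functions that is fine, otherwise a failed `helm install` is silently followed by `track k8scluster k8s_certmanager_ok`. Pinning `--version ${CERTMANAGER_VERSION}` is good; the chart is still fetched from `https://charts.jetstack.io` with no integrity check beyond TLS, which is worth a comment if that is an accepted trade-off.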
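Review bot: The new cert-manager counters only feed the report: the `# OK sample` test on the line below still sums `COUNT_OPENEBS_NOT_READY` and `COUNT_METALLB_NOT_READY`, so check_for_readiness declares the cluster ready while cert-manager's pods — including the webhook that must be serving before any `cert-manager.io/v1` object can be applied — are still starting. Change the condition to `if [[ $((${COUNT_OPENEBS_NOT_READY}+${COUNT_METALLB_NOT_READY}+${COUNT_CERTMANAGER_NOT_READY})) -eq 0 ]]`. Note also that `2>&1` on the `kubectl get pod` call routes any error text (for example when `${CERTMANAGER_NAMESPACE}` is empty) into `CERTMANAGER_STATE`, where the awk filter counts it as a not-ready pod; once the counter gates readiness that would block forever, so drop `2>&1` or check kubectl's exit status separately. check_for_readiness starts and ends outside this hunk.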
@@ -241,13 +262,21 @@ function check_for_readiness() {
 echo
 fi
- # Reports failed statefulsets
+ # Reports failed pods in MetalLB
 if [[ "${COUNT_METALLB_NOT_READY}" -ne 0 ]]
 then
 echo "MetalLB: Waiting for ${COUNT_METALLB_NOT_READY} of $((${COUNT_METALLB_NOT_READY}+${COUNT_METALLB_READY})) pods to be ready:"
 echo "${METALLB_NOT_READY}"
 echo
 fi
+
+ # Reports failed pods in CertManager
+ if [[ "${COUNT_CERTMANAGER_NOT_READY}" -ne 0 ]]
+ then
+ echo "CertManager: Waiting for ${COUNT_CERTMANAGER_NOT_READY} of $((${COUNT_CERTMANAGER_NOT_READY}+${COUNT_CERTMANAGER_READY})) pods to be ready:"
+ echo "${CERTMANAGER_NOT_READY}"
+ echo
+ fi
 fi
 #------------ NEXT SAMPLE
@@ -342,6 +371,8 @@ install_k8s_storageclass
 track k8scluster k8s_storageclass_ok
 install_helm_metallb
 track k8scluster k8s_metallb_ok
+install_helm_certmanager
+track k8scluster k8s_certmanager_ok
 check_for_readiness
 track k8scluster k8s_ready_ok
-- 
2.25.1
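Review bot: `install_helm_certmanager` is sequenced before `check_for_readiness`, but nothing in this patch applies the new `ca_setup.yaml`, so the ClusterIssuer/Certificate bootstrap presumably happens in a later step not shown here; that step must run only after the cert-manager webhook is serving, otherwise the `cert-manager.io/v1` objects are rejected and the `osm-ca` Secret the LCM pod mounts never exists. Because the `# OK sample` condition in check_for_readiness does not include the cert-manager counter, `track k8scluster k8s_ready_ok` is not a sufficient signal for that later apply; a comment here naming where and when `ca_setup.yaml` is applied would make the ordering dependency explicit.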