TLSPK components installed

amcginlay · Dec 18, 2023 · 1aa88da · 1aa88da
1 parent 854fc2d
commit 1aa88da
Show file tree

Hide file tree

Showing 2 changed files with 94 additions and 54 deletions.
diff --git a/v2/cfn-tlspk-cluster-bootstrapper.yaml b/v2/cfn-tlspk-cluster-bootstrapper.yaml
@@ -71,12 +71,13 @@ Resources:
               export TLSPK_SA_USER_ID=dummy # TODO remove
               export TLSPK_SA_USER_SECRET=dummy # TODO remove
 
-              export TLSPK_CLUSTER_NAME=$(cut -c-17 <<< ${AWS::StackName})-$(cut -c-13 <<< $(date +"%y%m%d%H%M%N")) # date suffixed to ensure TLSPK doesn't consider it a dupe
+              export TLSPK_CLUSTER_NAME=$(cut -c-17 <<< ${AWS::StackName})-$(cut -c-13 <<< $(date +"%y%m%d%H%M%N")) # date suffixed to ensure TLSPK v1 doesn't consider it a dupe
               curl -fsSLO https://${EcosystemBucket}.s3.amazonaws.com/tlspk/v2/tlspk-helper.sh && chmod 700 tlspk-helper.sh
 
               ./tlspk-helper.sh install-dependencies       --auto-approve
               ./tlspk-helper.sh create-local-k8s-cluster   --auto-approve
               ./tlspk-helper.sh deploy-agent-v2            --auto-approve
+              ./tlspk-helper.sh deploy-components-v2       --auto-approve
 
               /opt/aws/bin/cfn-signal -e 0 --stack ${AWS::StackName} --resource K8sCluster --region ${AWS::Region}
             EOF

diff --git a/v2/tlspk-helper.sh b/v2/tlspk-helper.sh
@@ -2,11 +2,14 @@
 
 SCRIPT_NAME="tlspk-helper.sh"
 SCRIPT_VERSION="2.0"
+AGENT_VERSION_DEFAULT="0.2.1"               # (legacy) gcrane ls eu.gcr.io/jetstack-secure-enterprise/charts/jetstack-agent
+OPERATOR_VERSION_DEFAULT="v0.0.1-alpha.26"  # (legacy) gcrane ls eu.gcr.io/jetstack-secure-enterprise/charts/js-operator
 
-VENCTL_VERSION_DEFAULT="1.2.1"              # https://gitlab.com/venafi/vaas/applications/tls-protect-for-k8s/venctl/-/releases
-AGENT_VERSION_DEFAULT="0.2.1"               # gcrane ls eu.gcr.io/jetstack-secure-enterprise/charts/jetstack-agent
-OPERATOR_VERSION_DEFAULT="v0.0.1-alpha.26"  # gcrane ls eu.gcr.io/jetstack-secure-enterprise/charts/js-operator
-KUBECTL_VERSION_DEFAULT="1.25.7/2023-03-17"
+KUBECTL_VERSION_DEFAULT="1.27.7/2023-11-14"
+VENCTL_VERSION_DEFAULT="1.3.0"              # https://gitlab.com/venafi/vaas/applications/tls-protect-for-k8s/venctl/-/releases
+CERT_MANAGER_VERSION_DEFAULT="v1.13.3"
+VEI_VERSION_DEFAULT="v0.11.0"
+OWNING_TEAM=k8s-cluster-discovery-demo-team
 
 MISSING_ENV_VAR_MSG="The following REQUIRED environment variables are missing:"
 MISSING_PACKAGE_DEPENDENCIES_MSG="The following REQUIRED package dependencies are missing:"
@@ -381,7 +384,7 @@ check-deployed() {
   return 1 # not an error, but still an exit condition
 }
 
-deploy-agent() {
+deploy-agent() { # (legacy)
   local missing_packages=($(get-missing-package-dependencies "kubectl" "helm"))
   if [[ ${#missing_packages[@]} -gt 0 ]]; then
     log-error "${MISSING_PACKAGE_DEPENDENCIES_MSG} ${missing_packages[*]}"
@@ -416,38 +419,7 @@ deploy-agent() {
   log-info "If TLSPK agent is running, this cluster will show in TLSPK as ${tlkps_cluster_name_adj}"
 }
 
-deploy-agent-v2() {
-  local owning_team=k8s-cluster-discovery-demo-team
-
-  log-info "Ensuring ${owning_team} is available in VCP"
-  local url=https://$(get-regional-url)/v1/teams
-  if [ "$(curl -X GET ${url} \
-            --no-progress-meter \
-            -H "accept: application/json" \
-            -H "tppl-api-key: ${VCP_APIKEY}" \
-            -H "Content-Type: application/json" | jq --arg t "${owning_team}" '.teams | all(.name != $t)')" = "true" ]; then
-    log-info "${owning_team} missing, creating ..."
-    curl -X POST ${url} \
-      --no-progress-meter \
-      -H "accept: application/json" \
-      -H "tppl-api-key: ${VCP_APIKEY}" \
-      -H "Content-Type: application/json" \
-      -d "{\"name\":\"${owning_team}\",\"members\":[],\"owners\":[],\"role\":\"SYSTEM_ADMIN\",\"userMatchingRules\":[]}"
-    log-info "${owning_team} successfully created"
-  else
-    log-info "${owning_team} already present, not creating"
-  fi
-
-  log-info "Installing agent using venctl ${VENCTL_VERSION}"
-  venctl installation cluster connect \
-    --name ${TLSPK_CLUSTER_NAME} \
-    --vcp-region ${VCP_REGION} \
-    --api-key ${VCP_APIKEY} \
-    --owning-team ${owning_team} \
-    --no-prompts
-}
-
-install-operator() {
+install-operator() { # (legacy)
   local missing_packages=($(get-missing-package-dependencies "kubectl" "helm"))
   if [[ ${#missing_packages[@]} -gt 0 ]]; then
     log-error "${MISSING_PACKAGE_DEPENDENCIES_MSG} ${missing_packages[*]}"
@@ -478,7 +450,7 @@ install-operator() {
   sleep 5 && kubectl -n jetstack-secure wait --for=condition=Available=True --all deployments --timeout=300s
 }
 
-deploy-operator-components() {
+deploy-operator-components() { # (legacy)
   local missing_packages=($(get-missing-package-dependencies "kubectl"))
   if [[ ${#missing_packages[@]} -gt 0 ]]; then
     log-error "${MISSING_PACKAGE_DEPENDENCIES_MSG} ${missing_packages[*]}"
@@ -513,6 +485,59 @@ EOF
   kubectl -n jetstack-secure wait pod -l app=webhook --for=condition=Ready --timeout=300s
 }
 
+deploy-agent-v2() {
+  log-info "Ensuring ${OWNING_TEAM} is available in VCP"
+  local url=https://$(get-regional-url)/v1/teams
+  if [ "$(curl -X GET ${url} \
+            --no-progress-meter \
+            -H "accept: application/json" \
+            -H "tppl-api-key: ${VCP_APIKEY}" \
+            -H "Content-Type: application/json" | jq --arg t "${OWNING_TEAM}" '.teams | all(.name != $t)')" = "true" ]; then
+    log-info "${OWNING_TEAM} missing, creating ..."
+    curl -X POST ${url} \
+      --no-progress-meter \
+      -H "accept: application/json" \
+      -H "tppl-api-key: ${VCP_APIKEY}" \
+      -H "Content-Type: application/json" \
+      -d "{\"name\":\"${OWNING_TEAM}\",\"members\":[],\"owners\":[],\"role\":\"SYSTEM_ADMIN\",\"userMatchingRules\":[]}"
+    log-info "${OWNING_TEAM} successfully created"
+  else
+    log-info "${OWNING_TEAM} already present, not creating"
+  fi
+
+  log-info "Installing agent using venctl ${VENCTL_VERSION}"
+  venctl installation cluster connect \
+    --name ${TLSPK_CLUSTER_NAME} \
+    --vcp-region ${VCP_REGION} \
+    --api-key ${VCP_APIKEY} \
+    --owning-team ${OWNING_TEAM} \
+    --no-prompts
+}
+
+deploy-components-v2() {
+  log-info "Ensuring image pull secret is available in VCP"
+  venctl iam service-account registry create \
+    --name ${TLSPK_CLUSTER_NAME}-ips \
+    --vcp-region ${VCP_REGION} \
+    --api-key ${VCP_APIKEY} \
+    --owning-team ${OWNING_TEAM} \
+    --no-prompts \
+    --image-pull-secret-file venafi_registry_docker_config.json \
+    --image-pull-secret-format dockerconfig \
+    --scopes enterprise-cert-manager,enterprise-venafi-issuer,enterprise-approver-policy \
+
+  log-info "Storing image pull secret in local cluster"
+  kubectl create namespace venafi 2>/dev/null || true
+  kubectl -n venafi create secret docker-registry venafi-image-pull-secret \
+    --from-file .dockerconfigjson=venafi_registry_docker_config.json
+
+  log-info "Installing components using venctl ${VENCTL_VERSION} (cert-manager=${CERT_MANAGER_VERSION} vei=${VEI_VERSION})"
+  venctl components kubernetes manifest generate \
+    --cert-manager --cert-manager-version ${CERT_MANAGER_VERSION} \
+    --venafi-enhanced-issuer --venafi-enhanced-issuer-version ${VEI_VERSION} | \
+    venctl components kubernetes manifest tool sync -f -
+}
+
 create-safe-tls-secrets() {
   local missing_packages=($(get-missing-package-dependencies "kubectl"))
   if [[ ${#missing_packages[@]} -gt 0 ]]; then
@@ -580,20 +605,23 @@ usage() {
   echo "  get-dockerconfig           Obtains Docker-compatible registry config / image pull secret (as used with 'helm upgrade --registry-config')"
   echo "  create-local-k8s-cluster   Create a new k8s cluster on localhost (uses k3d)"
   echo "  discover-tls-secrets       Scan the current cluster for TLS secrets"
-  echo "  deploy-agent               Deploys the TLSPK agent component"
+  echo "  deploy-agent               Deploys the TLSPK agent component (legacy)"
+  echo "  install-operator           Installs the TLSPK operator (legacy)"
+  echo "  deploy-operator-components Deploys minimal operator components, incluing cert-manager (legacy)"
   echo "  deploy-agent-v2            Deploys the TLSPK agent component"
-  echo "  install-operator           Installs the TLSPK operator"
-  echo "  deploy-operator-components Deploys minimal operator components, incluing cert-manager"
+  echo "  deploy-components-v2       Installs the TLSPK components"
   echo "  create-unsafe-tls-secrets  Define TLS Secrets in the demo-certs namespace (NOT protected by cert-manager)"
   echo "  create-safe-tls-secrets    Use cert-manager Certificate CRD to define a collection of self-signed certificates in the demo-certs namespace"
   echo
   echo "Flags:"
-  echo "  --auto-approve             Suppress prompts regarding potentially destructive operations"
-  echo "  --venctl-version <value>   Optional for deploy-agent-v2 (default is ${VENCTL_VERSION_DEFAULT})"
-  echo "  --agent-version <value>    Optional for deploy-agent (default is ${AGENT_VERSION_DEFAULT})"
-  echo "  --operator-version <value> Optional for install-operator (default is ${OPERATOR_VERSION_DEFAULT})"
-  echo "  --kubectl-version <value>  Optional (default is ${KUBECTL_VERSION_DEFAULT})"
-  echo "  --cluster-name <value>     Optional for create-local-k8s-cluster (default is autogenerated or derived from 'kubectl config current-context')"
+  echo "  --auto-approve                 Suppress prompts regarding potentially destructive operations"
+  echo "  --kubectl-version <value>      Optional (default is ${KUBECTL_VERSION_DEFAULT})"
+  echo "  --venctl-version <value>       Optional for v2 operations (default is ${VENCTL_VERSION_DEFAULT})"
+  echo "  --cert-manager-version <value> Optional for v2 operations (default is ${CERT_MANAGER_VERSION_DEFAULT})"
+  echo "  --vei-version <value>          Optional for v2 operations (default is ${VEI_VERSION_DEFAULT})"
+  echo "  --cluster-name <value>         Optional for create-local-k8s-cluster (default is autogenerated or derived from 'kubectl config current-context')"
+  echo "  --agent-version <value>        (legacy) Optional for deploy-agent (default is ${AGENT_VERSION_DEFAULT})"
+  echo "  --operator-version <value>     (legacy) Optional for install-operator (default is ${OPERATOR_VERSION_DEFAULT})"
 }
 
 # ----- MAIN -----
@@ -620,27 +648,36 @@ while [[ $# -gt 0 ]]; do
     create-local-k8s-cluster | \
     discover-tls-secrets | \
     deploy-agent | \
-    deploy-agent-v2 | \
     install-operator | \
     deploy-operator-components | \
+    deploy-agent-v2 | \
+    deploy-components-v2 | \
     create-unsafe-tls-secrets | \
     create-safe-tls-secrets )
       COMMAND=$1
       ;;
     --auto-approve )
       : ${APPROVED:="y"}
       ;;
+    --kubectl-version )
+      shift
+      : ${KUBECTL_VERSION:="${1}"}
+      ;;
     --venctl-version )
       shift
       : ${VENCTL_VERSION:="${1}"}
       ;;
-    --operator-version )
+    --cert-manager-version )
       shift
-      : ${OPERATOR_VERSION:="${1}"}
+      : ${CERT_MANAGER_VERSION:="${1}"}
       ;;
-    --kubectl-version )
+    --vei-version )
       shift
-      : ${KUBECTL_VERSION:="${1}"}
+      : ${VEI_VERSION:="${1}"}
+      ;;
+    --operator-version ) # (legacy)
+      shift
+      : ${OPERATOR_VERSION:="${1}"}
       ;;
     --cluster-name )
       shift
@@ -654,10 +691,12 @@ while [[ $# -gt 0 ]]; do
   shift
 done
 
+: ${KUBECTL_VERSION:=${KUBECTL_VERSION_DEFAULT}}
 : ${VENCTL_VERSION:=${VENCTL_VERSION_DEFAULT}}
+: ${CERT_MANAGER_VERSION:=${CERT_MANAGER_VERSION_DEFAULT}}
+: ${VEI_VERSION:=${VEI_VERSION_DEFAULT}}
 : ${AGENT_VERSION:=${AGENT_VERSION_DEFAULT}}
 : ${OPERATOR_VERSION:=${OPERATOR_VERSION_DEFAULT}}
-: ${KUBECTL_VERSION:=${KUBECTL_VERSION_DEFAULT}}
 
 if ! [[ "${COMMAND}" == "create-local-k8s-cluster" ]] && kubectl config current-context >/dev/null 2>&1; then
   : ${TLSPK_CLUSTER_NAME:=$(kubectl config current-context | tr '@' '.' | cut -c-21)-$(date +"%y%m%d%H%M")}