Merge pull request #96 from JPinkney/cert-deployments
Rework cert generation so that it uses two deployments
Showing
11 changed files
with
247 additions
and
320 deletions.
@@ -0,0 +1,31 @@ | ||
FROM golang:1.13.7-alpine3.11 as builder | ||
|
||
WORKDIR /che-workspace-operator | ||
|
||
# Populate the module cache based on the go.{mod,sum} files. | ||
COPY go.mod . | ||
COPY go.sum . | ||
RUN go mod download | ||
|
||
# copy the rest of the sources code | ||
COPY . . | ||
# compile workspace controller binaries | ||
RUN CGO_ENABLED=0 GOOS=linux go build \ | ||
-o _output/bin/che-workspace-controller-cert-gen \ | ||
-gcflags all=-trimpath=/ \ | ||
-asmflags all=-trimpath=/ \ | ||
cert-generation/main.go | ||
|
||
FROM registry.access.redhat.com/ubi8-minimal:8.1-279 | ||
COPY --from=builder /che-workspace-operator/_output/bin/che-workspace-controller-cert-gen /usr/local/bin/che-workspace-controller-cert-gen | ||
|
||
ENV USER_UID=1001 \ | ||
USER_NAME=che-workspace-controller-cert-gen | ||
|
||
COPY build/bin /usr/local/bin | ||
RUN /usr/local/bin/user_setup | ||
|
||
USER ${USER_UID} | ||
|
||
ENTRYPOINT ["/usr/local/bin/entrypoint"] | ||
CMD /usr/local/bin/che-workspace-controller-cert-gen |
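Review bot: `CMD /usr/local/bin/che-workspace-controller-cert-gen` on the last line is shell form, so combined with the exec-form `ENTRYPOINT ["/usr/local/bin/entrypoint"]` the entrypoint script receives `/bin/sh -c /usr/local/bin/che-workspace-controller-cert-gen` as its arguments rather than the binary path; if `entrypoint` exec's `$@` the binary runs under an extra shell (signal forwarding and PID 1 handling change), and if it inspects its first argument it will not see the binary. Use exec form: `CMD ["/usr/local/bin/che-workspace-controller-cert-gen"]`. The `entrypoint` and `user_setup` scripts copied from `build/bin` are not part of this commit, so what they do with the arguments is inferred. Both base images are pinned by tag only; adding an `@sha256:` digest (taken from the registry, not shown here) to `golang:1.13.7-alpine3.11` and `ubi8-minimal:8.1-279` would make the build reproducible and its provenance auditable.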
@@ -0,0 +1,127 @@ | ||
// | ||
// Copyright (c) 2019-2020 Red Hat, Inc. | ||
// This program and the accompanying materials are made | ||
// available under the terms of the Eclipse Public License 2.0 | ||
// which is available at https://www.eclipse.org/legal/epl-2.0/ | ||
// | ||
// SPDX-License-Identifier: EPL-2.0 | ||
// | ||
// Contributors: | ||
// Red Hat, Inc. - initial API and implementation | ||
// | ||
|
||
package main | ||
|
||
import ( | ||
"io/ioutil" | ||
"log" | ||
"os" | ||
|
||
"k8s.io/apimachinery/pkg/api/errors" | ||
"k8s.io/apimachinery/pkg/util/intstr" | ||
|
||
corev1 "k8s.io/api/core/v1" | ||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||
"k8s.io/client-go/kubernetes" | ||
"k8s.io/client-go/rest" | ||
) | ||
|
||
const ( | ||
secureServiceName = "workspace-controller" | ||
certConfigMapName = "che-workspace-controller-secure-service" | ||
certSecretName = "workspace-controller" | ||
webhookServerName = "webhook-server" | ||
) | ||
|
||
func main() { | ||
log.SetOutput(os.Stdout) | ||
|
||
config, err := rest.InClusterConfig() | ||
if err != nil { | ||
log.Fatal("Failed when attempting to retrieve in cluster config: ", err) | ||
} | ||
|
||
clientset, err := kubernetes.NewForConfig(config) | ||
if err != nil { | ||
log.Fatal("Failed when attempting to retrieve in cluster config: ", err) | ||
} | ||
|
||
namespaceByte, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/namespace") | ||
if err != nil { | ||
log.Fatal("Could not retrieve namespace: ", err) | ||
} | ||
|
||
namespace := string(namespaceByte) | ||
configMapData := make(map[string]string, 0) | ||
configMap := &corev1.ConfigMap{ | ||
ObjectMeta: metav1.ObjectMeta{ | ||
Name: certConfigMapName, | ||
Namespace: namespace, | ||
Annotations: map[string]string{ | ||
"service.beta.openshift.io/inject-cabundle": "true", | ||
}, | ||
}, | ||
Data: configMapData, | ||
} | ||
|
||
// Create the configmap or update if it already exists | ||
if _, err := clientset.CoreV1().ConfigMaps(namespace).Get(certConfigMapName, metav1.GetOptions{}); errors.IsNotFound(err) { | ||
_, err = clientset.CoreV1().ConfigMaps(namespace).Create(configMap) | ||
if err != nil { | ||
log.Fatal("Failed when attempting to create configmap: ", err) | ||
} | ||
} else { | ||
_, err = clientset.CoreV1().ConfigMaps(namespace).Update(configMap) | ||
if err != nil { | ||
log.Fatal("Failed when attempting to update configmap: ", err) | ||
} | ||
} | ||
|
||
label := map[string]string{"app": "che-workspace-controller"} | ||
|
||
port := int32(443) | ||
service := &corev1.Service{ | ||
ObjectMeta: metav1.ObjectMeta{ | ||
Name: secureServiceName, | ||
Namespace: namespace, | ||
Labels: label, | ||
Annotations: map[string]string{ | ||
"service.beta.openshift.io/serving-cert-secret-name": certSecretName, | ||
}, | ||
}, | ||
Spec: corev1.ServiceSpec{ | ||
Ports: []corev1.ServicePort{ | ||
{ | ||
Port: port, | ||
Protocol: "TCP", | ||
TargetPort: intstr.FromString(webhookServerName), | ||
}, | ||
}, | ||
Selector: label, | ||
}, | ||
} | ||
|
||
// Create secure service or update it if it already exists | ||
if clusterService, err := clientset.CoreV1().Services(namespace).Get(secureServiceName, metav1.GetOptions{}); errors.IsNotFound(err) { | ||
_, err = clientset.CoreV1().Services(namespace).Create(service) | ||
if err != nil { | ||
log.Fatal("Failed when attempting to create service: ", err) | ||
} | ||
} else { | ||
// Cannot naively copy spec, as clusterIP is unmodifiable | ||
clusterIP := clusterService.Spec.ClusterIP | ||
service.Spec = clusterService.Spec | ||
service.Spec.ClusterIP = clusterIP | ||
service.ResourceVersion = clusterService.ResourceVersion | ||
|
||
_, err = clientset.CoreV1().Services(namespace).Update(service) | ||
if err != nil { | ||
log.Fatal("Failed when attempting to update service: ", err) | ||
} | ||
} | ||
|
||
// Wait until it's cleaned up by the workspace-controller | ||
log.Println("Certs have been successfully created. Waiting to be cleaned up by devworkspace controller") | ||
for { | ||
} | ||
} |
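Review bot: The `Get` calls that open both create-or-update blocks (`clientset.CoreV1().ConfigMaps(namespace).Get(...)` and `clientset.CoreV1().Services(namespace).Get(...)`) only test `errors.IsNotFound(err)`, so any other failure — RBAC forbidden, timeout, API server unavailable — falls into the `else` branch and the code proceeds to `Update` with an object it never actually read; for the Service this likely copies an empty `Spec` and `ResourceVersion` from the failed result into the update. Add a middle branch so the job fails fast and visibly: `} else if err != nil { log.Fatal("Failed when attempting to get configmap: ", err) } else {`, and the same for the service. The trailing `for { }` busy-spins a CPU core for the lifetime of the pod; `select {}` blocks forever without consuming CPU, and since the comment says the pod is cleaned up externally that is all the loop needs to do. The `kubernetes.NewForConfig` error message repeats the in-cluster-config text from the call above it; `log.Fatal("Failed when attempting to create kubernetes clientset: ", err)` would point at the right step.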
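--- a/deploy/os/che-workspace-controller-cert-gen-deployment.yaml
+++ b/deploy/os/che-workspace-controller-cert-gen-deployment.yaml
@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: che-workspace-controller-cert-gen
+  namespace: che-workspace-controller
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: che-workspace-controller-cert-gen
+  template:
+    metadata:
+      labels:
+        app: che-workspace-controller-cert-gen
+      annotations:
+        kubectl.kubernetes.io/restartedAt: ""
+    spec:
+      serviceAccountName: che-workspace-controller
+      containers:
+      - name: che-workspace-controller-cert-gen
+        image: quay.io/che-incubator/che-workspace-controller-cert-gen:latest
+        imagePullPolicy: Always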
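Review bot: `image: quay.io/che-incubator/che-workspace-controller-cert-gen:latest` together with `imagePullPolicy: Always` means every pod restart pulls whatever the mutable `latest` tag currently points at, so the code that runs with this service account's privileges cannot be pinned or audited from the manifest; pin a versioned tag or an `@sha256:` digest (value taken from the published image, not shown here). The pod reuses `serviceAccountName: che-workspace-controller`, presumably the operator's own account, while the cert-gen binary only needs create/update on ConfigMaps and Services in its namespace; a dedicated service account bound to a role limited to those verbs would keep the rest of the operator's RBAC out of this pod (the binding is not in this section, so the current grant is inferred). No `resources` requests/limits or `securityContext` are set on the container; a memory limit and `allowPrivilegeEscalation: false` would be cheap hardening. The `kubectl.kubernetes.io/restartedAt: ""` annotation is normally written by `kubectl rollout restart`; if it is pre-declared so the controller can bump it to trigger a restart, a one-line comment saying so would spare the next reader the guess.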