Allow DNS resolution of the runner in all k8s setup

syalioune · Aug 6, 2023 · e107963 · e107963
1 parent 7a638d5
commit e107963
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 10 deletions.
diff --git a/api/v1alpha2/terraform_types.go b/api/v1alpha2/terraform_types.go
@@ -19,6 +19,7 @@ package v1alpha2
 import (
 	"bytes"
 	"fmt"
+	"net"
 	"strings"
 	"time"
 	"unicode/utf8"
@@ -866,9 +867,13 @@ func (in *Terraform) FromBytes(b []byte, scheme *runtime.Scheme) error {
 		), b, in)
 }
 
-func (in *Terraform) GetRunnerHostname(ip string, clusterDomain string) string {
-	prefix := strings.ReplaceAll(ip, ".", "-")
-	return fmt.Sprintf("%s.%s.pod.%s", prefix, in.Namespace, clusterDomain)
+func (in *Terraform) GetRunnerHostname(target string, clusterDomain string) string {
+	if net.ParseIP(target) != nil {
+		prefix := strings.ReplaceAll(target, ".", "-")
+		return fmt.Sprintf("%s.%s.pod.%s", prefix, in.Namespace, clusterDomain)
+	} else {
+		return fmt.Sprintf("%s.tf-runner.%s.svc.%s", target, in.Namespace, clusterDomain)
+	}
 }
 
 func (in *TerraformSpec) GetAlwaysCleanupRunnerPod() bool {

diff --git a/charts/tf-controller/templates/runner-discovery-service.yaml b/charts/tf-controller/templates/runner-discovery-service.yaml
@@ -0,0 +1,16 @@
+{{- range include "tf-controller.runner.allowedNamespaces" . | fromJsonArray }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: tf-runner
+  namespace: {{ . }}
+spec:
+  clusterIP: None
+  ports:
+  - name: grpc
+    port: 30000
+  selector:
+    app.kubernetes.io/created-by: tf-controller
+		app.kubernetes.io/name: tf-runner
+{{- end }}
diff --git a/controllers/tf_controller_runner.go b/controllers/tf_controller_runner.go
@@ -94,8 +94,9 @@ func (r *TerraformReconciler) LookupOrCreateRunner(ctx context.Context, terrafor
 			traceLog.Error(err, "Hit an error")
 			return nil, nil, err
 		}
-		traceLog.Info("Get pod hostname", "pod-ip", podIP)
-		hostname = terraform.GetRunnerHostname(podIP, r.ClusterDomain)
+		traceLog.Info("Get pod ip", "pod-ip", podIP)
+		traceLog.Info("Get pod hostname", "pod-hostname", terraform.Name)
+		hostname = terraform.GetRunnerHostname(terraform.Name, r.ClusterDomain)
 	}
 
 	traceLog.Info("Pod hostname set", "hostname", hostname)
@@ -233,6 +234,8 @@ func (r *TerraformReconciler) runnerPodSpec(terraform infrav1.Terraform, tlsSecr
 	}
 
 	return v1.PodSpec{
+		Hostname:                      terraform.Name,
+		Subdomain:                     "tf-runner",
 		TerminationGracePeriodSeconds: gracefulTermPeriod,
 		InitContainers:                terraform.Spec.RunnerPodTemplate.Spec.InitContainers,
 		Containers: []v1.Container{

diff --git a/mtls/rotator.go b/mtls/rotator.go
@@ -455,7 +455,7 @@ func (cr *CertRotator) refreshCertsInMemory() error {
 	}
 
 	// create controller-side certificate
-	cert, key, err := cr.createCertPEM(caArtifacts, cr.DNSName, begin, end)
+	cert, key, err := cr.createCertPEM(caArtifacts, []string{cr.DNSName}, begin, end)
 	if err != nil {
 		return err
 	}
@@ -571,8 +571,8 @@ func (cr *CertRotator) createCACert(begin, end time.Time) (*KeyPairArtifacts, er
 
 // createCertPEM takes the results of createCACert and uses it to create the
 // PEM-encoded public certificate and private key, respectively.
-func (cr *CertRotator) createCertPEM(ca *KeyPairArtifacts, hostname string, begin, end time.Time) ([]byte, []byte, error) {
-	dnsNames := []string{hostname}
+func (cr *CertRotator) createCertPEM(ca *KeyPairArtifacts, hostnames []string, begin, end time.Time) ([]byte, []byte, error) {
+	dnsNames := hostnames
 	if os.Getenv("INSECURE_LOCAL_RUNNER") == "1" {
 		dnsNames = append(dnsNames, "localhost")
 	}
@@ -643,8 +643,11 @@ func (cr *CertRotator) generateNamespaceTLS(namespace string) (*corev1.Secret, e
 	artifactCache := cr.artifactCaches[n-1]
 	caArtifacts := artifactCache.ca
 
-	hostname := fmt.Sprintf("*.%s.pod.%s", namespace, cr.ClusterDomain)
-	cert, key, err := cr.createCertPEM(caArtifacts, hostname, time.Now().Add(-1*time.Hour), caArtifacts.validUntil)
+	hostnames := []string{
+		fmt.Sprintf("*.%s.pod.%s", namespace, cr.ClusterDomain),
+		fmt.Sprintf("*.tf-runner.%s.svc.%s", namespace, cr.ClusterDomain),
+	}
+	cert, key, err := cr.createCertPEM(caArtifacts, hostnames, time.Now().Add(-1*time.Hour), caArtifacts.validUntil)
 	if err != nil {
 		return nil, err
 	}