fix: correct konnectivity certs (#83)

bedag · Apr 17, 2023 · 54e2a51 · 54e2a51
1 parent beef8c3
commit 54e2a51
Show file tree

Hide file tree

Showing 14 changed files with 68 additions and 49 deletions.
diff --git a/charts/vcluster/Chart.yaml b/charts/vcluster/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: vcluster
 description: Virtual Kubernetes Cluster
 type: application
-version: 0.2.0
+version: 0.2.1
 appVersion: 0.1.0
 keywords:
   - vcluster

diff --git a/charts/vcluster/README.md b/charts/vcluster/README.md
@@ -2,7 +2,7 @@
 
 __This Chart is under active development! We try to improve documentation and values consistency over time__
 
-![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.2.1](https://img.shields.io/badge/Version-0.2.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 Virtual Kubernetes Cluster
 
@@ -152,35 +152,38 @@ We use a lifecycle Job/Cronjob to manage certain configurations within the vclus
 | lifecycle.cilium.enabled | bool | `true` | Install Cilium CNI |
 | lifecycle.cilium.on_install | bool | `true` | Install only on chart install (First install) |
 | lifecycle.cilium.version | string | `"1.9.18"` | Cilium version |
-| lifecycle.cleanup.enabled | bool | `true` | Enable/Disable Cleanup |
+| lifecycle.cleanup.annotations | object | `{"helm.sh/hook":"pre-delete","helm.sh/hook-delete-policy":"before-hook-creation"}` | Job Annotations |
+| lifecycle.cleanup.enabled | bool | `false` | Enable/Disable Cleanup |
+| lifecycle.cleanup.labels | object | `{}` | Job Labels |
+| lifecycle.current.cleanupScript | string | `nil` | Additional configuration script for the vcluster during cleanup (supports templating) |
 | lifecycle.current.extraManifests | object | See values.yaml | These manifests will be applied inside the cluster (supports templating) |
 | lifecycle.current.extraManifestsOnInstall | object | See values.yaml | These manifests will be applied inside the cluster, but only on $.Release.Install and wont be touched again (supports templating) |
-| lifecycle.current.script | string | `nil` | Additional configuration script for the current cluster (supports templating) |
-| lifecycle.job.affinity | object | `{}` | Affinity |
-| lifecycle.job.annotations | object | `{"helm.sh/hook":"post-install,post-upgrade","helm.sh/hook-delete-policy":"before-hook-creation"}` | Job Annotations |
-| lifecycle.job.extraVolumeMounts | list | `[]` | Additional Pod VolumeMounts |
-| lifecycle.job.extraVolumes | list | `[]` | Additional Pod Volumes |
-| lifecycle.job.failedJobsHistoryLimit | int | `3` | Cronjob failed jobs history limit |
-| lifecycle.job.image | object | `{"digest":"","pullPolicy":"Always","pullSecrets":[],"registry":"registry-group.mgmtbi.ch","repository":"sre/gitops/cluster_bootstrap","tag":"dev.clusterbuild"}` | Run Installer Jobs again (Only execute on Helm install) |
-| lifecycle.job.labels | object | `{}` | Job Labels |
-| lifecycle.job.nodeSelector | object | `{}` | Node Selector |
-| lifecycle.job.podAnnotations | object | `{}` | Pod Annotations |
-| lifecycle.job.podLabels | object | `{}` | Pod Labels |
-| lifecycle.job.podSecurityContext | object | `{"enabled":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Pod Security Context |
-| lifecycle.job.priorityClassName | string | `""` | Pod PriorityClassName |
-| lifecycle.job.reconciler | bool | `true` | Deploy as Cronjob to run periodically |
-| lifecycle.job.resources | object | `{}` | Resources configuration |
-| lifecycle.job.schedule | string | `"0 0 1 */6 *"` | Cronjob Schedule |
-| lifecycle.job.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"enabled":true,"privileged":false,"runAsGroup":20000,"runAsUser":20000}` | Container Security Context |
-| lifecycle.job.successfulJobsHistoryLimit | int | `3` | Cronjob successful jobs history limit |
-| lifecycle.job.tolerations | list | `[]` | Tolerations |
-| lifecycle.job.topologySpreadConstraints | list | `[]` | TopologySpreadConstraints |
+| lifecycle.current.setupScript | string | `nil` | Additional configuration script for the current cluster (supports templating) |
+| lifecycle.jobs.affinity | object | `{}` | Affinity |
+| lifecycle.jobs.extraVolumeMounts | list | `[]` | Additional Pod VolumeMounts |
+| lifecycle.jobs.extraVolumes | list | `[]` | Additional Pod Volumes |
+| lifecycle.jobs.nodeSelector | object | `{}` | Node Selector |
+| lifecycle.jobs.podAnnotations | object | `{}` | Pod Annotations |
+| lifecycle.jobs.podLabels | object | `{}` | Pod Labels |
+| lifecycle.jobs.podSecurityContext | object | `{"enabled":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Pod Security Context |
+| lifecycle.jobs.priorityClassName | string | `""` | Pod PriorityClassName |
+| lifecycle.jobs.resources | object | `{}` | Resources configuration |
+| lifecycle.jobs.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"enabled":true,"privileged":false,"runAsGroup":20000,"runAsUser":20000}` | Container Security Context |
+| lifecycle.jobs.tolerations | list | `[]` | Tolerations |
+| lifecycle.jobs.topologySpreadConstraints | list | `[]` | TopologySpreadConstraints |
 | lifecycle.serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
 | lifecycle.serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
 | lifecycle.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
+| lifecycle.setup.annotations | object | `{"helm.sh/hook":"post-install,post-upgrade","helm.sh/hook-delete-policy":"before-hook-creation"}` | Job Annotations |
+| lifecycle.setup.cronjob | bool | `true` | Deploy as Cronjob to run periodically |
+| lifecycle.setup.failedJobsHistoryLimit | int | `3` | Cronjob failed jobs history limit |
+| lifecycle.setup.labels | object | `{}` | Job Labels |
+| lifecycle.setup.schedule | string | `"0 0 1 */6 *"` | Cronjob Schedule |
+| lifecycle.setup.successfulJobsHistoryLimit | int | `3` | Cronjob successful jobs history limit |
+| lifecycle.vcluster.cleanupScript | string | `nil` | Additional configuration script for the vcluster during cleanup (supports templating) |
 | lifecycle.vcluster.extraManifests | object | See values.yaml | These manifests will be applied inside the vcluster (supports templating) |
 | lifecycle.vcluster.extraManifestsOnInstall | object | See values.yaml | These manifests will be applied inside the vcluster, but only on $.Release.Install and wont be touched again (supports templating) |
-| lifecycle.vcluster.script | string | `nil` | Additional configuration script for the vcluster (supports templating) |
+| lifecycle.vcluster.setupScript | string | `nil` | Additional configuration script for the vcluster during reconciler (supports templating) |
 
 ## Machine Values
 

diff --git a/charts/vcluster/ci/test-values.yaml → charts/vcluster/ci/components-values.yaml b/charts/vcluster/ci/test-values.yaml → charts/vcluster/ci/components-values.yaml
diff --git a/charts/vcluster/ci/konnectivity-default-values.yaml b/charts/vcluster/ci/konnectivity-default-values.yaml
@@ -0,0 +1,14 @@
+kubernetes:
+  enabled: true
+  apiServer:
+    service:
+      type: LoadBalancer
+  controlPlane:
+    endpoint: 0.0.0.0
+  konnectivity:
+    server:
+      enabled: true
+      service:
+        type: LoadBalancer
+    agent:
+      enabled: true
diff --git a/charts/vcluster/manifests/kubernetes/konnectivity-agent.yaml b/charts/vcluster/manifests/kubernetes/konnectivity-agent.yaml
@@ -1,5 +1,5 @@
+{{- $kubernetes := $.Values.kubernetes -}}
 {{- if and $kubernetes.konnectivity.enabled $kubernetes.konnectivity.agent.enabled }}
-  {{- $kubernetes := $.Values.kubernetes -}}
   {{- $fullName := include "kubernetes.fullname" . -}}
 ---
 apiVersion: v1
@@ -115,23 +115,27 @@ spec:
         - --service-account-token-path=/var/run/secrets/tokens/konnectivity-agent-token
 
         {{- if not (hasKey $kubernetes.konnectivity.agent.args "proxy-server-host") }}
-        {{- if and (eq $kubernetes.konnectivity.server.mode "HTTPConnect") $kubernetes.konnectivity.server.service.loadBalancerIP }}
+          {{- if and $kubernetes.konnectivity.server.sidecar (include "kubernetes.api.endpointIP" $) }}
+        - --proxy-server-host={{ include "kubernetes.api.endpointIP" $ }}
+          {{- else if and (eq $kubernetes.konnectivity.server.mode "HTTPConnect") $kubernetes.konnectivity.server.service.loadBalancerIP }}
         - --proxy-server-host={{ $kubernetes.konnectivity.server.service.loadBalancerIP }}
-        {{- else if and (eq $kubernetes.konnectivity.server.mode "GRPC") $kubernetes.apiServer.service.loadBalancerIP }}
+          {{- else if and (eq $kubernetes.konnectivity.server.mode "GRPC") $kubernetes.apiServer.service.loadBalancerIP }}
         - --proxy-server-host={{ $kubernetes.apiServer.service.loadBalancerIP }}
-        {{- else }}
-        {{- fail "kubernetes.konnectivity.agent.args.proxy-server-host must be specified!" }}
-        {{- end }}
+          {{- else }}
+            {{- fail "kubernetes.konnectivity.agent.args.proxy-server-host must be specified!" }}
+          {{- end }}
         {{- end }}
 
         {{- if not (hasKey $kubernetes.konnectivity.agent.args "proxy-server-port") }}
-        {{- if eq $kubernetes.konnectivity.server.service.type "LoadBalancer" }}
+          {{- if and $kubernetes.konnectivity.server.sidecar (include "kubernetes.api.endpointPort" $) }}
+        - --proxy-server-port={{ include "kubernetes.api.endpointPort" $ }}
+          {{- else if eq $kubernetes.konnectivity.server.service.type "LoadBalancer" }}
         - --proxy-server-port={{ $kubernetes.konnectivity.server.service.ports.agent }}
-        {{- else if $kubernetes.konnectivity.server.service.NodePort }}
+          {{- else if $kubernetes.konnectivity.server.service.NodePort }}
         - --proxy-server-port={{ $kubernetes.konnectivity.server.service.nodePorts.agent }}
-        {{- else }}
-        {{- fail "kubernetes.konnectivity.agent.args.proxy-server-port must be specified!" }}
-        {{- end }}
+          {{- else }}
+            {{- fail "kubernetes.konnectivity.agent.args.proxy-server-port must be specified!" }}
+          {{- end }}
         {{- end }}
         - --admin-server-port={{ $kubernetes.konnectivity.agent.ports.admin }}
         - --health-server-port={{ $kubernetes.konnectivity.agent.ports.health }}

diff --git a/charts/vcluster/templates/components/kubernetes/apiserver/certs.yaml b/charts/vcluster/templates/components/kubernetes/apiserver/certs.yaml
@@ -25,8 +25,7 @@ spec:
   - "cert sign"
   isCA: true
   issuerRef:
-    name: "{{ $fullName }}-selfsigning-issuer"
-    kind: Issuer
+    {{- include "pkg.components.certificates.issuer" $ | nindent 4 }}
 ---
 apiVersion: cert-manager.io/v1
 kind: Issuer

diff --git a/charts/vcluster/templates/components/kubernetes/etcd/certs.yaml b/charts/vcluster/templates/components/kubernetes/etcd/certs.yaml
@@ -25,8 +25,7 @@ spec:
   - "cert sign"
   isCA: true
   issuerRef:
-    name: "{{ $fullName }}-selfsigning-issuer"
-    kind: Issuer
+    {{- include "pkg.components.certificates.issuer" $ | nindent 4 }}
 ---
 apiVersion: cert-manager.io/v1
 kind: Issuer

diff --git a/charts/vcluster/templates/components/kubernetes/konnectivity/certs.yaml b/charts/vcluster/templates/components/kubernetes/konnectivity/certs.yaml
@@ -26,8 +26,7 @@ spec:
   - "cert sign"
   isCA: true
   issuerRef:
-    name: "{{ $fullName }}-selfsigning-issuer"
-    kind: Issuer
+    {{- include "pkg.components.certificates.issuer" $ | nindent 4 }}
 ---
 apiVersion: cert-manager.io/v1
 kind: Issuer

diff --git a/charts/vcluster/templates/components/kubernetes/konnectivity/manifests.yaml b/charts/vcluster/templates/components/kubernetes/konnectivity/manifests.yaml
@@ -1,6 +1,5 @@
-{{/* Always deploy manifests (required for removals */}}
+{{- $kubernetes := $.Values.kubernetes -}}
 {{- if (include "kubernetes.enabled" $) -}}
-  {{- $kubernetes := $.Values.kubernetes -}}
   {{- $fullName := include "kubernetes.fullname" . -}}
   {{- $component_name := "konnectivity" -}}
   {{- if $kubernetes.konnectivity.enabled -}}

diff --git a/charts/vcluster/templates/components/kubernetes/kubernetes-certs.yaml b/charts/vcluster/templates/components/kubernetes/kubernetes-certs.yaml
@@ -59,7 +59,7 @@ spec:
   - "cert sign"
   isCA: true
   issuerRef:
-    name: "{{ $fullName }}-selfsigning-issuer"
+    name: "{{ $fullName }}-issuer"
     kind: Issuer
 ---
 {{- $svcName1 := printf "%s-controller-manager" $fullName }}

diff --git a/...luster/templates/ingress/certificate.yaml → ...cluster/templates/expose/certificate.yaml b/...luster/templates/ingress/certificate.yaml → ...cluster/templates/expose/certificate.yaml
diff --git a/...ts/vcluster/templates/ingress/issuer.yaml → charts/vcluster/templates/expose/issuer.yaml b/...ts/vcluster/templates/ingress/issuer.yaml → charts/vcluster/templates/expose/issuer.yaml
@@ -3,7 +3,7 @@
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
-  name:  {{ include "vcluster.fullname" $ }}-self-signed
+  name:  {{ include "pkg.components.certificates.default_issuer" $ }}
   namespace: {{ .Release.Namespace }}
   labels:
     {{- include "vcluster.labels" $  | nindent 4 }}

diff --git a/charts/vcluster/templates/lifecycle/cronjob.yaml b/charts/vcluster/templates/lifecycle/cronjob.yaml
@@ -30,5 +30,6 @@ spec:
         {{- end }}
     spec:
       template:
-      {{- (include (print $.Template.BasePath "/lifecycle/job.yaml") . | fromYaml ).spec.template | toYaml | nindent 8 }}
+      {{- (include (print $.Template.BasePath "/lifecycle/setup.yaml") . | fromYaml ).spec.template | toYaml | nindent 8 }}
 {{- end -}}
+
diff --git a/charts/vcluster/templates/pkg/_components.tpl b/charts/vcluster/templates/pkg/_components.tpl
@@ -208,17 +208,18 @@
   {{- end -}}
 {{- end -}}
 
+{{- define "pkg.components.certificates.default_issuer" -}}
+{{ include "pkg.cluster.name" $ }}-self-signed
+{{- end -}}
 
 
 
-$.Values.global.components.admission.expose
-
 {{- define "pkg.components.certificates.issuer" -}}
   {{- $components := $.Values.global.components -}}
   {{- with $components.exposure.certificates.issuer }}
     {{- if .selfSigned }}
 kind: Issuer
-name: {{ include "vcluster.fullname" $ }}-self-signed
+name: {{ include "pkg.components.certificates.default_issuer" $ }}
     {{- else }}
 kind: {{ .kind }}
 name: {{ default (include "vcluster.fullname" $) .name }}