Add CA certificate bundle distributor to conduit install #675

Merged
merged 6 commits into from
Jun 21, 2018
5 changes: 3 additions & 2 deletions Gopkg.lock


2 changes: 1 addition & 1 deletion cli/Dockerfile-bin
@@ -1,5 +1,5 @@
## compile binaries
FROM gcr.io/runconduit/go-deps:c934e1ab as golang
FROM gcr.io/runconduit/go-deps:bca359b1 as golang
WORKDIR /go/src/github.com/runconduit/conduit
COPY cli cli
COPY controller/k8s controller/k8s
12 changes: 12 additions & 0 deletions cli/cmd/install.go
Expand Up @@ -32,6 +32,7 @@ type installConfig struct {
CreatedByAnnotation string
ProxyAPIPort uint
EnableTLS bool
CertificateBundleName string
}

type installOptions struct {
Expand Down Expand Up @@ -105,6 +106,7 @@ func validateAndBuildConfig(options *installOptions) (*installConfig, error) {
CreatedByAnnotation: k8s.CreatedByAnnotation,
ProxyAPIPort: options.proxyAPIPort,
EnableTLS: options.enableTLS,
CertificateBundleName: k8s.CertificateBundleName,
}, nil
}

Expand All @@ -118,6 +120,16 @@ func render(config installConfig, w io.Writer, options *installOptions) error {
if err != nil {
return err
}
if config.EnableTLS {
tlsTemplate, err := template.New("conduit").Parse(install.TlsTemplate)
if err != nil {
return err
}
err = tlsTemplate.Execute(buf, config)
if err != nil {
return err
}
}
injectOptions := newInjectOptions()
injectOptions.proxyConfigOptions = options.proxyConfigOptions
return InjectYAML(buf, w, injectOptions)
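Review bot: The new `CertificateBundleName` field on `installConfig` has no comment, and in template.go its value is substituted unquoted into YAML (`resourceNames: [{{.CertificateBundleName}}]`), so a future value containing YAML-significant characters would silently change the rendered ClusterRole rather than fail. I'd record that constraint on the field: `// CertificateBundleName names the ConfigMap the CA distributor may update; it is rendered unquoted into YAML, so it must be a plain DNS-1123 name.` The TLS template is only appended when `config.EnableTLS` is set, which matches the intent, but `render`'s signature and the start of its body, as well as the `installConfig` struct header, lie outside this hunk.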
1 change: 1 addition & 0 deletions cli/cmd/install_test.go
Expand Up @@ -37,6 +37,7 @@ func TestRender(t *testing.T) {
CreatedByAnnotation: "CreatedByAnnotation",
ProxyAPIPort: 123,
EnableTLS: true,
CertificateBundleName: "CertificateBundleName",
}

testCases := []struct {
6 changes: 2 additions & 4 deletions cli/cmd/testdata/install_default.golden
100755 → 100644
Expand Up @@ -12,7 +12,7 @@ metadata:
name: conduit-controller
namespace: conduit

### RBAC ###
### Controller RBAC ###
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
Expand All @@ -31,7 +31,6 @@ kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: conduit-controller
namespace: conduit
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
Expand All @@ -49,7 +48,7 @@ metadata:
name: conduit-prometheus
namespace: conduit

### RBAC ###
### Prometheus RBAC ###
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
Expand All @@ -65,7 +64,6 @@ kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: conduit-prometheus
namespace: conduit
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
135 changes: 131 additions & 4 deletions cli/cmd/testdata/install_output.golden
Expand Up @@ -12,7 +12,7 @@ metadata:
name: conduit-controller
namespace: Namespace

### RBAC ###
### Controller RBAC ###
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
Expand All @@ -31,7 +31,6 @@ kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: conduit-controller
namespace: Namespace
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
Expand All @@ -49,7 +48,7 @@ metadata:
name: conduit-prometheus
namespace: Namespace

### RBAC ###
### Prometheus RBAC ###
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
Expand All @@ -65,7 +64,6 @@ kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: conduit-prometheus
namespace: Namespace
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
Expand Down Expand Up @@ -789,4 +787,133 @@ data:
options:
path: /var/lib/grafana/dashboards
homeDashboardId: conduit-top-line

### Service Account CA ###
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: conduit-ca
namespace: Namespace

### CA RBAC ###
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: conduit-ca
rules:
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create"]
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: [CertificateBundleName]
verbs: ["update"]
- apiGroups: [""]
resources: ["pods", "configmaps"]
verbs: ["list", "get", "watch"]

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: conduit-ca
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: conduit-ca
subjects:
- kind: ServiceAccount
name: conduit-ca
namespace: Namespace

### CA Distributor ###
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
annotations:
CreatedByAnnotation: CliVersion
creationTimestamp: null
labels:
ControllerComponentLabel: ca-bundle-distributor
name: ca-bundle-distributor
namespace: Namespace
spec:
replicas: 1
strategy: {}
template:
metadata:
annotations:
CreatedByAnnotation: CliVersion
conduit.io/created-by: conduit/cli undefined
conduit.io/proxy-version: undefined
creationTimestamp: null
labels:
ControllerComponentLabel: ca-bundle-distributor
conduit.io/control-plane-ns: Namespace
conduit.io/proxy-deployment: ca-bundle-distributor
spec:
containers:
- args:
- ca-distributor
- -controller-namespace=Namespace
- -log-level=ControllerLogLevel
- -logtostderr=true
image: ControllerImage
imagePullPolicy: ImagePullPolicy
name: ca-distributor
resources: {}
- env:
- name: CONDUIT_PROXY_LOG
value: warn,conduit_proxy=info
- name: CONDUIT_PROXY_BIND_TIMEOUT
value: 10s
- name: CONDUIT_PROXY_CONTROL_URL
value: tcp://proxy-api.Namespace.svc.cluster.local:8086
- name: CONDUIT_PROXY_CONTROL_LISTENER
value: tcp://0.0.0.0:4190
- name: CONDUIT_PROXY_METRICS_LISTENER
value: tcp://0.0.0.0:4191
- name: CONDUIT_PROXY_PRIVATE_LISTENER
value: tcp://127.0.0.1:4140
- name: CONDUIT_PROXY_PUBLIC_LISTENER
value: tcp://0.0.0.0:4143
- name: CONDUIT_PROXY_POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: gcr.io/runconduit/proxy:undefined
imagePullPolicy: IfNotPresent
name: conduit-proxy
ports:
- containerPort: 4143
name: conduit-proxy
- containerPort: 4191
name: conduit-metrics
resources: {}
securityContext:
runAsUser: 2102
initContainers:
- args:
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
- "4140"
- --proxy-uid
- "2102"
- --inbound-ports-to-ignore
- 4190,4191
image: gcr.io/runconduit/proxy-init:undefined
imagePullPolicy: IfNotPresent
name: conduit-init
resources: {}
securityContext:
capabilities:
add:
- NET_ADMIN
privileged: false
serviceAccount: conduit-ca
status: {}
---
79 changes: 75 additions & 4 deletions cli/install/template.go
Expand Up @@ -15,7 +15,7 @@ metadata:
name: conduit-controller
namespace: {{.Namespace}}

### RBAC ###
### Controller RBAC ###
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
Expand All @@ -34,7 +34,6 @@ kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: conduit-controller
namespace: {{.Namespace}}
What's the motivation for removing `namespace:`?

It turns out ClusterRoleBinding resources aren't namespaced, so including a `namespace:` is misleading, since it has no effect. I realized this while adding the conduit-ca binding, and decided to update it everywhere.

roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
Expand All @@ -52,7 +51,7 @@ metadata:
name: conduit-prometheus
namespace: {{.Namespace}}

### RBAC ###
### Prometheus RBAC ###
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
Expand All @@ -68,7 +67,6 @@ kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: conduit-prometheus
namespace: {{.Namespace}}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
Expand Down Expand Up @@ -564,3 +562,76 @@ data:
path: /var/lib/grafana/dashboards
homeDashboardId: conduit-top-line
`

const TlsTemplate = `
### Service Account CA ###
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: conduit-ca
namespace: {{.Namespace}}

### CA RBAC ###
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: conduit-ca
rules:
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create"]
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: [{{.CertificateBundleName}}]
verbs: ["update"]
- apiGroups: [""]
resources: ["pods", "configmaps"]
verbs: ["list", "get", "watch"]

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: conduit-ca
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: conduit-ca
subjects:
- kind: ServiceAccount
name: conduit-ca
namespace: {{.Namespace}}

### CA Distributor ###
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
name: ca-bundle-distributor
namespace: {{.Namespace}}
labels:
{{.ControllerComponentLabel}}: ca-bundle-distributor
annotations:
{{.CreatedByAnnotation}}: {{.CliVersion}}
spec:
replicas: {{.ControllerReplicas}}
template:
metadata:
labels:
{{.ControllerComponentLabel}}: ca-bundle-distributor
annotations:
{{.CreatedByAnnotation}}: {{.CliVersion}}
spec:
serviceAccount: conduit-ca
containers:
- name: ca-distributor
image: {{.ControllerImage}}
imagePullPolicy: {{.ImagePullPolicy}}
args:
- "ca-distributor"
- "-controller-namespace={{.Namespace}}"
- "-log-level={{.ControllerLogLevel}}"
- "-logtostderr=true"
`
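Review bot: The `conduit-ca` ClusterRole in `TlsTemplate` grants `list`, `get` and `watch` on `configmaps` and `pods` in every namespace with no `resourceNames` restriction, so the distributor's service account can read any ConfigMap in the cluster, not only the bundle it manages; only the `update` rule is pinned to `{{.CertificateBundleName}}`. If the distributor only needs to observe its own bundle and the namespaces it copies into, `get`/`watch` could carry the same `resourceNames` (`list` cannot be restricted that way and would need its own justification), or a comment above the rule should record why cluster-wide read is required. Cluster-wide `create` on configmaps is unavoidable here, since `create` cannot be scoped by `resourceNames`. Separately, the Deployment's `serviceAccount: conduit-ca` uses the deprecated spelling of the pod field; `serviceAccountName: conduit-ca` is the current one.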
2 changes: 1 addition & 1 deletion controller/Dockerfile
@@ -1,5 +1,5 @@
## compile controller services
FROM gcr.io/runconduit/go-deps:c934e1ab as golang
FROM gcr.io/runconduit/go-deps:bca359b1 as golang
WORKDIR /go/src/github.com/runconduit/conduit
COPY controller/gen controller/gen
COPY pkg pkg