From 2c7f99bb4261e5e5c0c5be15fad1a402f76cd85c Mon Sep 17 00:00:00 2001 From: Doug Goldstein Date: Thu, 21 Mar 2024 09:25:28 -0500 Subject: [PATCH 01/10] feat: change namespace creation from a component Each component and operator includes some bits to create the namespace it lives in. For ArgoCD, we don't need a component to create the namespace but instead use it's functionality to create the namespaces. --- apps/components/argo-events.yaml | 2 ++ apps/components/argo-workflows.yaml | 2 ++ apps/components/dexidp.yaml | 2 ++ apps/components/ironic.yaml | 6 ++++++ apps/components/keystone.yaml | 6 ++++++ apps/components/kustomization.yaml | 1 - apps/components/mariadb.yaml | 2 ++ apps/components/memcached.yaml | 2 ++ apps/components/namespaces.yaml | 16 ---------------- apps/components/nautobot-redis.yaml | 2 ++ apps/components/nautobot.yaml | 2 ++ apps/components/postgres-db.yaml | 2 ++ apps/components/rabbitmq-cluster.yaml | 2 ++ apps/operators/mariadb-operator.yaml | 1 + apps/operators/messaging-topology-operator.yaml | 1 + apps/operators/postgres-operator.yaml | 1 + apps/operators/rabbitmq-operator.yaml | 1 + components/00-namespaces/argo-workflows.yaml | 8 -------- components/00-namespaces/dexidp.yaml | 5 ----- components/00-namespaces/kustomization.yaml | 8 -------- components/00-namespaces/nautobot.yaml | 5 ----- components/00-namespaces/openstack.yaml | 8 -------- docs/install-understack-ubuntu-k3s.md | 3 ++- 23 files changed, 36 insertions(+), 52 deletions(-) delete mode 100644 apps/components/namespaces.yaml delete mode 100644 components/00-namespaces/argo-workflows.yaml delete mode 100644 components/00-namespaces/dexidp.yaml delete mode 100644 components/00-namespaces/kustomization.yaml delete mode 100644 components/00-namespaces/nautobot.yaml delete mode 100644 components/00-namespaces/openstack.yaml diff --git a/apps/components/argo-events.yaml b/apps/components/argo-events.yaml index e897c450d..d9110cd76 100644 --- a/apps/components/argo-events.yaml 
+++ b/apps/components/argo-events.yaml @@ -14,3 +14,5 @@ spec: syncPolicy: automated: selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/apps/components/argo-workflows.yaml b/apps/components/argo-workflows.yaml index 515d4d805..7d9d35bc4 100644 --- a/apps/components/argo-workflows.yaml +++ b/apps/components/argo-workflows.yaml @@ -14,3 +14,5 @@ spec: syncPolicy: automated: selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/apps/components/dexidp.yaml b/apps/components/dexidp.yaml index ace7d1229..374a76a89 100644 --- a/apps/components/dexidp.yaml +++ b/apps/components/dexidp.yaml @@ -14,3 +14,5 @@ spec: syncPolicy: automated: selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/apps/components/ironic.yaml b/apps/components/ironic.yaml index e2fe211f0..17da098fd 100644 --- a/apps/components/ironic.yaml +++ b/apps/components/ironic.yaml @@ -14,3 +14,9 @@ spec: syncPolicy: automated: selfHeal: true + syncOptions: + - CreateNamespace=true + managedNamespaceMetadata: + labels: + kubernetes.io/metadata.name: openstack + name: openstack diff --git a/apps/components/keystone.yaml b/apps/components/keystone.yaml index f87b2d3e9..72617b098 100644 --- a/apps/components/keystone.yaml +++ b/apps/components/keystone.yaml @@ -14,3 +14,9 @@ spec: syncPolicy: automated: selfHeal: true + syncOptions: + - CreateNamespace=true + managedNamespaceMetadata: + labels: + kubernetes.io/metadata.name: openstack + name: openstack diff --git a/apps/components/kustomization.yaml b/apps/components/kustomization.yaml index 912f9d7a7..bb0a3e5e2 100644 --- a/apps/components/kustomization.yaml +++ b/apps/components/kustomization.yaml @@ -5,7 +5,6 @@ namespace: argocd resources: - argocd-understack-project.yaml - - namespaces.yaml - mariadb.yaml - rabbitmq-cluster.yaml - memcached.yaml diff --git a/apps/components/mariadb.yaml b/apps/components/mariadb.yaml index 7a7cb092b..a266ef3a3 100644 --- a/apps/components/mariadb.yaml 
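Review bot: The ironic and keystone hunks each add `managedNamespaceMetadata` for the same `openstack` namespace, and Argo CD's namespace-metadata management is built around one owning Application per namespace; if the two label sets ever diverge, each sync will rewrite the other's labels, so keep the block in one Application (or in a dedicated namespace Application) and leave the other at `CreateNamespace=true` only. The labels carried over are just the name labels from the deleted `components/00-namespaces/openstack.yaml`; now that nothing else defines this namespace, this is also the natural place for Pod Security Admission labels such as `pod-security.kubernetes.io/enforce: baseline`, provided the OpenStack Helm workloads tolerate that level - not verifiable from this diff. The remaining hunks on this line only add `CreateNamespace=true`, which relies on the AppProject permitting cluster-scoped `Namespace` creation.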
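Review bot: Dropping `namespaces.yaml` from the resource list removes the only thing that created the `dex` and `argo` namespaces before Argo CD syncs the components, and the secrets bootstrap still targets them: the generator script later in this series writes `secret-nautobot-sso-dex.yaml` and `secret-argo-sso-{argo,argo-events,argocd,dex}.yaml`, so `kubectl apply -k components/01-secrets/` fails on a missing namespace unless those are created by hand. The install doc in this patch only adds `kubectl create ns openstack` and `kubectl create ns nautobot`; either extend that list with `dex` and `argo`, or reorder the bootstrap so the Applications' `CreateNamespace=true` runs before the sealed secrets are applied. This is inferred from the `for ns in ...` loops visible in patch 09; confirm which encrypted secrets actually land in `components/01-secrets/`.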
+++ b/apps/components/mariadb.yaml @@ -14,3 +14,5 @@ spec: syncPolicy: automated: selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/apps/components/memcached.yaml b/apps/components/memcached.yaml index 1ae5ff004..de1628be0 100644 --- a/apps/components/memcached.yaml +++ b/apps/components/memcached.yaml @@ -14,3 +14,5 @@ spec: syncPolicy: automated: selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/apps/components/namespaces.yaml b/apps/components/namespaces.yaml deleted file mode 100644 index b5e740961..000000000 --- a/apps/components/namespaces.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: namespaces -spec: - project: understack - source: - repoURL: https://github.com/rackerlabs/understack.git - path: components/00-namespaces/ - targetRevision: HEAD - destination: - server: "https://kubernetes.default.svc" - namespace: nautobot - syncPolicy: - automated: - selfHeal: true diff --git a/apps/components/nautobot-redis.yaml b/apps/components/nautobot-redis.yaml index b3aef3bb3..1234b85f5 100644 --- a/apps/components/nautobot-redis.yaml +++ b/apps/components/nautobot-redis.yaml @@ -14,3 +14,5 @@ spec: syncPolicy: automated: selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/apps/components/nautobot.yaml b/apps/components/nautobot.yaml index 447f9bb8a..82182dbd3 100644 --- a/apps/components/nautobot.yaml +++ b/apps/components/nautobot.yaml @@ -14,3 +14,5 @@ spec: syncPolicy: automated: selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/apps/components/postgres-db.yaml b/apps/components/postgres-db.yaml index 7d2a11a75..d438e0a34 100644 --- a/apps/components/postgres-db.yaml +++ b/apps/components/postgres-db.yaml @@ -14,3 +14,5 @@ spec: syncPolicy: automated: selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/apps/components/rabbitmq-cluster.yaml b/apps/components/rabbitmq-cluster.yaml index 3a02a8f51..5537668f2 100644 
--- a/apps/components/rabbitmq-cluster.yaml +++ b/apps/components/rabbitmq-cluster.yaml @@ -14,3 +14,5 @@ spec: syncPolicy: automated: selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/apps/operators/mariadb-operator.yaml b/apps/operators/mariadb-operator.yaml index aa82c312f..da3781280 100644 --- a/apps/operators/mariadb-operator.yaml +++ b/apps/operators/mariadb-operator.yaml @@ -15,4 +15,5 @@ spec: automated: selfHeal: true syncOptions: + - CreateNamespace=true - ServerSideApply=true diff --git a/apps/operators/messaging-topology-operator.yaml b/apps/operators/messaging-topology-operator.yaml index ca56c735b..e2629e783 100644 --- a/apps/operators/messaging-topology-operator.yaml +++ b/apps/operators/messaging-topology-operator.yaml @@ -15,4 +15,5 @@ spec: automated: selfHeal: true syncOptions: + - CreateNamespace=true - ServerSideApply=true diff --git a/apps/operators/postgres-operator.yaml b/apps/operators/postgres-operator.yaml index f49316b5e..465e39697 100644 --- a/apps/operators/postgres-operator.yaml +++ b/apps/operators/postgres-operator.yaml @@ -15,4 +15,5 @@ spec: automated: selfHeal: true syncOptions: + - CreateNamespace=true - ServerSideApply=true diff --git a/apps/operators/rabbitmq-operator.yaml b/apps/operators/rabbitmq-operator.yaml index 0c96cfd22..eafa59eb1 100644 --- a/apps/operators/rabbitmq-operator.yaml +++ b/apps/operators/rabbitmq-operator.yaml @@ -15,4 +15,5 @@ spec: automated: selfHeal: true syncOptions: + - CreateNamespace=true - ServerSideApply=true diff --git a/components/00-namespaces/argo-workflows.yaml b/components/00-namespaces/argo-workflows.yaml deleted file mode 100644 index 078e6e77c..000000000 --- a/components/00-namespaces/argo-workflows.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: argo - labels: - kubernetes.io/metadata.name: argo - name: argo 
diff --git a/components/00-namespaces/dexidp.yaml b/components/00-namespaces/dexidp.yaml deleted file mode 100644 index 833e4181d..000000000 --- a/components/00-namespaces/dexidp.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: dex diff --git a/components/00-namespaces/kustomization.yaml b/components/00-namespaces/kustomization.yaml deleted file mode 100644 index e4aa59b76..000000000 --- a/components/00-namespaces/kustomization.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - nautobot.yaml - - openstack.yaml - - argo-workflows.yaml - - dexidp.yaml diff --git a/components/00-namespaces/nautobot.yaml b/components/00-namespaces/nautobot.yaml deleted file mode 100644 index fc11e6b6c..000000000 --- a/components/00-namespaces/nautobot.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: nautobot diff --git a/components/00-namespaces/openstack.yaml b/components/00-namespaces/openstack.yaml deleted file mode 100644 index 1d7d0ff66..000000000 --- a/components/00-namespaces/openstack.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: openstack - labels: - kubernetes.io/metadata.name: openstack - name: openstack diff --git a/docs/install-understack-ubuntu-k3s.md b/docs/install-understack-ubuntu-k3s.md index ebda95b44..376c0f535 100644 --- a/docs/install-understack-ubuntu-k3s.md +++ b/docs/install-understack-ubuntu-k3s.md @@ -128,7 +128,8 @@ Generate secrets: ./scripts/easy-secrets-gen.sh # make the namespaces where the secrets will live -kubectl apply -k components/00-namespaces/ +kubectl create ns openstack +kubectl create ns nautobot # load the secrets kubectl apply -k components/01-secrets/ From a3b77679848aa37f89cce1b2751bceb3c31bbdd1 Mon Sep 17 00:00:00 2001 
From: Doug Goldstein Date: Thu, 21 Mar 2024 21:53:55 -0500 Subject: [PATCH 02/10] fix: create nautobot pieces together Create the nautobot pieces in one application. --- apps/components/kustomization.yaml | 1 - apps/components/nautobot-redis.yaml | 18 ------------------ apps/components/nautobot.yaml | 11 +++++++---- 3 files changed, 7 insertions(+), 23 deletions(-) delete mode 100644 apps/components/nautobot-redis.yaml diff --git a/apps/components/kustomization.yaml b/apps/components/kustomization.yaml index bb0a3e5e2..df750c397 100644 --- a/apps/components/kustomization.yaml +++ b/apps/components/kustomization.yaml @@ -9,7 +9,6 @@ resources: - rabbitmq-cluster.yaml - memcached.yaml - postgres-db.yaml - - nautobot-redis.yaml - nautobot.yaml - keystone.yaml - argo-workflows.yaml diff --git a/apps/components/nautobot-redis.yaml b/apps/components/nautobot-redis.yaml deleted file mode 100644 index 1234b85f5..000000000 --- a/apps/components/nautobot-redis.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: nautobot-redis -spec: - project: understack - source: - repoURL: https://github.com/rackerlabs/understack.git - path: components/08-nautobot-redis/ - targetRevision: HEAD - destination: - server: "https://kubernetes.default.svc" - namespace: nautobot - syncPolicy: - automated: - selfHeal: true - syncOptions: - - CreateNamespace=true diff --git a/apps/components/nautobot.yaml b/apps/components/nautobot.yaml index 82182dbd3..e1ebc1e25 100644 --- a/apps/components/nautobot.yaml +++ b/apps/components/nautobot.yaml 
@@ -4,10 +4,13 @@ metadata: name: nautobot spec: project: understack - source: - repoURL: https://github.com/rackerlabs/understack.git - path: components/09-nautobot/ - targetRevision: HEAD + sources: + - repoURL: https://github.com/rackerlabs/understack.git + path: components/08-nautobot-redis/ + targetRevision: HEAD + - repoURL: https://github.com/rackerlabs/understack.git + path: components/09-nautobot/ + targetRevision: HEAD destination: server: "https://kubernetes.default.svc" namespace: nautobot From 2a650d9973d71f2afa93621d13131ded60db0685 Mon Sep 17 00:00:00 2001 From: Doug Goldstein Date: Thu, 21 Mar 2024 20:52:22 -0500 Subject: [PATCH 03/10] fix: allow deploys into the dex namespace Allow the understack project to deploy into the dex namespace. --- apps/components/argocd-understack-project.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apps/components/argocd-understack-project.yaml b/apps/components/argocd-understack-project.yaml index 21992f0ac..2182259ca 100644 --- a/apps/components/argocd-understack-project.yaml +++ b/apps/components/argocd-understack-project.yaml @@ -16,6 +16,8 @@ spec: server: '*' - namespace: 'argo-events' server: '*' + - namespace: 'dex' + server: '*' clusterResourceWhitelist: - group: '*' kind: '*' From f188c7d7472037f7eed66216f53f9d812651d31f Mon Sep 17 00:00:00 2001 From: Doug Goldstein Date: Mon, 1 Apr 2024 12:40:49 -0500 Subject: [PATCH 04/10] fix: don't create keystone-credential-keys This secret is actually in a different format and managed by jobs and cronjobs that rotate out the value in keystone. The fact that we create this is wrong and the value is wrong. This will result in jobs failing to rotate values. --- components/01-secrets/README.md | 5 ----- scripts/easy-secrets-gen.sh | 6 ------ 2 files changed, 11 deletions(-) diff --git a/components/01-secrets/README.md b/components/01-secrets/README.md index 2594bdb0c..bdb86641f 100644 --- a/components/01-secrets/README.md +++ b/components/01-secrets/README.md 
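Review bot: Both new `sources` entries track `targetRevision: HEAD` of the public `rackerlabs/understack` repository while `automated.selfHeal` is on, so any push to that repository's default branch is deployed to the cluster with no review on the consuming side. For anything beyond a lab cluster, pin `targetRevision` to a tag or commit, as patch 07 already does for the upstream Helm charts with `0.2.10` and `0.3.7`, and bump it deliberately. The same applies to every `targetRevision: HEAD` in this series; it is raised here once.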
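Review bot: The new `dex` destination copies `server: '*'` from the existing entries, which lets any Application in the `understack` project target any cluster registered with this Argo CD instance, even though every Application under `apps/components/` pins `https://kubernetes.default.svc`; use `server: https://kubernetes.default.svc` here (and for the sibling entries) so a mistyped or hostile destination cannot reach another cluster. The visible `clusterResourceWhitelist` of `group: '*'` / `kind: '*'` also lets this project create any cluster-scoped object; if the only cluster-scoped need introduced by `CreateNamespace=true` is namespaces, narrow it to `- group: '' kind: Namespace`. Whether any understack component needs other cluster-scoped resources is not visible here - check before tightening.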
@@ -124,11 +124,6 @@ kubectl --namespace openstack \ --type Opaque \ --from-literal=password="$($(git rev-parse --show-toplevel)/scripts/pwgen.sh)" \ --dry-run -o yaml > secret-keystone-admin.yaml -kubectl --namespace openstack \ - create secret generic keystone-credential-keys \ - --type Opaque \ - --from-literal=password="$($(git rev-parse --show-toplevel)/scripts/pwgen.sh)" \ - --dry-run -o yaml > secret-keystone-credential-keys.yaml ``` Now let's seal them. diff --git a/scripts/easy-secrets-gen.sh b/scripts/easy-secrets-gen.sh index ad306fe35..b77754229 100755 --- a/scripts/easy-secrets-gen.sh +++ b/scripts/easy-secrets-gen.sh @@ -74,12 +74,6 @@ kubectl --namespace openstack \ --from-literal=password="$($(git rev-parse --show-toplevel)/scripts/pwgen.sh)" \ --dry-run=client -o yaml \ > secret-keystone-admin.yaml -kubectl --namespace openstack \ - create secret generic keystone-credential-keys \ - --type Opaque \ - --from-literal=password="$($(git rev-parse --show-toplevel)/scripts/pwgen.sh)" \ - --dry-run=client -o yaml \ - > secret-keystone-credential-keys.yaml # ironic credentials kubectl --namespace openstack \ From 87858f20aaac92700720a885d17d3d553cb98736 Mon Sep 17 00:00:00 2001 From: Doug Goldstein Date: Mon, 25 Mar 2024 12:58:50 -0500 Subject: [PATCH 05/10] fix: disable OpenStack Helm's helm.sh/hooks We don't want to enable OpenStack Helm's helm.sh/hooks because they set them as post-install,post-upgrade which in ArgoCD maps to PostSync. However the deployments and statefulsets in OpenStack Helm depend on the jobs to complete, which they can't if they set to deploy in PostSync --- components/10-keystone/aio-values.yaml | 13 +++++++++---- components/13-ironic/aio-values.yaml | 9 +++++++++ 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/components/10-keystone/aio-values.yaml b/components/10-keystone/aio-values.yaml index 63565df6a..f0e7a6180 100644 --- a/components/10-keystone/aio-values.yaml +++ b/components/10-keystone/aio-values.yaml 
@@ -1,4 +1,13 @@ --- +# we don't want to enable OpenStack Helm's +# helm.sh/hooks because they set them as +# post-install,post-upgrade which in ArgoCD +# maps to PostSync. However the deployments +# and statefulsets in OpenStack Helm +# depend on the jobs to complete, which they +# can't if they set to deploy in PostSync +helm3_hook: false + labels: api: node_selector_key: openstack-control-plane @@ -12,10 +21,6 @@ labels: release_group: null -# NOTE(gagehugo): the pre-install hook breaks upgrade for helm2 -# Set to false to upgrade using helm2 -helm3_hook: true - bootstrap: enabled: true ks_user: admin diff --git a/components/13-ironic/aio-values.yaml b/components/13-ironic/aio-values.yaml index ef58cb9be..c2be93e5a 100644 --- a/components/13-ironic/aio-values.yaml +++ b/components/13-ironic/aio-values.yaml @@ -1,5 +1,14 @@ --- +# we don't want to enable OpenStack Helm's +# helm.sh/hooks because they set them as +# post-install,post-upgrade which in ArgoCD +# maps to PostSync. However the deployments +# and statefulsets in OpenStack Helm +# depend on the jobs to complete, which they +# can't if they set to deploy in PostSync +helm3_hook: false + bootstrap: image: enabled: false From af6d1a72fc7b458ba2d39693799f267b55ee6896 Mon Sep 17 00:00:00 2001 From: Doug Goldstein Date: Mon, 25 Mar 2024 17:09:44 -0500 Subject: [PATCH 06/10] fix: configure OpenStack Helm to use our ingress We're not using the ingress controller that OpenStack Helm has for their deployment so we need to set the "use_external_ingress_controller" flag. --- components/10-keystone/aio-values.yaml | 5 +++++ components/13-ironic/aio-values.yaml | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/components/10-keystone/aio-values.yaml b/components/10-keystone/aio-values.yaml index f0e7a6180..e1bb71d0c 100644 --- a/components/10-keystone/aio-values.yaml +++ b/components/10-keystone/aio-values.yaml 
@@ -49,6 +49,11 @@ network: enabled: false port: 30357 + # configure OpenStack Helm to use Undercloud's ingress + # instead of expecting the ingress controller provided + # by OpenStack Helm + use_external_ingress_controller: true + dependencies: dynamic: common: diff --git a/components/13-ironic/aio-values.yaml b/components/13-ironic/aio-values.yaml index c2be93e5a..3b0c2a11e 100644 --- a/components/13-ironic/aio-values.yaml +++ b/components/13-ironic/aio-values.yaml @@ -56,6 +56,11 @@ network: pxe: device: ens1f0 + # configure OpenStack Helm to use Undercloud's ingress + # instead of expecting the ingress controller provided + # by OpenStack Helm + use_external_ingress_controller: true + dependencies: dynamic: common: From af08b3bf89c772df9576bca95a339fb48c3bfac6 Mon Sep 17 00:00:00 2001 From: Doug Goldstein Date: Thu, 21 Mar 2024 09:48:36 -0500 Subject: [PATCH 07/10] feat: parameterize component deployments Add parameters to component deployments to pull secrets and values from a deployment repo that customizes the configuration of these components. --- apps/components/dexidp.yaml | 13 ++++++--- apps/components/ironic.yaml | 27 ++++++++++++++++--- apps/components/keystone.yaml | 37 +++++++++++++++++++++++--- apps/components/mariadb.yaml | 13 ++++++--- apps/components/nautobot.yaml | 18 +++++++++++++ components/openstack-secrets.tpl.yaml | 38 +++++++++++++++++++++++++-- 6 files changed, 128 insertions(+), 18 deletions(-) diff --git a/apps/components/dexidp.yaml b/apps/components/dexidp.yaml index 374a76a89..9a57e09cc 100644 --- a/apps/components/dexidp.yaml +++ b/apps/components/dexidp.yaml 
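Review bot: The new comment reads "Undercloud's ingress" in both the keystone and ironic value files, but "Undercloud" is a TripleO term and this project is Understack, so it looks like a typo; suggest `# configure OpenStack Helm to use Understack's ingress`. It is also worth confirming which ingress class OpenStack Helm's helm-toolkit emits once `use_external_ingress_controller: true` is set - if it still annotates the Ingress with its own class name, the cluster's controller must honour that class or the public endpoints configured later in this series are never reachable; that cannot be determined from this diff.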
@@ -4,10 +4,15 @@ metadata: name: dexidp spec: project: understack - source: - repoURL: https://github.com/rackerlabs/understack.git - path: components/13-dexidp/ - targetRevision: HEAD + sources: + - repoURL: https://github.com/rackerlabs/understack.git + path: components/13-dexidp/ + targetRevision: HEAD + - repoURL: ${UC_DEPLOY_GIT_URL} + path: secrets/${DEPLOY_NAME}/ + targetRevision: HEAD + directory: + include: secret-nautobot-sso-dex.yaml destination: server: "https://kubernetes.default.svc" namespace: dex diff --git a/apps/components/ironic.yaml b/apps/components/ironic.yaml index 17da098fd..e143dd042 100644 --- a/apps/components/ironic.yaml +++ b/apps/components/ironic.yaml @@ -4,10 +4,29 @@ metadata: name: ironic spec: project: understack - source: - repoURL: https://github.com/rackerlabs/understack.git - path: components/13-ironic/ - targetRevision: HEAD + sources: + - repoURL: https://github.com/rackerlabs/understack.git + path: components/13-ironic/ + targetRevision: HEAD + directory: + exclude: kustomization.yaml + recurse: false + ref: understack + - repoURL: https://tarballs.opendev.org/openstack/openstack-helm/ + chart: ironic + targetRevision: 0.2.10 + helm: + releaseName: ironic + valueFiles: + - $understack/components/openstack-2023.1-jammy.yaml + - $understack/components/13-ironic/aio-values.yaml + - $secrets/secrets/${DEPLOY_NAME}/secret-openstack.yaml + - repoURL: ${UC_DEPLOY_GIT_URL} + path: secrets/${DEPLOY_NAME}/ + targetRevision: HEAD + directory: + include: 'secret-ironic-*.yaml' + ref: secrets destination: server: "https://kubernetes.default.svc" namespace: openstack diff --git a/apps/components/keystone.yaml b/apps/components/keystone.yaml index 72617b098..c40cc5d1a 100644 --- a/apps/components/keystone.yaml +++ b/apps/components/keystone.yaml 
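Review bot: The second source applies `secret-nautobot-sso-dex.yaml` from `${UC_DEPLOY_GIT_URL}` verbatim, and the generator script writes that file as a plain `kind: Secret` (it only seals into `components/01-secrets/` and exits early when `SKIP_KUBESEAL=y`), so nothing here stops a plaintext OIDC client secret from living in the deployment repository and in Argo CD's resource view. Add a comment on this source stating the expectation, e.g. `# must be a SealedSecret (or equivalent): Argo CD applies whatever is committed here`, and consider restricting the `understack` project's `sourceRepos` to the two repositories actually used. `targetRevision: HEAD` on the deploy repo also means any change to that branch head is applied immediately, so the branch needs protection.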
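Review bot: `$secrets/secrets/${DEPLOY_NAME}/secret-openstack.yaml` is consumed as a Helm values file, and the template it is rendered from (`components/openstack-secrets.tpl.yaml`) carries `password: "${...}"` entries for the Keystone, MariaDB and RabbitMQ accounts; a values file cannot be a SealedSecret, so those credentials will be committed to the deploy repository in plaintext and will show up in Argo CD's rendered manifests and parameter view. Either move the password keys into proper Secrets the chart can reference, or state on this source that the deploy repository is secret material, e.g. `# values file contains service passwords - access to the deploy repo must be restricted`. Separately, `directory.exclude: kustomization.yaml` on the understack source means every other YAML file in `components/13-ironic/` is treated as raw manifests; `aio-values.yaml` is presumably not a Kubernetes object, so confirm Argo CD tolerates it or switch to an explicit `include`.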
@@ -4,10 +4,38 @@ metadata: name: keystone spec: project: understack - source: - repoURL: https://github.com/rackerlabs/understack.git - path: components/10-keystone/ - targetRevision: HEAD + sources: + - repoURL: https://github.com/rackerlabs/understack.git + path: components/10-keystone/ + targetRevision: HEAD + directory: + exclude: kustomization.yaml + recurse: false + ref: understack + - repoURL: https://tarballs.opendev.org/openstack/openstack-helm/ + chart: keystone + targetRevision: 0.3.7 + helm: + releaseName: keystone + valueFiles: + - $understack/components/openstack-2023.1-jammy.yaml + - $understack/components/10-keystone/aio-values.yaml + - $secrets/secrets/${DEPLOY_NAME}/secret-openstack.yaml + - repoURL: ${UC_DEPLOY_GIT_URL} + path: secrets/${DEPLOY_NAME}/ + targetRevision: HEAD + directory: + include: 'secret-keystone-*.yaml' + ref: secrets + ignoreDifferences: + - kind: Secret + name: keystone-fernet-keys + jqPathExpressions: + - .data + - kind: Secret + name: keystone-credential-keys + jqPathExpressions: + - .data destination: server: "https://kubernetes.default.svc" namespace: openstack @@ -16,6 +44,7 @@ spec: selfHeal: true syncOptions: - CreateNamespace=true + - RespectIgnoreDifferences=true managedNamespaceMetadata: labels: kubernetes.io/metadata.name: openstack diff --git a/apps/components/mariadb.yaml b/apps/components/mariadb.yaml index a266ef3a3..7d0eb48b6 100644 --- a/apps/components/mariadb.yaml +++ b/apps/components/mariadb.yaml 
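Review bot: `directory.include: 'secret-keystone-*.yaml'` also matches `secret-keystone-credential-keys.yaml` and `secret-keystone-fernet-keys.yaml`, the very secrets patch 04 stopped generating because Keystone's rotation jobs own them; an operator who still has an older generated file in `secrets/${DEPLOY_NAME}/` would have it applied, and the new `ignoreDifferences` on `.data` would then mask the wrong value rather than the rotated one. Add `exclude: '{secret-keystone-fernet-keys.yaml,secret-keystone-credential-keys.yaml}'` to that source, or list the expected files explicitly. The `ignoreDifferences` entries carry no `namespace:`, so they match those Secret names in any namespace this Application touches - harmless with a single `openstack` destination, but worth pinning.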
@@ -4,10 +4,15 @@ metadata: name: mariadb spec: project: understack - source: - repoURL: https://github.com/rackerlabs/understack.git - path: components/03-mariadb/ - targetRevision: HEAD + sources: + - repoURL: https://github.com/rackerlabs/understack.git + path: components/03-mariadb/ + targetRevision: HEAD + - repoURL: ${UC_DEPLOY_GIT_URL} + path: secrets/${DEPLOY_NAME}/ + targetRevision: HEAD + directory: + include: secret-mariadb.yaml destination: server: "https://kubernetes.default.svc" namespace: openstack diff --git a/apps/components/nautobot.yaml b/apps/components/nautobot.yaml index e1ebc1e25..13d5d233b 100644 --- a/apps/components/nautobot.yaml +++ b/apps/components/nautobot.yaml @@ -11,6 +11,24 @@ spec: - repoURL: https://github.com/rackerlabs/understack.git path: components/09-nautobot/ targetRevision: HEAD + kustomize: + patches: + - target: + kind: Ingress + name: nautobot + patch: |- + - op: replace + path: /spec/rules/0/host + value: nautobot.${DNS_ZONE} + - op: replace + path: /spec/tls/0/hosts/0 + value: nautobot.${DNS_ZONE} + - repoURL: ${UC_DEPLOY_GIT_URL} + path: secrets/${DEPLOY_NAME}/ + targetRevision: HEAD + directory: + include: 'secret-nautobot*.yaml' + exclude: secret-nautobot-sso-dex.yaml destination: server: "https://kubernetes.default.svc" namespace: nautobot diff --git a/components/openstack-secrets.tpl.yaml b/components/openstack-secrets.tpl.yaml index c7fdc9652..e03ed8fe7 100644 --- a/components/openstack-secrets.tpl.yaml +++ b/components/openstack-secrets.tpl.yaml @@ -1,6 +1,6 @@ # The purpose of this file is to serve as a template for OpenStack Helm -# based secrets values that are necessary for OpenStack Helm to populate -# it's configmap-etc, which is really a secret with connection strings +# based endpoints configuration so that OpenStack Helm populates the +# correct URLs in the configs that it generates for the various services --- endpoints: 
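Review bot: The rewritten header now describes this file as endpoint configuration, but the template still carries `password: "${IRONIC_KEYSTONE_PASSWORD}"` and the other `${*_PASSWORD}` keys visible in the context below, so the rendered `secret-openstack.yaml` remains credential material even though it is a values file rather than a Secret. Keep a sentence saying so, e.g. `# NOTE: the rendered copy contains service passwords and cannot be sealed - restrict access to the deploy repo`, so nobody commits it to a broadly readable repository on the strength of the new wording.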
@@ -17,6 +17,17 @@ endpoints: ironic: password: "${IRONIC_KEYSTONE_PASSWORD}" + # set our public facing URL + host_fqdn_override: + public: + host: keystone.${DNS_ZONE} + tls: + # must match the value in the top level 'secrets' key for the public endpoint + secretName: keystone-tls-api + issuerRef: + name: cluster-issuer + kind: ClusterIssuer + # 'oslo_cache' is the memcache layer oslo_cache: auth: @@ -42,4 +53,27 @@ endpoints: # this is what the ironic service uses to connect to RabbitMQ ironic: password: "${IRONIC_RABBITMQ_PASSWORD}" + + # 'baremetal' is the ironic service + baremetal: + # set our public facing URL + host_fqdn_override: + public: + host: ironic.${DNS_ZONE} + tls: + # must match the value in the top level 'secrets' key for the public endpoint + secretName: ironic-tls-api + issuerRef: + name: cluster-issuer + kind: ClusterIssuer + +# necessary cause the ingress definition in openstack-helm-infra helm-toolkit hardcodes this +secrets: + tls: + baremetal: + api: + public: ironic-tls-api + identity: + api: + public: keystone-tls-api ... From fbf00c0a6b67c86934d3d83012569babdca4dde2 Mon Sep 17 00:00:00 2001 From: Doug Goldstein Date: Mon, 25 Mar 2024 09:54:58 -0500 Subject: [PATCH 08/10] feat: add parameterizes install of cert-manager --- apps/operators/cert-manager.yaml | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 apps/operators/cert-manager.yaml diff --git a/apps/operators/cert-manager.yaml b/apps/operators/cert-manager.yaml new file mode 100644 index 000000000..72b1badb5 --- /dev/null +++ b/apps/operators/cert-manager.yaml 
@@ -0,0 +1,32 @@ +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: cert-manager + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: operators + sources: + - chart: cert-manager + repoURL: https://charts.jetstack.io + targetRevision: 1.* + helm: + releaseName: cert-manager + valuesObject: + installCRDs: true + - repoURL: ${UC_DEPLOY_GIT_URL} + path: secrets/${DEPLOY_NAME}/ + targetRevision: HEAD + directory: + include: cluster-issuer.yaml + destination: + namespace: cert-manager + server: https://kubernetes.default.svc + syncPolicy: + automated: + prune: false + selfHeal: true + syncOptions: + - CreateNamespace=true From 1894e59aca26927f774daf8029af43f3726926a8 Mon Sep 17 00:00:00 2001 From: Doug Goldstein Date: Mon, 1 Apr 2024 09:51:51 -0500 Subject: [PATCH 09/10] feat: make secrets gen script more flexible Added the ability to write out the data into a target directory. Added the generation of the OpenStack Helm values file by the script. Allowed skipping of the usage of kubeseal when generating the secrets. --- scripts/easy-secrets-gen.sh | 71 +++++++++++++++++++++++++------------ 1 file changed, 49 insertions(+), 22 deletions(-) diff --git a/scripts/easy-secrets-gen.sh b/scripts/easy-secrets-gen.sh index b77754229..8e4c8850b 100755 --- a/scripts/easy-secrets-gen.sh +++ b/scripts/easy-secrets-gen.sh @@ -2,6 +2,8 @@ cd $(git rev-parse --show-toplevel) +DEST_DIR=${1:-.} + kubectl --namespace openstack \ create secret generic mariadb \ --dry-run=client \ @@ -9,7 +11,7 @@ kubectl --namespace openstack \ --type Opaque \ --from-literal=root-password="$(./scripts/pwgen.sh)" \ --from-literal=password="$(./scripts/pwgen.sh)" \ - > secret-mariadb.yaml + > "${DEST_DIR}/secret-mariadb.yaml" kubectl --namespace nautobot \ create secret generic nautobot-env \ 
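Review bot: `targetRevision: 1.*` with `automated.selfHeal` lets Argo CD roll cert-manager to any new 1.x release as soon as it appears in the Jetstack index, which is an unreviewed upgrade of a cluster-wide component that also owns its CRDs via `installCRDs: true`; pin an exact chart version and bump it deliberately. The `resources-finalizer.argocd.argoproj.io` finalizer combined with chart-managed CRDs means deleting this Application cascades to the `Certificate`/`Issuer` CRDs and therefore to every certificate object in the cluster, so either drop the finalizer or document the consequence next to it, e.g. `# deleting this Application removes cert-manager AND its CRDs, i.e. every Certificate`. `cluster-issuer.yaml` is a cluster-scoped object pulled from the deploy repo at `HEAD`; the `operators` project must whitelist `cert-manager.io/ClusterIssuer`, which is not visible in this series.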
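Review bot: `DEST_DIR=${1:-.}` is evaluated after `cd $(git rev-parse --show-toplevel)`, so a relative argument such as `../deploy/secrets/dev` is resolved against the repository root rather than the directory the user ran the script from, and nothing creates the directory or restricts permissions before plaintext Secrets are written into it. Resolve the path before the `cd` and tighten the umask, e.g. `mkdir -p "${1:-.}" && DEST_DIR=$(cd "${1:-.}" && pwd)` ahead of the `cd`, followed by `umask 077`, so the generated `secret-*.yaml` files are created `0600` instead of the default `0644`. The script also lacks `set -euo pipefail`, so a failing `kubectl` or `pwgen.sh` silently yields an empty password file; that predates this patch but matters more now that output can be pointed at a deploy repo.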
@@ -19,7 +21,7 @@ kubectl --namespace nautobot \ --from-literal=NAUTOBOT_SECRET_KEY="$(./scripts/pwgen.sh)" \ --from-literal=NAUTOBOT_SUPERUSER_API_TOKEN="$(./scripts/pwgen.sh)" \ --from-literal=NAUTOBOT_SUPERUSER_PASSWORD="$(./scripts/pwgen.sh)" \ - > secret-nautobot-env.yaml + > "${DEST_DIR}/secret-nautobot-env.yaml" kubectl --namespace nautobot \ create secret generic nautobot-redis \ @@ -27,7 +29,7 @@ kubectl --namespace nautobot \ -o yaml \ --type Opaque \ --from-literal=redis-password="$(./scripts/pwgen.sh)" \ - > secret-nautobot-redis.yaml + > "${DEST_DIR}/secret-nautobot-redis.yaml" NAUTOBOT_SSO_SECRET=$(./scripts/pwgen.sh) for ns in nautobot dex; do @@ -37,7 +39,7 @@ for ns in nautobot dex; do -o yaml \ --type Opaque \ --from-literal=client-secret="$NAUTOBOT_SSO_SECRET" \ - > secret-nautobot-sso-$ns.yaml + > "${DEST_DIR}/secret-nautobot-sso-$ns.yaml" done unset NAUTOBOT_SSO_SECRET 
@@ -50,72 +52,97 @@ for ns in argo argo-events argocd dex; do --type Opaque \ --from-literal=client-secret="$ARGO_SSO_SECRET" \ --from-literal=client-id=argo \ - > secret-argo-sso-$ns.yaml + > "${DEST_DIR}/secret-argo-sso-$ns.yaml" done unset ARGO_SSO_SECRET +# create constant OpenStack memcache key to avoid cache invalidation on deploy +export MEMCACHE_SECRET_KEY="$(./scripts/pwgen.sh 64)" +# keystone admin user password +export KEYSTONE_ADMIN_PASSWORD="$(./scripts/pwgen.sh)" +# keystone user password in mariadb for keystone db +export KEYSTONE_DB_PASSWORD="$(./scripts/pwgen.sh)" +# rabbitmq user password for the keystone queues +export KEYSTONE_RABBITMQ_PASSWORD="$(./scripts/pwgen.sh)" +# ironic keystone service account +export IRONIC_KEYSTONE_PASSWORD="$(./scripts/pwgen.sh)" +# ironic user password in mariadb for ironic db +export IRONIC_DB_PASSWORD="$(./scripts/pwgen.sh)" +# rabbitmq user password for the ironic queues +export IRONIC_RABBITMQ_PASSWORD="$(./scripts/pwgen.sh)" kubectl --namespace openstack \ create secret generic keystone-rabbitmq-password \ --type Opaque \ --from-literal=username="keystone" \ - --from-literal=password="$($(git rev-parse --show-toplevel)/scripts/pwgen.sh)" \ + --from-literal=password="${KEYSTONE_RABBITMQ_PASSWORD}" \ --dry-run=client -o yaml \ - > secret-keystone-rabbitmq-password.yaml + > "${DEST_DIR}/secret-keystone-rabbitmq-password.yaml" kubectl --namespace openstack \ create secret generic keystone-db-password \ --type Opaque \ - --from-literal=password="$($(git rev-parse --show-toplevel)/scripts/pwgen.sh)" \ + --from-literal=password="${KEYSTONE_DB_PASSWORD}" \ --dry-run=client -o yaml \ - > secret-keystone-db-password.yaml + > "${DEST_DIR}/secret-keystone-db-password.yaml" kubectl --namespace openstack \ create secret generic keystone-admin \ --type Opaque \ - --from-literal=password="$($(git rev-parse --show-toplevel)/scripts/pwgen.sh)" \ + --from-literal=password="${KEYSTONE_ADMIN_PASSWORD}" \ --dry-run=client -o yaml \ 
- > secret-keystone-admin.yaml + > "${DEST_DIR}/secret-keystone-admin.yaml" # ironic credentials kubectl --namespace openstack \ create secret generic ironic-rabbitmq-password \ --type Opaque \ --from-literal=username="ironic" \ - --from-literal=password="$($(git rev-parse --show-toplevel)/scripts/pwgen.sh)" \ - --dry-run=client -o yaml > secret-ironic-rabbitmq-password.yaml + --from-literal=password="${IRONIC_RABBITMQ_PASSWORD}" \ + --dry-run=client -o yaml > "${DEST_DIR}/secret-ironic-rabbitmq-password.yaml" kubectl --namespace openstack \ create secret generic ironic-db-password \ --type Opaque \ - --from-literal=password="$($(git rev-parse --show-toplevel)/scripts/pwgen.sh)" \ - --dry-run=client -o yaml > secret-ironic-db-password.yaml + --from-literal=password="${IRONIC_DB_PASSWORD}" \ + --dry-run=client -o yaml > "${DEST_DIR}/secret-ironic-db-password.yaml" kubectl --namespace openstack \ create secret generic ironic-keystone-password \ --type Opaque \ --from-literal=username="ironic" \ - --from-literal=password="$($(git rev-parse --show-toplevel)/scripts/pwgen.sh)" \ - --dry-run=client -o yaml > secret-ironic-keystone-password.yaml + --from-literal=password="${IRONIC_KEYSTONE_PASSWORD}" \ + --dry-run=client -o yaml > "${DEST_DIR}/secret-ironic-keystone-password.yaml" + +if [ "x${DO_TMPL_VALUES}" = "xy" ]; then + yq '(.. 
| select(tag == "!!str")) |= envsubst' \ + "./components/openstack-secrets.tpl.yaml" \ + > "${DEST_DIR}/secret-openstack.yaml" +fi + +if [ "x${SKIP_KUBESEAL}" = "xy" ]; then + echo "Skipping kubeseal" + exit 0 +fi kubeseal \ --scope cluster-wide \ --allow-empty-data \ -o yaml \ - -f secret-mariadb.yaml \ + -f "${DEST_DIR}/secret-mariadb.yaml" \ -w components/01-secrets/encrypted-mariadb.yaml kubeseal \ --scope cluster-wide \ --allow-empty-data \ -o yaml \ - -f secret-nautobot-env.yaml \ + -f "${DEST_DIR}/secret-nautobot-env.yaml" \ -w components/01-secrets/encrypted-nautobot-env.yaml kubeseal \ --scope cluster-wide \ --allow-empty-data \ -o yaml \ - -f secret-nautobot-redis.yaml \ + -f "${DEST_DIR}/secret-nautobot-redis.yaml" \ -w components/01-secrets/encrypted-nautobot-redis.yaml -for skrt in $(find . -maxdepth 1 -name "secret-keystone*.yaml" -o -name "secret-ironic*.yaml"); do +for skrt in $(find "${DEST_DIR}" -maxdepth 1 -name "secret-keystone*.yaml" -o -name "secret-ironic*.yaml"); do encskrt=$(echo "${skrt}" | sed -e 's/secret-/components\/01-secrets\/encrypted-/') kubeseal \ --scope cluster-wide \ @@ -130,7 +157,7 @@ for ns in nautobot dex; do --scope cluster-wide \ --allow-empty-data \ -o yaml \ - -f secret-nautobot-sso-$ns.yaml \ + -f "${DEST_DIR}/secret-nautobot-sso-$ns.yaml" \ -w components/01-secrets/encrypted-nautobot-sso-$ns.yaml done From d54b5c4ba13a6b760852a421efee3076196e9742 Mon Sep 17 00:00:00 2001 
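Review bot: The sealing loop's `encskrt=$(echo "${skrt}" | sed -e 's/secret-/components\/01-secrets\/encrypted-/')` now receives paths prefixed with `${DEST_DIR}` from `find`, so with any non-default destination the target becomes `${DEST_DIR}/components/01-secrets/encrypted-...` (or the substitution hits a `secret-` substring inside the directory name), and the presumably following `-w "${encskrt}"` writes outside `components/01-secrets/` or fails. Build the target from the basename instead: `encskrt="components/01-secrets/encrypted-$(basename "${skrt}" | sed -e 's/^secret-//')"`, and iterate with `find ... -print0 | while IFS= read -r -d '' skrt` if paths may contain spaces. Two further points in this hunk: the `SKIP_KUBESEAL=y` branch exits leaving plain `kind: Secret` files that patch 07's Applications will apply verbatim, so the `echo` should warn that unsealed secrets are being left for the deploy repo; and `yq '... |= envsubst'` substitutes unset variables such as `DNS_ZONE` with an empty string, so use `envsubst(nu)` if the installed yq supports it, and `unset` the exported `*_PASSWORD` variables after the template is rendered, as the script already does for `NAUTOBOT_SSO_SECRET`. The rest of the loop body and the argo-sso sealing lie outside this hunk.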
From: Doug Goldstein
Date: Tue, 5 Mar 2024 16:57:21 -0600
Subject: [PATCH 10/10] feat: craft a gitops focused installation
Write up a GitOps focused installation of Understack along with some helper scripts to assist the user with crafting their secrets and their initial layout of their data.
---
 apps/app-of-apps.yaml | 23 ++++
 apps/components/nautobot.yaml | 3 +
 components/openstack-secrets.tpl.yaml | 4 +-
 docs/gitops-install.md | 171 ++++++++++++++++++++++++++
 mkdocs.yml | 1 +
 scripts/gitops-deploy.sh | 55 +++++++++
 scripts/gitops-secrets-gen.sh | 96 +++++++++++++++
 7 files changed, 351 insertions(+), 2 deletions(-)
 create mode 100644 apps/app-of-apps.yaml
 create mode 100644 docs/gitops-install.md
 create mode 100755 scripts/gitops-deploy.sh
 create mode 100755 scripts/gitops-secrets-gen.sh
diff --git a/apps/app-of-apps.yaml b/apps/app-of-apps.yaml
new file mode 100644
index 000000000..7ec7e1293
--- /dev/null
+++ b/apps/app-of-apps.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: app-of-apps
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: argocd
+ server: https://kubernetes.default.svc
+ project: default
+ source:
+ path: clusters/${DEPLOY_NAME}
+ repoURL: ${UC_DEPLOY_GIT_URL}
+ targetRevision: main
+ directory:
+ recurse: true
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
diff --git a/apps/components/nautobot.yaml b/apps/components/nautobot.yaml
index 13d5d233b..bc364cf52 100644
--- a/apps/components/nautobot.yaml
+++ b/apps/components/nautobot.yaml
@@ -23,6 +23,9 @@ spec:
 - op: replace
 path: /spec/tls/0/hosts/0
 value: nautobot.${DNS_ZONE}
+ - op: replace
+ path: '/metadata/annotations/cert-manager.io~1cluster-issuer'
+ value: ${DEPLOY_NAME}-cluster-issuer
 - repoURL: ${UC_DEPLOY_GIT_URL}
 path: secrets/${DEPLOY_NAME}/
 targetRevision: HEAD
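Review bot: `project: default` puts the root application — and, via `directory.recurse: true`, every Application it discovers under `clusters/${DEPLOY_NAME}` — into ArgoCD's built-in project, which allows any source repo, any destination namespace and any resource kind, while `prune: true` lets it delete whatever it created. For a root app that is synced automatically from a user-supplied `${UC_DEPLOY_GIT_URL}`, a dedicated AppProject whose `sourceRepos` lists only that URL and whose `destinations` are limited to the cluster namespaces actually used would bound the blast radius of a compromised or mistaken deploy repo; a comment `# TODO: move off the unrestricted default project` above `project: default` would at least record the intent. Separately, `targetRevision: main` here versus `targetRevision: HEAD` for the same repo in the nautobot hunk below means the two can resolve to different commits; pick one.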
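Review bot: The new patch uses `op: replace` on `/metadata/annotations/cert-manager.io~1cluster-issuer`, and a JSON-patch replace fails when the target path does not already exist, so this silently depends on the upstream Ingress already carrying that annotation (the patched base is outside this hunk and I cannot confirm it). If that is not guaranteed, `op: add` sets the annotation whether or not it is present and is otherwise equivalent. The `~1` escaping of the slash in the annotation key is correct.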
diff --git a/components/openstack-secrets.tpl.yaml b/components/openstack-secrets.tpl.yaml
index e03ed8fe7..041bafaaa 100644
--- a/components/openstack-secrets.tpl.yaml
+++ b/components/openstack-secrets.tpl.yaml
@@ -25,7 +25,7 @@ endpoints:
 # must match the value in the top level 'secrets' key for the public endpoint
 secretName: keystone-tls-api
 issuerRef:
- name: cluster-issuer
+ name: ${DEPLOY_NAME}-cluster-issuer
 kind: ClusterIssuer
 # 'oslo_cache' is the memcache layer
@@ -64,7 +64,7 @@ endpoints:
 # must match the value in the top level 'secrets' key for the public endpoint
 secretName: ironic-tls-api
 issuerRef:
- name: cluster-issuer
+ name: ${DEPLOY_NAME}-cluster-issuer
 kind: ClusterIssuer
 # necessary cause the ingress definition in openstack-helm-infra helm-toolkit hardcodes this
diff --git a/docs/gitops-install.md b/docs/gitops-install.md
new file mode 100644
index 000000000..905ee9257
--- /dev/null
+++ b/docs/gitops-install.md
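Review bot: `name: ${DEPLOY_NAME}-cluster-issuer` is only substituted when this template is pushed through the `yq '(.. | select(tag == "!!str")) |= envsubst'` step that runs under `DO_TMPL_VALUES=y`; anyone rendering the file by another route gets a literal `${DEPLOY_NAME}-cluster-issuer` issuerRef and certificate issuance fails with nothing pointing at the cause. A header comment at the top of the file, e.g. `# rendered with envsubst; DEPLOY_NAME must be exported before this file is used`, would make the contract visible, and the existing `# must match …` comment above `secretName` shows the file already carries such notes. The same applies to the second hunk at line 64.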
@@ -0,0 +1,171 @@
+# GitOps based Install
+
+This guide is not meant to be a definitive guide to [GitOps][gitops] and
+how it can be used with UnderStack or even a best practices example
+but instead focused on an example development oriented installation.
+It will make a few assumptions and some opinionated choices that may
+not align with a production best practices installation.
+Most notable assumptions are:
+
+- [GitOps][gitops] tooling runs on the same cluster as the deploy
+- AIO (All-in-One) configuration
+- Your cluster is a blank slate and can be entirely consumed
+
+You will have the source to your deployment and all the pre-deployment
+work will occur on your local machine and not on any of the target
+machines.
+
+## Getting the source
+
+You must fetch the source to this repo and since we will be using
+[GitOps][gitops], you must also have a deployment repo. These
+operations can all happen locally on your development machine.
+
+```bash
+git clone https://github.com/rackerlabs/understack
+# then either
+git init uc-deploy
+# or
+git clone https://path/to/my/uc-deploy
+```
+
+## Pre-deployment
+
+Embracing GitOps and declarative configuration, we will define three
+distinct pieces of information for your deployment.
+
+- Infrastructure: Where the software will live (TODO: this defines the cluster)
+- Secrets: What are all the credentials, passwords, etc needed by the software
+- Cluster: The actual software that will be deployed
+
+To properly scope this you'll need an environment name. For the
+purposes of this document we'll call it `my-k3s`.
+
+### Environment Variables
+
+To avoid defining many environment variables we'll simplify by creating an
+`.env` file for our deployment. In this case we'll call it `my-k3s.env` and
+place it where we've cloned understack.
A complete file would like like
+
+```bash title="/path/to/understack/my-k3s.env"
+UC_REPO="$HOME/devel/understack"
+UC_DEPLOY="$HOME/devel/uc-deploy"
+DEPLOY_NAME="my-k3s"
+UC_DEPLOY_GIT_URL=git@github.com:myorg/uc-deploy.git
+UC_DEPLOY_SSH_FILE="$HOME/devel/uc-deploy-key"
+DNS_ZONE=home.lab
+UC_DEPLOY_EMAIL="my@email"
+```
+
+#### Paths
+
+The `UC_REPO` and `UC_DEPLOY` variables are local paths on your machine to where
+these two repos have been cloned.
+
+#### Deployment Name
+
+The `DEPLOY_NAME` variable contains the name that you'll refer to your
+deployment as.
+
+#### Git access for ArgoCD
+
+ArgoCD will need to know where it can access your deployment config
+repo. This can be over SSH with a key or over HTTPS or via a GitHub App.
+At this time the scripts only support SSH. It is recommended to
+use a [GitHub Deploy Key][gh-deploy-keys], the private key of which
+should available locally and the path to it should be set into the
+`UC_DEPLOY_SSH_FILE` variable. While the SSH clone URL for your repo
+should be set to `UC_DEPLOY_GIT_URL`.
+
+#### DNS for Ingress and SSL certificates
+
+All services will utilize unique DNS names. The facilitate this, UnderStack
+will take a domain and add sub-domains for them. The script will also create
+a cluster issuer for [Cert Manager](https://cert-manager.io) which will use
+the http01 solver by default, so you'll need to provide your email address
+which needs to be set into the `UC_DEPLOY_EMAIL` variable.
+All Ingress DNS names will be created as subdomains of the value you put
+into the `DNS_ZONE` variable.
+
+#### Getting Ready to Generate Secrets and Configs
+
+You can run `source /path/to/understack/my-k3s.env` to have `$UC_DEPLOY` in
+your shell.
+
+### Populating the infrastructure
+
+TODO: some examples and documentation on how to build out a cluster
+
+### Generating secrets
+
+Secrets in their very nature are sensitive pieces of data.
The ultimate
+storage and injection of these in a production environment needs to be
+carefully considered. For the purposes of this document no specific
+choice has been made but tools like Vault, Sealed Secrets, SOPS, etc
+should be considered. This will only generate the necessary secrets
+using random data to sucessfully continue the installation.
+
+TODO: probably give at least one secure example
+
+```bash
+./scripts/gitops-secrets-gen.sh ./my-k3s.env
+pushd "${UC_DEPLOY}"
+git add secrets/my-k3s
+git commit -m "my-k3s: secrets generation"
+popd
+```
+
+### Defining the app deployment
+
+In this section we will use the [App of Apps][app-of-apps] pattern to define
+the deployment of all the components of UnderStack.
+
+```bash
+./scripts/gitops-deploy.sh ./my-k3s.env
+pushd "${UC_DEPLOY}"
+git add clusters/my-k3s
+git commit -m "my-k3s: initial cluster config"
+popd
+```
+
+## Final modifications of your deployment
+
+This is point you can make changes to the [ArgoCD][argocd] configs before
+you do the deployment in your `$UC_DEPLOY` repo. You'll want to consider
+any changes to each of components to your cluster by modifying or adding
+values files or kustomize patches. This should be considered a rough template
+that is yours to modify. Once you've made all the changes you want to make,
+ensure that you `git push` your `$UC_DEPLOY` repo so that ArgoCD can access it.
+
+## Doing the Deployment
+
+At this point we will use our configs to make the actual deployment.
+Make sure everything you've committed to your deployment repo is pushed
+to your git server so that ArgoCD can access it.
+
+If you do not have ArgoCD deployed then you can use the following:
+
+```bash
+kubectl kustomize --enable-helm \
+ https://github.com/rackerlabs/understack//bootstrap/argocd/ \
+ | kubectl apply -f -
+```
+
+Now configure your ArgoCD to have the credential access to your deploy repo:
+
+```bash
+kubectl -n argocd apply -f "${UC_DEPLOY}/secrets/my-k3s/argocd/secret-deploy-repo.yaml"
+```
+
+Finally run the following to have ArgoCD deploy the system:
+
+```bash
+kubectl apply -f "${UC_DEPLOY}/clusters/my-k3s/app-of-apps.yaml"
+```
+
+At this point ArgoCD will work to deploy Understack.
+
+[gitops]:
+[app-of-apps]:
+[argocd]:
+[gh-deploy-keys]:
diff --git a/mkdocs.yml b/mkdocs.yml
index ed0f68e10..3b70f9aa1 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -53,3 +53,4 @@ nav:
 - openstack-helm.md
 - secrets.md
 - install-understack-ubuntu-k3s.md
+ - gitops-install.md
diff --git a/scripts/gitops-deploy.sh b/scripts/gitops-deploy.sh
new file mode 100755
index 000000000..7225c5b03
--- /dev/null
+++ b/scripts/gitops-deploy.sh
@@ -0,0 +1,55 @@
+#!/bin/sh
+
+usage() {
+ echo "$(basename "$0") " >&2
+ echo "" >&2
+ echo "Generates an initial layout of configs for deploying" >&2
+ exit 1
+}
+
+template() {
+ local subvars
+ subvars="\$DNS_ZONE \$UC_DEPLOY_GIT_URL \$DEPLOY_NAME"
+ cat "$1" | envsubst "${subvars}" > "$2"
+}
+
+if [ $# -ne 1 ]; then
+ usage
+fi
+
+SCRIPTS_DIR="$(dirname "$0")"
+
+if [ ! -f "$1" ]; then
+ echo "Did not get a file with environment variables." >&2
+ usage
+fi
+
+source "$1"
+
+if [ ! -d "${UC_DEPLOY}" ]; then
+ echo "UC_DEPLOY not set to a path." >&2
+ usage
+fi
+
+if [ "x${DEPLOY_NAME}" = "x" ]; then
+ echo "DEPLOY_NAME is not set." >&2
+ usage
+fi
+
+OUTPUT_DIR="${UC_DEPLOY}/clusters/${DEPLOY_NAME}"
+
+export DNS_ZONE
+export UC_DEPLOY_GIT_URL
+export DEPLOY_NAME
+
+for part in operators components; do
+ echo "Creating ${part} configs"
+ mkdir -p "${OUTPUT_DIR}/${part}"
+ for tmpl in $(find "${SCRIPTS_DIR}/../apps/${part}" -type f); do
+ outfile=$(basename "${tmpl}")
+ template "${tmpl}" "${OUTPUT_DIR}/${part}/${outfile}"
+ done
+ rm -rf "${OUTPUT_DIR}/${part}/kustomization.yaml"
+done
+echo "Creating app-of-apps config"
+template "${SCRIPTS_DIR}/../apps/app-of-apps.yaml" "${OUTPUT_DIR}/app-of-apps.yaml"
diff --git a/scripts/gitops-secrets-gen.sh b/scripts/gitops-secrets-gen.sh
new file mode 100755
index 000000000..35c684ff1
--- /dev/null
+++ b/scripts/gitops-secrets-gen.sh
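Review bot: The script declares `#!/bin/sh` but uses `source "$1"`, which is a bash builtin rather than POSIX; where /bin/sh is dash the line fails with "source: not found" and, with no `set -e`, execution continues with every variable unset until the `UC_DEPLOY` check rejects it. The POSIX spelling `. "$1"` works in both shells, or switch the shebang to `#!/bin/bash`, which would also make `local` in `template()` unambiguous. `scripts/gitops-secrets-gen.sh` in the next hunk has the same `source` call plus a bash-only `function usage()` under the same `#!/bin/sh`. Since the env file is executed as shell rather than parsed, a one-line comment above the call such as `# the env file is sourced as shell: only point this at a file you wrote` documents what the docs' ".env" wording hides. `rm -rf` on a single file is wider than needed; `rm -f` says what is meant.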
@@ -0,0 +1,96 @@
+#!/bin/sh
+
+function usage() {
+ echo "$(basename "$0") " >&2
+ echo "" >&2
+ echo "Generates random secrets needed by the apps in this repo" >&2
+ exit 1
+}
+
+if [ $# -ne 1 ]; then
+ usage
+fi
+
+SCRIPTS_DIR=$(dirname "$0")
+
+if [ ! -f "$1" ]; then
+ echo "Did not get a file with environment variables." >&2
+ usage
+fi
+
+source "$1"
+
+if [ ! -d "${UC_DEPLOY}" ]; then
+ echo "UC_DEPLOY not set to a path." >&2
+ usage
+fi
+
+if [ "x${DEPLOY_NAME}" = "x" ]; then
+ echo "DEPLOY_NAME is not set." >&2
+ usage
+fi
+
+if [ "x${UC_DEPLOY_GIT_URL}" = "x" ]; then
+ echo "UC_DEPLOY_GIT_URL is not set." >&2
+ usage
+fi
+
+if [ "x${UC_DEPLOY_SSH_FILE}" = "x" ]; then
+ echo "UC_DEPLOY_SSH_FILE is not set." >&2
+ usage
+fi
+
+if [ ! -f "${UC_DEPLOY_SSH_FILE}" ]; then
+ echo "UC_DEPLOY_SSH_FILE is not a file." >&2
+ usage
+fi
+
+if [ "x${DNS_ZONE}" = "x" ]; then
+ echo "DNS_ZONE is not set." >&2
+ usage
+fi
+
+if [ "x${UC_DEPLOY_EMAIL}" = "x" ]; then
+ echo "UC_DEPLOY_EMAIL is not set."
>&2
+ usage
+fi
+
+export DNS_ZONE
+export DEPLOY_NAME
+export SKIP_KUBESEAL=y
+export DO_TMPL_VALUES=y
+mkdir -p "${UC_DEPLOY}/secrets/${DEPLOY_NAME}"
+"${SCRIPTS_DIR}/easy-secrets-gen.sh" "${UC_DEPLOY}/secrets/${DEPLOY_NAME}"
+
+echo "Creating ArgoCD config"
+mkdir -p "${UC_DEPLOY}/secrets/${DEPLOY_NAME}/argocd"
+cat << EOF > "${UC_DEPLOY}/secrets/${DEPLOY_NAME}/argocd/secret-deploy-repo.yaml"
+apiVersion: v1
+kind: Secret
+metadata:
+ name: ${DEPLOY_NAME}-repo
+ labels:
+ argocd.argoproj.io/secret-type: repo-creds
+data:
+ sshPrivateKey: $(cat "${UC_DEPLOY_SSH_FILE}" | base64 | tr -d '\n')
+ type: $(printf "git" | base64)
+ url: $(printf "${UC_DEPLOY_GIT_URL}" | base64)
+EOF
+
+echo "Creating Cert Manager Cluster Issuer"
+cat << EOF > "${UC_DEPLOY}/secrets/${DEPLOY_NAME}/cluster-issuer.yaml"
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: ${DEPLOY_NAME}-cluster-issuer
+spec:
+ acme:
+ email: ${UC_DEPLOY_EMAIL}
+ privateKeySecretRef:
+ name: letsencrypt-prod
+ server: https://acme-v02.api.letsencrypt.org/directory
+ solvers:
+ - http01:
+ ingress:
+ ingressClassName: nginx
+EOF
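Review bot: The deploy key's private half is base64-encoded straight into `secret-deploy-repo.yaml` under `${UC_DEPLOY}/secrets/${DEPLOY_NAME}`, and `export SKIP_KUBESEAL=y` means nothing `easy-secrets-gen.sh` produces is sealed either, so the documented `git add secrets/my-k3s` step commits the SSH private key and every generated password in cleartext to the deployment repo. Because the docs apply that repo secret directly with `kubectl`, it does not need to live in the repo at all; writing it to a path outside `${UC_DEPLOY}` (or emitting a `.gitignore` next to it and printing a warning) keeps the key out of git history, and a comment above the heredoc stating that the output is unencrypted would at least stop it being committed by accident. Separately, `url: $(printf "${UC_DEPLOY_GIT_URL}" | base64)` uses the URL as a printf format string and GNU base64 wraps output after 76 characters, which corrupts the value for longer URLs; `url: $(printf '%s' "${UC_DEPLOY_GIT_URL}" | base64 | tr -d '\n')` fixes both, or switch the Secret to `stringData:` and drop the encoding entirely. The ClusterIssuer is pinned to the Let's Encrypt production endpoint; for the development-oriented install this guide describes, a comment pointing at the staging server would save users from the production rate limits while iterating.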