Skip to content

G
gitlab-ce
Commit 2699768f authored by Matt Kasa's avatar Matt Kasa
Browse files
Options

Add service and worker to configure istio ingress 

- Add ClusterConfigureIstioWorker
- Add ConfigureIstioIngressService
- Adds gcp_cluster:cluster_configure_istio queue

Relates to https://gitlab.com/gitlab-org/gitlab/issues/33559
parent 100fba9e
Hide whitespace changes
Inline Side-by-side
Showing with 366 additions and 0 deletions
app/services/clusters/kubernetes/configure_istio_ingress_service.rb 0 → 100644
View file @ 2699768f
# frozen_string_literal: true
require 'openssl'
module Clusters
module Kubernetes
class ConfigureIstioIngressService
PASSTHROUGH_RESOURCE = Kubeclient::Resource.new(
mode: 'PASSTHROUGH'
).freeze
MTLS_RESOURCE = Kubeclient::Resource.new(
mode: 'MUTUAL',
privateKey: '/etc/istio/ingressgateway-certs/tls.key',
serverCertificate: '/etc/istio/ingressgateway-certs/tls.crt',
caCertificates: '/etc/istio/ingressgateway-ca-certs/cert.pem'
).freeze
def initialize(cluster:)
@cluster = cluster
@platform = cluster.platform
@kubeclient = platform.kubeclient
@knative = cluster.application_knative
end
def execute
return configure_certificates if serverless_domain_cluster
configure_passthrough
end
private
attr_reader :cluster, :platform, :kubeclient, :knative
def serverless_domain_cluster
knative&.serverless_domain_cluster
end
def configure_certificates
create_or_update_istio_cert_and_key
set_gateway_wildcard_https(MTLS_RESOURCE)
end
def create_or_update_istio_cert_and_key
name = OpenSSL::X509::Name.parse("CN=#{knative.hostname}")
key = OpenSSL::PKey::RSA.new(2048)
cert = OpenSSL::X509::Certificate.new
cert.version = 2
cert.serial = 0
cert.not_before = Time.now
cert.not_after = Time.now + 1000.years
cert.public_key = key.public_key
cert.subject = name
cert.issuer = name
cert.sign(key, OpenSSL::Digest::SHA256.new)
serverless_domain_cluster.update!(
key: key.to_pem,
certificate: cert.to_pem
)
kubeclient.create_or_update_secret(istio_ca_certs_resource)
kubeclient.create_or_update_secret(istio_certs_resource)
end
def istio_ca_certs_resource
Gitlab::Kubernetes::GenericSecret.new(
'istio-ingressgateway-ca-certs',
{
'cert.pem': Base64.strict_encode64(serverless_domain_cluster.certificate)
},
Clusters::Kubernetes::ISTIO_SYSTEM_NAMESPACE
).generate
end
def istio_certs_resource
Gitlab::Kubernetes::TlsSecret.new(
'istio-ingressgateway-certs',
serverless_domain_cluster.certificate,
serverless_domain_cluster.key,
Clusters::Kubernetes::ISTIO_SYSTEM_NAMESPACE
).generate
end
def set_gateway_wildcard_https(tls_resource)
gateway_resource = gateway
gateway_resource.spec.servers.each do |server|
next unless server.hosts == ['*'] && server.port.name == 'https'
server.tls = tls_resource
end
kubeclient.update_gateway(gateway_resource)
end
def configure_passthrough
set_gateway_wildcard_https(PASSTHROUGH_RESOURCE)
end
def gateway
kubeclient.get_gateway('knative-ingress-gateway', Clusters::Kubernetes::KNATIVE_SERVING_NAMESPACE)
end
end
end
end
app/workers/all_queues.yml
View file @ 2699768f
......@@ -231,6 +231,12 @@
:latency_sensitive:
:resource_boundary: :unknown
:weight: 1
- :name: gcp_cluster:cluster_configure_istio
:feature_category: :kubernetes_management
:has_external_dependencies: true
:latency_sensitive:
:resource_boundary: :unknown
:weight: 1
- :name: gcp_cluster:cluster_install_app
:feature_category: :kubernetes_management
:has_external_dependencies: true
......
app/workers/cluster_configure_istio_worker.rb 0 → 100644
View file @ 2699768f
# frozen_string_literal: true
class ClusterConfigureIstioWorker
include ApplicationWorker
include ClusterQueue
worker_has_external_dependencies!
def perform(cluster_id)
Clusters::Cluster.find_by_id(cluster_id).try do |cluster|
Clusters::Kubernetes::ConfigureIstioIngressService.new(cluster: cluster).execute
end
end
end
spec/services/clusters/kubernetes/configure_istio_ingress_service_spec.rb 0 → 100644
View file @ 2699768f
# frozen_string_literal: true
require 'spec_helper'
describe Clusters::Kubernetes::ConfigureIstioIngressService, '#execute' do
include KubernetesHelpers
let(:cluster) { create(:cluster, :project, :provided_by_gcp) }
let(:api_url) { 'https://kubernetes.example.com' }
let(:project) { cluster.project }
let(:environment) { create(:environment, project: project) }
let(:cluster_project) { cluster.cluster_project }
let(:namespace) { "#{project.name}-#{project.id}-#{environment.slug}" }
let(:kubeclient) { cluster.kubeclient }
subject do
described_class.new(
cluster: cluster
).execute
end
before do
stub_kubeclient_discover_istio(api_url)
stub_kubeclient_create_secret(api_url, namespace: namespace)
stub_kubeclient_put_secret(api_url, "#{namespace}-token", namespace: namespace)
stub_kubeclient_get_secret(
api_url,
{
metadata_name: "#{namespace}-token",
token: Base64.encode64('sample-token'),
namespace: namespace
}
)
stub_kubeclient_get_secret(
api_url,
{
metadata_name: 'istio-ingressgateway-ca-certs',
namespace: 'istio-system'
}
)
stub_kubeclient_get_secret(
api_url,
{
metadata_name: 'istio-ingressgateway-certs',
namespace: 'istio-system'
}
)
stub_kubeclient_put_secret(api_url, 'istio-ingressgateway-ca-certs', namespace: 'istio-system')
stub_kubeclient_put_secret(api_url, 'istio-ingressgateway-certs', namespace: 'istio-system')
stub_kubeclient_get_gateway(api_url, 'knative-ingress-gateway', namespace: 'knative-serving')
stub_kubeclient_put_gateway(api_url, 'knative-ingress-gateway', namespace: 'knative-serving')
end
context 'without a serverless_domain_cluster' do
it 'configures gateway to use PASSTHROUGH' do
subject
expect(WebMock).to have_requested(:put, api_url + '/apis/networking.istio.io/v1alpha3/namespaces/knative-serving/gateways/knative-ingress-gateway').with(
body: hash_including(
apiVersion: "networking.istio.io/v1alpha3",
kind: "Gateway",
metadata: {
generation: 1,
labels: {
"networking.knative.dev/ingress-provider" => "istio",
"serving.knative.dev/release" => "v0.7.0"
},
name: "knative-ingress-gateway",
namespace: "knative-serving",
selfLink: "/apis/networking.istio.io/v1alpha3/namespaces/knative-serving/gateways/knative-ingress-gateway"
},
spec: {
selector: {
istio: "ingressgateway"
},
servers: [
{
hosts: ["*"],
port: {
name: "http",
number: 80,
protocol: "HTTP"
}
},
{
hosts: ["*"],
port: {
name: "https",
number: 443,
protocol: "HTTPS"
},
tls: {
mode: "PASSTHROUGH"
}
}
]
}
)
)
end
end
context 'with a serverless_domain_cluster' do
let(:serverless_domain_cluster) { create(:serverless_domain_cluster) }
let(:certificate) { OpenSSL::X509::Certificate.new(serverless_domain_cluster.certificate) }
before do
cluster.application_knative = serverless_domain_cluster.knative
end
it 'configures certificates' do
subject
expect(serverless_domain_cluster.reload.key).not_to be_blank
expect(serverless_domain_cluster.reload.certificate).not_to be_blank
expect(certificate.subject.to_s).to include(serverless_domain_cluster.knative.hostname)
expect(certificate.not_before).to be_within(1.minute).of(Time.now)
expect(certificate.not_after).to be_within(1.minute).of(Time.now + 1000.years)
expect(WebMock).to have_requested(:put, api_url + '/api/v1/namespaces/istio-system/secrets/istio-ingressgateway-ca-certs').with(
body: hash_including(
metadata: {
name: 'istio-ingressgateway-ca-certs',
namespace: 'istio-system'
},
type: 'Opaque'
)
)
expect(WebMock).to have_requested(:put, api_url + '/api/v1/namespaces/istio-system/secrets/istio-ingressgateway-certs').with(
body: hash_including(
metadata: {
name: 'istio-ingressgateway-certs',
namespace: 'istio-system'
},
type: 'kubernetes.io/tls'
)
)
end
it 'configures gateway to use MUTUAL' do
subject
expect(WebMock).to have_requested(:put, api_url + '/apis/networking.istio.io/v1alpha3/namespaces/knative-serving/gateways/knative-ingress-gateway').with(
body: {
apiVersion: "networking.istio.io/v1alpha3",
kind: "Gateway",
metadata: {
generation: 1,
labels: {
"networking.knative.dev/ingress-provider" => "istio",
"serving.knative.dev/release" => "v0.7.0"
},
name: "knative-ingress-gateway",
namespace: "knative-serving",
selfLink: "/apis/networking.istio.io/v1alpha3/namespaces/knative-serving/gateways/knative-ingress-gateway"
},
spec: {
selector: {
istio: "ingressgateway"
},
servers: [
{
hosts: ["*"],
port: {
name: "http",
number: 80,
protocol: "HTTP"
}
},
{
hosts: ["*"],
port: {
name: "https",
number: 443,
protocol: "HTTPS"
},
tls: {
mode: "MUTUAL",
privateKey: "/etc/istio/ingressgateway-certs/tls.key",
serverCertificate: "/etc/istio/ingressgateway-certs/tls.crt",
caCertificates: "/etc/istio/ingressgateway-ca-certs/cert.pem"
}
}
]
}
}
)
end
end
end
spec/workers/cluster_configure_istio_worker_spec.rb 0 → 100644
View file @ 2699768f
# frozen_string_literal: true
require 'spec_helper'
describe ClusterConfigureIstioWorker do
describe '#perform' do
shared_examples 'configure istio service' do
it 'configures istio' do
expect_any_instance_of(Clusters::Kubernetes::ConfigureIstioIngressService).to receive(:execute)
described_class.new.perform(cluster.id)
end
end
context 'when provider type is gcp' do
let(:cluster) { create(:cluster, :project, :provided_by_gcp) }
it_behaves_like 'configure istio service'
end
context 'when provider type is aws' do
let(:cluster) { create(:cluster, :project, :provided_by_aws) }
it_behaves_like 'configure istio service'
end
context 'when provider type is user' do
let(:cluster) { create(:cluster, :project, :provided_by_user) }
it_behaves_like 'configure istio service'
end
context 'when cluster does not exist' do
it 'does not provision a cluster' do
expect_any_instance_of(Clusters::Kubernetes::ConfigureIstioIngressService).not_to receive(:execute)
described_class.new.perform(123)
end
end
end
end
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7