author | Dylan Griffith <dyl.griffith@gmail.com> | 2018-07-18 13:14:23 +0200 |
---|---|---|
committer | Dylan Griffith <dyl.griffith@gmail.com> | 2018-07-18 13:14:23 +0200 |
commit | 78ebddde0dde3d2a013ca43adafbdf7eecd4c4f2 (patch) | |
tree | 0b95a5b5c9796dd0d7f15fd1a53310d0ccdbaf9c | |
parent | f64cb04ca8217f77235aa89eb6323ec3e6c7574f (diff) | |
download | gitlab-ce-48098-add-mutual-tls-to-tiller-for-gitlab-managed-apps-bkp.tar.gz |
-rw-r--r-- | app/models/clusters/applications/helm.rb | 18 | ||||
-rw-r--r-- | app/models/clusters/applications/ingress.rb | 2 | ||||
-rw-r--r-- | app/models/clusters/applications/jupyter.rb | 2 | ||||
-rw-r--r-- | app/models/clusters/applications/prometheus.rb | 2 | ||||
-rw-r--r-- | app/models/clusters/applications/runner.rb | 2 | ||||
-rw-r--r-- | app/models/clusters/concerns/application_data.rb | 11 | ||||
-rw-r--r-- | app/models/project_auto_devops.rb | 3 | ||||
-rw-r--r-- | lib/gitlab/kubernetes/helm/api.rb | 2 | ||||
-rw-r--r-- | lib/gitlab/kubernetes/helm/base_command.rb | 6 | ||||
-rw-r--r-- | lib/gitlab/kubernetes/helm/init_command.rb | 4 | ||||
-rw-r--r-- | lib/gitlab/kubernetes/helm/install_command.rb | 4 | ||||
-rw-r--r-- | lib/gitlab/kubernetes/helm/pod.rb | 22 | ||||
-rw-r--r-- | qa/qa/factory/resource/kubernetes_cluster.rb | 1 | ||||
-rw-r--r-- | qa/qa/specs/features/project/auto_devops_spec.rb | 22 |
14 files changed, 54 insertions, 47 deletions
diff --git a/app/models/clusters/applications/helm.rb b/app/models/clusters/applications/helm.rb
index 12d22ecc897..c18e79bd4b5 100644
--- a/app/models/clusters/applications/helm.rb
+++ b/app/models/clusters/applications/helm.rb
@@ -23,9 +23,14 @@ module Clusters
 self.ca_cert = ca_cert.cert_string
 end
 
- def issue_cert
+ def ca_cert_obj
+ return unless has_ssl?
 Gitlab::Kubernetes::Helm::Certificate
 .from_strings(ca_key, ca_cert)
+ end
+
+ def issue_cert
+ ca_cert_obj
 .issue
 end
 
@@ -35,19 +40,10 @@ module Clusters
 self.status = 'installable' if cluster&.platform_kubernetes_active?
 end
 
- def extra_env
- server_cert = issue_cert
- {
- CA_CERT: ca_cert,
- TILLER_CERT: server_cert.cert_string,
- TILLER_KEY: server_cert.key_string
- }
- end
-
 def install_command
 Gitlab::Kubernetes::Helm::InitCommand.new(
 name,
- extra_env: extra_env
+ ca_cert: ca_cert_obj
 )
 end
 
diff --git a/app/models/clusters/applications/ingress.rb b/app/models/clusters/applications/ingress.rb
index b2d031ccf2a..60c97f99181 100644
--- a/app/models/clusters/applications/ingress.rb
+++ b/app/models/clusters/applications/ingress.rb
@@ -35,7 +35,7 @@ module Clusters
 name,
 chart: chart,
 values: values,
- extra_env: extra_env
+ ca_cert: ca_cert
 )
 end
 
diff --git a/app/models/clusters/applications/jupyter.rb b/app/models/clusters/applications/jupyter.rb
index 548f9f700c9..9eb8b37a04b 100644
--- a/app/models/clusters/applications/jupyter.rb
+++ b/app/models/clusters/applications/jupyter.rb
@@ -39,7 +39,7 @@ module Clusters
 chart: chart,
 values: values,
 repository: repository,
- extra_env: extra_env
+ ca_cert: ca_cert
 )
 end
 
diff --git a/app/models/clusters/applications/prometheus.rb b/app/models/clusters/applications/prometheus.rb
index 69dc26b8f74..1e26d904675 100644
--- a/app/models/clusters/applications/prometheus.rb
+++ b/app/models/clusters/applications/prometheus.rb
@@ -39,7 +39,7 @@ module Clusters
 chart: chart,
 version: version,
 values: values,
- extra_env: extra_env
+ ca_cert: ca_cert
 )
 end
 
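Review bot: `issue_cert` now ends in `ca_cert_obj .issue`, but `ca_cert_obj` returns nil when `has_ssl?` is false, so a caller on a cluster without TLS material gets a NoMethodError on nil rather than the early return the new method was given. Either guard it the same way, `return unless has_ssl?` before the chain, or write `ca_cert_obj&.issue`; `install_command` in the second hunk passes `ca_cert: ca_cert_obj`, which tolerates nil, so only `issue_cert` is affected. Both methods sit in a class that starts and ends outside the hunk, so I cannot see whether any remaining caller still reaches `issue_cert` without checking `has_ssl?` first.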
diff --git a/app/models/clusters/applications/runner.rb b/app/models/clusters/applications/runner.rb
index b1e9192d92d..f25d1f8425b 100644
--- a/app/models/clusters/applications/runner.rb
+++ b/app/models/clusters/applications/runner.rb
@@ -32,7 +32,7 @@ module Clusters
 chart: chart,
 values: values,
 repository: repository,
- extra_env: extra_env
+ ca_cert: ca_cert
 )
 end
 
diff --git a/app/models/clusters/concerns/application_data.rb b/app/models/clusters/concerns/application_data.rb
index 4928aaafa8c..6f5fdc06466 100644
--- a/app/models/clusters/concerns/application_data.rb
+++ b/app/models/clusters/concerns/application_data.rb
@@ -18,15 +18,8 @@ module Clusters
 "#{Rails.root}/vendor/#{name}/values.yaml"
 end
 
- def extra_env
- return {} unless cluster.application_helm.has_ssl?
- client_cert = cluster.application_helm.issue_cert
-
- {
- CA_CERT: cluster.application_helm.ca_cert,
- HELM_CERT: client_cert.cert_string,
- HELM_KEY: client_cert.key_string
- }
+ def ca_cert
+ cluster.application_helm.ca_cert_obj
 end
 end
 end
diff --git a/app/models/project_auto_devops.rb b/app/models/project_auto_devops.rb
index faa831b1949..7129e39584f 100644
--- a/app/models/project_auto_devops.rb
+++ b/app/models/project_auto_devops.rb
@@ -24,8 +24,7 @@ class ProjectAutoDevops < ActiveRecord::Base
 def predefined_variables
 Gitlab::Ci::Variables::Collection.new.tap do |variables|
 if has_domain?
- variables.append(key: 'AUTO_DEVOPS_DOMAIN',
- value: domain.presence || instance_domain)
+ variables.append(key: 'AUTO_DEVOPS_DOMAIN', value: domain.presence || instance_domain)
 end
 
 if manual?
diff --git a/lib/gitlab/kubernetes/helm/api.rb b/lib/gitlab/kubernetes/helm/api.rb
index 2edd34109ba..c258ef3e01a 100644
--- a/lib/gitlab/kubernetes/helm/api.rb
+++ b/lib/gitlab/kubernetes/helm/api.rb
@@ -29,7 +29,7 @@ module Gitlab
 end
 
 def delete_installation_pod!(pod_name)
- @kubeclient.delete_pod(pod_name, @namespace.name)
+ #@kubeclient.delete_pod(pod_name, @namespace.name)
 end
 
 private
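Review bot: The only statement in `delete_installation_pod!` is commented out, so the method keeps its bang name but is now a no-op, and every Helm installation pod is left behind in `@namespace` after an install finishes or fails. Once the TLS secret introduced in pod.rb is actually mounted, those lingering pods are also where the Helm client key material would reside, so cleanup matters more on this branch than before; restore `@kubeclient.delete_pod(pod_name, @namespace.name)`. If the line was disabled to inspect a failing pod during development, a comment saying so, or a setting that skips deletion, would be safer than a method callers still believe cleans up. The class around this method continues outside the hunk.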
diff --git a/lib/gitlab/kubernetes/helm/base_command.rb b/lib/gitlab/kubernetes/helm/base_command.rb
index f5162658016..fddb18ef4c9 100644
--- a/lib/gitlab/kubernetes/helm/base_command.rb
+++ b/lib/gitlab/kubernetes/helm/base_command.rb
@@ -2,15 +2,15 @@ module Gitlab
 module Kubernetes
 module Helm
 class BaseCommand
- attr_reader :name, :chart, :repository, :values, :extra_env
+ attr_reader :name, :chart, :repository, :values, :ca_cert
 
- def initialize(name, chart: nil, values: nil, version: nil, repository: nil, extra_env: {})
+ def initialize(name, chart: nil, values: nil, version: nil, repository: nil, ca_cert: nil)
 @name = name
 @chart = chart
 @version = version
 @values = values
 @repository = repository
- @extra_env = extra_env
+ @ca_cert = ca_cert
 end
 
 def pod_resource
diff --git a/lib/gitlab/kubernetes/helm/init_command.rb b/lib/gitlab/kubernetes/helm/init_command.rb
index 80f37e5bf92..11e44ad4a86 100644
--- a/lib/gitlab/kubernetes/helm/init_command.rb
+++ b/lib/gitlab/kubernetes/helm/init_command.rb
@@ -13,8 +13,8 @@ module Gitlab
 def init_helm_command
 <<~CMD
 echo "$CA_CERT" > ca.cert.pem
- echo "$TILLER_CERT" > tiller.cert.pem
- echo "$TILLER_KEY" > tiller.key.pem
+ echo "$HELM_CERT" > tiller.cert.pem
+ echo "$HELM_KEY" > tiller.key.pem
 helm init --tiller-tls --tiller-tls-cert ./tiller.cert.pem --tiller-tls-key ./tiller.key.pem --tiller-tls-verify --tls-ca-cert ca.cert.pem >/dev/null
 CMD
 end
diff --git a/lib/gitlab/kubernetes/helm/install_command.rb b/lib/gitlab/kubernetes/helm/install_command.rb
index 2e998cc0168..388c5e8c4fd 100644
--- a/lib/gitlab/kubernetes/helm/install_command.rb
+++ b/lib/gitlab/kubernetes/helm/install_command.rb
@@ -24,7 +24,7 @@ module Gitlab
 private
 
 def configure_certs_command
- return "" unless ca_cert.present?
+ return "" unless ca_cert.present?
 <<~CMD
 echo "$CA_CERT" > $(helm home)/ca.pem
 echo "$HELM_CERT" > $(helm home)/cert.pem
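Review bot: `init_helm_command` still reads `$CA_CERT`, `$HELM_CERT` and `$HELM_KEY`, but nothing in this commit supplies them any more: the pod.rb hunk at `@@ -51,8 +51,8 @@` drops `.merge(command.extra_env)` from the container env and `tls_mounts` returns an empty array, so the three `echo` lines write empty files and `helm init --tiller-tls ... --tiller-tls-verify` is handed empty certificate files. The same gap applies to `configure_certs_command` in install_command.rb, which is gated on `ca_cert.present?` yet also echoes `$CA_CERT` and `$HELM_CERT`. Either populate those env entries from the `tls-certs-#{command.name}` secret or have the scripts copy from the path that `tls_mounts` will eventually mount; the renamed variables only matter once one of those is in place. `init_helm_command` is wholly inside the hunk; `configure_certs_command` continues past it.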
@@ -41,7 +41,7 @@ module Gitlab
 end
 
 def script_command
- tls_flag = " --tls" if extra_env.present?
+ tls_flag = " --tls" if ca_cert.present?
 <<~HEREDOC
 helm install#{tls_flag} #{chart} --name #{name}#{optional_version_flag} --namespace #{Gitlab::Kubernetes::Helm::NAMESPACE} -f /data/helm/#{name}/config/values.yaml >/dev/null
 HEREDOC
diff --git a/lib/gitlab/kubernetes/helm/pod.rb b/lib/gitlab/kubernetes/helm/pod.rb
index bdf176534e6..23cf0cd6d71 100644
--- a/lib/gitlab/kubernetes/helm/pod.rb
+++ b/lib/gitlab/kubernetes/helm/pod.rb
@@ -51,8 +51,8 @@ module Gitlab
 {
 HELM_VERSION: Gitlab::Kubernetes::Helm::HELM_VERSION,
 TILLER_NAMESPACE: namespace_name,
- COMMAND_SCRIPT: command.generate_script
- }.merge(command.extra_env)
+ COMMAND_SCRIPT: command.generate_script,
+ }
 .map { |key, value| { name: key, value: value } }
 end
 
@@ -65,6 +65,18 @@ module Gitlab
 items: [{ key: 'values', path: 'values.yaml' }]
 }
 }
+ ] + tls_volumes
+ end
+
+ def tls_volumes
+ return [] unless command.ca_cert
+ [
+ {
+ name: 'tls_certs',
+ secret: {
+ secretName: "tls-certs-#{command.name}"
+ }
+ }
 ]
 end
 
@@ -74,6 +86,12 @@ module Gitlab
 name: 'configuration-volume',
 mountPath: "/data/helm/#{command.name}/config"
 }
+ ] + tls_mounts
+ end
+
+ def tls_mounts
+ return [] unless command.ca_cert
+ [
 ]
 end
 end
diff --git a/qa/qa/factory/resource/kubernetes_cluster.rb b/qa/qa/factory/resource/kubernetes_cluster.rb
index f32cf985e9d..5fabe3fcfe5 100644
--- a/qa/qa/factory/resource/kubernetes_cluster.rb
+++ b/qa/qa/factory/resource/kubernetes_cluster.rb
@@ -40,6 +40,7 @@ module QA
 page.install!(:helm)
 page.await_installed(:helm)
+ require 'pry'; binding.pry
 page.install!(:ingress) if @install_ingress
 page.await_installed(:ingress) if @install_ingress
 page.install!(:prometheus) if @install_prometheus
diff --git a/qa/qa/specs/features/project/auto_devops_spec.rb b/qa/qa/specs/features/project/auto_devops_spec.rb
index bc713b46d81..54c26660022 100644
--- a/qa/qa/specs/features/project/auto_devops_spec.rb
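Review bot: The volume name `'tls_certs'` in `tls_volumes` contains an underscore, and Kubernetes only accepts DNS-1123 labels (lowercase alphanumerics and `-`) for volume names, so the API server rejects the pod spec as soon as `command.ca_cert` is set; `name: 'tls-certs'` also matches the style of the `tls-certs-#{command.name}` secret name directly below it. In the following hunk `tls_mounts` returns an empty array even when a cert is present, so the volume is declared but never mounted into the container, and nothing in this diff creates the referenced secret, so I assume both are meant to land in a later commit on this branch. `tls_volumes` and `tls_mounts` are complete inside their hunks; the enclosing class continues outside them.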
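Review bot: `require 'pry'; binding.pry` is an interactive debugger breakpoint left in the QA factory: it stops every headless QA run at this step waiting for console input, and raises LoadError wherever the pry gem is not installed. Drop the line before the branch merges. The fabricate block it sits in starts and ends outside the hunk.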
+++ b/qa/qa/specs/features/project/auto_devops_spec.rb
@@ -15,17 +15,6 @@ module QA
 p.description = 'Project with Auto Devops'
 end
 
- # Create Auto Devops compatible repo
- Factory::Repository::ProjectPush.fabricate! do |push|
- push.project = project
- push.directory = Pathname
- .new(__dir__)
- .join('../../../fixtures/auto_devops_rack')
- push.commit_message = 'Create Auto DevOps compatible rack application'
- end
-
- Page::Project::Show.act { wait_for_push }
-
 # Create and connect K8s cluster
 @cluster = Service::KubernetesCluster.new.create!
 kubernetes_cluster = Factory::Resource::KubernetesCluster.fabricate! do |cluster|
@@ -37,6 +26,17 @@ module QA
 cluster.install_runner = true
 end
 
+ # Create Auto Devops compatible repo
+ Factory::Repository::ProjectPush.fabricate! do |push|
+ push.project = project
+ push.directory = Pathname
+ .new(__dir__)
+ .join('../../../fixtures/auto_devops_rack')
+ push.commit_message = 'Create Auto DevOps compatible rack application'
+ end
+
+ Page::Project::Show.act { wait_for_push }
+
 project.visit!
 Page::Menu::Side.act { click_ci_cd_settings }
 Page::Project::Settings::CICD.perform do |p|