authorGitLab Bot <gitlab-bot@gitlab.com>2020-02-05 09:08:43 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2020-02-05 09:08:43 +0000
commit26384c9a61da9922b8fa4b8351d4e42d51661b37 (patch)
treeef3decbed644db3c97dcdbb5b71d4ade77f3155d /app/services/clusters
parent79cbe31b18159ea394c6f6e3027c1dc69bdabb75 (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'app/services/clusters')
-rw-r--r--app/services/clusters/kubernetes.rb2
-rw-r--r--app/services/clusters/kubernetes/configure_istio_ingress_service.rb108
2 files changed, 110 insertions, 0 deletions
diff --git a/app/services/clusters/kubernetes.rb b/app/services/clusters/kubernetes.rb
index d29519999b2..aafea64c820 100644
--- a/app/services/clusters/kubernetes.rb
+++ b/app/services/clusters/kubernetes.rb
@@ -12,5 +12,7 @@ module Clusters
GITLAB_KNATIVE_SERVING_ROLE_BINDING_NAME = 'gitlab-knative-serving-rolebinding'
GITLAB_CROSSPLANE_DATABASE_ROLE_NAME = 'gitlab-crossplane-database-role'
GITLAB_CROSSPLANE_DATABASE_ROLE_BINDING_NAME = 'gitlab-crossplane-database-rolebinding'
+ KNATIVE_SERVING_NAMESPACE = 'knative-serving'
+ ISTIO_SYSTEM_NAMESPACE = 'istio-system'
end
end
diff --git a/app/services/clusters/kubernetes/configure_istio_ingress_service.rb b/app/services/clusters/kubernetes/configure_istio_ingress_service.rb
new file mode 100644
index 00000000000..fe577beaa8a
--- /dev/null
+++ b/app/services/clusters/kubernetes/configure_istio_ingress_service.rb
@@ -0,0 +1,108 @@
+# frozen_string_literal: true
+
+require 'openssl'
+
+module Clusters
+ module Kubernetes
+ class ConfigureIstioIngressService
+ PASSTHROUGH_RESOURCE = Kubeclient::Resource.new(
+ mode: 'PASSTHROUGH'
+ ).freeze
+
+ MTLS_RESOURCE = Kubeclient::Resource.new(
+ mode: 'MUTUAL',
+ privateKey: '/etc/istio/ingressgateway-certs/tls.key',
+ serverCertificate: '/etc/istio/ingressgateway-certs/tls.crt',
+ caCertificates: '/etc/istio/ingressgateway-ca-certs/cert.pem'
+ ).freeze
+
+ def initialize(cluster:)
+ @cluster = cluster
+ @platform = cluster.platform
+ @kubeclient = platform.kubeclient
+ @knative = cluster.application_knative
+ end
+
+ def execute
+ return configure_certificates if serverless_domain_cluster
+
+ configure_passthrough
+ end
+
+ private
+
+ attr_reader :cluster, :platform, :kubeclient, :knative
+
+ def serverless_domain_cluster
+ knative&.serverless_domain_cluster
+ end
+
+ def configure_certificates
+ create_or_update_istio_cert_and_key
+ set_gateway_wildcard_https(MTLS_RESOURCE)
+ end
+
+ def create_or_update_istio_cert_and_key
+ name = OpenSSL::X509::Name.parse("CN=#{knative.hostname}")
+
+ key = OpenSSL::PKey::RSA.new(2048)
+
+ cert = OpenSSL::X509::Certificate.new
+ cert.version = 2
+ cert.serial = 0
+ cert.not_before = Time.now
+ cert.not_after = Time.now + 1000.years
+
+ cert.public_key = key.public_key
+ cert.subject = name
+ cert.issuer = name
+ cert.sign(key, OpenSSL::Digest::SHA256.new)
+
+ serverless_domain_cluster.update!(
+ key: key.to_pem,
+ certificate: cert.to_pem
+ )
+
+ kubeclient.create_or_update_secret(istio_ca_certs_resource)
+ kubeclient.create_or_update_secret(istio_certs_resource)
+ end
+
+ def istio_ca_certs_resource
+ Gitlab::Kubernetes::GenericSecret.new(
+ 'istio-ingressgateway-ca-certs',
+ {
+ 'cert.pem': Base64.strict_encode64(serverless_domain_cluster.certificate)
+ },
+ Clusters::Kubernetes::ISTIO_SYSTEM_NAMESPACE
+ ).generate
+ end
+
+ def istio_certs_resource
+ Gitlab::Kubernetes::TlsSecret.new(
+ 'istio-ingressgateway-certs',
+ serverless_domain_cluster.certificate,
+ serverless_domain_cluster.key,
+ Clusters::Kubernetes::ISTIO_SYSTEM_NAMESPACE
+ ).generate
+ end
+
+ def set_gateway_wildcard_https(tls_resource)
+ gateway_resource = gateway
+ gateway_resource.spec.servers.each do |server|
+ next unless server.hosts == ['*'] && server.port.name == 'https'
+
+ server.tls = tls_resource
+ end
+ kubeclient.update_gateway(gateway_resource)
+ end
+
+ def configure_passthrough
+ set_gateway_wildcard_https(PASSTHROUGH_RESOURCE)
+ end
+
+ def gateway
+ kubeclient.get_gateway('knative-ingress-gateway', Clusters::Kubernetes::KNATIVE_SERVING_NAMESPACE)
+ end
+ end
+ end
+end
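Review bot: `cert.serial = 0` in create_or_update_istio_cert_and_key violates RFC 5280, which requires a positive serial number, and every regenerated certificate then shares serial 0 under the same issuer name; `cert.serial = OpenSSL::BN.rand(64)` (or a `SecureRandom`-derived integer) fixes both. The same self-signed certificate is installed as both the server certificate and the CA bundle (`istio_ca_certs_resource` and `istio_certs_resource`), yet it carries no `basicConstraints` or `keyUsage` extensions, so consider adding them through `OpenSSL::X509::ExtensionFactory` if the verifying TLS stack requires them — I cannot confirm from this hunk whether Istio does. Each `execute` call also mints a fresh 2048-bit key and a 1000-year certificate and overwrites the stored pair, so any client that pinned the previous CA certificate is cut off; a class header comment stating that the service is not idempotent and that rotation is the caller's responsibility would help. The private key is written to `serverless_domain_cluster` as plain PEM via `update!`, presumably into an encrypted attribute — worth confirming, as is the missing `require 'base64'` for the `Base64.strict_encode64` call, which currently relies on something else having loaded it.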