Merge remote-tracking branch 'origin/master' into v2.0.x

cloudfoundry-incubator · Jan 28, 2020 · 0132203 · 0132203
2 parents 0142d1e + 86710cc
commit 0132203
Show file tree

Hide file tree

Showing 34 changed files with 540 additions and 116 deletions.
diff --git a/bin/build-helm b/bin/build-helm
@@ -8,21 +8,22 @@ GIT_ROOT=${GIT_ROOT:-$(git rev-parse --show-toplevel)}
 . "${GIT_ROOT}/bin/include/dependencies"
 
 output_dir=${GIT_ROOT}/helm
-filename="${output_dir}/cf-operator-${ARTIFACT_VERSION}.tgz"
+version=$(echo "$ARTIFACT_VERSION" | sed 's/^v//')
+filename="${output_dir}/cf-operator-${version}.tgz"
 
 [ -d "${output_dir}" ] && rm -r "${output_dir}"
 cp -r "${GIT_ROOT}/deploy/helm" "${output_dir}"
 
+
 perl -pi -e "s|repository: .*|repository: ${DOCKER_IMAGE_REPOSITORY}|g" "${output_dir}/cf-operator/values.yaml"
 perl -pi -e "s|org: .*|org: ${DOCKER_IMAGE_ORG}|g" "${output_dir}/cf-operator/values.yaml"
 perl -pi -e "s|tag: .*|tag: ${DOCKER_IMAGE_TAG}|g" "${output_dir}/cf-operator/values.yaml"
-perl -pi -e "s|version: .*|version: ${ARTIFACT_VERSION}|g" "${output_dir}/cf-operator/Chart.yaml"
+perl -pi -e "s|version: .*|version: ${version}|g" "${output_dir}/cf-operator/Chart.yaml"
+perl -pi -e "s|appVersion: .*|appVersion: ${version}|g" "${output_dir}/cf-operator/Chart.yaml"
 
 repo="https://cf-operators.s3.amazonaws.com/helm-charts/"
 qj="quarks-job-$QUARKS_JOB_HELM_VERSION.tgz"
 pushd "$output_dir/cf-operator"
-  #helm repo add quarks https://cf-operators.s3.amazonaws.com/helm-charts/
-  #helm dependency update
   mkdir charts
   curl -LO "$repo$qj"
   tar xfz "$qj" -C charts

diff --git a/bin/include/dependencies b/bin/include/dependencies
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-git_sha="e0ed198"
+git_sha="6a177e8"
 quarks_job_release="v0.0.0-0.g$git_sha"
 
 # QUARKS_JOB_IMAGE_TAG is used for integration tests
@@ -11,6 +11,6 @@ fi
 
 # QUARKS_JOB_HELM_VERSION is used to build helm charts including sub-charts
 if [ -z ${QUARKS_JOB_HELM_VERSION+x} ]; then
-  QUARKS_JOB_HELM_VERSION="$quarks_job_release"
+  QUARKS_JOB_HELM_VERSION=$(echo "$quarks_job_release" | sed 's/^v//')
   export QUARKS_JOB_HELM_VERSION
 fi
diff --git a/deploy/helm/cf-operator/Chart.yaml b/deploy/helm/cf-operator/Chart.yaml
@@ -1,4 +1,19 @@
 apiVersion: v1
-description: A Helm chart for cf-operator, the k8s operator for deploying BOSH releases
 name: cf-operator
-version: 0.0.1
+version: x.x.x
+appVersion: x.x.x
+description: A Helm chart for cf-operator, the k8s operator for deploying BOSH releases
+home: https://github.com/cloudfoundry-incubator/cf-operator
+icon: https://cloudfoundry-incubator.github.io/quarks-helm/logo.png
+keywords:
+- cloudfoundry
+- bosh
+- quarks
+- deployment
+sources:
+- https://github.com/cloudfoundry-incubator/cf-operator
+- https://github.com/cloudfoundry-incubator/quarks-job
+- https://github.com/cfcontainerizationbot/cf-operator-base
+maintainers:
+- name: project-quarks
+  email: [email protected]
diff --git a/deploy/helm/cf-operator/README.md b/deploy/helm/cf-operator/README.md
@@ -65,12 +65,12 @@ helm delete cf-operator --purge
 | `global.image.pullPolicy`                         | Kubernetes image pullPolicy                                                                       | `IfNotPresent`                                 |
 | `global.image.credentials`                        | Kubernetes image pull secret credentials (map with keys `servername`, `username`, and `password`) | `nil`                                          |
 | `global.operator.watchNamespace`                  | Namespace the operator will watch for BOSH deployments                                            | the release namespace                          |
-| `global.rbacEnable`                               | Install required RBAC service account, roles and rolebindings                                     | `true`                                         |
+| `global.rbac.create`                              | Install required RBAC service account, roles and rolebindings                                     | `true`                                         |
 | `operator.webhook.endpoint`                       | Hostname/IP under which the webhook server can be reached from the cluster                        | the IP of service `cf-operator-webhook`        |
 | `operator.webhook.port`                           | Port the webhook server listens on                                                                | 2999                                           |
 | `global.operator.webhook.useServiceReference`     | If true, the webhook server is addressed using a service reference instead of the IP              | `true`                                         |
-| `serviceAccount.cfOperatorServiceAccount.create`  | Will set the value of `cf-operator.serviceAccountName` to the current chart name                  | `true`                                         |
-| `serviceAccount.cfOperatorServiceAccount.name`    | If the above is not set, it will set the `cf-operator.serviceAccountName`                         |                                                |
+| `serviceAccount.create`                           | If true, create a service account                                                                 | `true`                                         |
+| `serviceAccount.name`                             | If not set and `create` is `true`, a name is generated using the fullname of the chart            |                                                |
 
 > **Note:**
 >
@@ -92,5 +92,5 @@ By default, the helm chart will install RBAC ClusterRole and ClusterRoleBinding
 The RBAC resources are enable by default. To disable:
 
 ```bash
-helm install --namespace cf-operator --name cf-operator https://s3.amazonaws.com/cf-operators/helm-charts/cf-operator-v0.2.2%2B47.g24492ea.tgz --set global.rbacEnable=false
+helm install --namespace cf-operator --name cf-operator https://s3.amazonaws.com/cf-operators/helm-charts/cf-operator-v0.2.2%2B47.g24492ea.tgz --set global.rbac.create=false
 ```
diff --git a/deploy/helm/cf-operator/templates/_helpers.tpl b/deploy/helm/cf-operator/templates/_helpers.tpl
@@ -35,9 +35,9 @@ Create chart name and version as used by the chart label.
 Create the name of the cf-operator service account to use
 */}}
 {{- define "cf-operator.serviceAccountName" -}}
-{{- if .Values.serviceAccount.cfOperatorServiceAccount.create -}}
-    {{ default (include "cf-operator.fullname" .) .Values.serviceAccount.cfOperatorServiceAccount.name }}
+{{- if .Values.serviceAccount.create -}}
+    {{ default (include "cf-operator.fullname" .) .Values.serviceAccount.name }}
 {{- else -}}
-    {{ default "default" .Values.serviceAccount.cfOperatorServiceAccount.name }}
+    {{ default "default" .Values.serviceAccount.name }}
 {{- end -}}
 {{- end -}}
diff --git a/...m/cf-operator/templates/cluster_role.yaml → ...m/cf-operator/templates/cluster-role.yaml b/...m/cf-operator/templates/cluster_role.yaml → ...m/cf-operator/templates/cluster-role.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.global.rbacEnable }}
+{{- if .Values.global.rbac.create }}
 ---
 apiVersion: v1
 kind: List

diff --git a/...m/cf-operator/templates/role_binding.yaml → ...m/cf-operator/templates/role-binding.yaml b/...m/cf-operator/templates/role_binding.yaml → ...m/cf-operator/templates/role-binding.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.global.rbac.create }}
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -10,3 +11,4 @@ roleRef:
   kind: Role
   name: cf-operator
   apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/deploy/helm/cf-operator/templates/role.yaml b/deploy/helm/cf-operator/templates/role.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.global.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -47,3 +48,4 @@ rules:
   - jobs
   verbs:
   - '*'
+{{- end }}
diff --git a/...emplates/service_account_pull_secret.yaml → ...emplates/service-account-pull-secret.yaml b/...emplates/service_account_pull_secret.yaml → ...emplates/service-account-pull-secret.yaml
diff --git a/...f-operator/templates/service_account.yaml → ...f-operator/templates/service-account.yaml b/...f-operator/templates/service_account.yaml → ...f-operator/templates/service-account.yaml
@@ -1,3 +1,4 @@
+{{- if or .Values.serviceAccount.create .Values.global.rbac.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -7,3 +8,4 @@ metadata:
 imagePullSecrets:
 - name: {{ template "cf-operator.serviceAccountName" . }}-pull-secret
 {{- end }}
+{{- end }}
diff --git a/deploy/helm/cf-operator/values.yaml b/deploy/helm/cf-operator/values.yaml
@@ -43,14 +43,13 @@ operator:
 # nameOverride overrides the chart name part of the release name
 nameOverride: ""
 
+# serviceAccount contains the configuration
+# values of the service account used by cf-operator.
 serviceAccount:
-  # cfOperatorServiceAccount contains the configuration
-  # values of the service account used by cf-operator.
-  cfOperatorServiceAccount:
-    # create is a boolean to control the creation of service account name.
-    create: true
-    # name of the service account.
-    name:
+  # create is a boolean to control the creation of service account name.
+  create: true
+  # name of the service account.
+  name:
 
 global:
   # Context Timeout for each K8's API request in seconds.
@@ -70,17 +69,16 @@ global:
       # useServiceReference is a boolean to control the use of the
       # service reference in the webhook spec instead of a url.
       useServiceReference: true
-  # rbacEnable is a boolean to control the installation of quarks job cluster role template.
-  rbacEnable: true
+
+  rbac:
+    # create is a boolean to control the installation of quarks job cluster role template.
+    create: true
 
 quarks-job:
   # createWatchNamespace is a boolean to control creation of watchnamespace.
   createWatchNamespace: false
   serviceAccount:
-    # quarksJobServiceAccount contains the configuration
-    # values of the service account used by quarks-job.
-    quarksJobServiceAccount:
-      # create is a boolean to control the creation of service account name.
-      create: true
-      # name of the service account.
-      name:
+    # create is a boolean to control the creation of service account name.
+    create: true
+    # name of the service account.
+    name:
diff --git a/docs/controllers/quarks_gvc_and_esec_flow.png b/docs/controllers/quarks_gvc_and_esec_flow.png
diff --git a/docs/controllers/quarks_secret.md b/docs/controllers/quarks_secret.md
@@ -13,6 +13,9 @@
          1. [Watches](#watches-in-csr-controller)
          2. [Reconciliation](#reconciliation-in-csr-controller)
          3. [Highlights](#highlights-in-csr-controller)
+      3. [SecretRotation Controller](#_secretrotation-controller_)
+         1. [Watches](#watches-in-secret-rotation-controller)
+         2. [Reconciliation](#reconciliation-in-secret-rotation-controller)
    3. [Relationship with the BDPL component](#relationship-with-the-bdpl-component)
    4. [`QuarksSecret` Examples](#`quarkssecret`-examples)
 
@@ -22,7 +25,7 @@ An QuarksSecret generates passwords, keys and certificates and stores them in Ku
 
 ## QuarksSecret Component
 
-The **QuarksSecret** component is a categorization of a set of controllers, under the same group. Inside the **QuarksSecret** component, we have a set of 2 controllers together with one separate reconciliation loop per controller.
+The **QuarksSecret** component consists of three controllers, each with a separate reconciliation loop.
 
 Figure 1, illustrates the component and associated set of controllers.
 
@@ -34,18 +37,19 @@ Figure 1, illustrates the component and associated set of controllers.
 ![qsec-controller-flow](quarks_eseccontroller_flow.png)
 *Fig. 2: The QuarksSecret controller*
 
-The **QuarksSecret** Controller will get a list of all variables referenced in a BOSH manifest with ops files applied, and will use this list of variables to generate the pertinent `QuarksSecret` instances.
 
-#### Watches in quarks secret controller
+#### Watches in Quarks Secret Controller
 
 - `QuarksSecret`: Creation
+- `QuarksSecret`: Updates if `.status.generated` is false
 
-#### Reconciliation in quarks secret controller
+#### Reconciliation in Quarks Secret Controller
 
 - generates Kubernetes secret of specific types(see Types under Highlights).
 - generate a Certificate Signing Request against the cluster API.
+- sets `.status.generated` to `true`, to avoid re-generation and allow secret rotation.
 
-#### Highlights in quarks secret controller
+#### Highlights in Quarks Secret Controller
 
 ##### Types
 
@@ -64,13 +68,9 @@ Depending on the `spec.type`, `QuarksSecret` supports generating the following:
 >
 > You can find more details in the [BOSH docs](https://bosh.io/docs/variable-types).
 
-##### Policies
-
-The developer can specify policies for rotation (e.g. automatic or not ) and how secrets are created (e.g. password complexity, certificate expiration date, etc.).
-
 ##### Auto-approving Certificates
 
-A certificate `QuarksSecret` can be signed by the Kube API Server. The **QuarksSecret** Controller is responsible for generating the certificate signing request:
+A certificate `QuarksSecret` can be signed by the Kubernetes API Server. The **QuarksSecret** Controller is responsible for generating the certificate signing request:
 
 ```yaml
 apiVersion: certificates.k8s.io/v1beta1
@@ -89,24 +89,36 @@ spec:
 ![certsr-controller-flow](quarks_certsrcontroller_flow.png)
 *Fig. 3: The CertificateSigningRequest controller*
 
-#### Watches in CSR controller
+#### Watches in CSR Controller
 
 - `Certificate Signing Request`: Creation
 
-#### Reconciliation in CSR controller
+#### Reconciliation in CSR Controller
 
 - once the request is approved by Kubernetes API, will generate a certificate stored in a Kubernetes secret, that is recognized by the cluster.
 
-#### Highlights in CSR controller
+#### Highlights in CSR Controller
 
 The CertificateSigningRequest controller watches for `CertificateSigningRequest` and approves `QuarksSecret`-owned CSRs and persists the generated certificate.
 
-## Relationship with the BDPL component
+### **_SecretRotation Controller_**
+
+The secret rotation controller watches for a rotation config map and re-generates all the listed `QuarksSecrets`.
+
+#### Watches in Secret Rotation Controller
+
+- `ConfigMap`: Creation of a config map, which has the `secret-rotation` label.
+
+#### Reconciliation in Secret Rotation Controller
+
+- Will read the array of `QuarksSecret` names from the JSON under the config map key `secrets`.
+- Skip `QuarksSecret` where `.status.generated` is `false`, as these might be under control of the user.
+- Set `.status.generated` for each named `QuarksSecret` to `false`, to trigger re-creation of the corresponding secret.
 
-![bdpl-qjob-relationship](quarks_gvc_and_esec_flow.png)
-*Fig. 4: Relationship between the Generated V.  controller and the QuarksSecret component*
+## Relationship With the BDPL Component
 
-Figure 4 illustrates the interaction of the **Generated Variables** Controller with the **QuarksSecret** Controller. When reconciling, the Generated Variables Controller lists all variables of a BOSH manifest(basically all BOSH variables) and generates an `QuarksSecret` instance per variable, which will trigger the **QuarksSecret** Controller.
+All explicit variables of a BOSH manifest will be created as `QuarksSecret` instances, which will trigger the **QuarksSecret** Controller.
+This will create corresponding secrets. If the user decides to change a secret, the `.status.generated` field in the corresponding `QuarksSecret` should be set to `false`, to protect against overwriting.
 
 ## `QuarksSecret` Examples
 

diff --git a/docs/examples/bosh-deployment/boshdeployment-with-implicit-in-explicit-variable.yaml b/docs/examples/bosh-deployment/boshdeployment-with-implicit-in-explicit-variable.yaml
@@ -0,0 +1,61 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: nats-deployment.var-system-domain
+type: Opaque
+stringData:
+  value: foo.com
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nats-manifest
+data:
+  manifest: |
+    ---
+    name: nats-deployment
+    releases:
+    - name: nats
+      version: "26"
+      url: docker.io/cfcontainerization
+      stemcell:
+        os: opensuse-42.3
+        version: 30.g9c91e77-30.80-7.0.0_257.gb97ced55
+    instance_groups:
+    - name: nats
+      instances: 1
+      jobs:
+      - name: nats
+        release: nats
+        properties:
+          nats:
+            user: admin
+            password: ((nats_password))
+            ca: ((nats_ca.certificate))
+    variables:
+    - name: nats_password
+      type: password
+    - name: nats_ca
+      type: certificate
+      options:
+        is_ca: true
+        common_name: routerCA
+    - name: nats_cert
+      type: certificate
+      options:
+        ca: nats_ca
+        common_name: routerSSL
+        alternative_names:
+        - "((system_domain))"
+        - "*.((system_domain))"
+
+---
+apiVersion: quarks.cloudfoundry.org/v1alpha1
+kind: BOSHDeployment
+metadata:
+  name: nats-deployment
+spec:
+  manifest:
+    name: nats-manifest
+    type: configmap
diff --git a/docs/examples/bosh-deployment/boshdeployment-with-implicit-variable.yaml b/docs/examples/bosh-deployment/boshdeployment-with-implicit-variable.yaml
@@ -32,6 +32,7 @@ data:
           nats:
             user: admin
             password: ((nats_password))
+            domain: ((system_domain))
     variables:
     - name: nats_password
       type: password
@@ -46,8 +47,8 @@ data:
         ca: nats_ca
         common_name: routerSSL
         alternative_names:
-        - "((system_domain))"
-        - "*.((system_domain))"
+        - "foo.bar"
+        - "*.foo.bar"
 
 ---
 apiVersion: quarks.cloudfoundry.org/v1alpha1