WIP: to add certs to managed clusters

Signed-off-by: Salvatore Dario Minonne <sminonne@redhat.com>
sdminonne · May 25, 2023 · 1adf682 · 1adf682
1 parent 65530ca
commit 1adf682
Show file tree

Hide file tree

Showing 3 changed files with 224 additions and 38 deletions.
diff --git a/00-boostrap-minikube-infra.sh b/00-boostrap-minikube-infra.sh
@@ -85,7 +85,8 @@ done
 log::info "Restaring minikube(s)"
 for CLUSTERNAME in "${clusters[@]}"
 do
-   minikube start -p ${CLUSTERNAME};
+    minikube start -p ${CLUSTERNAME};
+    minikube -p ${CLUSTERNAME} addons enable ingress
    wait_until "minikube_up_and_running ${CLUSTERNAME}"
 done
 

diff --git a/common.sh b/common.sh
@@ -108,3 +108,16 @@ http_endpoint_is_up()  {
   fi
   echo "1"
 }
+
+crd_defined_for_context() {
+    crd=$1
+    context=$2
+    kubectl --context ${context} get crd ${crd} &>/dev/null
+    if [[ $? -ne 0 ]]
+    then
+        echo "1"
+    else
+        echo "0"
+    fi
+    return
+}
diff --git a/demo.sh b/demo.sh
@@ -11,6 +11,9 @@ command -v kubectl >/dev/null 2>&1 || { log::error >&2 "can't find kubectl.  Abo
 command -v argocd >/dev/null 2>&1 || { log::error >&2 "can't find argocd. Aborting."; exit 1; }
 
 
+command -v helm >/dev/null 2>&1 || { log::error >&2 "can't find helm. Aborting."; exit 1; }
+
+
 command -v curl >/dev/null 2>&1 || { log::error >&2 "can't find curl. Aborting."; exit 1; }
 
 MGMTIP=$(minikube -p "${MGMT}" ip)
@@ -19,10 +22,179 @@ MGMTURL=https://${MGMTIP}:8443
 clear
 
 
+
+#################
+# Install ArgoCD
+#################
+log::info "Install ArgoCD"
+pe "kubectl --context $(get_client_context_from_cluster_name ${MGMT}) create namespace argocd"
+pe "kubectl --context $(get_client_context_from_cluster_name ${MGMT}) apply -n argocd -f manifests/argocd/" # we install only Argo Core
+wait_until "all_pods_in_namespace_for_context_are_running argocd $(get_client_context_from_cluster_name ${MGMT})" 10 120
+
+pe "kubectl config use-context  $(get_client_context_from_cluster_name ${MGMT})"
+pe "kubectl config set-context --current --namespace=argocd"
+
+pe "argocd cluster list"
+
+########################
+# Add clusters to argo
+#######################
+for mc in "${managedclusters[@]}"; do
+    pe "kubectl --context $(get_client_context_from_cluster_name ${mc}) config view --minify --flatten > ${mc}.kubeconfig"
+    pe "argocd cluster add ${mc} --kubeconfig= ${mc}.kubeconfig -y"
+done
+
+pe "argocd cluster list"
+
+
+
+#####################################
+# Creates ingress-nginx on clusters
+####################################
+#cat <<EOF | kubectl --context $(get_client_context_from_cluster_name ${MGMT}) apply -n argocd -f -
+#apiVersion: argoproj.io/v1alpha1
+#kind: ApplicationSet
+#metadata:
+#  name: ingress-nginx
+#spec:
+#  generators:
+#  - list:
+#      elements:
+#      - cluster: ${managedclusters[0]}
+#        url: https://$(minikube -p ${managedclusters[0]} ip):8443
+#      - cluster: ${managedclusters[1]}
+#        url: https://$(minikube -p ${managedclusters[1]} ip):8443
+#  template:
+#    metadata:
+#      name: '{{cluster}}-nginx-ingress'
+#    spec:
+#      project: default
+#      syncPolicy:
+#        automated:
+#          prune: true
+#          selfHeal: true
+#        syncOptions:
+#          - CreateNamespace=true
+#      source:
+#        chart: nginx-ingress
+#        repoURL: https://helm.nginx.com/stable
+#        targetRevision: 0.17.1
+#        helm:
+#          releaseName: nginx-stable
+#      destination:
+#        server: '{{url}}'
+#        namespace: ingress-nginx
+#  syncPolicy:
+#    preserveResourcesOnDeletion: true
+#EOF
+
+
+
+#######################
+# Deploy cert-manager
+#######################
+
+cat <<EOF | kubectl --context $(get_client_context_from_cluster_name ${MGMT}) apply  -f -
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cert-manager
+  namespace: argocd
+spec:
+  destination:
+    namespace: cert-manager
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    chart: cert-manager
+    helm:
+      parameters:
+        - name: installCRDs
+          value: "true"
+    repoURL: https://charts.jetstack.io
+    targetRevision: v1.11.0
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+EOF
+
+
+wait_until "crd_defined_for_context certificates.cert-manager.io $(get_client_context_from_cluster_name ${MGMT})" 10 120
+wait_until "crd_defined_for_context issuers.cert-manager.io $(get_client_context_from_cluster_name ${MGMT})" 10 120
+wait_until "all_pods_in_namespace_for_context_are_running cert-manager  $(get_client_context_from_cluster_name ${MGMT})" 10 120
+
+
+##################################
+# Deploy self-signed  cert issuer
+##################################
+cat <<EOF | kubectl --context $(get_client_context_from_cluster_name ${MGMT}) apply  -f -
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigned-issuer
+  namespace: cert-manager
+spec:
+  selfSigned: {}
+EOF
+
+#################
+# generate certs
+#################
+for mc in "${managedclusters[@]}"; do
+    cat <<EOF | kubectl --context $(get_client_context_from_cluster_name ${MGMT}) apply  -f -
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ${mc}-cert
+  namespace: cert-manager
+spec:
+  secretName: ${mc}-tls
+  secretTemplate:
+    annotations:
+      cluster-url: $(minikube -p ${mc} ip)
+    labels:
+      cluster: ${mc}
+  duration: 24h
+  renewBefore: 12h
+  secretTemplate:
+    labels:
+      cluster: ${mc}
+  commonName: ${mc}
+  subject:
+    organizations:
+      - argocd-fleet-manager
+    organizationalUnits:
+      - argo
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  ipAddresses:
+    - $(minikube -p ${mc} ip)
+  issuerRef:
+    name: selfsigned-issuer
+    kind: Issuer
+    group: cert-manager.io
+EOF
+done
+
+#TODO wait_until "certificates.cert-manager.io in namespace for context READY"
+#TODO wait_until "certificates.cert-manager.io in namespace for context READY"
+
+
 ################################
 # Install gitea on mgmt cluter
 ################################
-pe "helm --kube-context $(get_client_context_from_cluster_name ${MGMT}) install gitea gitea-charts/gitea  --set service.http.type=LoadBalancer"
+#from https://gitea.com/gitea/helm-chart/src/branch/main/values.yaml
+#username: gitea_admin
+#password: r8sA8CPHD9!bt6d
+#email: "gitea@local.domain"
+
+GITEAUSERNAME='gitea_admin'
+GITEAPASSWORD='r8sA8CPHD9!bt6d'
+
+log::info "Creating a GIT repository on ${MGMT} cluster using helm charts for GITEA -> https://gitea.io/en-us"
+pe "helm --kube-context $(get_client_context_from_cluster_name ${MGMT}) install gitea gitea-charts/gitea  --namespace default --create-namespace --set service.http.type=LoadBalancer"
 
 # TODO for ariplane mode retrieve image gitea/gitea:1.19.1
 wait_until "pod_in_namespace_for_context_is_running gitea-0 default $(get_client_context_from_cluster_name ${MGMT})" 10 120
@@ -33,21 +205,22 @@ wait_until "deployment_in_namespace_for_context_up_and_running gitea-memcached d
 #TODO for airplane mode retrieve image docker.io/bitnami/postgresql:15.2.0-debian-11-r14
 wait_until "pod_in_namespace_for_context_is_running gitea-postgresql-0 default $(get_client_context_from_cluster_name ${MGMT})" 10 120
 
-GITEAPORT=$(kubectl --context $(get_client_context_from_cluster_name ${MGMT}) -n default get svc gitea-http -o jsonpath='{.spec.ports[0].nodePort}')
-
-kubectl --context $(get_client_context_from_cluster_name ${MGMT}) patch svc gitea-http -p "{\"spec\":{\"externalIPs\":[\"${MGMTIP}\"]}}"
-
 
+#patch the gitea svc on ${MGMT} cluster with the minikube IP address
+kubectl --context $(get_client_context_from_cluster_name ${MGMT}) -n default patch svc gitea-http -p "{\"spec\":{\"externalIPs\":[\"${MGMTIP}\"]}}"
 
-#from https://gitea.com/gitea/helm-chart/src/branch/main/values.yaml
-#username: gitea_admin
-#password: r8sA8CPHD9!bt6d
-#email: "gitea@local.domain"
+#gets the GITEA port to check when/if svc is available
+GITEAPORT=$(kubectl --context $(get_client_context_from_cluster_name ${MGMT}) -n default get svc gitea-http -o jsonpath='{.spec.ports[0].nodePort}')
 
+#check when/if svc is available
 wait_until "http_endpoint_is_up http://${MGMTIP}:${GITEAPORT}" 10 120
 
-log::info "creating GIT repo in http://${MGMTIP}:${GITEAPORT}"
 
+
+###########################
+# creating guestbook on git
+###########################
+log::info "creating guestbook GIT repo in http://${MGMTIP}:${GITEAPORT}"
 curl -u 'gitea_admin:r8sA8CPHD9!bt6d' \
     -X POST  "http://${MGMTIP}:${GITEAPORT}/api/v1/user/repos" \
     -H "Content-Type: application/json" \
@@ -99,6 +272,28 @@ spec:
     app: guestbook-ui
 EOF
     git add ${GUESTBOOKTMP}/${mc}/guestbook-ui-svc.yaml
+    cat << EOF >  ${GUESTBOOKTMP}/${mc}/guestbook-ingress.yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+    name: guestbookl-ingress
+spec:
+    rules:
+    - http:
+        paths:
+        - path: /
+          pathType: Prefix
+          backend:
+            service:
+              name: guestbook-ui
+              port:
+                number: 80
+    tls:
+    - hosts:
+      - $(minikube -p cluster1 ip)
+      secretName: ${mc}-tls
+EOF
+    git add ${GUESTBOOKTMP}/${mc}/guestbook-ingress.yaml
 done
 
 git remote add origin http://${MGMTIP}:${GITEAPORT}/gitea_admin/guestbook.git
@@ -109,35 +304,10 @@ cd -
 log::info "GIT repo http://${MGMTIP}:${GITEAPORT}/gitea_admin/guestbook.git created"
 
 
-
-#################
-# Install ArgoCD
-#################
-log::info "Install ArgoCD"
-pe "kubectl --context $(get_client_context_from_cluster_name ${MGMT}) create namespace argocd"
-pe "kubectl --context $(get_client_context_from_cluster_name ${MGMT}) apply -n argocd -f manifests/argocd/" # we install only Argo Core
-wait_until "all_pods_in_namespace_for_context_are_running argocd $(get_client_context_from_cluster_name ${MGMT})" 10 120
-
-pe "kubectl config use-context  $(get_client_context_from_cluster_name ${MGMT})"
-pe "kubectl config set-context --current --namespace=argocd"
-
-pe "argocd cluster list"
-
-########################
-# Add clusters to argo
-#######################
-for mc in "${managedclusters[@]}"; do
-    pe "kubectl --context $(get_client_context_from_cluster_name ${mc}) config view --minify --flatten > ${mc}.kubeconfig"
-    pe "argocd cluster add ${mc} --kubeconfig= ${mc}.kubeconfig -y"
-done
-
-pe "argocd cluster list"
-
-
-
 #####################################
 # Now load the applications
 #####################################
+#TODO: adds the certificates
 cat <<EOF | kubectl --context $(get_client_context_from_cluster_name ${MGMT}) apply -f -
 apiVersion: argoproj.io/v1alpha1
 kind: ApplicationSet
@@ -171,9 +341,11 @@ spec:
         namespace: guestbook
   syncPolicy:
     preserveResourcesOnDeletion: true
-
 EOF
 
+
+
+
 #####################################
 # Now sync the applications
 #####################################