Merge pull request #143 from cloud-native-toolkit/updates-core-dns

adds dns support using fully qualified domain and letsencrypt
cloud-native-toolkit · Mar 24, 2023 · 13ce07b · 13ce07b
2 parents 018f531 + 059fcfd
commit 13ce07b
Show file tree

Hide file tree

Showing 10 changed files with 141 additions and 7 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -18,6 +18,7 @@ COPY templates/ ${HOME}/templates/
 USER root
 RUN curl -sLo /tmp/oc.tar.gz https://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.8.7/openshift-client-linux-4.8.7.tar.gz && \
     tar xzvf /tmp/oc.tar.gz -C /usr/local/bin/ && rm /tmp/oc.tar.gz
+RUN curl -fsSL https://clis.cloud.ibm.com/install/linux | sh
 RUN pip3 install jq
 RUN pip3 install yq    
 USER 1001

diff --git a/Makefile b/Makefile
@@ -3,7 +3,7 @@
 # To re-generate a bundle for another specific version without changing the standard setup, you can:
 # - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2)
 # - use environment variables to overwrite this value (e.g export VERSION=0.0.2)
-VERSION ?= 2.7.0
+VERSION ?= 2.8.0
 
 # CHANNELS define the bundle channels used in the bundle.
 # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")

diff --git a/README.md b/README.md
@@ -52,6 +52,7 @@ The default setup will install on a single cluster.  The following advanced conf
 
 - Installing Manage with an External DB.
 - Installing multiple instances of MAS and Applications on the same cluster.
+- Using Letsencrypt and DNS
 
 ### CP4D Important Requirement
 BEFORE installing CP4D you currently must have a *global* pull secret defined on the cluster with your IBM Entitlement Key. See CP4D [docs](https://www.ibm.com/docs/en/mas-cd/continuous-delivery?topic=configuring-global-image-pull-secret)

diff --git a/bundle/manifests/masauto-operator.clusterserviceversion.yaml b/bundle/manifests/masauto-operator.clusterserviceversion.yaml
@@ -275,7 +275,7 @@ metadata:
     operatorframework.io/suggested-namespace: masauto-operator-system
     operators.operatorframework.io/builder: operator-sdk-v1.22.0-ocp
     operators.operatorframework.io/project_layout: ansible.sdk.operatorframework.io/v1
-  name: masauto-operator.v2.7.0
+  name: masauto-operator.v2.8.0
   namespace: placeholder
 spec:
   apiservicedefinitions: {}
@@ -403,7 +403,7 @@ spec:
                 env:
                 - name: ANSIBLE_GATHERING
                   value: explicit
-                image: quay.io/cloudnativetoolkit/masauto:v2.7.0
+                image: quay.io/cloudnativetoolkit/masauto:v2.8.0
                 imagePullPolicy: Always
                 livenessProbe:
                   httpGet:
@@ -458,4 +458,4 @@ spec:
   provider:
     name: IBM US Ecosystem Engineering
     url: https://modules.cloudnativetoolkit.dev/
-  version: 2.7.0
+  version: 2.8.0
diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
@@ -13,4 +13,4 @@ kind: Kustomization
 images:
 - name: controller
   newName: quay.io/cloudnativetoolkit/masauto
-  newTag: v2.7.0
+  newTag: v2.8.0
diff --git a/docs/advanced.md b/docs/advanced.md
@@ -28,4 +28,21 @@ The same applies for installing a second Manage on the same cluster.  A sample o
   name: masauto-manage2
   mas_instance_id: "inst2"
   db2_instance_name: "db2w-manage2"
-```
+```
+
+### Using a DNS with Core and Signing with Letsencrypt Service
+Current automation supports both IBM CIS or Cloudflare DNS.  This automation operator requires your apikey for either service to be in a secret on the cluster.  Set this up before running an installation of Core.
+
+1. If using Cloudflare:
+
+```shell
+  oc create secret generic "cloudflare-apitoken-secret" -n masauto-operator-system --from-literal="apitoken=<your-apitoken-goes-here>"
+``` 
+
+2. If using IBM CIS:
+
+```shell
+  oc create secret generic "cis-apikey-secret" -n masauto-operator-system --from-literal="apikey=<your-apikey-goes-here>"
+```
+
+3.  See the samples [directory](/samples) for a sample core CR with either CIS or Cloudflare DNS and letsencrypt.
diff --git a/playbooks/core.yml b/playbooks/core.yml
@@ -18,6 +18,7 @@
   # set defaults for core
     sls_compliance_enforce: "true"
     sls_mode: "prod"
+    dns_provider: ""
 
     # Entitlement key can be passed by either the key or a secret name
     ibm_entitlement_secret: "{{ ibm_entitlement_secret }}"
@@ -43,12 +44,16 @@
     # Create masconfig directory based on instance_id
     - include_tasks: "{{ playbook_dir }}/../tasks/masconfig_setup.yml"    
 
+    # Setup DNS config secrets if provider is set
+    - include_tasks: "{{ playbook_dir }}/../tasks/dns_setup.yml"
+      when: dns_provider != ""
+
     # Set SLS mode set if required
     - name: "Set SLS config mode if required"
       when: (sls_mode is defined and sls_mode == "dev")
       set_fact:
         sls_compliance_enforce: "false"
-      
+
   roles:
     # 1. Install cluster-scoped dependencies (e.g. SBO, Cert-Manager, Operator Catalogs) & cluster monitoring
     - role: ibm.mas_devops.ibm_catalogs
@@ -83,6 +88,7 @@
 
     # 6. Install & configure MAS
     - role: ibm.mas_devops.suite_dns
+      when: dns_provider != ""
     - role: ibm.mas_devops.suite_install
       vars:
         mas_entitlement_key: "{{ ibm_entitlement_key }}"

diff --git a/samples/sample_core_cis_cr.yaml b/samples/sample_core_cis_cr.yaml
@@ -0,0 +1,27 @@
+apiVersion: masauto.ibm.com/v1alpha1
+kind: Core
+metadata:
+  name: masauto-core-cis
+  namespace: masauto-operator-system
+annotations:
+  ansible.operator-sdk/reconcile-period: "0s"    
+spec:
+  mas_channel: "8.9.x"
+  ibm_entitlement_secret: "ibm-entitlement-key" #secret where your ibm-entitlement-key is stored in operator namespace
+  mas_instance_id: "inst1"
+  mas_workspace_id: "masdev"
+  mas_workspace_name: "MAS Development"
+  mas_annotations: "mas.ibm.com/operationalMode=production"
+  mongodb_storage_class: "ocs-storagecluster-ceph-rbd"
+  uds_contact:
+    email: "youremail@us.ibm.com"
+    first_name: "yourfirstname"
+    last_name: "yourlastname"  
+  uds_storage_class: "ocs-storagecluster-ceph-rbd"
+
+  dns_provider: "cis"
+  cis_crn: "<your crn>"
+  cis_email: "<your email>"
+  cis_apikey_secret: "cis-apikey-secret" #see advanced doc link for setup
+  mas_domain: "mysubdomain.mydomain.com"
+  mas_cluster_issuer: "inst1-cis-le-prod"
diff --git a/samples/sample_core_cloudflare_cr.yaml b/samples/sample_core_cloudflare_cr.yaml
@@ -0,0 +1,28 @@
+apiVersion: masauto.ibm.com/v1alpha1
+kind: Core
+metadata:
+  name: masauto-core-cloudflare
+  namespace: masauto-operator-system
+annotations:
+  ansible.operator-sdk/reconcile-period: "0s"    
+spec:
+  mas_channel: "8.9.x"
+  ibm_entitlement_secret: "ibm-entitlement-key" #secret where your ibm-entitlement-key is stored in operator namespace
+  mas_instance_id: "inst1"
+  mas_workspace_id: "masdev"
+  mas_workspace_name: "MAS Development"
+  mas_annotations: "mas.ibm.com/operationalMode=production"
+  mongodb_storage_class: "ocs-storagecluster-ceph-rbd"
+  uds_contact:
+    email: "youremail@us.ibm.com"
+    first_name: "yourfirstname"
+    last_name: "yourlastname"  
+  uds_storage_class: "ocs-storagecluster-ceph-rbd"
+
+  dns_provider: "cloudflare"
+  mas_domain: "mysubdomain.mydomain.com"
+  cloudflare_email: "youremail@ibm.com"
+  cloudflare_apitoken_secret: "cloudflare-apitoken-secret" #see advanced doc link for setup
+  cloudflare_zone: "mydomain.com"
+  cloudflare_subdomain: "mysubdomain"
+  mas_cluster_issuer: "inst1-cloudflare-le-prod"
diff --git a/tasks/dns_setup.yml b/tasks/dns_setup.yml
@@ -0,0 +1,54 @@
+    # These tasks grab the apikey for the dns provider
+    - name: "If Cloudflare set: Check for required Cloudflare properties"
+      when: dns_provider == "cloudflare"
+      assert:
+        that:
+          - cloudflare_zone is defined and cloudflare_zone != ""
+          - cloudflare_apitoken_secret is defined and cloudflare_apitoken_secret != ""
+          - cloudflare_email is defined and cloudflare_email != ""
+          - mas_domain is defined and mas_domain != ""
+        fail_msg: "One or more required cloudflare variables are not defined"  
+
+    - name: "Get cloudflare apikey secret"
+      when: dns_provider == "cloudflare"
+      ignore_errors: true      
+      kubernetes.core.k8s_info:
+        api_version: v1
+        kind: Secret
+        name: "{{ cloudflare_apitoken_secret }}"
+        namespace: "masauto-operator-system"
+      register: cf_entitlement_credentials 
+
+    - name: "Set cf apikey based on secret"
+      when: (cf_entitlement_credentials.api_found) and
+            (cloudflare_apitoken_secret is defined and cloudflare_apitoken_secret != "")
+      ignore_errors: true
+      set_fact:
+        cloudflare_apitoken: "{{ cf_entitlement_credentials.resources[0].data.apitoken | b64decode }}"
+
+    - name: "If CIS set: Check for required CIS properties"
+      when: dns_provider == "cis"
+      assert:
+        that:
+          - cis_crn is defined and cis_crn != ""
+          - cis_email is defined and cis_email != ""
+          - cis_apikey_secret is defined and cis_apikey_secret != ""
+          - mas_domain is defined and mas_domain != ""
+        fail_msg: "One or more required cis properties are missing"
+
+    - name: "Get cis apikey secret"
+      when: dns_provider == "cloudflare"
+      ignore_errors: true      
+      kubernetes.core.k8s_info:
+        api_version: v1
+        kind: Secret
+        name: "{{ cis_apikey_secret }}"
+        namespace: "masauto-operator-system"
+      register: cis_entitlement_credentials 
+
+    - name: "Set cis apikey based on secret"
+      when: (cis_entitlement_credentials.api_found) and
+            (cis_apikey_secret is defined and cis_apikey_secret != "")
+      ignore_errors: true
+      set_fact:
+        cis_apikey: "{{ cis_entitlement_credentials.resources[0].data.apikey | b64decode }}"