adds dns secrets to support using fully qualified domain #143

Merged
merged 7 commits into from
Mar 24, 2023
1 change: 1 addition & 0 deletions Dockerfile
Expand Up @@ -18,6 +18,7 @@ COPY templates/ ${HOME}/templates/
USER root
RUN curl -sLo /tmp/oc.tar.gz https://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.8.7/openshift-client-linux-4.8.7.tar.gz && \
tar xzvf /tmp/oc.tar.gz -C /usr/local/bin/ && rm /tmp/oc.tar.gz
RUN curl -fsSL https://clis.cloud.ibm.com/install/linux | sh
RUN pip3 install jq
RUN pip3 install yq
USER 1001
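Review bot: `RUN pip3 install yq` (and the existing `RUN pip3 install jq` just above it) are unpinned, so each image build pulls whatever version PyPI serves that day and the operator image is not reproducible; pin both (e.g. `pip3 install 'yq==<pinned version>'`, ideally with `--require-hashes`) and merge the two into one `RUN` layer. Both installs run under `USER root` before the switch back to `USER 1001`, so a pinned, hash-checked install is also what keeps an unexpected package release from landing in the image with root privileges at build time.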
2 changes: 1 addition & 1 deletion Makefile
Expand Up @@ -3,7 +3,7 @@
# To re-generate a bundle for another specific version without changing the standard setup, you can:
# - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2)
# - use environment variables to overwrite this value (e.g export VERSION=0.0.2)
VERSION ?= 2.7.0
VERSION ?= 2.8.0

# CHANNELS define the bundle channels used in the bundle.
# Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -52,6 +52,7 @@ The default setup will install on a single cluster. The following advanced conf

- Installing Manage with an External DB.
- Installing multiple instances of MAS and Applications on the same cluster.
- Using Letsencrypt and DNS

### CP4D Important Requirement
BEFORE installing CP4D you currently must have a *global* pull secret defined on the cluster with your IBM Entitlement Key. See CP4D [docs](https://www.ibm.com/docs/en/mas-cd/continuous-delivery?topic=configuring-global-image-pull-secret)
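Review bot: the new list item `- Using Letsencrypt and DNS` does not point the reader anywhere; link it to the new "Using a DNS with Core and Signing with Letsencrypt Service" section in docs/advanced.md that this PR adds, and spell the CA's name "Let's Encrypt" in both places.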
6 changes: 3 additions & 3 deletions bundle/manifests/masauto-operator.clusterserviceversion.yaml
Expand Up @@ -275,7 +275,7 @@ metadata:
operatorframework.io/suggested-namespace: masauto-operator-system
operators.operatorframework.io/builder: operator-sdk-v1.22.0-ocp
operators.operatorframework.io/project_layout: ansible.sdk.operatorframework.io/v1
name: masauto-operator.v2.7.0
name: masauto-operator.v2.8.0
namespace: placeholder
spec:
apiservicedefinitions: {}
Expand Down Expand Up @@ -403,7 +403,7 @@ spec:
env:
- name: ANSIBLE_GATHERING
value: explicit
image: quay.io/cloudnativetoolkit/masauto:v2.7.0
image: quay.io/cloudnativetoolkit/masauto:v2.8.0
imagePullPolicy: Always
livenessProbe:
httpGet:
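Review bot: `image: quay.io/cloudnativetoolkit/masauto:v2.8.0` combined with `imagePullPolicy: Always` means every pod restart re-resolves a mutable tag, so if `v2.8.0` is ever re-pushed the running operator changes without any change to the bundle. For a released CSV consider pinning by digest (`quay.io/cloudnativetoolkit/masauto@sha256:<digest>`), or at least document that version tags are never overwritten once published.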
Expand Down Expand Up @@ -458,4 +458,4 @@ spec:
provider:
name: IBM US Ecosystem Engineering
url: https://modules.cloudnativetoolkit.dev/
version: 2.7.0
version: 2.8.0
2 changes: 1 addition & 1 deletion config/manager/kustomization.yaml
Expand Up @@ -13,4 +13,4 @@ kind: Kustomization
images:
- name: controller
newName: quay.io/cloudnativetoolkit/masauto
newTag: v2.7.0
newTag: v2.8.0
19 changes: 18 additions & 1 deletion docs/advanced.md
Expand Up @@ -28,4 +28,21 @@ The same applies for installing a second Manage on the same cluster. A sample o
name: masauto-manage2
mas_instance_id: "inst2"
db2_instance_name: "db2w-manage2"
```
```

### Using a DNS with Core and Signing with Letsencrypt Service
Current automation supports both IBM CIS or Cloudflare DNS. This automation operator requires your apikey for either service to be in a secret on the cluster. Set this up before running an installation of Core.

1. If using Cloudflare:

```shell
oc create secret generic "cloudflare-apitoken-secret" -n masauto-operator-system --from-literal="apitoken=<your-apitoken-goes-here>"
```

2. If using IBM CIS:

```shell
oc create secret generic "cis-apikey-secret" -n masauto-operator-system --from-literal="apikey=<your-apikey-goes-here>"
```

3. See the samples [directory](/samples) for a sample core CR with either CIS or Cloudflare DNS and letsencrypt.
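Review bot: both `oc create secret generic ... --from-literal="apitoken=<your-apitoken-goes-here>"` / `--from-literal="apikey=<your-apikey-goes-here>"` commands put the Cloudflare token and CIS API key on the command line, where they are written to shell history and visible to other users via the process list; document `--from-file=apitoken=./apitoken.txt` (or `--from-file=apikey=...`) and deleting the file afterwards instead. The doc should also state that the secret names `cloudflare-apitoken-secret` / `cis-apikey-secret` must match `cloudflare_apitoken_secret` / `cis_apikey_secret` in the Core CR and that the namespace has to be `masauto-operator-system`, because tasks/dns_setup.yml in this PR hard-codes that namespace in its `kubernetes.core.k8s_info` lookups. Finally, recommend that the Cloudflare token be scoped to DNS edit on the single zone used for `mas_domain` rather than an account-wide token, since it will sit in the cluster for the life of the install.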
8 changes: 7 additions & 1 deletion playbooks/core.yml
Expand Up @@ -18,6 +18,7 @@
# set defaults for core
sls_compliance_enforce: "true"
sls_mode: "prod"
dns_provider: ""

# Entitlement key can be passed by either the key or a secret name
ibm_entitlement_secret: "{{ ibm_entitlement_secret }}"
Expand All @@ -43,12 +44,16 @@
# Create masconfig directory based on instance_id
- include_tasks: "{{ playbook_dir }}/../tasks/masconfig_setup.yml"

# Setup DNS config secrets if provider is set
- include_tasks: "{{ playbook_dir }}/../tasks/dns_setup.yml"
when: dns_provider != ""

# Set SLS mode set if required
- name: "Set SLS config mode if required"
when: (sls_mode is defined and sls_mode == "dev")
set_fact:
sls_compliance_enforce: "false"

roles:
# 1. Install cluster-scoped dependencies (e.g. SBO, Cert-Manager, Operator Catalogs) & cluster monitoring
- role: ibm.mas_devops.ibm_catalogs
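Review bot: the guard `when: dns_provider != ""` on `include_tasks: "{{ playbook_dir }}/../tasks/dns_setup.yml"` only checks that the value is non-empty, not that it is one of the two providers the tasks file handles (`"cloudflare"` and `"cis"`); a typo such as `dns_provider: "cloudfare"` passes this guard, skips both `assert` blocks in dns_setup.yml, and then the `ibm.mas_devops.suite_dns` role (also gated on `dns_provider != ""`) runs with no credentials at all. Suggest `when: dns_provider in ["cloudflare", "cis"]` here plus an `assert` with a `fail_msg` naming the supported values, so an unsupported provider fails the reconcile immediately with a clear message.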
Expand Down Expand Up @@ -83,6 +88,7 @@

# 6. Install & configure MAS
- role: ibm.mas_devops.suite_dns
when: dns_provider != ""
- role: ibm.mas_devops.suite_install
vars:
mas_entitlement_key: "{{ ibm_entitlement_key }}"
27 changes: 27 additions & 0 deletions samples/sample_core_cis_cr.yaml
@@ -0,0 +1,27 @@
apiVersion: masauto.ibm.com/v1alpha1
kind: Core
metadata:
name: masauto-core-cis
namespace: masauto-operator-system
annotations:
ansible.operator-sdk/reconcile-period: "0s"
spec:
mas_channel: "8.9.x"
ibm_entitlement_secret: "ibm-entitlement-key" #secret where your ibm-entitlement-key is stored in operator namespace
mas_instance_id: "inst1"
mas_workspace_id: "masdev"
mas_workspace_name: "MAS Development"
mas_annotations: "mas.ibm.com/operationalMode=production"
mongodb_storage_class: "ocs-storagecluster-ceph-rbd"
uds_contact:
email: "youremail@us.ibm.com"
first_name: "yourfirstname"
last_name: "yourlastname"
uds_storage_class: "ocs-storagecluster-ceph-rbd"

dns_provider: "cis"
cis_crn: "<your crn>"
cis_email: "<your email>"
cis_apikey_secret: "cis-apikey-secret" #see advanced doc link for setup
mas_domain: "mysubdomain.mydomain.com"
mas_cluster_issuer: "inst1-cis-le-prod"
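Review bot: `mas_cluster_issuer: "inst1-cis-le-prod"` appears to embed the value of `mas_instance_id: "inst1"`, and `mas_domain: "mysubdomain.mydomain.com"` has to be a zone managed by the CIS instance identified by `cis_crn`, but neither dependency is called out; add inline comments in the style of the one on `cis_apikey_secret` so that a user who changes the instance id or domain knows to update the dependent fields. The comment `#see advanced doc link for setup` should also name the file and section (docs/advanced.md, "Using a DNS with Core and Signing with Letsencrypt Service"), since a YAML comment cannot carry a link.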
28 changes: 28 additions & 0 deletions samples/sample_core_cloudflare_cr.yaml
@@ -0,0 +1,28 @@
apiVersion: masauto.ibm.com/v1alpha1
kind: Core
metadata:
name: masauto-core-cloudflare
namespace: masauto-operator-system
annotations:
ansible.operator-sdk/reconcile-period: "0s"
spec:
mas_channel: "8.9.x"
ibm_entitlement_secret: "ibm-entitlement-key" #secret where your ibm-entitlement-key is stored in operator namespace
mas_instance_id: "inst1"
mas_workspace_id: "masdev"
mas_workspace_name: "MAS Development"
mas_annotations: "mas.ibm.com/operationalMode=production"
mongodb_storage_class: "ocs-storagecluster-ceph-rbd"
uds_contact:
email: "youremail@us.ibm.com"
first_name: "yourfirstname"
last_name: "yourlastname"
uds_storage_class: "ocs-storagecluster-ceph-rbd"

dns_provider: "cloudflare"
mas_domain: "mysubdomain.mydomain.com"
cloudflare_email: "youremail@ibm.com"
cloudflare_apitoken_secret: "cloudflare-apitoken-secret" #see advanced doc link for setup
cloudflare_zone: "mydomain.com"
cloudflare_subdomain: "mysubdomain"
mas_cluster_issuer: "inst1-cloudflare-le-prod"
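Review bot: `mas_domain: "mysubdomain.mydomain.com"`, `cloudflare_zone: "mydomain.com"` and `cloudflare_subdomain: "mysubdomain"` must agree (the domain is the subdomain joined to the zone), but nothing in this sample or in the `assert` in tasks/dns_setup.yml, which only checks that each variable is defined and non-empty, enforces that; add a comment here stating the relationship and an assertion in dns_setup.yml along the lines of `mas_domain == cloudflare_subdomain ~ '.' ~ cloudflare_zone`, so a mismatch fails before any DNS records or certificate requests are made.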
54 changes: 54 additions & 0 deletions tasks/dns_setup.yml
@@ -0,0 +1,54 @@
# These tasks grab the apikey for the dns provider
- name: "If Cloudflare set: Check for required Cloudflare properties"
when: dns_provider == "cloudflare"
assert:
that:
- cloudflare_zone is defined and cloudflare_zone != ""
- cloudflare_apitoken_secret is defined and cloudflare_apitoken_secret != ""
- cloudflare_email is defined and cloudflare_email != ""
- mas_domain is defined and mas_domain != ""
fail_msg: "One or more required cloudflare variables are not defined"

- name: "Get cloudflare apikey secret"
when: dns_provider == "cloudflare"
ignore_errors: true
kubernetes.core.k8s_info:
api_version: v1
kind: Secret
name: "{{ cloudflare_apitoken_secret }}"
namespace: "masauto-operator-system"
register: cf_entitlement_credentials

- name: "Set cf apikey based on secret"
when: (cf_entitlement_credentials.api_found) and
(cloudflare_apitoken_secret is defined and cloudflare_apitoken_secret != "")
ignore_errors: true
set_fact:
cloudflare_apitoken: "{{ cf_entitlement_credentials.resources[0].data.apitoken | b64decode }}"

- name: "If CIS set: Check for required CIS properties"
when: dns_provider == "cis"
assert:
that:
- cis_crn is defined and cis_crn != ""
- cis_email is defined and cis_email != ""
- cis_apikey_secret is defined and cis_apikey_secret != ""
- mas_domain is defined and mas_domain != ""
fail_msg: "One or more required cis properties are missing"

- name: "Get cis apikey secret"
when: dns_provider == "cloudflare"
ignore_errors: true
kubernetes.core.k8s_info:
api_version: v1
kind: Secret
name: "{{ cis_apikey_secret }}"
namespace: "masauto-operator-system"
register: cis_entitlement_credentials

- name: "Set cis apikey based on secret"
when: (cis_entitlement_credentials.api_found) and
(cis_apikey_secret is defined and cis_apikey_secret != "")
ignore_errors: true
set_fact:
cis_apikey: "{{ cis_entitlement_credentials.resources[0].data.apikey | b64decode }}"
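Review bot: the task "Get cis apikey secret" is gated on `when: dns_provider == "cloudflare"`, which must be `when: dns_provider == "cis"`; as written, the CIS path never fetches the secret, `cis_entitlement_credentials` is only the skipped-task result with no `api_found` key, the following `set_fact` errors out, `ignore_errors: true` swallows that error, and the suite_dns role then runs with `cis_apikey` undefined. Beyond that bug, `ignore_errors: true` on every lookup and `set_fact` in this file hides the most likely misconfiguration (secret missing or in the wrong namespace, since `namespace: "masauto-operator-system"` is hard-coded), and `resources[0]` is indexed without checking that the lookup returned anything; replace the `ignore_errors` with an explicit `assert` that `*_credentials.resources | length == 1` and that the expected key is present, with a `fail_msg` naming the secret. Both `set_fact` tasks should also carry `no_log: true`, because the decoded `cloudflare_apitoken` / `cis_apikey` values otherwise appear in operator pod logs when the playbook runs with verbose output. Finally, `cf_entitlement_credentials` / `cis_entitlement_credentials` are DNS provider credentials, not entitlement credentials; renaming them to `cf_apitoken_secret_result` / `cis_apikey_secret_result` avoids confusion with `ibm_entitlement_secret` used elsewhere in the playbook.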