
feat(runner): inject config for hermicrab (wip)
LucasMrqes committed Apr 5, 2024
1 parent 770b2e2 commit ac6cef2
Showing 8 changed files with 164 additions and 5 deletions.
22 changes: 21 additions & 1 deletion deploy/charts/burrito/templates/controllers.yaml
@@ -1,5 +1,6 @@
{{ $configChecksum := (include (print $.Template.BasePath "/config.yaml") . | sha256sum) }}
{{ $sshKnownHostsChecksum := (include (print $.Template.BasePath "/ssh-known-hosts.yaml") . | sha256sum) }}
{{- $mainNamespace := list (dict "name" "BURRITO_CONTROLLER_MAINNAMESPACE" "valueFrom" (dict "fieldRef" (dict "fieldPath" "metadata.namespace"))) -}}

{{- with mergeOverwrite (deepCopy .Values.global) .Values.controllers }}
apiVersion: apps/v1
Expand Down Expand Up @@ -52,7 +53,8 @@ spec:
resources:
{{- toYaml .deployment.resources | nindent 12 }}
env:
{{- toYaml .deployment.env | nindent 12 }}
{{- concat $mainNamespace .deployment.env | toYaml | nindent 12}}

envFrom:
{{- toYaml .deployment.envFrom | nindent 12 }}
volumeMounts:
Expand Down Expand Up @@ -118,4 +120,22 @@ subjects:
- kind: ServiceAccount
name: burrito-controllers
namespace: {{ $.Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: burrito-controllers-secrets
namespace: {{ $.Release.Namespace }}
labels:
{{- toYaml .metadata.labels | nindent 4 }}
annotations:
{{- toYaml .metadata.annotations | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: burrito-controllers-secrets
subjects:
- kind: ServiceAccount
name: burrito-controllers
namespace: {{ $.Release.Namespace }}
{{- end }}
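Review bot: `concat $mainNamespace .deployment.env` on the new env line prepends BURRITO_CONTROLLER_MAINNAMESPACE unconditionally, so a chart user who already sets that variable in `controllers.deployment.env` ends up with two entries of the same name in the container env, and which one takes effect is left to the kubelet (in practice the last one). Either document in values.yaml that the variable is chart-managed and must not be set by hand, or filter it out of `.deployment.env` before the concat. The new RoleBinding is correctly scoped to the release namespace via `namespace: {{ $.Release.Namespace }}`, which is the right shape for read access to the hermitcrab TLS secret; a one-line comment above it such as `# Read-only access to the hermitcrab certificate secret, limited to the release namespace (ClusterRole bound by RoleBinding)` would make the intent explicit. The Deployment spec that the env block belongs to begins outside the visible hunk.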
2 changes: 1 addition & 1 deletion deploy/charts/burrito/templates/hermitcrab.yaml
@@ -1,4 +1,4 @@
{{- if .Values.hermitcrab.enabled }}
{{- if .Values.config.burrito.hermitcrab.enabled }}
{{- with mergeOverwrite (deepCopy .Values.global) .Values.hermitcrab }}
{{- if .persistence.enabled }}
apiVersion: v1
26 changes: 26 additions & 0 deletions deploy/charts/burrito/templates/rbac.yaml
Expand Up @@ -155,6 +155,14 @@ rules:
- patch
- update
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- list
- create
- update
- apiGroups:
- config.terraform.padok.cloud
resources:
Expand Down Expand Up @@ -272,3 +280,21 @@ rules:
- update
- patch
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/component: controllers
app.kubernetes.io/name: burrito-controllers
app.kubernetes.io/part-of: burrito
name: burrito-controllers-secrets
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- watch
- list
- get
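Review bot: The rule added at the top of this section grants `create` and `update` on `secrets` with no `resourceNames`, and if this ClusterRole is the one bound cluster-wide to burrito-controllers (its binding is not in this section), the controller can now write any Secret in any namespace, far more than the single `ca.crt` copy that pod.go performs. `update` can be tightened with `resourceNames: ["{{ .Values.config.burrito.hermitcrab.certificateSecretName }}"]`; `create` cannot be name-restricted by RBAC, so consider binding this rule into tenant namespaces with RoleBindings instead of cluster-wide. The same rule lists `list` but neither `get` nor `watch`, and the controller-runtime cached client used in pod.go reads Secrets through informers that need list+watch in every cached namespace, so a Get on the main-namespace secret is likely to fail to sync in tenant namespaces that are not the release namespace — I would use `verbs: [get, list, watch, create, update]` here with a comment stating which verb serves which code path. The second ClusterRole (`burrito-controllers-secrets`) is read-only and bound per namespace in controllers.yaml, which is the right pattern.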
9 changes: 8 additions & 1 deletion deploy/charts/burrito/values.yaml
Expand Up @@ -51,6 +51,9 @@ config:
# -- Prefer override with the BURRITO_CONTROLLER_GITLABCONFIG_APITOKEN environment variable
apiToken: ""
url: ""
hermitcrab:
enabled: false
certificateSecretName: burrito-hermitcrab-tls

# Burrito server configuration
server:
Expand Down Expand Up @@ -91,7 +94,6 @@ redis:
targetPort: 6379

hermitcrab:
enabled: false
metadata:
labels:
app.kubernetes.io/component: hermitcrab
Expand All @@ -102,6 +104,10 @@ hermitcrab:
tls:
certManager:
use: true
certificate:
issuer:
kind: ClusterIssuer
name: letsencrypt

deployment:
image:
Expand Down Expand Up @@ -199,6 +205,7 @@ controllers:
initialDelaySeconds: 15
periodSeconds: 20
envFrom: []
env: []
service:
enabled: false

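Review bot: The new `config.burrito.hermitcrab.certificateSecretName` key has no `# --` comment, unlike its neighbours, and its contract is non-obvious: the controller reads this secret from the release namespace and copies only its `ca.crt` into every tenant namespace under the same name, so it must match the secret that hermitcrab's Certificate writes. I would add `# -- Name of the TLS secret (in the release namespace) holding hermitcrab's certificate; only its ca.crt is copied into tenant namespaces` above it, and `# -- Moved from hermitcrab.enabled; the old key is no longer read` next to `enabled`, since hermitcrab.yaml now reads this path and an existing values file that still sets the old key will silently render no hermitcrab resources. The new `certificate.issuer` default of a ClusterIssuer named `letsencrypt` assumes such an issuer exists in the cluster; a comment saying so, or an empty default that fails loudly at template time, would avoid a confusing cert-manager error after install.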
7 changes: 7 additions & 0 deletions internal/burrito/config/config.go
Expand Up @@ -16,6 +16,7 @@ type Config struct {
Controller ControllerConfig `mapstructure:"controller"`
Redis Redis `mapstructure:"redis"`
Server ServerConfig `mapstructure:"server"`
Hermitcrab HermitcrabConfig `mapstructure:"hermitcrab"`
}

type WebhookConfig struct {
Expand All @@ -32,6 +33,7 @@ type WebhookGitlabConfig struct {
}

type ControllerConfig struct {
MainNamespace string `mapstructure:"mainNamespace"`
Namespaces []string `mapstructure:"namespaces"`
Timers ControllerTimers `mapstructure:"timers"`
TerraformMaxRetries int `mapstructure:"terraformMaxRetries"`
Expand Down Expand Up @@ -94,6 +96,11 @@ type Redis struct {
Database int `mapstructure:"database"`
}

type HermitcrabConfig struct {
Enabled bool `mapstructure:"enabled"`
CertificateSecretName string `mapstructure:"certificateSecretName"`
}

type ServerConfig struct {
Addr string `mapstructure:"addr"`
Webhook WebhookConfig `mapstructure:"webhook"`
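Review bot: `MainNamespace` and the `HermitcrabConfig` fields are added without doc comments and without any validation of `MainNamespace`, which pod.go uses both as the namespace of the certificate secret and to build the hermitcrab service URL; when it is unset (the chart injects it via BURRITO_CONTROLLER_MAINNAMESPACE, but a binary run outside the chart will not have it) the secret lookup targets namespace `""` and the URL becomes `https://burrito-hermitcrab..svc.cluster.local/v1/providers/`. I would document the fields, e.g. `// MainNamespace is the namespace burrito itself runs in; hermitcrab's certificate secret is read from here.` and `// CertificateSecretName names the Secret in MainNamespace whose ca.crt is copied into tenant namespaces.`, and have the config loader reject `Hermitcrab.Enabled` with an empty `MainNamespace` or `CertificateSecretName`. The `Config`, `ControllerConfig` and `ServerConfig` struct definitions start or end outside the visible hunks.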
2 changes: 1 addition & 1 deletion internal/controllers/manager.go
Expand Up @@ -81,7 +81,7 @@ func (c *Controllers) Exec() {
LeaderElection: c.config.Controller.LeaderElection.Enabled,
LeaderElectionID: c.config.Controller.LeaderElection.ID,
Cache: cache.Options{
Namespaces: c.config.Controller.Namespaces,
Namespaces: append(c.config.Controller.Namespaces, c.config.Controller.MainNamespace),
},
})
if err != nil {
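Review bot: `append(c.config.Controller.Namespaces, c.config.Controller.MainNamespace)` appends the value even when `MainNamespace` is empty, and an empty string in `cache.Options.Namespaces` is what controller-runtime uses to mean "all namespaces" in the versions I am familiar with, so a missing BURRITO_CONTROLLER_MAINNAMESPACE would silently widen the namespace-scoped cache to the whole cluster — confirm against the pinned controller-runtime version. It also produces a duplicate entry when MainNamespace is already listed in Namespaces, and appending to the config slice can write into its backing array. I would build the list separately, skipping empty and duplicate values (`slices.Contains` needs Go 1.21; use a loop otherwise), and pass it to the Cache option. `Exec`'s body continues outside the hunk.
```go
// … unchanged: manager options above …
cacheNamespaces := append([]string(nil), c.config.Controller.Namespaces...) // copy; do not mutate config
if ns := c.config.Controller.MainNamespace; ns != "" && !slices.Contains(cacheNamespaces, ns) {
	cacheNamespaces = append(cacheNamespaces, ns)
}
Cache: cache.Options{
	Namespaces: cacheNamespaces,
},
```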
71 changes: 71 additions & 0 deletions internal/controllers/terraformrun/pod.go
Expand Up @@ -7,7 +7,9 @@ import (
configv1alpha1 "github.com/padok-team/burrito/api/v1alpha1"
"github.com/padok-team/burrito/internal/burrito/config"
"github.com/padok-team/burrito/internal/version"
log "github.com/sirupsen/logrus"
corev1 "k8s.io/api/core/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/apimachinery/pkg/selection"
Expand Down Expand Up @@ -52,9 +54,78 @@ func (r *Reconciler) GetLinkedPods(run *configv1alpha1.TerraformRun) (*corev1.Po
return list, nil
}

func (r *Reconciler) ensureHermitcrabSecret(tenantNamespace string) error {
secret := &corev1.Secret{}
err := r.Client.Get(context.Background(), client.ObjectKey{Namespace: r.Config.Controller.MainNamespace,
Name: r.Config.Hermitcrab.CertificateSecretName}, secret)
if err != nil {
return err
}
if _, ok := secret.Data["ca.crt"]; !ok {
return fmt.Errorf("ca.crt not found in secret %s", r.Config.Hermitcrab.CertificateSecretName)
}
secret = &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: r.Config.Hermitcrab.CertificateSecretName,
Namespace: tenantNamespace,
},
Data: map[string][]byte{
"ca.crt": secret.Data["ca.crt"],
},
}
err = r.Client.Create(context.Background(), secret)
if err != nil && apierrors.IsAlreadyExists(err) {
err = r.Client.Update(context.Background(), secret)
if err != nil {
return err
}
} else if err != nil {
return err
}
log.Infof("HermitCrab cert secret is present in namespace %s", tenantNamespace)
return nil
}

func (r *Reconciler) getPod(run *configv1alpha1.TerraformRun, layer *configv1alpha1.TerraformLayer, repository *configv1alpha1.TerraformRepository) corev1.Pod {
defaultSpec := defaultPodSpec(r.Config, layer, repository)

if r.Config.Hermitcrab.Enabled {
err := r.ensureHermitcrabSecret(layer.Namespace)
if err != nil {
log.Errorf("failed to ensure HermitCrab secret in namespace %s: %s", layer.Namespace, err)
} else {
defaultSpec.Volumes = append(defaultSpec.Volumes, corev1.Volume{
Name: "hermitcrab-ca-cert",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: r.Config.Hermitcrab.CertificateSecretName,
Items: []corev1.KeyToPath{
{
Key: "ca.crt",
Path: "hermitcrab-ca.crt",
},
},
},
},
})
defaultSpec.Containers[0].VolumeMounts = append(defaultSpec.Containers[0].VolumeMounts, corev1.VolumeMount{
MountPath: "/etc/ssl/certs/hermitcrab-ca.crt",
Name: "hermitcrab-ca-cert",
SubPath: "hermitcrab-ca.crt",
})

defaultSpec.Containers[0].Env = append(defaultSpec.Containers[0].Env,
corev1.EnvVar{
Name: "HERMITCRAB_ENABLED",
Value: "true",
},
corev1.EnvVar{
Name: "HERMITCRAB_URL",
Value: fmt.Sprintf("https://burrito-hermitcrab.%s.svc.cluster.local/v1/providers/", r.Config.Controller.MainNamespace),
},
)
}
}
switch Action(run.Spec.Action) {
case PlanAction:
defaultSpec.Containers[0].Env = append(defaultSpec.Containers[0].Env, corev1.EnvVar{
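Review bot: `getPod` treats a failure of `ensureHermitcrabSecret` as non-fatal — it logs and builds a pod without the CA mount, HERMITCRAB_ENABLED or HERMITCRAB_URL, so the runner falls back to the public registry and the operator's choice of a private mirror is silently bypassed; when hermitcrab is enabled the failure should surface (getPod returns only `corev1.Pod`, so either add an error return or have the reconciler verify the secret before calling it and requeue). In `ensureHermitcrabSecret`, the `Update` path unconditionally overwrites whatever Secret named `CertificateSecretName` exists in the tenant namespace — there is no owner label or ownerReference check — so an unrelated tenant secret with that name is clobbered on every reconcile; at minimum label the copy (e.g. `app.kubernetes.io/managed-by: burrito`) and refuse the update when the existing object does not carry it. Copying only `ca.crt` and never the key is the right call and deserves a comment above the copy: `// Only the CA certificate is propagated; the private key never leaves the main namespace.` `getPod` continues outside the hunk.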
30 changes: 29 additions & 1 deletion internal/runner/runner.go
Expand Up @@ -101,7 +101,6 @@ func (r *Runner) Exec() error {
log.Errorf("could not update terraform layer annotations: %s", err)
}
log.Infof("successfully updated terraform layer annotations")

return err
}

Expand Down Expand Up @@ -199,6 +198,15 @@ func (r *Runner) init() error {
}
log.Infof("binaries successfully installed")

if os.Getenv("HERMITCRAB_ENABLED") == "true" {
log.Infof("Hermitcrab configuration detected, creating network mirror configuration...")
err := createNetworkMirrorConfig(os.Getenv("HERMITCRAB_URL"))
if err != nil {
log.Errorf("error creating network mirror configuration: %s", err)
}
log.Infof("network mirror configuration created")
}

workingDir := fmt.Sprintf("%s/%s", WorkingDir, r.layer.Spec.Path)
log.Infof("Launching terraform init in %s", workingDir)
err = r.exec.Init(workingDir)
Expand Down Expand Up @@ -267,6 +275,7 @@ func (r *Runner) plan() (string, error) {
return "", err
}
log.Infof("terraform plan ran successfully")
time.Sleep(3600 * time.Second)
return b64.StdEncoding.EncodeToString(sum[:]), nil
}

Expand Down Expand Up @@ -324,3 +333,22 @@ func getDiff(plan *tfjson.Plan) (bool, string) {
}
return diff, fmt.Sprintf("Plan: %d to create, %d to update, %d to delete", create, update, delete)
}

func createNetworkMirrorConfig(endpoint string) error {
terraformrcContent := fmt.Sprintf(`
provider_installation {
network_mirror {
url = "%s"
}
}`, endpoint)
filePath := fmt.Sprintf("%s/config.tfrc", WorkingDir)
err := os.WriteFile(filePath, []byte(terraformrcContent), 0644)
if err != nil {
return err
}
err = os.Setenv("TF_CLI_CONFIG_FILE", filePath)
if err != nil {
return err
}
return nil
}
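Review bot: `time.Sleep(3600 * time.Second)` in `plan()` right after the "terraform plan ran successfully" log blocks every plan pod for an hour before it reports its result; this is a debugging leftover from the wip and must not be merged. In `init()`, an error from `createNetworkMirrorConfig` is logged but "network mirror configuration created" is logged anyway and `terraform init` proceeds without TF_CLI_CONFIG_FILE, so providers are fetched from the public registry even though the controller asked for the mirror — fail closed with `return fmt.Errorf("creating network mirror configuration: %w", err)` and move the success log after the check. `createNetworkMirrorConfig` interpolates `endpoint` straight into the HCL string literal with `%s`; today the value is the controller-set HERMITCRAB_URL, but validating it with `url.Parse` (and rejecting a non-https scheme) before writing the file would keep a malformed or downgraded value from producing an unparseable or insecure `.tfrc`. `plan()` and `init()` begin outside the visible hunks.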
