K8SPSMDB-956: fix problems with TLS certificate renewal #1287

Merged
merged 18 commits into from
Sep 11, 2023
Merged
2 changes: 1 addition & 1 deletion cmd/manager/main.go
Expand Up @@ -11,8 +11,8 @@ import (
// to ensure that exec-entrypoint and run can make use of them.
_ "k8s.io/client-go/plugin/pkg/client/auth"

certmgrscheme "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/scheme"
"github.com/go-logr/logr"
certmgrscheme "github.com/jetstack/cert-manager/pkg/client/clientset/versioned/scheme"
uzap "go.uber.org/zap"
"go.uber.org/zap/zapcore"
k8sruntime "k8s.io/apimachinery/pkg/runtime"
1 change: 1 addition & 0 deletions deploy/rbac.yaml
Expand Up @@ -100,6 +100,7 @@ rules:
resources:
- issuers
- certificates
- certificates/status
please also update the bundle.yaml

We should not have it at all. It is needed only for test.

verbs:
- get
- list
28 changes: 28 additions & 0 deletions e2e-tests/conf/cmctl.yml
@@ -0,0 +1,28 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: cmctl
spec:
replicas: 1
selector:
matchLabels:
name: cmctl
template:
metadata:
labels:
name: cmctl
spec:
serviceAccountName: percona-server-mongodb-operator
containers:
- name: cmctl
image: debian
imagePullPolicy: Always
command:
- /bin/bash
- -c
- |
apt-get update && apt-get install -y curl \
&& curl -fsSL -o cmctl.tar.gz https://github.com/cert-manager/cert-manager/releases/latest/download/cmctl-linux-amd64.tar.gz \
&& tar xzf cmctl.tar.gz \
&& sleep 100500
restartPolicy: Always
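Review bot: The cmctl container at lines 98–105 runs an untagged `debian` image and fetches cmctl from the `releases/latest` URL with no integrity check, so the renewal test exercises whatever cert-manager happened to publish last, and an unpinned tarball is unpacked and executed by a pod that runs as the operator itself (`serviceAccountName: percona-server-mongodb-operator`). Pinning both makes the fixture reproducible: `image: debian:<pinned-tag>` and a `releases/download/v<same version as CERT_MANAGER_VER>/cmctl-linux-amd64.tar.gz` URL, with the download compared against a sha256 recorded in the repo before `tar xzf`. Giving the tool its own ServiceAccount with a Role scoped to `certificates` and `certificates/status` would keep the operator's RBAC untouched for a test-only need. The `apt-get update && apt-get install -y curl` step also runs as root on every pod start; an image that already ships curl would remove it.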
5 changes: 3 additions & 2 deletions e2e-tests/functions
Expand Up @@ -16,7 +16,7 @@ SKIP_BACKUPS_TO_AWS_GCP_AZURE=${SKIP_BACKUPS_TO_AWS_GCP_AZURE:-1}
PMM_SERVER_VER=${PMM_SERVER_VER:-"9.9.9"}
IMAGE_PMM_SERVER_REPO=${IMAGE_PMM_SERVER_REPO:-"perconalab/pmm-server"}
IMAGE_PMM_SERVER_TAG=${IMAGE_PMM_SERVER_TAG:-"dev-latest"}
CERT_MANAGER_VER="1.8.0"
CERT_MANAGER_VER="1.12.3"
tmp_dir=$(mktemp -d)
sed=$(which gsed || which sed)
date=$(which gdate || which date)
Expand Down Expand Up @@ -846,7 +846,8 @@ deploy_cert_manager() {
kubectl_bin create namespace cert-manager || :
kubectl_bin label namespace cert-manager certmanager.k8s.io/disable-validation=true || :
kubectl_bin apply -f "https://github.com/jetstack/cert-manager/releases/download/v${CERT_MANAGER_VER}/cert-manager.yaml" --validate=false || : 2>/dev/null
sleep 30
kubectl_bin -n cert-manager wait pod -l app.kubernetes.io/instance=cert-manager --for=condition=ready
sleep 120
}

delete_crd() {
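Review bot: In deploy_cert_manager the trailing `2>/dev/null` on the `kubectl_bin apply ... --validate=false || : 2>/dev/null` line redirects the stderr of `:`, not of kubectl, and `|| :` masks an apply failure, so a bad manifest URL or a failed download only surfaces later at the readiness wait. `kubectl_bin apply -f "..." --validate=false 2>/dev/null || :` is what the line appears to intend, or dropping `|| :` lets errexit report the failure where it happens. The manifest is still fetched from `github.com/jetstack/cert-manager/...` while cmd/manager/main.go in this PR imports from `github.com/cert-manager/cert-manager`; the old path relies on a redirect, so `https://github.com/cert-manager/cert-manager/releases/download/v${CERT_MANAGER_VER}/cert-manager.yaml` is the stable form. The fixed `sleep 120` after the pod wait looks like a stand-in for webhook readiness; waiting on the cert-manager deployments' Available condition would be less flaky than a timer. The function opens before this hunk.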
1 change: 1 addition & 0 deletions e2e-tests/run-distro.csv
Expand Up @@ -18,6 +18,7 @@ pitr-sharded
recover-no-primary
rs-shard-migration
scaling
tls-issue-cert-manager
upgrade
upgrade-sharded
users
1 change: 1 addition & 0 deletions e2e-tests/run-minikube.csv
Expand Up @@ -15,6 +15,7 @@ scheduled-backup
security-context
self-healing-chaos
smart-update
tls-issue-cert-manager
upgrade-consistency
upgrade-consistency-sharded
users
1 change: 1 addition & 0 deletions e2e-tests/run-pr.csv
Expand Up @@ -33,6 +33,7 @@ service-per-pod
serviceless-external-nodes
smart-update
storage
tls-issue-cert-manager
upgrade
upgrade-consistency
upgrade-consistency-sharded
1 change: 1 addition & 0 deletions e2e-tests/run-release.csv
Expand Up @@ -34,6 +34,7 @@ service-per-pod
serviceless-external-nodes
smart-update
storage
tls-issue-cert-manager
upgrade
upgrade-consistency
upgrade-consistency-sharded
@@ -0,0 +1,47 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
generation: 1
name: some-name-ssl-internal
ownerReferences:
- blockOwnerDeletion: true
controller: true
kind: PerconaServerMongoDB
name: some-name
spec:
commonName: some-name
dnsNames:
- localhost
- some-name-rs0
- some-name-rs0.NAME_SPACE
- some-name-rs0.NAME_SPACE.svc.cluster.local
- '*.some-name-rs0'
- '*.some-name-rs0.NAME_SPACE'
- '*.some-name-rs0.NAME_SPACE.svc.cluster.local'
- some-name-rs0.NAME_SPACE.svc.clusterset.local
- '*.some-name-rs0.NAME_SPACE.svc.clusterset.local'
- '*.NAME_SPACE.svc.clusterset.local'
- some-name-mongos
- some-name-mongos.NAME_SPACE
- some-name-mongos.NAME_SPACE.svc.cluster.local
- '*.some-name-mongos'
- '*.some-name-mongos.NAME_SPACE'
- '*.some-name-mongos.NAME_SPACE.svc.cluster.local'
- some-name-cfg
- some-name-cfg.NAME_SPACE
- some-name-cfg.NAME_SPACE.svc.cluster.local
- '*.some-name-cfg'
- '*.some-name-cfg.NAME_SPACE'
- '*.some-name-cfg.NAME_SPACE.svc.cluster.local'
- some-name-mongos.NAME_SPACE.svc.clusterset.local
- '*.some-name-mongos.NAME_SPACE.svc.clusterset.local'
- some-name-cfg.NAME_SPACE.svc.clusterset.local
- '*.some-name-cfg.NAME_SPACE.svc.clusterset.local'
duration: 2160h0m0s
issuerRef:
kind: Issuer
name: some-name-psmdb-issuer
secretName: some-name-ssl-internal
subject:
organizations:
- PSMDB
@@ -0,0 +1,47 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
generation: 1
name: some-name-ssl
ownerReferences:
- blockOwnerDeletion: true
controller: true
kind: PerconaServerMongoDB
name: some-name
spec:
commonName: some-name
dnsNames:
- localhost
- some-name-rs0
- some-name-rs0.NAME_SPACE
- some-name-rs0.NAME_SPACE.svc.cluster.local
- '*.some-name-rs0'
- '*.some-name-rs0.NAME_SPACE'
- '*.some-name-rs0.NAME_SPACE.svc.cluster.local'
- some-name-rs0.NAME_SPACE.svc.clusterset.local
- '*.some-name-rs0.NAME_SPACE.svc.clusterset.local'
- '*.NAME_SPACE.svc.clusterset.local'
- some-name-mongos
- some-name-mongos.NAME_SPACE
- some-name-mongos.NAME_SPACE.svc.cluster.local
- '*.some-name-mongos'
- '*.some-name-mongos.NAME_SPACE'
- '*.some-name-mongos.NAME_SPACE.svc.cluster.local'
- some-name-cfg
- some-name-cfg.NAME_SPACE
- some-name-cfg.NAME_SPACE.svc.cluster.local
- '*.some-name-cfg'
- '*.some-name-cfg.NAME_SPACE'
- '*.some-name-cfg.NAME_SPACE.svc.cluster.local'
- some-name-mongos.NAME_SPACE.svc.clusterset.local
- '*.some-name-mongos.NAME_SPACE.svc.clusterset.local'
- some-name-cfg.NAME_SPACE.svc.clusterset.local
- '*.some-name-cfg.NAME_SPACE.svc.clusterset.local'
duration: 2160h0m0s
issuerRef:
kind: Issuer
name: some-name-psmdb-issuer
secretName: some-name-ssl
subject:
organizations:
- PSMDB
@@ -0,0 +1,12 @@
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
generation: 1
name: some-name-psmdb-ca-issuer
ownerReferences:
- blockOwnerDeletion: true
controller: true
kind: PerconaServerMongoDB
name: some-name
spec:
selfSigned: {}
@@ -0,0 +1,13 @@
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
generation: 1
name: some-name-psmdb-issuer
ownerReferences:
- blockOwnerDeletion: true
controller: true
kind: PerconaServerMongoDB
name: some-name
spec:
ca:
secretName: some-name-ca-cert
45 changes: 45 additions & 0 deletions e2e-tests/tls-issue-cert-manager/conf/some-name.yml
@@ -0,0 +1,45 @@
apiVersion: psmdb.percona.com/v1
kind: PerconaServerMongoDB
metadata:
name: some-name
spec:
#platform: openshift
image:
imagePullPolicy: Always
backup:
enabled: false
replsets:
- name: rs0
affinity:
antiAffinityTopologyKey: none
resources:
limits:
cpu: 500m
memory: 1G
requests:
cpu: 100m
memory: 0.1G
volumeSpec:
persistentVolumeClaim:
resources:
requests:
storage: 1Gi
expose:
enabled: false
exposeType: ClusterIP
size: 3
sharding:
enabled: true
configsvrReplSet:
size: 3
volumeSpec:
persistentVolumeClaim:
resources:
requests:
storage: 3Gi
expose:
enabled: false
mongos:
size: 3
secrets:
users: some-users
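--- a/e2e-tests/tls-issue-cert-manager/run
+++ b/e2e-tests/tls-issue-cert-manager/run
@@ -0,0 +1,112 @@
+#!/bin/bash
+
+set -o errexit
+
+test_dir=$(realpath $(dirname $0))
+. "${test_dir}/../functions"
+set_debug
+
+renew-certificate() {
+certificate="$1"
+
+desc "renew $certificate"
+
+local pod_name
+pod_name=$(kubectl_bin get pods --selector=name=cmctl -o 'jsonpath={.items[].metadata.name}')
+
+local revision
+revision=$(kubectl_bin get certificate "$certificate" -o 'jsonpath={.status.revision}')
+
+kubectl_bin exec "$pod_name" -- ./cmctl renew "$certificate"
+
+# wait for new revision
+for i in {1..10}; do
+local new_revision
+new_revision=$(kubectl_bin get certificate "$certificate" -o 'jsonpath={.status.revision}')
+if [ "$((revision + 1))" == "$new_revision" ]; then
+break
+fi
+sleep 1
+done
+}
+
+check_tls_secret() {
+local secret_name=$1
+check_secret_data_key "$secret_name" 'ca.crt'
+check_secret_data_key "$secret_name" 'tls.crt'
+check_secret_data_key "$secret_name" 'tls.key'
+}
+
+check_secret_data_key() {
+local secret_name=$1
+local data_key=$2
+local secret_data
+
+secret_data=$(kubectl_bin get "secrets/${secret_name}" -o json | jq ".data[\"${data_key}\"]")
+if [ -z "$secret_data" ]; then
+exit 1
+fi
+}
+
+main() {
+deploy_cert_manager
+create_infra "$namespace"
+
+desc 'create secrets and start client'
+kubectl_bin apply -f "$conf_dir/secrets.yml"
+kubectl_bin apply -f "$conf_dir/client_with_tls.yml"
+kubectl_bin apply -f "$conf_dir/cmctl.yml"
+
+cluster="some-name"
+desc "create first PSMDB cluster $cluster"
+apply_cluster "$test_dir/conf/$cluster.yml"
+
+desc 'check if all Pods started'
+wait_for_running $cluster-rs0 3
+wait_for_running $cluster-cfg 3 "false"
+wait_for_running $cluster-mongos 3
+
+desc 'check if certificates issued with certmanager'
+check_tls_secret "$cluster-ssl"
+
+desc 'check if CA issuer created'
+compare_kubectl issuer/$cluster-psmdb-ca-issuer
+
+desc 'check if issuer created'
+compare_kubectl issuer/$cluster-psmdb-issuer
+
+desc 'check if certificate issued'
+compare_kubectl certificate/$cluster-ssl
+
+desc 'check if internal certificate issued'
+compare_kubectl certificate/$cluster-ssl-internal
+
+renew-certificate "some-name-ssl"
+sleep 10
+wait_for_running $cluster-rs0 3
+wait_for_running $cluster-cfg 3 "false"
+wait_for_running $cluster-mongos 3
+
+renew-certificate "some-name-ssl-internal"
+sleep 10
+wait_for_running $cluster-rs0 3
+wait_for_running $cluster-cfg 3 "false"
+wait_for_running $cluster-mongos 3
+
+desc 'check if CA issuer created'
+compare_kubectl issuer/$cluster-psmdb-ca-issuer
+
+desc 'check if issuer created'
+compare_kubectl issuer/$cluster-psmdb-issuer
+
+desc 'check if certificate issued'
+compare_kubectl certificate/$cluster-ssl
+
+desc 'check if internal certificate issued'
+compare_kubectl certificate/$cluster-ssl-internal
+
+destroy "$namespace"
+desc 'test passed'
+}
+
+main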
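Review bot: check_secret_data_key (lines 393–402) can never fail: `jq ".data[\"${data_key}\"]"` prints the literal `null` when the key is absent, so `[ -z "$secret_data" ]` is false and check_tls_secret passes even when ca.crt, tls.crt or tls.key are missing; interpolating the key into the jq program also risks misparsing, and `jq -r --arg k "$data_key" '.data[$k] // empty'` fixes both. renew-certificate (lines 362–384) has the same shape: the loop polls `.status.revision` for up to ten seconds but never asserts it advanced, so a renewal that never happens still lets main continue to the compare steps, and `certificate` is not declared `local`. main hard-codes `"some-name-ssl"` and `"some-name-ssl-internal"` where `"$cluster-ssl"` is used elsewhere, and nothing verifies that the secret's `tls.crt` actually changed after renewal, which is what the ticket is about. The rewritten lines of both helpers follow.

```shell
renew-certificate() {
	local certificate="$1"
	# … unchanged: desc, pod_name and revision lookup, cmctl renew …
	local new_revision=""
	for i in {1..10}; do
		new_revision=$(kubectl_bin get certificate "$certificate" -o 'jsonpath={.status.revision}')
		if [ "$((revision + 1))" == "$new_revision" ]; then
			break
		fi
		sleep 1
	done
	if [ "$((revision + 1))" != "$new_revision" ]; then
		echo "certificate $certificate was not renewed (revision $revision -> ${new_revision:-none})" >&2
		exit 1
	fi
}

check_secret_data_key() {
	local secret_name=$1
	local data_key=$2
	local secret_data

	secret_data=$(kubectl_bin get "secrets/${secret_name}" -o json | jq -r --arg k "$data_key" '.data[$k] // empty')
	if [ -z "$secret_data" ]; then
		echo "secret ${secret_name} has no ${data_key}" >&2
		exit 1
	fi
}
```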