Merge pull request #1438 from Nordix/lentzi90/e2e-basic-auth-tls

⚠️ Kustomizations usable off the shelf

.gitignore

@@ -44,8 +44,13 @@ password
 ironic-auth-config
 ironic-inspector-auth-config
 ironic-rpc-auth-config
+ironic-username
+ironic-password
+ironic-inspector-username
+ironic-inspector-password
 HTTP_BASIC_HTPASSWD
 ironic-deployment/overlays/temp
+config/overlays/temp
 
 # Development containers (https://containers.dev/)
 .devcontainer

Makefile

@@ -183,8 +183,8 @@ manifests: manifests-generate manifests-kustomize ## Generate manifests e.g. CRD
 
 .PHONY: manifests-generate
 manifests-generate: $(CONTROLLER_GEN)
-	cd apis; $(abspath $<) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:webhook:dir=../config/webhook/ output:crd:artifacts:config=../config/crd/bases
-	$< rbac:roleName=manager-role paths="./..." output:rbac:artifacts:config=config/rbac
+	cd apis; $(abspath $<) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:webhook:dir=../config/base/webhook/ output:crd:artifacts:config=../config/base/crds/bases
+	$< rbac:roleName=manager-role paths="./..." output:rbac:artifacts:config=config/base/rbac
 
 .PHONY: manifests-kustomize
 manifests-kustomize: $(KUSTOMIZE)
@@ -193,7 +193,7 @@ manifests-kustomize: $(KUSTOMIZE)
 .PHONY: set-manifest-image-bmo
 set-manifest-image-bmo: $(KUSTOMIZE) manifests
 	$(info Updating container image for BMO to use ${MANIFEST_IMG}:${MANIFEST_TAG})
-	cd config/default && $(abspath $(KUSTOMIZE)) edit set image quay.io/metal3-io/baremetal-operator=${MANIFEST_IMG}:${MANIFEST_TAG}
+	cd config/base && $(abspath $(KUSTOMIZE)) edit set image quay.io/metal3-io/baremetal-operator=${MANIFEST_IMG}:${MANIFEST_TAG}
 
 .PHONY: set-manifest-image-ironic
 set-manifest-image-ironic: $(KUSTOMIZE) manifests
@@ -333,6 +333,7 @@ go-version: ## Print the go version we use to compile our binaries and images
 .PHONY: clean
 clean: ## Remove all temporary files and folders
 	rm -rf ironic-deployment/overlays/temp
+	rm -rf config/overlays/temp
 
 .PHONY: clean-e2e
 clean-e2e: ## Remove everything related to e2e tests

config/README.md

@@ -0,0 +1,35 @@
+# Kustomizations for Baremetal Operator
+
+This folder contains kustomizations for the Baremetal Operator. They have
+traditionally been used through the [deploy.sh](../tools/deploy.sh) script,
+which takes care of generating the necessary config for basic-auth and TLS.
+However, a more GitOps friendly way would be to create your own static overlay.
+Check the `overlays/e2e` for an example that is used in the e2e tests.
+In the CI system we generate the necessary credentials before starting the test
+in `hack/ci-e2e.sh`, and put them directly in the `e2e` overlays.
+
+**NOTE** that you will need to supply the necessary secrets and config! This can
+be done in many ways, e.g. through the
+[external secrets operator](https://external-secrets.io/latest/) or directly in
+your overlay.
+In the CI system we generate the necessary credentials before starting the test
+in `hack/ci-e2e.sh`, and put them directly in the `e2e` overlays.
+
+- **base** - This is the kustomize base that we start from.
+- **components** - In here you will find re-usable kustomize components for TLS
+  and basic-auth.
+   - **basic-auth** - Enable basic authentication. Note that the basic-auth
+      component is missing the actual credentials. This is on purpose, to make
+      sure that the user is setting the password instead of using sample
+      credentials. The required secrets are:
+      - `ironic-credentials`
+      - `ironic-inspector-credentials`
+   - **tls** - Enable TLS. A CA certificate is needed here to verify the
+      connection to Ironic. If you deploy BMO together with Ironic in a
+      Kubernetes cluster, they can share the secret created for Ironic. The CA
+      should be in a secret:
+      - `ironic-cacert`
+- **default** - A minimal, fully working, BMO kustomization including configmap.
+   Use only for development! There is no TLS or basic-auth.
+- **overlays** - Here you will find ready made overlays that use the above
+   mentioned components. These can be used as examples.

config/base/kustomization.yaml

@@ -0,0 +1,124 @@
+# Adds namespace to all resources.
+namespace: baremetal-operator-system
+
+# Value of this field is prepended to the
+# names of all resources, e.g. a deployment named
+# "wordpress" becomes "alices-wordpress".
+# Note that it should also match with the prefix (text before '-') of the namespace
+# field above.
+namePrefix: baremetal-operator-
+
+# Labels to add to all resources and selectors.
+#commonLabels:
+#  someName: someValue
+
+resources:
+- crds
+- rbac
+- manager.yaml
+# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
+# crd/kustomization.yaml
+- webhook
+# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required.
+- certmanager
+# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
+#- prometheus
+
+generatorOptions:
+  disableNameSuffixHash: true
+
+configMapGenerator:
+- name: manager-config
+  files:
+  - controller_manager_config.yaml
+
+patches:
+# Protect the /metrics endpoint by putting it behind auth.
+# If you want your controller-manager to expose the /metrics
+# endpoint w/o any authn/z, please comment the following line.
+- path: manager_auth_proxy_patch.yaml
+
+# Mount the controller config file for loading manager configurations
+# through a ComponentConfig type
+#- manager_config_patch.yaml
+
+# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
+# crd/kustomization.yaml
+- path: manager_webhook_patch.yaml
+
+# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'.
+# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
+# 'CERTMANAGER' needs to be enabled to use ca injection
+- path: webhookcainjection_patch.yaml
+
+replacements:
+- source:
+    kind: Certificate
+    group: cert-manager.io
+    version: v1
+    name: serving-cert # this name should match the one in certificate.yaml
+    fieldpath: metadata.namespace
+  targets:
+  - select:
+      kind: ValidatingWebhookConfiguration
+    fieldPaths:
+      - metadata.annotations.[cert-manager.io/inject-ca-from]
+    options:
+      delimiter: '/'
+      index: 0
+  - select:
+      kind: CustomResourceDefinition
+      name: baremetalhosts.metal3.io
+    fieldPaths:
+      - metadata.annotations.[cert-manager.io/inject-ca-from]
+    options:
+      delimiter: '/'
+      index: 0
+- source:
+    kind: Certificate
+    group: cert-manager.io
+    version: v1
+    name: serving-cert # this name should match the one in certificate.yaml
+    fieldpath: metadata.name
+  targets:
+  - select:
+      kind: ValidatingWebhookConfiguration
+    fieldPaths:
+      - metadata.annotations.[cert-manager.io/inject-ca-from]
+    options:
+      delimiter: '/'
+      index: 1
+  - select:
+      kind: CustomResourceDefinition
+      name: baremetalhosts.metal3.io
+    fieldPaths:
+      - metadata.annotations.[cert-manager.io/inject-ca-from]
+    options:
+      delimiter: '/'
+      index: 1
+- source:
+    kind: Service
+    version: v1
+    name: webhook-service
+    fieldpath: metadata.namespace
+  targets:
+  - select:
+      kind: Certificate
+    fieldPaths:
+    - spec.dnsNames.*
+    options:
+      delimiter: '.'
+      index: 1
+- source:
+    kind: Service
+    version: v1
+    name: webhook-service
+    fieldpath: metadata.name
+  targets:
+  - select:
+      kind: Certificate
+    fieldPaths:
+    - spec.dnsNames.*
+    options:
+      delimiter: '.'
+      index: 0

config/components/basic-auth/kustomization.yaml

@@ -0,0 +1,22 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+# NOTE: This component requires secrets with the basic auth credentials!
+# How you create them is up to you.
+# The required secrets are:
+# - ironic-credentials
+# - ironic-inspector-credentials
+#
+# Both should contain 2 fields: username and password.
+# Example:
+#
+# apiVersion: v1
+# kind: Secret
+# metadata:
+#   name: ironic-credentials
+# data:
+#   password: <base64-encoded-password>
+#   username: <base64-encoded-username>
+
+patches:
+- path: credentials_patch.yaml

config/components/tls/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+patches:
+- path: tls_ca_patch.yaml
+  target:
+    kind: Deployment
+    name: controller-manager

config/tls/tls_ca_patch.yaml → config/components/tls/tls_ca_patch.yaml

@@ -2,7 +2,6 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: controller-manager
-  namespace: system
 spec:
   template:
     spec:
@@ -15,4 +14,4 @@ spec:
       volumes:
       - name: cacert
         secret:
-          secretName: ironic-cacert
+          secretName: ironic-cacert