

feat: inject custom ca (#5269)
* feat: add runner custom ca variable

* feat: add runner ca certificate to default job template

* feat: add runner ca certificate to job template

* feat: add runner ca certificate to job scraper template

* feat: add runner ca certificate to slave pod template
ed382 authored Apr 3, 2024
1 parent 8358103 commit e515775
Showing 13 changed files with 152 additions and 42 deletions.
1 change: 1 addition & 0 deletions cmd/api-server/main.go
Expand Up @@ -533,6 +533,7 @@ func main() {
logsStream,
cfg.TestkubeNamespace,
cfg.TestkubeProTLSSecret,
cfg.TestkubeProRunnerCustomCASecret,
)
if mode == common.ModeAgent {
sched.WithSubscriptionChecker(subscriptionChecker)
21 changes: 19 additions & 2 deletions config/job-scraper-template.yml
Expand Up @@ -46,16 +46,33 @@ spec:
command:
- "/bin/runner"
- '{{ .Jsn }}'
{{- if .RunnerCustomCASecret }}
env:
- name: SSL_CERT_DIR
value: /etc/testkube/certs
{{- end }}
volumeMounts:
{{- if .RunnerCustomCASecret }}
- name: {{ .RunnerCustomCASecret }}
mountPath: /etc/testkube/certs/testkube-custom-ca.pem
readOnly: true
subPath: ca.crt
{{- end }}
{{- if .ArtifactRequest }}
{{- if .ArtifactRequest.VolumeMountPath }}
volumeMounts:
- name: artifact-volume
mountPath: {{ .ArtifactRequest.VolumeMountPath }}
{{- end }}
{{- end }}
volumes:
{{- if .RunnerCustomCASecret }}
- name: {{ .RunnerCustomCASecret }}
secret:
secretName: {{ .RunnerCustomCASecret }}
defaultMode: 420
{{- end }}
{{- if .ArtifactRequest }}
{{- if and .ArtifactRequest.VolumeMountPath .ArtifactRequest.StorageClassName }}
volumes:
- name: artifact-volume
persistentVolumeClaim:
claimName: {{ .Name }}-pvc
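Review bot: The volume and mount named `- name: {{ .RunnerCustomCASecret }}` reuse the Secret's name as a pod volume name, but Secret names may be DNS subdomains (dots, up to 253 characters) whereas volume names must be DNS labels, so a Secret such as `corp.internal-ca` renders a pod the API server rejects. The existing `.CertificateSecret` mount in the sibling templates follows the same convention, so this is not a regression, but a fixed name sidesteps the failure: `- name: runner-custom-ca` on both the mount and the volume, with `secretName: {{ .RunnerCustomCASecret }}` unchanged. `subPath: ca.crt` additionally pins the key the operator must put in the Secret; a missing key presumably surfaces only at pod creation rather than at config load, so a template comment `# the Secret must hold the PEM CA bundle under key ca.crt` is worth adding beside the mount.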
28 changes: 28 additions & 0 deletions config/job-template.yml
Original file line number Diff line number Diff line change
Expand Up @@ -20,13 +20,24 @@ spec:
command:
- "/bin/runner"
- '{{ .Jsn }}'
{{- if .RunnerCustomCASecret }}
env:
- name: SSL_CERT_DIR
value: /etc/testkube/certs
{{- end }}
volumeMounts:
- name: data-volume
mountPath: /data
{{- if .CertificateSecret }}
- name: {{ .CertificateSecret }}
mountPath: /etc/certs
{{- end }}
{{- if .RunnerCustomCASecret }}
- name: {{ .RunnerCustomCASecret }}
mountPath: /etc/testkube/certs/testkube-custom-ca.pem
readOnly: true
subPath: ca.crt
{{- end }}
{{- if .AgentAPITLSSecret }}
- mountPath: /tmp/agent-cert
readOnly: true
Expand Down Expand Up @@ -86,13 +97,24 @@ spec:
command:
- "/bin/runner"
- '{{ .Jsn }}'
{{- if .RunnerCustomCASecret }}
env:
- name: SSL_CERT_DIR
value: /etc/testkube/certs
{{- end }}
volumeMounts:
- name: data-volume
mountPath: /data
{{- if .CertificateSecret }}
- name: {{ .CertificateSecret }}
mountPath: /etc/certs
{{- end }}
{{- if .RunnerCustomCASecret }}
- name: {{ .RunnerCustomCASecret }}
mountPath: /etc/testkube/certs/testkube-custom-ca.pem
readOnly: true
subPath: ca.crt
{{- end }}
{{- if .AgentAPITLSSecret }}
- mountPath: /tmp/agent-cert
readOnly: true
Expand Down Expand Up @@ -124,6 +146,12 @@ spec:
secret:
secretName: {{ .CertificateSecret }}
{{- end }}
{{- if .RunnerCustomCASecret }}
- name: {{ .RunnerCustomCASecret }}
secret:
secretName: {{ .RunnerCustomCASecret }}
defaultMode: 420
{{- end }}
{{- if .AgentAPITLSSecret }}
- name: {{ .AgentAPITLSSecret }}
secret:
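Review bot: `SSL_CERT_DIR` on both runner containers makes the custom CA trusted process-wide rather than for the agent API alone, which is what the `TESTKUBE_PRO_CA_FILE` it supersedes is described as covering: Go's crypto/x509 on Linux loads every file in that directory in addition to the default bundle files (only the default directories are replaced), so the CA also vouches for git, artifact storage and any other TLS endpoint the runner contacts. That is likely intended, but it is a wider trust grant and deserves a note where it is configured; a comment beside the env entry such as `# trusted by every TLS client in the runner, not only the agent API; system roots are kept` would do. Separately, the added `env:` key is emitted only when the secret is set, so if either container already declares `env:` elsewhere in this template (outside the hunk) the rendered YAML would carry a duplicate key — worth confirming against the full file.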
17 changes: 17 additions & 0 deletions config/slave-pod-template.yml
Expand Up @@ -25,13 +25,24 @@ spec:
command:
- "/bin/runner"
- '{{ .Jsn }}'
{{- if .RunnerCustomCASecret }}
env:
- name: SSL_CERT_DIR
value: /etc/testkube/certs
{{- end }}
volumeMounts:
- name: data-volume
mountPath: /data
{{- if .CertificateSecret }}
- name: {{ .CertificateSecret }}
mountPath: /etc/certs
{{- end }}
{{- if .RunnerCustomCASecret }}
- name: {{ .RunnerCustomCASecret }}
mountPath: /etc/testkube/certs/testkube-custom-ca.pem
readOnly: true
subPath: ca.crt
{{- end }}
{{- if .ArtifactRequest }}
{{- if and .ArtifactRequest.VolumeMountPath .ArtifactRequest.StorageClassName }}
- name: artifact-volume
Expand Down Expand Up @@ -159,6 +170,12 @@ spec:
secret:
secretName: {{ .CertificateSecret }}
{{- end }}
{{- if .RunnerCustomCASecret }}
- name: {{ .RunnerCustomCASecret }}
secret:
secretName: {{ .RunnerCustomCASecret }}
defaultMode: 420
{{- end }}
{{- if .ArtifactRequest }}
{{- if and .ArtifactRequest.VolumeMountPath .ArtifactRequest.StorageClassName }}
- name: artifact-volume
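Review bot: The `subPath: ca.crt` mount is never refreshed by the kubelet, so if slave pods outlive a CA rotation they keep the old certificate until restarted. Since `SSL_CERT_DIR` already points at a directory and Go reads every file in it, the Secret can be mounted whole — `mountPath: /etc/testkube/certs` with `readOnly: true` and no `subPath` — which tracks Secret updates and yields the same trust store when the Secret holds only `ca.crt`; the trade-off is that every key in the Secret is then offered as PEM, so the Secret should contain only certificates. If slave pods are short-lived this is a minor point, but the same choice is repeated in the other four templates of this commit.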
62 changes: 35 additions & 27 deletions internal/config/config.go
Expand Up @@ -75,33 +75,34 @@ type Config struct {
TestkubeProConnectionTimeout int `envconfig:"TESTKUBE_PRO_CONNECTION_TIMEOUT" default:"10"`
TestkubeProCertFile string `envconfig:"TESTKUBE_PRO_CERT_FILE" default:""`
TestkubeProKeyFile string `envconfig:"TESTKUBE_PRO_KEY_FILE" default:""`
TestkubeProCAFile string `envconfig:"TESTKUBE_PRO_CA_FILE" default:""`
TestkubeProTLSSecret string `envconfig:"TESTKUBE_PRO_TLS_SECRET" default:""`
TestkubeWatcherNamespaces string `envconfig:"TESTKUBE_WATCHER_NAMESPACES" default:""`
GraphqlPort string `envconfig:"TESTKUBE_GRAPHQL_PORT" default:"8070"`
TestkubeRegistry string `envconfig:"TESTKUBE_REGISTRY" default:""`
TestkubePodStartTimeout time.Duration `envconfig:"TESTKUBE_POD_START_TIMEOUT" default:"30m"`
CDEventsTarget string `envconfig:"CDEVENTS_TARGET" default:""`
TestkubeDashboardURI string `envconfig:"TESTKUBE_DASHBOARD_URI" default:""`
DisableReconciler bool `envconfig:"DISABLE_RECONCILER" default:"false"`
TestkubeClusterName string `envconfig:"TESTKUBE_CLUSTER_NAME" default:""`
CompressArtifacts bool `envconfig:"COMPRESSARTIFACTS" default:"false"`
TestkubeHelmchartVersion string `envconfig:"TESTKUBE_HELMCHART_VERSION" default:""`
DebugListenAddr string `envconfig:"DEBUG_LISTEN_ADDR" default:"0.0.0.0:1337"`
EnableDebugServer bool `envconfig:"ENABLE_DEBUG_SERVER" default:"false"`
EnableSecretsEndpoint bool `envconfig:"ENABLE_SECRETS_ENDPOINT" default:"false"`
DisableMongoMigrations bool `envconfig:"DISABLE_MONGO_MIGRATIONS" default:"false"`
Debug bool `envconfig:"DEBUG" default:"false"`
EnableImageDataPersistentCache bool `envconfig:"TESTKUBE_ENABLE_IMAGE_DATA_PERSISTENT_CACHE" default:"false"`
ImageDataPersistentCacheKey string `envconfig:"TESTKUBE_IMAGE_DATA_PERSISTENT_CACHE_KEY" default:"testkube-image-cache"`
LogServerGrpcAddress string `envconfig:"LOG_SERVER_GRPC_ADDRESS" default:":9090"`
LogServerSecure bool `envconfig:"LOG_SERVER_SECURE" default:"false"`
LogServerSkipVerify bool `envconfig:"LOG_SERVER_SKIP_VERIFY" default:"false"`
LogServerCertFile string `envconfig:"LOG_SERVER_CERT_FILE" default:""`
LogServerKeyFile string `envconfig:"LOG_SERVER_KEY_FILE" default:""`
LogServerCAFile string `envconfig:"LOG_SERVER_CA_FILE" default:""`
DisableSecretCreation bool `envconfig:"DISABLE_SECRET_CREATION" default:"false"`
TestkubeExecutionNamespaces string `envconfig:"TESTKUBE_EXECUTION_NAMESPACES" default:""`

TestkubeProTLSSecret string `envconfig:"TESTKUBE_PRO_TLS_SECRET" default:""`
TestkubeProRunnerCustomCASecret string `envconfig:"TESTKUBE_PRO_RUNNER_CUSTOM_CA_SECRET" default:""`
TestkubeWatcherNamespaces string `envconfig:"TESTKUBE_WATCHER_NAMESPACES" default:""`
GraphqlPort string `envconfig:"TESTKUBE_GRAPHQL_PORT" default:"8070"`
TestkubeRegistry string `envconfig:"TESTKUBE_REGISTRY" default:""`
TestkubePodStartTimeout time.Duration `envconfig:"TESTKUBE_POD_START_TIMEOUT" default:"30m"`
CDEventsTarget string `envconfig:"CDEVENTS_TARGET" default:""`
TestkubeDashboardURI string `envconfig:"TESTKUBE_DASHBOARD_URI" default:""`
DisableReconciler bool `envconfig:"DISABLE_RECONCILER" default:"false"`
TestkubeClusterName string `envconfig:"TESTKUBE_CLUSTER_NAME" default:""`
CompressArtifacts bool `envconfig:"COMPRESSARTIFACTS" default:"false"`
TestkubeHelmchartVersion string `envconfig:"TESTKUBE_HELMCHART_VERSION" default:""`
DebugListenAddr string `envconfig:"DEBUG_LISTEN_ADDR" default:"0.0.0.0:1337"`
EnableDebugServer bool `envconfig:"ENABLE_DEBUG_SERVER" default:"false"`
EnableSecretsEndpoint bool `envconfig:"ENABLE_SECRETS_ENDPOINT" default:"false"`
DisableMongoMigrations bool `envconfig:"DISABLE_MONGO_MIGRATIONS" default:"false"`
Debug bool `envconfig:"DEBUG" default:"false"`
EnableImageDataPersistentCache bool `envconfig:"TESTKUBE_ENABLE_IMAGE_DATA_PERSISTENT_CACHE" default:"false"`
ImageDataPersistentCacheKey string `envconfig:"TESTKUBE_IMAGE_DATA_PERSISTENT_CACHE_KEY" default:"testkube-image-cache"`
LogServerGrpcAddress string `envconfig:"LOG_SERVER_GRPC_ADDRESS" default:":9090"`
LogServerSecure bool `envconfig:"LOG_SERVER_SECURE" default:"false"`
LogServerSkipVerify bool `envconfig:"LOG_SERVER_SKIP_VERIFY" default:"false"`
LogServerCertFile string `envconfig:"LOG_SERVER_CERT_FILE" default:""`
LogServerKeyFile string `envconfig:"LOG_SERVER_KEY_FILE" default:""`
LogServerCAFile string `envconfig:"LOG_SERVER_CA_FILE" default:""`
DisableSecretCreation bool `envconfig:"DISABLE_SECRET_CREATION" default:"false"`
TestkubeExecutionNamespaces string `envconfig:"TESTKUBE_EXECUTION_NAMESPACES" default:""`

// DEPRECATED: Use TestkubeProAPIKey instead
TestkubeCloudAPIKey string `envconfig:"TESTKUBE_CLOUD_API_KEY" default:""`
Expand All @@ -119,6 +120,13 @@ type Config struct {
TestkubeCloudOrgID string `envconfig:"TESTKUBE_CLOUD_ORG_ID" default:""`
// DEPRECATED: Use TestkubeProMigrate instead
TestkubeCloudMigrate string `envconfig:"TESTKUBE_CLOUD_MIGRATE" default:"false"`

// TestkubeProCAFile is meant to provide a custom CA when making a TLS connection to
// the agent API.
//
// Deprecated: Instead mount a CA file into a directory and specify the diretory
// path with the SSL_CERT_DIR environment variable.
TestkubeProCAFile string `envconfig:"TESTKUBE_PRO_CA_FILE" default:""`
}

func Get() (*Config, error) {
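Review bot: The new `Deprecated:` paragraph on `TestkubeProCAFile` does not name its replacement, `TESTKUBE_PRO_RUNNER_CUSTOM_CA_SECRET`, nor say that the semantics differ: a CA file handed to one client can serve as a dedicated root set for the agent API (how the old field was consumed is not visible here, so unconfirmed), whereas a directory exposed via `SSL_CERT_DIR` is added to the system roots for every TLS client in the runner. A reader migrating needs both facts plus the fixed Secret key, along the lines of `// Deprecated: set TESTKUBE_PRO_RUNNER_CUSTOM_CA_SECRET to a Secret holding the PEM bundle under key ca.crt; it is mounted into a directory exposed via SSL_CERT_DIR, so the CA is trusted alongside the system roots by every TLS client, not only the agent API.` There is also a typo, `diretory`, in that comment, and `TestkubeProRunnerCustomCASecret` itself carries no doc comment.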
25 changes: 13 additions & 12 deletions pkg/executor/client/common.go
Expand Up @@ -23,18 +23,19 @@ const (
)

type ExecuteOptions struct {
ID string
TestName string
Namespace string
TestSpec testsv3.TestSpec
ExecutorName string
ExecutorSpec executorv1.ExecutorSpec
Request testkube.ExecutionRequest
Sync bool
Labels map[string]string
UsernameSecret *testkube.SecretRef
TokenSecret *testkube.SecretRef
CertificateSecret string
ID string
TestName string
Namespace string
TestSpec testsv3.TestSpec
ExecutorName string
ExecutorSpec executorv1.ExecutorSpec
Request testkube.ExecutionRequest
Sync bool
Labels map[string]string
UsernameSecret *testkube.SecretRef
TokenSecret *testkube.SecretRef
RunnerCustomCASecret string
CertificateSecret string
// AgentAPITLSSecret is a secret name that contains TLS certificate for Agent (gRPC) API
AgentAPITLSSecret string
ImagePullSecretNames []string
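Review bot: `RunnerCustomCASecret` is added without a doc comment while the neighbouring `AgentAPITLSSecret` has one, and the field name alone does not tell a caller what the Secret must contain or how it is consumed. A comment in the same style, `// RunnerCustomCASecret is the name of a Secret whose key ca.crt holds a PEM CA bundle; it is mounted into runner pods and exposed via SSL_CERT_DIR`, would carry that. The `ExecuteOptions` struct continues past the end of the hunk.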
2 changes: 2 additions & 0 deletions pkg/executor/client/job.go
Expand Up @@ -171,6 +171,7 @@ type JobOptions struct {
HTTPSProxy string
UsernameSecret *testkube.SecretRef
TokenSecret *testkube.SecretRef
RunnerCustomCASecret string
CertificateSecret string
AgentAPITLSSecret string
Variables map[string]testkube.Variable
Expand Down Expand Up @@ -614,6 +615,7 @@ func NewJobOptionsFromExecutionOptions(options ExecuteOptions) JobOptions {
HTTPSProxy: options.Request.HttpsProxy,
UsernameSecret: options.UsernameSecret,
TokenSecret: options.TokenSecret,
RunnerCustomCASecret: options.RunnerCustomCASecret,
CertificateSecret: options.CertificateSecret,
ActiveDeadlineSeconds: options.Request.ActiveDeadlineSeconds,
JobTemplateExtensions: options.Request.JobTemplate,
2 changes: 2 additions & 0 deletions pkg/executor/containerexecutor/containerexecutor.go
Expand Up @@ -167,6 +167,7 @@ type JobOptions struct {
HTTPSProxy string
UsernameSecret *testkube.SecretRef
TokenSecret *testkube.SecretRef
RunnerCustomCASecret string
CertificateSecret string
AgentAPITLSSecret string
Variables map[string]testkube.Variable
Expand Down Expand Up @@ -683,6 +684,7 @@ func NewJobOptionsFromExecutionOptions(options client.ExecuteOptions) *JobOption
HTTPSProxy: options.Request.HttpsProxy,
UsernameSecret: options.UsernameSecret,
TokenSecret: options.TokenSecret,
RunnerCustomCASecret: options.RunnerCustomCASecret,
CertificateSecret: options.CertificateSecret,
AgentAPITLSSecret: options.AgentAPITLSSecret,
ActiveDeadlineSeconds: options.Request.ActiveDeadlineSeconds,
30 changes: 29 additions & 1 deletion pkg/executor/containerexecutor/templates/job.tmpl
Expand Up @@ -22,13 +22,24 @@ spec:
command:
- "/bin/runner"
- '{{ .Jsn }}'
{{- if .RunnerCustomCASecret }}
env:
- name: SSL_CERT_DIR
value: /etc/testkube/certs
{{- end }}
volumeMounts:
- name: data-volume
mountPath: /data
{{- if .CertificateSecret }}
- name: {{ .CertificateSecret }}
mountPath: /etc/certs
{{- end }}
{{- if .RunnerCustomCASecret }}
- name: {{ .RunnerCustomCASecret }}
mountPath: /etc/testkube/certs/testkube-custom-ca.pem
readOnly: true
subPath: ca.crt
{{- end }}
{{- if .ArtifactRequest }}
{{- if .ArtifactRequest.VolumeMountPath }}
- name: artifact-volume
Expand All @@ -49,7 +60,7 @@ spec:
{{- end }}
{{- end }}
containers:
{{ if .Features.LogsV2 -}}
{{ if .Features.LogsV2 -}}
- name: "{{ .Name }}-logs"
image: {{ .Registry }}/{{ .LogSidecarImage }}
env:
Expand Down Expand Up @@ -84,13 +95,24 @@ spec:
{{- if .WorkingDir }}
workingDir: {{ .WorkingDir }}
{{- end }}
{{- if .RunnerCustomCASecret }}
env:
- name: SSL_CERT_DIR
value: /etc/testkube/certs
{{- end }}
volumeMounts:
- name: data-volume
mountPath: /data
{{- if .CertificateSecret }}
- name: {{ .CertificateSecret }}
mountPath: /etc/certs
{{- end }}
{{- if .RunnerCustomCASecret }}
- name: {{ .RunnerCustomCASecret }}
mountPath: /etc/testkube/certs/testkube-custom-ca.pem
readOnly: true
subPath: ca.crt
{{- end }}
{{- if .ArtifactRequest }}
{{- if .ArtifactRequest.VolumeMountPath }}
- name: artifact-volume
Expand All @@ -117,6 +139,12 @@ spec:
secret:
secretName: {{ .CertificateSecret }}
{{- end }}
{{- if .RunnerCustomCASecret }}
- name: {{ .RunnerCustomCASecret }}
secret:
secretName: {{ .RunnerCustomCASecret }}
defaultMode: 420
{{- end }}
{{- if .ArtifactRequest }}
{{- if and .ArtifactRequest.VolumeMountPath .ArtifactRequest.StorageClassName }}
- name: artifact-volume
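Review bot: The second `env:` block, just below `{{- if .WorkingDir }}`, lands on what appears to be the container running the user's own image, where `SSL_CERT_DIR` is not a portable switch: OpenSSL's default lookup treats it as a replacement for the distro certificate directory and only finds hash-named entries, so tools relying on that lookup neither see the flat `testkube-custom-ca.pem` nor necessarily keep the distro roots, while Node and Python tooling generally consult `NODE_EXTRA_CA_CERTS` or `REQUESTS_CA_BUNDLE`/`SSL_CERT_FILE` instead. Only Go clients reliably pick the CA up from this setting. That is fine for the runner binary, but a comment at the env entry — `# honoured by Go clients; OpenSSL tools need hash-named files, Node/Python use their own variables` — would stop users assuming their test tool now trusts the CA.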
3 changes: 3 additions & 0 deletions pkg/scheduler/service.go
Expand Up @@ -46,6 +46,7 @@ type Scheduler struct {
subscriptionChecker checktcl.SubscriptionChecker
namespace string
agentAPITLSSecret string
runnerCustomCASecret string
}

func NewScheduler(
Expand All @@ -70,6 +71,7 @@ func NewScheduler(
logsStream logsclient.Stream,
namespace string,
agentAPITLSSecret string,
runnerCustomCASecret string,
) *Scheduler {
return &Scheduler{
metrics: metrics,
Expand All @@ -93,6 +95,7 @@ func NewScheduler(
logsStream: logsStream,
namespace: namespace,
agentAPITLSSecret: agentAPITLSSecret,
runnerCustomCASecret: runnerCustomCASecret,
}
}

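Review bot: `NewScheduler` gains a third consecutive bare `string` parameter after `namespace` and `agentAPITLSSecret`, so a call site that swaps the TLS secret and the CA secret compiles cleanly (the updated test passes three `""` literals, which cannot catch that). The type already exposes a setter style — `sched.WithSubscriptionChecker(...)` is used in `main.go` in this same commit — so the new field fits that pattern better than the positional list: `func (s *Scheduler) WithRunnerCustomCASecret(name string) *Scheduler { s.runnerCustomCASecret = name; return s }`, leaving the constructor signature and existing callers unchanged. If `WithSubscriptionChecker` does not return the receiver, mirror whatever it does.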
1 change: 1 addition & 0 deletions pkg/scheduler/test_scheduler.go
Expand Up @@ -556,6 +556,7 @@ func (s *Scheduler) getExecuteOptions(namespace, id string, request testkube.Exe
Labels: testCR.Labels,
UsernameSecret: usernameSecret,
TokenSecret: tokenSecret,
RunnerCustomCASecret: s.runnerCustomCASecret,
CertificateSecret: certificateSecret,
AgentAPITLSSecret: s.agentAPITLSSecret,
ImagePullSecretNames: imagePullSecrets,
1 change: 1 addition & 0 deletions pkg/triggers/executor_test.go
Expand Up @@ -128,6 +128,7 @@ func TestExecute(t *testing.T) {
mockLogsStream,
"",
"",
"",
)
s := &Service{
triggerStatus: make(map[statusKey]*triggerStatus),

