Migrate Zenith to CRD store

roles/azimuth_identity_operator/defaults/main.yml

@@ -146,7 +146,7 @@ azimuth_identity_operator_keycloak_zenith_redirect_uri_scheme: >-
 #   The namespace to write Zenith discovery secrets to
 azimuth_identity_operator_keycloak_zenith_discovery_namespace: >-
   {{-
-    zenith_sync_target_namespace |
+    zenith_target_namespace |
       default("zenith-services", True)
   }}
 

roles/zenith/defaults/main.yml

@@ -3,7 +3,7 @@
 # The chart to use
 zenith_chart_repo: https://stackhpc.github.io/zenith
 zenith_chart_name: zenith-server
-zenith_chart_version: 0.6.0
+zenith_chart_version: 0.7.0
 
 # Release information for the Zenith release
 # Use the same namespace as the Azimuth release by default
@@ -63,22 +63,8 @@ zenith_registrar_reserved_subdomains: >-
     list
   }}
 
-# The Consul server and port
-zenith_consul_server_host: >-
-  {{-
-    consul_server_host
-    if consul_server_host is defined
-    else undef(hint = 'zenith_consul_server_host is required')
-  }}
-zenith_consul_server_port: >-
-  {{
-    consul_server_port
-    if consul_server_port is defined
-    else undef(hint = 'zenith_consul_server_port is required')
-  }}
-
 # The namespace to create Zenith services in
-zenith_sync_target_namespace: zenith-services
+zenith_target_namespace: zenith-services
 
 # The type of service to make for SSHD
 zenith_sshd_service_type: LoadBalancer
@@ -91,24 +77,19 @@ zenith_sshd_service_load_balancer_ip:
 
 # The values for the release
 zenith_release_defaults:
-  # We don't need Zenith to deploy a Consul server
-  consul:
-    enabled: false
   common:
-    consul:
-      address: "{{ zenith_consul_server_host }}"
-      port: "{{ zenith_consul_server_port }}"
     ingress:
       baseDomain: "{{ zenith_ingress_base_domain }}"
       annotations: "{{ zenith_ingress_annotations }}"
       tls:
         enabled: "{{ zenith_ingress_tls_enabled }}"
         secretName: "{{ zenith_ingress_tls_secret_name }}"
         annotations: "{{ zenith_ingress_tls_annotations }}"
+    kubernetes:
+      targetNamespace: "{{ zenith_target_namespace }}"
   sync:
     config:
       kubernetes:
-        targetNamespace: "{{ zenith_sync_target_namespace }}"
         ingress:
           oidc:
             # Enable OIDC discovery

roles/zenith/tasks/main.yml

@@ -131,3 +131,9 @@
           )
         )
       }}
+
+- name: Migrate services from Consul to CRDs
+  include_tasks: migrate-services.yml
+  when:
+    - consul_server_host is defined
+    - consul_server_port is defined

roles/zenith/tasks/migrate-services.yml

@@ -0,0 +1,84 @@
+---
+
+- name: Fetch services from Consul
+  command: >-
+    kubectl exec {{ zenith_migrate_consul_release_name }}-server-0
+      --namespace {{ zenith_migrate_consul_release_namespace }}
+      --
+      consul kv get -keys zenith/subdomains/
+  vars:
+    zenith_migrate_consul_release_name: "{{ consul_release_name | default('consul') }}"
+    zenith_migrate_consul_release_namespace: >-
+      {{
+        consul_release_namespace |
+          default(azimuth_release_namespace) |
+          default('azimuth')
+      }}
+  changed_when: false
+  register: zenith_migrate_consul_services_cmd
+
+- name: Create service CRDs
+  command: kubectl create -f -
+  args:
+    stdin: "{{ zenith_migrate_service_definition | to_nice_yaml }}"
+  vars:
+    zenith_migrate_service_definition:
+      apiVersion: zenith.stackhpc.com/v1alpha1
+      kind: Service
+      metadata:
+        name: "{{ item }}"
+        namespace: "{{ zenith_target_namespace }}"
+  register: zenith_migrate_create_service
+  changed_when: zenith_migrate_create_service.rc == 0
+  failed_when: >-
+    zenith_migrate_create_service.rc != 0 and
+    "AlreadyExists" not in zenith_migrate_create_service.stderr
+  loop: >-
+    {{
+      zenith_migrate_consul_services_cmd.stdout_lines |
+        map("regex_replace", "^zenith/subdomains/", "")
+    }}
+
+- name: Fetch public key associations from Consul
+  command: >-
+    kubectl exec {{ zenith_migrate_consul_release_name }}-server-0
+      --namespace {{ zenith_migrate_consul_release_namespace }}
+      --
+      consul kv get -recurse zenith/pubkeys/
+  vars:
+    zenith_migrate_consul_release_name: "{{ consul_release_name | default('consul') }}"
+    zenith_migrate_consul_release_namespace: >-
+      {{
+        consul_release_namespace |
+          default(azimuth_release_namespace) |
+          default('azimuth')
+      }}
+  changed_when: false
+  register: zenith_migrate_consul_keys_cmd
+
+- name: Attach public key to service CRD
+  command: >-
+    kubectl patch services.zenith {{ item.1 }}
+      --namespace {{ zenith_target_namespace }}
+      --type merge
+      --patch-file /dev/stdin
+  args:
+    stdin: "{{ zenith_migrate_service_pk_patch | to_nice_yaml }}"
+  vars:
+    zenith_migrate_service_pk_patch:
+      metadata:
+        labels:
+          # The key we get from Consul is URL-safe base64-encoded, which we need
+          # We need to add the prefix in case it starts with - or _
+          zenith.stackhpc.com/fingerprint: "fp{{ item.0 }}"
+      spec:
+        # The fingerprint here should be regular base64-encoded, so we need to
+        # undo any URL-safe changes
+        # https://docs.python.org/3/library/base64.html#base64.urlsafe_b64encode
+        publicKeyFingerprint: "{{ item.0 | replace('-', '+') | replace('_', '/') }}"
+  loop: >-
+    {{
+      zenith_migrate_consul_keys_cmd.stdout_lines |
+        map("regex_replace", "^zenith/pubkeys/", "") |
+        map("split", ":")
+    }}