Merge pull request #23 from stackpath/WAF-7504-generate_a_certificate…

…_trusted_by_the_cluster_with_the_ip Waf 7504 generate a certificate trusted by the cluster with the ip
stackpath · Sep 13, 2023 · 84ddc39 · 84ddc39
2 parents b8b3ea4 + 459e503
commit 84ddc39
Show file tree

Hide file tree

Showing 6 changed files with 27 additions and 23 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -37,5 +37,7 @@ jobs:
           file: docker/Dockerfile
           build-args: |
             VERSION_FLAGS=-ldflags=-X main.buildVersion=${{ github.ref_name }} -X main.buildTime=${{ steps.date.outputs.date }}
-          tags: ghcr.io/stackpath/virtual-kubelet-stackpath:${{ github.ref_name }}
+          tags: |
+            ghcr.io/stackpath/virtual-kubelet-stackpath:${{ github.ref_name }}
+            ghcr.io/stackpath/virtual-kubelet-stackpath:latest
           labels: org.opencontainers.image.source=https://github.com/stackpath/virtual-kubelet-stackpath
diff --git a/.github/workflows/cover.yml b/.github/workflows/cover.yml
@@ -15,7 +15,7 @@ jobs:
         env:
           TESTCOVERAGE_THRESHOLD: 84
         run: |
-          GO_FILES=$(go list ./... |grep -v 'vendor')
+          GO_FILES=$(go list ./... |grep -v 'vendor|e2e')
           echo $GO_FILES | xargs -t -n4 go test -coverprofile=coverage.out -covermode=count  -cover -timeout=30s -parallel=4
           BASE_TOTAL=$(go tool cover -func=coverage.out | grep total | awk '{print $3}' | tr -d '%')
           if (( $(echo "$BASE_TOTAL $TESTCOVERAGE_THRESHOLD" | awk '{print ($1 > $2)}') )); then
@@ -30,7 +30,7 @@ jobs:
           ref: ${{ github.base_ref }}
       - name: Generate coverage report
         run: |
-          GO_FILES=$(go list ./... |grep -v 'vendor')
+          GO_FILES=$(go list ./... |grep -v 'vendor|e2e')
           echo $GO_FILES | xargs -t -n4 go test -coverprofile=coverage.out -covermode=count  -cover -timeout=30s -parallel=4
           TARGET_TOTAL=$(go tool cover -func=coverage.out | grep total | awk '{print $3}' | tr -d '%')
           if (( $(echo "${{ env.BASE_TOTAL }} $TARGET_TOTAL" | awk '{print ($1 >= $2)}') )); then

diff --git a/Makefile b/Makefile
@@ -1,4 +1,4 @@
-TEST?=$$(go list ./... |grep -v 'vendor')
+TEST?=$$(go list ./... |grep -v 'vendor|e2e')
 GOFMT_FILES?=$$(find . -name '*.go' |grep -v vendor)
 
 VERSION ?= v0.0.1

diff --git a/deployment/README.md b/deployment/README.md
@@ -36,13 +36,13 @@ SP_CLIENT_SECRET=<your-client-secret>
 kubectl apply -k .
 ```
 
-This will create the Virtual Kubelet deployment in your Kubernetes cluster.
+This will create a default Virtual Kubelet deployment in your Kubernetes cluster.
 
-Note that a secret will be generated from the `config.properties` file specified in the `secretGenerator` section of the `kustomization.yaml` file. This secret contains the values of the environment variables specified in the `config.properties` file.
+> **Note:** A secret will be generated from the `config.properties` file specified in the `secretGenerator` section of the `kustomization.yaml` file. This secret contains the values of the environment variables specified in the `config.properties` file.
 
-## Updating Resources
+## Customize Deployment
 
-To customize the Virtual Kublet deployment, create an overlay directory (in this example `vk-deployment-updated`) within the `overlays` directory with a `kustomization.yaml` file that specifies the changes you want to make.
+To customize the Virtual Kublet deployment, create an overlay directory (in this example `sp-atl`) within the `overlays` directory with a `kustomization.yaml` file that specifies the changes you want to make.
 
 ```txt
 .
@@ -54,7 +54,7 @@ To customize the Virtual Kublet deployment, create an overlay directory (in this
 │   ├── service-account.yaml
 │   └── vk-deployment.yaml
 └── overlays
-    └── vk-deployment-updated
+    └── sp-atl
         └── kustomization.yaml
 ```
 
@@ -65,10 +65,7 @@ resources:
 - ../../base
 
 namespace: sp-atl
-
-images:
-- name: stackpath.com/virtual-kubelet
-  newTag: 0.0.2
+nameSuffix: -atl
 
 configMapGenerator:
 - name: sp-vk-location
@@ -83,16 +80,17 @@ secretGenerator:
     - SP_STACK_ID=<another_stack_id>
 ```
 
+> **Note:** If you intend to utilize multiple Virtual Kubelets across various locations, it is advisable to establish an overlay for each location. You can leverage the `nameSuffix` parameter to generate unique name for Virtual Kubelet resources. This practice will prove invaluable in a future step when we need to reference a specific Virtual Kubelet node by name.
+
 - The resources section references the base resources that are inherited by this overlay, which includes a default Virtual Kubelet deployment configuration.
 - The namespace section specifies that the Virtual Kubelet deployment will be created in the sp-atl namespace.
-- The images section is used to define the version of the StackPath Virtual Kubelet image to be used.
 - The configMapGenerator section replaces the existing value of SP_CITY_CODE with `ATL`, which specifies the geographic location of the edge compute infrastructure.
 - The secretGenerator section merges the existing config.properties file with a new SP_STACK_ID value of <another_stack_id>. This updates the StackPath stack ID specified in `config.properties`.
 
 To deploy overlay, run the following command:
 
 ```bash
-kubectl apply -k overlays/vk-deployment-updated
+kubectl apply -k overlays/sp-atl
 ```
 
 ## Configuring Pods to Use Virtual Kubelet
@@ -101,14 +99,13 @@ Now that you've created a Virtual Kubelet pod after completing the steps above,
 
 To use the Virtual Kubelet deployment to deploy workloads in the StackPath Edge Compute infrastructure, configure your pods to use the virtual-kubelet.io/provider toleration and type: virtual-kubelet node selector.
 
-Here is an example configuration that will create the simplest possible container in the sp-atl namespace by providing only a name (my-pod) and image (my-image):
+Here is an example configuration that will create the simplest possible container in the default namespace. This is achieved by specifying only a name (my-pod) and an image (my-image). To reference a Virtual Kubelet node by its hostname, you should set the `nodeSelector` field to `kubernetes.io/hostname`, followed by the value provided in `nameSuffix`. In this example, it is `-atl`.
 
 ```yaml
 apiVersion: v1
 kind: Pod
 metadata:
   name: my-pod
-  namespace: sp-atl
 spec:
   containers:
   - name: my-container
@@ -120,6 +117,7 @@ spec:
     effect: NoSchedule
   nodeSelector: 
     kubernetes.io/role: agent
+    kubernetes.io/hostname: stackpath-edge-provider-atl
     type: virtual-kubelet
 ```
 

diff --git a/deployment/kustomize/base/kustomization.yaml b/deployment/kustomize/base/kustomization.yaml
@@ -21,5 +21,4 @@ configMapGenerator:
 
 images:
   - name: ghcr.io/stackpath/virtual-kubelet-stackpath
-    newTag: v0.4.0
-
+    newTag: latest
diff --git a/deployment/kustomize/base/scripts/cert-gen.sh b/deployment/kustomize/base/scripts/cert-gen.sh
@@ -40,12 +40,14 @@ openssl req -new -key /etc/virtual-kubelet/key.pem -out /etc/virtual-kubelet/vk-
 
 CSR=$(cat /etc/virtual-kubelet/vk-sp.csr | base64 | tr -d "\n")
 
+CERT_NAME=vk-sp-$(date | md5sum  | awk '{print $1}')
+
 # Create and approve CSR
 body='{
     "kind": "CertificateSigningRequest",
     "apiVersion": "certificates.k8s.io/v1",
     "metadata": {
-        "name": "vk-sp"
+        "name": "'${CERT_NAME}'"
     },
     "spec": {
         "request": "'${CSR}'",
@@ -58,11 +60,11 @@ kubectl_request "POST" "/apis/certificates.k8s.io/v1/certificatesigningrequests?
 
 sleep 10
 
-kubectl_request "PUT" "/apis/certificates.k8s.io/v1/certificatesigningrequests/vk-sp/approval" '{
+kubectl_request "PUT" "/apis/certificates.k8s.io/v1/certificatesigningrequests/${CERT_NAME}/approval" '{
     "kind": "CertificateSigningRequest",
     "apiVersion": "certificates.k8s.io/v1",
     "metadata": {
-        "name": "vk-sp"
+        "name": "'${CERT_NAME}'"
     },
     "status": {
         "conditions": [
@@ -79,7 +81,10 @@ kubectl_request "PUT" "/apis/certificates.k8s.io/v1/certificatesigningrequests/v
 sleep 10
 
 # Get and save the certificate
-kubectl_request "GET" "/apis/certificates.k8s.io/v1/certificatesigningrequests/vk-sp" "" | jq -r '.status.certificate' | base64 -d > /etc/virtual-kubelet/cert.pem
+kubectl_request "GET" "/apis/certificates.k8s.io/v1/certificatesigningrequests/${CERT_NAME}" "" | jq -r '.status.certificate' | base64 -d > /etc/virtual-kubelet/cert.pem
+
+# Delete signing request
+kubectl_request "DELETE" "/apis/certificates.k8s.io/v1/certificatesigningrequests/${CERT_NAME}" ""
 
 # Check if the certificate is valid
 if openssl x509 -noout -in /etc/virtual-kubelet/cert.pem; then