chore: switch to clusterissuer
diff --git a/atmosphere/tasks/kubernetes/cert_manager.py b/atmosphere/tasks/kubernetes/cert_manager.py
index c40156e..48b8bf2 100644
--- a/atmosphere/tasks/kubernetes/cert_manager.py
+++ b/atmosphere/tasks/kubernetes/cert_manager.py
@@ -41,19 +41,19 @@
)
-class Issuer(pykube.objects.NamespacedAPIObject):
+class ClusterIssuer(pykube.objects.APIObject):
version = "cert-manager.io/v1"
- endpoint = "issuers"
- kind = "Issuer"
+ endpoint = "clusterissuers"
+ kind = "ClusterIssuer"
-class ApplyIssuerTask(base.ApplyKubernetesObjectTask):
- def __init__(self, namespace: str, name: str, spec: dict):
+class ApplyClusterIssuerTask(base.ApplyKubernetesObjectTask):
+ def __init__(self, name: str, spec: dict):
self._spec = spec
super().__init__(
- kind=Issuer,
- namespace=namespace,
+ kind=ClusterIssuer,
+ namespace=None,
name=name,
requires=set(
[
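Review bot: `ApplyClusterIssuerTask` passes `namespace=None` to the base task without a docstring saying why, and a reader of `ApplyKubernetesObjectTask` callers will not know that a `None` namespace is deliberate rather than a bug. I would add a docstring under the `__init__` signature, e.g. `"""Apply a cert-manager ClusterIssuer (cluster-scoped, so no namespace); any secret the spec references must live in cert-manager's cluster resource namespace."""`. Whether the base class tolerates `namespace=None` (in task naming, logging or the API call) cannot be confirmed from this hunk; the `__init__` body, including the `requires` set, continues past the hunk.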
@@ -62,15 +62,14 @@
),
)
- def generate_object(self) -> Issuer:
- return Issuer(
+ def generate_object(self) -> ClusterIssuer:
+ return ClusterIssuer(
self.api,
{
"apiVersion": self._obj_kind.version,
"kind": self._obj_kind.kind,
"metadata": {
"name": self._obj_name,
- "namespace": self._obj_namespace,
},
"spec": self._spec,
},
@@ -79,8 +78,7 @@
def issuer_tasks_from_config(config: config.Issuer) -> list:
objects = [
- ApplyIssuerTask(
- namespace=constants.NAMESPACE_OPENSTACK,
+ ApplyClusterIssuerTask(
name="self-signed",
spec={
"selfSigned": {},
@@ -114,7 +112,7 @@
# credentials in this case.
objects.append(
v1.ApplySecretTask(
- constants.NAMESPACE_OPENSTACK,
+ constants.NAMESPACE_CERT_MANAGER,
"cert-manager-issuer-tsig-secret-key",
data={
"tsig-secret-key": config.solver.tsig_secret,
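Review bot: Moving the TSIG key into `constants.NAMESPACE_CERT_MANAGER` only works if that constant matches the namespace cert-manager resolves ClusterIssuer secret references from (its cluster resource namespace, which defaults to the namespace cert-manager runs in but is configurable); if a deployment sets it differently, issuance fails with a missing-secret error rather than a clear message. I would extend the NOTE above the task, e.g. `# ClusterIssuers resolve secretRefs in cert-manager's cluster resource namespace, so the solver credentials must be created there, not in the OpenStack namespace.` The same applies to the route53 and CA secrets moved in the following hunks. The enclosing `if` branch starts before this hunk.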
@@ -142,7 +140,7 @@
# credentials in this case.
objects.append(
v1.ApplySecretTask(
- constants.NAMESPACE_OPENSTACK,
+ constants.NAMESPACE_CERT_MANAGER,
"cert-manager-issuer-route53-credentials",
data={
"secret-access-key": config.solver.secret_access_key,
@@ -170,7 +168,7 @@
# certificate and key in this case.
objects.append(
v1.ApplySecretTask(
- constants.NAMESPACE_OPENSTACK,
+ constants.NAMESPACE_CERT_MANAGER,
"cert-manager-issuer-ca",
data={
"tls.crt": config.certificate,
@@ -188,7 +186,7 @@
# NOTE(mnaser): We have to setup the self-signed CA in this case
objects += [
ApplyCertificateTask(
- namespace=constants.NAMESPACE_OPENSTACK,
+ namespace=constants.NAMESPACE_CERT_MANAGER,
name="self-signed-ca",
spec={
"isCA": True,
@@ -198,7 +196,7 @@
"renewBefore": "360h",
"privateKey": {"algorithm": "ECDSA", "size": 256},
"issuerRef": {
- "kind": "Issuer",
+ "kind": "ClusterIssuer",
"name": "self-signed",
},
},
@@ -211,8 +209,4 @@
}
}
- return objects + [
- ApplyIssuerTask(
- namespace=constants.NAMESPACE_OPENSTACK, name="openstack", spec=spec
- )
- ]
+ return objects + [ApplyClusterIssuerTask(name="openstack", spec=spec)]
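Review bot: Turning the `openstack` Issuer into a ClusterIssuer changes who can obtain certificates from it: a namespaced Issuer could only be referenced from the OpenStack namespace, whereas any principal able to create a Certificate or annotated Ingress in any namespace can now have the ACME solver (or the CA key) issue certificates for names it controls through this issuer. That is the intended trade-off for sharing one issuer across namespaces, but it should be stated, e.g. a comment above the return: `# NOTE: cluster-scoped, so any namespace that can create Certificates may request issuance through this issuer.` If tenant namespaces exist on the same cluster, a cert-manager policy (approval) or restricting Certificate/Ingress creation there would limit that exposure. `issuer_tasks_from_config` begins before this hunk.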
diff --git a/atmosphere/tests/unit/tasks/kubernetes/test_cert_manager.py b/atmosphere/tests/unit/tasks/kubernetes/test_cert_manager.py
index 81e6a2a..debc07a 100644
--- a/atmosphere/tests/unit/tasks/kubernetes/test_cert_manager.py
+++ b/atmosphere/tests/unit/tasks/kubernetes/test_cert_manager.py
@@ -20,22 +20,20 @@
),
[
{
- "apiVersion": cert_manager.Issuer.version,
- "kind": cert_manager.Issuer.kind,
+ "apiVersion": cert_manager.ClusterIssuer.version,
+ "kind": cert_manager.ClusterIssuer.kind,
"metadata": {
"name": "self-signed",
- "namespace": constants.NAMESPACE_OPENSTACK,
},
"spec": {
"selfSigned": {},
},
},
{
- "apiVersion": cert_manager.Issuer.version,
- "kind": cert_manager.Issuer.kind,
+ "apiVersion": cert_manager.ClusterIssuer.version,
+ "kind": cert_manager.ClusterIssuer.kind,
"metadata": {
"name": "openstack",
- "namespace": constants.NAMESPACE_OPENSTACK,
},
"spec": {
"acme": {
@@ -75,11 +73,10 @@
),
[
{
- "apiVersion": cert_manager.Issuer.version,
- "kind": cert_manager.Issuer.kind,
+ "apiVersion": cert_manager.ClusterIssuer.version,
+ "kind": cert_manager.ClusterIssuer.kind,
"metadata": {
"name": "self-signed",
- "namespace": constants.NAMESPACE_OPENSTACK,
},
"spec": {
"selfSigned": {},
@@ -90,18 +87,17 @@
"kind": pykube.Secret.kind,
"metadata": {
"name": "cert-manager-issuer-tsig-secret-key",
- "namespace": constants.NAMESPACE_OPENSTACK,
+ "namespace": constants.NAMESPACE_CERT_MANAGER,
},
"stringData": {
"tsig-secret-key": "secret123",
},
},
{
- "apiVersion": cert_manager.Issuer.version,
- "kind": cert_manager.Issuer.kind,
+ "apiVersion": cert_manager.ClusterIssuer.version,
+ "kind": cert_manager.ClusterIssuer.kind,
"metadata": {
"name": "openstack",
- "namespace": constants.NAMESPACE_OPENSTACK,
},
"spec": {
"acme": {
@@ -146,11 +142,10 @@
),
[
{
- "apiVersion": cert_manager.Issuer.version,
- "kind": cert_manager.Issuer.kind,
+ "apiVersion": cert_manager.ClusterIssuer.version,
+ "kind": cert_manager.ClusterIssuer.kind,
"metadata": {
"name": "self-signed",
- "namespace": constants.NAMESPACE_OPENSTACK,
},
"spec": {
"selfSigned": {},
@@ -161,18 +156,17 @@
"kind": pykube.Secret.kind,
"metadata": {
"name": "cert-manager-issuer-route53-credentials",
- "namespace": constants.NAMESPACE_OPENSTACK,
+ "namespace": constants.NAMESPACE_CERT_MANAGER,
},
"stringData": {
"secret-access-key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
},
},
{
- "apiVersion": cert_manager.Issuer.version,
- "kind": cert_manager.Issuer.kind,
+ "apiVersion": cert_manager.ClusterIssuer.version,
+ "kind": cert_manager.ClusterIssuer.kind,
"metadata": {
"name": "openstack",
- "namespace": constants.NAMESPACE_OPENSTACK,
},
"spec": {
"acme": {
@@ -225,11 +219,10 @@
),
[
{
- "apiVersion": cert_manager.Issuer.version,
- "kind": cert_manager.Issuer.kind,
+ "apiVersion": cert_manager.ClusterIssuer.version,
+ "kind": cert_manager.ClusterIssuer.kind,
"metadata": {
"name": "self-signed",
- "namespace": constants.NAMESPACE_OPENSTACK,
},
"spec": {
"selfSigned": {},
@@ -240,7 +233,7 @@
"kind": pykube.Secret.kind,
"metadata": {
"name": "cert-manager-issuer-ca",
- "namespace": constants.NAMESPACE_OPENSTACK,
+ "namespace": constants.NAMESPACE_CERT_MANAGER,
},
"stringData": {
"tls.crt": textwrap.dedent(
@@ -264,11 +257,10 @@
},
},
{
- "apiVersion": cert_manager.Issuer.version,
- "kind": cert_manager.Issuer.kind,
+ "apiVersion": cert_manager.ClusterIssuer.version,
+ "kind": cert_manager.ClusterIssuer.kind,
"metadata": {
"name": "openstack",
- "namespace": constants.NAMESPACE_OPENSTACK,
},
"spec": {
"ca": {
@@ -288,11 +280,10 @@
),
[
{
- "apiVersion": cert_manager.Issuer.version,
- "kind": cert_manager.Issuer.kind,
+ "apiVersion": cert_manager.ClusterIssuer.version,
+ "kind": cert_manager.ClusterIssuer.kind,
"metadata": {
"name": "self-signed",
- "namespace": constants.NAMESPACE_OPENSTACK,
},
"spec": {
"selfSigned": {},
@@ -303,7 +294,7 @@
"kind": cert_manager.Certificate.kind,
"metadata": {
"name": "self-signed-ca",
- "namespace": constants.NAMESPACE_OPENSTACK,
+ "namespace": constants.NAMESPACE_CERT_MANAGER,
},
"spec": {
"isCA": True,
@@ -313,17 +304,16 @@
"renewBefore": "360h",
"privateKey": {"algorithm": "ECDSA", "size": 256},
"issuerRef": {
- "kind": "Issuer",
+ "kind": "ClusterIssuer",
"name": "self-signed",
},
},
},
{
- "apiVersion": cert_manager.Issuer.version,
- "kind": cert_manager.Issuer.kind,
+ "apiVersion": cert_manager.ClusterIssuer.version,
+ "kind": cert_manager.ClusterIssuer.kind,
"metadata": {
"name": "openstack",
- "namespace": constants.NAMESPACE_OPENSTACK,
},
"spec": {
"ca": {
diff --git a/roles/atmosphere/templates/cluster_role.yml b/roles/atmosphere/templates/cluster_role.yml
index 2a0d447..2b4cc2b 100644
--- a/roles/atmosphere/templates/cluster_role.yml
+++ b/roles/atmosphere/templates/cluster_role.yml
@@ -5,6 +5,10 @@
name: atmosphere
rules:
- apiGroups: [""]
+ resources: ["namespaces", "services", "configmaps", "secrets"]
+ verbs: ["get", "create", "patch"]
+ - apiGroups: ["networking.k8s.io"]
+ resources: ["ingresses"]
resources: ["namespaces", "services"]
verbs: ["get", "create", "patch"]
- apiGroups: ["source.toolkit.fluxcd.io"]
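Review bot: The `networking.k8s.io` rule ends up with two `resources` keys, because the old `resources: ["namespaces", "services"]` line was kept as context after the new `resources: ["ingresses"]`; a YAML loader will either reject the duplicate key or silently keep the last value, in which case the ingress permission is never granted and the old line should simply be deleted (`resources: ["ingresses"]` followed directly by `verbs: [...]`). Separately, `secrets` with `get`/`create`/`patch` has moved from a namespace-scoped Role into this ClusterRole, which lets the atmosphere service account read and overwrite secrets in every namespace; a Role in each of the `openstack` and `cert-manager` namespaces would grant what the moved tasks need without the cluster-wide read. Only `clusterissuers` are cluster-scoped; `certificates` could likewise stay namespaced.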
@@ -13,3 +17,9 @@
- apiGroups: ["helm.toolkit.fluxcd.io"]
resources: ["helmreleases"]
verbs: ["get", "create", "patch"]
+ - apiGroups: ["cert-manager.io"]
+ resources: ["certificates", "clusterissuers"]
+ verbs: ["get", "create", "patch"]
+ - apiGroups: ["ceph.rook.io"]
+ resources: ["cephclusters", "cephobjectstores"]
+ verbs: ["get", "create", "patch"]
diff --git a/roles/atmosphere/templates/role.yml b/roles/atmosphere/templates/role.yml
index 1a0a38e..21040ab 100644
--- a/roles/atmosphere/templates/role.yml
+++ b/roles/atmosphere/templates/role.yml
@@ -5,15 +5,9 @@
namespace: openstack
name: atmosphere
rules:
- - apiGroups: [""]
- resources: ["secrets"]
- verbs: ["get", "create", "patch"]
- apiGroups: ["pxc.percona.com"]
resources: ["perconaxtradbclusters"]
verbs: ["get", "create", "patch"]
- apiGroups: ["rabbitmq.com"]
resources: ["rabbitmqclusters"]
verbs: ["get", "create", "patch"]
- - apiGroups: ["cert-manager.io"]
- resources: ["certificates", "issuers"]
- verbs: ["get", "create", "patch"]
diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml
index 72ed046..4cdb916 100644
--- a/roles/certificates/tasks/main.yml
+++ b/roles/certificates/tasks/main.yml
@@ -22,7 +22,7 @@
api_version: v1
kind: Secret
name: "{{ (atmosphere_issuer_config.type == 'self-signed') | ternary('cert-manager-selfsigned-ca', 'cert-manager-issuer-ca') }}"
- namespace: openstack
+ namespace: cert-manager
wait: true
wait_sleep: 1
wait_timeout: 300
diff --git a/roles/openstack_helm_ingress/vars/main.yml b/roles/openstack_helm_ingress/vars/main.yml
index a000c50..4c860cf 100644
--- a/roles/openstack_helm_ingress/vars/main.yml
+++ b/roles/openstack_helm_ingress/vars/main.yml
@@ -13,7 +13,7 @@
# under the License.
_openstack_helm_ingress_annotations:
- cert-manager.io/issuer: openstack
+ cert-manager.io/cluster-issuer: atmosphere
_openstack_helm_ingress_paths: "{{ openstack_helm_ingress_paths + __openstack_helm_ingress_paths }}"
__openstack_helm_ingress_paths:
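Review bot: The new annotation points at a ClusterIssuer named `atmosphere`, but the Python in this commit creates ClusterIssuers named `self-signed` and `openstack` only, so unless an `atmosphere` ClusterIssuer is created somewhere not shown here, cert-manager will find no issuer for these ingresses and TLS certificates will not be issued. The line should presumably be `cert-manager.io/cluster-issuer: openstack` to match `ApplyClusterIssuerTask(name="openstack", ...)`. A unit test asserting that the annotation value equals the created issuer name would catch this drift.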
diff --git a/roles/openstack_helm_octavia/tasks/main.yml b/roles/openstack_helm_octavia/tasks/main.yml
index dce8c18..14001e1 100644
--- a/roles/openstack_helm_octavia/tasks/main.yml
+++ b/roles/openstack_helm_octavia/tasks/main.yml
@@ -156,7 +156,7 @@
size: 256
issuerRef:
name: self-signed
- kind: Issuer
+ kind: ClusterIssuer
group: cert-manager.io
- apiVersion: cert-manager.io/v1