diff --git a/Dockerfile b/Dockerfile
deleted file mode 100644
index 7c4809ebe..000000000
--- a/Dockerfile
+++ /dev/null
@@ -1,18 +0,0 @@
-# SPDX-License-Identifier: Apache-2.0
-# Atmosphere-Rebuild-Time: 2024-06-28T12:14:26Z
-
-ARG RELEASE
-
-FROM golang:1.22 AS go-builder
-COPY go.mod go.sum /src/
-WORKDIR /src
-RUN go mod download
-
-FROM go-builder AS libvirt-tls-sidecar-builder
-COPY cmd/ /src/cmd/
-COPY internal/ /src/internal/
-RUN go build -o main ./cmd/libvirt-tls-sidecar/main.go
-
-FROM registry.atmosphere.dev/library/ubuntu:${RELEASE} AS libvirt-tls-sidecar
-COPY --from=libvirt-tls-sidecar-builder /src/main /usr/bin/libvirt-tls-sidecar
-ENTRYPOINT ["/usr/bin/libvirt-tls-sidecar"]
diff --git a/cmd/libvirt-tls-sidecar/main.go b/cmd/libvirt-tls-sidecar/main.go
deleted file mode 100644
index c94f5c854..000000000
--- a/cmd/libvirt-tls-sidecar/main.go
+++ /dev/null
@@ -1,97 +0,0 @@
-// Copyright (c) 2024 VEXXHOST, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License. You may obtain
-// a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-// License for the specific language governing permissions and limitations
-// under the License.
-
-package main
-
-import (
- "context"
- "fmt"
- "os"
-
- cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
- log "github.com/sirupsen/logrus"
- "k8s.io/client-go/rest"
-
- "github.com/vexxhost/atmosphere/internal/tls"
-)
-
-const (
- EnvVarApiIssuerKind = "API_ISSUER_KIND"
- EnvVarApiIssuerName = "API_ISSUER_NAME"
- EnvVarVncIssuerKind = "VNC_ISSUER_KIND"
- EnvVarVncIssuerName = "VNC_ISSUER_NAME"
-)
-
-func main() {
- config, err := rest.InClusterConfig()
- if err != nil {
- log.Fatal(err)
- }
-
- required := []string{
- EnvVarApiIssuerKind,
- EnvVarApiIssuerName,
- EnvVarVncIssuerKind,
- EnvVarVncIssuerName,
- }
-
- for _, env := range required {
- if os.Getenv(env) == "" {
- log.Fatal(fmt.Sprintf("missing required environment variable: %s", env))
- }
- }
-
- ctx := context.Background()
- go createCertificateSpec(ctx, config, tls.LibvirtCertificateTypeAPI)
- go createCertificateSpec(ctx, config, tls.LibvirtCertificateTypeVNC)
-
- <-ctx.Done()
-}
-
-func createCertificateSpec(ctx context.Context, config *rest.Config, certificateType tls.LibvirtCertificateType) {
- var issuerRef cmmeta.ObjectReference
- switch certificateType {
- case tls.LibvirtCertificateTypeAPI:
- issuerRef = cmmeta.ObjectReference{
- Kind: os.Getenv(EnvVarApiIssuerKind),
- Name: os.Getenv(EnvVarApiIssuerName),
- }
- case tls.LibvirtCertificateTypeVNC:
- issuerRef = 
cmmeta.ObjectReference{
- Kind: os.Getenv(EnvVarVncIssuerKind),
- Name: os.Getenv(EnvVarVncIssuerName),
- }
- }
-
- spec := &tls.LibvirtCertificateSpec{
- Type: certificateType,
- IssuerRef: issuerRef,
- }
-
- manager, err := tls.NewLibvirtManager(config, spec)
- if err != nil {
- log.Fatal(err)
- }
-
- err = manager.Create(ctx)
- if err != nil {
- log.Fatal(err)
- }
-
- log.WithFields(log.Fields{
- "certificateType": certificateType,
- }).Info("certificate created")
-
- go manager.Watch(ctx)
-}
diff --git a/go.mod b/go.mod
index 13def1189..41a93058c 100644
--- a/go.mod
+++ b/go.mod
@@ -3,8 +3,7 @@ module github.com/vexxhost/atmosphere
 go 1.22.0
 
 require (
- github.com/cert-manager/cert-manager v1.14.2
- github.com/containers/image/v5 v5.29.2
+ github.com/containers/image/v5 v5.30.1
 github.com/erikgeiser/promptkit v0.9.0
 github.com/goccy/go-yaml v1.11.3
 github.com/nsf/jsondiff v0.0.0-20230430225905-43f6cf3098c1
@@ -44,6 +43,7 @@ require (
 github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 github.com/beorn7/perks v1.0.1 // indirect
 github.com/blang/semver/v4 v4.0.0 // indirect
+ github.com/cert-manager/cert-manager v1.14.5 // indirect
 github.com/cespare/xxhash/v2 v2.3.0 // indirect
 github.com/chai2010/gettext-go v1.0.2 // indirect
 github.com/charmbracelet/bubbles v0.16.1 // indirect
@@ -59,7 +59,7 @@ require (
 github.com/cyphar/filepath-securejoin v0.3.1 // indirect
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 github.com/distribution/reference v0.5.0 // indirect
- github.com/docker/cli v25.0.1+incompatible // indirect
+ github.com/docker/cli v25.0.3+incompatible // indirect
 github.com/docker/distribution v2.8.3+incompatible // indirect
 github.com/docker/docker v27.0.3+incompatible // indirect
 github.com/docker/docker-credential-helpers v0.8.1 // indirect
@@ -93,7 +93,7 @@ require (
 github.com/google/pprof v0.0.0-20240711041743-f6c9dda6c6da // indirect
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 github.com/google/uuid v1.6.0 // indirect
- github.com/gorilla/mux v1.8.0 // indirect
+ github.com/gorilla/mux v1.8.1 // indirect
 github.com/gorilla/websocket v1.5.0 // indirect
 github.com/gosuri/uitable v0.0.4 // indirect
 github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect
@@ -192,7 +192,6 @@ require (
 k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect
 oras.land/oras-go v1.2.5 // indirect
 sigs.k8s.io/controller-runtime v0.17.0 // indirect
- sigs.k8s.io/gateway-api v1.0.0 // indirect
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 sigs.k8s.io/kustomize/api v0.17.2 // indirect
 sigs.k8s.io/kustomize/kyaml v0.17.1 // indirect
diff --git a/go.sum b/go.sum
index 2d94a4735..02cf3868e 100644
--- a/go.sum
+++ b/go.sum
@@ -53,8 +53,8 @@ github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b/go.mod h1:obH5gd0Bsq github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0 h1:nvj0OLI3YqYXer/kZD8Ri1aaunCxIEsOst1BVJswV0o= github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0/go.mod h1:D/8v3kj0zr8ZAKg1AQ6crr+5VwKN5eIywRkfhyM/+dE= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= -github.com/cert-manager/cert-manager v1.14.2 h1:C/uci6yxiCRO04PWomBbSX+T4JT58FIIpDj5SZ6Ks6I= -github.com/cert-manager/cert-manager v1.14.2/go.mod h1:pik7K6jXfgh++lfVJ/i1HzEnDluSUtTVLXSHikj8Lho= +github.com/cert-manager/cert-manager v1.14.5 h1:uuM1O2g2S80nxiH3eW2cZYMGiL2zmDFVdAzg8sibWuc= +github.com/cert-manager/cert-manager v1.14.5/go.mod h1:fmr/cU5jiLxWj69CroDggSOa49RljUK+dU583TaQUXM= github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/chai2010/gettext-go v1.0.2 h1:1Lwwip6Q2QGsAdl/ZKPCwTe9fe0CjlUbqj5bFNSjIRk= 
@@ -81,8 +81,8 @@ github.com/containerd/errdefs v0.1.0 h1:m0wCRBiu1WJT/Fr+iOoQHMQS/eP5myQ8lCv4Dz5Z github.com/containerd/errdefs v0.1.0/go.mod h1:YgWiiHtLmSeBrvpw+UfPijzbLaB77mEG1WwJTDETIV0= github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= -github.com/containers/image/v5 v5.29.2 h1:b8U0XYWhaQbKucK73IbmSm8WQyKAhKDbAHQc45XlsOw= -github.com/containers/image/v5 v5.29.2/go.mod h1:kQ7qcDsps424ZAz24thD+x7+dJw1vgur3A9tTDsj97E= +github.com/containers/image/v5 v5.30.1 h1:AKrQMgOKI1oKx5FW5eoU2xoNyzACajHGx1O3qxobvFM= +github.com/containers/image/v5 v5.30.1/go.mod h1:gSD8MVOyqBspc0ynLsuiMR9qmt8UQ4jpVImjmK0uXfk= github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 h1:Qzk5C6cYglewc+UyGf6lc8Mj2UaPTHy/iF2De0/77CA= github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01/go.mod h1:9rfv8iPl1ZP7aqh9YA68wnZv2NUDbXdcdPHVz0pFbPY= github.com/containers/ocicrypt v1.1.9 h1:2Csfba4jse85Raxk5HIyEk8OwZNjRvfkhEGijOjIdEM= 
@@ -102,8 +102,8 @@ github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2 h1:aB github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2/go.mod h1:WHNsWjnIn2V1LYOrME7e8KxSeKunYHsxEm4am0BUtcI= github.com/distribution/reference v0.5.0 h1:/FUIFXtfc/x2gpa5/VGfiGLuOIdYa1t65IKK2OFGvA0= github.com/distribution/reference v0.5.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= -github.com/docker/cli v25.0.1+incompatible h1:mFpqnrS6Hsm3v1k7Wa/BO23oz0k121MTbTO1lpcGSkU= -github.com/docker/cli v25.0.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v25.0.3+incompatible h1:KLeNs7zws74oFuVhgZQ5ONGZiXUUdgsdy6/EsX/6284= +github.com/docker/cli v25.0.3+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/docker v27.0.3+incompatible h1:aBGI9TeQ4MPlhquTQKq9XbK79rKFVwXNUAYz9aXyEBE= 
@@ -227,8 +227,8 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/gorilla/handlers v1.5.1 h1:9lRY6j8DEeeBT10CvO9hGW0gmky0BprnvDI5vfhUHH4= github.com/gorilla/handlers v1.5.1/go.mod h1:t8XrUpc4KVXb7HGyJ4/cEnwQiaxrX/hz1Zv/4g96P1Q= -github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI= -github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So= +github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= +github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ= github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc= github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/gosuri/uitable v0.0.4 h1:IG2xLKRvErL3uhY6e1BylFzG+aJiwQviDDTfOKeKTpY= @@ -403,8 +403,8 @@ github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 h1:lZUw3E0/J3roVtGQ+SCrUrg3ON6NgVqpn3+iol9aGu4= github.com/santhosh-tekuri/jsonschema/v5 v5.3.1/go.mod h1:uToXkOrWAZ6/Oc07xWQrPOhJotwFIyu2bBVN41fcDUY= -github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ= -github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= +github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8= +github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I= github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k= github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= 
@@ -595,8 +595,8 @@ gorm.io/gorm v1.25.7/go.mod h1:hbnx/Oo0ChWMn1BIhpy1oYozzpM15i4YPuHDmfYtwg8= gorm.io/gorm v1.25.10 h1:dQpO+33KalOA+aFYGlK+EfxcI5MbO7EP2yYygwh9h+s= gorm.io/gorm v1.25.10/go.mod h1:hbnx/Oo0ChWMn1BIhpy1oYozzpM15i4YPuHDmfYtwg8= gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo= -gotest.tools/v3 v3.5.0 h1:Ljk6PdHdOhAb5aDMWXjDLMMhph+BpztA4v1QdqEW2eY= -gotest.tools/v3 v3.5.0/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU= +gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU= +gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU= helm.sh/helm/v3 v3.16.2 h1:Y9v7ry+ubQmi+cb5zw1Llx8OKHU9Hk9NQ/+P+LGBe2o= helm.sh/helm/v3 v3.16.2/go.mod h1:SyTXgKBjNqi2NPsHCW5dDAsHqvGIu0kdNYNH9gQaw70= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= @@ -627,8 +627,6 @@ oras.land/oras-go v1.2.5 h1:XpYuAwAb0DfQsunIyMfeET92emK8km3W4yEzZvUbsTo= oras.land/oras-go v1.2.5/go.mod h1:PuAwRShRZCsZb7g8Ar3jKKQR/2A/qN+pkYxIOd/FAoo= sigs.k8s.io/controller-runtime v0.17.0 h1:fjJQf8Ukya+VjogLO6/bNX9HE6Y2xpsO5+fyS26ur/s= sigs.k8s.io/controller-runtime v0.17.0/go.mod h1:+MngTvIQQQhfXtwfdGw/UOQ/aIaqsYywfCINOtwMO/s= -sigs.k8s.io/gateway-api v1.0.0 h1:iPTStSv41+d9p0xFydll6d7f7MOBGuqXM6p2/zVYMAs= -sigs.k8s.io/gateway-api v1.0.0/go.mod h1:4cUgr0Lnp5FZ0Cdq8FdRwCvpiWws7LVhLHGIudLlf4c= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/kustomize/api v0.17.2 h1:E7/Fjk7V5fboiuijoZHgs4aHuexi5Y2loXlVOAVAG5g= diff --git a/internal/net/hostname.go b/internal/net/hostname.go deleted file mode 100644 index a2a7c9682..000000000 --- a/internal/net/hostname.go +++ /dev/null 
@@ -1,21 +0,0 @@
-package net
-
-import (
- "os"
- "os/exec"
- "strings"
-)
-
-func Hostname() (string, error) {
- return os.Hostname()
-}
-
-func FQDN() (string, error) {
- cmd := exec.Command("/bin/hostname", "--fqdn")
- out, err := cmd.Output()
- if err != nil {
- return "", err
- }
-
- return strings.TrimSpace(string(out)), nil
-}
diff --git a/internal/tls/libvirt.go b/internal/tls/libvirt.go
deleted file mode 100644
index 227dd6ff5..000000000
--- a/internal/tls/libvirt.go
+++ /dev/null
@@ -1,317 +0,0 @@
-package tls
-
-import (
- "bytes"
- "context"
- "encoding/json"
- "fmt"
- "os"
- "time"
-
- cmv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
- cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
- cmclient "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/typed/certmanager/v1"
- log "github.com/sirupsen/logrus"
- "github.com/vexxhost/atmosphere/internal/net"
- v1 "k8s.io/api/core/v1"
- "k8s.io/apimachinery/pkg/api/errors"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/fields"
- "k8s.io/apimachinery/pkg/runtime"
- "k8s.io/apimachinery/pkg/types"
- "k8s.io/apimachinery/pkg/util/wait"
- "k8s.io/apimachinery/pkg/watch"
- kubernetes "k8s.io/client-go/kubernetes/typed/core/v1"
- "k8s.io/client-go/rest"
- "k8s.io/client-go/tools/cache"
-)
-
-type LibvirtCertificateType string
-
-const (
- LibvirtCertificateTypeAPI LibvirtCertificateType = "api"
- LibvirtCertificateTypeVNC LibvirtCertificateType = "vnc"
-)
-
-const (
- EnvVarPodUID = "POD_UID"
- EnvVarPodName = "POD_NAME"
- EnvVarPodNamespace = "POD_NAMESPACE"
- EnvVarPodIP = "POD_IP"
-)
-
-type LibvirtCertificateSpec struct {
- Type LibvirtCertificateType
- IssuerRef cmmeta.ObjectReference
-}
-
-type LibvirtManager struct {
- logger *log.Entry
- spec *LibvirtCertificateSpec
- certificate *cmv1.Certificate
- certificateName string
- certificateClient cmclient.CertificateInterface
- secretClient kubernetes.SecretInterface
-}
-
-func NewLibvirtManager(config *rest.Config, spec *LibvirtCertificateSpec) (*LibvirtManager, error) {
- required := []string{
- EnvVarPodName,
- EnvVarPodNamespace,
- EnvVarPodUID,
- EnvVarPodIP,
- }
-
- for _, env := range required {
- if os.Getenv(env) == "" {
- return nil, fmt.Errorf("missing required environment variable: %s", env)
- }
- }
-
- mgr := &LibvirtManager{}
-
- hostname, err := net.Hostname()
- if err != nil {
- return nil, err
- }
-
- fqdn, err := net.FQDN()
- if err != nil {
- return nil, 
err
- }
-
- clientset, err := kubernetes.NewForConfig(config)
- if err != nil {
- return nil, err
- }
-
- cmClient, err := cmclient.NewForConfig(config)
- if err != nil {
- return nil, err
- }
-
- podUID := types.UID(os.Getenv(EnvVarPodUID))
- podNamespace := os.Getenv(EnvVarPodNamespace)
- podName := os.Getenv(EnvVarPodName)
- podIP := os.Getenv(EnvVarPodIP)
-
- mgr.spec = spec
- mgr.secretClient = clientset.Secrets(podNamespace)
- mgr.certificateClient = cmClient.Certificates(podNamespace)
- mgr.certificateName = fmt.Sprintf("%s-%s", podName, spec.Type)
-
- mgr.logger = log.WithFields(log.Fields{
- "certificateName": mgr.certificateName,
- "podName": podName,
- "podNamespace": podNamespace,
- "podUID": podUID,
- "podIP": podIP,
- "hostname": hostname,
- "fqdn": fqdn,
- "issuerKind": spec.IssuerRef.Kind,
- "issuerName": spec.IssuerRef.Name,
- })
-
- mgr.certificate = &cmv1.Certificate{
- ObjectMeta: metav1.ObjectMeta{
- Name: mgr.certificateName,
- Namespace: podNamespace,
- OwnerReferences: []metav1.OwnerReference{
- {
- APIVersion: "v1",
- Kind: "Pod",
- Name: podName,
- UID: podUID,
- },
- },
- },
- Spec: cmv1.CertificateSpec{
- SecretName: mgr.certificateName,
- CommonName: podIP,
- Usages: []cmv1.KeyUsage{
- cmv1.UsageClientAuth,
- cmv1.UsageServerAuth,
- },
- DNSNames: []string{hostname, fqdn},
- IPAddresses: []string{podIP},
- IssuerRef: spec.IssuerRef,
- },
- }
-
- return mgr, nil
-}
-
-func (m *LibvirtManager) Create(ctx context.Context) error {
- // Create certificate
- _, err := m.certificateClient.Create(ctx, m.certificate, metav1.CreateOptions{})
- if err != nil && !errors.IsAlreadyExists(err) {
- return err
- }
-
- m.logger.Info("certificate created")
-
- // Wait for certificate to become ready
- err = wait.PollUntilContextTimeout(ctx, 5*time.Second, 300*time.Second, true, func(ctx context.Context) (bool, error) {
- certificate, err := m.certificateClient.Get(ctx, m.certificateName, metav1.GetOptions{})
- if err != nil {
- return false, err
- }
-
- 
for _, condition := range certificate.Status.Conditions {
- if condition.Type == cmv1.CertificateConditionReady {
- if condition.Status == cmmeta.ConditionTrue {
- return true, nil
- }
-
- m.logger.WithFields(log.Fields{
- "reason": condition.Reason,
- "message": condition.Message,
- }).Info("certificate not ready")
- }
- }
-
- return false, nil
- })
- if err != nil {
- return err
- }
-
- m.logger.Info("certificate ready")
-
- // Create patch with ownerReference so the secret is garbage collected
- patch := []map[string]interface{}{
- {
- "op": "add",
- "path": "/metadata/ownerReferences",
- "value": m.certificate.OwnerReferences,
- },
- }
- patchBytes, err := json.Marshal(patch)
- if err != nil {
- return err
- }
-
- m.logger.Info("patching secret")
-
- // Patch secret with ownerReference
- _, err = m.secretClient.Patch(ctx, m.certificateName, types.JSONPatchType, patchBytes, metav1.PatchOptions{})
- return err
-}
-
-func (m *LibvirtManager) Watch(ctx context.Context) {
- for {
- m.watch(ctx)
- m.logger.Info("watch closed or disconnected, retrying in 5 seconds")
-
- time.Sleep(5 * time.Second)
- }
-}
-
-func (m *LibvirtManager) watch(ctx context.Context) {
- fieldSelector := fields.OneTermEqualSelector("metadata.name", m.certificateName).String()
-
- listWatcher := &cache.ListWatch{
- ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
- options.FieldSelector = fieldSelector
- return m.secretClient.List(ctx, options)
- },
- WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
- options.FieldSelector = fieldSelector
- return m.secretClient.Watch(ctx, options)
- },
- }
-
- _, controller := cache.NewInformer(
- listWatcher,
- &v1.Secret{},
- time.Minute,
- cache.ResourceEventHandlerFuncs{
- AddFunc: func(obj interface{}) {
- secret := obj.(*v1.Secret)
- m.write(secret)
- },
- UpdateFunc: func(oldObj, newObj interface{}) {
- secret := newObj.(*v1.Secret)
- m.write(secret)
- },
- DeleteFunc: func(obj interface{}) {
- 
m.logger.Fatal("secret deleted")
- },
- },
- )
-
- stop := make(chan struct{})
- defer close(stop)
- controller.Run(stop)
-}
-
-func (m *LibvirtManager) write(secret *v1.Secret) {
- switch m.spec.Type {
- case LibvirtCertificateTypeAPI:
- m.createDirectory("/etc/pki/libvirt/private")
- m.writeFile("/etc/pki/CA/cacert.pem", secret.Data["ca.crt"])
- m.writeFile("/etc/pki/libvirt/servercert.pem", secret.Data["tls.crt"])
- m.writeFile("/etc/pki/libvirt/private/serverkey.pem", secret.Data["tls.key"])
- m.writeFile("/etc/pki/libvirt/clientcert.pem", secret.Data["tls.crt"])
- m.writeFile("/etc/pki/libvirt/private/clientkey.pem", secret.Data["tls.key"])
- m.createDirectory("/etc/pki/qemu")
- m.writeFile("/etc/pki/qemu/ca-cert.pem", secret.Data["ca.crt"])
- m.writeFile("/etc/pki/qemu/server-cert.pem", secret.Data["tls.crt"])
- m.writeFile("/etc/pki/qemu/server-key.pem", secret.Data["tls.key"])
- m.writeFile("/etc/pki/qemu/client-cert.pem", secret.Data["tls.crt"])
- m.writeFile("/etc/pki/qemu/client-key.pem", secret.Data["tls.key"])
- case LibvirtCertificateTypeVNC:
- m.createDirectory("/etc/pki/libvirt-vnc")
- m.writeFile("/etc/pki/libvirt-vnc/ca-cert.pem", secret.Data["ca.crt"])
- m.writeFile("/etc/pki/libvirt-vnc/server-cert.pem", secret.Data["tls.crt"])
- m.writeFile("/etc/pki/libvirt-vnc/server-key.pem", secret.Data["tls.key"])
- }
-}
-
-func (m *LibvirtManager) createDirectory(path string) {
- if _, err := os.Stat(path); !os.IsNotExist(err) {
- return
- }
-
- m.logger.WithFields(log.Fields{
- "path": path,
- }).Info("creating directory")
-
- err := os.MkdirAll(path, 0755)
- if err != nil {
- m.logger.Fatal(err)
- }
-}
-
-func (m *LibvirtManager) writeFile(path string, data []byte) {
- log := m.logger.WithFields(log.Fields{
- "path": path,
- })
-
- existingData, err := os.ReadFile(path)
- if err != nil {
- if os.IsNotExist(err) {
- log.Info("file does not exist, creating file")
-
- err = os.WriteFile(path, data, 0644)
- if err != nil {
- log.Fatal(err)
- }
-
- return
- 
}
-
- m.logger.Fatal(err)
- }
-
- if bytes.Equal(existingData, data) {
- return
- }
-
- log.Info("file contents changed, updating file")
-
- err = os.WriteFile(path, data, 0644)
- if err != nil {
- log.Fatal(err)
- }
-}
diff --git a/roles/defaults/vars/main.yml b/roles/defaults/vars/main.yml
index afda28d39..47fbfe55a 100644
--- a/roles/defaults/vars/main.yml
+++ b/roles/defaults/vars/main.yml
@@ -120,7 +120,7 @@ _atmosphere_images:
 kube_vip: ghcr.io/kube-vip/kube-vip:v0.6.4
 kubectl: docker.io/bitnami/kubectl:1.27.3
 libvirt: "registry.atmosphere.dev/library/libvirtd:{{ atmosphere_release }}"
- libvirt_tls_sidecar: "registry.atmosphere.dev/library/libvirt-tls-sidecar:{{ atmosphere_release }}"
+ libvirt_tls_sidecar: registry.atmosphere.dev/library/libvirt-tls-sidecar:latest
 libvirt_exporter: registry.atmosphere.dev/library/libvirtd-exporter:latest
 local_path_provisioner_helper: docker.io/library/busybox:1.36.0
 local_path_provisioner: docker.io/rancher/local-path-provisioner:v0.0.24
diff --git a/zuul.d/container-images/libvirt-tls-sidecar.yaml b/zuul.d/container-images/libvirt-tls-sidecar.yaml
deleted file mode 100644
index 93d997ff6..000000000
--- a/zuul.d/container-images/libvirt-tls-sidecar.yaml
+++ /dev/null
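Review bot: The new `libvirt_tls_sidecar` value in the roles/defaults/vars/main.yml hunk points at the mutable `:latest` tag, so the sidecar that actually runs is no longer tied to `atmosphere_release` and cannot be reproduced, audited or rolled back from this repository. This same commit deletes the Dockerfile, `cmd/libvirt-tls-sidecar`, `internal/tls/libvirt.go` and the Zuul build/upload/promote jobs for that image, so nothing in-tree publishes or refreshes the tag any more; presumably the image is now built elsewhere, but that is not visible here. If the image is still required, pin it to an immutable reference and record where it is built, e.g. `libvirt_tls_sidecar: registry.atmosphere.dev/library/libvirt-tls-sidecar:<pinned-tag-or-digest>` (placeholder); if it is no longer required, remove the entry instead of pointing it at `latest`. `libvirt_exporter` on the following context line has the same `:latest` issue, although that predates this change.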
@@ -1,71 +0,0 @@
-# Copyright (c) 2024 VEXXHOST, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-- project:
- check:
- jobs:
- - atmosphere-build-container-image-libvirt-tls-sidecar
- gate:
- jobs:
- - atmosphere-upload-container-image-libvirt-tls-sidecar
- promote:
- jobs:
- - atmosphere-promote-container-image-libvirt-tls-sidecar
-
-- job:
- name: atmosphere-build-container-image-libvirt-tls-sidecar
- parent: atmosphere-build-container-image
- dependencies:
- - name: atmosphere-buildset-registry
- soft: false
- - name: atmosphere-build-container-image-ubuntu
- soft: true
- vars: &container_image_vars
- promote_container_image_job: atmosphere-upload-container-image-libvirt-tls-sidecar
- container_images:
- - context: . 
- target: libvirt-tls-sidecar
- registry: registry.atmosphere.dev
- repository: registry.atmosphere.dev/library/libvirt-tls-sidecar
- arch:
- - linux/amd64
- - linux/arm64
- build_args:
- - "RELEASE={{ zuul.branch | replace('stable/', '') }}"
- tags:
- - "{{ zuul.branch | replace('stable/', '') }}"
- files: &container_image_files
- - images/ubuntu/.*
- - cmd/.*
- - internal/.*
- - Dockerfile
- - go.mod
- - go.sum
-
-- job:
- name: atmosphere-upload-container-image-libvirt-tls-sidecar
- parent: atmosphere-upload-container-image
- dependencies:
- - name: atmosphere-buildset-registry
- soft: false
- - name: atmosphere-upload-container-image-ubuntu
- soft: true
- vars: *container_image_vars
- files: *container_image_files
-
-- job:
- name: atmosphere-promote-container-image-libvirt-tls-sidecar
- parent: atmosphere-promote-container-image
- vars: *container_image_vars
- files: *container_image_files
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml
index d10ed60c7..0baae0cf4 100644
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@@ -46,8 +46,6 @@
 soft: true
 - name: atmosphere-build-container-image-kubernetes-entrypoint
 soft: true
- - name: atmosphere-build-container-image-libvirt-tls-sidecar
- soft: true
 - name: atmosphere-build-container-image-libvirtd
 soft: true
 - name: atmosphere-build-container-image-magnum
@@ -118,8 +116,6 @@
 soft: true
 - name: atmosphere-upload-container-image-kubernetes-entrypoint
 soft: true
- - name: atmosphere-upload-container-image-libvirt-tls-sidecar
- soft: true
 - name: atmosphere-upload-container-image-libvirtd
 soft: true
 - name: atmosphere-upload-container-image-magnum