dgrove pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/openwhisk-deploy-kube.git
The following commit(s) were added to refs/heads/master by this push:
new bb2ed42 generate nginx server certificate during deployment (#550)
bb2ed42 is described below
commit bb2ed4281c6bbcbc514052d2d6a3cf6ec9dfed97
Author: David Grove <[email protected]>
AuthorDate: Tue Dec 3 10:25:38 2019 -0500
generate nginx server certificate during deployment (#550)
Add a job to generate the nginx server certificate during deployment.
Although not currently done, the same job could (should?) be used to
generate additional certificates and secrets to enable ssl-protected
communication between all services on the openwhisk control plane.
Fixes #305.
---
helm/openwhisk/Chart.yaml | 2 +-
.../genCerts/gencerts.sh} | 17 ++-----
.../{Chart.yaml => templates/gen-certs-cm.yaml} | 19 +++-----
helm/openwhisk/templates/gen-certs-job.yaml | 57 ++++++++++++++++++++++
.../{Chart.yaml => templates/init-role.yaml} | 25 +++++-----
.../{Chart.yaml => templates/init-rolebind.yaml} | 27 +++++-----
.../{Chart.yaml => templates/init-svcact.yaml} | 17 ++-----
helm/openwhisk/templates/nginx-secret.yaml | 29 -----------
helm/openwhisk/values.yaml | 10 ++--
9 files changed, 105 insertions(+), 98 deletions(-)
diff --git a/helm/openwhisk/Chart.yaml b/helm/openwhisk/Chart.yaml
index 9d93a6e..266e80d 100644
--- a/helm/openwhisk/Chart.yaml
+++ b/helm/openwhisk/Chart.yaml
@@ -18,7 +18,7 @@
apiVersion: v1
description: An open source, distributed serverless platform that executes
functions in response to events at any scale
name: openwhisk
-version: 0.1.8
+version: 0.1.9
icon:
https://raw.githubusercontent.com/apache/openwhisk/682eb5b62ee6ba8017ab54226c2ace3637f4f1ec/docs/images/whisk_icon_full-color_with_tm_64x64-300dpi.png
keywords:
- Apache OpenWhisk
diff --git a/helm/openwhisk/Chart.yaml
b/helm/openwhisk/configMapFiles/genCerts/gencerts.sh
old mode 100644
new mode 100755
similarity index 60%
copy from helm/openwhisk/Chart.yaml
copy to helm/openwhisk/configMapFiles/genCerts/gencerts.sh
index 9d93a6e..8db6236
--- a/helm/openwhisk/Chart.yaml
+++ b/helm/openwhisk/configMapFiles/genCerts/gencerts.sh
@@ -15,16 +15,7 @@
# limitations under the License.
#
-apiVersion: v1
-description: An open source, distributed serverless platform that executes
functions in response to events at any scale
-name: openwhisk
-version: 0.1.8
-icon:
https://raw.githubusercontent.com/apache/openwhisk/682eb5b62ee6ba8017ab54226c2ace3637f4f1ec/docs/images/whisk_icon_full-color_with_tm_64x64-300dpi.png
-keywords:
- - Apache OpenWhisk
- - amd64
-maintainers:
- - name: Apache OpenWhisk committers
- email: [email protected]
-tillerVersion: ">=2.9.0"
-kubeVersion: ">=v1.10.0-r0"
+genssl.sh "*.$WHISK_API_HOST_NAME" server /cert-gen
+
+kubectl create secret tls $NGINX_CERT_SECRET
--cert=/cert-gen/openwhisk-server-cert.pem
--key=/cert-gen/openwhisk-server-key.pem
+
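Review bot: `kubectl create secret tls` on the last added command is not idempotent, and `$NGINX_CERT_SECRET` is expanded unquoted. Because the secret is now created by kubectl instead of being rendered by the chart, it is presumably no longer tracked as a release resource. A `{{ .Release.Name }}-nginx` secret left by an earlier install, or still present during an upgrade from 0.1.8, would then make every retry fail with AlreadyExists until `backoffLimit` is exhausted. I would quote the name, `kubectl create secret tls "$NGINX_CERT_SECRET" ...`, and add a comment above the command saying that the job expects the secret to be absent and that an operator must delete it to rotate the certificate. Tolerating an existing secret would need more than the `create` verb the init role grants, so that is a design decision to record rather than a one-line fix.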
diff --git a/helm/openwhisk/Chart.yaml
b/helm/openwhisk/templates/gen-certs-cm.yaml
similarity index 62%
copy from helm/openwhisk/Chart.yaml
copy to helm/openwhisk/templates/gen-certs-cm.yaml
index 9d93a6e..f7840ea 100644
--- a/helm/openwhisk/Chart.yaml
+++ b/helm/openwhisk/templates/gen-certs-cm.yaml
@@ -16,15 +16,10 @@
#
apiVersion: v1
-description: An open source, distributed serverless platform that executes
functions in response to events at any scale
-name: openwhisk
-version: 0.1.8
-icon:
https://raw.githubusercontent.com/apache/openwhisk/682eb5b62ee6ba8017ab54226c2ace3637f4f1ec/docs/images/whisk_icon_full-color_with_tm_64x64-300dpi.png
-keywords:
- - Apache OpenWhisk
- - amd64
-maintainers:
- - name: Apache OpenWhisk committers
- email: [email protected]
-tillerVersion: ">=2.9.0"
-kubeVersion: ">=v1.10.0-r0"
+kind: ConfigMap
+metadata:
+ name: {{ .Release.Name }}-gen-certs
+ labels:
+{{ include "openwhisk.label_boilerplate" . | indent 4 }}
+data:
+{{ (.Files.Glob "configMapFiles/genCerts/gencerts.sh").AsConfig | indent 2 }}
diff --git a/helm/openwhisk/templates/gen-certs-job.yaml
b/helm/openwhisk/templates/gen-certs-job.yaml
new file mode 100644
index 0000000..d8925e1
--- /dev/null
+++ b/helm/openwhisk/templates/gen-certs-job.yaml
@@ -0,0 +1,57 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ .Release.Name }}-gen-certs
+ labels:
+ name: {{ .Release.Name }}-gen-certs
+{{ include "openwhisk.label_boilerplate" . | indent 4 }}
+spec:
+ backoffLimit: 3
+ template:
+ metadata:
+ name: {{ .Release.Name }}-gen-certs
+ labels:
+ name: {{ .Release.Name }}-gen-certs
+{{ include "openwhisk.label_boilerplate" . | indent 8 }}
+ spec:
+ serviceAccountName: {{ .Release.Name }}-init-sa
+ restartPolicy: Never
+ volumes:
+ - name: task-dir
+ configMap:
+ name: {{ .Release.Name }}-gen-certs
+{{ include "openwhisk.docker.imagePullSecrets" . | indent 6 }}
+ containers:
+ - name: gen-certs
+ image: "{{- .Values.docker.registry.name -}}{{-
.Values.utility.imageName -}}:{{- .Values.utility.imageTag -}}"
+ imagePullPolicy: {{ .Values.utility.imagePullPolicy | quote }}
+ command: ["/bin/bash", "-c", "set -e; . /task/gencerts.sh"]
+ volumeMounts:
+ - name: task-dir
+ mountPath: "/task/gencerts.sh"
+ subPath: "gencerts.sh"
+ env:
+ - name: "NGINX_CERT_SECRET"
+ value: {{ .Release.Name }}-nginx
+ - name: "WHISK_API_HOST_NAME"
+ valueFrom:
+ configMapKeyRef:
+ name: {{ .Release.Name }}-whisk.config
+ key: whisk_api_host_name
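Review bot: This Job is rendered unconditionally, while the deleted nginx-secret.yaml wrapped the same `{{ .Release.Name }}-nginx` secret in `{{- if ne .Values.whisk.ingress.type "OpenShift" }}`. If nginx is still skipped for that ingress type, the chart now runs a pod holding the secret-creating `init-sa` token and leaves an unused TLS private key in the namespace. Wrapping the template in the same `if`/`end` guard would keep the old behaviour. The `gen-certs` container also has no `securityContext` or `resources`, although its pod carries a token that can create Secrets. I would add `securityContext: {allowPrivilegeEscalation: false}` under the container, provided the ow-utils image runs without needing escalation, which is not visible here.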
diff --git a/helm/openwhisk/Chart.yaml b/helm/openwhisk/templates/init-role.yaml
similarity index 60%
copy from helm/openwhisk/Chart.yaml
copy to helm/openwhisk/templates/init-role.yaml
index 9d93a6e..51db340 100644
--- a/helm/openwhisk/Chart.yaml
+++ b/helm/openwhisk/templates/init-role.yaml
@@ -15,16 +15,15 @@
# limitations under the License.
#
-apiVersion: v1
-description: An open source, distributed serverless platform that executes
functions in response to events at any scale
-name: openwhisk
-version: 0.1.8
-icon:
https://raw.githubusercontent.com/apache/openwhisk/682eb5b62ee6ba8017ab54226c2ace3637f4f1ec/docs/images/whisk_icon_full-color_with_tm_64x64-300dpi.png
-keywords:
- - Apache OpenWhisk
- - amd64
-maintainers:
- - name: Apache OpenWhisk committers
- email: [email protected]
-tillerVersion: ">=2.9.0"
-kubeVersion: ">=v1.10.0-r0"
+# A role to allow initialization jobs to create secrets and config maps
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ .Release.Name }}-init-role
+ labels:
+{{ include "openwhisk.label_boilerplate" . | indent 4 }}
+rules:
+- apiGroups: [""]
+ resources: ["secrets", "configmaps"]
+ verbs: ["create"]
+
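Review bot: The rule grants `create` on both `secrets` and `configmaps`, but the only consumer visible in this commit, gencerts.sh, creates a single TLS secret. Kubernetes RBAC cannot restrict `create` by `resourceNames`, so `init-sa` can create any Secret or ConfigMap in the release namespace. Narrowing to `resources: ["secrets"]` until a job actually needs ConfigMaps keeps the grant to what is used. The header comment could also record that the role is deliberately create-only, e.g. `# create-only: init jobs must never read, update or delete existing secrets`.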
diff --git a/helm/openwhisk/Chart.yaml
b/helm/openwhisk/templates/init-rolebind.yaml
similarity index 60%
copy from helm/openwhisk/Chart.yaml
copy to helm/openwhisk/templates/init-rolebind.yaml
index 9d93a6e..2c7469c 100644
--- a/helm/openwhisk/Chart.yaml
+++ b/helm/openwhisk/templates/init-rolebind.yaml
@@ -15,16 +15,17 @@
# limitations under the License.
#
-apiVersion: v1
-description: An open source, distributed serverless platform that executes
functions in response to events at any scale
-name: openwhisk
-version: 0.1.8
-icon:
https://raw.githubusercontent.com/apache/openwhisk/682eb5b62ee6ba8017ab54226c2ace3637f4f1ec/docs/images/whisk_icon_full-color_with_tm_64x64-300dpi.png
-keywords:
- - Apache OpenWhisk
- - amd64
-maintainers:
- - name: Apache OpenWhisk committers
- email: [email protected]
-tillerVersion: ">=2.9.0"
-kubeVersion: ">=v1.10.0-r0"
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ .Release.Name }}-init-rb
+ labels:
+{{ include "openwhisk.label_boilerplate" . | indent 4 }}
+subjects:
+- kind: ServiceAccount
+ namespace: {{ .Release.Namespace | quote }}
+ name: {{ .Release.Name }}-init-sa
+roleRef:
+ kind: Role
+ name: {{ .Release.Name }}-init-role
+ apiGroup: rbac.authorization.k8s.io
diff --git a/helm/openwhisk/Chart.yaml
b/helm/openwhisk/templates/init-svcact.yaml
similarity index 62%
copy from helm/openwhisk/Chart.yaml
copy to helm/openwhisk/templates/init-svcact.yaml
index 9d93a6e..ea2b6b0 100644
--- a/helm/openwhisk/Chart.yaml
+++ b/helm/openwhisk/templates/init-svcact.yaml
@@ -16,15 +16,8 @@
#
apiVersion: v1
-description: An open source, distributed serverless platform that executes
functions in response to events at any scale
-name: openwhisk
-version: 0.1.8
-icon:
https://raw.githubusercontent.com/apache/openwhisk/682eb5b62ee6ba8017ab54226c2ace3637f4f1ec/docs/images/whisk_icon_full-color_with_tm_64x64-300dpi.png
-keywords:
- - Apache OpenWhisk
- - amd64
-maintainers:
- - name: Apache OpenWhisk committers
- email: [email protected]
-tillerVersion: ">=2.9.0"
-kubeVersion: ">=v1.10.0-r0"
+kind: ServiceAccount
+metadata:
+ name: {{ .Release.Name }}-init-sa
+ labels:
+{{ include "openwhisk.label_boilerplate" . | indent 4 }}
diff --git a/helm/openwhisk/templates/nginx-secret.yaml
b/helm/openwhisk/templates/nginx-secret.yaml
deleted file mode 100644
index 1f2e9ce..0000000
--- a/helm/openwhisk/templates/nginx-secret.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-{{- if ne .Values.whisk.ingress.type "OpenShift" }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ .Release.Name }}-nginx
- labels:
-{{ include "openwhisk.label_boilerplate" . | indent 4 }}
-type: tls
-data:
- tls.crt:
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURLakNDQWhJQ0NRQ3JWVW52eWpMdHpEQU5CZ2txaGtpRzl3MEJBUVVGQURCWE1Rc3dDUVlEVlFRR0V3SlYKVXpFTE1Ba0dBMVVFQ0F3Q1Rsa3hFVEFQQmdOVkJBY01DRmx2Y210MGIzZHVNUkl3RUFZRFZRUUtEQWxQY0dWdQpWMmhwYzJzeEZEQVNCZ05WQkFNTUN5b3ViRzlqWVd4b2IzTjBNQjRYRFRFNE1UQXdNVEl3TlRBd01sb1hEVEU1Ck1UQXdNVEl3TlRBd01sb3dWekVMTUFrR0ExVUVCaE1DVlZNeEN6QUpCZ05WQkFnTUFrNVpNUkV3RHdZRFZRUUgKREFoWmIzSnJkRzkzYmpFU01CQUdBMVVFQ2d3SlQzQmxibGRvYVhOck1SUXdFZ1lEVlFRRERBc3FMbXh2WTJGcwphRzl6ZERDQ
[...]
- tls.key:
LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBMVhrMTZjYXFBZGNmM05JVFZjRnNxWEhjZVFmMTBsUGpsS1Q1RGcrYmJKUHdTKzlwCnFBc1lPbTB2TFA0RjcyUzcvQTlJZmdNc2t5VWJSc3VtSmx4U3pSNUplNG9iTVZRUUNCQjVmejkwUnpLZGFxSXMKclpkd2htb0JmcjlWZFVxT0pqY1VQZTBUTzJGVzdRSE8wcFAxV3dJUUJmdjI5bjFpdGtpTGxNWk9KZ05TV2NtRgpZN0hnai83V0RNK3dNL1hXdzlsS0NGM0o5R3NYczluQTcwQWxmLytidmxiUGZTVmdLM1Q0c0ljQlpsMWIrT3ZLCnMrMzR6cjJ4R2pXN1pidjFTK01XbEcvMzQyYkVsRm9UcStOMUtnUkxIMXJUUGRIWmZZL3FoM2hZZUJONDE2eEIKb1E3M
[...]
-{{- end }}
diff --git a/helm/openwhisk/values.yaml b/helm/openwhisk/values.yaml
index fa42716..3b5671b 100644
--- a/helm/openwhisk/values.yaml
+++ b/helm/openwhisk/values.yaml
@@ -129,9 +129,9 @@ whisk:
includeSystemTests: false
versions:
openwhisk:
- buildDate: "2019-11-08-08:32:33Z"
+ buildDate: "2019-11-20-14:48:00Z"
buildNo: "20191108a"
- gitTag: "d47f4ec91d467295ffcfa894401ddb113984c108"
+ gitTag: "4cb41be6b7ea14c8002c9decda4b20f8d0fdd691"
openwhiskCli:
tag: "1.0.0"
openwhiskCatalog:
@@ -154,7 +154,7 @@ k8s:
# Images used to run auxillary tasks/jobs
utility:
imageName: "openwhisk/ow-utils"
- imageTag: "d47f4ec"
+ imageTag: "4cb41be"
imagePullPolicy: "IfNotPresent"
# Docker registry
@@ -238,7 +238,7 @@ nginx:
# Controller configurations
controller:
imageName: "openwhisk/controller"
- imageTag: "d47f4ec"
+ imageTag: "4cb41be"
imagePullPolicy: "IfNotPresent"
replicaCount: 1
restartPolicy: "Always"
@@ -250,7 +250,7 @@ controller:
# Invoker configurations
invoker:
imageName: "openwhisk/invoker"
- imageTag: "d47f4ec"
+ imageTag: "4cb41be"
imagePullPolicy: "IfNotPresent"
restartPolicy: "Always"
port: 8080