Merge pull request #216 from MikeEdgar/customize-observability-cr

Enable customized Observability CR patch, bump KFM to c97e8cd
bf2fc6cc711aee1a0c2a · Sep 8, 2022 · 186bff2 · 186bff2
2 parents 6b83953 + bc379ce
commit 186bff2
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 17 deletions.
diff --git a/kas-fleet-manager/deploy-kas-fleet-manager.sh b/kas-fleet-manager/deploy-kas-fleet-manager.sh
@@ -206,6 +206,11 @@ deploy_kasfleetmanager() {
       echo 'KAFKA_OWNERS=[ "'${REDHAT_SSO_CLIENT_ID}'" ]' >> ${SERVICE_PARAMS}
   fi
 
+  if [ -n "$(${KUBECTL} get deployment kas-fleet-manager --ignore-not-found -o jsonpath=\"{.metadata.name}\" -n ${KAS_FLEET_MANAGER_NAMESPACE})" ] ; then
+      echo "Scaling down existing kas-fleet-manager deployment to apply changes"
+      ${KUBECTL} scale deployment/kas-fleet-manager --replicas=0
+  fi
+
   ${OC} process -f ${KAS_FLEET_MANAGER_CODE_DIR}/templates/service-template.yml \
     --param-file=${SERVICE_PARAMS} \
     -p ENVIRONMENT="${OCM_ENV}" \
@@ -273,20 +278,24 @@ disable_observability_operator_extras() {
     sleep 3
   done
 
-  echo "Patching Observability CR to disable: Observatorium, PagerDuty, DeadmanSnitch, Smtp"
-  OBSERVABILITY_MERGE_PATCH_CONTENT=$(cat << EOF
-{
-  "spec": {
-    "selfContained": {
-      "disablePagerDuty": true,
-      "disableObservatorium": true,
-      "disableDeadmansSnitch": true,
-      "disableSmtp": true
-    }
-  }
-}
-EOF
-)
+  OBSERVABILITY_MERGE_PATCH_CONTENT="${OBSERVABILITY_CR_MERGE_PATCH_CONTENT:-}"
+
+  if [ -n "${OBSERVABILITY_MERGE_PATCH_CONTENT}" ] ; then
+    echo "Patching Observability CR with custom content: ${OBSERVABILITY_MERGE_PATCH_CONTENT}"
+  else
+    echo "Patching Observability CR to disable: Observatorium, PagerDuty, DeadmanSnitch, Smtp"
+    OBSERVABILITY_MERGE_PATCH_CONTENT='{
+      "spec": {
+        "selfContained": {
+          "disablePagerDuty": true,
+          "disableObservatorium": true,
+          "disableDeadmansSnitch": true,
+          "disableSmtp": true
+        }
+      }
+    }'
+  fi
+
   while [ "$(${KUBECTL} patch Observability observability-stack --type=merge --patch "${OBSERVABILITY_MERGE_PATCH_CONTENT}" -n ${OBSERVABILITY_OPERATOR_K8S_NAMESPACE} || echo 'false')" = 'false' ] ; do
     echo "Failed to patch Observability CR, retrying"
     sleep 2

diff --git a/kas-installer-defaults.env b/kas-installer-defaults.env
@@ -96,7 +96,7 @@ KAS_FLEET_MANAGER_IMAGE_REPOSITORY="${KAS_FLEET_MANAGER_IMAGE_REPOSITORY:-"bf2fc
 # [optional]
 # KAS Fleet Manager container image tag
 #
-KAS_FLEET_MANAGER_IMAGE_TAG="${KAS_FLEET_MANAGER_IMAGE_TAG:-"1ba3dbc"}"
+KAS_FLEET_MANAGER_IMAGE_TAG="${KAS_FLEET_MANAGER_IMAGE_TAG:-"c97e8cd"}"
 
 # [optional]
 # Build the KAS Fleet Manager image from source (determined by KAS_FLEET_MANAGER_GIT_URL and KAS_FLEET_MANAGER_GIT_REF)
@@ -114,7 +114,7 @@ KAS_FLEET_MANAGER_GIT_URL="${KAS_FLEET_MANAGER_GIT_URL:-"https://github.com/bf2f
 # KAS Fleet Manager's git reference. A commit ID, branch name or tag can be used. The commit ID should be compatible with
 # the container image contents used
 #
-KAS_FLEET_MANAGER_GIT_REF="${KAS_FLEET_MANAGER_GIT_REF:-"1ba3dbc0c8a822507fdd9ebc83d8e1c74c9f120b"}"
+KAS_FLEET_MANAGER_GIT_REF="${KAS_FLEET_MANAGER_GIT_REF:-"c97e8cd2199daeca18fc7ce6f94e1d0da82594ae"}"
 
 # [optional]
 # OCM offline token for use with kas-fleet-manager's "ocm" cluster provider
@@ -150,4 +150,21 @@ STRIMZI_OPERATOR_NAMESPACE="${STRIMZI_OPERATOR_NAMESPACE:-}"
 # Strimzi cluster operator OLM bundle index image reference
 STRIMZI_OLM_INDEX_IMAGE="${STRIMZI_OLM_INDEX_IMAGE:-"quay.io/osd-addons/rhosak-strimzi-operator-bundle-index:v4.9-v0.1.4-2"}"
 
+# [optional]
+# TLS certificate to be used with the Kafka instance listeners and the admin API server. Must also configure the value
+# of ENABLE_KAFKA_EXTERNAL_CERTIFICATE to 'true' using kas-fleet-manager parameter customization (see README)
+#
+KAFKA_TLS_CERT="${KAFKA_TLS_CERT:-}"
+
+# [optional]
+# TLS key to be used with the Kafka instance listeners and the admin API server. Must also configure the value
+# of ENABLE_KAFKA_EXTERNAL_CERTIFICATE to 'true' using kas-fleet-manager parameter customization (see README)
+#
+KAFKA_TLS_KEY="${KAFKA_TLS_KEY:-}"
+
+# [optional]
+# JSON content used to patch the Observability resource. May be used to customize the resyncPeriod, for example.
+#
+OBSERVABILITY_CR_MERGE_PATCH_CONTENT="${OBSERVABILITY_CR_MERGE_PATCH_CONTENT:-}"
+
 trap - EXIT
diff --git a/kas-installer.sh b/kas-installer.sh
@@ -65,6 +65,7 @@ generate_kas_fleet_manager_env_config() {
   echo "OBSERVABILITY_CONFIG_ACCESS_TOKEN=${OBSERVABILITY_CONFIG_ACCESS_TOKEN}" >> ${KAS_FLEET_MANAGER_DEPLOY_ENV_FILE}
   echo "OBSERVABILITY_CONFIG_REPO=${OBSERVABILITY_CONFIG_REPO}" >> ${KAS_FLEET_MANAGER_DEPLOY_ENV_FILE}
   echo "OBSERVABILITY_CONFIG_TAG=${OBSERVABILITY_CONFIG_TAG}" >> ${KAS_FLEET_MANAGER_DEPLOY_ENV_FILE}
+  echo "OBSERVABILITY_CR_MERGE_PATCH_CONTENT='${OBSERVABILITY_CR_MERGE_PATCH_CONTENT}'" >> ${KAS_FLEET_MANAGER_DEPLOY_ENV_FILE}
 
   echo "STRIMZI_OPERATOR_NAMESPACE=${STRIMZI_OPERATOR_NAMESPACE}" >> ${KAS_FLEET_MANAGER_DEPLOY_ENV_FILE}
   echo "STRIMZI_OLM_INDEX_IMAGE=${STRIMZI_OLM_INDEX_IMAGE}" >> ${KAS_FLEET_MANAGER_DEPLOY_ENV_FILE}

diff --git a/managed_kafka.sh b/managed_kafka.sh
@@ -149,9 +149,17 @@ certgen() {
 
     rm -f ${TRUSTSTORE} || true
 
+    echo "Adding ${KAFKA_USERNAME}-cluster-ca-cert certificate to truststore"
     oc get secret -o yaml ${KAFKA_USERNAME}-cluster-ca-cert -n ${KAFKA_INSTANCE_NAMESPACE} -o json | jq -r '.data."ca.crt"' | base64 --decode  > ${CRT_PEM}
     keytool -import -trustcacerts -keystore ${TRUSTSTORE} -storepass:env TRUSTSTORE_PASSWORD -noprompt -alias mk${KAFKA_ID} -file ${CRT_PEM}
 
+    if [ -n "${KAFKA_TLS_CERT}" ] ; then
+        echo "Adding configured KAFKA_TLS_CERT certificate to truststore"
+        echo "${KAFKA_TLS_CERT}" > ${CRT_PEM}
+        keytool -import -trustcacerts -keystore ${TRUSTSTORE} -storepass:env TRUSTSTORE_PASSWORD -noprompt -alias mk${KAFKA_ID}-tlscert -file ${CRT_PEM}
+        rm ${CRT_PEM}
+    fi
+
     echo "Adding JVM platform trust to truststore in order to enable OAuth use-cases.."
     i=0
     while IFS= read -r -d $'\0' file; do
@@ -179,7 +187,7 @@ certgen() {
     echo 'ssl.truststore.password = password' >> app-services.properties
     echo 'sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="'${SA_CLIENT_ID}'" password="'${SA_CLIENT_SECRET}'";' >> app-services.properties
     echo 'bootstrap.servers='${BOOTSTRAP_SERVER_HOST} >> app-services.properties
-    
+
     echo "Certificate generation complete. Please use app-services.properties as the --command-config flag when using kafka bin scripts."
 }