From a03d256219c303c22622a32602109e79635abf07 Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Thu, 24 Oct 2024 08:33:12 -0700
Subject: [PATCH] Load clusterissuer secret from cert-manager namespace
Signed-off-by: Tamal Saha
---
 .config/api-rules/violation_exceptions.list | 1 +
 apis/cacerts/v1alpha1/openapi_generated.go | 80 +++++++++++++++++--
 .../cacerts/caproviderclass_controller.go | 14 ++--
 pkg/providers/ca.go | 33 ++++++--
 4 files changed, 106 insertions(+), 22 deletions(-)
diff --git a/.config/api-rules/violation_exceptions.list b/.config/api-rules/violation_exceptions.list
index bb44ca39..d9a33ad0 100644
--- a/.config/api-rules/violation_exceptions.list
+++ b/.config/api-rules/violation_exceptions.list
@@ -6,6 +6,7 @@ API rule violation: list_type_missing,kmodules.xyz/client-go/api/v1,CertificateS
 API rule violation: list_type_missing,kmodules.xyz/client-go/api/v1,CertificateSpec,EmailAddresses
 API rule violation: list_type_missing,kmodules.xyz/client-go/api/v1,CertificateSpec,IPAddresses
 API rule violation: list_type_missing,kmodules.xyz/client-go/api/v1,CertificateSpec,URIs
+API rule violation: list_type_missing,kmodules.xyz/client-go/api/v1,ClusterInfo,ClusterManagers
 API rule violation: list_type_missing,kmodules.xyz/client-go/api/v1,ImageInfo,Lineages
 API rule violation: list_type_missing,kmodules.xyz/client-go/api/v1,Lineage,Chain
 API rule violation: list_type_missing,kmodules.xyz/client-go/api/v1,Lineage,Containers
diff --git a/apis/cacerts/v1alpha1/openapi_generated.go b/apis/cacerts/v1alpha1/openapi_generated.go
index 26961fe5..3745607e 100644
--- a/apis/cacerts/v1alpha1/openapi_generated.go
+++ b/apis/cacerts/v1alpha1/openapi_generated.go
@@ -358,6 +358,7 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "kmodules.xyz/client-go/api/v1.CAPIClusterInfo": schema_kmodulesxyz_client_go_api_v1_CAPIClusterInfo(ref), "kmodules.xyz/client-go/api/v1.CertificatePrivateKey": schema_kmodulesxyz_client_go_api_v1_CertificatePrivateKey(ref), "kmodules.xyz/client-go/api/v1.CertificateSpec": schema_kmodulesxyz_client_go_api_v1_CertificateSpec(ref), + "kmodules.xyz/client-go/api/v1.ClusterInfo": schema_kmodulesxyz_client_go_api_v1_ClusterInfo(ref), "kmodules.xyz/client-go/api/v1.ClusterMetadata": schema_kmodulesxyz_client_go_api_v1_ClusterMetadata(ref), "kmodules.xyz/client-go/api/v1.Condition": schema_kmodulesxyz_client_go_api_v1_Condition(ref), "kmodules.xyz/client-go/api/v1.HealthCheckSpec": schema_kmodulesxyz_client_go_api_v1_HealthCheckSpec(ref), @@ -18399,23 +18400,27 @@ func schema_kmodulesxyz_client_go_api_v1_CAPIClusterInfo(ref common.ReferenceCal Properties: map[string]spec.Schema{ "provider": { SchemaProps: spec.SchemaProps{ - Type: []string{"string"}, - Format: "", + Default: "", + Type: []string{"string"}, + Format: "", }, }, "namespace": { SchemaProps: spec.SchemaProps{ - Type: []string{"string"}, - Format: "", + Default: "", + Type: []string{"string"}, + Format: "", }, }, "clusterName": { SchemaProps: spec.SchemaProps{ - Type: []string{"string"}, - Format: "", + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, + Required: []string{"provider", "namespace", "clusterName"}, }, }, } @@ -18482,7 +18487,7 @@ func schema_kmodulesxyz_client_go_api_v1_CertificateSpec(ref common.ReferenceCal }, "renewBefore": { SchemaProps: spec.SchemaProps{ - Description: "Certificate renew before expiration duration", + Description: "Certificate renew before expiration duration\n\nDeprecated use `ReconfigureTLS` type OpsRequest instead.", Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"), }, }, 
@@ -18561,6 +18566,55 @@ func schema_kmodulesxyz_client_go_api_v1_CertificateSpec(ref common.ReferenceCal } } +func schema_kmodulesxyz_client_go_api_v1_ClusterInfo(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ClusterInfo used in ace-installer", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "uid": { + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "name": { + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "clusterManagers": { + SchemaProps: spec.SchemaProps{ + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "capi": { + SchemaProps: spec.SchemaProps{ + Ref: ref("kmodules.xyz/client-go/api/v1.CAPIClusterInfo"), + }, + }, + }, + Required: []string{"uid", "name", "clusterManagers"}, + }, + }, + Dependencies: []string{ + "kmodules.xyz/client-go/api/v1.CAPIClusterInfo"}, + } +} + func schema_kmodulesxyz_client_go_api_v1_ClusterMetadata(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -18616,6 +18670,18 @@ func schema_kmodulesxyz_client_go_api_v1_ClusterMetadata(ref common.ReferenceCal Format: "", }, }, + "managerID": { + SchemaProps: spec.SchemaProps{ + Type: []string{"string"}, + Format: "", + }, + }, + "hubClusterID": { + SchemaProps: spec.SchemaProps{ + Type: []string{"string"}, + Format: "", + }, + }, }, Required: []string{"uid"}, }, diff --git a/pkg/controllers/cacerts/caproviderclass_controller.go b/pkg/controllers/cacerts/caproviderclass_controller.go index 4f043e7c..714d3d61 100644 --- a/pkg/controllers/cacerts/caproviderclass_controller.go +++ b/pkg/controllers/cacerts/caproviderclass_controller.go 
@@ -22,7 +22,7 @@ import (
 api "kubeops.dev/csi-driver-cacerts/apis/cacerts/v1alpha1"
 cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
- core "k8s.io/api/core/v1"
+ corev1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/runtime/schema"
 ctrl "sigs.k8s.io/controller-runtime"
@@ -65,7 +65,7 @@ func (r *CAProviderClassReconciler) SetupWithManager(mgr ctrl.Manager) error {
 }
 var req []reconcile.Request
- var ns string
+ var refNamespace string
 for _, p := range providers.Items {
 for _, ref := range p.Spec.Refs {
 var group string
@@ -78,12 +78,12 @@ func (r *CAProviderClassReconciler) SetupWithManager(mgr ctrl.Manager) error {
 continue
 }
- ns = ref.Namespace
- if ns == "" {
- ns = p.Namespace
+ refNamespace = ref.Namespace
+ if refNamespace == "" && gk.Kind != "ClusterIssuer" {
+ refNamespace = p.Namespace
 }
- if a.GetNamespace() != "" && a.GetNamespace() != ns {
+ if a.GetNamespace() != "" && a.GetNamespace() != refNamespace {
 continue
 }
@@ -97,7 +97,7 @@ func (r *CAProviderClassReconciler) SetupWithManager(mgr ctrl.Manager) error {
 return ctrl.NewControllerManagedBy(mgr).
 For(&api.CAProviderClass{}).
- Watches(&core.Secret{}, handler.EnqueueRequestsFromMapFunc(mf(schema.GroupKind{Group: "", Kind: "Secret"}))).
+ Watches(&corev1.Secret{}, handler.EnqueueRequestsFromMapFunc(mf(schema.GroupKind{Group: "", Kind: "Secret"}))).
 Watches(&cmapi.Issuer{}, handler.EnqueueRequestsFromMapFunc(mf(schema.GroupKind{Group: cmapi.SchemeGroupVersion.Group, Kind: "Issuer"}))).
 Watches(&cmapi.ClusterIssuer{}, handler.EnqueueRequestsFromMapFunc(mf(schema.GroupKind{Group: cmapi.SchemeGroupVersion.Group, Kind: "ClusterIssuer"}))).
 Complete(r)
diff --git a/pkg/providers/ca.go b/pkg/providers/ca.go
index 64947401..811816ba 100644
--- a/pkg/providers/ca.go
+++ b/pkg/providers/ca.go
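Review bot: The new condition `if refNamespace == "" && gk.Kind != "ClusterIssuer" {` compares against a bare string literal that this commit also repeats in pkg/providers/ca.go; cert-manager exports the kind name as `cmapi.ClusterIssuerKind` and `cmapi` is already imported in this file, so `if refNamespace == "" && gk.Kind != cmapi.ClusterIssuerKind {` keeps the two sites from drifting apart. The check looks at Kind alone, which is only safe if the `continue` at the top of the hunk has already rejected refs whose group is not cert-manager's; that group check is outside the visible lines, so it is worth confirming. A short why-comment on the condition, such as `// ClusterIssuer is cluster-scoped, so there is no namespace to default`, would make the exception self-explanatory for the next reader. SetupWithManager starts and ends outside this hunk.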
@@ -27,6 +27,8 @@ import (
 cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
 "gomodules.xyz/cert"
 corev1 "k8s.io/api/core/v1"
+ "k8s.io/client-go/tools/cache"
+ "kmodules.xyz/client-go/meta"
 "sigs.k8s.io/controller-runtime/pkg/client"
 )
@@ -37,20 +39,35 @@ type IssuerProvider struct {
 var _ lib.CAProvider = &IssuerProvider{}
 func (c *IssuerProvider) GetCAs(obj client.Object, _ string) ([]*x509.Certificate, error) {
+ kind := obj.GetObjectKind().GroupVersionKind().Kind
+ issuerKey, err := cache.MetaNamespaceKeyFunc(obj)
+ if err != nil {
+ return nil, err
+ }
+
 issuer, ok := obj.(cmapi.GenericIssuer)
 if !ok {
- return nil, fmt.Errorf("%v %s/%s is not a GenericIssuer", obj.GetObjectKind().GroupVersionKind(), obj.GetNamespace(), obj.GetName())
+ return nil, fmt.Errorf("%s %s is not a GenericIssuer", kind, issuerKey)
 }
+
 if issuer.GetSpec().CA == nil {
- return nil, fmt.Errorf("%v %s/%s does not have a CA", issuer.GetObjectKind().GroupVersionKind(), issuer.GetNamespace(), issuer.GetName())
+ return nil, fmt.Errorf("%s %s does not have a CA", kind, issuerKey)
 }
 var secret corev1.Secret
 secretRef := client.ObjectKey{
- Namespace: issuer.GetNamespace(),
- Name: issuer.GetSpec().CA.SecretName,
+ Namespace: func() string {
+ if kind == "ClusterIssuer" {
+ // cert-manager requires the ClusterIssuer ca secret to be in the same namespace where it is deployed.
+ // So, csi-driver must be in the same namespace where cert-manager is installed.
+ // ns will be defaulted to cert-manager namespace in standard deployments.
+ return meta.PodNamespace()
+ }
+ return issuer.GetNamespace()
+ }(),
+ Name: issuer.GetSpec().CA.SecretName,
 }
- err := c.Reader.Get(context.TODO(), secretRef, &secret)
+ err = c.Reader.Get(context.TODO(), secretRef, &secret)
 if err != nil {
 return nil, err
 }
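Review bot: The ClusterIssuer branch inside the new `Namespace:` closure is selected by `kind`, which is read from `obj.GetObjectKind().GroupVersionKind().Kind`; typed objects returned by a controller-runtime client can arrive with an empty TypeMeta, in which case `kind` is `""`, the branch is skipped, and the lookup quietly falls back to `issuer.GetNamespace()`, which is empty for a cluster-scoped issuer. A type assertion does not depend on TypeMeta being populated, so `_, isClusterIssuer := obj.(*cmapi.ClusterIssuer)` followed by `if isClusterIssuer {` in place of the string compare would make the namespace choice robust while `kind` is kept only for the messages. When the Get does fail, the bare `return nil, err` names neither the namespace nor the secret that was searched, which is exactly what an operator needs to spot a driver that is not co-located with cert-manager as the inline comment requires; `return nil, fmt.Errorf("%s %s: reading CA secret %s: %w", kind, issuerKey, secretRef, err)` makes that misconfiguration diagnosable. Since the secret read now targets the driver's own namespace, the RBAC granted to the driver presumably has to cover secrets there rather than the issuer's namespace, which is worth stating in the comment above `meta.PodNamespace()`. GetCAs continues past the end of this hunk.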
@@ -64,16 +81,16 @@ func (c *IssuerProvider) GetCAs(obj client.Object, _ string) ([]*x509.Certificat
 return nil, err
 }
 if len(caCerts) == 0 {
- return nil, fmt.Errorf("%v %s/%s signing certificate is not a CA", issuer.GetObjectKind().GroupVersionKind(), issuer.GetNamespace(), issuer.GetName())
+ return nil, fmt.Errorf("%s %s signing certificate is not a CA", kind, issuerKey)
 }
 now := time.Now()
 for _, caCert := range caCerts {
 if now.Before(caCert.NotBefore) {
- return nil, fmt.Errorf("%v %s/%s points a CA cert not valid before %v, now: %s", issuer.GetObjectKind().GroupVersionKind(), issuer.GetNamespace(), issuer.GetName(), caCert.NotBefore, now)
+ return nil, fmt.Errorf("%s %s points a CA cert not valid before %v, now: %s", kind, issuerKey, caCert.NotBefore, now)
 }
 if now.After(caCert.NotAfter) {
- return nil, fmt.Errorf("%v %s/%s points a CA cert expired at %v, now: %s", issuer.GetObjectKind().GroupVersionKind(), issuer.GetNamespace(), issuer.GetName(), caCert.NotAfter, now)
+ return nil, fmt.Errorf("%s %s points a CA cert expired at %v, now: %s", kind, issuerKey, caCert.NotAfter, now)
 }
 }