From de84200e8dcefa5f816349e60596ae168fcf1638 Mon Sep 17 00:00:00 2001 From: Radim Hrazdil <32546791+rhrazdil@users.noreply.github.com> Date: Wed, 30 Mar 2022 17:07:01 +0200 Subject: [PATCH] [release-0.64] Nmstate add selfsigned api (#1029) * nmstate, api: Add SelfSign configuration API to NMState Add SelfSign API to achieve feature parity with CNAO. For future implementation of Cert Rotation. Signed-off-by: Radim Hrazdil * make vendor Signed-off-by: Radim Hrazdil * operator: pass SelfSignedConfiguration from NMState spec If defined, pass SelfSignedConfiguration from NMState. If not specified, keep using the same defaults as of now. Signed-off-by: Radim Hrazdil * set defaults of SelfSignConfiguration in the operator Signed-off-by: Radim Hrazdil --- api/v1/nmstate_types.go | 13 +++++++++++ api/v1/zz_generated.deepcopy.go | 20 +++++++++++++++++ controllers/operator/nmstate_controller.go | 18 ++++++++++----- deploy/crds/nmstate.io_nmstates.yaml | 22 +++++++++++++++++++ deploy/handler/operator.yaml | 8 +++---- .../api/v1/nmstate_types.go | 13 +++++++++++ .../nodenetworkconfigurationpolicy_types.go | 1 + .../api/v1/zz_generated.deepcopy.go | 20 +++++++++++++++++ .../nodenetworkconfigurationpolicy_types.go | 1 + ...nodenetworkconfigurationenactment_types.go | 1 + 10 files changed, 107 insertions(+), 10 deletions(-) diff --git a/api/v1/nmstate_types.go b/api/v1/nmstate_types.go index d4886f997..32fd812ad 100644 --- a/api/v1/nmstate_types.go +++ b/api/v1/nmstate_types.go 
@@ -50,6 +50,19 @@ type NMStateSpec struct {
 // If InfraTolerations is specified, the webhook and certmanager will be able to be scheduled on nodes with corresponding taints
 // +optional
 InfraTolerations []corev1.Toleration `json:"infraTolerations,omitempty"`
+ // SelfSignConfiguration defines self signed certificate configuration
+ SelfSignConfiguration *SelfSignConfiguration `json:"selfSignConfiguration,omitempty"`
+}
+
+type SelfSignConfiguration struct {
+ // CARotateInterval defines duration for CA expiration
+ CARotateInterval string `json:"caRotateInterval,omitempty"`
+ // CAOverlapInterval defines the duration where expired CA certificate can overlap with new one, in order to allow fluent CA rotation transitioning
+ CAOverlapInterval string `json:"caOverlapInterval,omitempty"`
+ // CertRotateInterval defines duration for of service certificate expiration
+ CertRotateInterval string `json:"certRotateInterval,omitempty"`
+ // CertOverlapInterval defines the duration where expired service certificate can overlap with new one, in order to allow fluent service rotation transitioning
+ CertOverlapInterval string `json:"certOverlapInterval,omitempty"`
 }
 
 // NMStateStatus defines the observed state of NMState
diff --git a/api/v1/zz_generated.deepcopy.go b/api/v1/zz_generated.deepcopy.go
index b4538c932..3bfa3e666 100644
--- a/api/v1/zz_generated.deepcopy.go
+++ b/api/v1/zz_generated.deepcopy.go
@@ -126,6 +126,11 @@ func (in *NMStateSpec) DeepCopyInto(out *NMStateSpec) {
 (*in)[i].DeepCopyInto(&(*out)[i])
 }
 }
+ if in.SelfSignConfiguration != nil {
+ in, out := &in.SelfSignConfiguration, &out.SelfSignConfiguration
+ *out = new(SelfSignConfiguration)
+ **out = **in
+ }
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NMStateSpec.
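Review bot: The four interval fields added to `SelfSignConfiguration` in the nmstate_types.go hunk are free-form strings with no validation marker and no documented format, so a value the handler cannot parse is accepted by the API server and, judging by the operator.yaml hunk further down, only fails once the handler consumes the `CA_*`/`CERT_*` env values. Because these intervals bound the lifetime of the CA and serving certificates, each field comment should state the expected syntax (the defaults look like Go time.Duration strings) and the default the operator applies, e.g. `// CARotateInterval defines duration for CA expiration, in Go duration syntax (default "8760h0m0s")`, the struct field should carry `// +optional` like the neighbouring InfraTolerations field, and a `// +kubebuilder:validation:Pattern` marker restricting values to duration syntax would reject malformed input at admission. The CertRotateInterval comment also reads `defines duration for of service certificate expiration`; drop the stray `for`. The same text is mirrored in the vendored copy of nmstate_types.go and in the generated CRD yaml, so regenerate those after changing it.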
@@ -218,3 +223,18 @@ func (in *NodeNetworkConfigurationPolicyList) DeepCopyObject() runtime.Object {
 }
 return nil
 }
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SelfSignConfiguration) DeepCopyInto(out *SelfSignConfiguration) {
+ *out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelfSignConfiguration.
+func (in *SelfSignConfiguration) DeepCopy() *SelfSignConfiguration {
+ if in == nil {
+ return nil
+ }
+ out := new(SelfSignConfiguration)
+ in.DeepCopyInto(out)
+ return out
+}
diff --git a/controllers/operator/nmstate_controller.go b/controllers/operator/nmstate_controller.go
index 43c119e38..a30a4b41a 100644
--- a/controllers/operator/nmstate_controller.go
+++ b/controllers/operator/nmstate_controller.go
@@ -209,6 +209,16 @@ func (r *NMStateReconciler) applyHandler(instance *nmstatev1.NMState) error {
 infraAffinity = &corev1.Affinity{}
 }
 
+ selfSignConfiguration := instance.Spec.SelfSignConfiguration
+ if selfSignConfiguration == nil {
+ selfSignConfiguration = &nmstatev1.SelfSignConfiguration{
+ CARotateInterval: "8760h0m0s",
+ CAOverlapInterval: "24h0m0s",
+ CertRotateInterval: "4380h0m0s",
+ CertOverlapInterval: "24h0m0s",
+ }
+ }
+
 data.Data["HandlerNamespace"] = os.Getenv("HANDLER_NAMESPACE")
 data.Data["HandlerImage"] = os.Getenv("RELATED_IMAGE_HANDLER_IMAGE")
 data.Data["HandlerPullPolicy"] = os.Getenv("HANDLER_IMAGE_PULL_POLICY")
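Review bot: The nil check added to `applyHandler` in the nmstate_controller.go hunk defaults all four intervals only when the whole `SelfSignConfiguration` is absent; a spec that sets, say, only `caRotateInterval` leaves the other fields as `""`, and because the `| default` fallbacks are removed from the handler template in the operator.yaml hunk below, the handler then receives empty `CA_OVERLAP_INTERVAL`/`CERT_*` env values (the @@ -221 controller hunk is where that struct is handed to the template). Defaulting per field keeps partial specs working, and copying the spec first (the generated `DeepCopy` returns nil for a nil receiver) avoids writing defaults back into the in-memory CR, which the caller may hold from the client cache. The duration literals are also repeated between this hunk and the old template, so hoisting them into named constants in this file would keep them in one place. If the `time` package is available here, running each value through `time.ParseDuration` before rendering would turn a typo into a reconcile error instead of a handler that fails at start-up. `applyHandler` begins and ends outside the hunk.
```go
	selfSignConfiguration := instance.Spec.SelfSignConfiguration.DeepCopy()
	if selfSignConfiguration == nil {
		selfSignConfiguration = &nmstatev1.SelfSignConfiguration{}
	}
	// Default each interval on its own so a partially specified spec keeps the built-in values.
	if selfSignConfiguration.CARotateInterval == "" {
		selfSignConfiguration.CARotateInterval = "8760h0m0s"
	}
	if selfSignConfiguration.CAOverlapInterval == "" {
		selfSignConfiguration.CAOverlapInterval = "24h0m0s"
	}
	if selfSignConfiguration.CertRotateInterval == "" {
		selfSignConfiguration.CertRotateInterval = "4380h0m0s"
	}
	if selfSignConfiguration.CertOverlapInterval == "" {
		selfSignConfiguration.CertOverlapInterval = "24h0m0s"
	}
	// … unchanged: data.Data assignments …
```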
@@ -221,12 +231,8 @@ func (r *NMStateReconciler) applyHandler(instance *nmstatev1.NMState) error {
 data.Data["HandlerNodeSelector"] = archAndCRNodeSelector
 data.Data["HandlerTolerations"] = handlerTolerations
 data.Data["HandlerAffinity"] = handlerAffinity
- // TODO: This is just a place holder to make template renderer happy
- // proper variable has to be read from env or CR
- data.Data["CARotateInterval"] = ""
- data.Data["CAOverlapInterval"] = ""
- data.Data["CertRotateInterval"] = ""
- data.Data["CertOverlapInterval"] = ""
+ data.Data["SelfSignConfiguration"] = selfSignConfiguration
+
 return r.renderAndApply(instance, data, "handler", true)
 }
 
diff --git a/deploy/crds/nmstate.io_nmstates.yaml b/deploy/crds/nmstate.io_nmstates.yaml
index 50a29a457..8a7802527 100644
--- a/deploy/crds/nmstate.io_nmstates.yaml
+++ b/deploy/crds/nmstate.io_nmstates.yaml
@@ -1750,6 +1750,28 @@ spec:
 that have each of the indicated key-value pairs as labels applied to the node.
 type: object
+ selfSignConfiguration:
+ description: SelfSignConfiguration defines self signed certificate
+ configuration
+ properties:
+ caOverlapInterval:
+ description: CAOverlapInterval defines the duration where expired
+ CA certificate can overlap with new one, in order to allow fluent
+ CA rotation transitioning
+ type: string
+ caRotateInterval:
+ description: CARotateInterval defines duration for CA expiration
+ type: string
+ certOverlapInterval:
+ description: CertOverlapInterval defines the duration where expired
+ service certificate can overlap with new one, in order to allow
+ fluent service rotation transitioning
+ type: string
+ certRotateInterval:
+ description: CertRotateInterval defines duration for of service
+ certificate expiration
+ type: string
+ type: object
 tolerations:
 description: Tolerations is an optional list of tolerations to be added to handler DaemonSet manifest If Tolerations is specified,
diff --git a/deploy/handler/operator.yaml b/deploy/handler/operator.yaml
index 465d59c07..0e0e8ab02 100644
--- a/deploy/handler/operator.yaml
+++ b/deploy/handler/operator.yaml
@@ -165,13 +165,13 @@ spec:
 - name: PROFILER_PORT
 value: "6060"
 - name: CA_ROTATE_INTERVAL
- value: {{ .CARotateInterval | default "8760h0m0s" }}
+ value: {{ .SelfSignConfiguration.CARotateInterval }}
 - name: CA_OVERLAP_INTERVAL
- value: {{ .CAOverlapInterval | default "24h0m0s" }}
+ value: {{ .SelfSignConfiguration.CAOverlapInterval }}
 - name: CERT_ROTATE_INTERVAL
- value: {{ .CertRotateInterval | default "4380h0m0s" }}
+ value: {{ .SelfSignConfiguration.CertRotateInterval }}
 - name: CERT_OVERLAP_INTERVAL
- value: {{ .CertOverlapInterval | default "24h0m0s" }}
+ value: {{ .SelfSignConfiguration.CertOverlapInterval }}
 ---
 apiVersion: apps/v1
 kind: DaemonSet
diff --git a/vendor/github.com/nmstate/kubernetes-nmstate/api/v1/nmstate_types.go b/vendor/github.com/nmstate/kubernetes-nmstate/api/v1/nmstate_types.go
index d4886f997..32fd812ad 100644
--- a/vendor/github.com/nmstate/kubernetes-nmstate/api/v1/nmstate_types.go
+++ b/vendor/github.com/nmstate/kubernetes-nmstate/api/v1/nmstate_types.go
@@ -50,6 +50,19 @@ type NMStateSpec struct {
 // If InfraTolerations is specified, the webhook and certmanager will be able to be scheduled on nodes with corresponding taints
 // +optional
 InfraTolerations []corev1.Toleration `json:"infraTolerations,omitempty"`
+ // SelfSignConfiguration defines self signed certificate configuration
+ SelfSignConfiguration *SelfSignConfiguration `json:"selfSignConfiguration,omitempty"`
+}
+
+type SelfSignConfiguration struct {
+ // CARotateInterval defines duration for CA expiration
+ CARotateInterval string `json:"caRotateInterval,omitempty"`
+ // CAOverlapInterval defines the duration where expired CA certificate can overlap with new one, in order to allow fluent CA rotation transitioning
+ CAOverlapInterval string `json:"caOverlapInterval,omitempty"`
+ // CertRotateInterval defines duration for of service certificate expiration
+ CertRotateInterval string `json:"certRotateInterval,omitempty"`
+ // CertOverlapInterval defines the duration where expired service certificate can overlap with new one, in order to allow fluent service rotation transitioning
+ CertOverlapInterval string `json:"certOverlapInterval,omitempty"`
 }
 
 // NMStateStatus defines the observed state of NMState
diff --git a/vendor/github.com/nmstate/kubernetes-nmstate/api/v1/nodenetworkconfigurationpolicy_types.go b/vendor/github.com/nmstate/kubernetes-nmstate/api/v1/nodenetworkconfigurationpolicy_types.go
index 42e962c35..e35d29eff 100644
--- a/vendor/github.com/nmstate/kubernetes-nmstate/api/v1/nodenetworkconfigurationpolicy_types.go
+++ b/vendor/github.com/nmstate/kubernetes-nmstate/api/v1/nodenetworkconfigurationpolicy_types.go
@@ -38,6 +38,7 @@ type NodeNetworkConfigurationPolicyList struct {
 // +kubebuilder:subresource:status
 // +kubebuilder:resource:path=nodenetworkconfigurationpolicies,shortName=nncp,scope=Cluster
 // +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.conditions[?(@.status==\"True\")].type",description="Status"
+// +kubebuilder:printcolumn:name="Reason",type="string",JSONPath=".status.conditions[?(@.status==\"True\")].reason",description="Reason"
 // +kubebuilder:storageversion
 
 // NodeNetworkConfigurationPolicy is the Schema for the nodenetworkconfigurationpolicies API
diff --git a/vendor/github.com/nmstate/kubernetes-nmstate/api/v1/zz_generated.deepcopy.go b/vendor/github.com/nmstate/kubernetes-nmstate/api/v1/zz_generated.deepcopy.go
index b4538c932..3bfa3e666 100644
--- a/vendor/github.com/nmstate/kubernetes-nmstate/api/v1/zz_generated.deepcopy.go
+++ b/vendor/github.com/nmstate/kubernetes-nmstate/api/v1/zz_generated.deepcopy.go
@@ -126,6 +126,11 @@ func (in *NMStateSpec) DeepCopyInto(out *NMStateSpec) {
 (*in)[i].DeepCopyInto(&(*out)[i])
 }
 }
+ if in.SelfSignConfiguration != nil {
+ in, out := &in.SelfSignConfiguration, &out.SelfSignConfiguration
+ *out = new(SelfSignConfiguration)
+ **out = **in
+ }
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NMStateSpec.
@@ -218,3 +223,18 @@ func (in *NodeNetworkConfigurationPolicyList) DeepCopyObject() runtime.Object {
 }
 return nil
 }
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SelfSignConfiguration) DeepCopyInto(out *SelfSignConfiguration) {
+ *out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelfSignConfiguration.
+func (in *SelfSignConfiguration) DeepCopy() *SelfSignConfiguration {
+ if in == nil {
+ return nil
+ }
+ out := new(SelfSignConfiguration)
+ in.DeepCopyInto(out)
+ return out
+}
diff --git a/vendor/github.com/nmstate/kubernetes-nmstate/api/v1alpha1/nodenetworkconfigurationpolicy_types.go b/vendor/github.com/nmstate/kubernetes-nmstate/api/v1alpha1/nodenetworkconfigurationpolicy_types.go
index 497620ddb..f006021bb 100644
--- a/vendor/github.com/nmstate/kubernetes-nmstate/api/v1alpha1/nodenetworkconfigurationpolicy_types.go
+++ b/vendor/github.com/nmstate/kubernetes-nmstate/api/v1alpha1/nodenetworkconfigurationpolicy_types.go
@@ -22,6 +22,7 @@ type NodeNetworkConfigurationPolicyList struct {
 // +kubebuilder:subresource:status
 // +kubebuilder:resource:path=nodenetworkconfigurationpolicies,shortName=nncp,scope=Cluster
 // +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.conditions[?(@.status==\"True\")].type",description="Status"
+// +kubebuilder:printcolumn:name="Reason",type="string",JSONPath=".status.conditions[?(@.status==\"True\")].reason",description="Reason"
 // +kubebuilder:deprecatedversion
 
 // NodeNetworkConfigurationPolicy is the Schema for the nodenetworkconfigurationpolicies API
diff --git a/vendor/github.com/nmstate/kubernetes-nmstate/api/v1beta1/nodenetworkconfigurationenactment_types.go b/vendor/github.com/nmstate/kubernetes-nmstate/api/v1beta1/nodenetworkconfigurationenactment_types.go
index e5d74f69e..49abdd8ac 100644
--- a/vendor/github.com/nmstate/kubernetes-nmstate/api/v1beta1/nodenetworkconfigurationenactment_types.go
+++ b/vendor/github.com/nmstate/kubernetes-nmstate/api/v1beta1/nodenetworkconfigurationenactment_types.go
@@ -23,6 +23,7 @@ type NodeNetworkConfigurationEnactmentList struct { // +kubebuilder:subresource:status // +kubebuilder:resource:path=nodenetworkconfigurationenactments,shortName=nnce,scope=Cluster // +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.conditions[?(@.status==\"True\")].type",description="Status" +// +kubebuilder:printcolumn:name="Reason",type="string",JSONPath=".status.conditions[?(@.status==\"True\")].reason",description="Reason" // +kubebuilder:pruning:PreserveUnknownFields // +kubebuilder:storageversion