Skip to content

Commit

Permalink
No longer needed to create operator-ca-tls prefixed secrets on the …
Browse files Browse the repository at this point in the history
…Tenant namespace

This was fixed by trusting CA's as soon as the secret changed on PR minio#2133

Signed-off-by: pjuarezd <[email protected]>
  • Loading branch information
pjuarezd committed May 28, 2024
1 parent c2988da commit 122ac95
Show file tree
Hide file tree
Showing 3 changed files with 9 additions and 106 deletions.
7 changes: 0 additions & 7 deletions pkg/controller/monitoring.go
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,6 @@ import (
"context"
"fmt"
"log"
"strings"
"time"

"github.com/minio/madmin-go/v3"
Expand Down Expand Up @@ -119,12 +118,6 @@ func (c *Controller) updateHealthStatusForTenant(tenant *miniov2.Tenant) error {
// get cluster health for tenant
healthResult, err := aClnt.Healthy(hctx, madmin.HealthOpts{})
if err != nil {
if strings.Contains(err.Error(), "failed to verify certificate") {
err := c.reloadTenantExternalCerts(tenant)
if err != nil {
return err
}
}
// show the error and continue
klog.Infof("'%s/%s' Failed to get cluster health: %v", tenant.Namespace, tenant.Name, err)
return nil
Expand Down
15 changes: 9 additions & 6 deletions pkg/controller/operator.go
Original file line number Diff line number Diff line change
Expand Up @@ -384,9 +384,12 @@ func (c *Controller) checkOpenshiftSignerCACertInOperatorNamespace(ctx context.C
},
}
_, err = c.kubeClientSet.CoreV1().Secrets(namespace).Create(ctx, csrSignerSecret, metav1.CreateOptions{})
// Reload CA certificates
c.createTransport()
return err
if err != nil {
return err
}
// Add the CA certificate to the trusted Root CA's
c.trustPEMInSecretField(csrSignerSecret, certs.TLSCertFile)
return nil
}
return err
}
Expand All @@ -397,9 +400,9 @@ func (c *Controller) checkOpenshiftSignerCACertInOperatorNamespace(ctx context.C
if err != nil {
return err
}
klog.Infof("'%s/%s' secret changed, updating '%s/%s' secret", OpenshiftKubeControllerNamespace, OpenshiftCATLSSecretName, namespace, OperatorCSRSignerCASecretName)
// Reload CA certificates
c.createTransport()
klog.Infof("'%s/%s' secret changed, updated '%s/%s' secret", OpenshiftKubeControllerNamespace, OpenshiftCATLSSecretName, namespace, OperatorCSRSignerCASecretName)
// Add the CA certificate to the trusted Root CA's
c.trustPEMInSecretField(csrSignerSecret, certs.TLSCertFile)
}
return nil
}
Expand Down
93 changes: 0 additions & 93 deletions pkg/controller/tenants.go
Original file line number Diff line number Diff line change
Expand Up @@ -19,12 +19,6 @@ package controller
import (
"context"
"errors"
"strings"

"github.com/minio/operator/pkg/certs"

corev1 "k8s.io/api/core/v1"
"k8s.io/klog/v2"

metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

Expand All @@ -51,93 +45,6 @@ func (c *Controller) getTenantConfiguration(ctx context.Context, tenant *miniov2
return tenantConfiguration, nil
}

// renewCert will renew one certificate at a time
func (c *Controller) renewCert(secret corev1.Secret, index int, tenant *miniov2.Tenant) error {
// If the secret does not start with "operator-ca-tls-" then no need to continue
if !strings.HasPrefix(secret.Name, OperatorCATLSSecretPrefix) {
return nil
}
klog.Infof("%d external secret found: %s", index, secret.Name)
klog.Info("We are going to renew the external certificate for the tenant...")
// Get the new certificate generated by cert-manager
tenantSecretName := tenant.Spec.ExternalCertSecret[0].Name
data, err := c.kubeClientSet.CoreV1().Secrets(tenant.Namespace).Get(context.Background(), tenantSecretName, metav1.GetOptions{})
if err != nil {
klog.Errorf("Couldn't get the certificate due to error %s", err)
return err
}
if data == nil || len(data.Data) <= 0 {
klog.Errorf("certificate's data can't be empty: %s", data)
return errors.New("empty cert data")
}
CACertificate := data.Data[certs.CAPublicCertFile]
if CACertificate == nil || len(CACertificate) <= 0 {
klog.Errorf("ca.crt certificate data can't be empty: %s", CACertificate)
return errors.New("empty cert ca data")
}
klog.Info("certificate data is not empty, proceed with renewal")
// Delete the secret that starts with operator-ca-tls- because it is expired
err = c.kubeClientSet.CoreV1().Secrets(miniov2.GetNSFromFile()).Delete(context.Background(), secret.Name, metav1.DeleteOptions{})
if err != nil {
klog.Infof("There was an error when deleting the secret: %s", err)
return err
}
// Create the new secret that contains the new certificate
newSecret := &corev1.Secret{
Type: "Opaque",
ObjectMeta: metav1.ObjectMeta{
Name: secret.Name,
Namespace: miniov2.GetNSFromFile(),
},
Data: map[string][]byte{
certs.CAPublicCertFile: CACertificate,
},
}
_, err = c.kubeClientSet.CoreV1().Secrets(miniov2.GetNSFromFile()).Create(context.Background(), newSecret, metav1.CreateOptions{})
if err != nil {
klog.Errorf("Secret not created %s", err)
return err
}
// Reload CA certificates
c.createTransport()
// Rollout the Operator Deployment to use new certificate and trust the tenant.
operatorDeployment, err := c.kubeClientSet.AppsV1().Deployments(miniov2.GetNSFromFile()).Get(context.Background(), miniov2.GetNSFromFile(), metav1.GetOptions{})
if err != nil || operatorDeployment == nil {
klog.Errorf("Couldn't retrieve the deployment %s", err)
return err
}
operatorDeployment.Spec.Template.ObjectMeta.Name = miniov2.GetNSFromFile()
operatorDeployment, err = c.kubeClientSet.AppsV1().Deployments(miniov2.GetNSFromFile()).Update(context.Background(), operatorDeployment, metav1.UpdateOptions{})
if err != nil {
klog.Errorf("There was an error on deployment update %s", err)
return err
}
klog.Info("external certificate successfully renewed for the tenant")
return nil
}

// reloadTenantExternalCerts reloads Tenant external certificates
func (c *Controller) reloadTenantExternalCerts(tenant *miniov2.Tenant) error {
externalCertSecret := tenant.Spec.ExternalCertSecret
if externalCertSecret != nil {
// Check that there is a secret that starts with "operator-ca-tls-" to proceed with the renewal
secretsAvailableAtOperatorNS, err := c.kubeClientSet.CoreV1().Secrets(miniov2.GetNSFromFile()).List(context.Background(), metav1.ListOptions{})
if err != nil {
klog.Info("No external certificates are found under the multi-tenancy architecture to handle.")
return nil
}
klog.Info("there are secret(s) for the operator")
for index, secret := range secretsAvailableAtOperatorNS.Items {
err = c.renewCert(secret, index, tenant)
if err != nil {
klog.Errorf("There was an error while renewing the cert: %s", err)
return err
}
}
}
return nil
}

// getTenantCredentials returns a combination of env, credsSecret and Configuration tenant credentials
func (c *Controller) getTenantCredentials(ctx context.Context, tenant *miniov2.Tenant) (map[string][]byte, error) {
// Configuration for tenant can be passed using 2 different sources, tenant.spec.env and config.env secret
Expand Down

0 comments on commit 122ac95

Please sign in to comment.