From 122ac954efbbdc05415443f78671d35b7dd4917e Mon Sep 17 00:00:00 2001 From: pjuarezd Date: Tue, 28 May 2024 16:17:19 -0700 Subject: [PATCH] No longer needed to create `operator-ca-tls` prefixed secrets on the Tenant namespace This was fixed by trusting CA's as soon as the secret changed on PR https://github.com/minio/operator/pull/2133 Signed-off-by: pjuarezd --- pkg/controller/monitoring.go | 7 --- pkg/controller/operator.go | 15 +++--- pkg/controller/tenants.go | 93 ------------------------------------ 3 files changed, 9 insertions(+), 106 deletions(-) diff --git a/pkg/controller/monitoring.go b/pkg/controller/monitoring.go index f404ab237b9..fcbddc29225 100644 --- a/pkg/controller/monitoring.go +++ b/pkg/controller/monitoring.go @@ -18,7 +18,6 @@ import ( "context" "fmt" "log" - "strings" "time" "github.com/minio/madmin-go/v3" @@ -119,12 +118,6 @@ func (c *Controller) updateHealthStatusForTenant(tenant *miniov2.Tenant) error { // get cluster health for tenant healthResult, err := aClnt.Healthy(hctx, madmin.HealthOpts{}) if err != nil { - if strings.Contains(err.Error(), "failed to verify certificate") { - err := c.reloadTenantExternalCerts(tenant) - if err != nil { - return err - } - } // show the error and continue klog.Infof("'%s/%s' Failed to get cluster health: %v", tenant.Namespace, tenant.Name, err) return nil diff --git a/pkg/controller/operator.go b/pkg/controller/operator.go index cb5cd042e08..eaaa0e0278d 100644 --- a/pkg/controller/operator.go +++ b/pkg/controller/operator.go @@ -384,9 +384,12 @@ func (c *Controller) checkOpenshiftSignerCACertInOperatorNamespace(ctx context.C }, } _, err = c.kubeClientSet.CoreV1().Secrets(namespace).Create(ctx, csrSignerSecret, metav1.CreateOptions{}) - // Reload CA certificates - c.createTransport() - return err + if err != nil { + return err + } + // Add the CA certificate to the trusted Root CA's + c.trustPEMInSecretField(csrSignerSecret, certs.TLSCertFile) + return nil } return err } 
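Review bot: In the new Create branch of checkOpenshiftSignerCACertInOperatorNamespace the early `return err` now skips trusting the CA on any Create failure, whereas the old code reloaded the transport regardless; if a second operator replica wins the create (an AlreadyExists error), this replica keeps running without the signer CA until a later reconcile reaches the update path. If that window matters, treat the race as success: `if err != nil && !apierrors.IsAlreadyExists(err) { return err }` (k8s.io/apimachinery/pkg/api/errors, if it is not already imported in this file). The result of `c.trustPEMInSecretField(csrSignerSecret, certs.TLSCertFile)` is also discarded at both call sites; if that helper can fail to parse the PEM it should be surfaced here rather than silently leaving the pool unchanged, and if it only logs, a comment saying so would help, e.g. `// trustPEMInSecretField logs and continues on a bad PEM; a failure here is not fatal for reconciliation`. It is worth a one-line comment explaining why the CA is read from the `tls.crt` key (`certs.TLSCertFile`) rather than `ca.crt`, since the secret's construction is outside this hunk and the choice reads as surprising. The function's body begins before this hunk.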
@@ -397,9 +400,9 @@ func (c *Controller) checkOpenshiftSignerCACertInOperatorNamespace(ctx context.C if err != nil { return err } - klog.Infof("'%s/%s' secret changed, updating '%s/%s' secret", OpenshiftKubeControllerNamespace, OpenshiftCATLSSecretName, namespace, OperatorCSRSignerCASecretName) - // Reload CA certificates - c.createTransport() + klog.Infof("'%s/%s' secret changed, updated '%s/%s' secret", OpenshiftKubeControllerNamespace, OpenshiftCATLSSecretName, namespace, OperatorCSRSignerCASecretName) + // Add the CA certificate to the trusted Root CA's + c.trustPEMInSecretField(csrSignerSecret, certs.TLSCertFile) } return nil } diff --git a/pkg/controller/tenants.go b/pkg/controller/tenants.go index b0b33a3a6f6..5f7d553e282 100644 --- a/pkg/controller/tenants.go +++ b/pkg/controller/tenants.go @@ -19,12 +19,6 @@ package controller import ( "context" "errors" - "strings" - - "github.com/minio/operator/pkg/certs" - - corev1 "k8s.io/api/core/v1" - "k8s.io/klog/v2" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 
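Review bot: On the secret-changed path the hunk replaces `c.createTransport()` with `c.trustPEMInSecretField(csrSignerSecret, certs.TLSCertFile)`, and if that helper only appends to the existing root pool (as its name suggests), the previously trusted signer CA is never dropped after a rotation, while the old createTransport presumably rebuilt the pool from scratch. For a CA that was rotated because it was compromised, continuing to trust it until the operator restarts is a real exposure; either rebuild the pool on change or document the choice next to the call, e.g. `// NOTE: only adds the new CA; the rotated-out signer CA stays trusted until restart`. It is also not visible in this hunk whether `csrSignerSecret` here is the object returned by the Update call just above the hunk or the stale one passed into it, so please confirm the PEM being trusted is the freshly written one. The enclosing function starts outside this hunk.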
@@ -51,93 +45,6 @@ func (c *Controller) getTenantConfiguration(ctx context.Context, tenant *miniov2 return tenantConfiguration, nil } -// renewCert will renew one certificate at a time -func (c *Controller) renewCert(secret corev1.Secret, index int, tenant *miniov2.Tenant) error { - // If the secret does not start with "operator-ca-tls-" then no need to continue - if !strings.HasPrefix(secret.Name, OperatorCATLSSecretPrefix) { - return nil - } - klog.Infof("%d external secret found: %s", index, secret.Name) - klog.Info("We are going to renew the external certificate for the tenant...") - // Get the new certificate generated by cert-manager - tenantSecretName := tenant.Spec.ExternalCertSecret[0].Name - data, err := c.kubeClientSet.CoreV1().Secrets(tenant.Namespace).Get(context.Background(), tenantSecretName, metav1.GetOptions{}) - if err != nil { - klog.Errorf("Couldn't get the certificate due to error %s", err) - return err - } - if data == nil || len(data.Data) <= 0 { - klog.Errorf("certificate's data can't be empty: %s", data) - return errors.New("empty cert data") - } - CACertificate := data.Data[certs.CAPublicCertFile] - if CACertificate == nil || len(CACertificate) <= 0 { - klog.Errorf("ca.crt certificate data can't be empty: %s", CACertificate) - return errors.New("empty cert ca data") - } - klog.Info("certificate data is not empty, proceed with renewal") - // Delete the secret that starts with operator-ca-tls- because it is expired - err = c.kubeClientSet.CoreV1().Secrets(miniov2.GetNSFromFile()).Delete(context.Background(), secret.Name, metav1.DeleteOptions{}) - if err != nil { - klog.Infof("There was an error when deleting the secret: %s", err) - return err - } - // Create the new secret that contains the new certificate - newSecret := &corev1.Secret{ - Type: "Opaque", - ObjectMeta: metav1.ObjectMeta{ - Name: secret.Name, - Namespace: miniov2.GetNSFromFile(), - }, - Data: map[string][]byte{ - certs.CAPublicCertFile: CACertificate, - }, - } - _, err = 
c.kubeClientSet.CoreV1().Secrets(miniov2.GetNSFromFile()).Create(context.Background(), newSecret, metav1.CreateOptions{}) - if err != nil { - klog.Errorf("Secret not created %s", err) - return err - } - // Reload CA certificates - c.createTransport() - // Rollout the Operator Deployment to use new certificate and trust the tenant. - operatorDeployment, err := c.kubeClientSet.AppsV1().Deployments(miniov2.GetNSFromFile()).Get(context.Background(), miniov2.GetNSFromFile(), metav1.GetOptions{}) - if err != nil || operatorDeployment == nil { - klog.Errorf("Couldn't retrieve the deployment %s", err) - return err - } - operatorDeployment.Spec.Template.ObjectMeta.Name = miniov2.GetNSFromFile() - operatorDeployment, err = c.kubeClientSet.AppsV1().Deployments(miniov2.GetNSFromFile()).Update(context.Background(), operatorDeployment, metav1.UpdateOptions{}) - if err != nil { - klog.Errorf("There was an error on deployment update %s", err) - return err - } - klog.Info("external certificate successfully renewed for the tenant") - return nil -} - -// reloadTenantExternalCerts reloads Tenant external certificates -func (c *Controller) reloadTenantExternalCerts(tenant *miniov2.Tenant) error { - externalCertSecret := tenant.Spec.ExternalCertSecret - if externalCertSecret != nil { - // Check that there is a secret that starts with "operator-ca-tls-" to proceed with the renewal - secretsAvailableAtOperatorNS, err := c.kubeClientSet.CoreV1().Secrets(miniov2.GetNSFromFile()).List(context.Background(), metav1.ListOptions{}) - if err != nil { - klog.Info("No external certificates are found under the multi-tenancy architecture to handle.") - return nil - } - klog.Info("there are secret(s) for the operator") - for index, secret := range secretsAvailableAtOperatorNS.Items { - err = c.renewCert(secret, index, tenant) - if err != nil { - klog.Errorf("There was an error while renewing the cert: %s", err) - return err - } - } - } - return nil -} - // getTenantCredentials returns a combination of 
env, credsSecret and Configuration tenant credentials func (c *Controller) getTenantCredentials(ctx context.Context, tenant *miniov2.Tenant) (map[string][]byte, error) { // Configuration for tenant can be passed using 2 different sources, tenant.spec.env and config.env secret