Server pods are unable to find certificates provided by OpenShift inf…

…inispan#1587 Resolves infinispan#1587
ryanemerson · Jul 1, 2022 · 54164a6 · 54164a6
1 parent 7ae7c55
commit 54164a6
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 9 deletions.
diff --git a/api/v1/infinispan_webhook.go b/api/v1/infinispan_webhook.go
@@ -22,13 +22,13 @@ import (
 var (
 	log              = ctrl.Log.WithName("webhook").WithName("Infinispan")
 	eventRec         record.EventRecorder
-	servingCertsMode string
+	ServingCertsMode string
 )
 
 func (i *Infinispan) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	kubernetes := kube.NewKubernetesFromController(mgr)
 	eventRec = mgr.GetEventRecorderFor("webhook-infinispan")
-	servingCertsMode = kubernetes.GetServingCertsMode(context.Background())
+	ServingCertsMode = kubernetes.GetServingCertsMode(context.Background())
 
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(i).
@@ -98,7 +98,7 @@ func (i *Infinispan) Default() {
 		}
 	}
 
-	i.ApplyEndpointEncryptionSettings(servingCertsMode)
+	i.ApplyEndpointEncryptionSettings(ServingCertsMode)
 
 	if i.HasSites() {
 		// Migrate Spec.Service.Locations Host and Port parameters into the unified URL schema

diff --git a/pkg/reconcile/pipeline/infinispan/handler/configure/tls.go b/pkg/reconcile/pipeline/infinispan/handler/configure/tls.go
@@ -18,16 +18,18 @@ const (
 
 func Keystore(i *ispnv1.Infinispan, ctx pipeline.Context) {
 	keystore := &pipeline.Keystore{}
+
+	keystoreSecret := &corev1.Secret{}
+	if err := ctx.Resources().Load(i.GetKeystoreSecretName(), keystoreSecret, pipeline.RetryOnErr); err != nil {
+		return
+	}
+
 	if i.IsEncryptionCertFromService() {
 		if strings.Contains(i.Spec.Security.EndpointEncryption.CertServiceName, "openshift.io") {
 			keystore.Path = consts.ServerOperatorSecurity + "/" + EncryptPemKeystoreName
+			keystore.PemFile = append(keystoreSecret.Data["tls.key"], keystoreSecret.Data["tls.crt"]...)
 		}
 	} else {
-		keystoreSecret := &corev1.Secret{}
-		if err := ctx.Resources().Load(i.GetKeystoreSecretName(), keystoreSecret, pipeline.RetryOnErr); err != nil {
-			return
-		}
-
 		isUserProvidedPrivateKey := func() bool {
 			for _, k := range []string{corev1.TLSPrivateKeyKey, corev1.TLSCertKey} {
 				if _, ok := keystoreSecret.Data[k]; !ok {

diff --git a/pkg/reconcile/pipeline/infinispan/pipeline/pipeline.go b/pkg/reconcile/pipeline/infinispan/pipeline/pipeline.go
@@ -144,6 +144,10 @@ func (b *builder) Build() pipeline.Pipeline {
 	// Provision/Remove the XSite service before performing configuration so that Remote site information can be retrieved
 	handlers.Add(provision.XSiteService)
 
+	// Provision the Cluster Service before executing the configuration handlers, as the Secret created by Openshift
+	// `serving-cert-secret-name` annotation is required in order to configure the Keystore
+	handlers.Add(provision.ClusterService)
+
 	// Configuration Handlers
 	handlers.AddFeatureSpecific(i.HasSites(), configure.XSite)
 	handlers.AddFeatureSpecific(i.IsSiteTLSEnabled(),
@@ -173,7 +177,6 @@ func (b *builder) Build() pipeline.Pipeline {
 		provision.InfinispanConfigMap,
 		provision.PingService,
 		provision.AdminService,
-		provision.ClusterService,
 		provision.ClusterStatefulSet,
 	)
 	handlers.AddFeatureSpecific(i.IsExposed(), provision.ExternalService)

diff --git a/test/e2e/utils/common.go b/test/e2e/utils/common.go
@@ -138,6 +138,9 @@ func DefaultSpec(t *testing.T, testKube *TestKubernetes, initializer func(*ispnv
 	if initializer != nil {
 		initializer(infinispan)
 	}
+	// Explicitly set the ServingCertsMode so that Openshift automatic encryption configuration is applied when running
+	// tests locally
+	ispnv1.ServingCertsMode = testKube.Kubernetes.GetServingCertsMode(context.TODO())
 	infinispan.Default()
 	return infinispan
 }