Add support to validation using multiple cert-manager requests
wpjunior committed Sep 16, 2024
1 parent c5eb5ea commit 295c814
Showing 9 changed files with 89 additions and 35 deletions.
20 changes: 10 additions & 10 deletions api/v1alpha1/rpaasinstance.go
Expand Up @@ -64,17 +64,17 @@ func (i *RpaasInstance) BelongsToCluster(clusterName string) bool {
return clusterName == instanceCluster
}

func (i *RpaasInstance) CertManagerRequests() (reqs []CertManager) {
if i == nil || i.Spec.DynamicCertificates == nil {
func (s *RpaasInstanceSpec) CertManagerRequests(name string) (reqs []CertManager) {
if s == nil || s.DynamicCertificates == nil {
return
}

uniqueCertsByIssuer := make(map[string]*CertManager)
uniqueCertsByName := make(map[string]*CertManager)

if req := i.Spec.DynamicCertificates.CertManager; req != nil {
if req := s.DynamicCertificates.CertManager; req != nil {
r := req.DeepCopy()
r.DNSNames = r.dnsNames(i)
r.DNSNames = r.dnsNames(name, s)

if req.Name != "" {
uniqueCertsByName[req.Name] = r
Expand All @@ -83,12 +83,12 @@ func (i *RpaasInstance) CertManagerRequests() (reqs []CertManager) {
}
}

for _, req := range i.Spec.DynamicCertificates.CertManagerRequests {
for _, req := range s.DynamicCertificates.CertManagerRequests {

if req.Name != "" {
r, found := uniqueCertsByName[req.Name]
if found {
r.DNSNames = append(r.DNSNames, req.dnsNames(i)...)
r.DNSNames = append(r.DNSNames, req.dnsNames(name, s)...)
r.IPAddresses = append(r.IPAddresses, req.IPAddresses...)
} else {
uniqueCertsByName[req.Name] = req.DeepCopy()
Expand All @@ -103,7 +103,7 @@ func (i *RpaasInstance) CertManagerRequests() (reqs []CertManager) {
continue
}

r.DNSNames = append(r.DNSNames, req.dnsNames(i)...)
r.DNSNames = append(r.DNSNames, req.dnsNames(name, s)...)
r.IPAddresses = append(r.IPAddresses, req.IPAddresses...)
}

Expand All @@ -125,14 +125,14 @@ func (i *RpaasInstance) CertManagerRequests() (reqs []CertManager) {
return
}

func (c *CertManager) dnsNames(i *RpaasInstance) (names []string) {
func (c *CertManager) dnsNames(name string, spec *RpaasInstanceSpec) (names []string) {
if c == nil {
return
}

names = append(names, c.DNSNames...)
if c.DNSNamesDefault && i.Spec.DNS != nil && i.Spec.DNS.Zone != "" {
names = append(names, fmt.Sprintf("%s.%s", i.Name, i.Spec.DNS.Zone))
if c.DNSNamesDefault && spec.DNS != nil && spec.DNS.Zone != "" {
names = append(names, fmt.Sprintf("%s.%s", name, spec.DNS.Zone))
}

return
Expand Down
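Review bot: `CertManagerRequests` becomes an exported method on `RpaasInstanceSpec` with a new `name` parameter, but neither the method nor the parameter is documented, and the only thing `name` feeds is the default DNS name assembled in `dnsNames` (`fmt.Sprintf("%s.%s", name, spec.DNS.Zone)`), which a caller cannot tell from the signature alone. Because the receiver is now the spec, the caller decides which name accompanies which spec, and a mismatched pair silently produces a request for a different host, so the contract should be written down: `// CertManagerRequests returns the cert-manager requests of the spec, deduplicated by issuer and by name. name is the instance name used to build the default DNS name (<name>.<zone>) when DNSNamesDefault is set; it must belong to the same object as the spec.` The same `name`/`spec` coupling applies to `dnsNames`, which also dereferences `spec` without a nil check and relies on its callers having guarded `s == nil`; a one-line comment saying so would save the next caller a panic. The body of `CertManagerRequests` continues between and after the hunks shown here.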
2 changes: 1 addition & 1 deletion api/v1alpha1/rpaasinstance_test.go
Expand Up @@ -105,5 +105,5 @@ func TestCertManagerRequests(t *testing.T) {
IPAddresses: []string{"10.1.1.1", "10.1.1.2"},
DNSNamesDefault: true,
},
}, instance.CertManagerRequests())
}, instance.Spec.CertManagerRequests(instance.Name))
}
2 changes: 1 addition & 1 deletion controllers/rpaasinstance_controller.go
Expand Up @@ -157,7 +157,7 @@ func (r *RpaasInstanceReconciler) Reconcile(ctx context.Context, req ctrl.Reques

changes := map[string]bool{}

certificateSecrets, err := certificates.ListCertificateSecrets(ctx, r.Client, instanceMergedWithFlavors)
certificateSecrets, err := certificates.ListCertificateSecrets(ctx, r.Client, instanceMergedWithFlavors.Namespace, instanceMergedWithFlavors.Name)
if err != nil {
return reportError(err)
}
Expand Down
42 changes: 35 additions & 7 deletions controllers/validation_controller.go
Expand Up @@ -7,6 +7,7 @@ import (
"time"

"github.com/go-logr/logr"
nginxv1alpha1 "github.com/tsuru/nginx-operator/api/v1alpha1"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/equality"
k8sErrors "k8s.io/apimachinery/pkg/api/errors"
Expand All @@ -19,6 +20,7 @@ import (
"sigs.k8s.io/controller-runtime/pkg/reconcile"

"github.com/tsuru/rpaas-operator/api/v1alpha1"
"github.com/tsuru/rpaas-operator/internal/controllers/certificates"
"github.com/tsuru/rpaas-operator/internal/pkg/rpaas/nginx"
)

Expand All @@ -37,6 +39,7 @@ type RpaasValidationReconciler struct {
// +kubebuilder:rbac:groups=extensions.tsuru.io,resources=rpaasvalidations/status,verbs=get;update;patch

func (r *RpaasValidationReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {

validation, err := r.getRpaasValidation(ctx, req.NamespacedName)
if k8sErrors.IsNotFound(err) {
return reconcile.Result{}, nil
Expand All @@ -46,6 +49,9 @@ func (r *RpaasValidationReconciler) Reconcile(ctx context.Context, req ctrl.Requ
return reconcile.Result{}, err
}

logger := r.Log.WithName("Reconcile").
WithValues("RpaasValidation", types.NamespacedName{Name: validation.Name, Namespace: validation.Namespace})

if validation.Status.ObservedGeneration == validation.ObjectMeta.Generation && validation.Status.Valid != nil {
return reconcile.Result{}, nil
}
Expand Down Expand Up @@ -76,7 +82,19 @@ func (r *RpaasValidationReconciler) Reconcile(ctx context.Context, req ctrl.Requ
}
}

rendered, err := r.renderTemplate(ctx, validationMergedWithFlavors, plan)
certificateSecrets, err := certificates.ListCertificateSecrets(ctx, r.Client, validationMergedWithFlavors.Namespace, validationMergedWithFlavors.Name)
if err != nil {
return reconcile.Result{}, err
}

certManagerCertificates, err := certificates.CertManagerCertificates(ctx, r.Client, validationMergedWithFlavors.Namespace, validationMergedWithFlavors.Name, &validationMergedWithFlavors.Spec)
if err != nil {
return reconcile.Result{}, err
}

podAnnotations, nginxTLS := newNginxTLS(&logger, certificateSecrets, validationMergedWithFlavors.Spec.TLS, certManagerCertificates)

rendered, err := r.renderTemplate(ctx, validationMergedWithFlavors, plan, nginxTLS)
if err != nil {
return reconcile.Result{}, err
}
Expand All @@ -92,7 +110,13 @@ func (r *RpaasValidationReconciler) Reconcile(ctx context.Context, req ctrl.Requ
return reconcile.Result{}, err
}

pod := newValidationPod(validationMergedWithFlavors, validationHash, plan, configMap)
pod := newValidationPod(validationMergedWithFlavors, validationHash, plan, configMap, nginxTLS)
if pod.Annotations == nil {
pod.Annotations = make(map[string]string)
}
for k, v := range podAnnotations {
pod.Annotations[k] = v
}

existingPod, err := r.getPod(ctx, pod.Namespace, pod.Name)
if err != nil && !k8sErrors.IsNotFound(err) {
Expand Down Expand Up @@ -270,7 +294,7 @@ func mergeValidationWithFlavor(validation *v1alpha1.RpaasValidation, flavor v1al
return nil
}

func (r *RpaasValidationReconciler) renderTemplate(ctx context.Context, validation *v1alpha1.RpaasValidation, plan *v1alpha1.RpaasPlan) (string, error) {
func (r *RpaasValidationReconciler) renderTemplate(ctx context.Context, validation *v1alpha1.RpaasValidation, plan *v1alpha1.RpaasPlan, nginxTLS []nginxv1alpha1.NginxTLS) (string, error) {
rf := &referenceFinder{
spec: &validation.Spec,
client: r.Client,
Expand All @@ -291,11 +315,15 @@ func (r *RpaasValidationReconciler) renderTemplate(ctx context.Context, validati
return "", err
}

validationWithNginxTLS := validation.DeepCopy()
validationWithNginxTLS.Spec.TLS = nginxTLS

config := nginx.ConfigurationData{
Instance: &v1alpha1.RpaasInstance{
Spec: validation.Spec,
Spec: validationWithNginxTLS.Spec,
},
Config: &plan.Spec.Config,
Config: &plan.Spec.Config,
NginxTLS: nginxTLS,
}

return cr.Render(config)
Expand Down Expand Up @@ -371,7 +399,7 @@ func (r *RpaasValidationReconciler) reconcilePod(ctx context.Context, pod *corev
return true, nil
}

func newValidationPod(validationMergedWithFlavors *v1alpha1.RpaasValidation, validationHash string, plan *v1alpha1.RpaasPlan, configMap *corev1.ConfigMap) *corev1.Pod {
func newValidationPod(validationMergedWithFlavors *v1alpha1.RpaasValidation, validationHash string, plan *v1alpha1.RpaasPlan, configMap *corev1.ConfigMap, nginxTLS []nginxv1alpha1.NginxTLS) *corev1.Pod {
n := &corev1.Pod{
ObjectMeta: metav1.ObjectMeta{
Name: configMap.Name,
Expand Down Expand Up @@ -466,7 +494,7 @@ func newValidationPod(validationMergedWithFlavors *v1alpha1.RpaasValidation, val
})
}

for index, t := range validationMergedWithFlavors.Spec.TLS {
for index, t := range nginxTLS {
volumeName := fmt.Sprintf("nginx-certs-%d", index)

n.Spec.Volumes = append(n.Spec.Volumes, corev1.Volume{
Expand Down
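Review bot: The validation reconcile now pulls real certificate Secrets into the validation pod — `ListCertificateSecrets(ctx, r.Client, validationMergedWithFlavors.Namespace, validationMergedWithFlavors.Name)` selects Secrets by the `rpaas.extensions.tsuru.io/instance-name` label alone, the result flows through `newNginxTLS` into `nginxTLS`, and `newValidationPod` mounts each entry as a `nginx-certs-%d` volume — yet nothing in the hunks ties an RpaasValidation to an instance other than sharing its name, and this is not stated anywhere. A comment above the `ListCertificateSecrets` call should make that explicit, e.g. `// A validation reuses the certificate Secrets of the instance with the same name (label selection only); the validation pod mounts that key material.`, so reviewers of RBAC on rpaasvalidations know what creating one grants. The new `nginxTLS []nginxv1alpha1.NginxTLS` parameters on `renderTemplate` and `newValidationPod` are also undocumented; since `renderTemplate` both overwrites `validationWithNginxTLS.Spec.TLS` and passes `NginxTLS: nginxTLS`, say which one the renderer is expected to read (presumably both are needed; confirm against `nginx.ConfigurationData`). `Reconcile`, `renderTemplate` and `newValidationPod` all extend beyond the hunks shown.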
19 changes: 10 additions & 9 deletions controllers/validation_controller_test.go
Expand Up @@ -39,6 +39,7 @@ func TestNewValidationPod(t *testing.T) {
Name: "valid-config",
},
},
[]nginxv1alpha1.NginxTLS{},
)

assert.Equal(t, &corev1.Pod{
Expand Down Expand Up @@ -115,15 +116,6 @@ func TestNewValidationPodFullFeatured(t *testing.T) {
},
},
},
TLS: []nginxv1alpha1.NginxTLS{
{
SecretName: "secret-tls",
Hosts: []string{
"host1",
"host2",
},
},
},

TLSSessionResumption: &v1alpha1.TLSSessionResumption{
SessionTicket: &v1alpha1.TLSSessionTicket{
Expand All @@ -146,6 +138,15 @@ func TestNewValidationPodFullFeatured(t *testing.T) {
Name: "valid-config",
},
},
[]nginxv1alpha1.NginxTLS{
{
SecretName: "secret-tls",
Hosts: []string{
"host1",
"host2",
},
},
},
)

assert.Equal(t, &corev1.Pod{
Expand Down
29 changes: 27 additions & 2 deletions internal/controllers/certificates/cert_manager.go
Expand Up @@ -34,7 +34,7 @@ func ReconcileCertManager(ctx context.Context, client client.Client, instance, i

certManagerCerts := []cmv1.Certificate{}

for _, req := range instanceMergedWithFlavors.CertManagerRequests() {
for _, req := range instanceMergedWithFlavors.Spec.CertManagerRequests(instance.Name) {
issuer, err := getCertManagerIssuer(ctx, client, req, instanceMergedWithFlavors.Namespace)
if err != nil {
return nil, err
Expand Down Expand Up @@ -77,6 +77,31 @@ func ReconcileCertManager(ctx context.Context, client client.Client, instance, i
return certManagerCerts, nil
}

func CertManagerCertificates(ctx context.Context, client client.Client, namespace, name string, spec *v1alpha1.RpaasInstanceSpec) ([]cmv1.Certificate, error) {
certManagerCerts := []cmv1.Certificate{}

for _, req := range spec.CertManagerRequests(name) {
certName := CertManagerCertificateNameForInstance(name, req)

var cert cmv1.Certificate
err := client.Get(ctx, types.NamespacedName{Name: certName, Namespace: namespace}, &cert)
if err != nil {
if k8serrors.IsNotFound(err) {
continue
}
return nil, err
}

if !isCertificateReady(&cert) {
continue
}

certManagerCerts = append(certManagerCerts, cert)
}

return certManagerCerts, nil
}

func removeOldCertificates(ctx context.Context, c client.Client, instance, instanceMergedWithFlavors *v1alpha1.RpaasInstance) error {
certs, err := getCertificates(ctx, c, instanceMergedWithFlavors)
if err != nil {
Expand All @@ -88,7 +113,7 @@ func removeOldCertificates(ctx context.Context, c client.Client, instance, insta
toRemove[cert.Name] = true
}

for _, req := range instanceMergedWithFlavors.CertManagerRequests() {
for _, req := range instanceMergedWithFlavors.Spec.CertManagerRequests(instanceMergedWithFlavors.Name) {
delete(toRemove, CertManagerCertificateNameForInstance(instance.Name, req))
}

Expand Down
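Review bot: The two call sites in this file pass different names to the same spec: `ReconcileCertManager` calls `instanceMergedWithFlavors.Spec.CertManagerRequests(instance.Name)` while `removeOldCertificates` calls `instanceMergedWithFlavors.Spec.CertManagerRequests(instanceMergedWithFlavors.Name)` and then deletes by `CertManagerCertificateNameForInstance(instance.Name, req)`; if the merged object's name ever differs from the instance's, the set of certificates kept and the set created would diverge, so the second call should use `instance.Name` as well (or the file should state that the two names are always equal). The new exported `CertManagerCertificates` has no doc comment and silently drops both missing and not-ready Certificates, which is fine for a validation but should be written down: `// CertManagerCertificates returns the cert-manager Certificates requested by spec that already exist in namespace and are ready; missing or not-yet-ready ones are skipped.` It also keeps the file's habit of naming the parameter `client`, which shadows the imported `client` package inside the function while `removeOldCertificates` uses `c`; picking one style for the file would help. `ReconcileCertManager` and `removeOldCertificates` continue outside the hunks.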
6 changes: 3 additions & 3 deletions internal/controllers/certificates/certificates.go
Expand Up @@ -135,13 +135,13 @@ func updateInstanceSpecWithCertificateInfos(ctx context.Context, c client.Client
return nil
}

func ListCertificateSecrets(ctx context.Context, c client.Client, instance *v1alpha1.RpaasInstance) ([]corev1.Secret, error) {
func ListCertificateSecrets(ctx context.Context, c client.Client, namespace, instance string) ([]corev1.Secret, error) {
var sl corev1.SecretList
err := c.List(ctx, &sl, &client.ListOptions{
LabelSelector: labels.Set{
"rpaas.extensions.tsuru.io/instance-name": instance.Name,
"rpaas.extensions.tsuru.io/instance-name": instance,
}.AsSelector(),
Namespace: instance.Namespace,
Namespace: namespace,
})

if err != nil {
Expand Down
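Review bot: `ListCertificateSecrets(ctx, c, namespace, instance string)` now takes two adjacent untyped strings, and the second keeps the name `instance` although it is only the instance name used in the label selector; the callers in this commit pass `(x.Namespace, x.Name)` correctly, but a swap would compile and quietly list nothing. Rename it and document the selection, e.g. `func ListCertificateSecrets(ctx context.Context, c client.Client, namespace, instanceName string) ([]corev1.Secret, error)` with `// ListCertificateSecrets returns the Secrets in namespace labelled rpaas.extensions.tsuru.io/instance-name=instanceName; ownership is not checked beyond the label.` The function continues past the hunk.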
2 changes: 1 addition & 1 deletion internal/pkg/rpaas/certificates.go
Expand Up @@ -28,7 +28,7 @@ func (m *k8sRpaasManager) GetCertManagerRequests(ctx context.Context, instanceNa
}

var requests []clientTypes.CertManager
for _, r := range instance.CertManagerRequests() {
for _, r := range instance.Spec.CertManagerRequests(instance.Name) {
requests = append(requests, clientTypes.CertManager{
Name: r.Name,
Issuer: r.Issuer,
Expand Down
2 changes: 1 addition & 1 deletion internal/pkg/rpaas/k8s.go
Expand Up @@ -713,7 +713,7 @@ func (m *k8sRpaasManager) GetCertificates(ctx context.Context, instanceName stri

events := make([]clientTypes.Event, 0)

for _, certManagerRequest := range instance.CertManagerRequests() {
for _, certManagerRequest := range instance.Spec.CertManagerRequests(instance.Name) {
certName := certManagerRequest.RequiredName()
certManagerCertificateName := certificates.CertManagerCertificateNameForInstance(instance.Name, certManagerRequest)
certificateEvents, err := m.eventsForObjectName(ctx, instance.Namespace, "Certificate", certManagerCertificateName)
Expand Down
