Update tls cert secret validation due VerifyCertSecrets() change
Depends-On: openstack-k8s-operators/lib-common#559

Jira: OSPRH-9991

Signed-off-by: Martin Schuppert <[email protected]>
stuggi committed Sep 5, 2024
1 parent 11bd61e commit cd8ce0f
Showing 16 changed files with 140 additions and 77 deletions.
4 changes: 1 addition & 3 deletions api/go.mod
Expand Up @@ -4,7 +4,7 @@ go 1.20

require (
github.com/google/go-cmp v0.6.0
github.com/openstack-k8s-operators/lib-common/modules/common v0.4.1-0.20240730142703-7fd3da600c9d
github.com/openstack-k8s-operators/lib-common/modules/common v0.4.1-0.20240905123813-174296c09ec6
github.com/robfig/cron/v3 v3.0.1
k8s.io/api v0.28.13
k8s.io/apimachinery v0.28.13
Expand Down Expand Up @@ -37,8 +37,6 @@ require (
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
github.com/onsi/ginkgo/v2 v2.20.1 // indirect
github.com/onsi/gomega v1.34.1 // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/prometheus/client_golang v1.18.0 // indirect
github.com/prometheus/client_model v0.5.0 // indirect
6 changes: 2 additions & 4 deletions api/go.sum
Expand Up @@ -64,11 +64,9 @@ github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjY
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
github.com/onsi/ginkgo/v2 v2.20.1 h1:YlVIbqct+ZmnEph770q9Q7NVAz4wwIiVNahee6JyUzo=
github.com/onsi/ginkgo/v2 v2.20.1/go.mod h1:lG9ey2Z29hR41WMVthyJBGUBcBhGOtoPF2VFMvBXFCI=
github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k=
github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY=
github.com/openstack-k8s-operators/lib-common/modules/common v0.4.1-0.20240730142703-7fd3da600c9d h1:WfEUkOxDpMnnYo+mQTJc9juoY85me/V6ubNAsOHdjnc=
github.com/openstack-k8s-operators/lib-common/modules/common v0.4.1-0.20240730142703-7fd3da600c9d/go.mod h1:YlNmaOTuZNZvwlOfosPI94od/V2Itektn9KWThRzylI=
github.com/openstack-k8s-operators/lib-common/modules/common v0.4.1-0.20240905123813-174296c09ec6 h1:VSbVNzUa41hybq/lZi0L8bNv/yzYyNylc8yKSEO+ZCA=
github.com/openstack-k8s-operators/lib-common/modules/common v0.4.1-0.20240905123813-174296c09ec6/go.mod h1:6zxa5xg9uvpObVKFSJa/SA+vDDlgh0Q1aswxDB2XbxU=
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
28 changes: 20 additions & 8 deletions controllers/novaapi_controller.go
Expand Up @@ -238,7 +238,7 @@ func (r *NovaAPIReconciler) Reconcile(ctx context.Context, req ctrl.Request) (re
//
// Validate the CA cert secret if provided
if instance.Spec.TLS.CaBundleSecretName != "" {
hash, ctrlResult, err := tls.ValidateCACertSecret(
hash, err := tls.ValidateCACertSecret(
ctx,
h.GetClient(),
types.NamespacedName{
Expand All @@ -247,15 +247,21 @@ func (r *NovaAPIReconciler) Reconcile(ctx context.Context, req ctrl.Request) (re
},
)
if err != nil {
if k8s_errors.IsNotFound(err) {
instance.Status.Conditions.Set(condition.FalseCondition(
condition.TLSInputReadyCondition,
condition.RequestedReason,
condition.SeverityInfo,
fmt.Sprintf(condition.TLSInputReadyWaitingMessage, instance.Spec.TLS.CaBundleSecretName)))
return ctrl.Result{}, nil
}
instance.Status.Conditions.Set(condition.FalseCondition(
condition.TLSInputReadyCondition,
condition.ErrorReason,
condition.SeverityWarning,
condition.TLSInputErrorMessage,
err.Error()))
return ctrlResult, err
} else if (ctrlResult != ctrl.Result{}) {
return ctrlResult, nil
return ctrl.Result{}, err
}

if hash != "" {
Expand All @@ -264,17 +270,23 @@ func (r *NovaAPIReconciler) Reconcile(ctx context.Context, req ctrl.Request) (re
}

// Validate API service certs secrets
certsHash, ctrlResult, err := instance.Spec.TLS.API.ValidateCertSecrets(ctx, h, instance.Namespace)
certsHash, err := instance.Spec.TLS.API.ValidateCertSecrets(ctx, h, instance.Namespace)
if err != nil {
if k8s_errors.IsNotFound(err) {
instance.Status.Conditions.Set(condition.FalseCondition(
condition.TLSInputReadyCondition,
condition.RequestedReason,
condition.SeverityInfo,
fmt.Sprintf(condition.TLSInputReadyWaitingMessage, err.Error())))
return ctrl.Result{}, nil
}
instance.Status.Conditions.Set(condition.FalseCondition(
condition.TLSInputReadyCondition,
condition.ErrorReason,
condition.SeverityWarning,
condition.TLSInputErrorMessage,
err.Error()))
return ctrlResult, err
} else if (ctrlResult != ctrl.Result{}) {
return ctrlResult, nil
return ctrl.Result{}, err
}
hashes[tls.TLSHashName] = env.SetValue(certsHash)

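Review bot: The two new `if k8s_errors.IsNotFound(err)` branches return `ctrl.Result{}, nil`, so a missing CA bundle or API cert secret now ends the reconcile with no requeue, whereas the replaced code returned the `ctrlResult` from lib-common, which presumably carried a RequeueAfter. Unless this reconciler watches Secrets and maps them back to the NovaAPI (the watch setup is not visible in this hunk), the instance will sit at TLSInputReady=False/Requested until some unrelated event retriggers it, and on a secret that is later deleted the pods keep serving with whatever was last mounted. If there is no such watch, keep a bounded fallback, e.g. `return ctrl.Result{RequeueAfter: 10 * time.Second}, nil` in both branches (requires `time` in the imports), or add a Secret watch with a field index on the CA bundle and cert secret names. Note that `Reconcile` begins and continues outside this hunk, so any deferred status patch that persists the condition is assumed rather than seen here.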
14 changes: 10 additions & 4 deletions controllers/novacompute_controller.go
Expand Up @@ -176,7 +176,7 @@ func (r *NovaComputeReconciler) Reconcile(ctx context.Context, req ctrl.Request)
//
// Validate the CA cert secret if provided
if instance.Spec.TLS.CaBundleSecretName != "" {
hash, ctrlResult, err := tls.ValidateCACertSecret(
hash, err := tls.ValidateCACertSecret(
ctx,
h.GetClient(),
types.NamespacedName{
Expand All @@ -185,15 +185,21 @@ func (r *NovaComputeReconciler) Reconcile(ctx context.Context, req ctrl.Request)
},
)
if err != nil {
if k8s_errors.IsNotFound(err) {
instance.Status.Conditions.Set(condition.FalseCondition(
condition.TLSInputReadyCondition,
condition.RequestedReason,
condition.SeverityInfo,
fmt.Sprintf(condition.TLSInputReadyWaitingMessage, instance.Spec.TLS.CaBundleSecretName)))
return ctrl.Result{}, nil
}
instance.Status.Conditions.Set(condition.FalseCondition(
condition.TLSInputReadyCondition,
condition.ErrorReason,
condition.SeverityWarning,
condition.TLSInputErrorMessage,
err.Error()))
return ctrlResult, err
} else if (ctrlResult != ctrl.Result{}) {
return ctrlResult, nil
return ctrl.Result{}, err
}

if hash != "" {
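Review bot: The NotFound-vs-error handling after `tls.ValidateCACertSecret` is now the same seventeen-line block in every Nova sub-controller touched by this commit, and it appears twice in the API and metadata controllers and three times in the noVNC proxy one; that is a lot of copies of condition reason/severity/message wiring to keep in sync. A package-level helper in controllers that takes the conditions object, the secret name and the error, sets either `RequestedReason`/`SeverityInfo` with `TLSInputReadyWaitingMessage` or `ErrorReason`/`SeverityWarning` with `TLSInputErrorMessage`, and returns the `(ctrl.Result, error)` to hand back would collapse each call site to a few lines. I would also add a one-line why-comment at the top of the NotFound branch, e.g. `// Missing secret is a wait state, not a failure: surface it as Requested/Info and stop here without touching the deployment.`, since the Info severity is easy to misread as "ignored". The enclosing `Reconcile` starts and ends outside the hunk.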
14 changes: 10 additions & 4 deletions controllers/novaconductor_controller.go
Expand Up @@ -200,7 +200,7 @@ func (r *NovaConductorReconciler) Reconcile(ctx context.Context, req ctrl.Reques
//
// Validate the CA cert secret if provided
if instance.Spec.TLS.CaBundleSecretName != "" {
hash, ctrlResult, err := tls.ValidateCACertSecret(
hash, err := tls.ValidateCACertSecret(
ctx,
h.GetClient(),
types.NamespacedName{
Expand All @@ -209,15 +209,21 @@ func (r *NovaConductorReconciler) Reconcile(ctx context.Context, req ctrl.Reques
},
)
if err != nil {
if k8s_errors.IsNotFound(err) {
instance.Status.Conditions.Set(condition.FalseCondition(
condition.TLSInputReadyCondition,
condition.RequestedReason,
condition.SeverityInfo,
fmt.Sprintf(condition.TLSInputReadyWaitingMessage, instance.Spec.TLS.CaBundleSecretName)))
return ctrl.Result{}, nil
}
instance.Status.Conditions.Set(condition.FalseCondition(
condition.TLSInputReadyCondition,
condition.ErrorReason,
condition.SeverityWarning,
condition.TLSInputErrorMessage,
err.Error()))
return ctrlResult, err
} else if (ctrlResult != ctrl.Result{}) {
return ctrlResult, nil
return ctrl.Result{}, err
}

if hash != "" {
26 changes: 19 additions & 7 deletions controllers/novametadata_controller.go
Expand Up @@ -216,7 +216,7 @@ func (r *NovaMetadataReconciler) Reconcile(ctx context.Context, req ctrl.Request
//
// Validate the CA cert secret if provided
if instance.Spec.TLS.CaBundleSecretName != "" {
hash, ctrlResult, err := tls.ValidateCACertSecret(
hash, err := tls.ValidateCACertSecret(
ctx,
h.GetClient(),
types.NamespacedName{
Expand All @@ -225,15 +225,21 @@ func (r *NovaMetadataReconciler) Reconcile(ctx context.Context, req ctrl.Request
},
)
if err != nil {
if k8s_errors.IsNotFound(err) {
instance.Status.Conditions.Set(condition.FalseCondition(
condition.TLSInputReadyCondition,
condition.RequestedReason,
condition.SeverityInfo,
fmt.Sprintf(condition.TLSInputReadyWaitingMessage, instance.Spec.TLS.CaBundleSecretName)))
return ctrl.Result{}, nil
}
instance.Status.Conditions.Set(condition.FalseCondition(
condition.TLSInputReadyCondition,
condition.ErrorReason,
condition.SeverityWarning,
condition.TLSInputErrorMessage,
err.Error()))
return ctrlResult, err
} else if (ctrlResult != ctrl.Result{}) {
return ctrlResult, nil
return ctrl.Result{}, err
}

if hash != "" {
Expand All @@ -243,17 +249,23 @@ func (r *NovaMetadataReconciler) Reconcile(ctx context.Context, req ctrl.Request

// Validate metadata service cert secret
if instance.Spec.TLS.Enabled() {
hash, ctrlResult, err := instance.Spec.TLS.ValidateCertSecret(ctx, h, instance.Namespace)
hash, err := instance.Spec.TLS.ValidateCertSecret(ctx, h, instance.Namespace)
if err != nil {
if k8s_errors.IsNotFound(err) {
instance.Status.Conditions.Set(condition.FalseCondition(
condition.TLSInputReadyCondition,
condition.RequestedReason,
condition.SeverityInfo,
fmt.Sprintf(condition.TLSInputReadyWaitingMessage, err.Error())))
return ctrl.Result{}, nil
}
instance.Status.Conditions.Set(condition.FalseCondition(
condition.TLSInputReadyCondition,
condition.ErrorReason,
condition.SeverityWarning,
condition.TLSInputErrorMessage,
err.Error()))
return ctrl.Result{}, err
} else if (ctrlResult != ctrl.Result{}) {
return ctrlResult, nil
}
hashes[tls.TLSHashName] = env.SetValue(hash)
}
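Review bot: The waiting message is built inconsistently between the two NotFound branches in this section: the CA path passes `instance.Spec.TLS.CaBundleSecretName` into `TLSInputReadyWaitingMessage`, while the service-cert path passes `err.Error()`, which per the updated test yields `TLSInput is missing: secrets "internal-tls-certs in namespace <ns>" not found` — a raw client-go error embedded in what reads as a user-facing status. If the cert secret name is reachable from `instance.Spec.TLS` (the field is not visible in this hunk), pass that instead so both branches produce the same `TLSInput is missing: <name>` shape; otherwise document in a comment that the message intentionally carries the lower-level error text. The quoted form `"<name> in namespace <ns>"` also looks like lib-common is stuffing the namespace into the resource name of its NotFound error, which is worth raising upstream rather than pinning in tests here. `Reconcile` continues outside the hunk.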
38 changes: 28 additions & 10 deletions controllers/novanovncproxy_controller.go
Expand Up @@ -194,7 +194,7 @@ func (r *NovaNoVNCProxyReconciler) Reconcile(ctx context.Context, req ctrl.Reque
//
// Validate the CA cert secret if provided
if instance.Spec.TLS.CaBundleSecretName != "" {
hash, ctrlResult, err := tls.ValidateCACertSecret(
hash, err := tls.ValidateCACertSecret(
ctx,
h.GetClient(),
types.NamespacedName{
Expand All @@ -203,15 +203,21 @@ func (r *NovaNoVNCProxyReconciler) Reconcile(ctx context.Context, req ctrl.Reque
},
)
if err != nil {
if k8s_errors.IsNotFound(err) {
instance.Status.Conditions.Set(condition.FalseCondition(
condition.TLSInputReadyCondition,
condition.RequestedReason,
condition.SeverityInfo,
fmt.Sprintf(condition.TLSInputReadyWaitingMessage, instance.Spec.TLS.CaBundleSecretName)))
return ctrl.Result{}, nil
}
instance.Status.Conditions.Set(condition.FalseCondition(
condition.TLSInputReadyCondition,
condition.ErrorReason,
condition.SeverityWarning,
condition.TLSInputErrorMessage,
err.Error()))
return ctrlResult, err
} else if (ctrlResult != ctrl.Result{}) {
return ctrlResult, nil
return ctrl.Result{}, err
}

if hash != "" {
Expand All @@ -221,34 +227,46 @@ func (r *NovaNoVNCProxyReconciler) Reconcile(ctx context.Context, req ctrl.Reque

// Validate the service cert secret
if instance.Spec.TLS.Service.Enabled() {
hash, ctrlResult, err := instance.Spec.TLS.Service.ValidateCertSecret(ctx, h, instance.Namespace)
hash, err := instance.Spec.TLS.Service.ValidateCertSecret(ctx, h, instance.Namespace)
if err != nil {
if k8s_errors.IsNotFound(err) {
instance.Status.Conditions.Set(condition.FalseCondition(
condition.TLSInputReadyCondition,
condition.RequestedReason,
condition.SeverityInfo,
fmt.Sprintf(condition.TLSInputReadyWaitingMessage, err.Error())))
return ctrl.Result{}, nil
}
instance.Status.Conditions.Set(condition.FalseCondition(
condition.TLSInputReadyCondition,
condition.ErrorReason,
condition.SeverityWarning,
condition.TLSInputErrorMessage,
err.Error()))
return ctrl.Result{}, err
} else if (ctrlResult != ctrl.Result{}) {
return ctrlResult, nil
}
hashes[tls.TLSHashName] = env.SetValue(hash)
}

// Validate the Vencrypt cert secret
if instance.Spec.TLS.Vencrypt.Enabled() {
hash, ctrlResult, err := instance.Spec.TLS.Vencrypt.ValidateCertSecret(ctx, h, instance.Namespace)
hash, err := instance.Spec.TLS.Vencrypt.ValidateCertSecret(ctx, h, instance.Namespace)
if err != nil {
if k8s_errors.IsNotFound(err) {
instance.Status.Conditions.Set(condition.FalseCondition(
condition.TLSInputReadyCondition,
condition.RequestedReason,
condition.SeverityInfo,
fmt.Sprintf(condition.TLSInputReadyWaitingMessage, err.Error())))
return ctrl.Result{}, nil
}
instance.Status.Conditions.Set(condition.FalseCondition(
condition.TLSInputReadyCondition,
condition.ErrorReason,
condition.SeverityWarning,
condition.TLSInputErrorMessage,
err.Error()))
return ctrl.Result{}, err
} else if (ctrlResult != ctrl.Result{}) {
return ctrlResult, nil
}
hashes[novncproxy.VencryptName] = env.SetValue(hash)
}
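Review bot: The three NotFound branches here (CA bundle, service cert, Vencrypt cert) all return `ctrl.Result{}, nil` before `hashes` is populated, so when an operator removes or rotates-by-name the Vencrypt secret the reconcile stops short of whatever deployment logic follows and the running noVNC proxy keeps serving with the previously mounted cert while the CR reports Requested/Info; that is the fail-closed behaviour you want, but nothing in the code says so. Add a comment at the Vencrypt branch such as `// No Vencrypt secret yet: report it as a wait state and stop before the deployment is touched, so the proxy never runs without the VNC TLS material it was configured for.` Because the deployment code is outside this hunk, whether the early return really skips it is inferred from the hash map being filled only on success. `Reconcile` starts and ends outside the hunk.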
14 changes: 10 additions & 4 deletions controllers/novascheduler_controller.go
Expand Up @@ -198,7 +198,7 @@ func (r *NovaSchedulerReconciler) Reconcile(ctx context.Context, req ctrl.Reques
//
// Validate the CA cert secret if provided
if instance.Spec.TLS.CaBundleSecretName != "" {
hash, ctrlResult, err := tls.ValidateCACertSecret(
hash, err := tls.ValidateCACertSecret(
ctx,
h.GetClient(),
types.NamespacedName{
Expand All @@ -207,15 +207,21 @@ func (r *NovaSchedulerReconciler) Reconcile(ctx context.Context, req ctrl.Reques
},
)
if err != nil {
if k8s_errors.IsNotFound(err) {
instance.Status.Conditions.Set(condition.FalseCondition(
condition.TLSInputReadyCondition,
condition.RequestedReason,
condition.SeverityInfo,
fmt.Sprintf(condition.TLSInputReadyWaitingMessage, instance.Spec.TLS.CaBundleSecretName)))
return ctrl.Result{}, nil
}
instance.Status.Conditions.Set(condition.FalseCondition(
condition.TLSInputReadyCondition,
condition.ErrorReason,
condition.SeverityWarning,
condition.TLSInputErrorMessage,
err.Error()))
return ctrlResult, err
} else if (ctrlResult != ctrl.Result{}) {
return ctrlResult, nil
return ctrl.Result{}, err
}

if hash != "" {
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -12,7 +12,7 @@ require (
github.com/onsi/gomega v1.34.1
github.com/openstack-k8s-operators/infra-operator/apis v0.4.1-0.20240730162859-91b64b2d2de7
github.com/openstack-k8s-operators/keystone-operator/api v0.4.1-0.20240730210414-ba2309d261a2
github.com/openstack-k8s-operators/lib-common/modules/common v0.4.1-0.20240730142703-7fd3da600c9d
github.com/openstack-k8s-operators/lib-common/modules/common v0.4.1-0.20240905123813-174296c09ec6
github.com/openstack-k8s-operators/lib-common/modules/openstack v0.4.1-0.20240730142703-7fd3da600c9d
github.com/openstack-k8s-operators/lib-common/modules/test v0.4.1-0.20240730142703-7fd3da600c9d
github.com/openstack-k8s-operators/mariadb-operator/api v0.4.1-0.20240730222151-2d771bf1a024
4 changes: 2 additions & 2 deletions go.sum
Expand Up @@ -78,8 +78,8 @@ github.com/openstack-k8s-operators/infra-operator/apis v0.4.1-0.20240730162859-9
github.com/openstack-k8s-operators/infra-operator/apis v0.4.1-0.20240730162859-91b64b2d2de7/go.mod h1:OamtaW9c7aCtfUmxc/r+/XJS7XRI7s5iR//SZ8ilSwk=
github.com/openstack-k8s-operators/keystone-operator/api v0.4.1-0.20240730210414-ba2309d261a2 h1:F5NZmK9Gr12bHmNCJDRy7ad3I5j97adJ5Gm9HjSwV5g=
github.com/openstack-k8s-operators/keystone-operator/api v0.4.1-0.20240730210414-ba2309d261a2/go.mod h1:cSNSeN7+pXC/DLwtGoT9HsbdUYzbAnLHGtXN9/uugk8=
github.com/openstack-k8s-operators/lib-common/modules/common v0.4.1-0.20240730142703-7fd3da600c9d h1:WfEUkOxDpMnnYo+mQTJc9juoY85me/V6ubNAsOHdjnc=
github.com/openstack-k8s-operators/lib-common/modules/common v0.4.1-0.20240730142703-7fd3da600c9d/go.mod h1:YlNmaOTuZNZvwlOfosPI94od/V2Itektn9KWThRzylI=
github.com/openstack-k8s-operators/lib-common/modules/common v0.4.1-0.20240905123813-174296c09ec6 h1:VSbVNzUa41hybq/lZi0L8bNv/yzYyNylc8yKSEO+ZCA=
github.com/openstack-k8s-operators/lib-common/modules/common v0.4.1-0.20240905123813-174296c09ec6/go.mod h1:6zxa5xg9uvpObVKFSJa/SA+vDDlgh0Q1aswxDB2XbxU=
github.com/openstack-k8s-operators/lib-common/modules/openstack v0.4.1-0.20240730142703-7fd3da600c9d h1:SRB1rCIVpaVhKxJPkSXE9CNN+xHSrdgXzrRV9ed/hIc=
github.com/openstack-k8s-operators/lib-common/modules/openstack v0.4.1-0.20240730142703-7fd3da600c9d/go.mod h1:TyZh5+Uwxb1vcyY44H5GJVulvlQxU05TTAPQ4tSmbzY=
github.com/openstack-k8s-operators/lib-common/modules/test v0.4.1-0.20240730142703-7fd3da600c9d h1:P5tF3/shBcQf0HkPHWcr5Ri+jsRStMPbGOPQw4qRHRI=
4 changes: 2 additions & 2 deletions test/functional/nova_compute_ironic_controller_test.go
Expand Up @@ -576,8 +576,8 @@ var _ = Describe("NovaCompute with ironic diver controller", func() {
ConditionGetterFunc(NovaComputeConditionGetter),
condition.TLSInputReadyCondition,
corev1.ConditionFalse,
condition.ErrorReason,
fmt.Sprintf("TLSInput error occured in TLS sources Secret %s/combined-ca-bundle not found", novaNames.Namespace),
condition.RequestedReason,
fmt.Sprintf("TLSInput is missing: %s", novaNames.CaBundleSecretName.Name),
)
th.ExpectCondition(
cell1.NovaComputeName,
9 changes: 5 additions & 4 deletions test/functional/nova_metadata_controller_test.go
Expand Up @@ -910,8 +910,8 @@ var _ = Describe("NovaMetadata controller", func() {
ConditionGetterFunc(NovaMetadataConditionGetter),
condition.TLSInputReadyCondition,
corev1.ConditionFalse,
condition.ErrorReason,
fmt.Sprintf("TLSInput error occured in TLS sources Secret %s/combined-ca-bundle not found", novaNames.Namespace),
condition.RequestedReason,
fmt.Sprintf("TLSInput is missing: %s", novaNames.CaBundleSecretName.Name),
)
th.ExpectCondition(
novaNames.MetadataName,
Expand All @@ -929,8 +929,9 @@ var _ = Describe("NovaMetadata controller", func() {
ConditionGetterFunc(NovaMetadataConditionGetter),
condition.TLSInputReadyCondition,
corev1.ConditionFalse,
condition.ErrorReason,
fmt.Sprintf("TLSInput error occured in TLS sources Secret %s/internal-tls-certs not found", novaNames.Namespace),
condition.RequestedReason,
fmt.Sprintf("TLSInput is missing: secrets \"%s in namespace %s\" not found",
novaNames.InternalCertSecretName.Name, novaNames.InternalCertSecretName.Namespace),
)
th.ExpectCondition(
novaNames.MetadataName,
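Review bot: The second expectation pins the verbatim client-go wording `secrets "%s in namespace %s" not found`, which couples this test to how lib-common formats its NotFound error rather than to anything nova decides; the next upstream tweak to that string breaks nova's suite without any nova change. If `th.ExpectCondition` only supports exact matches (its implementation is not visible here), at least assert the stable prefix via a helper that checks `strings.HasPrefix(msg, "TLSInput is missing:")` together with `novaNames.InternalCertSecretName.Name`, or better, fix the message construction in the controller so both CA and cert paths emit `TLSInput is missing: <secret name>` and the test can pin that. The surrounding `Describe` block starts and ends outside the hunk.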