-
Notifications
You must be signed in to change notification settings - Fork 19
/
ingress_cert_config_reconciler.go
115 lines (100 loc) · 4.1 KB
/
ingress_cert_config_reconciler.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT License.
package osm
import (
"context"
"fmt"
"github.com/Azure/aks-app-routing-operator/pkg/controller/controllername"
"github.com/go-logr/logr"
cfgv1alpha2 "github.com/openservicemesh/osm/pkg/apis/config/v1alpha2"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/client"
"github.com/Azure/aks-app-routing-operator/pkg/config"
"github.com/Azure/aks-app-routing-operator/pkg/controller/metrics"
)
const (
osmNamespace = "kube-system"
osmMeshConfigName = "osm-mesh-config"
osmNginxSAN = "ingress-nginx.ingress.cluster.local"
osmClientCertValidity = "24h"
osmClientCertName = "osm-ingress-client-cert"
)
var (
ingressCertConfigControllerName = controllername.New("osm", "ingress", "cert", "config")
)
// IngressCertConfigReconciler updates the Open Service Mesh configuration to generate a client cert
// to be used by the ingress controller when contacting upstreams.
type IngressCertConfigReconciler struct {
client client.Client
}
func NewIngressCertConfigReconciler(manager ctrl.Manager, conf *config.Config) error {
metrics.InitControllerMetrics(ingressCertConfigControllerName)
if conf.DisableOSM {
return nil
}
return ingressCertConfigControllerName.AddToController(
ctrl.
NewControllerManagedBy(manager).
For(&cfgv1alpha2.MeshConfig{}), manager.GetLogger(),
).Complete(&IngressCertConfigReconciler{client: manager.GetClient()})
}
func (i *IngressCertConfigReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
var err error
result := ctrl.Result{}
// do metrics
defer func() {
//placing this call inside a closure allows for result and err to be bound after Reconcile executes
//this makes sure they have the proper value
//just calling defer metrics.HandleControllerReconcileMetrics(ingressCertConfigControllerName, result, err) would bind
//the values of result and err to their zero values, since they were just instantiated
metrics.HandleControllerReconcileMetrics(ingressCertConfigControllerName, result, err)
}()
logger, err := logr.FromContext(ctx)
if err != nil {
return result, err
}
logger = ingressCertConfigControllerName.AddToLogger(logger).WithValues("namespace", req.Namespace, "name", req.Name)
if req.Name != osmMeshConfigName || req.Namespace != osmNamespace {
logger.Info(fmt.Sprintf("ignoring mesh config, we only reconcile mesh config %s/%s", osmNamespace, osmMeshConfigName))
return result, nil
}
logger.Info("getting OSM ingress mesh config")
conf := &cfgv1alpha2.MeshConfig{}
err = i.client.Get(ctx, req.NamespacedName, conf)
if err != nil {
return result, client.IgnoreNotFound(err)
}
logger = logger.WithValues("generation", conf.Generation)
var dirty bool
if conf.Spec.Certificate.IngressGateway == nil {
conf.Spec.Certificate.IngressGateway = &cfgv1alpha2.IngressGatewayCertSpec{}
}
if conf.Spec.Certificate.IngressGateway.Secret.Name != osmClientCertName {
logger.Info("updating IngressGateway client cert secret name")
dirty = true
conf.Spec.Certificate.IngressGateway.Secret.Name = osmClientCertName
}
if conf.Spec.Certificate.IngressGateway.Secret.Namespace != osmNamespace {
logger.Info("updating IngressGateway client cert secret namespace")
dirty = true
conf.Spec.Certificate.IngressGateway.Secret.Namespace = osmNamespace
}
if conf.Spec.Certificate.IngressGateway.ValidityDuration != osmClientCertValidity {
logger.Info("updating IngressGateway client cert validity duration")
dirty = true
conf.Spec.Certificate.IngressGateway.ValidityDuration = osmClientCertValidity
}
if l := len(conf.Spec.Certificate.IngressGateway.SubjectAltNames); l != 1 ||
(l == 1 && conf.Spec.Certificate.IngressGateway.SubjectAltNames[0] != osmNginxSAN) {
logger.Info("updating IngressGateway SAN")
dirty = true
conf.Spec.Certificate.IngressGateway.SubjectAltNames = []string{osmNginxSAN}
}
if !dirty {
logger.Info("no changes required for OSM ingress client cert configuration")
return result, nil
}
logger.Info("updating OSM ingress mesh config")
err = i.client.Update(ctx, conf)
return result, err
}