-
Notifications
You must be signed in to change notification settings - Fork 26
/
certinjector.go
90 lines (76 loc) · 2.96 KB
/
certinjector.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
package registry
import (
"context"
"fmt"
"os"
"github.com/go-logr/logr"
corev1 "k8s.io/api/core/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/types"
"sigs.k8s.io/controller-runtime/pkg/client"
api "github.com/aws/eks-anywhere-packages/api/v1alpha1"
)
const (
registryMirrorCredName = "registry-mirror-cred"
registryMirrorSecretName = "registry-mirror-secret"
)
type CertInjector struct {
k8sClient client.Client
log logr.Logger
}
// NewCertInjector creates a new CertInjector.
func NewCertInjector(k8sClient client.Client, log logr.Logger) *CertInjector {
return &CertInjector{
k8sClient: k8sClient,
log: log,
}
}
// UpdateIfNeeded is responsible for verifying the registry CA cert is available on the mounted `registry-mirror-cred` secret.
func (ci *CertInjector) UpdateIfNeeded(ctx context.Context, clusterName string) error {
certContent, err := ci.fetchCertContent(ctx, clusterName)
if err != nil {
return fmt.Errorf("fetching CA cert content: %v", err)
}
if certContent == nil {
ci.log.Info("No CA cert content found", "cluster", clusterName)
return nil
}
registryMirrorCred := &corev1.Secret{}
credSecretName := types.NamespacedName{Name: registryMirrorCredName, Namespace: api.PackageNamespace}
if err := ci.k8sClient.Get(ctx, credSecretName, registryMirrorCred); err != nil {
return fmt.Errorf("getting secret %s: %s", credSecretName.String(), err)
}
credCertKey := fmt.Sprintf("%s_ca.crt", clusterName)
if _, ok := registryMirrorCred.Data[credCertKey]; !ok {
ci.log.Info("Updating registry CA cert", "cluster", clusterName, "secret", registryMirrorCredName)
registryMirrorCred.Data[credCertKey] = certContent
if err := ci.k8sClient.Update(ctx, registryMirrorCred, &client.UpdateOptions{}); err != nil {
return fmt.Errorf("updating secret %s: %s", credSecretName.String(), err)
}
} else {
ci.log.Info("CA Cert already updated", "cluster", clusterName)
}
return nil
}
// fetchCertContent fetches the CA cert content from `registry-mirror-secret` in the cluster namespace.
// If CACERTCONTENT is empty; we return nil.
// Else we return the contents.
func (ci *CertInjector) fetchCertContent(ctx context.Context, clusterName string) ([]byte, error) {
managementClusterName := os.Getenv("CLUSTER_NAME")
registryMirrorSecret := &corev1.Secret{}
nn := types.NamespacedName{Name: registryMirrorSecretName, Namespace: api.PackageNamespace}
if clusterName != managementClusterName {
nn = types.NamespacedName{Name: registryMirrorSecretName, Namespace: fmt.Sprintf("%s-%s", api.PackageNamespace, clusterName)}
}
if err := ci.k8sClient.Get(ctx, nn, registryMirrorSecret); err != nil {
if apierrors.IsNotFound(err) {
ci.log.Info("Registry mirror secret not found", "error", err)
return nil, nil
}
return nil, fmt.Errorf("getting secret %s: %s", nn.String(), err)
}
if len(registryMirrorSecret.Data["CACERTCONTENT"]) > 0 {
return registryMirrorSecret.Data["CACERTCONTENT"], nil
}
return nil, nil
}