This repository has been archived by the owner on Oct 22, 2021. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 9
/
certificatesigningrequest_controller.go
74 lines (64 loc) · 2.89 KB
/
certificatesigningrequest_controller.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
package quarkssecret
import (
"context"
"github.com/pkg/errors"
certv1 "k8s.io/api/certificates/v1beta1"
certv1client "k8s.io/client-go/kubernetes/typed/certificates/v1beta1"
"sigs.k8s.io/controller-runtime/pkg/controller"
"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
"sigs.k8s.io/controller-runtime/pkg/event"
"sigs.k8s.io/controller-runtime/pkg/handler"
"sigs.k8s.io/controller-runtime/pkg/manager"
"sigs.k8s.io/controller-runtime/pkg/predicate"
"sigs.k8s.io/controller-runtime/pkg/source"
qsv1a1 "code.cloudfoundry.org/quarks-secret/pkg/kube/apis/quarkssecret/v1alpha1"
"code.cloudfoundry.org/quarks-utils/pkg/config"
"code.cloudfoundry.org/quarks-utils/pkg/ctxlog"
)
// AddCertificateSigningRequest creates a new CertificateSigningRequest controller to watch for new and changed
// certificate signing request. Reconciliation will approve them and create a secret.
func AddCertificateSigningRequest(ctx context.Context, config *config.Config, mgr manager.Manager) error {
ctx = ctxlog.NewContextWithRecorder(ctx, "csr-reconciler", mgr.GetEventRecorderFor("csr-recorder"))
certClient, err := certv1client.NewForConfig(mgr.GetConfig())
if err != nil {
return errors.Wrap(err, "Could not get kube client")
}
r := NewCertificateSigningRequestReconciler(ctx, config, mgr, certClient, controllerutil.SetControllerReference)
// Create a new controller
c, err := controller.New("certificate-signing-request-controller", mgr, controller.Options{
Reconciler: r,
MaxConcurrentReconciles: config.MaxQuarksSecretWorkers,
})
if err != nil {
return errors.Wrap(err, "Adding certificate signing request controller to manager failed.")
}
// Watch for changes to CertificateSigningRequests
p := predicate.Funcs{
CreateFunc: func(e event.CreateEvent) bool {
o := e.Object.(*certv1.CertificateSigningRequest)
return ownedByQuarksSecret(config.MonitoredID, o.Annotations)
},
DeleteFunc: func(e event.DeleteEvent) bool { return false },
GenericFunc: func(e event.GenericEvent) bool { return false },
UpdateFunc: func(e event.UpdateEvent) bool {
o := e.ObjectNew.(*certv1.CertificateSigningRequest)
return ownedByQuarksSecret(config.MonitoredID, o.Annotations)
},
}
err = c.Watch(&source.Kind{Type: &certv1.CertificateSigningRequest{}}, &handler.EnqueueRequestForObject{}, p)
if err != nil {
return errors.Wrapf(err, "Watching certificate signing requests failed in certificate signing request controller.")
}
return nil
}
// ownedByQuarksSecret checks if the CSR is owned by a qsec and that the qsec is a namespace monitored by this operator
func ownedByQuarksSecret(monitoredID string, annotations map[string]string) bool {
if _, ok := annotations[qsv1a1.AnnotationCertSecretName]; ok {
if _, ok := annotations[qsv1a1.AnnotationQSecNamespace]; ok {
if id, ok := annotations[qsv1a1.AnnotationMonitoredID]; ok {
return monitoredID == id
}
}
}
return false
}