/
cluster_controller.go
221 lines (191 loc) · 8.13 KB
/
cluster_controller.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
/*
Copyright 2023.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package controller
import (
"context"
"time"
"github.com/giantswarm/microerror"
"github.com/go-logr/logr"
apierrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/runtime"
capi "sigs.k8s.io/cluster-api/api/v1beta1"
ctrl "sigs.k8s.io/controller-runtime"
"github.com/giantswarm/teleport-operator/internal/pkg/config"
"github.com/giantswarm/teleport-operator/internal/pkg/key"
"github.com/giantswarm/teleport-operator/internal/pkg/teleport"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
)
const identityExpirationPeriod = 20 * time.Minute
// ClusterReconciler reconciles a Cluster object
type ClusterReconciler struct {
Client client.Client
Log logr.Logger
Scheme *runtime.Scheme
Teleport *teleport.Teleport
Namespace string
}
//+kubebuilder:rbac:groups=cluster.x-k8s.io.giantswarm.io,resources=clusters,verbs=get;list;watch;create;update;patch;delete
//+kubebuilder:rbac:groups=cluster.x-k8s.io.giantswarm.io,resources=clusters/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=cluster.x-k8s.io.giantswarm.io,resources=clusters/finalizers,verbs=update
// Reconcile is part of the main kubernetes reconciliation loop which aims to
// move the current state of the cluster closer to the desired state.
// TODO(user): Modify the Reconcile function to compare the state specified by
// the Cluster object against the actual cluster state, and then
// perform operations to make the cluster state reflect the state specified by
// the user.
//
// For more details, check Reconcile and its Result here:
// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.14.4/pkg/reconcile
func (r *ClusterReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
log := r.Log.WithValues("cluster", req.NamespacedName)
cluster := &capi.Cluster{}
if err := r.Client.Get(ctx, req.NamespacedName, cluster); err != nil {
if apierrors.IsNotFound(err) {
return ctrl.Result{}, nil
}
return ctrl.Result{}, microerror.Mask(err)
}
log.Info("Reconciling cluster", "cluster", cluster)
if r.Teleport.Identity != nil {
log.Info("Teleport identity", "last-read-minutes-ago", r.Teleport.Identity.Age(), "hash", r.Teleport.Identity.Hash())
}
if r.Teleport.Identity == nil || time.Since(r.Teleport.Identity.LastRead) > identityExpirationPeriod {
log.Info("Retrieving new identity", "secretName", key.TeleportBotSecretName)
newIdentityConfig, err := config.GetIdentityConfigFromSecret(ctx, r.Client, r.Namespace)
if err != nil {
return ctrl.Result{}, microerror.Mask(err)
}
if r.Teleport.TeleportClient, err = teleport.NewClient(ctx, r.Teleport.Config.ProxyAddr, newIdentityConfig.IdentityFile); err != nil {
return ctrl.Result{}, microerror.Mask(err)
}
if r.Teleport.Identity == nil {
log.Info("Connected to teleport cluster", "proxyAddr", r.Teleport.Config.ProxyAddr)
} else {
log.Info("Re-connected to teleport cluster with new identity", "proxyAddr", r.Teleport.Config.ProxyAddr)
}
r.Teleport.Identity = newIdentityConfig
}
registerName := cluster.Name
if cluster.Name != r.Teleport.Config.ManagementClusterName {
registerName = key.GetRegisterName(r.Teleport.Config.ManagementClusterName, cluster.Name)
}
// Check if the cluster instance is marked to be deleted, which is indicated by the deletion timestamp being set.
// if it is, delete the cluster from teleport
if !cluster.DeletionTimestamp.IsZero() {
// Delete teleport token for the cluster
if err := r.Teleport.DeleteToken(ctx, log, registerName); err != nil {
return ctrl.Result{}, microerror.Mask(err)
}
// Delete Secret for the cluster
if err := r.Teleport.DeleteSecret(ctx, log, r.Client, cluster.Name, cluster.Namespace); err != nil {
return ctrl.Result{}, microerror.Mask(err)
}
// Delete ConfigMap for the cluster
if err := r.Teleport.DeleteConfigMap(ctx, log, r.Client, cluster.Name, cluster.Namespace); err != nil {
return ctrl.Result{}, microerror.Mask(err)
}
// Remove finalizer from the Cluster CR
if controllerutil.ContainsFinalizer(cluster, key.TeleportOperatorFinalizer) {
if err := teleport.RemoveFinalizer(ctx, log, cluster, r.Client); err != nil {
return ctrl.Result{}, microerror.Mask(err)
}
}
return ctrl.Result{}, nil
}
// Add finalizer to cluster CR if it's not there
if !controllerutil.ContainsFinalizer(cluster, key.TeleportOperatorFinalizer) {
if err := teleport.AddFinalizer(ctx, log, cluster, r.Client); err != nil {
return ctrl.Result{}, microerror.Mask(err)
}
}
// Check if the secret exists in the cluster, if not, generate teleport token and create the secret
// if it is, check teleport token validity, and update the secret if teleport token has expired
secret, err := r.Teleport.GetSecret(ctx, log, r.Client, cluster.Name, cluster.Namespace)
if err != nil {
return ctrl.Result{}, microerror.Mask(err)
}
if secret == nil {
token, err := r.Teleport.GenerateToken(ctx, registerName, "node")
if err != nil {
return ctrl.Result{}, microerror.Mask(err)
}
if err := r.Teleport.CreateSecret(ctx, log, r.Client, cluster.Name, cluster.Namespace, token); err != nil {
return ctrl.Result{}, microerror.Mask(err)
}
} else {
token, err := r.Teleport.GetTokenFromSecret(ctx, secret)
if err != nil {
return ctrl.Result{}, microerror.Mask(err)
}
tokenValid, err := r.Teleport.IsTokenValid(ctx, registerName, token, "node")
if err != nil {
return ctrl.Result{}, microerror.Mask(err)
}
if !tokenValid {
token, err := r.Teleport.GenerateToken(ctx, registerName, "node")
if err != nil {
return ctrl.Result{}, microerror.Mask(err)
}
if err := r.Teleport.UpdateSecret(ctx, log, r.Client, cluster.Name, cluster.Namespace, token); err != nil {
return ctrl.Result{}, microerror.Mask(err)
}
} else {
log.Info("Secret has valid teleport node join token", "secretName", secret.GetName())
}
}
// Check if the confimap exists in the cluster, if not, generate teleport token and create the config map
// if it is, check teleport token validity, and update the configmap if teleport token has expired
configMap, err := r.Teleport.GetConfigMap(ctx, log, r.Client, cluster.Name, cluster.Namespace)
if err != nil {
return ctrl.Result{}, microerror.Mask(err)
}
if configMap != nil {
token, err := r.Teleport.GetTokenFromConfigMap(ctx, configMap)
if err != nil {
return ctrl.Result{}, microerror.Mask(err)
}
tokenValid, err := r.Teleport.IsTokenValid(ctx, registerName, token, "kube")
if err != nil {
return ctrl.Result{}, microerror.Mask(err)
}
if !tokenValid {
token, err := r.Teleport.GenerateToken(ctx, registerName, "kube")
if err != nil {
return ctrl.Result{}, microerror.Mask(err)
}
if err := r.Teleport.UpdateConfigMap(ctx, log, r.Client, configMap, token); err != nil {
return ctrl.Result{}, microerror.Mask(err)
}
} else {
log.Info("ConfigMap has valid teleport kube join token", "configMapName", configMap.GetName())
}
} else {
token, err := r.Teleport.GenerateToken(ctx, registerName, "kube")
if err != nil {
return ctrl.Result{}, microerror.Mask(err)
}
if err := r.Teleport.CreateConfigMap(ctx, log, r.Client, cluster.Name, cluster.Namespace, registerName, token); err != nil {
return ctrl.Result{}, microerror.Mask(err)
}
}
// We need to requeue to check the teleport token validity
// and update secret for the cluster, if it expires
return ctrl.Result{RequeueAfter: 1 * time.Minute}, nil
}
// SetupWithManager sets up the controller with the Manager.
func (r *ClusterReconciler) SetupWithManager(mgr ctrl.Manager) error {
return ctrl.NewControllerManagedBy(mgr).
For(&capi.Cluster{}).
Complete(r)
}