-
Notifications
You must be signed in to change notification settings - Fork 24
/
certrotation_controller.go
103 lines (87 loc) · 3.46 KB
/
certrotation_controller.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
package controllers
import (
"context"
"errors"
"time"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/runtime"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/client"
configv1alpha1 "github.com/grafana/tempo-operator/apis/config/v1alpha1"
"github.com/grafana/tempo-operator/apis/tempo/v1alpha1"
tempoStackState "github.com/grafana/tempo-operator/controllers/tempo/internal/management/state"
"github.com/grafana/tempo-operator/internal/certrotation"
"github.com/grafana/tempo-operator/internal/certrotation/handlers"
)
// CertRotationReconciler reconciles the `tempo.grafana.com/certRotationRequiredAt` annotation on
// any TempoStack object associated with any of the owned signer/client/serving certificates secrets
// and CA bundle configmap.
type CertRotationReconciler struct {
client.Client
Scheme *runtime.Scheme
FeatureGates configv1alpha1.FeatureGates
}
// Reconcile is part of the main kubernetes reconciliation loop which aims to
// move the current state of the cluster closer to the desired state.
// Compare the state specified by the TempoStack object against the actual cluster state,
// and then perform operations to make the cluster state reflect the state specified by
// the user.
//
// For more details, check Reconcile and its Result here:
// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.7.0/pkg/reconcile
func (r *CertRotationReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
log := ctrl.LoggerFrom(ctx).WithName("certrotation-reconcile").WithValues("tempo", req.NamespacedName)
log.V(1).Info("starting reconcile loop")
defer log.V(1).Info("finished reconcile loop")
managed, err := tempoStackState.IsManaged(ctx, req, r.Client)
if err != nil {
return ctrl.Result{}, err
}
if !managed {
log.Info("Skipping reconciliation for unmanaged TempoStack resource", "name", req.String())
// Stop requeueing for unmanaged TempoStack custom resources
return ctrl.Result{}, nil
}
rt, err := certrotation.ParseRotation(r.FeatureGates.BuiltInCertManagement)
if err != nil {
return ctrl.Result{}, err
}
checkExpiryAfter := expiryRetryAfter(rt.TargetCertRefresh)
log.Info("Checking if TempoStack certificates expired", "name", req.String(), "interval", checkExpiryAfter.String())
var expired *certrotation.CertExpiredError
err = handlers.CheckCertExpiry(ctx, log, req, r.Client, r.FeatureGates)
switch {
case errors.As(err, &expired):
log.Info("Certificate expired", "msg", expired.Error())
case err != nil:
return ctrl.Result{}, err
default:
log.Info("Skipping cert rotation, all TempoStack certificates still valid", "name", req.String())
return ctrl.Result{
RequeueAfter: checkExpiryAfter,
}, nil
}
log.Error(err, "TempoStack certificates expired", "name", req.String())
err = handlers.AnnotateForRequiredCertRotation(ctx, r.Client, req.Name, req.Namespace)
if err != nil {
log.Error(err, "failed to annotate required cert rotation", "name", req.String())
return ctrl.Result{}, err
}
return ctrl.Result{
RequeueAfter: checkExpiryAfter,
}, nil
}
// SetupWithManager sets up the controller with the Manager.
func (r *CertRotationReconciler) SetupWithManager(mgr ctrl.Manager) error {
return ctrl.NewControllerManagedBy(mgr).
For(&v1alpha1.TempoStack{}).
Owns(&corev1.Secret{}).
Complete(r)
}
func expiryRetryAfter(certRefresh time.Duration) time.Duration {
day := 24 * time.Hour
if certRefresh > day {
return 12 * time.Hour
}
return certRefresh / 4
}