fix: regenerate TLS certificate even if csr already exists (#807)

Signed-off-by: Lenin Alevski <alevsk.8772@gmail.com>
minio · Sep 3, 2021 · 019600d · 019600d
1 parent 27b228c
commit 019600d
Showing 1 changed file with 14 additions and 10 deletions.
diff --git a/pkg/controller/cluster/operator.go b/pkg/controller/cluster/operator.go
@@ -83,12 +83,12 @@ func (c *Controller) generateTLSCert() (string, string) {
 		operatorTLSCert, err := c.kubeClientSet.CoreV1().Secrets(namespace).Get(ctx, OperatorTLSSecretName, metav1.GetOptions{})
 		if err != nil {
 			if k8serrors.IsNotFound(err) {
-				klog.Infof("operator TLS secret not found %v", err)
+				klog.Infof("operator TLS secret not found: %v", err)
 				if err = c.checkAndCreateOperatorCSR(ctx, operatorDeployment); err != nil {
 					klog.Infof("Waiting for the operator certificates to be issued %v", err.Error())
 					time.Sleep(time.Second * 10)
 				} else {
-					if err = c.kubeClientSet.CertificatesV1().CertificateSigningRequests().Delete(ctx, "operator-auto-tls", metav1.DeleteOptions{}); err != nil {
+					if err = c.kubeClientSet.CertificatesV1().CertificateSigningRequests().Delete(ctx, c.operatorCSRName(), metav1.DeleteOptions{}); err != nil {
 						klog.Infof(err.Error())
 					}
 				}
@@ -207,25 +207,24 @@ func (c *Controller) createOperatorCSR(ctx context.Context, operator metav1.Obje
 		return err
 	}
 	namespace := miniov2.GetNSFromFile()
-	operatorCSRName := fmt.Sprintf("operator-%s-csr", namespace)
-	err = c.createCertificateSigningRequest(ctx, map[string]string{}, operatorCSRName, namespace, csrBytes, operator, "server")
+	err = c.createCertificateSigningRequest(ctx, map[string]string{}, c.operatorCSRName(), namespace, csrBytes, operator, "server")
 	if err != nil {
-		klog.Errorf("Unexpected error during the creation of the csr/%s: %v", operatorCSRName, err)
+		klog.Errorf("Unexpected error during the creation of the csr/%s: %v", c.operatorCSRName(), err)
 		return err
 	}
 
 	// fetch certificate from CSR
-	certBytes, err := c.fetchCertificate(ctx, operatorCSRName)
+	certBytes, err := c.fetchCertificate(ctx, c.operatorCSRName())
 	if err != nil {
-		klog.Errorf("Unexpected error during the creation of the csr/%s: %v", operatorCSRName, err)
+		klog.Errorf("Unexpected error during the creation of the csr/%s: %v", c.operatorCSRName(), err)
 		return err
 	}
 
 	// PEM encode private ECDSA key
-	encodedPrivKey := pem.EncodeToMemory(&pem.Block{Type: privateKeyType, Bytes: privKeysBytes})
+	encodedPrivateKey := pem.EncodeToMemory(&pem.Block{Type: privateKeyType, Bytes: privKeysBytes})
 
 	// Create secret for operator to use
-	err = c.createOperatorSecret(ctx, operator, map[string]string{}, "operator-tls", encodedPrivKey, certBytes)
+	err = c.createOperatorSecret(ctx, operator, map[string]string{}, "operator-tls", encodedPrivateKey, certBytes)
 	if err != nil {
 		klog.Errorf("Unexpected error during the creation of the secret/%s: %v", "operator-tls", err)
 		return err
@@ -234,7 +233,7 @@ func (c *Controller) createOperatorCSR(ctx context.Context, operator metav1.Obje
 }
 
 func (c *Controller) checkAndCreateOperatorCSR(ctx context.Context, operator metav1.Object) error {
-	if _, err := c.kubeClientSet.CertificatesV1().CertificateSigningRequests().Get(ctx, "operator-auto-tls", metav1.GetOptions{}); err != nil {
+	if _, err := c.kubeClientSet.CertificatesV1().CertificateSigningRequests().Get(ctx, c.operatorCSRName(), metav1.GetOptions{}); err != nil {
 		if k8serrors.IsNotFound(err) {
 			klog.V(2).Infof("Creating a new Certificate Signing Request for Operator Server Certs, cluster %q")
 			if err = c.createOperatorCSR(ctx, operator); err != nil {
@@ -280,3 +279,8 @@ func (c *Controller) createUsers(ctx context.Context, tenant *miniov2.Tenant, te
 
 	return nil
 }
+
+func (c *Controller) operatorCSRName() string {
+	namespace := miniov2.GetNSFromFile()
+	return fmt.Sprintf("operator-%s-csr", namespace)
+}