Fixes tls certificate issue for webhook endpoint

When `operator-ca-tls` secret is defined operator will use that to verify tls connections with minio tenants, however that was causing a problem with kube-apiserver in where the certificate exposed on the `caBundle` from tenants.minio.min.io crd will not match with the actual certificate operator is using for the webhook https endpoint Signed-off-by: Lenin Alevski <alevsk.8772@gmail.com>
minio · May 16, 2022 · 06ec28e · 06ec28e
1 parent fcf39d0
commit 06ec28e
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 14 deletions.
diff --git a/main.go b/main.go
@@ -124,17 +124,18 @@ func main() {
 	}
 
 	ctx := context.Background()
-	var caContent []byte
-	operatorCATLSCert, err := kubeClient.CoreV1().Secrets(miniov2.GetNSFromFile()).Get(ctx, "operator-ca-tls", metav1.GetOptions{})
-	// if custom ca.crt is not present in kubernetes secrets use the one stored in the pod
-	if err != nil {
-		caContent = miniov2.GetPodCAFromFile()
-	} else {
+
+	// default kubernetes CA certificate
+	caContent := miniov2.GetPodCAFromFile()
+	// if operator-ca-tls is defined concatenate that to the final webhook public certificate
+	operatorCATLSCert, err := kubeClient.CoreV1().Secrets(miniov2.GetNSFromFile()).Get(ctx, cluster.OperatorTLSCASecretName, metav1.GetOptions{})
+	if err == nil && operatorCATLSCert != nil {
 		if val, ok := operatorCATLSCert.Data["ca.crt"]; ok {
-			caContent = val
+			caContent = append(caContent, val...)
+		} else if val, ok = operatorCATLSCert.Data["public.crt"]; ok {
+			caContent = append(caContent, val...)
 		}
 	}
-
 	if len(caContent) > 0 {
 		crd, err := extClient.ApiextensionsV1().CustomResourceDefinitions().Get(context.Background(), "tenants.minio.min.io", metav1.GetOptions{})
 		if err != nil {

diff --git a/pkg/controller/cluster/operator.go b/pkg/controller/cluster/operator.go
@@ -272,19 +272,21 @@ func (c *Controller) getTransport() *http.Transport {
 	if c.transport != nil {
 		return c.transport
 	}
-
+	rootCAs := miniov2.MustGetSystemCertPool()
+	// loading kubernetes ca certificate
+	rootCAs.AppendCertsFromPEM(miniov2.GetPodCAFromFile())
 	var caContent []byte
+	// This is the custom CA certificate used to verify TLS connections against the MinIO tenants
 	operatorCATLSCert, err := c.kubeClientSet.CoreV1().Secrets(miniov2.GetNSFromFile()).Get(context.Background(), OperatorTLSCASecretName, metav1.GetOptions{})
-	// if custom ca.crt is not present in kubernetes secrets use the one stored in the pod
-	if err != nil {
-		caContent = miniov2.GetPodCAFromFile()
-	} else {
+	// If custom ca.crt is not present in kubernetes secrets use the one stored in the pod
+	if err == nil && operatorCATLSCert != nil {
 		if val, ok := operatorCATLSCert.Data["ca.crt"]; ok {
 			caContent = val
+		} else if val, ok = operatorCATLSCert.Data["public.crt"]; ok {
+			caContent = val
 		}
 	}
 
-	rootCAs := miniov2.MustGetSystemCertPool()
 	if len(caContent) > 0 {
 		rootCAs.AppendCertsFromPEM(caContent)
 	}