Improving operator-tls certificate for tenants

- Operator will detect is `operator-tls` secret is missing on tenants and automatically will re-create it - Operator will detect if `operator-tls` secret changed (ie certificate rotation) and automatically will update the secret on each tenant Signed-off-by: Lenin Alevski <alevsk.8772@gmail.com>
minio · May 17, 2022 · c98936c · c98936c
1 parent d54c46a
commit c98936c
Show file tree

Hide file tree

Showing 2 changed files with 62 additions and 31 deletions.
diff --git a/pkg/controller/cluster/main-controller.go b/pkg/controller/cluster/main-controller.go
@@ -751,39 +751,13 @@ func (c *Controller) syncHandler(key string) error {
 		return err
 	}
 
-	if isOperatorTLS() {
-		// Copy Operator TLS certificate to Tenant Namespace
-		operatorTLSSecret, err := c.kubeClientSet.CoreV1().Secrets(miniov2.GetNSFromFile()).Get(ctx, OperatorTLSSecretName, metav1.GetOptions{})
-		if err != nil {
-			return err
-		}
-		if val, ok := operatorTLSSecret.Data["public.crt"]; ok {
-			secret := &corev1.Secret{
-				Type: "Opaque",
-				ObjectMeta: metav1.ObjectMeta{
-					Name:      OperatorTLSSecretName,
-					Namespace: tenant.Namespace,
-					Labels:    tenant.MinIOPodLabels(),
-					OwnerReferences: []metav1.OwnerReference{
-						*metav1.NewControllerRef(tenant, schema.GroupVersionKind{
-							Group:   miniov2.SchemeGroupVersion.Group,
-							Version: miniov2.SchemeGroupVersion.Version,
-							Kind:    miniov2.MinIOCRDResourceKind,
-						}),
-					},
-				},
-				Data: map[string][]byte{
-					"public.crt": val,
-				},
-			}
-			_, err := c.kubeClientSet.CoreV1().Secrets(tenant.Namespace).Create(ctx, secret, metav1.CreateOptions{})
-			if err != nil && !k8serrors.IsAlreadyExists(err) {
-				return err
-			}
-		}
+	// check if operator-tls has to be updated or re-created in the tenant namespace
+	err = c.checkOperatorTLSForMinIOTenant(ctx, tenant)
+	if err != nil {
+		return err
 	}
 
-	// Create logSecret before deploying any statefulset
+	// Create logSecret before deploying any StatefulSet
 	if tenant.HasLogEnabled() {
 		_, err = c.checkAndCreateLogSecret(ctx, tenant)
 		if err != nil {

diff --git a/pkg/controller/cluster/minio.go b/pkg/controller/cluster/minio.go
@@ -27,6 +27,8 @@ import (
 	"fmt"
 	"time"
 
+	"k8s.io/apimachinery/pkg/runtime/schema"
+
 	"github.com/minio/operator/pkg/controller/cluster/certificates"
 
 	corev1 "k8s.io/api/core/v1"
@@ -144,6 +146,61 @@ func (c *Controller) getTLSSecret(ctx context.Context, nsName string, secretName
 	return c.kubeClientSet.CoreV1().Secrets(nsName).Get(ctx, secretName, metav1.GetOptions{})
 }
 
+// checkOperatorTLSForMinIOTenant checks create or updates the operator-tls secret for tenant
+func (c *Controller) checkOperatorTLSForMinIOTenant(ctx context.Context, tenant *miniov2.Tenant) error {
+	if isOperatorTLS() {
+		// get operator-tls in minio-operator namespace
+		operatorTLSSecret, err := c.kubeClientSet.CoreV1().Secrets(miniov2.GetNSFromFile()).Get(ctx, OperatorTLSSecretName, metav1.GetOptions{})
+		if err != nil {
+			return err
+		}
+		// get operator-tls in tenant namespace
+		tenantOperatorTLSSecret, err := c.kubeClientSet.CoreV1().Secrets(tenant.Namespace).Get(ctx, OperatorTLSSecretName, metav1.GetOptions{})
+		if err != nil && !k8serrors.IsNotFound(err) {
+			return err
+		}
+		if operatorTLSPublicCrt, ok := operatorTLSSecret.Data["public.crt"]; ok {
+			// update tenant operator-tls secret
+			if tenantOperatorTLSPublicCrt, ok := tenantOperatorTLSSecret.Data["public.crt"]; ok {
+				if string(tenantOperatorTLSPublicCrt) != string(operatorTLSPublicCrt) {
+					klog.Infof("public key in operator-tls secret changed, updating operator-tls for '%s/%s'", tenant.Namespace, tenant.Name)
+					tenantOperatorTLSSecret.Data["public.crt"] = operatorTLSPublicCrt
+					_, err = c.kubeClientSet.CoreV1().Secrets(tenant.Namespace).Update(ctx, tenantOperatorTLSSecret, metav1.UpdateOptions{})
+					if err != nil {
+						return err
+					}
+				}
+			} else {
+				klog.Infof("operator-tls secret in tenant '%s/%s' not found, creating one now", tenant.Namespace, tenant.Name)
+				// create tenant operator-tls secret
+				opTLSSecret := &corev1.Secret{
+					Type: "Opaque",
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      OperatorTLSSecretName,
+						Namespace: tenant.Namespace,
+						Labels:    tenant.MinIOPodLabels(),
+						OwnerReferences: []metav1.OwnerReference{
+							*metav1.NewControllerRef(tenant, schema.GroupVersionKind{
+								Group:   miniov2.SchemeGroupVersion.Group,
+								Version: miniov2.SchemeGroupVersion.Version,
+								Kind:    miniov2.MinIOCRDResourceKind,
+							}),
+						},
+					},
+					Data: map[string][]byte{
+						"public.crt": operatorTLSPublicCrt,
+					},
+				}
+				_, err := c.kubeClientSet.CoreV1().Secrets(tenant.Namespace).Create(ctx, opTLSSecret, metav1.CreateOptions{})
+				if err != nil {
+					return err
+				}
+			}
+		}
+	}
+	return nil
+}
+
 // checkMinIOCertificatesStatus checks for the current status of MinIO and it's service
 func (c *Controller) checkMinIOCertificatesStatus(ctx context.Context, tenant *miniov2.Tenant, nsName types.NamespacedName) error {
 	if tenant.AutoCert() {