publish a router-ca that can be used to verify routes in golang clients

openshift · Nov 27, 2019 · 2caa301 · 2caa301
1 parent 1f864f6
commit 2caa301
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 83 deletions.
diff --git a/pkg/operator/controller/certificate/controller.go b/pkg/operator/controller/certificate/controller.go
@@ -16,11 +16,13 @@ import (
 
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 
 	"k8s.io/client-go/tools/record"
 
 	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
 
 	operatorv1 "github.com/openshift/api/operator/v1"
 
@@ -64,7 +66,7 @@ type reconciler struct {
 }
 
 func (r *reconciler) Reconcile(request reconcile.Request) (reconcile.Result, error) {
-	ca, err := r.ensureRouterCASecret()
+	controllerMaintainedSigningCertKey, err := r.ensureRouterCASecret()
 	if err != nil {
 		return reconcile.Result{}, fmt.Errorf("failed to ensure router CA: %v", err)
 	}
@@ -103,16 +105,31 @@ func (r *reconciler) Reconcile(request reconcile.Request) (reconcile.Result, err
 				UID:        deployment.UID,
 				Controller: &trueVar,
 			}
-			if _, err := r.ensureDefaultCertificateForIngress(ca, deployment.Namespace, deploymentRef, ingress); err != nil {
+			if _, err := r.ensureDefaultCertificateForIngress(controllerMaintainedSigningCertKey, deployment.Namespace, deploymentRef, ingress); err != nil {
 				errs = append(errs, fmt.Errorf("failed to ensure default cert for %s: %v", ingress.Name, err))
 			}
 		}
 	}
 
-	ingresses := &operatorv1.IngressControllerList{}
-	if err := r.cache.List(context.TODO(), ingresses, client.InNamespace(r.operatorNamespace)); err != nil {
-		errs = append(errs, fmt.Errorf("failed to list ingresscontrollers: %v", err))
-	} else if err := r.ensureRouterCAConfigMap(ca, ingresses.Items); err != nil {
+	// We need to construct the CA bundle that can be used to verify the ingress used to serve the console and the oauth-server.
+	// In an operator maintained cluster, this is always `oc get -n openshift-ingress-operator ingresscontroller/default`, skip the rest and return here.
+	// TODO if network-edge wishes to expand the scope of the CA bundle (and you could legitimately see a need/desire to have one CA that verifies all ingress traffic).
+	// TODO this could be accomplished using union logic similar to the kube-apiserver's join of multiple CAs.
+	if ingress == nil || ingress.Namespace != "openshift-ingress-operator" || ingress.Name != "default" {
+		return result, utilerrors.NewAggregate(errs)
+	}
+
+	caBundle := string(controllerMaintainedSigningCertKey.Data["tls.crt"])
+	// if we have a custom default certificate, it need to be the one used to very router certificates
+	if len(ingress.Spec.DefaultCertificate.Name) > 0 {
+		secret := &corev1.Secret{}
+		if err := r.client.Get(context.TODO(), types.NamespacedName{Namespace: ingress.Namespace, Name: ingress.Spec.DefaultCertificate.Name}, secret); err != nil {
+			errs = append(errs, fmt.Errorf("failed to get custom router cert: %v", err))
+			return result, utilerrors.NewAggregate(errs)
+		}
+		caBundle = string(controllerMaintainedSigningCertKey.Data["tls.crt"])
+	}
+	if err := r.ensureRouterCAConfigMap(caBundle); err != nil {
 		errs = append(errs, fmt.Errorf("failed to publish router CA: %v", err))
 	}
 

diff --git a/pkg/operator/controller/certificate/publish_ca.go b/pkg/operator/controller/certificate/publish_ca.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"fmt"
 
-	operatorv1 "github.com/openshift/api/operator/v1"
 	"github.com/openshift/cluster-ingress-operator/pkg/operator/controller"
 
 	corev1 "k8s.io/api/core/v1"
@@ -14,8 +13,8 @@ import (
 
 // ensureRouterCAConfigMap will create, update, or delete the configmap for the
 // router CA as appropriate.
-func (r *reconciler) ensureRouterCAConfigMap(secret *corev1.Secret, ingresses []operatorv1.IngressController) error {
-	desired, err := desiredRouterCAConfigMap(secret, ingresses)
+func (r *reconciler) ensureRouterCAConfigMap(caBundle string) error {
+	desired, err := desiredRouterCAConfigMap(caBundle)
 	if err != nil {
 		return err
 	}
@@ -53,35 +52,20 @@ func (r *reconciler) ensureRouterCAConfigMap(secret *corev1.Secret, ingresses []
 }
 
 // desiredRouterCAConfigMap returns the desired router CA configmap.
-func desiredRouterCAConfigMap(secret *corev1.Secret, ingresses []operatorv1.IngressController) (*corev1.ConfigMap, error) {
-	if !shouldPublishRouterCA(ingresses) {
-		return nil, nil
-	}
-
+func desiredRouterCAConfigMap(caBundle string) (*corev1.ConfigMap, error) {
 	name := controller.RouterCAConfigMapName()
 	cm := &corev1.ConfigMap{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name.Name,
 			Namespace: name.Namespace,
 		},
 		Data: map[string]string{
-			"ca-bundle.crt": string(secret.Data["tls.crt"]),
+			"ca-bundle.crt": caBundle,
 		},
 	}
 	return cm, nil
 }
 
-// shouldPublishRouterCA checks if some IngressController uses the default
-// certificate, in which case the CA certificate needs to be published.
-func shouldPublishRouterCA(ingresses []operatorv1.IngressController) bool {
-	for _, ci := range ingresses {
-		if ci.Spec.DefaultCertificate == nil {
-			return true
-		}
-	}
-	return false
-}
-
 // currentRouterCAConfigMap returns the current router CA configmap.
 func (r *reconciler) currentRouterCAConfigMap() (*corev1.ConfigMap, error) {
 	name := controller.RouterCAConfigMapName()

diff --git a/pkg/operator/controller/certificate/publish_ca_test.go b/pkg/operator/controller/certificate/publish_ca_test.go