switch to always publishing wildcard serving certificate for default ingress
deads2k committed Dec 3, 2019
1 parent 55a94f0 commit 7f7256a
Showing 4 changed files with 19 additions and 26 deletions.
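--- a/pkg/operator/controller/certificate/controller.go
+++ b/pkg/operator/controller/certificate/controller.go
@@ -10,8 +10,6 @@ import (
 "fmt"
 "time"
 
-"k8s.io/apimachinery/pkg/types"
-
 logf "github.com/openshift/cluster-ingress-operator/pkg/log"
 "github.com/openshift/cluster-ingress-operator/pkg/operator/controller"
 ingresscontroller "github.com/openshift/cluster-ingress-operator/pkg/operator/controller/ingress"
@@ -67,7 +65,7 @@ type reconciler struct {
 }
 
 func (r *reconciler) Reconcile(request reconcile.Request) (reconcile.Result, error) {
-controllerMaintainedSigningCertKey, err := r.ensureRouterCASecret()
+ca, err := r.ensureRouterCASecret()
 if err != nil {
 return reconcile.Result{}, fmt.Errorf("failed to ensure router CA: %v", err)
 }
@@ -106,7 +104,7 @@ func (r *reconciler) Reconcile(request reconcile.Request) (reconcile.Result, err
 UID: deployment.UID,
 Controller: &trueVar,
 }
-if _, err := r.ensureDefaultCertificateForIngress(controllerMaintainedSigningCertKey, deployment.Namespace, deploymentRef, ingress); err != nil {
+if _, err := r.ensureDefaultCertificateForIngress(ca, deployment.Namespace, deploymentRef, ingress); err != nil {
 errs = append(errs, fmt.Errorf("failed to ensure default cert for %s: %v", ingress.Name, err))
 }
 }
@@ -117,7 +115,7 @@ func (r *reconciler) Reconcile(request reconcile.Request) (reconcile.Result, err
 ingresses := &operatorv1.IngressControllerList{}
 if err := r.cache.List(context.TODO(), ingresses, client.InNamespace(r.operatorNamespace)); err != nil {
 errs = append(errs, fmt.Errorf("failed to list ingresscontrollers: %v", err))
-} else if err := r.ensureRouterCAConfigMap(controllerMaintainedSigningCertKey, ingresses.Items); err != nil {
+} else if err := r.ensureRouterCAConfigMap(ca, ingresses.Items); err != nil {
 errs = append(errs, fmt.Errorf("failed to publish router CA: %v", err))
 }
 
@@ -129,17 +127,13 @@ func (r *reconciler) Reconcile(request reconcile.Request) (reconcile.Result, err
 return result, utilerrors.NewAggregate(errs)
 }
 
-caBundle := string(controllerMaintainedSigningCertKey.Data["tls.crt"])
-// if we have a custom default certificate, it need to be the one used to very router certificates
-if ingress.Spec.DefaultCertificate != nil && len(ingress.Spec.DefaultCertificate.Name) > 0 {
-secret := &corev1.Secret{}
-if err := r.client.Get(context.TODO(), types.NamespacedName{Namespace: ingress.Namespace, Name: ingress.Spec.DefaultCertificate.Name}, secret); err != nil {
-errs = append(errs, fmt.Errorf("failed to get custom router cert: %v", err))
-return result, utilerrors.NewAggregate(errs)
-}
-caBundle = string(secret.Data["tls.crt"])
+wildcardServingCertKeySecret := &corev1.Secret{}
+if err := r.client.Get(context.TODO(), controller.RouterEffectiveDefaultCertificateSecretName(ingress, ingress.Namespace), wildcardServingCertKeySecret); err != nil {
+errs = append(errs, fmt.Errorf("failed to lookup wildcard cert: %v", err))
+return result, utilerrors.NewAggregate(errs)
 }
-if err := r.ensureDefaultIngressCAConfigMap(caBundle); err != nil {
+caBundle := string(wildcardServingCertKeySecret.Data["tls.crt"])
+if err := r.ensureDefaultIngressCertConfigMap(caBundle); err != nil {
 errs = append(errs, fmt.Errorf("failed to publish router CA: %v", err))
 }
 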
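Review bot: The new lines at the end of the last hunk convert `wildcardServingCertKeySecret.Data["tls.crt"]` to a string without checking that the key exists, so a secret that is present but lacks `tls.crt` publishes an empty string into the default ingress cert configmap, which clients would then load as an empty trust bundle. Returning early keeps whatever the configmap already holds: `crt, ok := wildcardServingCertKeySecret.Data["tls.crt"]` followed by `if !ok || len(crt) == 0 { errs = append(errs, fmt.Errorf("wildcard cert secret has no tls.crt")); return result, utilerrors.NewAggregate(errs) }`. The error text on the following line still reads `failed to publish router CA` although the call now publishes the wildcard serving certificate; `failed to publish default ingress cert` would match the renamed helper. Reconcile begins and ends outside the hunk.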
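--- a/pkg/operator/controller/certificate/publish_ca.go
+++ b/pkg/operator/controller/certificate/publish_ca.go
@@ -4,19 +4,18 @@ import (
 "context"
 "fmt"
 
-"k8s.io/apimachinery/pkg/types"
-
 operatorv1 "github.com/openshift/api/operator/v1"
 "github.com/openshift/cluster-ingress-operator/pkg/operator/controller"
 
 corev1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+"k8s.io/apimachinery/pkg/types"
 )
 
-// ensureDefaultIngressCAConfigMap will create or update the configmap for verifying the default ingress wildcard certificate
-func (r *reconciler) ensureDefaultIngressCAConfigMap(caBundle string) error {
-name := controller.DefaultIngressCAConfigMapName()
+// ensureDefaultIngressCertConfigMap will create or update the configmap containing the public half of the default ingress wildcard certificate
+func (r *reconciler) ensureDefaultIngressCertConfigMap(caBundle string) error {
+name := controller.DefaultIngressCertConfigMapName()
 desired := &corev1.ConfigMap{
 ObjectMeta: metav1.ObjectMeta{
 Name: name.Name,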
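Review bot: The parameter of the renamed `ensureDefaultIngressCertConfigMap` is still called `caBundle`, although the new doc comment says the value is the public half of the wildcard serving certificate rather than a CA bundle, and a reader of the signature alone would take it for a trust anchor. Renaming it, `func (r *reconciler) ensureDefaultIngressCertConfigMap(cert string) error {`, keeps the two in agreement. The e2e test in this commit reads the published configmap through its `ca-bundle.crt` key, which suggests the data key kept the CA naming as well; the data section is outside the hunk, so confirm, and if the key is kept for compatibility a sentence in the doc comment saying so would spare the next maintainer the same question. The function body continues outside the hunk.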
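--- a/pkg/operator/controller/names.go
+++ b/pkg/operator/controller/names.go
@@ -63,13 +63,13 @@ func RouterCAConfigMapName() types.NamespacedName {
 }
 }
 
-// DefaultIngressCAConfigMapName returns the namespaced name for the default ingress CA configmap.
+// DefaultIngressCertConfigMapName returns the namespaced name for the default ingress cert configmap.
 // The operator uses this configmap to publish the public key that golang clients can use to trust
 // the default ingress wildcard serving cert.
-func DefaultIngressCAConfigMapName() types.NamespacedName {
+func DefaultIngressCertConfigMapName() types.NamespacedName {
 return types.NamespacedName{
 Namespace: GlobalMachineSpecifiedConfigNamespace,
-Name: "default-ingress-ca",
+Name: "default-ingress-cert",
 }
 }
 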
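Review bot: The published object moves from `default-ingress-ca` to `default-ingress-cert`, and nothing in the visible changes removes the previously published configmap from `GlobalMachineSpecifiedConfigNamespace`, so as far as this commit shows the old object stays behind with CA content the operator no longer maintains, and any client still reading it keeps trusting a stale bundle. Either a one-time deletion of the old name in the reconciler or a comment here recording that `default-ingress-ca` is no longer maintained would make the transition explicit; confirm against the rest of the operator before adding the deletion. The doc comment also still says the configmap publishes a "public key"; since the value is a certificate, `// The operator uses this configmap to publish the certificate that golang clients can use to trust` would be more accurate.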
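--- a/test/e2e/operator_test.go
+++ b/test/e2e/operator_test.go
@@ -197,7 +197,7 @@ func TestUpdateDefaultIngressController(t *testing.T) {
 t.Fatalf("failed to get CA certificate configmap: %v", err)
 }
 defaultIngressCAConfigmap := &corev1.ConfigMap{}
-if err := kclient.Get(context.TODO(), controller.DefaultIngressCAConfigMapName(), defaultIngressCAConfigmap); err != nil {
+if err := kclient.Get(context.TODO(), controller.DefaultIngressCertConfigMapName(), defaultIngressCAConfigmap); err != nil {
 t.Fatalf("failed to get CA certificate configmap: %v", err)
 }
 
@@ -262,7 +262,7 @@ func TestUpdateDefaultIngressController(t *testing.T) {
 // Wait for the default ingress configmap to be updated
 originalDefaultIngressCAConfigmap := defaultIngressCAConfigmap.DeepCopy()
 err = wait.PollImmediate(1*time.Second, 10*time.Second, func() (bool, error) {
-if err := kclient.Get(context.TODO(), controller.DefaultIngressCAConfigMapName(), defaultIngressCAConfigmap); err != nil {
+if err := kclient.Get(context.TODO(), controller.DefaultIngressCertConfigMapName(), defaultIngressCAConfigmap); err != nil {
 return false, err
 }
 if defaultIngressCAConfigmap.Data["ca-bundle.crt"] == originalDefaultIngressCAConfigmap.Data["ca-bundle.crt"] {
@@ -298,7 +298,7 @@ func TestUpdateDefaultIngressController(t *testing.T) {
 }
 // Wait for the default ingress configmap to be updated back to the original
 err = wait.PollImmediate(1*time.Second, 10*time.Second, func() (bool, error) {
-if err := kclient.Get(context.TODO(), controller.DefaultIngressCAConfigMapName(), defaultIngressCAConfigmap); err != nil {
+if err := kclient.Get(context.TODO(), controller.DefaultIngressCertConfigMapName(), defaultIngressCAConfigmap); err != nil {
 return false, err
 }
 if defaultIngressCAConfigmap.Data["ca-bundle.crt"] == originalDefaultIngressCAConfigmap.Data["ca-bundle.crt"] {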
