Merge pull request #411 from marun/stop-adding-service-ca

Bug 1813894: Enable the addition of service ca to token secrets via UnsupportedConfigOverride
openshift · May 27, 2020 · de3f7a3 · de3f7a3
2 parents dcfc3b6 + 3e3aa00
commit de3f7a3
Showing 1 changed file with 58 additions and 2 deletions.
diff --git a/pkg/operator/targetconfigcontroller/targetconfigcontroller.go b/pkg/operator/targetconfigcontroller/targetconfigcontroller.go
@@ -210,7 +210,26 @@ func createTargetConfigController(ctx context.Context, c TargetConfigController,
 	if err != nil {
 		errors = append(errors, fmt.Errorf("%q: %v", "serviceaccount/localhost-recovery-client", err))
 	}
-	_, _, err = managePod(ctx, c.kubeClient.CoreV1(), c.kubeClient.CoreV1(), recorder, operatorSpec, c.targetImagePullSpec, c.operatorImagePullSpec, c.clusterPolicyControllerPullSpec)
+
+	// Allow the addition of the service ca to token secrets to be enabled by setting an
+	// UnsupportedConfigOverride field named
+	// enableDeprecatedAndRemovedServiceCAKeyUntilNextRelease_ThisMakesClusterImpossibleToUpgrade
+	// to true.
+	//
+	// This option is provided for backwards-compatibility in 4.5, and should be removed in 4.6.
+	addServingServiceCAToTokenSecrets := false
+	if len(operatorSpec.UnsupportedConfigOverrides.Raw) > 0 {
+		cmConfigOverride := struct {
+			EnableDeprecatedAndRemovedServiceCAKeyUntilNextRelease_ThisMakesClusterImpossibleToUpgrade bool
+		}{}
+		if err := json.Unmarshal(operatorSpec.UnsupportedConfigOverrides.Raw, &cmConfigOverride); err != nil {
+			errors = append(errors, fmt.Errorf("failed to load EnableDeprecatedAndRemovedServiceCAKeyUntilNextRelease_ThisMakesClusterImpossibleToUpgrade from UnsupportedConfigOverride: %v", err))
+		} else {
+			addServingServiceCAToTokenSecrets = cmConfigOverride.EnableDeprecatedAndRemovedServiceCAKeyUntilNextRelease_ThisMakesClusterImpossibleToUpgrade
+		}
+	}
+
+	_, _, err = managePod(ctx, c.kubeClient.CoreV1(), c.kubeClient.CoreV1(), recorder, operatorSpec, c.targetImagePullSpec, c.operatorImagePullSpec, c.clusterPolicyControllerPullSpec, addServingServiceCAToTokenSecrets)
 	if err != nil {
 		errors = append(errors, fmt.Errorf("%q: %v", "configmap/kube-controller-manager-pod", err))
 	}
@@ -220,6 +239,29 @@ func createTargetConfigController(ctx context.Context, c TargetConfigController,
 		errors = append(errors, fmt.Errorf("%q: %v", "configmap/trusted-ca-bundle", err))
 	}
 
+	// The operator is not upgradeable if serving service CA addition to token secrets is enabled
+	// with the UnsupportedConfigOverride field
+	// EnableDeprecatedAndRemovedServiceCAKeyUntilNextRelease_ThisMakesClusterImpossibleToUpgrade.
+	//
+	// This should be removed in 4.6.
+	var upgradeableCondition operatorv1.OperatorCondition
+	if addServingServiceCAToTokenSecrets {
+		upgradeableCondition = operatorv1.OperatorCondition{
+			Type:    operatorv1.OperatorStatusTypeUpgradeable,
+			Status:  operatorv1.ConditionFalse,
+			Reason:  "AddServingServiceCAToTokenSecretsEnabled",
+			Message: "Disable the addition of the serving service ca to token secrets by removing EnableDeprecatedAndRemovedServiceCAKeyUntilNextRelease_ThisMakesClusterImpossibleToUpgrade from the operator's UnsupportedConfigOverrdies",
+		}
+	} else {
+		upgradeableCondition = operatorv1.OperatorCondition{
+			Type:   operatorv1.OperatorStatusTypeUpgradeable,
+			Status: operatorv1.ConditionTrue,
+		}
+	}
+	if _, _, err := v1helpers.UpdateStaticPodStatus(c.operatorClient, v1helpers.UpdateStaticPodConditionFn(upgradeableCondition)); err != nil {
+		return true, err
+	}
+
 	if len(errors) > 0 {
 		condition := operatorv1.OperatorCondition{
 			Type:    "TargetConfigControllerDegraded",
@@ -327,7 +369,7 @@ func ensureLocalhostRecoverySAToken(ctx context.Context, client corev1client.Cor
 	return err
 }
 
-func managePod(ctx context.Context, configMapsGetter corev1client.ConfigMapsGetter, secretsGetter corev1client.SecretsGetter, recorder events.Recorder, operatorSpec *operatorv1.StaticPodOperatorSpec, imagePullSpec, operatorImagePullSpec, clusterPolicyControllerPullSpec string) (*corev1.ConfigMap, bool, error) {
+func managePod(ctx context.Context, configMapsGetter corev1client.ConfigMapsGetter, secretsGetter corev1client.SecretsGetter, recorder events.Recorder, operatorSpec *operatorv1.StaticPodOperatorSpec, imagePullSpec, operatorImagePullSpec, clusterPolicyControllerPullSpec string, addServingServiceCAToTokenSecrets bool) (*corev1.ConfigMap, bool, error) {
 	required := resourceread.ReadPodV1OrDie(v411_00_assets.MustAsset("v4.1.0/kube-controller-manager/pod.yaml"))
 	// TODO: If the image pull spec is not specified, the "${IMAGE}" will be used as value and the pod will fail to start.
 	images := map[string]string{
@@ -398,6 +440,20 @@ func managePod(ctx context.Context, configMapsGetter corev1client.ConfigMapsGett
 		required.Spec.Containers[i].Env = append(container.Env, proxyEnvVars...)
 	}
 
+	if addServingServiceCAToTokenSecrets {
+		// Ensure the addition of serving service ca to token secrets by setting the environment
+		// variable that will enable the behavior in the controller manager.
+		for _, container := range required.Spec.Containers {
+			if container.Name == "kube-controller-manager" {
+				container.Env = append(container.Env, corev1.EnvVar{
+					Name:  "ADD_SERVICE_SERVING_CA_TO_TOKEN_SECRETS",
+					Value: "true",
+				})
+				break
+			}
+		}
+	}
+
 	configMap := resourceread.ReadConfigMapV1OrDie(v411_00_assets.MustAsset("v4.1.0/kube-controller-manager/pod-cm.yaml"))
 	configMap.Data["pod.yaml"] = resourceread.WritePodV1OrDie(required)
 	configMap.Data["forceRedeploymentReason"] = operatorSpec.ForceRedeploymentReason