From cdd19be64b3ca55ab1f720049e97b9100b4d5ed0 Mon Sep 17 00:00:00 2001
From: Vadim Rutkovsky
Date: Tue, 28 Nov 2023 10:23:43 +0100
Subject: [PATCH] Bump library-go
---
 go.mod | 2 +-
 go.sum | 4 +-
 .../pkg/operator/certrotation/annotations.go | 37 +++++++++++++++++
 .../pkg/operator/certrotation/cabundle.go | 16 ++++++--
 .../pkg/operator/certrotation/signer.go | 40 +++++++------------
 .../pkg/operator/certrotation/target.go | 21 +++++++++-
 .../pkg/operator/csr/cert_controller.go | 23 ++++++-----
 .../operator/resource/resourceapply/rbac.go | 25 +++++++-----
 .../operator/resourcesynccontroller/core.go | 20 ++++++++--
 vendor/modules.txt | 4 +-
 10 files changed, 134 insertions(+), 58 deletions(-)
 create mode 100644 vendor/github.com/openshift/library-go/pkg/operator/certrotation/annotations.go
diff --git a/go.mod b/go.mod
index 514e5fa6a8..14039dee0c 100644
--- a/go.mod
+++ b/go.mod
@@ -150,4 +150,4 @@ require (
 sigs.k8s.io/yaml v1.3.0 // indirect
 )
-replace github.com/openshift/library-go => github.com/vrutkovs/library-go v0.0.0-20231122144858-bd3a034d7b33
+replace github.com/openshift/library-go => github.com/vrutkovs/library-go v0.0.0-20231128081504-a568dda48dc2
diff --git a/go.sum b/go.sum
index 0ae6fdbf5f..07a9e20b73 100644
--- a/go.sum
+++ b/go.sum
@@ -503,8 +503,8 @@ github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhV
 github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs=
 github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE=
-github.com/vrutkovs/library-go v0.0.0-20231122144858-bd3a034d7b33 h1:zrh5/6tKgXu0RLczcYFSh5H6P8qAEDF5jyMTjZkp8uU=
-github.com/vrutkovs/library-go v0.0.0-20231122144858-bd3a034d7b33/go.mod h1:8UzmrBMCn7+GzouL8DVYkL9COBQTB1Ggd13/mHJQCUg=
+github.com/vrutkovs/library-go v0.0.0-20231128081504-a568dda48dc2 h1:HmnhHnWSxZ6Z13gs/iKYd3vonzVFuOYqJVVmnsew2r0=
+github.com/vrutkovs/library-go v0.0.0-20231128081504-a568dda48dc2/go.mod h1:8UzmrBMCn7+GzouL8DVYkL9COBQTB1Ggd13/mHJQCUg=
 github.com/vultr/govultr/v2 v2.17.2 h1:gej/rwr91Puc/tgh+j33p/BLR16UrIPnSr+AIwYWZQs=
 github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=
 github.com/xdg-go/scram v1.0.2/go.mod h1:1WAq6h33pAW+iRreB34OORO2Nf7qel3VV3fjBj+hCSs=
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/annotations.go b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/annotations.go
new file mode 100644
index 0000000000..c9b5648926
--- /dev/null
+++ b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/annotations.go
@@ -0,0 +1,37 @@
+package certrotation
+
+import (
+ "github.com/openshift/api/annotations"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func NewObjectMeta(name, namespace, jiraComponent, description string) metav1.ObjectMeta {
+ return metav1.ObjectMeta{
+ Namespace: namespace,
+ Name: name,
+ Annotations: map[string]string{
+ annotations.OpenShiftComponent: jiraComponent,
+ annotations.OpenShiftDescription: description,
+ },
+ }
+}
+
+// EnsureTLSMetadataUpdate mutates objectMeta setting necessary annotations if unset
+func EnsureTLSMetadataUpdate(meta *metav1.ObjectMeta, jiraComponent, description string) bool {
+ modified := false
+ if meta.Annotations == nil {
+ meta.Annotations = map[string]string{
+ annotations.OpenShiftComponent: "",
+ annotations.OpenShiftDescription: "",
+ }
+ }
+ if len(jiraComponent) > 0 && meta.Annotations[annotations.OpenShiftComponent] != jiraComponent {
+ meta.Annotations[annotations.OpenShiftComponent] = jiraComponent
+ modified = true
+ }
+ if len(description) > 0 && meta.Annotations[annotations.OpenShiftDescription] != description {
+ meta.Annotations[annotations.OpenShiftDescription] = description
+ modified = true
+ }
+ return modified
+}
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/cabundle.go b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/cabundle.go
index 7111a30899..7dcaa28857 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/cabundle.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/cabundle.go
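Review bot: NewObjectMeta declares its parameters as `(name, namespace, jiraComponent, description string)` and assigns `Namespace: namespace, Name: name`, but every caller in this patch passes the namespace first — `NewObjectMeta(c.Namespace, c.Name, …)` in cabundle.go, signer.go and target.go, and `certrotation.NewObjectMeta(c.SecretNamespace, c.SecretName, …)` in cert_controller.go — so a freshly created Secret or ConfigMap gets its Name and Namespace swapped. Since all call sites agree, the least disruptive fix is to flip the declaration: `func NewObjectMeta(namespace, name, jiraComponent, description string) metav1.ObjectMeta {`. The defect only surfaces on the not-found path, so it is easy to miss on a cluster where the objects already exist. The function is also exported without a doc comment; something like `// NewObjectMeta builds an ObjectMeta for namespace/name carrying the component and description annotations.` would document the argument order at the same time.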
@@ -53,13 +53,23 @@ func (c CABundleConfigMap) ensureConfigMapCABundle(ctx context.Context, signingC
 caBundleConfigMap := originalCABundleConfigMap.DeepCopy()
 if apierrors.IsNotFound(err) {
 // create an empty one
- caBundleConfigMap = &corev1.ConfigMap{ObjectMeta: metav1.ObjectMeta{Namespace: c.Namespace, Name: c.Name}}
+ caBundleConfigMap = &corev1.ConfigMap{ObjectMeta: NewObjectMeta(
+ c.Namespace,
+ c.Name,
+ c.JiraComponent,
+ c.Description,
+ )}
 secretExists = false
 }
+
+ needsMetadataUpdate := false
 if c.Owner != nil {
- ensureOwnerReference(&caBundleConfigMap.ObjectMeta, c.Owner)
+ needsMetadataUpdate = ensureOwnerReference(&caBundleConfigMap.ObjectMeta, c.Owner)
+ }
+ if len(c.JiraComponent) > 0 || len(c.Description) > 0 {
+ needsMetadataUpdate = EnsureTLSMetadataUpdate(&caBundleConfigMap.ObjectMeta, c.JiraComponent, c.Description) || needsMetadataUpdate
 }
- if NeedsTLSMetadataUpdate(&caBundleConfigMap.ObjectMeta, c.JiraComponent, c.Description) && secretExists {
+ if needsMetadataUpdate && secretExists {
 _, _, err := resourceapply.ApplyConfigMap(ctx, c.Client, c.EventRecorder, caBundleConfigMap)
 if err != nil {
 return nil, err
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/signer.go b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/signer.go
index 883a99fa26..f0b4f00529 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/signer.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/signer.go
@@ -6,7 +6,6 @@ import (
 "fmt"
 "time"
- "github.com/openshift/api/annotations"
 "github.com/openshift/library-go/pkg/crypto"
 "github.com/openshift/library-go/pkg/operator/events"
 "github.com/openshift/library-go/pkg/operator/resource/resourceapply"
@@ -66,15 +65,24 @@ func (c RotatedSigningCASecret) ensureSigningCertKeyPair(ctx context.Context) (*
 signingCertKeyPairSecret := originalSigningCertKeyPairSecret.DeepCopy()
 if apierrors.IsNotFound(err) {
 // create an empty one
- signingCertKeyPairSecret = &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Namespace: c.Namespace, Name: c.Name}}
+ signingCertKeyPairSecret = &corev1.Secret{ObjectMeta: NewObjectMeta(
+ c.Namespace,
+ c.Name,
+ c.JiraComponent,
+ c.Description,
+ )}
 secretExists = false
 }
 signingCertKeyPairSecret.Type = corev1.SecretTypeTLS
+ needsMetadataUpdate := false
 if c.Owner != nil {
- ensureOwnerReference(&signingCertKeyPairSecret.ObjectMeta, c.Owner)
+ needsMetadataUpdate = ensureOwnerReference(&signingCertKeyPairSecret.ObjectMeta, c.Owner)
 }
- if NeedsTLSMetadataUpdate(&signingCertKeyPairSecret.ObjectMeta, c.JiraComponent, c.Description) && secretExists {
+ if len(c.JiraComponent) > 0 || len(c.Description) > 0 {
+ needsMetadataUpdate = EnsureTLSMetadataUpdate(&signingCertKeyPairSecret.ObjectMeta, c.JiraComponent, c.Description) || needsMetadataUpdate
+ }
+ if needsMetadataUpdate && secretExists {
 _, _, err := resourceapply.ApplySecret(ctx, c.Client, c.EventRecorder, signingCertKeyPairSecret)
 if err != nil {
 return nil, err
@@ -105,7 +113,7 @@ func (c RotatedSigningCASecret) ensureSigningCertKeyPair(ctx context.Context) (*
 }
 // ensureOwnerReference adds the owner to the list of owner references in meta, if necessary
-func ensureOwnerReference(meta *metav1.ObjectMeta, owner *metav1.OwnerReference) {
+func ensureOwnerReference(meta *metav1.ObjectMeta, owner *metav1.OwnerReference) bool {
 var found bool
 for _, ref := range meta.OwnerReferences {
 if ref == *owner {
@@ -115,27 +123,9 @@ func ensureOwnerReference(meta *metav1.ObjectMeta, owner *metav1.OwnerReference)
 }
 if !found {
 meta.OwnerReferences = append(meta.OwnerReferences, *owner)
+ return true
 }
-}
-
-// NeedsTLSMetadataUpdate adds annotations in meta, if necessary
-func NeedsTLSMetadataUpdate(meta *metav1.ObjectMeta, jiraComponent, description string) bool {
- modified := false
- if len(meta.Annotations) == 0 {
- meta.Annotations = map[string]string{
- annotations.OpenShiftComponent: "",
- annotations.OpenShiftDescription: "",
- }
- }
- if len(jiraComponent) > 0 && meta.Annotations[annotations.OpenShiftComponent] != jiraComponent {
- meta.Annotations[annotations.OpenShiftComponent] = jiraComponent
- modified = true
- }
- if len(description) > 0 && meta.Annotations[annotations.OpenShiftDescription] != description {
- meta.Annotations[annotations.OpenShiftDescription] = description
- modified = true
- }
- return modified
+ return false
 }
 func needNewSigningCertKeyPair(annotations map[string]string, refresh time.Duration, refreshOnlyWhenExpired bool) (bool, string) {
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go
index 2289d0082b..ec95c90c57 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go
@@ -94,6 +94,7 @@ func (c RotatedSelfSignedCertKeySecret) ensureTargetCertKeyPair(ctx context.Cont
 // validity percentage. We always check to see if we need to sign. Often we are signing with an old key or we have no target
 // and need to mint one
 // TODO do the cross signing thing, but this shows the API consumers want and a very simple impl.
+ secretExists := true
 originalTargetCertKeyPairSecret, err := c.Lister.Secrets(c.Namespace).Get(c.Name)
 if err != nil && !apierrors.IsNotFound(err) {
 return err
@@ -101,12 +102,28 @@ func (c RotatedSelfSignedCertKeySecret) ensureTargetCertKeyPair(ctx context.Cont
 targetCertKeyPairSecret := originalTargetCertKeyPairSecret.DeepCopy()
 if apierrors.IsNotFound(err) {
 // create an empty one
- targetCertKeyPairSecret = &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Namespace: c.Namespace, Name: c.Name}}
+ targetCertKeyPairSecret = &corev1.Secret{ObjectMeta: NewObjectMeta(
+ c.Namespace,
+ c.Name,
+ c.JiraComponent,
+ c.Description,
+ )}
+ secretExists = false
 }
 targetCertKeyPairSecret.Type = corev1.SecretTypeTLS
+ needsMetadataUpdate := false
 if c.Owner != nil {
- ensureOwnerReference(&targetCertKeyPairSecret.ObjectMeta, c.Owner)
+ needsMetadataUpdate = ensureOwnerReference(&targetCertKeyPairSecret.ObjectMeta, c.Owner)
+ }
+ if len(c.JiraComponent) > 0 || len(c.Description) > 0 {
+ needsMetadataUpdate = EnsureTLSMetadataUpdate(&targetCertKeyPairSecret.ObjectMeta, c.JiraComponent, c.Description) || needsMetadataUpdate
+ }
+ if needsMetadataUpdate && secretExists {
+ _, _, err := resourceapply.ApplySecret(ctx, c.Client, c.EventRecorder, targetCertKeyPairSecret)
+ if err != nil {
+ return err
+ }
 }
 if reason := needNewTargetCertKeyPair(targetCertKeyPairSecret.Annotations, signingCertKeyPair, caBundleCerts, c.Refresh, c.RefreshOnlyWhenExpired); len(reason) > 0 {
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/csr/cert_controller.go b/vendor/github.com/openshift/library-go/pkg/operator/csr/cert_controller.go
index 7872d86dab..23e075d637 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/csr/cert_controller.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/csr/cert_controller.go
@@ -152,20 +152,21 @@ func (c *clientCertificateController) sync(ctx context.Context, syncCtx factory.
 switch {
 case errors.IsNotFound(err):
 secret = &corev1.Secret{
- ObjectMeta: metav1.ObjectMeta{
- Namespace: c.SecretNamespace,
- Name: c.SecretName,
- },
+ ObjectMeta: certrotation.NewObjectMeta(
+ c.SecretNamespace,
+ c.SecretName,
+ c.JiraComponent,
+ c.Description,
+ ),
 }
 secretExists = false
 case err != nil:
 return fmt.Errorf("unable to get secret %q: %w", c.SecretNamespace+"/"+c.SecretName, err)
 }
- // ensure the secret has necessary metadata
- if certrotation.NeedsTLSMetadataUpdate(&secret.ObjectMeta, c.JiraComponent, c.Description) && secretExists {
- if err := c.saveSecret(secret); err != nil {
- return err
- }
+
+ needsMetadataUpdate := false
+ if len(c.JiraComponent) > 0 || len(c.Description) > 0 {
+ needsMetadataUpdate = certrotation.EnsureTLSMetadataUpdate(&secret.ObjectMeta, c.JiraComponent, c.Description)
 }
 // reconcile pending csr if exists
@@ -190,6 +191,10 @@ func (c *clientCertificateController) sync(ctx context.Context, syncCtx factory.
 syncCtx.Recorder().Eventf("ClientCertificateCreated", "A new client certificate for %s is available", c.controllerName)
 c.reset()
 return nil
+ } else if needsMetadataUpdate && secretExists {
+ if err := c.saveSecret(secret); err != nil {
+ return err
+ }
 }
 // create a csr to request new client certificate if
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/rbac.go b/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/rbac.go
index 0e378edd2d..38a92222ed 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/rbac.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/rbac.go
@@ -2,7 +2,6 @@ package resourceapply
 import (
 "context"
- "fmt"
 rbacv1 "k8s.io/api/rbac/v1"
 "k8s.io/apimachinery/pkg/api/equality"
@@ -15,12 +14,8 @@ import (
 "github.com/openshift/library-go/pkg/operator/resource/resourcemerge"
 )
-// ApplyClusterRole merges objectmeta, requires rules, aggregation rules are not allowed for now.
+// ApplyClusterRole merges objectmeta, requires rules.
 func ApplyClusterRole(ctx context.Context, client rbacclientv1.ClusterRolesGetter, recorder events.Recorder, required *rbacv1.ClusterRole) (*rbacv1.ClusterRole, bool, error) {
- if required.AggregationRule != nil && len(required.AggregationRule.ClusterRoleSelectors) != 0 {
- return nil, false, fmt.Errorf("cannot create an aggregated cluster role")
- }
-
 existing, err := client.ClusterRoles().Get(ctx, required.Name, metav1.GetOptions{})
 if apierrors.IsNotFound(err) {
 requiredCopy := required.DeepCopy()
@@ -37,13 +32,23 @@ func ApplyClusterRole(ctx context.Context, client rbacclientv1.ClusterRolesGette
 existingCopy := existing.DeepCopy()
 resourcemerge.EnsureObjectMeta(modified, &existingCopy.ObjectMeta, required.ObjectMeta)
- contentSame := equality.Semantic.DeepEqual(existingCopy.Rules, required.Rules)
- if contentSame && !*modified {
+ rulesContentSame := equality.Semantic.DeepEqual(existingCopy.Rules, required.Rules)
+ aggregationRuleContentSame := equality.Semantic.DeepEqual(existingCopy.AggregationRule, required.AggregationRule)
+
+ if aggregationRuleContentSame && rulesContentSame && !*modified {
 return existingCopy, false, nil
 }
- existingCopy.Rules = required.Rules
- existingCopy.AggregationRule = nil
+ if !aggregationRuleContentSame {
+ existingCopy.AggregationRule = required.AggregationRule
+ }
+
+ // The control plane controller that reconciles ClusterRoles
+ // overwrites any values that are manually specified in the rules field of an aggregate ClusterRole.
+ // As such skip reconciling on the Rules field when the AggregationRule is set.
+ if !rulesContentSame && required.AggregationRule == nil {
+ existingCopy.Rules = required.Rules
+ }
 if klog.V(4).Enabled() {
 klog.Infof("ClusterRole %q changes: %v", required.Name, JSONPatchNoError(existing, existingCopy))
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/resourcesynccontroller/core.go b/vendor/github.com/openshift/library-go/pkg/operator/resourcesynccontroller/core.go
index f5a26338b7..fe600d4564 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/resourcesynccontroller/core.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/resourcesynccontroller/core.go
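Review bot: For an aggregated ClusterRole the new early return can no longer fire: the control plane populates existing.Rules from the selected roles, so `rulesContentSame` is false on every sync, while the later `required.AggregationRule == nil` guard deliberately leaves Rules alone — the function then falls through to whatever update path follows the hunk (presumably the existing Update call) with an object that differs only in the field it just chose not to reconcile, which looks like an update on every resync for such roles. The guard should ignore Rules whenever an aggregation rule is requested: `if aggregationRuleContentSame && (rulesContentSame || required.AggregationRule != nil) && !*modified {`. Since this function now writes AggregationRule for the first time, the doc comment would also benefit from saying so, e.g. `// ApplyClusterRole merges objectmeta and reconciles rules, or the aggregation rule when one is set.` ApplyClusterRole continues outside the hunk.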
@@ -11,10 +11,11 @@ import (
 corev1listers "k8s.io/client-go/listers/core/v1"
 "k8s.io/client-go/util/cert"
+ "github.com/openshift/api/annotations"
 "github.com/openshift/library-go/pkg/crypto"
 )
-func CombineCABundleConfigMaps(destinationConfigMap ResourceLocation, lister corev1listers.ConfigMapLister, inputConfigMaps ...ResourceLocation) (*corev1.ConfigMap, error) {
+func CombineCABundleConfigMaps(destinationConfigMap ResourceLocation, lister corev1listers.ConfigMapLister, jiraComponent, description string, inputConfigMaps ...ResourceLocation) (*corev1.ConfigMap, error) {
 certificates := []*x509.Certificate{}
 for _, input := range inputConfigMaps {
 inputConfigMap, err := lister.ConfigMaps(input.Namespace).Get(input.Name)
@@ -58,10 +59,21 @@ func CombineCABundleConfigMaps(destinationConfigMap ResourceLocation, lister cor
 return nil, err
 }
- return &corev1.ConfigMap{
- ObjectMeta: metav1.ObjectMeta{Namespace: destinationConfigMap.Namespace, Name: destinationConfigMap.Name},
+ cm := &corev1.ConfigMap{
+ ObjectMeta: metav1.ObjectMeta{
+ Namespace: destinationConfigMap.Namespace,
+ Name: destinationConfigMap.Name,
+ Annotations: make(map[string]string),
+ },
 Data: map[string]string{
 "ca-bundle.crt": string(caBytes),
 },
- }, nil
+ }
+ if len(jiraComponent) != 0 {
+ cm.Annotations[annotations.OpenShiftComponent] = jiraComponent
+ }
+ if len(description) != 0 {
+ cm.Annotations[annotations.OpenShiftDescription] = description
+ }
+ return cm, nil
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index abf5cf76bf..7f56eba474 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -416,7 +416,7 @@ github.com/openshift/client-go/security/clientset/versioned/fake
 github.com/openshift/client-go/security/clientset/versioned/scheme
 github.com/openshift/client-go/security/clientset/versioned/typed/security/v1
 github.com/openshift/client-go/security/clientset/versioned/typed/security/v1/fake
-# github.com/openshift/library-go v0.0.0-20231102154438-cfcf2b4fbc87 => github.com/vrutkovs/library-go v0.0.0-20231122144858-bd3a034d7b33
+# github.com/openshift/library-go v0.0.0-20231102154438-cfcf2b4fbc87 => github.com/vrutkovs/library-go v0.0.0-20231128081504-a568dda48dc2
 ## explicit; go 1.20
 github.com/openshift/library-go/pkg/authorization/hardcodedauthorizer
 github.com/openshift/library-go/pkg/certs
@@ -1575,4 +1575,4 @@ sigs.k8s.io/structured-merge-diff/v4/value
 # sigs.k8s.io/yaml v1.3.0
 ## explicit; go 1.12
 sigs.k8s.io/yaml
-# github.com/openshift/library-go => github.com/vrutkovs/library-go v0.0.0-20231122144858-bd3a034d7b33
+# github.com/openshift/library-go => github.com/vrutkovs/library-go v0.0.0-20231128081504-a568dda48dc2