Merge pull request #782 from pgier/cleanup-thanos-ruler-ca-bundle

Bug 1821666: pkg/tasks: thanos ruler cleanup
openshift · May 20, 2020 · f5d857d · f5d857d
2 parents 82fbac5 + 037400f
commit f5d857d
Show file tree

Hide file tree

Showing 6 changed files with 34 additions and 20 deletions.
diff --git a/pkg/client/client.go b/pkg/client/client.go
@@ -352,38 +352,42 @@ func (c *Client) DeleteConfigMap(cm *v1.ConfigMap) error {
 	return err
 }
 
-func (c *Client) DeleteHashedConfigMap(newHash, prefix string) error {
+// DeleteHashedConfigMap deletes all configmaps in the given namespace which have
+// the specified prefix, and DO NOT have the given hash.
+func (c *Client) DeleteHashedConfigMap(namespace, prefix, newHash string) error {
 	ls := "monitoring.openshift.io/name=" + prefix + ",monitoring.openshift.io/hash!=" + newHash
-	configMaps, err := c.KubernetesInterface().CoreV1().ConfigMaps(c.namespace).List(metav1.ListOptions{
+	configMaps, err := c.KubernetesInterface().CoreV1().ConfigMaps(namespace).List(metav1.ListOptions{
 		LabelSelector: ls,
 	})
 	if err != nil {
-		return errors.Wrapf(err, "error listing configmaps with label selector %s", ls)
+		return errors.Wrapf(err, "error listing configmaps in namespace %s with label selector %s", namespace, ls)
 	}
 
-	for i := range configMaps.Items {
-		err := c.KubernetesInterface().CoreV1().ConfigMaps(c.namespace).Delete(configMaps.Items[i].Name, &metav1.DeleteOptions{})
+	for _, cm := range configMaps.Items {
+		err := c.KubernetesInterface().CoreV1().ConfigMaps(namespace).Delete(cm.Name, &metav1.DeleteOptions{})
 		if err != nil {
-			return errors.Wrapf(err, "error deleting configmap: %s", configMaps.Items[i].Name)
+			return errors.Wrapf(err, "error deleting configmap: %s/%s", namespace, cm.Name)
 		}
 	}
 
 	return nil
 }
 
-func (c *Client) DeleteHashedSecret(newHash, prefix string) error {
+// DeleteHashedSecret deletes all secrets in the given namespace which have
+// the specified prefix, and DO NOT have the given hash.
+func (c *Client) DeleteHashedSecret(namespace, prefix, newHash string) error {
 	ls := "monitoring.openshift.io/name=" + prefix + ",monitoring.openshift.io/hash!=" + newHash
-	configMaps, err := c.KubernetesInterface().CoreV1().Secrets(c.namespace).List(metav1.ListOptions{
+	secrets, err := c.KubernetesInterface().CoreV1().Secrets(namespace).List(metav1.ListOptions{
 		LabelSelector: ls,
 	})
 	if err != nil {
-		return errors.Wrapf(err, "error listing secrets with label selector %s", ls)
+		return errors.Wrapf(err, "error listing secrets in namespace %s with label selector %s", namespace, ls)
 	}
 
-	for i := range configMaps.Items {
-		err := c.KubernetesInterface().CoreV1().Secrets(c.namespace).Delete(configMaps.Items[i].Name, &metav1.DeleteOptions{})
+	for _, s := range secrets.Items {
+		err := c.KubernetesInterface().CoreV1().Secrets(namespace).Delete(s.Name, &metav1.DeleteOptions{})
 		if err != nil {
-			return errors.Wrapf(err, "error deleting secret: %s", configMaps.Items[i].Name)
+			return errors.Wrapf(err, "error deleting secret: %s/%s", namespace, s.Name)
 		}
 	}
 

diff --git a/pkg/tasks/helpers.go b/pkg/tasks/helpers.go
@@ -79,8 +79,9 @@ func (cbs *caBundleSyncer) syncTrustedCABundle(trustedCA *v1.ConfigMap) (*v1.Con
 	}
 
 	err = cbs.client.DeleteHashedConfigMap(
-		string(hashedCM.Labels["monitoring.openshift.io/hash"]),
+		trustedCA.GetNamespace(),
 		cbs.prefix,
+		string(hashedCM.Labels["monitoring.openshift.io/hash"]),
 	)
 	return hashedCM, errors.Wrap(err, "deleting old trusted CA bundle configmaps failed")
 }
diff --git a/pkg/tasks/prometheus.go b/pkg/tasks/prometheus.go
@@ -270,8 +270,9 @@ func (t *PrometheusTask) Run() error {
 	}
 
 	err = t.client.DeleteHashedSecret(
-		string(s.Labels["monitoring.openshift.io/hash"]),
+		s.GetNamespace(),
 		"prometheus-k8s-grpc-tls",
+		string(s.Labels["monitoring.openshift.io/hash"]),
 	)
 	if err != nil {
 		return errors.Wrap(err, "error creating Prometheus Client GRPC TLS secret")

diff --git a/pkg/tasks/prometheus_user_workload.go b/pkg/tasks/prometheus_user_workload.go
@@ -169,8 +169,9 @@ func (t *PrometheusUserWorkloadTask) create() error {
 	}
 
 	err = t.client.DeleteHashedSecret(
-		string(s.Labels["monitoring.openshift.io/hash"]),
+		s.GetNamespace(),
 		"prometheus-user-workload-grpc-tls",
+		string(s.Labels["monitoring.openshift.io/hash"]),
 	)
 	if err != nil {
 		return errors.Wrap(err, "error creating UserWorkload Prometheus Client GRPC TLS secret")

diff --git a/pkg/tasks/thanos_querier.go b/pkg/tasks/thanos_querier.go
@@ -168,8 +168,9 @@ func (t *ThanosQuerierTask) Run() error {
 	}
 
 	err = t.client.DeleteHashedSecret(
-		string(s.Labels["monitoring.openshift.io/hash"]),
+		s.GetNamespace(),
 		"thanos-querier-grpc-tls",
+		string(s.Labels["monitoring.openshift.io/hash"]),
 	)
 	if err != nil {
 		return errors.Wrap(err, "error creating Thanos Querier Client GRPC TLS secret")

diff --git a/pkg/tasks/thanos_ruler_user_workload.go b/pkg/tasks/thanos_ruler_user_workload.go
@@ -191,8 +191,9 @@ func (t *ThanosRulerUserWorkloadTask) create() error {
 		}
 
 		err = t.client.DeleteHashedSecret(
-			string(grpcSecret.Labels["monitoring.openshift.io/hash"]),
+			grpcSecret.GetNamespace(),
 			"thanos-ruler-user-workload-grpc-tls",
+			string(grpcSecret.Labels["monitoring.openshift.io/hash"]),
 		)
 		if err != nil {
 			return errors.Wrap(err, "error deleting expired UserWorkload Thanos Ruler GRPC TLS secret")
@@ -293,12 +294,12 @@ func (t *ThanosRulerUserWorkloadTask) destroy() error {
 		return errors.Wrap(err, "deleting Thanos Ruler ServiceAccount failed")
 	}
 
-	s, err := t.factory.ThanosRulerOauthCookieSecret()
+	oauthSecret, err := t.factory.ThanosRulerOauthCookieSecret()
 	if err != nil {
 		return errors.Wrap(err, "initializing Thanos Ruler OAuth Cookie Secret failed")
 	}
 
-	err = t.client.DeleteSecret(s)
+	err = t.client.DeleteSecret(oauthSecret)
 	if err != nil {
 		return errors.Wrap(err, "deleting Thanos Ruler OAuth Cookie Secret failed")
 	}
@@ -313,6 +314,11 @@ func (t *ThanosRulerUserWorkloadTask) destroy() error {
 		return errors.Wrap(err, "deleting Thanos Ruler trusted CA bundle ConfigMap failed")
 	}
 
+	err = t.client.DeleteHashedConfigMap(trustedCA.GetNamespace(), "thanos-ruler", "")
+	if err != nil {
+		return errors.Wrap(err, "deleting all hashed Thanos Ruler trusted CA bundle ConfigMap failed")
+	}
+
 	grpcTLS, err := t.factory.GRPCSecret(nil)
 	if err != nil {
 		return errors.Wrap(err, "initializing UserWorkload Thanos Ruler GRPC secret failed")
@@ -328,7 +334,7 @@ func (t *ThanosRulerUserWorkloadTask) destroy() error {
 		return errors.Wrap(err, "error initializing UserWorkload Thanos Ruler GRPC TLS secret")
 	}
 
-	grpcSecret, err = t.factory.HashSecret(s,
+	grpcSecret, err = t.factory.HashSecret(grpcSecret,
 		"ca.crt", string(grpcTLS.Data["ca.crt"]),
 		"server.crt", string(grpcTLS.Data["prometheus-server.crt"]),
 		"server.key", string(grpcTLS.Data["prometheus-server.key"]),