cpo/c/hcp/*: Separate Aggregate Client trust chain

Signed-off-by: Krzysztof Ostrowski <kostrows@redhat.com>

control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go

@@ -1279,10 +1279,26 @@ func (r *HostedControlPlaneReconciler) reconcilePKI(ctx context.Context, hcp *hy
 		return fmt.Errorf("failed to reconcile kas kubelet client secret: %w", err)
 	}
 
-	// KAS aggregator cert secret
+	// KAS aggregator client signer
+	kasAggregateClientSigner := manifests.AggregateClientSigner(hcp.Namespace)
+	if _, err := createOrUpdate(ctx, r, kasAggregateClientSigner, func() error {
+		return pki.ReconcileAggregateClientSigner(kasAggregateClientSigner, p.OwnerRef)
+	}); err != nil {
+		return fmt.Errorf("failed to reconcile root CA: %w", err)
+	}
+
+	// KAS aggregator client CA
+	kasAggregateClientCA := manifests.AggregateClientCAConfigMap(hcp.Namespace)
+	if _, err := createOrUpdate(ctx, r, kasAggregateClientCA, func() error {
+		return pki.ReconcileAggregateClientCA(kasAggregateClientCA, p.OwnerRef, kasAggregateClientSigner)
+	}); err != nil {
+		return fmt.Errorf("failed to reconcile combined CA: %w", err)
+	}
+
+	// KAS aggregator client cert
 	kasAggregatorCertSecret := manifests.KASAggregatorCertSecret(hcp.Namespace)
 	if _, err := createOrUpdate(ctx, r, kasAggregatorCertSecret, func() error {
-		return pki.ReconcileKASAggregatorCertSecret(kasAggregatorCertSecret, rootCASecret, p.OwnerRef)
+		return pki.ReconcileKASAggregatorCertSecret(kasAggregatorCertSecret, kasAggregateClientSigner, p.OwnerRef)
 	}); err != nil {
 		return fmt.Errorf("failed to reconcile kas aggregator secret: %w", err)
 	}

control-plane-operator/controllers/hostedcontrolplane/kas/deployment.go

@@ -536,6 +536,7 @@ func kasVolumeAggregatorCert() *corev1.Volume {
 		Name: "aggregator-crt",
 	}
 }
+
 func buildKASVolumeAggregatorCert(v *corev1.Volume) {
 	if v.Secret == nil {
 		v.Secret = &corev1.SecretVolumeSource{}
@@ -554,7 +555,7 @@ func buildKASVolumeAggregatorCA(v *corev1.Volume) {
 		v.ConfigMap = &corev1.ConfigMapVolumeSource{}
 	}
 	v.ConfigMap.DefaultMode = pointer.Int32Ptr(420)
-	v.ConfigMap.Name = manifests.CombinedCAConfigMap("").Name
+	v.ConfigMap.Name = manifests.AggregateClientCAConfigMap("").Name
 }
 
 func kasVolumeEgressSelectorConfig() *corev1.Volume {

control-plane-operator/controllers/hostedcontrolplane/manifests/pki.go

@@ -32,6 +32,15 @@ func CombinedCAConfigMap(ns string) *corev1.ConfigMap {
 	}
 }
 
+func AggregateClientCAConfigMap(ns string) *corev1.ConfigMap {
+	return &corev1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "aggregator-client-ca",
+			Namespace: ns,
+		},
+	}
+}
+
 func MetricsClientCertSecret(ns string) *corev1.Secret {
 	return &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
@@ -95,6 +104,24 @@ func KASKubeletClientCertSecret(ns string) *corev1.Secret {
 	}
 }
 
+func AggregateClientSigner(ns string) *corev1.Secret {
+	return &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "kas-aggregator-client-signer",
+			Namespace: ns,
+		},
+	}
+}
+
+func KASAggregatorSignerSecret(ns string) *corev1.Secret {
+	return &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "kas-aggregator-signer",
+			Namespace: ns,
+		},
+	}
+}
+
 func KASAggregatorCertSecret(ns string) *corev1.Secret {
 	return &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{

control-plane-operator/controllers/hostedcontrolplane/pki/ca.go

@@ -30,6 +30,14 @@ func reconcileAggregateCA(configMap *corev1.ConfigMap, ownerRef config.OwnerRef,
 	return nil
 }
 
+func ReconcileAggregateClientSigner(secret *corev1.Secret, ownerRef config.OwnerRef) error {
+	return reconcileSelfSignedCA(secret, ownerRef, "kas-aggregator-signer", "openshift")
+}
+
+func ReconcileAggregateClientCA(cm *corev1.ConfigMap, ownerRef config.OwnerRef, signer *corev1.Secret) error {
+	return reconcileAggregateCA(cm, ownerRef, signer)
+}
+
 func ReconcileRootCA(secret *corev1.Secret, ownerRef config.OwnerRef) error {
 	return reconcileSelfSignedCA(secret, ownerRef, "root-ca", "openshift")
 }