Merge pull request #1504 from yuqi-zhang/bot-4.11

[release-4.11] OCPBUGS-16059: mcs cert: account for environments that use IP directly
openshift · Aug 1, 2023 · f56bc26 · f56bc26
2 parents 7e1b2fb + 9220ae0
commit f56bc26
Show file tree

Hide file tree

Showing 3 changed files with 70 additions and 12 deletions.
diff --git a/pkg/cli/admin/ocpcertificates/regeneratemco/command.go b/pkg/cli/admin/ocpcertificates/regeneratemco/command.go
@@ -21,19 +21,22 @@ const (
 	keyExpiry  = caExpiry
 	keyRefresh = caRefresh
 
-	mcoNamespace   = "openshift-machine-config-operator"
-	mapiNamespace  = "openshift-machine-api"
-	controllerName = "OCMachineConfigServerRotator"
-	mcsName        = "machine-config-server"
+	mcoNamespace        = "openshift-machine-config-operator"
+	mapiNamespace       = "openshift-machine-api"
+	kubeSystemNamespace = "kube-system"
+	controllerName      = "OCMachineConfigServerRotator"
+	mcsName             = "machine-config-server"
 
 	// mcsTlsSecretName is created by the installer and is not owned by default
 	mcsTlsSecretName = mcsName + "-tls"
 
 	// newMCSCASecret is the location of the CA after rotation
-	newMCSCASecret = "machine-config-server-ca"
-	userDataKey    = "userData"
+	newMCSCASecret  = "machine-config-server-ca"
+	userDataKey     = "userData"
+	rootCAConfigmap = "root-ca"
+	rootCACertKey   = "ca.crt"
 
-	// mcoManagedWorkerSecret is the unused, MCO-managed stub ignition for workers
+	// mcoManagedWorkerSecret is the MCO-managed stub ignition for workers, used only in BareMetal IPI
 	mcoManagedWorkerSecret = "worker-user-data-managed"
 	// mcoManagedMasterSecret is the unused, MCO-managed stub ignition for masters
 	mcoManagedMasterSecret = "master-user-data-managed"

diff --git a/pkg/cli/admin/ocpcertificates/regeneratemco/rotatecerts.go b/pkg/cli/admin/ocpcertificates/regeneratemco/rotatecerts.go
@@ -6,6 +6,7 @@ import (
 	"net/url"
 	"time"
 
+	configv1 "github.com/openshift/api/config/v1"
 	configclient "github.com/openshift/client-go/config/clientset/versioned"
 	"github.com/openshift/library-go/pkg/controller/factory"
 	"github.com/openshift/library-go/pkg/operator/certrotation"
@@ -33,14 +34,17 @@ func (o *RegenerateMCOOptions) Run(ctx context.Context) error {
 		return err
 	}
 
-	host, err := oconfig.ConfigV1().Infrastructures().Get(ctx, "cluster", metav1.GetOptions{})
+	cfg, err := oconfig.ConfigV1().Infrastructures().Get(ctx, "cluster", metav1.GetOptions{})
 	if err != nil {
 		return fmt.Errorf("unable to get cluster infrastructure resource: %w", err)
 	}
-	if host.Status.APIServerInternalURL == "" {
+
+	serverIPs := getServerIPsFromInfra(cfg)
+
+	if cfg.Status.APIServerInternalURL == "" {
 		return fmt.Errorf("no APIServerInternalURL found in cluster infrastructure resource")
 	}
-	apiserverIntURL, err := url.Parse(host.Status.APIServerInternalURL)
+	apiserverIntURL, err := url.Parse(cfg.Status.APIServerInternalURL)
 	if err != nil {
 		return fmt.Errorf("failed to parse %s: %w", apiserverIntURL, err)
 	}
@@ -77,7 +81,7 @@ func (o *RegenerateMCOOptions) Run(ctx context.Context) error {
 			Validity:  keyExpiry,
 			Refresh:   keyRefresh,
 			CertCreator: &certrotation.ServingRotation{
-				Hostnames: func() []string { return []string{apiserverIntURL.Hostname()} },
+				Hostnames: func() []string { return append([]string{apiserverIntURL.Hostname()}, serverIPs...) },
 			},
 			Lister:        inf.Core().V1().Secrets().Lister(),
 			Informer:      inf.Core().V1().Secrets(),
@@ -120,3 +124,23 @@ func (o *RegenerateMCOOptions) Run(ctx context.Context) error {
 	}
 	return nil
 }
+
+func getServerIPsFromInfra(cfg *configv1.Infrastructure) []string {
+	if cfg.Status.PlatformStatus == nil {
+		return []string{}
+	}
+	switch cfg.Status.PlatformStatus.Type {
+	case configv1.BareMetalPlatformType:
+		return []string{cfg.Status.PlatformStatus.BareMetal.APIServerInternalIP}
+	case configv1.OvirtPlatformType:
+		return []string{cfg.Status.PlatformStatus.Ovirt.APIServerInternalIP}
+	case configv1.OpenStackPlatformType:
+		return []string{cfg.Status.PlatformStatus.OpenStack.APIServerInternalIP}
+	case configv1.VSpherePlatformType:
+		return []string{cfg.Status.PlatformStatus.VSphere.APIServerInternalIP}
+	case configv1.NutanixPlatformType:
+		return []string{cfg.Status.PlatformStatus.Nutanix.APIServerInternalIP}
+	default:
+		return []string{}
+	}
+}
diff --git a/pkg/cli/admin/ocpcertificates/regeneratemco/updatesecrets.go b/pkg/cli/admin/ocpcertificates/regeneratemco/updatesecrets.go
@@ -6,8 +6,11 @@ import (
 	"encoding/json"
 	"fmt"
 
+	configv1 "github.com/openshift/api/config/v1"
+	configclient "github.com/openshift/client-go/config/clientset/versioned"
 	"github.com/vincent-petithory/dataurl"
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 
@@ -47,7 +50,7 @@ func (o *RegenerateMCOOptions) updateSecrets(ctx context.Context) error {
 		return fmt.Errorf("cannot list MAO secrets: %w", err)
 	}
 	for _, secret := range secretList.Items {
-		// These two are managed by the MCO but unused. Skip them since the MCO will write them back.
+		// These two are managed by and only used for BareMetal IPI. Skip them since the MCO will write them back.
 		if secret.Name == mcoManagedWorkerSecret || secret.Name == mcoManagedMasterSecret {
 			continue
 		}
@@ -101,5 +104,33 @@ func (o *RegenerateMCOOptions) updateSecrets(ctx context.Context) error {
 		fmt.Fprintf(o.IOStreams.Out, "Successfully modified user-data secret %s\n", secret.Name)
 	}
 
+	// For Baremetal IPI, the worker-user-data-managed machineset is being used for scaling,
+	// so we need to do update the source (root-ca configmap) which will also cause all nodes to reboot.
+	oconfig, err := configclient.NewForConfig(clientConfig)
+	if err != nil {
+		return err
+	}
+	cfg, err := oconfig.ConfigV1().Infrastructures().Get(ctx, "cluster", metav1.GetOptions{})
+	if err != nil {
+		return fmt.Errorf("unable to get cluster infrastructure resource: %w", err)
+	}
+	if cfg.Status.Platform == configv1.BareMetalPlatformType {
+		kubeSystemRootCA, err := clientset.CoreV1().ConfigMaps(kubeSystemNamespace).Get(ctx, rootCAConfigmap, metav1.GetOptions{})
+		if err != nil {
+			if errors.IsNotFound(err) {
+				fmt.Fprintf(o.IOStreams.Out, "Could not find configmap %s/%s on platform %s, skipping. This may cause issues when scaling nodes.", kubeSystemNamespace, rootCAConfigmap, configv1.BareMetalPlatformType)
+				return nil
+			}
+			return fmt.Errorf("unable to get configmap %s/%s: %w", kubeSystemNamespace, rootCAConfigmap, err)
+		}
+
+		kubeSystemRootCA.Data[rootCACertKey] = string(caCert)
+		_, err = clientset.CoreV1().ConfigMaps(kubeSystemNamespace).Update(ctx, kubeSystemRootCA, metav1.UpdateOptions{})
+		if err != nil {
+			return fmt.Errorf("could not update configmap %s: %w", rootCAConfigmap, err)
+		}
+		fmt.Fprintf(o.IOStreams.Out, "Successfully updated configmap %s/%s, nodes will now reboot.\n", kubeSystemNamespace, rootCAConfigmap)
+	}
+
 	return nil
 }