
Commit 29a4292

Move admission CA reconciliation into ground controller (#1011)
1 parent 81d8172 commit 29a4292


2 files changed

+46
-45
lines changed


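--- a/pkg/controller/ground.go
+++ b/pkg/controller/ground.go
@@ -55,6 +55,7 @@ const (
 
 UpgradeEnableAnnotation = "kubernikus.cloud.sap/upgrade"
 SeedReconcileLabelKey = "kubernikus.cloud.sap/seed-reconcile"
+InjectAdmissionCAKey = "kubernikus.cloud.sap/inject-admission-ca"
 )
 
 type GroundControl struct {
@@ -330,6 +331,9 @@ func (op *GroundControl) handler(key string) error {
 if err := op.ensureStorageContainers(kluster, klusterSecret); err != nil {
 return err
 }
+if err := op.ensureAdmissionCA(kluster, klusterSecret); err != nil {
+return err
+}
 
 accessMode, err := util.PVAccessMode(op.Clients.Kubernetes, nil)
 if err != nil {
@@ -1141,6 +1145,48 @@ func (op *GroundControl) ensureStorageContainers(kluster *v1.Kluster, klusterSec
 return nil
 }
 
+// inject admission CA in labeled namespaces
+func (op *GroundControl) ensureAdmissionCA(kluster *v1.Kluster, klusterSecret *v1.Secret) error {
+k8sClient, err := op.Clients.Satellites.ClientFor(kluster)
+if err != nil {
+return err
+}
+nsList, err := k8sClient.CoreV1().Namespaces().List(context.TODO(), meta_v1.ListOptions{LabelSelector: fmt.Sprintf("%s=true", InjectAdmissionCAKey)})
+if err != nil {
+return err
+}
+if nsList.Size() == 0 {
+return nil
+}
+ca := map[string]string{"ca.crt": klusterSecret.Certificates.AdmissionCACertificate}
+cm := api_v1.ConfigMap{
+TypeMeta: meta_v1.TypeMeta{
+Kind: "ConfigMap",
+APIVersion: "v1",
+},
+ObjectMeta: meta_v1.ObjectMeta{
+Name: "admission-auth-ca",
+},
+Data: ca,
+}
+for _, ns := range nsList.Items {
+_, err = k8sClient.CoreV1().ConfigMaps(ns.Name).Create(context.TODO(), &cm, meta_v1.CreateOptions{})
+if apierrors.IsAlreadyExists(err) {
+_, err = k8sClient.CoreV1().ConfigMaps(ns.Name).Update(context.TODO(), &cm, meta_v1.UpdateOptions{})
+}
+if err != nil {
+return fmt.Errorf("Admission CA certificate reconciliation in namespace %s failed: %s", ns.Name, err)
+}
+op.Logger.Log(
+"msg", "Reconciled admission CA certificate",
+"namespace", ns.Name,
+"kluster", kluster.GetName(),
+"project", kluster.Account(),
+"v", 6)
+}
+return nil
+}
+
 func (op *GroundControl) podAdd(obj interface{}) {
 pod := obj.(*api_v1.Pod)
 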
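Review bot: `if nsList.Size() == 0 { return nil }` in ensureAdmissionCA does not test for an empty result: on the generated Kubernetes API types `Size()` is the protobuf-encoded byte length of the list, which is non-zero even when no namespace matched the label selector (the list metadata alone contributes), so the guard never short-circuits and the intended check is `if len(nsList.Items) == 0 { return nil }`. The loop below is a no-op with zero items, so the visible effect today is only a dead branch, but the same misuse sat in the removed reconciler.go code (`nsList.Size() > 0`) and survives the move. The error on the `return fmt.Errorf("Admission CA certificate reconciliation in namespace %s failed: %s", ns.Name, err)` line should wrap with `%w` and drop the capitalised "failed" prefix, e.g. `fmt.Errorf("admission CA certificate reconciliation in namespace %s: %w", ns.Name, err)`, so callers of handler can still inspect the underlying API error. The Update fallback replaces the existing `admission-auth-ca` ConfigMap unconditionally (no resourceVersion is set, so there is no optimistic-concurrency check); since the object carries only the `ca.crt` key this is presumably intended, and a short comment such as `// the controller owns admission-auth-ca in every opted-in namespace; any existing content is overwritten` above the loop would make that ownership explicit.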
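--- a/pkg/controller/ground/reconciler.go
+++ b/pkg/controller/ground/reconciler.go
@@ -14,7 +14,6 @@ import (
 "helm.sh/helm/v3/pkg/chartutil"
 "helm.sh/helm/v3/pkg/engine"
 "helm.sh/helm/v3/pkg/releaseutil"
-corev1 "k8s.io/api/core/v1"
 extensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 "k8s.io/apimachinery/pkg/api/errors"
 "k8s.io/apimachinery/pkg/api/meta"
@@ -33,7 +32,6 @@ import (
 v1 "github.com/sapcc/kubernikus/pkg/apis/kubernikus/v1"
 "github.com/sapcc/kubernikus/pkg/client/openstack/project"
 "github.com/sapcc/kubernikus/pkg/controller/config"
-"github.com/sapcc/kubernikus/pkg/util"
 )
 
 const SeedChartPath string = "charts/seed"
@@ -42,7 +40,6 @@ const ManagedByLabelKey string = "cloud.sap/managed-by"
 const ManagedByLabelValue string = "kubernikus"
 const SkipPatchKey string = "kubernikus.cloud.sap/skip-manage"
 const SkipPatchValue string = "true"
-const InjectAdmissionCAKey string = "kubernikus.cloud.sap/inject-admission-ca"
 
 var recreateKinds map[string]struct{} = map[string]struct{}{
 "RoleBinding": {},
@@ -210,48 +207,6 @@ func (sr *SeedReconciler) ReconcileSeeding(chartPath string, values map[string]i
 return err
 }
 
-// inject admission CA in labeled namespaces
-k8sClient, err := sr.Clients.Satellites.ClientFor(sr.Kluster)
-if err != nil {
-return err
-}
-nsList, err := k8sClient.CoreV1().Namespaces().List(context.TODO(), metav1.ListOptions{LabelSelector: fmt.Sprintf("%s=true", InjectAdmissionCAKey)})
-if err != nil {
-return err
-}
-if nsList.Size() > 0 {
-secret, err := util.KlusterSecret(sr.Clients.Kubernetes, sr.Kluster)
-if err != nil {
-return fmt.Errorf("Couldn't get kluster secret: %s", err)
-}
-ca := map[string]string{"ca.crt": secret.Certificates.AdmissionCACertificate}
-cm := corev1.ConfigMap{
-TypeMeta: metav1.TypeMeta{
-Kind: "ConfigMap",
-APIVersion: "v1",
-},
-ObjectMeta: metav1.ObjectMeta{
-Name: "admission-auth-ca",
-},
-Data: ca,
-}
-for _, ns := range nsList.Items {
-_, err = k8sClient.CoreV1().ConfigMaps(ns.Name).Create(context.TODO(), &cm, metav1.CreateOptions{})
-if errors.IsAlreadyExists(err) {
-_, err = k8sClient.CoreV1().ConfigMaps(ns.Name).Update(context.TODO(), &cm, metav1.UpdateOptions{})
-}
-if err != nil {
-return fmt.Errorf("Admission CA certificate reconciliation in namespace %s failed: %s", ns.Name, err)
-}
-sr.Logger.Log(
-"msg", "Reconciling admission CA certificate",
-"namespace", ns.Name,
-"kluster", sr.Kluster.GetName(),
-"project", sr.Kluster.Account(),
-"v", 6)
-}
-}
-
 sr.Logger.Log(
 "msg", "Seed reconciliation: successful",
 "kluster", sr.Kluster.GetName(),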
