No longer needed to recreate operator-ca-tls prefixed secrets on Tenant namespace (#2137)

No longer needed to create `operator-ca-tls` prefixed secrets on the Tenant namespace

This was fixed by trusting CA's as soon as the secret changed on PR #2133

Signed-off-by: pjuarezd <[email protected]>

Author: pjuarezd

pkg/controller/monitoring.go

@@ -18,7 +18,6 @@ import (
 	"context"
 	"fmt"
 	"log"
-	"strings"
 	"time"
 
 	"github.com/minio/madmin-go/v3"
@@ -119,12 +118,6 @@ func (c *Controller) updateHealthStatusForTenant(tenant *miniov2.Tenant) error {
 	// get cluster health for tenant
 	healthResult, err := aClnt.Healthy(hctx, madmin.HealthOpts{})
 	if err != nil {
-		if strings.Contains(err.Error(), "failed to verify certificate") {
-			err := c.reloadTenantExternalCerts(tenant)
-			if err != nil {
-				return err
-			}
-		}
 		// show the error and continue
 		klog.Infof("'%s/%s' Failed to get cluster health: %v", tenant.Namespace, tenant.Name, err)
 		return nil

pkg/controller/operator.go

@@ -384,9 +384,12 @@ func (c *Controller) checkOpenshiftSignerCACertInOperatorNamespace(ctx context.C
 				},
 			}
 			_, err = c.kubeClientSet.CoreV1().Secrets(namespace).Create(ctx, csrSignerSecret, metav1.CreateOptions{})
-			// Reload CA certificates
-			c.createTransport()
-			return err
+			if err != nil {
+				return err
+			}
+			// Add the CA certificate to the trusted Root CA's
+			c.trustPEMInSecretField(csrSignerSecret, certs.TLSCertFile)
+			return nil
 		}
 		return err
 	}
@@ -397,9 +400,9 @@ func (c *Controller) checkOpenshiftSignerCACertInOperatorNamespace(ctx context.C
 		if err != nil {
 			return err
 		}
-		klog.Infof("'%s/%s' secret changed, updating '%s/%s' secret", OpenshiftKubeControllerNamespace, OpenshiftCATLSSecretName, namespace, OperatorCSRSignerCASecretName)
-		// Reload CA certificates
-		c.createTransport()
+		klog.Infof("'%s/%s' secret changed, updated '%s/%s' secret", OpenshiftKubeControllerNamespace, OpenshiftCATLSSecretName, namespace, OperatorCSRSignerCASecretName)
+		// Add the CA certificate to the trusted Root CA's
+		c.trustPEMInSecretField(csrSignerSecret, certs.TLSCertFile)
 	}
 	return nil
 }

pkg/controller/tenants.go

@@ -19,12 +19,6 @@ package controller
 import (
 	"context"
 	"errors"
-	"strings"
-
-	"github.com/minio/operator/pkg/certs"
-
-	corev1 "k8s.io/api/core/v1"
-	"k8s.io/klog/v2"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
@@ -51,93 +45,6 @@ func (c *Controller) getTenantConfiguration(ctx context.Context, tenant *miniov2
 	return tenantConfiguration, nil
 }
 
-// renewCert will renew one certificate at a time
-func (c *Controller) renewCert(secret corev1.Secret, index int, tenant *miniov2.Tenant) error {
-	// If the secret does not start with "operator-ca-tls-" then no need to continue
-	if !strings.HasPrefix(secret.Name, OperatorCATLSSecretPrefix) {
-		return nil
-	}
-	klog.Infof("%d external secret found: %s", index, secret.Name)
-	klog.Info("We are going to renew the external certificate for the tenant...")
-	// Get the new certificate generated by cert-manager
-	tenantSecretName := tenant.Spec.ExternalCertSecret[0].Name
-	data, err := c.kubeClientSet.CoreV1().Secrets(tenant.Namespace).Get(context.Background(), tenantSecretName, metav1.GetOptions{})
-	if err != nil {
-		klog.Errorf("Couldn't get the certificate due to error %s", err)
-		return err
-	}
-	if data == nil || len(data.Data) <= 0 {
-		klog.Errorf("certificate's data can't be empty: %s", data)
-		return errors.New("empty cert data")
-	}
-	CACertificate := data.Data[certs.CAPublicCertFile]
-	if CACertificate == nil || len(CACertificate) <= 0 {
-		klog.Errorf("ca.crt certificate data can't be empty: %s", CACertificate)
-		return errors.New("empty cert ca data")
-	}
-	klog.Info("certificate data is not empty, proceed with renewal")
-	// Delete the secret that starts with operator-ca-tls- because it is expired
-	err = c.kubeClientSet.CoreV1().Secrets(miniov2.GetNSFromFile()).Delete(context.Background(), secret.Name, metav1.DeleteOptions{})
-	if err != nil {
-		klog.Infof("There was an error when deleting the secret: %s", err)
-		return err
-	}
-	// Create the new secret that contains the new certificate
-	newSecret := &corev1.Secret{
-		Type: "Opaque",
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      secret.Name,
-			Namespace: miniov2.GetNSFromFile(),
-		},
-		Data: map[string][]byte{
-			certs.CAPublicCertFile: CACertificate,
-		},
-	}
-	_, err = c.kubeClientSet.CoreV1().Secrets(miniov2.GetNSFromFile()).Create(context.Background(), newSecret, metav1.CreateOptions{})
-	if err != nil {
-		klog.Errorf("Secret not created %s", err)
-		return err
-	}
-	// Reload CA certificates
-	c.createTransport()
-	// Rollout the Operator Deployment to use new certificate and trust the tenant.
-	operatorDeployment, err := c.kubeClientSet.AppsV1().Deployments(miniov2.GetNSFromFile()).Get(context.Background(), miniov2.GetNSFromFile(), metav1.GetOptions{})
-	if err != nil || operatorDeployment == nil {
-		klog.Errorf("Couldn't retrieve the deployment %s", err)
-		return err
-	}
-	operatorDeployment.Spec.Template.ObjectMeta.Name = miniov2.GetNSFromFile()
-	operatorDeployment, err = c.kubeClientSet.AppsV1().Deployments(miniov2.GetNSFromFile()).Update(context.Background(), operatorDeployment, metav1.UpdateOptions{})
-	if err != nil {
-		klog.Errorf("There was an error on deployment update %s", err)
-		return err
-	}
-	klog.Info("external certificate successfully renewed for the tenant")
-	return nil
-}
-
-// reloadTenantExternalCerts reloads Tenant external certificates
-func (c *Controller) reloadTenantExternalCerts(tenant *miniov2.Tenant) error {
-	externalCertSecret := tenant.Spec.ExternalCertSecret
-	if externalCertSecret != nil {
-		// Check that there is a secret that starts with "operator-ca-tls-" to proceed with the renewal
-		secretsAvailableAtOperatorNS, err := c.kubeClientSet.CoreV1().Secrets(miniov2.GetNSFromFile()).List(context.Background(), metav1.ListOptions{})
-		if err != nil {
-			klog.Info("No external certificates are found under the multi-tenancy architecture to handle.")
-			return nil
-		}
-		klog.Info("there are secret(s) for the operator")
-		for index, secret := range secretsAvailableAtOperatorNS.Items {
-			err = c.renewCert(secret, index, tenant)
-			if err != nil {
-				klog.Errorf("There was an error while renewing the cert: %s", err)
-				return err
-			}
-		}
-	}
-	return nil
-}
-
 // getTenantCredentials returns a combination of env, credsSecret and Configuration tenant credentials
 func (c *Controller) getTenantCredentials(ctx context.Context, tenant *miniov2.Tenant) (map[string][]byte, error) {
 	// Configuration for tenant can be passed using 2 different sources, tenant.spec.env and config.env secret