[Bugfix] Reconcile after TLS secret recreation (#768)

ajanikow · web-flow · commit df5630fa28da · 2021-07-28T16:41:36.000+02:00
diff --git a/go.mod b/go.mod
@@ -35,8 +35,8 @@ require (
 	github.com/ghodss/yaml v1.0.0
 	github.com/gin-gonic/gin v1.7.2
 	github.com/github-release/github-release v0.10.0 // indirect
-	github.com/golang-jwt/jwt v3.2.1+incompatible
 	github.com/go-playground/validator/v10 v10.8.0 // indirect
+	github.com/golang-jwt/jwt v3.2.1+incompatible
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/google/addlicense v0.0.0-20210428195630-6d92264d7170 // indirect
 	github.com/hashicorp/golang-lru v0.5.3 // indirect
diff --git a/pkg/deployment/resources/certificates_tls.go b/pkg/deployment/resources/certificates_tls.go
@@ -78,14 +78,14 @@ func createTLSCACertificate(ctx context.Context, log zerolog.Logger, secrets k8s
 // createTLSServerCertificate creates a TLS certificate for a specific server and stores
 // it in a secret with the given name.
 func createTLSServerCertificate(ctx context.Context, log zerolog.Logger, secrets v1.SecretInterface, serverNames []string, spec api.TLSSpec,
-	secretName string, ownerRef *metav1.OwnerReference) error {
+	secretName string, ownerRef *metav1.OwnerReference) (bool, error) {
 
 	log = log.With().Str("secret", secretName).Logger()
 	// Load alt names
 	dnsNames, ipAddresses, emailAddress, err := spec.GetParsedAltNames()
 	if err != nil {
 		log.Debug().Err(err).Msg("Failed to get alternate names")
-		return errors.WithStack(err)
+		return false, errors.WithStack(err)
 	}
 
 	// Load CA certificate
@@ -94,12 +94,12 @@ func createTLSServerCertificate(ctx context.Context, log zerolog.Logger, secrets
 	caCert, caKey, _, err := k8sutil.GetCASecret(ctxChild, secrets, spec.GetCASecretName(), nil)
 	if err != nil {
 		log.Debug().Err(err).Msg("Failed to load CA certificate")
-		return errors.WithStack(err)
+		return false, errors.WithStack(err)
 	}
 	ca, err := certificates.LoadCAFromPEM(caCert, caKey)
 	if err != nil {
 		log.Debug().Err(err).Msg("Failed to decode CA certificate")
-		return errors.WithStack(err)
+		return false, errors.WithStack(err)
 	}
 
 	options := certificates.CreateCertificateOptions{
@@ -114,7 +114,7 @@ func createTLSServerCertificate(ctx context.Context, log zerolog.Logger, secrets
 	cert, priv, err := certificates.CreateCertificate(options, &ca)
 	if err != nil {
 		log.Debug().Err(err).Msg("Failed to create server certificate")
-		return errors.WithStack(err)
+		return false, errors.WithStack(err)
 	}
 	keyfile := strings.TrimSpace(cert) + "\n" +
 		strings.TrimSpace(priv)
@@ -128,8 +128,8 @@ func createTLSServerCertificate(ctx context.Context, log zerolog.Logger, secrets
 		} else {
 			log.Debug().Err(err).Msg("Failed to create server Secret")
 		}
-		return errors.WithStack(err)
+		return false, errors.WithStack(err)
 	}
 	log.Debug().Msg("Created server Secret")
-	return nil
+	return true, nil
 }
diff --git a/pkg/deployment/resources/pod_creator.go b/pkg/deployment/resources/pod_creator.go
@@ -570,7 +570,7 @@ func (r *Resources) createPodForMember(ctx context.Context, spec api.DeploymentS
 				}
 			}
 			owner := apiObject.AsOwner()
-			err := createTLSServerCertificate(ctx, log, secrets, serverNames, spec.Sync.TLS, tlsKeyfileSecretName, &owner)
+			_, err := createTLSServerCertificate(ctx, log, secrets, serverNames, spec.Sync.TLS, tlsKeyfileSecretName, &owner)
 			if err != nil && !k8sutil.IsAlreadyExists(err) {
 				return errors.WithStack(errors.Wrapf(err, "Failed to create TLS keyfile secret"))
 			}
diff --git a/pkg/deployment/resources/secrets.go b/pkg/deployment/resources/secrets.go
@@ -166,9 +166,10 @@ func (r *Resources) EnsureSecrets(ctx context.Context, log zerolog.Logger, cache
 						serverNames = append(serverNames, ip)
 					}
 					owner := member.AsOwner()
-					errCert := createTLSServerCertificate(ctx, log, secrets, serverNames, spec.TLS, tlsKeyfileSecretName, &owner)
-					if err := reconcileRequired.WithError(errCert); err != nil && !k8sutil.IsAlreadyExists(err) {
+					if created, err := createTLSServerCertificate(ctx, log, secrets, serverNames, spec.TLS, tlsKeyfileSecretName, &owner); err != nil && !k8sutil.IsAlreadyExists(err) {
 						return errors.WithStack(errors.Wrapf(err, "Failed to create TLS keyfile secret"))
+					} else if created {
+						reconcileRequired.Required()
 					}
 				}
 			}

Original file line number	Diff line number	Diff line change
`@@ -570,7 +570,7 @@ func (r *Resources) createPodForMember(ctx context.Context, spec api.DeploymentS`
`570`	`570`	`}`
`571`	`571`	`}`
`572`	`572`	`owner := apiObject.AsOwner()`
`573`		`- err := createTLSServerCertificate(ctx, log, secrets, serverNames, spec.Sync.TLS, tlsKeyfileSecretName, &owner)`
	`573`	`+ _, err := createTLSServerCertificate(ctx, log, secrets, serverNames, spec.Sync.TLS, tlsKeyfileSecretName, &owner)`
`574`	`574`	`if err != nil && !k8sutil.IsAlreadyExists(err) {`
`575`	`575`	`return errors.WithStack(errors.Wrapf(err, "Failed to create TLS keyfile secret"))`
`576`	`576`	`}`
Original file line number	Diff line number	Diff line change
`@@ -166,9 +166,10 @@ func (r *Resources) EnsureSecrets(ctx context.Context, log zerolog.Logger, cache`
`166`	`166`	`serverNames = append(serverNames, ip)`
`167`	`167`	`}`
`168`	`168`	`owner := member.AsOwner()`
`169`		`- errCert := createTLSServerCertificate(ctx, log, secrets, serverNames, spec.TLS, tlsKeyfileSecretName, &owner)`
`170`		`- if err := reconcileRequired.WithError(errCert); err != nil && !k8sutil.IsAlreadyExists(err) {`
	`169`	`+ if created, err := createTLSServerCertificate(ctx, log, secrets, serverNames, spec.TLS, tlsKeyfileSecretName, &owner); err != nil && !k8sutil.IsAlreadyExists(err) {`
`171`	`170`	`return errors.WithStack(errors.Wrapf(err, "Failed to create TLS keyfile secret"))`
	`171`	`+ } else if created {`
	`172`	`+ reconcileRequired.Required()`
`172`	`173`	`}`
`173`	`174`	`}`
`174`	`175`	`}`