use the cache ref to mount the cache kubeconfig into shard deployments

On-behalf-of: @SAP christoph.mewes@sap.com

Author: xrstf

internal/resources/cacheserver/certificates.go

@@ -28,7 +28,7 @@ import (
 
 // RootCACertificateReconciler creates a standalone CA just for a single cache-server.
 func RootCACertificateReconciler(server *operatorv1alpha1.CacheServer) reconciling.NamedCertificateReconcilerFactory {
-	name := resources.GetCacheServerCAName(server, operatorv1alpha1.RootCA)
+	name := resources.GetCacheServerCAName(server.Name, operatorv1alpha1.RootCA)
 	template := server.Spec.CertificateTemplates.CATemplate(operatorv1alpha1.RootCA)
 
 	if server.Spec.Certificates.IssuerRef == nil {
@@ -97,7 +97,7 @@ func ServerCertificateReconciler(server *operatorv1alpha1.CacheServer) reconcili
 				},
 
 				IssuerRef: certmanagermetav1.ObjectReference{
-					Name:  resources.GetCacheServerCAName(server, operatorv1alpha1.RootCA),
+					Name:  resources.GetCacheServerCAName(server.Name, operatorv1alpha1.RootCA),
 					Kind:  "Issuer",
 					Group: "cert-manager.io",
 				},

internal/resources/cacheserver/issuers.go

@@ -25,7 +25,7 @@ import (
 )
 
 func RootCAIssuerReconciler(server *operatorv1alpha1.CacheServer) reconciling.NamedIssuerReconcilerFactory {
-	name := resources.GetCacheServerCAName(server, operatorv1alpha1.RootCA)
+	name := resources.GetCacheServerCAName(server.Name, operatorv1alpha1.RootCA)
 
 	secretName := name
 	if server.Spec.Certificates.CASecretRef != nil {

internal/resources/cacheserver/kubeconfigs.go

@@ -17,8 +17,6 @@ limitations under the License.
 package cacheserver
 
 import (
-	"fmt"
-
 	k8creconciling "k8c.io/reconciler/pkg/reconciling"
 
 	corev1 "k8s.io/api/core/v1"
@@ -29,18 +27,14 @@ import (
 	operatorv1alpha1 "github.com/kcp-dev/kcp-operator/sdk/apis/operator/v1alpha1"
 )
 
-func kubeconfigSecret(server *operatorv1alpha1.CacheServer) string {
-	return fmt.Sprintf("%s-kubeconfig", server.Name)
-}
-
 func KubeconfigReconciler(server *operatorv1alpha1.CacheServer) k8creconciling.NamedSecretReconcilerFactory {
 	const (
 		serverName  = "cache"
 		contextName = "cache"
 	)
 
 	return func() (string, k8creconciling.SecretReconciler) {
-		return kubeconfigSecret(server), func(secret *corev1.Secret) (*corev1.Secret, error) {
+		return resources.GetCacheServerKubeconfigName(server.Name), func(secret *corev1.Secret) (*corev1.Secret, error) {
 			var config *clientcmdapi.Config
 			if secret.Data == nil {
 				secret.Data = make(map[string][]byte)

internal/resources/resources.go

@@ -194,11 +194,11 @@ func GetRootShardCAName(r *operatorv1alpha1.RootShard, caName operatorv1alpha1.C
 	return fmt.Sprintf("%s-%s-ca", r.Name, caName)
 }
 
-func GetCacheServerCAName(s *operatorv1alpha1.CacheServer, caName operatorv1alpha1.CA) string {
+func GetCacheServerCAName(cacheServerName string, caName operatorv1alpha1.CA) string {
 	if caName == operatorv1alpha1.RootCA {
-		return fmt.Sprintf("%s-ca", s.Name)
+		return fmt.Sprintf("%s-ca", cacheServerName)
 	}
-	return fmt.Sprintf("%s-%s-ca", s.Name, caName)
+	return fmt.Sprintf("%s-%s-ca", cacheServerName, caName)
 }
 
 func GetFrontProxyResourceLabels(f *operatorv1alpha1.FrontProxy) map[string]string {
@@ -221,6 +221,10 @@ func GetFrontProxyDynamicKubeconfigName(r *operatorv1alpha1.RootShard, f *operat
 	return fmt.Sprintf("%s-%s-dynamic-kubeconfig", r.Name, f.Name)
 }
 
+func GetCacheServerKubeconfigName(cacheServerName string) string {
+	return fmt.Sprintf("%s-kubeconfig", cacheServerName)
+}
+
 func GetRootShardProxyConfigName(r *operatorv1alpha1.RootShard) string {
 	return fmt.Sprintf("%s-proxy-config", r.Name)
 }

internal/resources/rootshard/deployment.go

@@ -62,6 +62,15 @@ func getKubeconfigMountPath(certName operatorv1alpha1.Certificate) string {
 	return fmt.Sprintf("/etc/kcp/%s-kubeconfig", certName)
 }
 
+func getCacheServerKubeconfigMountPath() string {
+	return "/etc/cache-server/kubeconfig"
+}
+
+// getCacheServerCAMountPath has to match the code in the cacheserver package.
+func getCacheServerCAMountPath(caName operatorv1alpha1.CA) string {
+	return fmt.Sprintf("/etc/cache-server/tls/ca/%s", caName)
+}
+
 func DeploymentReconciler(rootShard *operatorv1alpha1.RootShard) reconciling.NamedDeploymentReconcilerFactory {
 	return func() (string, reconciling.DeploymentReconciler) {
 		return resources.GetRootShardDeploymentName(rootShard), func(dep *appsv1.Deployment) (*appsv1.Deployment, error) {
@@ -132,6 +141,22 @@ func DeploymentReconciler(rootShard *operatorv1alpha1.RootShard) reconciling.Nam
 				})
 			}
 
+			// If an external CacheServer is meant to be used, mount its kubeconfig and the
+			// certificate referenced in it.
+			if ref := rootShard.Spec.Cache.Reference; ref != nil {
+				secretMounts = append(secretMounts, utils.SecretMount{
+					VolumeName: "cache-server-kubeconfig",
+					SecretName: resources.GetCacheServerKubeconfigName(ref.Name),
+					MountPath:  getCacheServerKubeconfigMountPath(),
+				})
+
+				secretMounts = append(secretMounts, utils.SecretMount{
+					VolumeName: "cache-server-ca",
+					SecretName: resources.GetCacheServerCAName(ref.Name, operatorv1alpha1.RootCA),
+					MountPath:  getCacheServerCAMountPath(operatorv1alpha1.RootCA),
+				})
+			}
+
 			volumes := []corev1.Volume{}
 			volumeMounts := []corev1.VolumeMount{}
 
@@ -212,5 +237,9 @@ func getArgs(rootShard *operatorv1alpha1.RootShard) []string {
 		args = append(args, rootShard.Spec.ExtraArgs...)
 	}
 
+	if ref := rootShard.Spec.Cache.Reference; ref != nil {
+		args = append(args, fmt.Sprintf("--cache-kubeconfig=%s/kubeconfig", getCacheServerKubeconfigMountPath()))
+	}
+
 	return args
 }