add runtime config for Otel CA cert updates

Author: pdabelf5

internal/configs/configmaps.go

@@ -988,6 +988,11 @@ func GenerateNginxMainConfig(staticCfgParams *StaticConfigParams, config *Config
 		ResolverValid:     config.ZoneSync.ResolverValid,
 	}
 
+	mainOtelExporterTrustedCA := ""
+	if config.MainOtelExporterTrustedCA != "" {
+		mainOtelExporterTrustedCA = fmt.Sprintf("%s-%s-%s", os.Getenv("POD_NAMESPACE"), config.MainOtelExporterTrustedCA, CACrtKey)
+	}
+
 	nginxCfg := &version1.MainConfig{
 		AccessLog:                          config.MainAccessLog,
 		DefaultServerAccessLogOff:          config.DefaultServerAccessLogOff,
@@ -1012,7 +1017,7 @@ func GenerateNginxMainConfig(staticCfgParams *StaticConfigParams, config *Config
 		MainOtelLoadModule:                 config.MainOtelLoadModule,
 		MainOtelGlobalTraceEnabled:         config.MainOtelGlobalTraceEnabled,
 		MainOtelExporterEndpoint:           config.MainOtelExporterEndpoint,
-		MainOtelExporterTrustedCA:          fmt.Sprintf("%s-%s-%s", os.Getenv("POD_NAMESPACE"), config.MainOtelExporterTrustedCA, CACrtKey),
+		MainOtelExporterTrustedCA:          mainOtelExporterTrustedCA,
 		MainOtelExporterHeaderName:         config.MainOtelExporterHeaderName,
 		MainOtelExporterHeaderValue:        config.MainOtelExporterHeaderValue,
 		MainOtelServiceName:                config.MainOtelServiceName,

internal/configs/configurator.go

@@ -826,8 +826,11 @@ func generateTLSPassthroughHostsConfig(tlsPassthroughPairs map[string]tlsPassthr
 // AddOrUpdateCASecret writes the secret content to disk returning the files added/updated
 func (cnf *Configurator) AddOrUpdateCASecret(secret *api_v1.Secret, crtFileName, crlFileName string) string {
 	crtData, crlData := GenerateCAFileContent(secret)
+	crlFilePath := ""
 	crtFilePath := cnf.nginxManager.CreateSecret(crtFileName, crtData, nginx.ReadWriteOnlyFileMode)
-	crlFilePath := cnf.nginxManager.CreateSecret(crlFileName, crlData, nginx.ReadWriteOnlyFileMode)
+	if len(crlData) > 0 {
+		crlFilePath = cnf.nginxManager.CreateSecret(crlFileName, crlData, nginx.ReadWriteOnlyFileMode)
+	}
 	return fmt.Sprintf("%s %s", crtFilePath, crlFilePath)
 }
 

internal/k8s/controller.go

@@ -102,11 +102,12 @@ type podEndpoint struct {
 }
 
 type specialSecrets struct {
-	defaultServerSecret string
-	wildcardTLSSecret   string
-	licenseSecret       string
-	clientAuthSecret    string
-	trustedCertSecret   string
+	defaultServerSecret   string
+	wildcardTLSSecret     string
+	licenseSecret         string
+	clientAuthSecret      string
+	mgmtTrustedCertSecret string
+	otelTrustedCertSecret string
 }
 
 type controllerMetadata struct {
@@ -247,14 +248,19 @@ type NewLoadBalancerControllerInput struct {
 
 // NewLoadBalancerController creates a controller
 func NewLoadBalancerController(input NewLoadBalancerControllerInput) *LoadBalancerController {
+	otelTrustedCertSecret := ""
+	if input.NginxConfigurator.CfgParams.MainOtelExporterTrustedCA != "" {
+		otelTrustedCertSecret = fmt.Sprintf("%s/%s", input.ControllerNamespace, input.NginxConfigurator.CfgParams.MainOtelExporterTrustedCA)
+	}
 	specialSecrets := specialSecrets{
-		defaultServerSecret: input.DefaultServerSecret,
-		wildcardTLSSecret:   input.WildcardTLSSecret,
+		defaultServerSecret:   input.DefaultServerSecret,
+		wildcardTLSSecret:     input.WildcardTLSSecret,
+		otelTrustedCertSecret: otelTrustedCertSecret,
 	}
 	if input.IsNginxPlus {
 		specialSecrets.licenseSecret = fmt.Sprintf("%s/%s", input.ControllerNamespace, input.NginxConfigurator.MgmtCfgParams.Secrets.License)
 		specialSecrets.clientAuthSecret = fmt.Sprintf("%s/%s", input.ControllerNamespace, input.NginxConfigurator.MgmtCfgParams.Secrets.ClientAuth)
-		specialSecrets.trustedCertSecret = fmt.Sprintf("%s/%s", input.ControllerNamespace, input.NginxConfigurator.MgmtCfgParams.Secrets.TrustedCert)
+		specialSecrets.mgmtTrustedCertSecret = fmt.Sprintf("%s/%s", input.ControllerNamespace, input.NginxConfigurator.MgmtCfgParams.Secrets.TrustedCert)
 	}
 	lbc := &LoadBalancerController{
 		client:                       input.KubeClient,
@@ -924,7 +930,7 @@ func (lbc *LoadBalancerController) updateAllConfigs() {
 			if _, hasCRL := secret.Data[configs.CACrlKey]; hasCRL {
 				lbc.configurator.MgmtCfgParams.Secrets.TrustedCRL = secret.Name
 			}
-			lbc.specialSecrets.trustedCertSecret = fmt.Sprintf("%s/%s", secret.Namespace, secret.Name)
+			lbc.specialSecrets.mgmtTrustedCertSecret = fmt.Sprintf("%s/%s", secret.Namespace, secret.Name)
 			lbc.handleSpecialSecretUpdate(secret, reloadNginx)
 		}
 		// update special ClientAuth secret in mgmtConfigParams
@@ -937,6 +943,15 @@ func (lbc *LoadBalancerController) updateAllConfigs() {
 			lbc.handleSpecialSecretUpdate(secret, reloadNginx)
 		}
 	}
+	// update special Otel CA secret in configParams
+	if cfgParams.MainOtelExporterTrustedCA != "" {
+		secret, err := lbc.client.CoreV1().Secrets(lbc.configMap.GetNamespace()).Get(context.TODO(), cfgParams.MainOtelExporterTrustedCA, meta_v1.GetOptions{})
+		if err != nil {
+			nl.Errorf(lbc.Logger, "secret %s/%s: %v", lbc.configMap.GetNamespace(), cfgParams.MainOtelExporterTrustedCA, err)
+		}
+		lbc.specialSecrets.otelTrustedCertSecret = fmt.Sprintf("%s/%s", secret.Namespace, secret.Name)
+		lbc.handleSpecialSecretUpdate(secret, reloadNginx)
+	}
 	resources := lbc.configuration.GetResources()
 	nl.Debugf(lbc.Logger, "Updating %v resources", len(resources))
 	resourceExes := lbc.createExtendedResources(resources)
@@ -1843,7 +1858,9 @@ func (lbc *LoadBalancerController) isSpecialSecret(secretName string) bool {
 		return true
 	case lbc.specialSecrets.clientAuthSecret:
 		return true
-	case lbc.specialSecrets.trustedCertSecret:
+	case lbc.specialSecrets.mgmtTrustedCertSecret:
+		return true
+	case lbc.specialSecrets.otelTrustedCertSecret:
 		return true
 	default:
 		return false
@@ -1918,7 +1935,12 @@ func (lbc *LoadBalancerController) handleSpecialSecretUpdate(secret *api_v1.Secr
 		if ok := lbc.performNGINXReload(secret); !ok {
 			return
 		}
-	case lbc.specialSecrets.trustedCertSecret:
+	case lbc.specialSecrets.mgmtTrustedCertSecret:
+		lbc.updateAllConfigs()
+		if ok := lbc.performNGINXReload(secret); !ok {
+			return
+		}
+	case lbc.specialSecrets.otelTrustedCertSecret:
 		lbc.updateAllConfigs()
 		if ok := lbc.performNGINXReload(secret); !ok {
 			return
@@ -1944,7 +1966,12 @@ func (lbc *LoadBalancerController) writeSpecialSecrets(secret *api_v1.Secret, sp
 			return false
 		}
 	case secrets.SecretTypeCA:
-		lbc.configurator.AddOrUpdateCASecret(secret, fmt.Sprintf("mgmt/%s", configs.CACrtKey), fmt.Sprintf("mgmt/%s", configs.CACrlKey))
+		if lbc.specialSecrets.mgmtTrustedCertSecret != "" {
+			lbc.configurator.AddOrUpdateCASecret(secret, fmt.Sprintf("mgmt/%s", configs.CACrtKey), fmt.Sprintf("mgmt/%s", configs.CACrlKey))
+		}
+		if lbc.specialSecrets.otelTrustedCertSecret != "" {
+			lbc.configurator.AddOrUpdateCASecret(secret, fmt.Sprintf("%s-%s-%s", lbc.metadata.namespace, lbc.configurator.CfgParams.MainOtelExporterTrustedCA, configs.CACrtKey), "")
+		}
 	case api_v1.SecretTypeTLS:
 		// if the secret name matches the specified
 		if secretNsName == mgmtClientAuthNamespaceName {
@@ -1981,7 +2008,7 @@ func (lbc *LoadBalancerController) specialSecretValidation(secretNsName string,
 			return false
 		}
 	}
-	if secretNsName == lbc.specialSecrets.trustedCertSecret {
+	if secretNsName == lbc.specialSecrets.mgmtTrustedCertSecret {
 		err := secrets.ValidateCASecret(secret)
 		if err != nil {
 			nl.Errorf(lbc.Logger, "Couldn't validate the special Secret %v: %v", secretNsName, err)
@@ -1997,6 +2024,14 @@ func (lbc *LoadBalancerController) specialSecretValidation(secretNsName string,
 			return false
 		}
 	}
+	if secretNsName == lbc.specialSecrets.otelTrustedCertSecret {
+		err := secrets.ValidateCASecret(secret)
+		if err != nil {
+			nl.Errorf(lbc.Logger, "Couldn't validate the special Secret %v: %v", secretNsName, err)
+			lbc.recorder.Eventf(lbc.metadata.pod, api_v1.EventTypeWarning, nl.EventReasonRejected, "the special Secret %v was rejected, using the previous version: %v", secretNsName, err)
+			return false
+		}
+	}
 	return true
 }