Add CABundle to storage drivers

dmage · dmage · commit 8808d50feb73 · 2022-05-31T10:29:38.000+02:00
diff --git a/pkg/client/listers.go b/pkg/client/listers.go
@@ -21,6 +21,20 @@ type StorageListers struct {
 	Secrets                kcorelisters.SecretNamespaceLister
 }
 
+func NewStorageListers(
+	infrastructures configlisters.InfrastructureLister,
+	openshiftConfig kcorelisters.ConfigMapNamespaceLister,
+	openshiftConfigManaged kcorelisters.ConfigMapNamespaceLister,
+	secrets kcorelisters.SecretNamespaceLister,
+) *StorageListers {
+	return &StorageListers{
+		Infrastructures:        infrastructures,
+		OpenShiftConfig:        openshiftConfig,
+		OpenShiftConfigManaged: openshiftConfigManaged,
+		Secrets:                secrets,
+	}
+}
+
 type Listers struct {
 	StorageListers
 	Deployments          kappslisters.DeploymentNamespaceLister
diff --git a/pkg/operator/imageregistrycertificates.go b/pkg/operator/imageregistrycertificates.go
@@ -10,61 +10,91 @@ import (
 	corev1informers "k8s.io/client-go/informers/core/v1"
 	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
 	corev1listers "k8s.io/client-go/listers/core/v1"
+	restclient "k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/util/workqueue"
 	"k8s.io/klog/v2"
 
 	operatorv1 "github.com/openshift/api/operator/v1"
 	configv1informers "github.com/openshift/client-go/config/informers/externalversions/config/v1"
 	configv1listers "github.com/openshift/client-go/config/listers/config/v1"
+	imageregistryv1informers "github.com/openshift/client-go/imageregistry/informers/externalversions/imageregistry/v1"
+	imageregistryv1listers "github.com/openshift/client-go/imageregistry/listers/imageregistry/v1"
 	"github.com/openshift/library-go/pkg/operator/v1helpers"
 
+	"github.com/openshift/cluster-image-registry-operator/pkg/client"
 	"github.com/openshift/cluster-image-registry-operator/pkg/defaults"
 	"github.com/openshift/cluster-image-registry-operator/pkg/resource"
 )
 
 type ImageRegistryCertificatesController struct {
-	coreClient            corev1client.CoreV1Interface
-	operatorClient        v1helpers.OperatorClient
-	configMapLister       corev1listers.ConfigMapNamespaceLister
-	serviceLister         corev1listers.ServiceNamespaceLister
-	imageConfigLister     configv1listers.ImageLister
-	openshiftConfigLister corev1listers.ConfigMapNamespaceLister
+	kubeconfig                *restclient.Config
+	coreClient                corev1client.CoreV1Interface
+	operatorClient            v1helpers.OperatorClient
+	configMapLister           corev1listers.ConfigMapNamespaceLister
+	serviceLister             corev1listers.ServiceNamespaceLister
+	imageConfigLister         configv1listers.ImageLister
+	openshiftConfigLister     corev1listers.ConfigMapNamespaceLister
+	imageRegistryConfigLister imageregistryv1listers.ConfigLister
+	storageListers            *client.StorageListers
 
 	cachesToSync []cache.InformerSynced
 	queue        workqueue.RateLimitingInterface
 }
 
 func NewImageRegistryCertificatesController(
+	kubeconfig *restclient.Config,
 	coreClient corev1client.CoreV1Interface,
 	operatorClient v1helpers.OperatorClient,
 	configMapInformer corev1informers.ConfigMapInformer,
+	secretInformer corev1informers.SecretInformer,
 	serviceInformer corev1informers.ServiceInformer,
 	imageConfigInformer configv1informers.ImageInformer,
+	infrastructureInformer configv1informers.InfrastructureInformer,
 	openshiftConfigInformer corev1informers.ConfigMapInformer,
+	openshiftConfigManagedInformer corev1informers.ConfigMapInformer,
+	imageRegistryConfigInformer imageregistryv1informers.ConfigInformer,
 ) *ImageRegistryCertificatesController {
 	c := &ImageRegistryCertificatesController{
-		coreClient:            coreClient,
-		operatorClient:        operatorClient,
-		configMapLister:       configMapInformer.Lister().ConfigMaps(defaults.ImageRegistryOperatorNamespace),
-		serviceLister:         serviceInformer.Lister().Services(defaults.ImageRegistryOperatorNamespace),
-		imageConfigLister:     imageConfigInformer.Lister(),
-		openshiftConfigLister: openshiftConfigInformer.Lister().ConfigMaps(defaults.OpenShiftConfigNamespace),
-		queue:                 workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "ImageRegistryCertificatesController"),
+		kubeconfig:                kubeconfig,
+		coreClient:                coreClient,
+		operatorClient:            operatorClient,
+		configMapLister:           configMapInformer.Lister().ConfigMaps(defaults.ImageRegistryOperatorNamespace),
+		serviceLister:             serviceInformer.Lister().Services(defaults.ImageRegistryOperatorNamespace),
+		imageConfigLister:         imageConfigInformer.Lister(),
+		openshiftConfigLister:     openshiftConfigInformer.Lister().ConfigMaps(defaults.OpenShiftConfigNamespace),
+		imageRegistryConfigLister: imageRegistryConfigInformer.Lister(),
+		queue:                     workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "ImageRegistryCertificatesController"),
 	}
 
 	configMapInformer.Informer().AddEventHandler(c.eventHandler())
 	c.cachesToSync = append(c.cachesToSync, configMapInformer.Informer().HasSynced)
 
+	secretInformer.Informer().AddEventHandler(c.eventHandler())
+	c.cachesToSync = append(c.cachesToSync, secretInformer.Informer().HasSynced)
+
 	serviceInformer.Informer().AddEventHandler(c.eventHandler())
 	c.cachesToSync = append(c.cachesToSync, serviceInformer.Informer().HasSynced)
 
 	imageConfigInformer.Informer().AddEventHandler(c.eventHandler())
 	c.cachesToSync = append(c.cachesToSync, imageConfigInformer.Informer().HasSynced)
 
+	infrastructureInformer.Informer().AddEventHandler(c.eventHandler())
+	c.cachesToSync = append(c.cachesToSync, infrastructureInformer.Informer().HasSynced)
+
 	openshiftConfigInformer.Informer().AddEventHandler(c.eventHandler())
 	c.cachesToSync = append(c.cachesToSync, openshiftConfigInformer.Informer().HasSynced)
 
+	openshiftConfigManagedInformer.Informer().AddEventHandler(c.eventHandler())
+	c.cachesToSync = append(c.cachesToSync, openshiftConfigManagedInformer.Informer().HasSynced)
+
+	c.storageListers = client.NewStorageListers(
+		infrastructureInformer.Lister(),
+		c.openshiftConfigLister,
+		openshiftConfigManagedInformer.Lister().ConfigMaps(defaults.OpenShiftConfigManagedNamespace),
+		secretInformer.Lister().Secrets(defaults.ImageRegistryOperatorNamespace),
+	)
+
 	return c
 }
 
@@ -102,7 +132,8 @@ func (c *ImageRegistryCertificatesController) processNextWorkItem() bool {
 
 func (c *ImageRegistryCertificatesController) sync() error {
 	ctx := context.TODO()
-	g := resource.NewGeneratorCAConfig(c.configMapLister, c.imageConfigLister, c.openshiftConfigLister, c.serviceLister, c.coreClient)
+
+	g := resource.NewGeneratorCAConfig(c.configMapLister, c.imageConfigLister, c.openshiftConfigLister, c.serviceLister, c.imageRegistryConfigLister, c.storageListers, c.kubeconfig, c.coreClient)
 	err := resource.ApplyMutator(g)
 	if err != nil {
 		_, _, updateError := v1helpers.UpdateStatus(
diff --git a/pkg/operator/starter.go b/pkg/operator/starter.go
@@ -98,12 +98,17 @@ func RunOperator(ctx context.Context, kubeconfig *restclient.Config) error {
 	)
 
 	imageRegistryCertificatesController := NewImageRegistryCertificatesController(
+		kubeconfig,
 		kubeClient.CoreV1(),
 		configOperatorClient,
 		kubeInformers.Core().V1().ConfigMaps(),
+		kubeInformers.Core().V1().Secrets(),
 		kubeInformers.Core().V1().Services(),
 		configInformers.Config().V1().Images(),
+		configInformers.Config().V1().Infrastructures(),
 		kubeInformersForOpenShiftConfig.Core().V1().ConfigMaps(),
+		kubeInformersForOpenShiftConfigManaged.Core().V1().ConfigMaps(),
+		imageregistryInformers.Imageregistry().V1().Configs(),
 	)
 
 	nodeCADaemonController := NewNodeCADaemonController(
diff --git a/pkg/resource/caconfig.go b/pkg/resource/caconfig.go
@@ -11,30 +11,50 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	coreset "k8s.io/client-go/kubernetes/typed/core/v1"
 	corelisters "k8s.io/client-go/listers/core/v1"
+	restclient "k8s.io/client-go/rest"
 	"k8s.io/klog/v2"
 
+	operatorv1 "github.com/openshift/api/operator/v1"
 	configlisters "github.com/openshift/client-go/config/listers/config/v1"
+	imageregistryv1listers "github.com/openshift/client-go/imageregistry/listers/imageregistry/v1"
 
+	"github.com/openshift/cluster-image-registry-operator/pkg/client"
 	"github.com/openshift/cluster-image-registry-operator/pkg/defaults"
+	"github.com/openshift/cluster-image-registry-operator/pkg/storage"
 )
 
 var _ Mutator = &generatorCAConfig{}
 
 type generatorCAConfig struct {
-	lister                corelisters.ConfigMapNamespaceLister
-	imageConfigLister     configlisters.ImageLister
-	openshiftConfigLister corelisters.ConfigMapNamespaceLister
-	serviceLister         corelisters.ServiceNamespaceLister
-	client                coreset.CoreV1Interface
+	lister                    corelisters.ConfigMapNamespaceLister
+	imageConfigLister         configlisters.ImageLister
+	openshiftConfigLister     corelisters.ConfigMapNamespaceLister
+	serviceLister             corelisters.ServiceNamespaceLister
+	imageRegistryConfigLister imageregistryv1listers.ConfigLister
+	storageListers            *client.StorageListers
+	kubeconfig                *restclient.Config
+	client                    coreset.CoreV1Interface
 }
 
-func NewGeneratorCAConfig(lister corelisters.ConfigMapNamespaceLister, imageConfigLister configlisters.ImageLister, openshiftConfigLister corelisters.ConfigMapNamespaceLister, serviceLister corelisters.ServiceNamespaceLister, client coreset.CoreV1Interface) Mutator {
+func NewGeneratorCAConfig(
+	lister corelisters.ConfigMapNamespaceLister,
+	imageConfigLister configlisters.ImageLister,
+	openshiftConfigLister corelisters.ConfigMapNamespaceLister,
+	serviceLister corelisters.ServiceNamespaceLister,
+	imageRegistryConfigLister imageregistryv1listers.ConfigLister,
+	storageListers *client.StorageListers,
+	kubeconfig *restclient.Config,
+	client coreset.CoreV1Interface,
+) Mutator {
 	return &generatorCAConfig{
-		lister:                lister,
-		imageConfigLister:     imageConfigLister,
-		openshiftConfigLister: openshiftConfigLister,
-		serviceLister:         serviceLister,
-		client:                client,
+		lister:                    lister,
+		imageConfigLister:         imageConfigLister,
+		openshiftConfigLister:     openshiftConfigLister,
+		serviceLister:             serviceLister,
+		imageRegistryConfigLister: imageRegistryConfigLister,
+		storageListers:            storageListers,
+		kubeconfig:                kubeconfig,
+		client:                    client,
 	}
 }
 
@@ -50,6 +70,30 @@ func (gcac *generatorCAConfig) GetName() string {
 	return defaults.ImageRegistryCertificatesName
 }
 
+func (gcac *generatorCAConfig) storageDriver() (storage.Driver, error) {
+	imageRegistryConfig, err := gcac.imageRegistryConfigLister.Get("cluster")
+	if errors.IsNotFound(err) {
+		return nil, nil
+	} else if err != nil {
+		return nil, err
+	}
+
+	if imageRegistryConfig.Spec.ManagementState == operatorv1.Removed {
+		// The certificates controller does not need to know about
+		// storage when the management state is Removed.
+		return nil, nil
+	}
+
+	driver, err := storage.NewDriver(&imageRegistryConfig.Spec.Storage, gcac.kubeconfig, gcac.storageListers)
+	if err == storage.ErrStorageNotConfigured || storage.IsMultiStoragesError(err) {
+		return nil, nil
+	} else if err != nil {
+		return nil, err
+	}
+
+	return driver, nil
+}
+
 func (gcac *generatorCAConfig) expected() (runtime.Object, error) {
 	cm := &corev1.ConfigMap{
 		ObjectMeta: metav1.ObjectMeta{
@@ -102,14 +146,18 @@ func (gcac *generatorCAConfig) expected() (runtime.Object, error) {
 		}
 	}
 
-	cp_ca, err := gcac.openshiftConfigLister.Get("cloud-provider-config")
-	if errors.IsNotFound(err) {
-		klog.V(4).Infof("missing the cloud-provider-config configmap: %s", err)
-	} else if err != nil {
+	driver, err := gcac.storageDriver()
+	if err != nil {
 		return cm, err
-	} else {
-		if cert, ok := cp_ca.Data["ca-bundle.pem"]; ok {
-			cm.Data["cloud-provider-ca-bundle.pem"] = cert
+	}
+	if driver != nil {
+		storageCABundle, _, err := driver.CABundle()
+		if err != nil {
+			return cm, err
+		}
+		if storageCABundle != "" {
+			klog.V(4).Infof("using storage ca bundle (%d bytes)", len(storageCABundle))
+			cm.Data["storage-ca-bundle.pem"] = storageCABundle
 		}
 	}
 
diff --git a/pkg/resource/deployment_test.go b/pkg/resource/deployment_test.go
@@ -182,6 +182,10 @@ func waitForUpdatedSecret(ctx context.Context, kubeClient kubeclient.Interface,
 
 type testDriver struct{}
 
+func (d *testDriver) CABundle() (string, bool, error) {
+	return "", false, nil
+}
+
 func (d *testDriver) ConfigEnv() (envvar.List, error) {
 	return nil, nil
 }
diff --git a/pkg/resource/podtemplatespec_test.go b/pkg/resource/podtemplatespec_test.go
@@ -506,7 +506,7 @@ func TestMakePodTemplateSpecS3CloudFront(t *testing.T) {
 	testBuilder.AddNamespaces(imageRegNs)
 
 	fixture := testBuilder.Build()
-	s3Storage := s3.NewDriver(ctx, config.Spec.Storage.S3, fixture.Listers)
+	s3Storage := s3.NewDriver(ctx, config.Spec.Storage.S3, &fixture.Listers.StorageListers)
 	pod, _, err := makePodTemplateSpec(fixture.KubeClient.CoreV1(), fixture.Listers.ProxyConfigs, s3Storage, config)
 	if err != nil {
 		t.Fatalf("error creating pod template: %v", err)
diff --git a/pkg/storage/azure/azure.go b/pkg/storage/azure/azure.go
@@ -338,6 +338,10 @@ func (d *driver) getKey(cfg *Azure, environment autorestazure.Environment) (stri
 	return key, nil
 }
 
+func (d *driver) CABundle() (string, bool, error) {
+	return "", true, nil
+}
+
 // ConfigEnv configures the environment variables that will be used in the
 // image registry deployment.
 func (d *driver) ConfigEnv() (envs envvar.List, err error) {
diff --git a/pkg/storage/emptydir/emptydir.go b/pkg/storage/emptydir/emptydir.go
@@ -27,6 +27,10 @@ func NewDriver(c *imageregistryv1.ImageRegistryConfigStorageEmptyDir) *driver {
 	}
 }
 
+func (d *driver) CABundle() (string, bool, error) {
+	return "", false, nil
+}
+
 func (d *driver) ConfigEnv() (envs envvar.List, err error) {
 	envs = append(envs,
 		envvar.EnvVar{Name: "REGISTRY_STORAGE", Value: "filesystem"},
diff --git a/pkg/storage/gcs/gcs.go b/pkg/storage/gcs/gcs.go
@@ -121,6 +121,10 @@ func GetConfig(listers *regopclient.StorageListers) (*GCS, error) {
 	return gcsConfig, nil
 }
 
+func (d *driver) CABundle() (string, bool, error) {
+	return "", true, nil
+}
+
 func (d *driver) ConfigEnv() (envs envvar.List, err error) {
 	envs = append(envs,
 		envvar.EnvVar{Name: "REGISTRY_STORAGE", Value: "gcs"},
diff --git a/pkg/storage/ibmcos/ibmcos.go b/pkg/storage/ibmcos/ibmcos.go
@@ -69,6 +69,11 @@ func NewDriver(ctx context.Context, c *imageregistryv1.ImageRegistryConfigStorag
 	}
 }
 
+// CABundle returns a additional CA bundle for IBM COS.
+func (d *driver) CABundle() (string, bool, error) {
+	return "", true, nil
+}
+
 // ConfigEnv configures the environment variables that will be
 // used in the image registry deployment.
 func (d *driver) ConfigEnv() (envs envvar.List, err error) {
diff --git a/pkg/storage/oss/oss.go b/pkg/storage/oss/oss.go
@@ -56,6 +56,10 @@ func NewDriver(ctx context.Context, c *imageregistryv1.ImageRegistryConfigStorag
 	}
 }
 
+func (d *driver) CABundle() (string, bool, error) {
+	return "", true, nil
+}
+
 // UpdateEffectiveConfig updates the driver's local effective OSS configuration
 // based on infrastructure settings and any custom overrides.
 func (d *driver) UpdateEffectiveConfig() error {
diff --git a/pkg/storage/pvc/pvc.go b/pkg/storage/pvc/pvc.go
@@ -51,6 +51,10 @@ func NewDriver(c *imageregistryv1.ImageRegistryConfigStoragePVC, kubeconfig *res
 	}, nil
 }
 
+func (d *driver) CABundle() (string, bool, error) {
+	return "", false, nil
+}
+
 func (d *driver) ConfigEnv() (envs envvar.List, err error) {
 	envs = append(envs,
 		envvar.EnvVar{Name: "REGISTRY_STORAGE", Value: "filesystem"},
diff --git a/pkg/storage/s3/s3.go b/pkg/storage/s3/s3.go
diff --git a/pkg/storage/storage.go b/pkg/storage/storage.go
diff --git a/pkg/storage/swift/swift.go b/pkg/storage/swift/swift.go

Original file line number	Diff line number	Diff line change
`@@ -182,6 +182,10 @@ func waitForUpdatedSecret(ctx context.Context, kubeClient kubeclient.Interface,`
`182`	`182`
`183`	`183`	`type testDriver struct{}`
`184`	`184`
	`185`	`+func (d *testDriver) CABundle() (string, bool, error) {`
	`186`	`+ return "", false, nil`
	`187`	`+}`
	`188`	`+`
`185`	`189`	`func (d *testDriver) ConfigEnv() (envvar.List, error) {`
`186`	`190`	`return nil, nil`
`187`	`191`	`}`
Original file line number	Diff line number	Diff line change
`@@ -27,6 +27,10 @@ func NewDriver(c imageregistryv1.ImageRegistryConfigStorageEmptyDir) driver {`
`27`	`27`	`}`
`28`	`28`	`}`
`29`	`29`
	`30`	`+func (d *driver) CABundle() (string, bool, error) {`
	`31`	`+ return "", false, nil`
	`32`	`+}`
	`33`	`+`
`30`	`34`	`func (d *driver) ConfigEnv() (envs envvar.List, err error) {`
`31`	`35`	`envs = append(envs,`
`32`	`36`	`envvar.EnvVar{Name: "REGISTRY_STORAGE", Value: "filesystem"},`
Original file line number	Diff line number	Diff line change
`@@ -69,6 +69,11 @@ func NewDriver(ctx context.Context, c *imageregistryv1.ImageRegistryConfigStorag`
`69`	`69`	`}`
`70`	`70`	`}`
`71`	`71`
	`72`	`+// CABundle returns a additional CA bundle for IBM COS.`
	`73`	`+func (d *driver) CABundle() (string, bool, error) {`
	`74`	`+ return "", true, nil`
	`75`	`+}`
	`76`	`+`
`72`	`77`	`// ConfigEnv configures the environment variables that will be`
`73`	`78`	`// used in the image registry deployment.`
`74`	`79`	`func (d *driver) ConfigEnv() (envs envvar.List, err error) {`