pkg: add registry certificate to openshift-config-managed ns

this certificate contains the storage ca and the service ca, making it
nearly identical to the image-registry-certificates, except that it does
not contains the additionalTrustedCA from
images.config.openshift.io/cluster.

Author: flavianmissi

pkg/defaults/defaults.go

@@ -29,6 +29,12 @@ const (
 	// CAs to be trusted during image pullthrough
 	ImageRegistryCertificatesName = "image-registry-certificates"
 
+	// ImageRegistryCAName is the name of the configmap managed by the registry operator
+	// on the openshift-config-managed namespace. This config map is nearly identical to
+	// ImageRegistryCertificatesName, but it does not include the additionalTrustedCA
+	// from images.config.openshift.io/cluster.
+	ImageRegistryCAName = "image-registry-ca"
+
 	// ImageRegistryPrivateConfiguration is the name of a secret that is managed by the
 	// registry operator and which provides credentials to the registry for things like
 	// accessing S3 storage

pkg/operator/imageregistrycertificates.go

@@ -32,6 +32,7 @@ type ImageRegistryCertificatesController struct {
 	coreClient                corev1client.CoreV1Interface
 	operatorClient            v1helpers.OperatorClient
 	configMapLister           corev1listers.ConfigMapNamespaceLister
+	configMapManagedLister    corev1listers.ConfigMapNamespaceLister
 	serviceLister             corev1listers.ServiceNamespaceLister
 	imageConfigLister         configv1listers.ImageLister
 	openshiftConfigLister     corev1listers.ConfigMapNamespaceLister
@@ -60,6 +61,7 @@ func NewImageRegistryCertificatesController(
 		coreClient:                coreClient,
 		operatorClient:            operatorClient,
 		configMapLister:           configMapInformer.Lister().ConfigMaps(defaults.ImageRegistryOperatorNamespace),
+		configMapManagedLister:    configMapInformer.Lister().ConfigMaps(defaults.OpenShiftConfigManagedNamespace),
 		serviceLister:             serviceInformer.Lister().Services(defaults.ImageRegistryOperatorNamespace),
 		imageConfigLister:         imageConfigInformer.Lister(),
 		openshiftConfigLister:     openshiftConfigInformer.Lister().ConfigMaps(defaults.OpenShiftConfigNamespace),
@@ -162,6 +164,30 @@ func (c *ImageRegistryCertificatesController) sync() error {
 		return utilerrors.NewAggregate([]error{err, updateError})
 	}
 
+	g = resource.NewGeneratorImageRegistryCA(
+		c.configMapManagedLister,
+		c.imageConfigLister,
+		c.openshiftConfigLister,
+		c.serviceLister,
+		c.imageRegistryConfigLister,
+		c.storageListers,
+		c.kubeconfig,
+		c.coreClient,
+	)
+	err = resource.ApplyMutator(g)
+	if err != nil {
+		_, _, updateError := v1helpers.UpdateStatus(
+			ctx,
+			c.operatorClient,
+			v1helpers.UpdateConditionFn(operatorv1.OperatorCondition{
+				Type:    "ImageRegistryCertificatesControllerDegraded",
+				Status:  operatorv1.ConditionTrue,
+				Reason:  "Error",
+				Message: err.Error(),
+			}))
+		return utilerrors.NewAggregate([]error{err, updateError})
+	}
+
 	_, _, err = v1helpers.UpdateStatus(
 		ctx,
 		c.operatorClient,

pkg/resource/caconfig.go

@@ -112,12 +112,12 @@ func (gcac *generatorCAConfig) expected() (runtime.Object, error) {
 	if errors.IsNotFound(err) {
 		klog.V(4).Infof("missing the service CA configmap: %s", err)
 	} else if err != nil {
-		return cm, err
+		return cm, fmt.Errorf("%s: %s", gcac.GetName(), err)
 	} else {
 		if cert, ok := serviceCA.Data["service-ca.crt"]; ok {
 			internalHostnames, err := getServiceHostnames(gcac.serviceLister, defaults.ServiceName)
 			if err != nil {
-				return cm, err
+				return cm, fmt.Errorf("%s: %s", gcac.GetName(), err)
 			}
 			if len(internalHostnames) == 0 {
 				klog.Infof("unable to get the service name to add service-ca.crt")
@@ -137,11 +137,11 @@ func (gcac *generatorCAConfig) expected() (runtime.Object, error) {
 	if errors.IsNotFound(err) {
 		klog.V(4).Infof("missing the image config: %s", err)
 	} else if err != nil {
-		return cm, err
+		return cm, fmt.Errorf("%s: %s", gcac.GetName(), err)
 	} else if caConfigName := imageConfig.Spec.AdditionalTrustedCA.Name; caConfigName != "" {
 		upstreamConfig, err := gcac.openshiftConfigLister.Get(caConfigName)
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("%s: %s", gcac.GetName(), err)
 		}
 
 		for k, v := range upstreamConfig.Data {
@@ -154,12 +154,12 @@ func (gcac *generatorCAConfig) expected() (runtime.Object, error) {
 
 	driver, canRedirect, err := gcac.storageDriver()
 	if err != nil {
-		return cm, err
+		return cm, fmt.Errorf("%s: %s", gcac.GetName(), err)
 	}
 	if driver != nil {
 		storageCABundle, _, err := driver.CABundle()
 		if err != nil {
-			return cm, err
+			return cm, fmt.Errorf("%s: %s", gcac.GetName(), err)
 		}
 		if storageCABundle != "" {
 			klog.V(4).Infof("using storage ca bundle (%d bytes)", len(storageCABundle))

pkg/resource/imageregistryca.go

@@ -0,0 +1,187 @@
+package resource
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	coreset "k8s.io/client-go/kubernetes/typed/core/v1"
+	corelisters "k8s.io/client-go/listers/core/v1"
+	restclient "k8s.io/client-go/rest"
+	"k8s.io/klog/v2"
+
+	operatorv1 "github.com/openshift/api/operator/v1"
+	configlisters "github.com/openshift/client-go/config/listers/config/v1"
+	imageregistryv1listers "github.com/openshift/client-go/imageregistry/listers/imageregistry/v1"
+
+	"github.com/openshift/cluster-image-registry-operator/pkg/client"
+	"github.com/openshift/cluster-image-registry-operator/pkg/defaults"
+	"github.com/openshift/cluster-image-registry-operator/pkg/storage"
+)
+
+var _ Mutator = &generatorImageRegistryCA{}
+
+type generatorImageRegistryCA struct {
+	lister                    corelisters.ConfigMapNamespaceLister
+	imageConfigLister         configlisters.ImageLister
+	openshiftConfigLister     corelisters.ConfigMapNamespaceLister
+	serviceLister             corelisters.ServiceNamespaceLister
+	imageRegistryConfigLister imageregistryv1listers.ConfigLister
+	storageListers            *client.StorageListers
+	kubeconfig                *restclient.Config
+	client                    coreset.CoreV1Interface
+}
+
+func NewGeneratorImageRegistryCA(
+	lister corelisters.ConfigMapNamespaceLister,
+	imageConfigLister configlisters.ImageLister,
+	openshiftConfigLister corelisters.ConfigMapNamespaceLister,
+	serviceLister corelisters.ServiceNamespaceLister,
+	imageRegistryConfigLister imageregistryv1listers.ConfigLister,
+	storageListers *client.StorageListers,
+	kubeconfig *restclient.Config,
+	client coreset.CoreV1Interface,
+) Mutator {
+	return &generatorImageRegistryCA{
+		lister:                    lister,
+		imageConfigLister:         imageConfigLister,
+		openshiftConfigLister:     openshiftConfigLister,
+		serviceLister:             serviceLister,
+		imageRegistryConfigLister: imageRegistryConfigLister,
+		storageListers:            storageListers,
+		kubeconfig:                kubeconfig,
+		client:                    client,
+	}
+}
+
+func (girca *generatorImageRegistryCA) Type() runtime.Object {
+	return &corev1.ConfigMap{}
+}
+
+func (girca *generatorImageRegistryCA) GetNamespace() string {
+	return defaults.OpenShiftConfigManagedNamespace
+}
+
+func (girca *generatorImageRegistryCA) GetName() string {
+	return defaults.ImageRegistryCAName
+}
+
+func (girca *generatorImageRegistryCA) storageDriver() (storage.Driver, bool, error) {
+	imageRegistryConfig, err := girca.imageRegistryConfigLister.Get("cluster")
+	if errors.IsNotFound(err) {
+		return nil, false, nil
+	} else if err != nil {
+		return nil, false, err
+	}
+
+	if imageRegistryConfig.Spec.ManagementState == operatorv1.Removed {
+		// The certificates controller does not need to know about
+		// storage when the management state is Removed.
+		return nil, false, nil
+	}
+
+	driver, err := storage.NewDriver(&imageRegistryConfig.Spec.Storage, girca.kubeconfig, girca.storageListers)
+	if err == storage.ErrStorageNotConfigured || storage.IsMultiStoragesError(err) {
+		return nil, false, nil
+	} else if err != nil {
+		return nil, false, err
+	}
+
+	canRedirect := !imageRegistryConfig.Spec.DisableRedirect
+
+	return driver, canRedirect, nil
+}
+
+func (girca *generatorImageRegistryCA) expected() (runtime.Object, error) {
+	cm := &corev1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      girca.GetName(),
+			Namespace: girca.GetNamespace(),
+		},
+		Data:       map[string]string{},
+		BinaryData: map[string][]byte{},
+	}
+
+	var ownHostnameKeys []string
+
+	serviceCA, err := girca.lister.Get(defaults.ServiceCAName)
+	if errors.IsNotFound(err) {
+		klog.V(4).Infof("missing the service CA configmap: %s", err)
+	} else if err != nil {
+		return cm, fmt.Errorf("%s: %s", girca.GetName(), err)
+	} else {
+		if cert, ok := serviceCA.Data["service-ca.crt"]; ok {
+			internalHostnames, err := getServiceHostnames(girca.serviceLister, defaults.ServiceName)
+			if err != nil {
+				return cm, fmt.Errorf("%s: %s", girca.GetName(), err)
+			}
+			if len(internalHostnames) == 0 {
+				klog.Infof("unable to get the service name to add service-ca.crt")
+			} else {
+				for _, internalHostname := range internalHostnames {
+					key := strings.Replace(internalHostname, ":", "..", -1)
+					ownHostnameKeys = append(ownHostnameKeys, key)
+					cm.Data[key] = cert
+				}
+			}
+		} else {
+			klog.Infof("the service CA is not injected yet")
+		}
+	}
+
+	driver, canRedirect, err := girca.storageDriver()
+	if err != nil {
+		return cm, fmt.Errorf("%s: %s", girca.GetName(), err)
+	}
+	if driver != nil {
+		storageCABundle, _, err := driver.CABundle()
+		if err != nil {
+			return cm, fmt.Errorf("%s: %s", girca.GetName(), err)
+		}
+		if storageCABundle != "" {
+			klog.V(4).Infof("using storage ca bundle (%d bytes)", len(storageCABundle))
+			if canRedirect {
+				klog.V(4).Infof("injecting storage ca bundle into registry certificates...")
+				for _, key := range ownHostnameKeys {
+					cm.Data[key] += "\n" + storageCABundle
+				}
+			}
+		}
+	}
+
+	return cm, nil
+}
+
+func (girca *generatorImageRegistryCA) Get() (runtime.Object, error) {
+	return girca.lister.Get(girca.GetName())
+}
+
+func (girca *generatorImageRegistryCA) Create() (runtime.Object, error) {
+	return commonCreate(girca, func(obj runtime.Object) (runtime.Object, error) {
+		return girca.client.ConfigMaps(girca.GetNamespace()).Create(
+			context.TODO(), obj.(*corev1.ConfigMap), metav1.CreateOptions{},
+		)
+	})
+}
+
+func (girca *generatorImageRegistryCA) Update(o runtime.Object) (runtime.Object, bool, error) {
+	return commonUpdate(girca, o, func(obj runtime.Object) (runtime.Object, error) {
+		return girca.client.ConfigMaps(girca.GetNamespace()).Update(
+			context.TODO(), obj.(*corev1.ConfigMap), metav1.UpdateOptions{},
+		)
+	})
+}
+
+func (girca *generatorImageRegistryCA) Delete(opts metav1.DeleteOptions) error {
+	return girca.client.ConfigMaps(girca.GetNamespace()).Delete(
+		context.TODO(), girca.GetName(), opts,
+	)
+}
+
+func (g *generatorImageRegistryCA) Owned() bool {
+	return true
+}