Add storage CA bundle to registry certs

dmage · dmage · commit f9d38b3781ca · 2022-05-31T10:29:40.000+02:00
diff --git a/pkg/resource/caconfig.go b/pkg/resource/caconfig.go
@@ -70,28 +70,30 @@ func (gcac *generatorCAConfig) GetName() string {
 	return defaults.ImageRegistryCertificatesName
 }
 
-func (gcac *generatorCAConfig) storageDriver() (storage.Driver, error) {
+func (gcac *generatorCAConfig) storageDriver() (storage.Driver, bool, error) {
 	imageRegistryConfig, err := gcac.imageRegistryConfigLister.Get("cluster")
 	if errors.IsNotFound(err) {
-		return nil, nil
+		return nil, false, nil
 	} else if err != nil {
-		return nil, err
+		return nil, false, err
 	}
 
 	if imageRegistryConfig.Spec.ManagementState == operatorv1.Removed {
 		// The certificates controller does not need to know about
 		// storage when the management state is Removed.
-		return nil, nil
+		return nil, false, nil
 	}
 
 	driver, err := storage.NewDriver(&imageRegistryConfig.Spec.Storage, gcac.kubeconfig, gcac.storageListers)
 	if err == storage.ErrStorageNotConfigured || storage.IsMultiStoragesError(err) {
-		return nil, nil
+		return nil, false, nil
 	} else if err != nil {
-		return nil, err
+		return nil, false, err
 	}
 
-	return driver, nil
+	canRedirect := !imageRegistryConfig.Spec.DisableRedirect
+
+	return driver, canRedirect, nil
 }
 
 func (gcac *generatorCAConfig) expected() (runtime.Object, error) {
@@ -104,6 +106,8 @@ func (gcac *generatorCAConfig) expected() (runtime.Object, error) {
 		BinaryData: map[string][]byte{},
 	}
 
+	var ownHostnameKeys []string
+
 	serviceCA, err := gcac.lister.Get(defaults.ServiceCAName)
 	if errors.IsNotFound(err) {
 		klog.V(4).Infof("missing the service CA configmap: %s", err)
@@ -119,7 +123,9 @@ func (gcac *generatorCAConfig) expected() (runtime.Object, error) {
 				klog.Infof("unable to get the service name to add service-ca.crt")
 			} else {
 				for _, internalHostname := range internalHostnames {
-					cm.Data[strings.Replace(internalHostname, ":", "..", -1)] = cert
+					key := strings.Replace(internalHostname, ":", "..", -1)
+					ownHostnameKeys = append(ownHostnameKeys, key)
+					cm.Data[key] = cert
 				}
 			}
 		} else {
@@ -146,7 +152,7 @@ func (gcac *generatorCAConfig) expected() (runtime.Object, error) {
 		}
 	}
 
-	driver, err := gcac.storageDriver()
+	driver, canRedirect, err := gcac.storageDriver()
 	if err != nil {
 		return cm, err
 	}
@@ -158,6 +164,12 @@ func (gcac *generatorCAConfig) expected() (runtime.Object, error) {
 		if storageCABundle != "" {
 			klog.V(4).Infof("using storage ca bundle (%d bytes)", len(storageCABundle))
 			cm.Data["storage-ca-bundle.pem"] = storageCABundle
+			if canRedirect {
+				klog.V(4).Infof("injecting storage ca bundle into registry certificates...")
+				for _, key := range ownHostnameKeys {
+					cm.Data[key] += "\n" + storageCABundle
+				}
+			}
 		}
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -70,28 +70,30 @@ func (gcac *generatorCAConfig) GetName() string {`
`70`	`70`	`return defaults.ImageRegistryCertificatesName`
`71`	`71`	`}`
`72`	`72`
`73`		`-func (gcac *generatorCAConfig) storageDriver() (storage.Driver, error) {`
	`73`	`+func (gcac *generatorCAConfig) storageDriver() (storage.Driver, bool, error) {`
`74`	`74`	`imageRegistryConfig, err := gcac.imageRegistryConfigLister.Get("cluster")`
`75`	`75`	`if errors.IsNotFound(err) {`
`76`		`- return nil, nil`
	`76`	`+ return nil, false, nil`
`77`	`77`	`} else if err != nil {`
`78`		`- return nil, err`
	`78`	`+ return nil, false, err`
`79`	`79`	`}`
`80`	`80`
`81`	`81`	`if imageRegistryConfig.Spec.ManagementState == operatorv1.Removed {`
`82`	`82`	`// The certificates controller does not need to know about`
`83`	`83`	`// storage when the management state is Removed.`
`84`		`- return nil, nil`
	`84`	`+ return nil, false, nil`
`85`	`85`	`}`
`86`	`86`
`87`	`87`	`driver, err := storage.NewDriver(&imageRegistryConfig.Spec.Storage, gcac.kubeconfig, gcac.storageListers)`
`88`	`88`	`if err == storage.ErrStorageNotConfigured \|\| storage.IsMultiStoragesError(err) {`
`89`		`- return nil, nil`
	`89`	`+ return nil, false, nil`
`90`	`90`	`} else if err != nil {`
`91`		`- return nil, err`
	`91`	`+ return nil, false, err`
`92`	`92`	`}`
`93`	`93`
`94`		`- return driver, nil`
	`94`	`+ canRedirect := !imageRegistryConfig.Spec.DisableRedirect`
	`95`	`+`
	`96`	`+ return driver, canRedirect, nil`
`95`	`97`	`}`
`96`	`98`
`97`	`99`	`func (gcac *generatorCAConfig) expected() (runtime.Object, error) {`
`@@ -104,6 +106,8 @@ func (gcac *generatorCAConfig) expected() (runtime.Object, error) {`
`104`	`106`	`BinaryData: map[string][]byte{},`
`105`	`107`	`}`
`106`	`108`
	`109`	`+ var ownHostnameKeys []string`
	`110`	`+`
`107`	`111`	`serviceCA, err := gcac.lister.Get(defaults.ServiceCAName)`
`108`	`112`	`if errors.IsNotFound(err) {`
`109`	`113`	`klog.V(4).Infof("missing the service CA configmap: %s", err)`
`@@ -119,7 +123,9 @@ func (gcac *generatorCAConfig) expected() (runtime.Object, error) {`
`119`	`123`	`klog.Infof("unable to get the service name to add service-ca.crt")`
`120`	`124`	`} else {`
`121`	`125`	`for _, internalHostname := range internalHostnames {`
`122`		`- cm.Data[strings.Replace(internalHostname, ":", "..", -1)] = cert`
	`126`	`+ key := strings.Replace(internalHostname, ":", "..", -1)`
	`127`	`+ ownHostnameKeys = append(ownHostnameKeys, key)`
	`128`	`+ cm.Data[key] = cert`
`123`	`129`	`}`
`124`	`130`	`}`
`125`	`131`	`} else {`
`@@ -146,7 +152,7 @@ func (gcac *generatorCAConfig) expected() (runtime.Object, error) {`
`146`	`152`	`}`
`147`	`153`	`}`
`148`	`154`
`149`		`- driver, err := gcac.storageDriver()`
	`155`	`+ driver, canRedirect, err := gcac.storageDriver()`
`150`	`156`	`if err != nil {`
`151`	`157`	`return cm, err`
`152`	`158`	`}`
`@@ -158,6 +164,12 @@ func (gcac *generatorCAConfig) expected() (runtime.Object, error) {`
`158`	`164`	`if storageCABundle != "" {`
`159`	`165`	`klog.V(4).Infof("using storage ca bundle (%d bytes)", len(storageCABundle))`
`160`	`166`	`cm.Data["storage-ca-bundle.pem"] = storageCABundle`
	`167`	`+ if canRedirect {`
	`168`	`+ klog.V(4).Infof("injecting storage ca bundle into registry certificates...")`
	`169`	`+ for _, key := range ownHostnameKeys {`
	`170`	`+ cm.Data[key] += "\n" + storageCABundle`
	`171`	`+ }`
	`172`	`+ }`
`161`	`173`	`}`
`162`	`174`	`}`
`163`	`175`