Use the cluster wildcard certificate in ingress canary

Author: rfredette

pkg/manifests/assets/canary/daemonset.yaml

@@ -49,7 +49,7 @@ spec:
       volumes:
       - name: cert
         secret:
-          secretName: canary-serving-cert
+          # secret name is set at runtime
           defaultMode: 0420
   updateStrategy:
     type: RollingUpdate

pkg/manifests/assets/canary/service.yaml

@@ -2,10 +2,8 @@
 # Specific values are applied at runtime
 kind: Service
 apiVersion: v1
-metadata:
+metadata: {}
   # name and namespace are set at runtime.
-  annotations:
-      service.beta.openshift.io/serving-cert-secret-name: canary-serving-cert
 spec:
   type: ClusterIP
   ports:

pkg/operator/controller/canary/daemonset.go

@@ -7,17 +7,23 @@ import (
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
 
+	operatorv1 "github.com/openshift/api/operator/v1"
 	"github.com/openshift/cluster-ingress-operator/pkg/manifests"
 	"github.com/openshift/cluster-ingress-operator/pkg/operator/controller"
 
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/types"
 )
 
 // ensureCanaryDaemonSet ensures the canary daemonset exists
 func (r *reconciler) ensureCanaryDaemonSet() (bool, *appsv1.DaemonSet, error) {
-	desired := desiredCanaryDaemonSet(r.config.CanaryImage)
+	secretName, err := r.canarySecretName(controller.CanaryDaemonSetName().Namespace)
+	if err != nil {
+		return false, nil, err
+	}
+	desired := desiredCanaryDaemonSet(r.config.CanaryImage, secretName.Name)
 	haveDs, current, err := r.currentCanaryDaemonSet()
 	if err != nil {
 		return false, nil, err
@@ -80,7 +86,7 @@ func (r *reconciler) updateCanaryDaemonSet(current, desired *appsv1.DaemonSet) (
 
 // desiredCanaryDaemonSet returns the desired canary daemonset read in
 // from manifests
-func desiredCanaryDaemonSet(canaryImage string) *appsv1.DaemonSet {
+func desiredCanaryDaemonSet(canaryImage, secretName string) *appsv1.DaemonSet {
 	daemonset := manifests.CanaryDaemonSet()
 	name := controller.CanaryDaemonSetName()
 	daemonset.Name = name.Name
@@ -97,6 +103,8 @@ func desiredCanaryDaemonSet(canaryImage string) *appsv1.DaemonSet {
 	daemonset.Spec.Template.Spec.Containers[0].Image = canaryImage
 	daemonset.Spec.Template.Spec.Containers[0].Command = []string{"ingress-operator", CanaryHealthcheckCommand}
 
+	daemonset.Spec.Template.Spec.Volumes[0].Secret.SecretName = secretName
+
 	return daemonset
 }
 
@@ -196,3 +204,15 @@ func cmpTolerations(a, b corev1.Toleration) bool {
 	}
 	return true
 }
+
+func (r *reconciler) canarySecretName(Namespace string) (types.NamespacedName, error) {
+	defaultIC := operatorv1.IngressController{}
+	defaultICName := types.NamespacedName{
+		Name:      manifests.DefaultIngressControllerName,
+		Namespace: r.config.Namespace,
+	}
+	if err := r.client.Get(context.TODO(), defaultICName, &defaultIC); err != nil {
+		return types.NamespacedName{}, err
+	}
+	return controller.RouterEffectiveDefaultCertificateSecretName(&defaultIC, Namespace), nil
+}

pkg/operator/controller/certificate/controller.go

@@ -10,6 +10,7 @@ import (
 	"time"
 
 	logf "github.com/openshift/cluster-ingress-operator/pkg/log"
+	"github.com/openshift/cluster-ingress-operator/pkg/manifests"
 	"github.com/openshift/cluster-ingress-operator/pkg/operator/controller"
 	ingresscontroller "github.com/openshift/cluster-ingress-operator/pkg/operator/controller/ingress"
 
@@ -105,6 +106,33 @@ func (r *reconciler) Reconcile(ctx context.Context, request reconcile.Request) (
 			if _, err := r.ensureDefaultCertificateForIngress(ca, deployment.Namespace, deploymentRef, ingress); err != nil {
 				errs = append(errs, fmt.Errorf("failed to ensure default cert for %s: %v", ingress.Name, err))
 			}
+			if ingress.Name == manifests.DefaultIngressControllerName {
+				log.Info("ensuring canary certificate")
+				daemonset := &appsv1.DaemonSet{}
+				err = r.client.Get(ctx, controller.CanaryDaemonSetName(), daemonset)
+				if err != nil {
+					if errors.IsNotFound(err) {
+						// All ingresses should have a deployment, so this one may not have been
+						// created yet. Retry after a reasonable amount of time.
+						log.Info("canary daemonset not found; will retry default cert sync")
+						result.RequeueAfter = 5 * time.Second
+					} else {
+						errs = append(errs, fmt.Errorf("failed to get daemonset: %v", err))
+					}
+				} else {
+					trueVar := true
+					canaryRef := metav1.OwnerReference{
+						APIVersion: "apps/v1",
+						Kind:       "Daemonset",
+						Name:       daemonset.Name,
+						UID:        daemonset.UID,
+						Controller: &trueVar,
+					}
+					if _, err := r.ensureDefaultCertificateForIngress(ca, "openshift-ingress-canary", canaryRef, ingress); err != nil {
+						errs = append(errs, fmt.Errorf("failed to ensure canary cert for %s: %v", ingress.Name, err))
+					}
+				}
+			}
 		}
 	}
 

pkg/operator/controller/certificate/default_cert.go

@@ -48,14 +48,14 @@ func (r *reconciler) ensureDefaultCertificateForIngress(caSecret *corev1.Secret,
 		if deleted, err := r.deleteRouterDefaultCertificate(current); err != nil {
 			return true, fmt.Errorf("failed to delete default certificate: %v", err)
 		} else if deleted {
-			r.recorder.Eventf(ci, "Normal", "DeletedDefaultCertificate", "Deleted default wildcard certificate %q", current.Name)
+			r.recorder.Eventf(ci, "Normal", "DeletedDefaultCertificate", "Deleted default wildcard certificate %q in namespace %q", current.Name, current.Namespace)
 			return false, nil
 		}
 	case wantCert && !haveCert:
 		if created, err := r.createRouterDefaultCertificate(desired); err != nil {
 			return false, fmt.Errorf("failed to create default certificate: %v", err)
 		} else if created {
-			r.recorder.Eventf(ci, "Normal", "CreatedDefaultCertificate", "Created default wildcard certificate %q", desired.Name)
+			r.recorder.Eventf(ci, "Normal", "CreatedDefaultCertificate", "Created default wildcard certificate %q in namespace %q", desired.Name, desired.Namespace)
 			return true, nil
 		}
 	case wantCert && haveCert: