
Commit 4f7f29d

committed
Use the cluster wildcard certificate in ingress canary
1 parent 871b2b2 commit 4f7f29d


5 files changed

+54
-8
lines changed


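--- a/pkg/manifests/assets/canary/daemonset.yaml
+++ b/pkg/manifests/assets/canary/daemonset.yaml
@@ -49,7 +49,7 @@ spec:
       volumes:
       - name: cert
         secret:
-          secretName: canary-serving-cert
+          # secret name is set at runtime
           defaultMode: 0420
   updateStrategy:
     type: RollingUpdate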

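--- a/pkg/manifests/assets/canary/service.yaml
+++ b/pkg/manifests/assets/canary/service.yaml
@@ -2,10 +2,8 @@
 # Specific values are applied at runtime
 kind: Service
 apiVersion: v1
-metadata:
+metadata: {}
 # name and namespace are set at runtime.
-  annotations:
-    service.beta.openshift.io/serving-cert-secret-name: canary-serving-cert
 spec:
   type: ClusterIP
   ports: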

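--- a/pkg/operator/controller/canary/daemonset.go
+++ b/pkg/operator/controller/canary/daemonset.go
@@ -7,17 +7,23 @@ import (
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
 
+	operatorv1 "github.com/openshift/api/operator/v1"
 	"github.com/openshift/cluster-ingress-operator/pkg/manifests"
 	"github.com/openshift/cluster-ingress-operator/pkg/operator/controller"
 
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/types"
 )
 
 // ensureCanaryDaemonSet ensures the canary daemonset exists
 func (r *reconciler) ensureCanaryDaemonSet() (bool, *appsv1.DaemonSet, error) {
-	desired := desiredCanaryDaemonSet(r.config.CanaryImage)
+	secretName, err := r.canarySecretName(controller.CanaryDaemonSetName().Namespace)
+	if err != nil {
+		return false, nil, err
+	}
+	desired := desiredCanaryDaemonSet(r.config.CanaryImage, secretName.Name)
 	haveDs, current, err := r.currentCanaryDaemonSet()
 	if err != nil {
 		return false, nil, err
@@ -80,7 +86,7 @@ func (r *reconciler) updateCanaryDaemonSet(current, desired *appsv1.DaemonSet) (
 
 // desiredCanaryDaemonSet returns the desired canary daemonset read in
 // from manifests
-func desiredCanaryDaemonSet(canaryImage string) *appsv1.DaemonSet {
+func desiredCanaryDaemonSet(canaryImage, secretName string) *appsv1.DaemonSet {
 	daemonset := manifests.CanaryDaemonSet()
 	name := controller.CanaryDaemonSetName()
 	daemonset.Name = name.Name
@@ -97,6 +103,8 @@ func desiredCanaryDaemonSet(canaryImage string) *appsv1.DaemonSet {
 	daemonset.Spec.Template.Spec.Containers[0].Image = canaryImage
 	daemonset.Spec.Template.Spec.Containers[0].Command = []string{"ingress-operator", CanaryHealthcheckCommand}
 
+	daemonset.Spec.Template.Spec.Volumes[0].Secret.SecretName = secretName
+
 	return daemonset
 }
 
@@ -196,3 +204,15 @@ func cmpTolerations(a, b corev1.Toleration) bool {
 	}
 	return true
 }
+
+func (r *reconciler) canarySecretName(Namespace string) (types.NamespacedName, error) {
+	defaultIC := operatorv1.IngressController{}
+	defaultICName := types.NamespacedName{
+		Name:      manifests.DefaultIngressControllerName,
+		Namespace: r.config.Namespace,
+	}
+	if err := r.client.Get(context.TODO(), defaultICName, &defaultIC); err != nil {
+		return types.NamespacedName{}, err
+	}
+	return controller.RouterEffectiveDefaultCertificateSecretName(&defaultIC, Namespace), nil
+}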
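Review bot: The new method `canarySecretName` takes a capitalized parameter `Namespace`, which reads like an exported identifier and is against Go naming; rename it `namespace` and give the method a doc comment such as `// canarySecretName returns the name of the secret the canary daemonset mounts: the default ingresscontroller's effective default certificate secret, resolved in the given namespace.` It also reaches for `context.TODO()` inside a reconciler method; if the reconcile context is reachable from `ensureCanaryDaemonSet`, plumbing it through would let the Get be cancelled with the reconcile. Separately, `RouterEffectiveDefaultCertificateSecretName` presumably returns the user-supplied secret name when the default ingresscontroller has `spec.defaultCertificate` set; it is worth confirming that the certificate controller also makes that secret available in the canary namespace, otherwise the daemonset's `cert` volume would reference a secret that does not exist there and the pods would fail to mount it.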

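--- a/pkg/operator/controller/certificate/controller.go
+++ b/pkg/operator/controller/certificate/controller.go
@@ -10,6 +10,7 @@ import (
 	"time"
 
 	logf "github.com/openshift/cluster-ingress-operator/pkg/log"
+	"github.com/openshift/cluster-ingress-operator/pkg/manifests"
 	"github.com/openshift/cluster-ingress-operator/pkg/operator/controller"
 	ingresscontroller "github.com/openshift/cluster-ingress-operator/pkg/operator/controller/ingress"
 
@@ -105,6 +106,33 @@ func (r *reconciler) Reconcile(ctx context.Context, request reconcile.Request) (
 			if _, err := r.ensureDefaultCertificateForIngress(ca, deployment.Namespace, deploymentRef, ingress); err != nil {
 				errs = append(errs, fmt.Errorf("failed to ensure default cert for %s: %v", ingress.Name, err))
 			}
+			if ingress.Name == manifests.DefaultIngressControllerName {
+				log.Info("ensuring canary certificate")
+				daemonset := &appsv1.DaemonSet{}
+				err = r.client.Get(ctx, controller.CanaryDaemonSetName(), daemonset)
+				if err != nil {
+					if errors.IsNotFound(err) {
+						// All ingresses should have a deployment, so this one may not have been
+						// created yet. Retry after a reasonable amount of time.
+						log.Info("canary daemonset not found; will retry default cert sync")
+						result.RequeueAfter = 5 * time.Second
+					} else {
+						errs = append(errs, fmt.Errorf("failed to get daemonset: %v", err))
+					}
+				} else {
+					trueVar := true
+					canaryRef := metav1.OwnerReference{
+						APIVersion: "apps/v1",
+						Kind:       "Daemonset",
+						Name:       daemonset.Name,
+						UID:        daemonset.UID,
+						Controller: &trueVar,
+					}
+					if _, err := r.ensureDefaultCertificateForIngress(ca, "openshift-ingress-canary", canaryRef, ingress); err != nil {
+						errs = append(errs, fmt.Errorf("failed to ensure canary cert for %s: %v", ingress.Name, err))
+					}
+				}
+			}
 		}
 	}
 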
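Review bot: The owner reference built for the canary certificate uses `Kind: "Daemonset"`, but the API kind is `DaemonSet`; a kind that does not match the owning object can confuse garbage collection of the dependent secret, so the line should read `Kind:       "DaemonSet",`. The target namespace is hard-coded as `"openshift-ingress-canary"` on the `ensureDefaultCertificateForIngress` call, while the daemonset side resolves it from `controller.CanaryDaemonSetName().Namespace`; since the daemonset was just fetched, `if _, err := r.ensureDefaultCertificateForIngress(ca, daemonset.Namespace, canaryRef, ingress); err != nil {` keeps the two in agreement. The comment above the not-found branch talks about a deployment, but the object looked up here is the canary daemonset, so it should say that instead. This also places a copy of the default wildcard certificate secret in a second namespace; a short comment noting that the canary namespace now holds that secret, and that access to it should be as restricted as in the router namespace, would help future readers.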

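--- a/pkg/operator/controller/certificate/default_cert.go
+++ b/pkg/operator/controller/certificate/default_cert.go
@@ -48,14 +48,14 @@ func (r *reconciler) ensureDefaultCertificateForIngress(caSecret *corev1.Secret,
 		if deleted, err := r.deleteRouterDefaultCertificate(current); err != nil {
 			return true, fmt.Errorf("failed to delete default certificate: %v", err)
 		} else if deleted {
-			r.recorder.Eventf(ci, "Normal", "DeletedDefaultCertificate", "Deleted default wildcard certificate %q", current.Name)
+			r.recorder.Eventf(ci, "Normal", "DeletedDefaultCertificate", "Deleted default wildcard certificate %q in namespace %q", current.Name, current.Namespace)
 			return false, nil
 		}
 	case wantCert && !haveCert:
 		if created, err := r.createRouterDefaultCertificate(desired); err != nil {
 			return false, fmt.Errorf("failed to create default certificate: %v", err)
 		} else if created {
-			r.recorder.Eventf(ci, "Normal", "CreatedDefaultCertificate", "Created default wildcard certificate %q", desired.Name)
+			r.recorder.Eventf(ci, "Normal", "CreatedDefaultCertificate", "Created default wildcard certificate %q in namespace %q", desired.Name, desired.Namespace)
 			return true, nil
 		}
 	case wantCert && haveCert: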
