Merge pull request #19 from PillaiManish/eso-48

ESO-48: Implement the functionality to ensure Certificate, Secret resources stay in desired state

Author: openshift-merge-bot[bot]

api/v1alpha1/external_secrets_types.go

@@ -143,6 +143,13 @@ type BitwardenSecretManagerProvider struct {
 	// +kubebuilder:validation:Enum:="true";"false"
 	// +kubebuilder:validation:Optional
 	Enabled string `json:"enabled,omitempty"`
+
+	// SecretRef is the kubernetes secret containing the TLS key pair to be used for the bitwarden server.
+	// The issuer in CertManagerConfig will be utilized to generate the required certificate if the secret
+	// reference is not provided and CertManagerConfig is configured. The key names in secret for certificate
+	// must be `tls.crt`, for private key must be `tls.key` and for CA certificate key name must be `ca.crt`.
+	// +kubebuilder:validation:Optional
+	SecretRef SecretReference `json:"secretRef,omitempty"`
 }
 
 // WebhookConfig is for configuring external-secrets webhook specifics.

api/v1alpha1/meta.go

@@ -24,3 +24,10 @@ type ObjectReference struct {
 	// +optional
 	Group string `json:"group,omitempty"`
 }
+
+// SecretReference is a reference to the secret with the given name, which should exist
+// in the same namespace where it will be utilized.
+type SecretReference struct {
+	// Name of the secret resource being referred to.
+	Name string `json:"name"`
+}

api/v1alpha1/zz_generated.deepcopy.go

@@ -0,0 +1,28 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: bitwarden-tls-certs
+  namespace: external-secrets
+  labels:
+    app.kubernetes.io/name: bitwarden-tls-certs
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/version: "v0.14.0"
+    app.kubernetes.io/managed-by: external-secrets-operator
+spec:
+  secretName: bitwarden-tls-certs
+  dnsNames:
+    - bitwarden-sdk-server.external-secrets.svc.cluster.local
+    - external-secrets-bitwarden-sdk-server.external-secrets.svc.cluster.local
+    - localhost
+  ipAddresses:
+    - 127.0.0.1
+    - ::1
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS8
+    size: 2048
+  issuerRef:
+    group: cert-manager.io
+    kind: Issuer
+    name: my-issuer
+  duration: "8760h"

bindata/external-secrets/certificate_bitwarden-tls-certs.yml

@@ -1018,6 +1018,20 @@ spec:
                         - "true"
                         - "false"
                         type: string
+                      secretRef:
+                        description: |-
+                          SecretRef is the kubernetes secret containing the TLS key pair to be used for the bitwarden server.
+                          The issuer in CertManagerConfig will be utilized to generate the required certificate if the secret
+                          reference is not provided and CertManagerConfig is configured. The key names in secret for certificate
+                          must be `tls.crt`, for private key must be `tls.key` and for CA certificate key name must be `ca.crt`.
+                        properties:
+                          name:
+                            description: Name of the secret resource being referred
+                              to.
+                            type: string
+                        required:
+                        - name
+                        type: object
                     type: object
                   logLevel:
                     default: 1

config/crd/bases/operator.openshift.io_externalsecrets.yaml

@@ -0,0 +1,192 @@
+package controller
+
+import (
+	"fmt"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"strings"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+
+	certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
+	v1 "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
+
+	operatorv1alpha1 "github.com/openshift/external-secrets-operator/api/v1alpha1"
+	"github.com/openshift/external-secrets-operator/pkg/operator/assets"
+)
+
+var (
+	serviceExternalSecretWebhookName string = "external-secrets-webhook"
+)
+
+func (r *ExternalSecretsReconciler) createOrApplyCertificates(es *operatorv1alpha1.ExternalSecrets, resourceLabels map[string]string, recon bool) error {
+	if isCertManagerConfigEnabled(es) {
+		if err := r.createOrApplyCertificate(es, resourceLabels, webhookCertificateAssetName, recon); err != nil {
+			return err
+		}
+	}
+
+	if isBitwardenConfigEnabled(es) {
+		bitwardenConfig := es.Spec.ExternalSecretsConfig.BitwardenSecretManagerProvider
+		if bitwardenConfig.SecretRef.Name != "" {
+			return r.assertSecretRefExists(es, es.Spec.ExternalSecretsConfig.BitwardenSecretManagerProvider)
+		}
+		if err := r.createOrApplyCertificate(es, resourceLabels, bitwardenCertificateAssetName, recon); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (r *ExternalSecretsReconciler) createOrApplyCertificate(es *operatorv1alpha1.ExternalSecrets, resourceLabels map[string]string, fileName string, recon bool) error {
+	desired, err := r.getCertificateObject(es, resourceLabels, fileName)
+	if err != nil {
+		return err
+	}
+
+	certificateName := fmt.Sprintf("%s/%s", desired.GetNamespace(), desired.GetName())
+	r.log.V(4).Info("reconciling certificate resource", "name", certificateName)
+	fetched := &certmanagerv1.Certificate{}
+	key := types.NamespacedName{
+		Name:      desired.GetName(),
+		Namespace: desired.GetNamespace(),
+	}
+	exist, err := r.Exists(r.ctx, key, fetched)
+	if err != nil {
+		return FromClientError(err, "failed to check %s certificate resource already exists", certificateName)
+	}
+
+	if exist && recon {
+		r.eventRecorder.Eventf(es, corev1.EventTypeWarning, "ResourceAlreadyExists", "%s certificate resource already exists, maybe from previous installation", certificateName)
+	}
+	if exist && hasObjectChanged(desired, fetched) {
+		r.log.V(1).Info("certificate has been modified, updating to desired state", "name", certificateName)
+		if err := r.UpdateWithRetry(r.ctx, desired); err != nil {
+			return FromClientError(err, "failed to update %s certificate resource", certificateName)
+		}
+		r.eventRecorder.Eventf(es, corev1.EventTypeNormal, "Reconciled", "certificate resource %s reconciled back to desired state", certificateName)
+	} else {
+		r.log.V(4).Info("certificate resource already exists and is in expected state", "name", certificateName)
+	}
+	if !exist {
+		if err := r.Create(r.ctx, desired); err != nil {
+			return FromClientError(err, "failed to create %s certificate resource", certificateName)
+		}
+		r.eventRecorder.Eventf(es, corev1.EventTypeNormal, "Reconciled", "certificate resource %s created", certificateName)
+	}
+
+	return nil
+}
+
+func (r *ExternalSecretsReconciler) getCertificateObject(es *operatorv1alpha1.ExternalSecrets, resourceLabels map[string]string, fileName string) (*certmanagerv1.Certificate, error) {
+	certificate := decodeCertificateObjBytes(assets.MustAsset(fileName))
+
+	updateNamespace(certificate, es)
+	updateResourceLabels(certificate, resourceLabels)
+
+	if err := r.updateCertificateParams(es, certificate); err != nil {
+		return nil, NewIrrecoverableError(err, "failed to update certificate resource for %s/%s deployment", getNamespace(es), es.GetName())
+	}
+
+	return certificate, nil
+}
+
+func (r *ExternalSecretsReconciler) updateCertificateParams(es *operatorv1alpha1.ExternalSecrets, certificate *certmanagerv1.Certificate) error {
+	certManageConfig := es.Spec.ExternalSecretsConfig.WebhookConfig.CertManagerConfig
+	externalSecretsNamespace := getNamespace(es)
+
+	if certManageConfig.IssuerRef.Name == "" {
+		return fmt.Errorf("issuerRef.Name not present")
+	}
+
+	certificate.Spec.IssuerRef = v1.ObjectReference{
+		Name:  certManageConfig.IssuerRef.Name,
+		Kind:  certManageConfig.IssuerRef.Kind,
+		Group: certManageConfig.IssuerRef.Group,
+	}
+
+	// Since Kind and Group configs are optional. certmanagerv1.IssuerKind will
+	// be used as default for Kind and certmanagerapi.GroupName as default for
+	// Group.
+	if certificate.Spec.IssuerRef.Kind == "" {
+		certificate.Spec.IssuerRef.Kind = issuerKind
+	}
+	if certificate.Spec.IssuerRef.Group == "" {
+		certificate.Spec.IssuerRef.Group = issuerGroup
+	}
+
+	if err := r.assertIssuerRefExists(certificate.Spec.IssuerRef, externalSecretsNamespace); err != nil {
+		return err
+	}
+
+	certificate.Spec.DNSNames = updateNamespaceForFQDN(certificate.Spec.DNSNames, externalSecretsNamespace)
+
+	if certManageConfig.CertificateRenewBefore != nil {
+		certificate.Spec.RenewBefore = certManageConfig.CertificateRenewBefore
+	}
+
+	if certManageConfig.CertificateDuration != nil {
+		certificate.Spec.Duration = certManageConfig.CertificateDuration
+	}
+
+	return nil
+}
+
+func (r *ExternalSecretsReconciler) assertIssuerRefExists(issueRef v1.ObjectReference, namespace string) error {
+	ifExists, err := r.getIssuer(issueRef, namespace)
+	if err != nil || !ifExists {
+		return FromClientError(err, "failed to fetch issuer")
+	}
+	return nil
+}
+
+func (r *ExternalSecretsReconciler) assertSecretRefExists(es *operatorv1alpha1.ExternalSecrets, bitwardenConfig *operatorv1alpha1.BitwardenSecretManagerProvider) error {
+	namespacedName := types.NamespacedName{
+		Name:      bitwardenConfig.SecretRef.Name,
+		Namespace: getNamespace(es),
+	}
+	object := &corev1.Secret{}
+
+	if err := r.Get(r.ctx, namespacedName, object); err != nil {
+		return fmt.Errorf("failed to fetch %q secret: %w", namespacedName, err)
+	}
+
+	return nil
+}
+
+func (r *ExternalSecretsReconciler) getIssuer(issuerRef v1.ObjectReference, namespace string) (bool, error) {
+	namespacedName := types.NamespacedName{
+		Name:      issuerRef.Name,
+		Namespace: namespace,
+	}
+
+	var object client.Object
+	switch strings.ToLower(issuerRef.Kind) {
+	case clusterIssuerKind:
+		object = &certmanagerv1.ClusterIssuer{}
+	case issuerKind:
+		object = &certmanagerv1.Issuer{}
+	}
+
+	if ifExists, err := r.Exists(r.ctx, namespacedName, object); err != nil {
+		return ifExists, fmt.Errorf("failed to fetch %q issuer: %w", namespacedName, err)
+	} else {
+		return ifExists, nil
+	}
+}
+
+func updateNamespaceForFQDN(fqdns []string, namespace string) []string {
+	updated := make([]string, 0, len(fqdns))
+	for _, fqdn := range fqdns {
+		parts := strings.Split(fqdn, ".")
+		// DNSNames for kubernetes service will be of the form
+		// <service-name>.<service-namespace>.svc.<cluster-domain>
+		if len(parts) >= 2 {
+			parts[1] = namespace
+			updated = append(updated, strings.Join(parts, "."))
+		} else {
+			updated = append(updated, fqdn)
+		}
+	}
+	return updated
+}