[TLS] Fix issuer labels when switch to custom issuer

stuggi · stuggi · commit 2cd527e25246 · 2024-05-23T07:48:57.000+02:00
Right now when first deploy with default TLS settings and later
switch to a custom issuer, we'll end up with two issuers to have
the CA identifier label. As a result the dataplane operator is
waiting as there are more then one issuer identified.

This changes to remove the identifier label on all issuers,
except the one configured for the current issuer. This allows to
switch
* from default issuer to customer
* from custom issuer back to default
* and from custom issuer to a different custom issuer

Jira: OSPRH-6746
diff --git a/apis/core/v1beta1/openstackcontrolplane_types.go b/apis/core/v1beta1/openstackcontrolplane_types.go
@@ -54,6 +54,10 @@ const (
 	// RabbitMqContainerImage is the fall-back container image for RabbitMQ
 	RabbitMqContainerImage = "quay.io/podified-antelope-centos9/openstack-rabbitmq:current-podified"
 
+	// IngressCaName -
+	IngressCaName = tls.DefaultCAPrefix + string(service.EndpointPublic)
+	// InternalCaName -
+	InternalCaName = tls.DefaultCAPrefix + string(service.EndpointInternal)
 	// OvnDbCaName -
 	OvnDbCaName = tls.DefaultCAPrefix + "ovn"
 	// LibvirtCaName -
diff --git a/pkg/openstack/ca.go b/pkg/openstack/ca.go
@@ -17,7 +17,6 @@ import (
 	"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/secret"
-	"github.com/openstack-k8s-operators/lib-common/modules/common/service"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/util"
 	"golang.org/x/exp/slices"
@@ -100,12 +99,24 @@ func ReconcileCAs(ctx context.Context, instance *corev1.OpenStackControlPlane, h
 	issuerLabels := map[string]string{certmanager.RootCAIssuerPublicLabel: ""}
 	issuerAnnotations := getIssuerAnnotations(&instance.Spec.TLS.Ingress.Cert)
 	if !instance.Spec.TLS.Ingress.Ca.IsCustomIssuer() {
+		// remove issuerLabels from any custom issuer in the namespace.
+		err := removeIssuerLabel(
+			ctx,
+			helper,
+			corev1.IngressCaName,
+			instance.Namespace,
+			issuerLabels,
+		)
+		if err != nil {
+			return ctrl.Result{}, err
+		}
+
 		ctrlResult, err = ensureRootCA(
 			ctx,
 			instance,
 			helper,
 			issuerReq,
-			tls.DefaultCAPrefix+string(service.EndpointPublic),
+			corev1.IngressCaName,
 			issuerLabels,
 			issuerAnnotations,
 			bundle,
@@ -166,12 +177,24 @@ func ReconcileCAs(ctx context.Context, instance *corev1.OpenStackControlPlane, h
 	issuerLabels = map[string]string{certmanager.RootCAIssuerInternalLabel: ""}
 	issuerAnnotations = getIssuerAnnotations(&instance.Spec.TLS.PodLevel.Internal.Cert)
 	if !instance.Spec.TLS.PodLevel.Internal.Ca.IsCustomIssuer() {
+		// remove issuerLabels from any custom issuer in the namespace.
+		err := removeIssuerLabel(
+			ctx,
+			helper,
+			corev1.InternalCaName,
+			instance.Namespace,
+			issuerLabels,
+		)
+		if err != nil {
+			return ctrl.Result{}, err
+		}
+
 		ctrlResult, err = ensureRootCA(
 			ctx,
 			instance,
 			helper,
 			issuerReq,
-			tls.DefaultCAPrefix+string(service.EndpointInternal),
+			corev1.InternalCaName,
 			issuerLabels,
 			issuerAnnotations,
 			bundle,
@@ -232,6 +255,18 @@ func ReconcileCAs(ctx context.Context, instance *corev1.OpenStackControlPlane, h
 	issuerLabels = map[string]string{certmanager.RootCAIssuerLibvirtLabel: ""}
 	issuerAnnotations = getIssuerAnnotations(&instance.Spec.TLS.PodLevel.Libvirt.Cert)
 	if !instance.Spec.TLS.PodLevel.Libvirt.Ca.IsCustomIssuer() {
+		// remove issuerLabels from any custom issuer in the namespace.
+		err := removeIssuerLabel(
+			ctx,
+			helper,
+			corev1.LibvirtCaName,
+			instance.Namespace,
+			issuerLabels,
+		)
+		if err != nil {
+			return ctrl.Result{}, err
+		}
+
 		ctrlResult, err = ensureRootCA(
 			ctx,
 			instance,
@@ -297,6 +332,18 @@ func ReconcileCAs(ctx context.Context, instance *corev1.OpenStackControlPlane, h
 	issuerLabels = map[string]string{certmanager.RootCAIssuerOvnDBLabel: ""}
 	issuerAnnotations = getIssuerAnnotations(&instance.Spec.TLS.PodLevel.Ovn.Cert)
 	if !instance.Spec.TLS.PodLevel.Ovn.Ca.IsCustomIssuer() {
+		// remove issuerLabels from any custom issuer in the namespace.
+		err := removeIssuerLabel(
+			ctx,
+			helper,
+			corev1.OvnDbCaName,
+			instance.Namespace,
+			issuerLabels,
+		)
+		if err != nil {
+			return ctrl.Result{}, err
+		}
+
 		ctrlResult, err = ensureRootCA(
 			ctx,
 			instance,
@@ -765,8 +812,21 @@ func addIssuerLabelAnnotation(
 	labels map[string]string,
 	annotations map[string]string,
 ) (string, error) {
+	// remove issuer labels from all issuers in the namespace,
+	// except the one passed to the func.
+	err := removeIssuerLabel(
+		ctx,
+		helper,
+		name,
+		namespace,
+		labels,
+	)
+	if err != nil {
+		return "", err
+	}
+
 	var caCertSecretName string
-	// get  issuer
+	// get issuer
 	issuer, err := certmanager.GetIssuerByName(
 		ctx,
 		helper,
@@ -785,31 +845,83 @@ func addIssuerLabelAnnotation(
 	// merge annotations
 	issuer.Annotations = util.MergeMaps(issuer.Annotations, annotations)
 
+	err = patchIssuer(ctx, helper, beforeIssuer, issuer)
+	if err != nil {
+		return caCertSecretName, err
+	}
+
+	return caCertSecretName, nil
+}
+
+// remove issuer labels from all issuers in the namespace,
+// except the one passed to the func.
+func removeIssuerLabel(
+	ctx context.Context,
+	helper *helper.Helper,
+	name string,
+	namespace string,
+	labels map[string]string,
+) error {
+	if len(labels) > 0 {
+		issuerList := &certmgrv1.IssuerList{}
+		listOpts := []client.ListOption{
+			client.InNamespace(namespace),
+			client.MatchingLabels(labels),
+		}
+
+		err := helper.GetClient().List(ctx, issuerList, listOpts...)
+		if err != nil {
+			return fmt.Errorf("error getting issuer by label: %w", err)
+		}
+
+		for _, issuer := range issuerList.Items {
+			if issuer.Name != name {
+				beforeIssuer := issuer.DeepCopyObject().(client.Object)
+				for k := range labels {
+					delete(issuer.Labels, k)
+				}
+
+				err = patchIssuer(ctx, helper, beforeIssuer, &issuer)
+				if err != nil {
+					return err
+				}
+			}
+		}
+	}
+
+	return nil
+}
+
+func patchIssuer(
+	ctx context.Context,
+	helper *helper.Helper,
+	beforeIssuer client.Object,
+	issuer *certmgrv1.Issuer,
+) error {
 	// patch issuer
 	patch := client.MergeFrom(beforeIssuer)
 	diff, err := patch.Data(issuer)
 	if err != nil {
-		return caCertSecretName, err
+		return err
 	}
-
 	// Unmarshal patch data into a local map for logging
 	patchDiff := map[string]interface{}{}
 	if err := json.Unmarshal(diff, &patchDiff); err != nil {
-		return caCertSecretName, err
+		return err
 	}
 
 	if _, ok := patchDiff["metadata"]; ok {
 		err = helper.GetClient().Patch(ctx, issuer, patch)
 		if k8s_errors.IsConflict(err) {
-			return caCertSecretName, fmt.Errorf("error metadata update conflict: %w", err)
+			return fmt.Errorf("error metadata update conflict: %w", err)
 		} else if err != nil && !k8s_errors.IsNotFound(err) {
-			return caCertSecretName, fmt.Errorf("error metadata update failed: %w", err)
+			return fmt.Errorf("error metadata update failed: %w", err)
 		}
 
-		helper.GetLogger().Info(fmt.Sprintf("Issuer %s labels patched - diff %+v", name, patchDiff["metadata"]))
+		helper.GetLogger().Info(fmt.Sprintf("Issuer %s labels patched - diff %+v", issuer.Name, patchDiff["metadata"]))
 	}
 
-	return caCertSecretName, nil
+	return nil
 }
 
 func getIssuerAnnotations(certConfig *corev1.CertConfig) map[string]string {
diff --git a/tests/functional/openstackoperator_controller_test.go b/tests/functional/openstackoperator_controller_test.go
@@ -25,7 +25,6 @@ import (
 	. "github.com/onsi/gomega"    //revive:disable:dot-imports
 
 	//revive:disable-next-line:dot-imports
-	"github.com/openstack-k8s-operators/lib-common/modules/certmanager"
 	. "github.com/openstack-k8s-operators/lib-common/modules/common/test/helpers"
 
 	k8s_corev1 "k8s.io/api/core/v1"
@@ -37,6 +36,7 @@ import (
 
 	routev1 "github.com/openshift/api/route/v1"
 	cinderv1 "github.com/openstack-k8s-operators/cinder-operator/api/v1beta1"
+	"github.com/openstack-k8s-operators/lib-common/modules/certmanager"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/service"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
@@ -765,7 +765,7 @@ var _ = Describe("OpenStackOperator controller", func() {
 			Expect(OSCtlplane.Spec.Neutron.APIOverride.Route.Annotations).Should(HaveKeyWithValue("haproxy.router.openshift.io/timeout", "120s"))
 		})
 
-		It("should create selfsigned issuer and public+internal CA and issuer", func() {
+		It("should create selfsigned issuer and public, internal, libvirt and ovn CA and issuer", func() {
 			OSCtlplane := GetOpenStackControlPlane(names.OpenStackControlplaneName)
 
 			Expect(OSCtlplane.Spec.TLS.Ingress.Enabled).Should(BeTrue())
@@ -789,6 +789,7 @@ var _ = Describe("OpenStackOperator controller", func() {
 				issuer := crtmgr.GetIssuer(names.RootCAPublicName)
 				g.Expect(issuer).Should(Not(BeNil()))
 				g.Expect(issuer.Spec.CA.SecretName).Should(Equal(names.RootCAPublicName.Name))
+				g.Expect(issuer.Labels).Should(HaveKey(certmanager.RootCAIssuerPublicLabel))
 			}, timeout, interval).Should(Succeed())
 			Eventually(func(g Gomega) {
 				// ca cert
@@ -802,6 +803,7 @@ var _ = Describe("OpenStackOperator controller", func() {
 				issuer := crtmgr.GetIssuer(names.RootCAInternalName)
 				g.Expect(issuer).Should(Not(BeNil()))
 				g.Expect(issuer.Spec.CA.SecretName).Should(Equal(names.RootCAInternalName.Name))
+				g.Expect(issuer.Labels).Should(HaveKey(certmanager.RootCAIssuerInternalLabel))
 			}, timeout, interval).Should(Succeed())
 			Eventually(func(g Gomega) {
 				// ca cert
@@ -815,6 +817,7 @@ var _ = Describe("OpenStackOperator controller", func() {
 				issuer := crtmgr.GetIssuer(names.RootCAOvnName)
 				g.Expect(issuer).Should(Not(BeNil()))
 				g.Expect(issuer.Spec.CA.SecretName).Should(Equal(names.RootCAOvnName.Name))
+				g.Expect(issuer.Labels).Should(HaveKey(certmanager.RootCAIssuerOvnDBLabel))
 			}, timeout, interval).Should(Succeed())
 			Eventually(func(g Gomega) {
 				// ca cert
@@ -828,6 +831,7 @@ var _ = Describe("OpenStackOperator controller", func() {
 				issuer := crtmgr.GetIssuer(names.RootCALibvirtName)
 				g.Expect(issuer).Should(Not(BeNil()))
 				g.Expect(issuer.Spec.CA.SecretName).Should(Equal(names.RootCALibvirtName.Name))
+				g.Expect(issuer.Labels).Should(HaveKey(certmanager.RootCAIssuerLibvirtLabel))
 			}, timeout, interval).Should(Succeed())
 
 			th.ExpectCondition(
@@ -926,6 +930,64 @@ var _ = Describe("OpenStackOperator controller", func() {
 				)
 			}, timeout, interval).Should(Succeed())
 		})
+
+		When("The TLSe OpenStackControlplane instance switches to use a custom public issuer", func() {
+			BeforeEach(func() {
+				// create custom issuer
+				DeferCleanup(k8sClient.Delete, ctx, crtmgr.CreateIssuer(names.CustomIssuerName))
+				DeferCleanup(k8sClient.Delete, ctx, CreateCertSecret(names.CustomIssuerName))
+
+				// update ctlplane to use the custom isssuer
+				Eventually(func(g Gomega) {
+					OSCtlplane := GetOpenStackControlPlane(names.OpenStackControlplaneName)
+					OSCtlplane.Spec.TLS.Ingress.Ca.CustomIssuer = ptr.To(names.CustomIssuerName.Name)
+					g.Expect(k8sClient.Update(ctx, OSCtlplane)).Should(Succeed())
+				}, timeout, interval).Should(Succeed())
+			})
+
+			It("should remove the certmanager.RootCAIssuerPublicLabel label from the defaultIssuer", func() {
+				Eventually(func(g Gomega) {
+					issuer := crtmgr.GetIssuer(names.RootCAPublicName)
+					g.Expect(issuer).Should(Not(BeNil()))
+					g.Expect(issuer.Labels).Should(Not(HaveKey(certmanager.RootCAIssuerPublicLabel)))
+				}, timeout, interval).Should(Succeed())
+			})
+
+			It("should add the certmanager.RootCAIssuerPublicLabel label to the customIssuer", func() {
+				Eventually(func(g Gomega) {
+					issuer := crtmgr.GetIssuer(names.CustomIssuerName)
+					g.Expect(issuer).Should(Not(BeNil()))
+					g.Expect(issuer.Labels).Should(HaveKey(certmanager.RootCAIssuerPublicLabel))
+				}, timeout, interval).Should(Succeed())
+			})
+
+			When("The TLSe OpenStackControlplane instance switches again back to default public issuer", func() {
+				BeforeEach(func() {
+					// update ctlplane to NOT use the custom isssuer
+					Eventually(func(g Gomega) {
+						OSCtlplane := GetOpenStackControlPlane(names.OpenStackControlplaneName)
+						OSCtlplane.Spec.TLS.Ingress.Ca.CustomIssuer = nil
+						g.Expect(k8sClient.Update(ctx, OSCtlplane)).Should(Succeed())
+					}, timeout, interval).Should(Succeed())
+				})
+
+				It("should remove the certmanager.RootCAIssuerPublicLabel label from the defaultIssuer", func() {
+					Eventually(func(g Gomega) {
+						issuer := crtmgr.GetIssuer(names.RootCAPublicName)
+						g.Expect(issuer).Should(Not(BeNil()))
+						g.Expect(issuer.Labels).Should(HaveKey(certmanager.RootCAIssuerPublicLabel))
+					}, timeout, interval).Should(Succeed())
+				})
+
+				It("should add the certmanager.RootCAIssuerPublicLabel label to the customIssuer", func() {
+					Eventually(func(g Gomega) {
+						issuer := crtmgr.GetIssuer(names.CustomIssuerName)
+						g.Expect(issuer).Should(Not(BeNil()))
+						g.Expect(issuer.Labels).Should(Not(HaveKey(certmanager.RootCAIssuerPublicLabel)))
+					}, timeout, interval).Should(Succeed())
+				})
+			})
+		})
 	})
 
 	When("A TLSe OpenStackControlplane instance with custom public issuer is created", func() {
