Skip to content

Commit e8b1fde

Browse files
piyush-tiwarigalovics
piyush-tiwari
and
galovics
committed
honor secret updates, modify cert names for tls secret to be secret-uid unique
- change certificate name created to oci-nic-<secret-uid> - add watching for secret add/update - add etag to cabundle and cert cache, start using cabundle cache - create certificates and cabundles with hashes for secret type TLS - start updating certs for secret type artifacts - start updating ca bundles for secret type artifacts - prune certificates when updating for secret type artifacts Co-authored-by: Arnold Gálovics <[email protected]> Co-authored-by: Piyush Tiwari <[email protected]>
1 parent 0b5f5f8 commit e8b1fde

File tree

16 files changed

+1604
-338
lines changed

16 files changed

+1604
-338
lines changed

main.go

Lines changed: 15 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,7 @@ package main
1111
import (
1212
"context"
1313
"flag"
14+
corev1 "k8s.io/api/core/v1"
1415
"net/http"
1516
"os"
1617
"os/signal"
@@ -144,7 +145,12 @@ func main() {
144145
}
145146
}()
146147

147-
informerFactory := informers.NewSharedInformerFactory(client, 1*time.Minute)
148+
informerFactory := informers.NewSharedInformerFactoryWithOptions(client, 1*time.Minute,
149+
informers.WithCustomResyncConfig(
150+
map[metav1.Object]time.Duration{
151+
&corev1.Secret{}: 0,
152+
},
153+
))
148154

149155
// listen for interrupts or the Linux SIGTERM signal and cancel
150156
// our context, which the leader election code will observe and
@@ -157,13 +163,13 @@ func main() {
157163
cancel()
158164
}()
159165

160-
ingressClassInformer, ingressInformer, serviceInformer, endpointInformer, podInformer, nodeInformer, serviceAccountInformer := setupInformers(informerFactory, ctx, classParamInformer)
166+
ingressClassInformer, ingressInformer, serviceInformer, secretInformer, endpointInformer, podInformer, nodeInformer, serviceAccountInformer := setupInformers(informerFactory, ctx, classParamInformer)
161167

162168
server.SetupWebhookServer(ingressInformer, serviceInformer, client, ctx)
163169
mux := http.NewServeMux()
164170
reg, err := server.SetupMetricsServer(opts.MetricsBackend, opts.MetricsPort, mux, ctx)
165171

166-
run := server.SetUpControllers(opts, ingressClassInformer, ingressInformer, client, serviceInformer, endpointInformer, podInformer, nodeInformer, serviceAccountInformer, c, reg)
172+
run := server.SetUpControllers(opts, ingressClassInformer, ingressInformer, client, serviceInformer, secretInformer, endpointInformer, podInformer, nodeInformer, serviceAccountInformer, c, reg)
167173

168174
metric.ServeMetrics(opts.MetricsPort, mux)
169175
// we use the Lease lock type since edits to Leases are less common
@@ -214,7 +220,7 @@ func main() {
214220
})
215221
}
216222

217-
func setupInformers(informerFactory informers.SharedInformerFactory, ctx context.Context, classParamInformer ctrcache.Informer) (networkinginformers.IngressClassInformer, networkinginformers.IngressInformer, v1.ServiceInformer, v1.EndpointsInformer, v1.PodInformer, v1.NodeInformer, v1.ServiceAccountInformer) {
223+
func setupInformers(informerFactory informers.SharedInformerFactory, ctx context.Context, classParamInformer ctrcache.Informer) (networkinginformers.IngressClassInformer, networkinginformers.IngressInformer, v1.ServiceInformer, v1.SecretInformer, v1.EndpointsInformer, v1.PodInformer, v1.NodeInformer, v1.ServiceAccountInformer) {
218224
ingressClassInformer := informerFactory.Networking().V1().IngressClasses()
219225
go ingressClassInformer.Informer().Run(ctx.Done())
220226

@@ -224,6 +230,9 @@ func setupInformers(informerFactory informers.SharedInformerFactory, ctx context
224230
serviceInformer := informerFactory.Core().V1().Services()
225231
go serviceInformer.Informer().Run(ctx.Done())
226232

233+
secretInformer := informerFactory.Core().V1().Secrets()
234+
go secretInformer.Informer().Run(ctx.Done())
235+
227236
endpointInformer := informerFactory.Core().V1().Endpoints()
228237
go endpointInformer.Informer().Run(ctx.Done())
229238

@@ -245,6 +254,7 @@ func setupInformers(informerFactory informers.SharedInformerFactory, ctx context
245254
ingressClassInformer.Informer().HasSynced,
246255
ingressInformer.Informer().HasSynced,
247256
serviceInformer.Informer().HasSynced,
257+
secretInformer.Informer().HasSynced,
248258
endpointInformer.Informer().HasSynced,
249259
podInformer.Informer().HasSynced,
250260
classParamInformer.HasSynced,
@@ -253,5 +263,5 @@ func setupInformers(informerFactory informers.SharedInformerFactory, ctx context
253263

254264
klog.Fatal("failed to sync informers")
255265
}
256-
return ingressClassInformer, ingressInformer, serviceInformer, endpointInformer, podInformer, nodeInformer, serviceAccountInformer
266+
return ingressClassInformer, ingressInformer, serviceInformer, secretInformer, endpointInformer, podInformer, nodeInformer, serviceAccountInformer
257267
}

pkg/certificate/certificate.go

Lines changed: 131 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,7 @@ package certificate
1111

1212
import (
1313
"context"
14+
"fmt"
1415
"net/http"
1516
"sync"
1617
"time"
@@ -22,6 +23,10 @@ import (
2223
"k8s.io/klog/v2"
2324
)
2425

26+
const (
27+
certificateServiceTimeout = 2 * time.Minute
28+
)
29+
2530
type CertificatesClient struct {
2631
ManagementClient CertificateManagementInterface
2732
CertificatesClient CertificateInterface
@@ -42,9 +47,9 @@ func New(managementClient CertificateManagementInterface,
4247
}
4348
}
4449

45-
func (certificatesClient *CertificatesClient) SetCertCache(cert *certificatesmanagement.Certificate) {
50+
func (certificatesClient *CertificatesClient) SetCertCache(cert *certificatesmanagement.Certificate, etag string) {
4651
certificatesClient.certMu.Lock()
47-
certificatesClient.CertCache[*cert.Id] = &CertCacheObj{Cert: cert, Age: time.Now()}
52+
certificatesClient.CertCache[*cert.Id] = &CertCacheObj{Cert: cert, Age: time.Now(), Etag: etag}
4853
certificatesClient.certMu.Unlock()
4954
}
5055

@@ -54,9 +59,9 @@ func (certificatesClient *CertificatesClient) GetFromCertCache(certId string) *C
5459
return certificatesClient.CertCache[certId]
5560
}
5661

57-
func (certificatesClient *CertificatesClient) SetCaBundleCache(caBundle *certificatesmanagement.CaBundle) {
62+
func (certificatesClient *CertificatesClient) SetCaBundleCache(caBundle *certificatesmanagement.CaBundle, etag string) {
5863
certificatesClient.caMu.Lock()
59-
certificatesClient.CaBundleCache[*caBundle.Id] = &CaBundleCacheObj{CaBundle: caBundle, Age: time.Now()}
64+
certificatesClient.CaBundleCache[*caBundle.Id] = &CaBundleCacheObj{CaBundle: caBundle, Age: time.Now(), Etag: etag}
6065
certificatesClient.caMu.Unlock()
6166
}
6267

@@ -67,37 +72,37 @@ func (certificatesClient *CertificatesClient) GetFromCaBundleCache(id string) *C
6772
}
6873

6974
func (certificatesClient *CertificatesClient) CreateCertificate(ctx context.Context,
70-
req certificatesmanagement.CreateCertificateRequest) (*certificatesmanagement.Certificate, error) {
75+
req certificatesmanagement.CreateCertificateRequest) (*certificatesmanagement.Certificate, string, error) {
7176
resp, err := certificatesClient.ManagementClient.CreateCertificate(ctx, req)
7277
if err != nil {
7378
klog.Errorf("Error creating certificate %s, %s ", *req.Name, err.Error())
74-
return nil, err
79+
return nil, "", err
7580
}
7681

77-
return &resp.Certificate, nil
82+
return certificatesClient.waitForActiveCertificate(ctx, *resp.Certificate.Id)
7883
}
7984

8085
func (certificatesClient *CertificatesClient) CreateCaBundle(ctx context.Context,
81-
req certificatesmanagement.CreateCaBundleRequest) (*certificatesmanagement.CaBundle, error) {
86+
req certificatesmanagement.CreateCaBundleRequest) (*certificatesmanagement.CaBundle, string, error) {
8287
resp, err := certificatesClient.ManagementClient.CreateCaBundle(ctx, req)
8388
if err != nil {
8489
klog.Errorf("Error creating ca bundle %s, %s ", *req.Name, err.Error())
85-
return nil, err
90+
return nil, "", err
8691
}
8792

88-
return &resp.CaBundle, nil
93+
return certificatesClient.waitForActiveCaBundle(ctx, *resp.CaBundle.Id)
8994
}
9095

9196
func (certificatesClient *CertificatesClient) GetCertificate(ctx context.Context,
92-
req certificatesmanagement.GetCertificateRequest) (*certificatesmanagement.Certificate, error) {
97+
req certificatesmanagement.GetCertificateRequest) (*certificatesmanagement.Certificate, string, error) {
9398
klog.Infof("Getting certificate for ocid %s ", *req.CertificateId)
9499
resp, err := certificatesClient.ManagementClient.GetCertificate(ctx, req)
95100
if err != nil {
96101
klog.Errorf("Error getting certificate %s, %s ", *req.CertificateId, err.Error())
97-
return nil, err
102+
return nil, "", err
98103
}
99104

100-
return &resp.Certificate, nil
105+
return &resp.Certificate, *resp.Etag, nil
101106
}
102107

103108
func (certificatesClient *CertificatesClient) ListCertificates(ctx context.Context,
@@ -112,6 +117,21 @@ func (certificatesClient *CertificatesClient) ListCertificates(ctx context.Conte
112117
return &resp.CertificateCollection, resp.OpcNextPage, nil
113118
}
114119

120+
func (certificatesClient *CertificatesClient) UpdateCertificate(ctx context.Context,
121+
req certificatesmanagement.UpdateCertificateRequest) (*certificatesmanagement.Certificate, string, error) {
122+
_, err := certificatesClient.ManagementClient.UpdateCertificate(ctx, req)
123+
if err != nil {
124+
if !util.IsServiceError(err, 409) {
125+
klog.Errorf("Error updating certificate %s: %s", *req.CertificateId, err)
126+
} else {
127+
klog.Errorf("Error updating certificate %s due to 409-Conflict", *req.CertificateId)
128+
}
129+
return nil, "", err
130+
}
131+
132+
return certificatesClient.waitForActiveCertificate(ctx, *req.CertificateId)
133+
}
134+
115135
func (certificatesClient *CertificatesClient) ScheduleCertificateDeletion(ctx context.Context,
116136
req certificatesmanagement.ScheduleCertificateDeletionRequest) error {
117137
_, err := certificatesClient.ManagementClient.ScheduleCertificateDeletion(ctx, req)
@@ -122,16 +142,68 @@ func (certificatesClient *CertificatesClient) ScheduleCertificateDeletion(ctx co
122142
return nil
123143
}
124144

145+
func (certificatesClient *CertificatesClient) ListCertificateVersions(ctx context.Context,
146+
req certificatesmanagement.ListCertificateVersionsRequest) (*certificatesmanagement.CertificateVersionCollection, *string, error) {
147+
resp, err := certificatesClient.ManagementClient.ListCertificateVersions(ctx, req)
148+
if err != nil {
149+
klog.Errorf("Error listing certificate versions for request %s, %s ", util.PrettyPrint(req), err.Error())
150+
return nil, nil, err
151+
}
152+
153+
return &resp.CertificateVersionCollection, resp.OpcNextPage, nil
154+
}
155+
156+
func (certificatesClient *CertificatesClient) ScheduleCertificateVersionDeletion(ctx context.Context,
157+
req certificatesmanagement.ScheduleCertificateVersionDeletionRequest) (*certificatesmanagement.Certificate, string, error) {
158+
klog.Infof("Scheduling version %d of Certificate %s for deletion", *req.CertificateVersionNumber, *req.CertificateId)
159+
_, err := certificatesClient.ManagementClient.ScheduleCertificateVersionDeletion(ctx, req)
160+
if err != nil {
161+
klog.Errorf("Error scheduling certificate version for deletion, certificateId %s, version %d, %s ",
162+
*req.CertificateId, *req.CertificateVersionNumber, err.Error())
163+
return nil, "", err
164+
}
165+
166+
return certificatesClient.waitForActiveCertificate(ctx, *req.CertificateId)
167+
}
168+
169+
func (certificatesClient *CertificatesClient) waitForActiveCertificate(ctx context.Context,
170+
certificateId string) (*certificatesmanagement.Certificate, string, error) {
171+
timeoutCtx, cancel := context.WithTimeout(ctx, certificateServiceTimeout)
172+
defer cancel()
173+
174+
for {
175+
resp, err := certificatesClient.ManagementClient.GetCertificate(timeoutCtx, certificatesmanagement.GetCertificateRequest{
176+
CertificateId: &certificateId,
177+
})
178+
if err != nil {
179+
return nil, "", err
180+
}
181+
182+
if resp.Certificate.LifecycleState == certificatesmanagement.CertificateLifecycleStateActive {
183+
return &resp.Certificate, *resp.Etag, nil
184+
}
185+
186+
if resp.Certificate.LifecycleState != certificatesmanagement.CertificateLifecycleStateUpdating &&
187+
resp.Certificate.LifecycleState != certificatesmanagement.CertificateLifecycleStateCreating {
188+
return nil, "", fmt.Errorf("certificate %s went into an unexpected state %s while updating",
189+
*resp.Certificate.Id, resp.Certificate.LifecycleState)
190+
}
191+
192+
klog.Infof("Certificate %s still not active, waiting", certificateId)
193+
time.Sleep(3 * time.Second)
194+
}
195+
}
196+
125197
func (certificatesClient *CertificatesClient) GetCaBundle(ctx context.Context,
126-
req certificatesmanagement.GetCaBundleRequest) (*certificatesmanagement.CaBundle, error) {
198+
req certificatesmanagement.GetCaBundleRequest) (*certificatesmanagement.CaBundle, string, error) {
127199
klog.Infof("Getting ca bundle with ocid %s ", *req.CaBundleId)
128200
resp, err := certificatesClient.ManagementClient.GetCaBundle(ctx, req)
129201
if err != nil {
130202
klog.Errorf("Error getting certificate %s, %s ", *req.CaBundleId, err.Error())
131-
return nil, err
203+
return nil, "", err
132204
}
133205

134-
return &resp.CaBundle, nil
206+
return &resp.CaBundle, *resp.Etag, nil
135207
}
136208

137209
func (certificatesClient *CertificatesClient) ListCaBundles(ctx context.Context,
@@ -146,6 +218,21 @@ func (certificatesClient *CertificatesClient) ListCaBundles(ctx context.Context,
146218
return &resp.CaBundleCollection, nil
147219
}
148220

221+
func (certificatesClient *CertificatesClient) UpdateCaBundle(ctx context.Context,
222+
req certificatesmanagement.UpdateCaBundleRequest) (*certificatesmanagement.CaBundle, string, error) {
223+
_, err := certificatesClient.ManagementClient.UpdateCaBundle(ctx, req)
224+
if err != nil {
225+
if !util.IsServiceError(err, 409) {
226+
klog.Errorf("Error updating ca bundle %s: %s", *req.CaBundleId, err)
227+
} else {
228+
klog.Errorf("Error updating ca bundle %s due to 409-Conflict", *req.CaBundleId)
229+
}
230+
return nil, "", err
231+
}
232+
233+
return certificatesClient.waitForActiveCaBundle(ctx, *req.CaBundleId)
234+
}
235+
149236
func (certificatesClient *CertificatesClient) DeleteCaBundle(ctx context.Context,
150237
req certificatesmanagement.DeleteCaBundleRequest) (*http.Response, error) {
151238
klog.Infof("Deleting ca bundle with ocid %s ", *req.CaBundleId)
@@ -158,6 +245,34 @@ func (certificatesClient *CertificatesClient) DeleteCaBundle(ctx context.Context
158245
return resp.HTTPResponse(), nil
159246
}
160247

248+
func (certificatesClient *CertificatesClient) waitForActiveCaBundle(ctx context.Context,
249+
caBundleId string) (*certificatesmanagement.CaBundle, string, error) {
250+
timeoutCtx, cancel := context.WithTimeout(ctx, certificateServiceTimeout)
251+
defer cancel()
252+
253+
for {
254+
resp, err := certificatesClient.ManagementClient.GetCaBundle(timeoutCtx, certificatesmanagement.GetCaBundleRequest{
255+
CaBundleId: &caBundleId,
256+
})
257+
if err != nil {
258+
return nil, "", err
259+
}
260+
261+
if resp.CaBundle.LifecycleState == certificatesmanagement.CaBundleLifecycleStateActive {
262+
return &resp.CaBundle, *resp.Etag, nil
263+
}
264+
265+
if resp.CaBundle.LifecycleState != certificatesmanagement.CaBundleLifecycleStateUpdating &&
266+
resp.CaBundle.LifecycleState != certificatesmanagement.CaBundleLifecycleStateCreating {
267+
return nil, "", fmt.Errorf("ca bundle %s went into an unexpected state %s while updating",
268+
*resp.CaBundle.Id, resp.CaBundle.LifecycleState)
269+
}
270+
271+
klog.Infof("cabundle %s still not active, waiting", caBundleId)
272+
time.Sleep(3 * time.Second)
273+
}
274+
}
275+
161276
func (certificatesClient *CertificatesClient) GetCertificateBundle(ctx context.Context,
162277
req certificates.GetCertificateBundleRequest) (certificates.CertificateBundle, error) {
163278
klog.Infof("Getting certificate bundle for certificate ocid %s ", *req.CertificateId)

0 commit comments

Comments
 (0)