K8SPSMDB-1387 certmanager --enable-certificate-owner-ref option causes no startup of any mongodb clusters (#1850)

* fixed

* improve the fix

To fix the issue, we only need to modify the `WaitForCert` method by
adding a check to see if the secret has a controller reference to a
certificate

* create `Certificate` interface

* add e2e test

---------

Co-authored-by: Ivan Sokoryan <i.sokoryan@robo.cash>
Co-authored-by: Viacheslav Sarzhan <slava.sarzhan@percona.com>
Co-authored-by: George Kechagias <geo.kechagias@gmail.com>
Co-authored-by: Andrii Dema <a.dema@jazzserve.com>
Co-authored-by: Ege Güneş <ege.gunes@percona.com>

Author: 6 people

e2e-tests/arbiter/run

@@ -71,7 +71,7 @@ check_cr_config() {
 
 main() {
 	create_infra $namespace
-	deploy_cert_manager
+	deploy_cert_manager "--enable-certificate-owner-ref"
 
 	desc 'create secrets and start client'
 	kubectl_bin apply \

e2e-tests/functions

@@ -1251,6 +1251,10 @@ deploy_cert_manager() {
 	kubectl_bin create namespace cert-manager || :
 	kubectl_bin label namespace cert-manager certmanager.k8s.io/disable-validation=true || :
 	kubectl_bin apply -f "https://github.com/cert-manager/cert-manager/releases/download/v${CERT_MANAGER_VER}/cert-manager.yaml" --validate=false || : 2>/dev/null
+	for arg in "$@"; do
+		kubectl_bin patch deployment cert-manager -n cert-manager --type='json' \
+			-p='[{"op":"add","path":"/spec/template/spec/containers/0/args/-","value":"'"$arg"'"}]'
+	done
 	kubectl_bin -n cert-manager wait pod -l app.kubernetes.io/instance=cert-manager --for=condition=ready
 	sleep 120
 }

pkg/controller/perconaservermongodb/ssl.go

@@ -191,7 +191,7 @@ func (r *ReconcilePerconaServerMongoDB) createSSLByCertManager(ctx context.Conte
 				return nil
 			}
 
-			caSecret, err := r.getSecret(ctx, cr, tls.CACertificateSecretName(cr))
+			caSecret, err := r.getSecret(ctx, cr, tls.CertificateCA(cr).SecretName())
 			if err != nil {
 				if k8serr.IsNotFound(err) {
 					return nil
@@ -393,14 +393,15 @@ func (r *ReconcilePerconaServerMongoDB) applyCertManagerCertificates(ctx context
 			return "", errors.Wrap(err, "apply ca issuer")
 		}
 
+		caCert := tls.CertificateCA(cr)
 		err = applyFunc(func() (util.ApplyStatus, error) {
-			return c.ApplyCACertificate(ctx, cr)
+			return c.ApplyCertificate(ctx, cr, caCert)
 		})
 		if err != nil {
 			return "", errors.Wrap(err, "create ca certificate")
 		}
 
-		err = c.WaitForCerts(ctx, cr, tls.CACertificateSecretName(cr))
+		err = c.WaitForCerts(ctx, cr, caCert)
 		if err != nil {
 			return "", errors.Wrap(err, "failed to wait for ca cert")
 		}
@@ -413,26 +414,27 @@ func (r *ReconcilePerconaServerMongoDB) applyCertManagerCertificates(ctx context
 		return "", errors.Wrap(err, "create issuer")
 	}
 
+	tlsCert := tls.CertificateTLS(cr, false)
 	err = applyFunc(func() (util.ApplyStatus, error) {
-		return c.ApplyCertificate(ctx, cr, false)
+		return c.ApplyCertificate(ctx, cr, tlsCert)
 	})
 	if err != nil {
 		return "", errors.Wrap(err, "create certificate")
 	}
 
-	secretNames := []string{tls.CertificateSecretName(cr, false)}
+	certificates := []tls.Certificate{tlsCert}
 
-	if tls.CertificateSecretName(cr, false) != tls.CertificateSecretName(cr, true) {
+	if internalCert := tls.CertificateTLS(cr, true); tlsCert.SecretName() != internalCert.SecretName() {
 		err = applyFunc(func() (util.ApplyStatus, error) {
-			return c.ApplyCertificate(ctx, cr, true)
+			return c.ApplyCertificate(ctx, cr, internalCert)
 		})
 		if err != nil {
 			return "", errors.Wrap(err, "create certificate")
 		}
-		secretNames = append(secretNames, tls.CertificateSecretName(cr, true))
+		certificates = append(certificates, internalCert)
 	}
 
-	err = c.WaitForCerts(ctx, cr, secretNames...)
+	err = c.WaitForCerts(ctx, cr, certificates...)
 	if err != nil {
 		return "", errors.Wrap(err, "failed to wait for certs")
 	}

pkg/psmdb/tls/certificate.go

@@ -0,0 +1,135 @@
+package tls
+
+import (
+	"time"
+
+	cm "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
+	cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	api "github.com/percona/percona-server-mongodb-operator/pkg/apis/psmdb/v1"
+	"github.com/percona/percona-server-mongodb-operator/pkg/naming"
+)
+
+type Certificate interface {
+	Name() string
+	SecretName() string
+	Object() *cm.Certificate
+}
+
+type caCert struct {
+	cr *api.PerconaServerMongoDB
+}
+
+func CertificateCA(cr *api.PerconaServerMongoDB) Certificate {
+	return &caCert{
+		cr: cr,
+	}
+}
+
+func (c *caCert) Name() string {
+	return c.cr.Name + "-ca-cert"
+}
+
+func (c *caCert) SecretName() string {
+	return c.Name()
+}
+
+func (c *caCert) Object() *cm.Certificate {
+	cr := c.cr
+
+	labels := naming.ClusterLabels(cr)
+	if cr.CompareVersion("1.17.0") < 0 {
+		labels = nil
+	}
+	return &cm.Certificate{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      c.Name(),
+			Namespace: cr.Namespace,
+			Labels:    labels,
+		},
+		Spec: cm.CertificateSpec{
+			SecretName: c.SecretName(),
+			CommonName: cr.Name + "-ca",
+			IsCA:       true,
+			IssuerRef: cmmeta.ObjectReference{
+				Name: caIssuerName(cr),
+				Kind: cm.IssuerKind,
+			},
+			Duration:    &metav1.Duration{Duration: time.Hour * 24 * 365},
+			RenewBefore: &metav1.Duration{Duration: 730 * time.Hour},
+		},
+	}
+}
+
+type tlsCert struct {
+	cr *api.PerconaServerMongoDB
+
+	internal bool
+}
+
+func CertificateTLS(cr *api.PerconaServerMongoDB, internal bool) Certificate {
+	return &tlsCert{
+		cr:       cr,
+		internal: internal,
+	}
+}
+
+func (c *tlsCert) Name() string {
+	if c.internal {
+		return c.cr.Name + "-ssl-internal"
+	}
+	return c.cr.Name + "-ssl"
+}
+
+func (c *tlsCert) SecretName() string {
+	if c.internal {
+		return api.SSLInternalSecretName(c.cr)
+	}
+
+	return api.SSLSecretName(c.cr)
+}
+
+func (c *tlsCert) Object() *cm.Certificate {
+	cr := c.cr
+
+	issuerKind := cm.IssuerKind
+	issuerGroup := ""
+	if cr.CompareVersion("1.16.0") >= 0 && cr.Spec.TLS != nil && cr.Spec.TLS.IssuerConf != nil {
+		issuerKind = cr.Spec.TLS.IssuerConf.Kind
+		issuerGroup = cr.Spec.TLS.IssuerConf.Group
+
+	}
+	isCA := false
+	if cr.CompareVersion("1.15.0") < 0 {
+		isCA = true
+	}
+
+	labels := naming.ClusterLabels(cr)
+	if cr.CompareVersion("1.17.0") < 0 {
+		labels = nil
+	}
+
+	return &cm.Certificate{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      c.Name(),
+			Namespace: cr.Namespace,
+			Labels:    labels,
+		},
+		Spec: cm.CertificateSpec{
+			Subject: &cm.X509Subject{
+				Organizations: []string{"PSMDB"},
+			},
+			CommonName: cr.Name,
+			SecretName: c.SecretName(),
+			DNSNames:   GetCertificateSans(cr),
+			IsCA:       isCA,
+			Duration:   &cr.Spec.TLS.CertValidityDuration,
+			IssuerRef: cmmeta.ObjectReference{
+				Name:  issuerName(cr),
+				Kind:  issuerKind,
+				Group: issuerGroup,
+			},
+		},
+	}
+}