Move Calico API server from calico-apiserver namespace to calico-system for OSS (#3989)

* move apiserver component from calico-apiserver ns to calico-system for OSS

* Add APIServer finalizer only to the deployment

* cleanup the apiserver deployment while switching between variant

* correct cleanupdeployment

* Update func name for cleanup deployment

Author: vara2504

pkg/controller/apiserver/apiserver_controller.go

@@ -21,6 +21,7 @@ import (
 	"github.com/go-logr/logr"
 	appsv1 "k8s.io/api/apps/v1"
 
+	v1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/meta"
@@ -52,7 +53,6 @@ import (
 	"github.com/tigera/operator/pkg/render"
 	rcertificatemanagement "github.com/tigera/operator/pkg/render/certificatemanagement"
 	"github.com/tigera/operator/pkg/render/common/authentication"
-	rmeta "github.com/tigera/operator/pkg/render/common/meta"
 	"github.com/tigera/operator/pkg/render/common/networkpolicy"
 	"github.com/tigera/operator/pkg/render/monitor"
 	"github.com/tigera/operator/pkg/tls/certificatemanagement"
@@ -78,7 +78,7 @@ func Add(mgr manager.Manager, opts options.AddOptions) error {
 		go utils.WaitToAddTierWatch(networkpolicy.TigeraComponentTierName, c, opts.K8sClientset, log, r.tierWatchReady)
 
 		go utils.WaitToAddNetworkPolicyWatches(c, opts.K8sClientset, log, []types.NamespacedName{
-			{Name: render.APIServerPolicyName, Namespace: rmeta.APIServerNamespace(operatorv1.TigeraSecureEnterprise)},
+			{Name: render.APIServerPolicyName, Namespace: render.APIServerNamespace},
 		})
 	}
 
@@ -139,7 +139,7 @@ func add(c ctrlruntime.Controller, r *ReconcileAPIServer) error {
 			return fmt.Errorf("apiserver-controller failed to watch primary resource: %v", err)
 		}
 
-		for _, namespace := range []string{common.OperatorNamespace(), rmeta.APIServerNamespace(operatorv1.TigeraSecureEnterprise)} {
+		for _, namespace := range []string{common.OperatorNamespace(), render.APIServerNamespace} {
 			for _, secretName := range []string{render.VoltronTunnelSecretName, render.ManagerTLSSecretName} {
 				if err = utils.AddSecretsWatch(c, secretName, namespace); err != nil {
 					return fmt.Errorf("apiserver-controller failed to watch the Secret resource: %v", err)
@@ -156,10 +156,7 @@ func add(c ctrlruntime.Controller, r *ReconcileAPIServer) error {
 	}
 
 	// Watch for the namespace(s) managed by this controller.
-	if err = c.WatchObject(&corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: rmeta.APIServerNamespace(operatorv1.Calico)}}, &handler.EnqueueRequestForObject{}); err != nil {
-		return fmt.Errorf("apiserver-controller failed to watch resource: %w", err)
-	}
-	if err = c.WatchObject(&corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: rmeta.APIServerNamespace(operatorv1.TigeraSecureEnterprise)}}, &handler.EnqueueRequestForObject{}); err != nil {
+	if err = c.WatchObject(&corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: render.APIServerNamespace}}, &handler.EnqueueRequestForObject{}); err != nil {
 		return fmt.Errorf("apiserver-controller failed to watch resource: %w", err)
 	}
 
@@ -261,7 +258,6 @@ func (r *ReconcileAPIServer) Reconcile(ctx context.Context, request reconcile.Re
 		r.status.SetDegraded(operatorv1.ResourceNotReady, "Waiting for Installation Variant to be set", nil, reqLogger)
 		return reconcile.Result{}, nil
 	}
-	ns := rmeta.APIServerNamespace(installationSpec.Variant)
 
 	certificateManager, err := certificatemanager.Create(r.client, installationSpec, r.clusterDomain, common.OperatorNamespace())
 	if err != nil {
@@ -271,13 +267,13 @@ func (r *ReconcileAPIServer) Reconcile(ctx context.Context, request reconcile.Re
 
 	// We need separate certificates for OSS vs Enterprise.
 	secretName := render.ProjectCalicoAPIServerTLSSecretName(installationSpec.Variant)
-	tlsSecret, err := certificateManager.GetOrCreateKeyPair(r.client, secretName, common.OperatorNamespace(), dns.GetServiceDNSNames(render.ProjectCalicoAPIServerServiceName(installationSpec.Variant), rmeta.APIServerNamespace(installationSpec.Variant), r.clusterDomain))
+	tlsSecret, err := certificateManager.GetOrCreateKeyPair(r.client, secretName, common.OperatorNamespace(), dns.GetServiceDNSNames(render.ProjectCalicoAPIServerServiceName(installationSpec.Variant), render.APIServerNamespace, r.clusterDomain))
 	if err != nil {
 		r.status.SetDegraded(operatorv1.ResourceCreateError, "Unable to get or create tls key pair", err, reqLogger)
 		return reconcile.Result{}, err
 	}
 
-	certificateManager.AddToStatusManager(r.status, ns)
+	certificateManager.AddToStatusManager(r.status, render.APIServerNamespace)
 
 	pullSecrets, err := utils.GetNetworkingPullSecrets(installationSpec, r.client)
 	if err != nil {
@@ -439,7 +435,7 @@ func (r *ReconcileAPIServer) Reconcile(ctx context.Context, request reconcile.Re
 		MultiTenant:                 r.multiTenant,
 		KeyValidatorConfig:          keyValidatorConfig,
 		KubernetesVersion:           r.kubernetesVersion,
-		CanCleanupOlderResources:    r.canCleanupLegacyNamespace(ctx, reqLogger),
+		CanCleanupOlderResources:    r.canCleanupLegacyNamespace(ctx, installationSpec.Variant, reqLogger),
 	}
 
 	var components []render.Component
@@ -460,7 +456,7 @@ func (r *ReconcileAPIServer) Reconcile(ctx context.Context, request reconcile.Re
 	components = append(components,
 		component,
 		rcertificatemanagement.CertificateManagement(&rcertificatemanagement.Config{
-			Namespace:       rmeta.APIServerNamespace(installationSpec.Variant),
+			Namespace:       render.APIServerNamespace,
 			ServiceAccounts: []string{render.APIServerServiceAccountName(installationSpec.Variant)},
 			KeyPairOptions: []rcertificatemanagement.KeyPairOption{
 				rcertificatemanagement.NewKeyPairOption(tlsSecret, true, true),
@@ -515,12 +511,8 @@ func validateAPIServerResource(instance *operatorv1.APIServer) error {
 // prior to the CNI plugin being removed.
 func (r *ReconcileAPIServer) maintainFinalizer(ctx context.Context, apiserver client.Object) error {
 	// These objects require graceful termination before the CNI plugin is torn down.
-	_, spec, err := utils.GetInstallation(context.Background(), r.client)
-	if err != nil {
-		return err
-	}
-	apiServerNamespace := &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: rmeta.APIServerNamespace(spec.Variant)}}
-	return utils.MaintainInstallationFinalizer(ctx, r.client, apiserver, render.APIServerFinalizer, apiServerNamespace)
+	apiServerDeployment := v1.Deployment{ObjectMeta: metav1.ObjectMeta{Name: "calico-apiserver", Namespace: render.APIServerNamespace}}
+	return utils.MaintainInstallationFinalizer(ctx, r.client, apiserver, render.APIServerFinalizer, &apiServerDeployment)
 }
 
 // canCleanupLegacyNamespace determines whether the legacy "tigera-system" namespace
@@ -529,12 +521,16 @@ func (r *ReconcileAPIServer) maintainFinalizer(ctx context.Context, apiserver cl
 // - The new API server deployment in "calico-system" exists and is available.
 // - The old API server deployment in "tigera-system" is either removed or inactive.
 // - Both the APIServer custom resource and the TigeraStatus for 'apiserver' are in the Ready state
-func (r *ReconcileAPIServer) canCleanupLegacyNamespace(ctx context.Context, logger logr.Logger) bool {
-	const (
-		newNamespace   = "calico-system"
-		oldNamespace   = "tigera-system"
-		deploymentName = "tigera-apiserver"
-	)
+func (r *ReconcileAPIServer) canCleanupLegacyNamespace(ctx context.Context, variant operatorv1.ProductVariant, logger logr.Logger) bool {
+
+	newNamespace := "calico-system"
+	oldNamespace := "tigera-system"
+	deploymentName := "tigera-apiserver"
+
+	if variant == operatorv1.Calico {
+		oldNamespace = "calico-apiserver"
+		deploymentName = "calico-apiserver"
+	}
 
 	// Fetch the new API server deployment in calico-system
 	newDeploy := &appsv1.Deployment{}

pkg/controller/apiserver/apiserver_controller_test.go

@@ -152,6 +152,7 @@ var _ = Describe("apiserver controller tests", func() {
 		mockStatus.On("ClearDegraded")
 		mockStatus.On("AddCertificateSigningRequests", mock.Anything)
 		mockStatus.On("RemoveCertificateSigningRequests", mock.Anything)
+		mockStatus.On("RemoveDeployments", mock.Anything)
 		mockStatus.On("ReadyToMonitor")
 		mockStatus.On("SetMetaData", mock.Anything).Return()
 		mockStatus.On("SetDegraded", operatorv1.ResourceReadError, mock.Anything, mock.Anything, mock.Anything).Return().Maybe()
@@ -836,7 +837,7 @@ var _ = Describe("apiserver controller tests", func() {
 			}
 			_, err = r.Reconcile(ctx, reconcile.Request{})
 			Expect(err).ShouldNot(HaveOccurred())
-			canCleanedUp := r.canCleanupLegacyNamespace(ctx, logf.Log.WithName("test"))
+			canCleanedUp := r.canCleanupLegacyNamespace(ctx, installation.Spec.Variant, logf.Log.WithName("test"))
 			Expect(canCleanedUp).To(BeTrue())
 		})
 
@@ -856,7 +857,7 @@ var _ = Describe("apiserver controller tests", func() {
 			}
 			_, err = r.Reconcile(ctx, reconcile.Request{})
 			Expect(err).ShouldNot(HaveOccurred())
-			canCleanedUp := r.canCleanupLegacyNamespace(ctx, logf.Log.WithName("test"))
+			canCleanedUp := r.canCleanupLegacyNamespace(ctx, installation.Spec.Variant, logf.Log.WithName("test"))
 			Expect(canCleanedUp).To(BeFalse())
 		})
 
@@ -882,7 +883,7 @@ var _ = Describe("apiserver controller tests", func() {
 			}
 			_, err = r.Reconcile(ctx, reconcile.Request{})
 			Expect(err).ShouldNot(HaveOccurred())
-			canCleanedUp := r.canCleanupLegacyNamespace(ctx, logf.Log.WithName("test"))
+			canCleanedUp := r.canCleanupLegacyNamespace(ctx, installation.Spec.Variant, logf.Log.WithName("test"))
 			Expect(canCleanedUp).To(BeFalse())
 		})
 
@@ -916,7 +917,7 @@ var _ = Describe("apiserver controller tests", func() {
 			}
 			_, err = r.Reconcile(ctx, reconcile.Request{})
 			Expect(err).ShouldNot(HaveOccurred())
-			canCleanedUp := r.canCleanupLegacyNamespace(ctx, logf.Log.WithName("test"))
+			canCleanedUp := r.canCleanupLegacyNamespace(ctx, installation.Spec.Variant, logf.Log.WithName("test"))
 			Expect(canCleanedUp).To(BeFalse())
 		})
 	})

pkg/controller/tiers/tiers_controller.go

@@ -42,7 +42,6 @@ import (
 	"github.com/tigera/operator/pkg/controller/utils"
 	"github.com/tigera/operator/pkg/ctrlruntime"
 	"github.com/tigera/operator/pkg/render"
-	rmeta "github.com/tigera/operator/pkg/render/common/meta"
 	"github.com/tigera/operator/pkg/render/common/networkpolicy"
 	"github.com/tigera/operator/pkg/render/logstorage/eck"
 	"github.com/tigera/operator/pkg/render/logstorage/kibana"
@@ -194,7 +193,6 @@ func (r *ReconcileTiers) prepareTiersConfig(ctx context.Context, reqLogger logr.
 		render.PacketCaptureNamespace,
 		render.PolicyRecommendationNamespace,
 		common.TigeraPrometheusNamespace,
-		rmeta.APIServerNamespace(operatorv1.TigeraSecureEnterprise),
 		"tigera-skraper",
 	}
 	if r.multiTenant {