
Add rbac to delete secrets#3870

Merged
asincu merged 2 commits intotigera:masterfrom
asincu:add_delete_secrets_rbac
Apr 8, 2025

Conversation

@asincu asincu commented Apr 7, 2025

Description

When connecting a managed cluster to a management single tenant cluster,
es-kube-controllers are responsible for copying the voltron linseed
certificate via the tunnel. Before this operation, es kube controllers
will first reconcile users. Any failure in reconciling users will lead
to the certificate not being copied over. The first step in user
reconciliation is to delete secrets for decommissioned users or
components, like curator. A failure because of missing RBAC will result
in the certificate not being copied over, and the namespaces for fluentD, compliance and
intrusion controller not being created in the managed cluster. Single
tenant management clusters with external elasticsearch are configured
using external elasticsearch controller and rendered.

Error logs from ES Kube Controllers

2025-04-07 21:02:02.709 [INFO][15] kube-controllers/reconcile_elasticsearch_configuration.go 61: Reconciling Elasticsearch credentials cluster="tigera-labs" key=tigera-operator/tigera-secure-es-http-certs-public
2025-04-07 21:02:04.491 [ERROR][15] kube-controllers/reconcile_elasticsearch_configuration.go 386: Error while deleting verification secret tigera-elasticsearch/tigera-ee-curator-tigera-labs-gateway-verification-credentials (via mgmt client) cluster="tigera-labs" error=secrets "tigera-ee-curator-tigera-labs-gateway-verification-credentials" is forbidden: User "system:serviceaccount:calico-system:calico-kube-controllers" cannot delete resource "secrets" in API group "" in the namespace "tigera-elasticsearch" key=tigera-operator/tigera-secure-es-http-certs-public

For PR author

  • Tests for change.
  • If changing pkg/apis/, run make gen-files
  • If changing versions, run make gen-versions

For PR reviewers

A note for code reviewers - all pull requests must have the following:

  • Milestone set according to targeted release.
  • Appropriate labels:
    • kind/bug if this is a bugfix.
    • kind/enhancement if this is a new feature.
    • enterprise if this PR applies to Calico Enterprise only.
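The denial in the log above is an RBAC decision: the calico-kube-controllers service account is asking to `delete` `secrets` in the core API group in namespace `tigera-elasticsearch`, and no Role bound to it grants that verb. The following is an added example (not code from the operator, this PR, or es-kube-controllers) that parses that exact log line, evaluates the request against two constructed rule sets modeled on the `rbac.authorization.k8s.io/v1` PolicyRule shape, and renders the `kubectl auth can-i` command a practitioner would run to confirm the fix on a live cluster. The `PolicyRule` type and `Allowed` function are local simplifications of the Kubernetes RBAC authorizer (no ClusterRoles, resourceNames, subresources or nonResourceURLs), and both rule sets are assumptions for illustration, not the Role the operator actually renders.

```go
package main

import (
	"fmt"
	"regexp"
)

// ForbiddenRequest is the (user, verb, resource, group, namespace) tuple the
// API server reports in an RBAC "is forbidden" error.
type ForbiddenRequest struct {
	User, Verb, Resource, APIGroup, Namespace string
}

// forbiddenRe matches the apiserver's denial message as it appears in the
// es-kube-controllers log line quoted in the PR description.
var forbiddenRe = regexp.MustCompile(
	`User "([^"]+)" cannot (\w+) resource "([^"]+)" in API group "([^"]*)" in the namespace "([^"]+)"`)

// ParseForbidden extracts the denied request from a log line; ok is false if
// the line does not carry an RBAC denial.
func ParseForbidden(line string) (req ForbiddenRequest, ok bool) {
	m := forbiddenRe.FindStringSubmatch(line)
	if m == nil {
		return ForbiddenRequest{}, false
	}
	return ForbiddenRequest{User: m[1], Verb: m[2], Resource: m[3], APIGroup: m[4], Namespace: m[5]}, true
}

// PolicyRule mirrors the fields of rbac/v1 PolicyRule that matter here. It is
// defined locally so the example has no dependency on k8s.io/api.
type PolicyRule struct {
	APIGroups, Resources, Verbs []string
}

// matches reports whether list names v explicitly or via the "*" wildcard.
func matches(list []string, v string) bool {
	for _, x := range list {
		if x == "*" || x == v {
			return true
		}
	}
	return false
}

// Allowed reports whether any rule grants the request. This is the simple
// verb/group/resource match of a namespaced Role; it ignores ClusterRoles,
// resourceNames and subresources (an assumption of this example).
func Allowed(rules []PolicyRule, r ForbiddenRequest) bool {
	for _, rule := range rules {
		if matches(rule.APIGroups, r.APIGroup) && matches(rule.Resources, r.Resource) && matches(rule.Verbs, r.Verb) {
			return true
		}
	}
	return false
}

// KubectlCanI renders the command that reproduces the authorizer's answer on a
// live cluster, impersonating the denied service account.
func KubectlCanI(r ForbiddenRequest) string {
	res := r.Resource
	if r.APIGroup != "" {
		res += "." + r.APIGroup
	}
	return fmt.Sprintf("kubectl auth can-i %s %s --as=%s -n %s", r.Verb, res, r.User, r.Namespace)
}

// SampleLogLine is the error line quoted in the PR description.
const SampleLogLine = `2025-04-07 21:02:04.491 [ERROR][15] kube-controllers/reconcile_elasticsearch_configuration.go 386: Error while deleting verification secret tigera-elasticsearch/tigera-ee-curator-tigera-labs-gateway-verification-credentials (via mgmt client) cluster="tigera-labs" error=secrets "tigera-ee-curator-tigera-labs-gateway-verification-credentials" is forbidden: User "system:serviceaccount:calico-system:calico-kube-controllers" cannot delete resource "secrets" in API group "" in the namespace "tigera-elasticsearch" key=tigera-operator/tigera-secure-es-http-certs-public`

// Constructed rule sets (assumptions for illustration, not the operator's rendered Role):
// the same secrets rule before and after adding the "delete" verb.
var (
	SecretsRuleWithoutDelete = []PolicyRule{{APIGroups: []string{""}, Resources: []string{"secrets"}, Verbs: []string{"get", "list", "watch", "create", "update"}}}
	SecretsRuleWithDelete    = []PolicyRule{{APIGroups: []string{""}, Resources: []string{"secrets"}, Verbs: []string{"get", "list", "watch", "create", "update", "delete"}}}
)

func main() {
	req, ok := ParseForbidden(SampleLogLine)
	if !ok {
		fmt.Println("no RBAC denial found in log line")
		return
	}
	fmt.Printf("denied request: %+v\n", req)
	fmt.Println("allowed before fix:", Allowed(SecretsRuleWithoutDelete, req))
	fmt.Println("allowed after fix: ", Allowed(SecretsRuleWithDelete, req))
	fmt.Println("verify on cluster: ", KubectlCanI(req))
}
```

Because es-kube-controllers performs the delete through the management cluster client, the `kubectl auth can-i` check has to be run against the management cluster's API server, not the managed cluster's.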

@asincu asincu requested a review from a team as a code owner April 7, 2025 23:11
@marvin-tigera marvin-tigera added this to the v1.39.0 milestone Apr 7, 2025
@asincu asincu force-pushed the add_delete_secrets_rbac branch 4 times, most recently from 8f41836 to 9408a95 on April 8, 2025 06:10
@tmjd tmjd left a comment

I've approved even though I've added a comment, as my comment could be done in a follow-up PR.

asincu added 2 commits April 8, 2025 10:45
When connecting a managed cluster to a management single tenant cluster,
es-kube-controllers are responsible for copying the voltron linseed
certificate via the tunnel. Before this operation, es kube controllers
will first reconcile users. Any failure in reconciling users will lead
to the certificate not being copied over. The first step in user
reconciliation is to delete secrets for decommissioned users or
components, like curator. A failure because of missing RBAC will result
in the certificate not being copied over, and the namespaces for fluentD, compliance and
intrusion controller not being created in the managed cluster. Single
tenant management clusters with external elasticsearch are configured
using external elasticsearch controller and rendered.
@asincu asincu force-pushed the add_delete_secrets_rbac branch from 9408a95 to cc9283f on April 8, 2025 17:46
@tmjd tmjd left a comment

LGTM

@asincu asincu merged commit 4e64d30 into tigera:master Apr 8, 2025
5 checks passed
asincu added a commit to asincu/operator that referenced this pull request Apr 8, 2025
* Add rbac to delete secrets for external controller
* Fix! Update CRDs
asincu added a commit to asincu/operator that referenced this pull request Apr 8, 2025
* Add rbac to delete secrets for external controller
* Fix! Update CRDs
asincu added a commit that referenced this pull request Apr 8, 2025
* Add rbac to delete secrets for external controller
* Fix! Update CRDs
asincu added a commit that referenced this pull request Apr 8, 2025
[cherry-pick][v1.38] Add rbac to delete secrets (#3870)