Merge pull request #667 from Kuadrant/fix-perms-tls-controller
fix perms around issuers
openshift-merge-bot[bot] authored Nov 13, 2023
2 parents 3019274 + e2fd5ef commit 3e7edf6
Showing 6 changed files with 61 additions and 91 deletions.
Expand Up @@ -4,7 +4,7 @@ metadata:
annotations:
alm-examples: '[]'
capabilities: Basic Install
createdAt: "2023-11-10T09:41:24Z"
createdAt: "2023-11-10T17:08:34Z"
operators.operatorframework.io/builder: operator-sdk-v1.28.0
operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
name: multicluster-gateway-controller.v0.0.0
Expand Down Expand Up @@ -332,13 +332,15 @@ spec:
verbs:
- get
- list
- watch
- apiGroups:
- cert-manager.io
resources:
- issuers
verbs:
- get
- list
- watch
- apiGroups:
- cluster.open-cluster-management.io
resources:
Expand Down Expand Up @@ -504,55 +506,37 @@ spec:
serviceAccountName: mgc-policy-controller
deployments:
- label:
app.kubernetes.io/component: manager
app.kubernetes.io/created-by: multicluster-gateway-controller
app.kubernetes.io/instance: controller-manager
app.kubernetes.io/managed-by: kustomize
app.kubernetes.io/name: deployment
app.kubernetes.io/part-of: kuadrant
control-plane: controller-manager
name: mgc-controller-manager
control-plane: kuadrant-add-on-manager
name: mgc-add-on-manager
spec:
replicas: 1
selector:
matchLabels:
control-plane: controller-manager
control-plane: kuadrant-add-on-manager
strategy: {}
template:
metadata:
annotations:
kubectl.kubernetes.io/default-container: manager
kubectl.kubernetes.io/default-container: controller
labels:
control-plane: controller-manager
control-plane: kuadrant-add-on-manager
spec:
containers:
- args:
- --metrics-bind-address=0.0.0.0:8080
- --leader-elect
command:
- /controller
image: quay.io/kuadrant/multicluster-gateway-controller:main
- /add-on-manager
envFrom:
- configMapRef:
name: controller-config
optional: true
image: quay.io/kuadrant/addon-manager:main
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /healthz
port: 8081
initialDelaySeconds: 15
periodSeconds: 20
name: manager
ports:
- containerPort: 8080
name: metrics
readinessProbe:
httpGet:
path: /readyz
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
name: controller
resources:
limits:
cpu: 500m
memory: 256Mi
memory: 128Mi
requests:
cpu: 10m
memory: 64Mi
Expand All @@ -563,46 +547,58 @@ spec:
- ALL
securityContext:
runAsNonRoot: true
serviceAccountName: mgc-controller-manager
serviceAccountName: mgc-add-on-manager
terminationGracePeriodSeconds: 10
- label:
app.kubernetes.io/component: add-on-manager
app.kubernetes.io/created-by: kuadrant-add-on-manager
app.kubernetes.io/instance: kuadrant-add-on-manager
app.kubernetes.io/component: manager
app.kubernetes.io/created-by: multicluster-gateway-controller
app.kubernetes.io/instance: controller-manager
app.kubernetes.io/managed-by: kustomize
app.kubernetes.io/name: deployment
app.kubernetes.io/part-of: kuadrant
control-plane: kuadrant-add-on-manager
name: mgc-kuadrant-add-on-manager
control-plane: controller-manager
name: mgc-controller-manager
spec:
replicas: 1
selector:
matchLabels:
control-plane: kuadrant-add-on-manager
control-plane: controller-manager
strategy: {}
template:
metadata:
annotations:
kubectl.kubernetes.io/default-container: controller
kubectl.kubernetes.io/default-container: manager
labels:
control-plane: kuadrant-add-on-manager
control-plane: controller-manager
spec:
containers:
- args:
- --metrics-bind-address=0.0.0.0:8080
- --leader-elect
command:
- /add-on-manager
envFrom:
- configMapRef:
name: controller-config
optional: true
image: quay.io/kuadrant/addon-manager:main
- /controller
image: quay.io/kuadrant/multicluster-gateway-controller:main
imagePullPolicy: Always
name: controller
livenessProbe:
httpGet:
path: /healthz
port: 8081
initialDelaySeconds: 15
periodSeconds: 20
name: manager
ports:
- containerPort: 8080
name: metrics
readinessProbe:
httpGet:
path: /readyz
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
resources:
limits:
cpu: 500m
memory: 128Mi
memory: 256Mi
requests:
cpu: 10m
memory: 64Mi
Expand All @@ -613,7 +609,7 @@ spec:
- ALL
securityContext:
runAsNonRoot: true
serviceAccountName: mgc-add-on-manager
serviceAccountName: mgc-controller-manager
terminationGracePeriodSeconds: 10
- label:
control-plane: policy-controller
8 changes: 1 addition & 7 deletions config/add-on-manager/manager.yaml
@@ -1,16 +1,10 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: kuadrant-add-on-manager
name: add-on-manager
namespace: system
labels:
control-plane: kuadrant-add-on-manager
app.kubernetes.io/name: deployment
app.kubernetes.io/instance: kuadrant-add-on-manager
app.kubernetes.io/component: add-on-manager
app.kubernetes.io/created-by: kuadrant-add-on-manager
app.kubernetes.io/part-of: kuadrant
app.kubernetes.io/managed-by: kustomize
spec:
selector:
matchLabels:
2 changes: 2 additions & 0 deletions config/policy-controller/rbac/role.yaml
Expand Up @@ -32,13 +32,15 @@ rules:
verbs:
- get
- list
- watch
- apiGroups:
- cert-manager.io
resources:
- issuers
verbs:
- get
- list
- watch
- apiGroups:
- cluster.open-cluster-management.io
resources:
4 changes: 2 additions & 2 deletions hack/make/policy_controller.make
Expand Up @@ -41,8 +41,8 @@ docker-push-policy-controller: ## Push docker image with the controller.

.PHONY: deploy-policy-controller
deploy-policy-controller: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config.
cd config/policy-controller && $(KUSTOMIZE) edit set image policy-controller=${POLICY_CONTROLLER_IMG}
$(KUSTOMIZE) --load-restrictor LoadRestrictionsNone build config/deploy/local | kubectl apply -f -
cd config/policy-controller/default && $(KUSTOMIZE) edit set image policy-controller=${POLICY_CONTROLLER_IMG}
$(KUSTOMIZE) --load-restrictor LoadRestrictionsNone build config/policy-controller/default | kubectl apply -f -
@if [ "$(METRICS)" = "true" ]; then\
$(KUSTOMIZE) build config/prometheus | kubectl apply -f -;\
fi
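Review bot: The second changed line carries `--load-restrictor LoadRestrictionsNone` over to the new `config/policy-controller/default` build path without re-checking whether it is still needed; that flag turns off kustomize's guard against a kustomization pulling files from outside its own directory, so it should only stay if the new overlay really references resources outside that tree. If it does not, drop it: `$(KUSTOMIZE) build config/policy-controller/default | kubectl apply -f -`. The first changed line now runs `kustomize edit set image` inside the checked-in `default` overlay, which mutates that directory's kustomization.yaml on every deploy; a short comment on the target saying this is intended (or a `git checkout` of the file afterwards) would prevent accidental commits of a local image tag.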
4 changes: 2 additions & 2 deletions pkg/controllers/tlspolicy/tlspolicy_controller.go
Expand Up @@ -67,8 +67,8 @@ type TLSPolicyReconciler struct {
//+kubebuilder:rbac:groups=kuadrant.io,resources=tlspolicies,verbs=get;list;watch;update;patch;delete
//+kubebuilder:rbac:groups=kuadrant.io,resources=tlspolicies/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=kuadrant.io,resources=tlspolicies/finalizers,verbs=update
//+kubebuilder:rbac:groups="cert-manager.io",resources=issuers,verbs=get;list;
//+kubebuilder:rbac:groups="cert-manager.io",resources=clusterissuers,verbs=get;list;
//+kubebuilder:rbac:groups="cert-manager.io",resources=issuers,verbs=get;list;watch;
//+kubebuilder:rbac:groups="cert-manager.io",resources=clusterissuers,verbs=get;list;watch;
//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch
//+kubebuilder:rbac:groups="cert-manager.io",resources=certificates,verbs=get;list;watch;create;update;patch;delete

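Review bot: The two rewritten kubebuilder markers widen the policy controller's role to `watch` on cert-manager `issuers` and `clusterissuers` without recording why, which invites a later reviewer to trim the verb back in the name of least privilege. A one-line comment above them would settle it, e.g. `// get/list/watch: issuers are read through the controller-runtime cache, which needs list+watch to stay populated` — assuming that is the reason, since the reconciler body is outside this hunk. `clusterissuers` is cluster-scoped, so the grant necessarily lands in a ClusterRole; the generated role.yaml hunk in this commit only shows the `issuers` rule, so it is worth confirming the regenerated `clusterissuers` rule picked up `watch` as well.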
38 changes: 8 additions & 30 deletions test/e2e/gateway_single_spoke_test.go
Expand Up @@ -398,33 +398,6 @@ var _ = Describe("Gateway single target cluster", func() {
return fmt.Errorf("dns names for secret not as expected")
}).WithContext(ctx).WithTimeout(180 * time.Second).WithPolling(2 * time.Second).ShouldNot(HaveOccurred())
}

By("checking a wildcard cert is present via get request")
{
dialer := &net.Dialer{Resolver: authoritativeResolver}
dialContext := func(ctx context.Context, network, addr string) (net.Conn, error) {
return dialer.DialContext(ctx, network, addr)
}
http.DefaultTransport.(*http.Transport).DialContext = dialContext
http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
otherHostname = gatewayapi.Hostname(strings.Join([]string{"other", tconfig.ManagedZone()}, "."))
var resp *http.Response
Eventually(func(ctx SpecContext) error {
httpClient := &http.Client{}
resp, err = httpClient.Get("https://" + string(otherHostname))
if err != nil {
GinkgoWriter.Printf("[debug] GET error: '%s'\n", err)
return err
}
err = TestCertificate(string(wildcardHostname), resp)
if err != nil {
GinkgoWriter.Printf("[debug] Cert error: '%s'\n", err)
return err
}
return nil
}).WithTimeout(600 * time.Second).WithPolling(10 * time.Second).WithContext(ctx).ShouldNot(HaveOccurred())
defer resp.Body.Close()
}
By("adding/removing listeners tls secrets are added/removed")
{
gw := &gatewayapi.Gateway{}
Expand All @@ -436,13 +409,18 @@ var _ = Describe("Gateway single target cluster", func() {
}
otherHostname = gatewayapi.Hostname(strings.Join([]string{"other", tconfig.ManagedZone()}, "."))
AddListener("other", otherHostname, gatewayapi.ObjectName(otherHostname), gw)
err = tconfig.HubClient().Update(ctx, gw)
Expect(err).ToNot(HaveOccurred())

expectedLiseners := 3
Eventually(func(ctx SpecContext) error {
err = tconfig.HubClient().Update(ctx, gw)
if err != nil {
return fmt.Errorf("failed to update gateway and add new listeners: %w", err)
}
checkGateway := &gatewayapi.Gateway{}
err = tconfig.HubClient().Get(ctx, client.ObjectKey{Name: testID, Namespace: tconfig.HubNamespace()}, checkGateway)
Expect(err).ToNot(HaveOccurred())
if err != nil {
return fmt.Errorf("failed to get updated gateway after adding listeners: %w", err)
}
if len(checkGateway.Spec.Listeners) == expectedLiseners {
return nil
}
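Review bot: Moving `tconfig.HubClient().Update(ctx, gw)` inside the `Eventually` loop retries with the same in-memory `gw` every time, so once another writer bumps the Gateway's resourceVersion between polls the update returns a conflict on every subsequent attempt and the loop can only end by timeout; the loop reads a fresh copy into `checkGateway` but never refreshes `gw`. The usual fix is to re-read the object before each attempt, for example by wrapping the Get/AddListener/Update sequence in `retry.RetryOnConflict(retry.DefaultRetry, func() error { ... })` from `k8s.io/client-go/util/retry`, or at minimum to re-`Get` into `gw` when `apierrors.IsConflict(err)`. The enclosing `It` block starts and ends outside this hunk, so whether `gw` is reused afterwards is not visible here. Separately, the deleted "checking a wildcard cert is present via get request" step removes the only coverage of the wildcard certificate in this spec and the commit description does not mention it; a sentence in the description saying where that check now lives (or that it was intentionally dropped) would help.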
