From 39d3cd1e64d656568f341d2edebe762fb4c0a49b Mon Sep 17 00:00:00 2001
From: Andrii Dema
Date: Fri, 11 Aug 2023 15:19:30 +0300
Subject: [PATCH 01/11] K8SPSMDB-956: fix problems with TLS certificate renewal https://jira.percona.com/browse/K8SPSMDB-956
---
 deploy/rbac.yaml | 1 +
 e2e-tests/conf/cmctl.yml | 28 ++++
 .../certificate_some-name-ssl-internal.yml | 47 +++++++
 .../compare/certificate_some-name-ssl.yml | 47 +++++++
 .../issuer_some-name-psmdb-ca-issuer.yml | 12 ++
 .../compare/issuer_some-name-psmdb-issuer.yml | 13 ++
 .../tls-issue-cert-manager/conf/some-name.yml | 45 ++++++
 e2e-tests/tls-issue-cert-manager/run | 113 +++++++++++++++
 pkg/controller/perconaservermongodb/ssl.go | 132 ++++++++++++------
 9 files changed, 393 insertions(+), 45 deletions(-)
 create mode 100644 e2e-tests/conf/cmctl.yml
 create mode 100644 e2e-tests/tls-issue-cert-manager/compare/certificate_some-name-ssl-internal.yml
 create mode 100644 e2e-tests/tls-issue-cert-manager/compare/certificate_some-name-ssl.yml
 create mode 100644 e2e-tests/tls-issue-cert-manager/compare/issuer_some-name-psmdb-ca-issuer.yml
 create mode 100644 e2e-tests/tls-issue-cert-manager/compare/issuer_some-name-psmdb-issuer.yml
 create mode 100644 e2e-tests/tls-issue-cert-manager/conf/some-name.yml
 create mode 100755 e2e-tests/tls-issue-cert-manager/run
diff --git a/deploy/rbac.yaml b/deploy/rbac.yaml
index 4683735938..a58c21025f 100644
--- a/deploy/rbac.yaml
+++ b/deploy/rbac.yaml
@@ -100,6 +100,7 @@ rules:
 resources:
 - issuers
 - certificates
+ - certificates/status
 verbs:
 - get
 - list
diff --git a/e2e-tests/conf/cmctl.yml b/e2e-tests/conf/cmctl.yml
new file mode 100644
index 0000000000..0fa44ab954
--- /dev/null
+++ b/e2e-tests/conf/cmctl.yml
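Review bot: `certificates/status` is granted to the operator's role here, but nothing in the ssl.go changes of this patch reads or writes certificate status; the only consumer visible in the series is the cmctl Deployment in e2e-tests/conf/cmctl.yml, which runs under `serviceAccountName: percona-server-mongodb-operator`. If the subresource is only needed so that the test's `cmctl renew` can update the Certificate status, a test-harness requirement is being baked into the production RBAC, and how much is granted depends on the verb list that this hunk cuts off after `get` and `list`. Prefer a dedicated ServiceAccount and Role for the cmctl pod in the e2e manifests and leave deploy/rbac.yaml untouched; if the operator itself genuinely needs the subresource, record why next to the rule, e.g. `# certificates/status: <reason the operator reads/writes Certificate status>`.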
@@ -0,0 +1,28 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cmctl
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ name: cmctl
+ template:
+ metadata:
+ labels:
+ name: cmctl
+ spec:
+ serviceAccountName: percona-server-mongodb-operator
+ containers:
+ - name: cmctl
+ image: debian
+ imagePullPolicy: Always
+ command:
+ - /bin/bash
+ - -c
+ - |
+ apt-get update && apt-get install -y curl \
+ && curl -fsSL -o cmctl.tar.gz https://github.com/cert-manager/cert-manager/releases/latest/download/cmctl-linux-amd64.tar.gz \
+ && tar xzf cmctl.tar.gz \
+ && sleep 100500
+ restartPolicy: Always
diff --git a/e2e-tests/tls-issue-cert-manager/compare/certificate_some-name-ssl-internal.yml b/e2e-tests/tls-issue-cert-manager/compare/certificate_some-name-ssl-internal.yml
new file mode 100644
index 0000000000..5da1f33d73
--- /dev/null
+++ b/e2e-tests/tls-issue-cert-manager/compare/certificate_some-name-ssl-internal.yml
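Review bot: The cmctl binary is downloaded at pod start from `releases/latest/download/cmctl-linux-amd64.tar.gz` with no version pin and no integrity check, then unpacked and run in a pod that uses `serviceAccountName: percona-server-mongodb-operator`, so whatever that URL serves on the day the suite runs executes with the operator's RBAC. `image: debian` together with `imagePullPolicy: Always` makes the base image a floating tag as well, so the test environment is not reproducible between runs. Pin the release and verify the archive before unpacking, e.g. `&& curl -fsSL -o cmctl.tar.gz https://github.com/cert-manager/cert-manager/releases/download/<CMCTL_VERSION_PLACEHOLDER>/cmctl-linux-amd64.tar.gz \` followed by `&& echo "<SHA256_PLACEHOLDER>  cmctl.tar.gz" | sha256sum -c - \`, pin `image: debian:<TAG_PLACEHOLDER>`, and give the pod its own minimal ServiceAccount rather than the operator's.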
@@ -0,0 +1,47 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ generation: 1
+ name: some-name-ssl-internal
+ ownerReferences:
+ - blockOwnerDeletion: true
+ controller: true
+ kind: PerconaServerMongoDB
+ name: some-name
+spec:
+ commonName: some-name
+ dnsNames:
+ - localhost
+ - some-name-rs0
+ - some-name-rs0.NAME_SPACE
+ - some-name-rs0.NAME_SPACE.svc.cluster.local
+ - '*.some-name-rs0'
+ - '*.some-name-rs0.NAME_SPACE'
+ - '*.some-name-rs0.NAME_SPACE.svc.cluster.local'
+ - some-name-rs0.NAME_SPACE.svc.clusterset.local
+ - '*.some-name-rs0.NAME_SPACE.svc.clusterset.local'
+ - '*.NAME_SPACE.svc.clusterset.local'
+ - some-name-mongos
+ - some-name-mongos.NAME_SPACE
+ - some-name-mongos.NAME_SPACE.svc.cluster.local
+ - '*.some-name-mongos'
+ - '*.some-name-mongos.NAME_SPACE'
+ - '*.some-name-mongos.NAME_SPACE.svc.cluster.local'
+ - some-name-cfg
+ - some-name-cfg.NAME_SPACE
+ - some-name-cfg.NAME_SPACE.svc.cluster.local
+ - '*.some-name-cfg'
+ - '*.some-name-cfg.NAME_SPACE'
+ - '*.some-name-cfg.NAME_SPACE.svc.cluster.local'
+ - some-name-mongos.NAME_SPACE.svc.clusterset.local
+ - '*.some-name-mongos.NAME_SPACE.svc.clusterset.local'
+ - some-name-cfg.NAME_SPACE.svc.clusterset.local
+ - '*.some-name-cfg.NAME_SPACE.svc.clusterset.local'
+ duration: 2160h0m0s
+ issuerRef:
+ kind: Issuer
+ name: some-name-psmdb-issuer
+ secretName: some-name-ssl-internal
+ subject:
+ organizations:
+ - PSMDB
diff --git a/e2e-tests/tls-issue-cert-manager/compare/certificate_some-name-ssl.yml b/e2e-tests/tls-issue-cert-manager/compare/certificate_some-name-ssl.yml
new file mode 100644
index 0000000000..485444ce02
--- /dev/null
+++ b/e2e-tests/tls-issue-cert-manager/compare/certificate_some-name-ssl.yml
@@ -0,0 +1,47 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ generation: 1
+ name: some-name-ssl
+ ownerReferences:
+ - blockOwnerDeletion: true
+ controller: true
+ kind: PerconaServerMongoDB
+ name: some-name
+spec:
+ commonName: some-name
+ dnsNames:
+ - localhost
+ - some-name-rs0
+ - some-name-rs0.NAME_SPACE
+ - some-name-rs0.NAME_SPACE.svc.cluster.local
+ - '*.some-name-rs0'
+ - '*.some-name-rs0.NAME_SPACE'
+ - '*.some-name-rs0.NAME_SPACE.svc.cluster.local'
+ - some-name-rs0.NAME_SPACE.svc.clusterset.local
+ - '*.some-name-rs0.NAME_SPACE.svc.clusterset.local'
+ - '*.NAME_SPACE.svc.clusterset.local'
+ - some-name-mongos
+ - some-name-mongos.NAME_SPACE
+ - some-name-mongos.NAME_SPACE.svc.cluster.local
+ - '*.some-name-mongos'
+ - '*.some-name-mongos.NAME_SPACE'
+ - '*.some-name-mongos.NAME_SPACE.svc.cluster.local'
+ - some-name-cfg
+ - some-name-cfg.NAME_SPACE
+ - some-name-cfg.NAME_SPACE.svc.cluster.local
+ - '*.some-name-cfg'
+ - '*.some-name-cfg.NAME_SPACE'
+ - '*.some-name-cfg.NAME_SPACE.svc.cluster.local'
+ - some-name-mongos.NAME_SPACE.svc.clusterset.local
+ - '*.some-name-mongos.NAME_SPACE.svc.clusterset.local'
+ - some-name-cfg.NAME_SPACE.svc.clusterset.local
+ - '*.some-name-cfg.NAME_SPACE.svc.clusterset.local'
+ duration: 2160h0m0s
+ issuerRef:
+ kind: Issuer
+ name: some-name-psmdb-issuer
+ secretName: some-name-ssl
+ subject:
+ organizations:
+ - PSMDB
diff --git a/e2e-tests/tls-issue-cert-manager/compare/issuer_some-name-psmdb-ca-issuer.yml b/e2e-tests/tls-issue-cert-manager/compare/issuer_some-name-psmdb-ca-issuer.yml
new file mode 100644
index 0000000000..1fc30a752e
--- /dev/null
+++ b/e2e-tests/tls-issue-cert-manager/compare/issuer_some-name-psmdb-ca-issuer.yml
@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ generation: 1
+ name: some-name-psmdb-ca-issuer
+ ownerReferences:
+ - blockOwnerDeletion: true
+ controller: true
+ kind: PerconaServerMongoDB
+ name: some-name
+spec:
+ selfSigned: {}
diff --git a/e2e-tests/tls-issue-cert-manager/compare/issuer_some-name-psmdb-issuer.yml b/e2e-tests/tls-issue-cert-manager/compare/issuer_some-name-psmdb-issuer.yml
new file mode 100644
index 0000000000..28614ee5e2
--- /dev/null
+++ b/e2e-tests/tls-issue-cert-manager/compare/issuer_some-name-psmdb-issuer.yml
@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ generation: 1
+ name: some-name-psmdb-issuer
+ ownerReferences:
+ - blockOwnerDeletion: true
+ controller: true
+ kind: PerconaServerMongoDB
+ name: some-name
+spec:
+ ca:
+ secretName: some-name-ca-cert
diff --git a/e2e-tests/tls-issue-cert-manager/conf/some-name.yml b/e2e-tests/tls-issue-cert-manager/conf/some-name.yml
new file mode 100644
index 0000000000..ae2549952b
--- /dev/null
+++ b/e2e-tests/tls-issue-cert-manager/conf/some-name.yml
@@ -0,0 +1,45 @@
+apiVersion: psmdb.percona.com/v1
+kind: PerconaServerMongoDB
+metadata:
+ name: some-name
+spec:
+ #platform: openshift
+ image:
+ imagePullPolicy: Always
+ backup:
+ enabled: false
+ replsets:
+ - name: rs0
+ affinity:
+ antiAffinityTopologyKey: none
+ resources:
+ limits:
+ cpu: 500m
+ memory: 1G
+ requests:
+ cpu: 100m
+ memory: 0.1G
+ volumeSpec:
+ persistentVolumeClaim:
+ resources:
+ requests:
+ storage: 1Gi
+ expose:
+ enabled: false
+ exposeType: ClusterIP
+ size: 3
+ sharding:
+ enabled: true
+ configsvrReplSet:
+ size: 3
+ volumeSpec:
+ persistentVolumeClaim:
+ resources:
+ requests:
+ storage: 3Gi
+ expose:
+ enabled: false
+ mongos:
+ size: 3
+ secrets:
+ users: some-users
diff --git a/e2e-tests/tls-issue-cert-manager/run b/e2e-tests/tls-issue-cert-manager/run
new file mode 100755
index 0000000000..3123c551f7
--- /dev/null
+++ b/e2e-tests/tls-issue-cert-manager/run
@@ -0,0 +1,113 @@ +#!/bin/bash + +set -o errexit + +test_dir=$(realpath $(dirname $0)) +. "${test_dir}/../functions" +set_debug + + +renew-certificate() { + certificate="$1" + + desc "renew $certificate" + + local pod_name + pod_name=$(kubectl_bin get pods --selector=name=cmctl -o 'jsonpath={.items[].metadata.name}') + + local revision + revision=$(kubectl_bin get certificate "$certificate" -o 'jsonpath={.status.revision}') + + kubectl_bin exec "$pod_name" -- ./cmctl renew "$certificate" + + # wait for new revision + for i in {1..10}; do + local new_revision + new_revision=$(kubectl_bin get certificate "$certificate" -o 'jsonpath={.status.revision}') + if [ "$((revision + 1))" == "$new_revision" ]; then + break + fi + sleep 1 + done +} + +check_tls_secret() { + local secret_name=$1 + check_secret_data_key "$secret_name" 'ca.crt' + check_secret_data_key "$secret_name" 'tls.crt' + check_secret_data_key "$secret_name" 'tls.key' +} + +check_secret_data_key() { + local secret_name=$1 + local data_key=$2 + local secret_data + + secret_data=$(kubectl_bin get "secrets/${secret_name}" -o json | jq ".data[\"${data_key}\"]") + if [ -z "$secret_data" ]; then + exit 1 + fi +} + +main() { + deploy_cert_manager + create_infra "$namespace" + + desc 'create secrets and start client' + kubectl_bin apply -f "$conf_dir/secrets.yml" + kubectl_bin apply -f "$conf_dir/client_with_tls.yml" + kubectl_bin apply -f "$conf_dir/cmctl.yml" + + cluster="some-name" + desc "create first PSMDB cluster $cluster" + apply_cluster "$test_dir/conf/$cluster.yml" + + desc 'check if all Pods started' + wait_for_running $cluster-rs0 3 + wait_for_running $cluster-cfg 3 "false" + wait_for_running $cluster-mongos 3 + + desc 'check if certificates issued with certmanager' + check_tls_secret "$cluster-ssl" + + desc 'check if CA issuer created' + compare_kubectl issuer/$cluster-psmdb-ca-issuer + + desc 'check if issuer created' + compare_kubectl issuer/$cluster-psmdb-issuer + + desc 'check if certificate issued' 
+ compare_kubectl certificate/$cluster-ssl + + desc 'check if internal certificate issued' + compare_kubectl certificate/$cluster-ssl-internal + + renew-certificate "some-name-ssl" + sleep 10 + wait_for_running $cluster-rs0 3 + wait_for_running $cluster-cfg 3 "false" + wait_for_running $cluster-mongos 3 + + renew-certificate "some-name-ssl-internal" + sleep 10 + wait_for_running $cluster-rs0 3 + wait_for_running $cluster-cfg 3 "false" + wait_for_running $cluster-mongos 3 + + desc 'check if CA issuer created' + compare_kubectl issuer/$cluster-psmdb-ca-issuer + + desc 'check if issuer created' + compare_kubectl issuer/$cluster-psmdb-issuer + + desc 'check if certificate issued' + compare_kubectl certificate/$cluster-ssl + + desc 'check if internal certificate issued' + compare_kubectl certificate/$cluster-ssl-internal + + destroy "$namespace" + desc 'test passed' +} + +main diff --git a/pkg/controller/perconaservermongodb/ssl.go b/pkg/controller/perconaservermongodb/ssl.go index e41ba5f4ff..bd6d996740 100644 --- a/pkg/controller/perconaservermongodb/ssl.go +++ b/pkg/controller/perconaservermongodb/ssl.go @@ -10,7 +10,10 @@ import ( corev1 "k8s.io/api/core/v1" k8serr "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/types" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil" logf "sigs.k8s.io/controller-runtime/pkg/log" api "github.com/percona/percona-server-mongodb-operator/pkg/apis/psmdb/v1" 
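Review bot: `check_secret_data_key` can never fail for a missing key: `jq ".data[\"${data_key}\"]"` prints the literal string `null` when the key is absent, which is non-empty, so the `-z` test is vacuous and `check_tls_secret` passes whatever the secret contains. The revision loop in `renew-certificate` has the same shape of problem: after ten attempts without seeing `revision + 1` it simply falls out of the loop, so a renewal that never happens still lets `main` continue to `wait_for_running` and the compare steps, which do not look at `status.revision` either, and the test passes without having exercised renewal. Make both checks fail loudly, as below, and consider also running `check_tls_secret "$cluster-ssl-internal"`, since only the external secret is checked today.
```shell
# … unchanged: renew-certificate up to the revision loop …
	# wait for new revision; fail the test if cert-manager never bumps it
	for i in {1..10}; do
		local new_revision
		new_revision=$(kubectl_bin get certificate "$certificate" -o 'jsonpath={.status.revision}')
		if [ "$((revision + 1))" == "$new_revision" ]; then
			return 0
		fi
		sleep 1
	done
	echo "certificate $certificate was not renewed (revision $revision, now ${new_revision:-unset})"
	exit 1
}
# … unchanged: check_tls_secret …
check_secret_data_key() {
	local secret_name=$1
	local data_key=$2
	local secret_data

	# jq prints the string "null" for a missing key, which is non-empty;
	# "// empty" turns that into no output so the -z test actually fires.
	secret_data=$(kubectl_bin get "secrets/${secret_name}" -o json | jq -r ".data[\"${data_key}\"] // empty")
	if [ -z "$secret_data" ]; then
		echo "secret ${secret_name} has no data key ${data_key}"
		exit 1
	fi
}
```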
@@ -57,89 +60,128 @@ func (r *ReconcilePerconaServerMongoDB) reconsileSSL(ctx context.Context, cr *ap } func (r *ReconcilePerconaServerMongoDB) createSSLByCertManager(ctx context.Context, cr *api.PerconaServerMongoDB) error { - issuerKind := "Issuer" - issuerName := cr.Name + "-psmdb-ca" - certificateDNSNames := []string{"localhost"} + issuerName := cr.Name + "-psmdb-issuer" + caIssuerName := cr.Name + "-psmdb-ca-issuer" - for _, replset := range cr.Spec.Replsets { - certificateDNSNames = append(certificateDNSNames, getCertificateSans(cr, replset)...) + err := createIssuer(ctx, r.client, cr, r.scheme, caIssuerName, "") + if err != nil && !k8serr.IsAlreadyExists(err) { + return errors.Wrap(err, "create issuer") } - certificateDNSNames = append(certificateDNSNames, getShardingSans(cr)...) - owner, err := OwnerRef(cr, r.scheme) + + caSecretName := cr.Name + "-ca-cert" + + err = createCACertificate(ctx, r.client, cr, r.scheme, caIssuerName, caSecretName) + if err != nil && !k8serr.IsAlreadyExists(err) { + return errors.Wrap(err, "create ca certificate") + } + + err = createIssuer(ctx, r.client, cr, r.scheme, issuerName, caSecretName) if err != nil { - return err + return errors.Wrap(err, "create issuer") } - ownerReferences := []metav1.OwnerReference{owner} - err = r.client.Create(ctx, &cm.Issuer{ + + err = createCertificate(ctx, r.client, cr, r.scheme, cr.Name+"-ssl", issuerName, cr.Spec.Secrets.SSL) + if err != nil && !k8serr.IsAlreadyExists(err) { + return errors.Wrap(err, "create certificate") + } + if cr.Spec.Secrets.SSL == cr.Spec.Secrets.SSLInternal { + return r.waitForCerts(ctx, cr, cr.Namespace, cr.Spec.Secrets.SSL) + } + + err = createCertificate(ctx, r.client, cr, r.scheme, cr.Name+"-ssl-internal", issuerName, cr.Spec.Secrets.SSLInternal) + if err != nil && !k8serr.IsAlreadyExists(err) { + return errors.Wrap(err, "create internal certificate") + } + + return r.waitForCerts(ctx, cr, cr.Namespace, cr.Spec.Secrets.SSL, cr.Spec.Secrets.SSLInternal) +} + +func 
createIssuer(ctx context.Context, cl client.Client, cr *api.PerconaServerMongoDB, scheme *runtime.Scheme, issuerName, caCertSecret string) error { + issuer := &cm.Issuer{ ObjectMeta: metav1.ObjectMeta{ - Name: issuerName, - Namespace: cr.Namespace, - OwnerReferences: ownerReferences, + Name: issuerName, + Namespace: cr.Namespace, }, Spec: cm.IssuerSpec{ IssuerConfig: cm.IssuerConfig{ SelfSigned: &cm.SelfSignedIssuer{}, }, }, - }) - if err != nil && !k8serr.IsAlreadyExists(err) { - return errors.Wrap(err, "create issuer") + } + if caCertSecret != "" { + issuer.Spec = cm.IssuerSpec{ + IssuerConfig: cm.IssuerConfig{ + CA: &cm.CAIssuer{ + SecretName: caCertSecret, + }, + }, + } + } + + if err := controllerutil.SetControllerReference(cr, issuer, scheme); err != nil { + return errors.Wrap(err, "set controller reference") } - err = r.client.Create(ctx, &cm.Certificate{ + return cl.Create(ctx, issuer) +} + +func createCACertificate(ctx context.Context, cl client.Client, cr *api.PerconaServerMongoDB, scheme *runtime.Scheme, issuerName, secretName string) error { + cert := &cm.Certificate{ ObjectMeta: metav1.ObjectMeta{ - Name: cr.Name + "-ssl", - Namespace: cr.Namespace, - OwnerReferences: ownerReferences, + Name: cr.Name + "-ca-cert", + Namespace: cr.Namespace, }, Spec: cm.CertificateSpec{ - Subject: &cm.X509Subject{ - Organizations: []string{"PSMDB"}, - }, - CommonName: cr.Name, - SecretName: cr.Spec.Secrets.SSL, - DNSNames: certificateDNSNames, + SecretName: secretName, + CommonName: cr.Name + "-ca", IsCA: true, - Duration: &cr.Spec.TLS.CertValidityDuration, IssuerRef: cmmeta.ObjectReference{ Name: issuerName, - Kind: issuerKind, + Kind: cm.IssuerKind, }, + Duration: &metav1.Duration{Duration: time.Hour * 24 * 365}, + RenewBefore: &metav1.Duration{Duration: 730 * time.Hour}, }, - }) - if err != nil && !k8serr.IsAlreadyExists(err) { - return errors.Wrap(err, "create certificate") } - if cr.Spec.Secrets.SSL == cr.Spec.Secrets.SSLInternal { - return r.waitForCerts(ctx, cr, 
cr.Namespace, cr.Spec.Secrets.SSL) + + if err := controllerutil.SetControllerReference(cr, cert, scheme); err != nil { + return errors.Wrap(err, "set controller reference") + } + return cl.Create(ctx, cert) +} + +func createCertificate(ctx context.Context, cl client.Client, cr *api.PerconaServerMongoDB, scheme *runtime.Scheme, certName, issuerName, secretName string) error { + certificateDNSNames := []string{"localhost"} + for _, replset := range cr.Spec.Replsets { + certificateDNSNames = append(certificateDNSNames, getCertificateSans(cr, replset)...) } + certificateDNSNames = append(certificateDNSNames, getShardingSans(cr)...) - err = r.client.Create(ctx, &cm.Certificate{ + cert := &cm.Certificate{ ObjectMeta: metav1.ObjectMeta{ - Name: cr.Name + "-ssl-internal", - Namespace: cr.Namespace, - OwnerReferences: ownerReferences, + Name: certName, + Namespace: cr.Namespace, }, Spec: cm.CertificateSpec{ Subject: &cm.X509Subject{ Organizations: []string{"PSMDB"}, }, CommonName: cr.Name, - SecretName: cr.Spec.Secrets.SSLInternal, + SecretName: secretName, DNSNames: certificateDNSNames, - IsCA: true, + IsCA: false, Duration: &cr.Spec.TLS.CertValidityDuration, IssuerRef: cmmeta.ObjectReference{ Name: issuerName, - Kind: issuerKind, + Kind: cm.IssuerKind, }, }, - }) - if err != nil && !k8serr.IsAlreadyExists(err) { - return errors.Wrap(err, "create internal certificate") } - return r.waitForCerts(ctx, cr, cr.Namespace, cr.Spec.Secrets.SSL, cr.Spec.Secrets.SSLInternal) + if err := controllerutil.SetControllerReference(cr, cert, scheme); err != nil { + return errors.Wrap(err, "set controller reference") + } + return cl.Create(ctx, cert) } func (r *ReconcilePerconaServerMongoDB) waitForCerts(ctx context.Context, cr *api.PerconaServerMongoDB, namespace string, secretsList ...string) error { 
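Review bot: `createCACertificate` pins the CA to `Duration: time.Hour * 24 * 365` with `RenewBefore: 730 * time.Hour`, while `createCertificate` issues the leaves with the user-controlled `cr.Spec.TLS.CertValidityDuration`; nothing clamps the leaf validity to the CA's, so a CR asking for more than a year gets leaf certificates that outlive the certificate of their own issuer, and the fixed CA lifetime is not visible anywhere in the CR. A related operational point: when cert-manager re-issues the CA (about eleven months in), the leaf secrets keep the `ca.crt` they were issued with until their own renewal, so members chained to the old and the new CA coexist for a while — whether that works depends on how the trust store is assembled outside this hunk, and the new e2e test only renews the two leaf certificates, never `<cr.Name>-ca-cert`. The same constants reappear verbatim in `CreateCACertificate` in pkg/psmdb/tls/certmanager.go in the second patch. At minimum document the decision on the CA cert, e.g. `// CA lifetime is fixed at one year and renewed ~30 days early; leaf Duration comes from the CR and is NOT clamped to it.`, and add doc comments to the three new helpers, which currently have none. `waitForCerts` at the bottom of the hunk continues outside it.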
@@ -164,7 +206,7 @@ func (r *ReconcilePerconaServerMongoDB) waitForCerts(ctx context.Context, cr *ap } else if err == nil { sucessCount++ if len(secret.OwnerReferences) == 0 { - if err = setControllerReference(cr, secret, r.scheme); err != nil { + if err = controllerutil.SetControllerReference(cr, secret, r.scheme); err != nil { return errors.Wrap(err, "set controller reference") } if err = r.client.Update(ctx, secret); err != nil { From 6fc9ed7b323a32608ce47ce04c30663a6d743d32 Mon Sep 17 00:00:00 2001 From: Andrii Dema Date: Fri, 11 Aug 2023 16:45:22 +0300 Subject: [PATCH 02/11] refactor --- pkg/controller/perconaservermongodb/ssl.go | 218 ++------------------- pkg/psmdb/tls/certmanager.go | 200 +++++++++++++++++++ pkg/psmdb/tls/tls.go | 47 ++++- 3 files changed, 262 insertions(+), 203 deletions(-) create mode 100644 pkg/psmdb/tls/certmanager.go diff --git a/pkg/controller/perconaservermongodb/ssl.go b/pkg/controller/perconaservermongodb/ssl.go index bd6d996740..0196672b0a 100644 --- a/pkg/controller/perconaservermongodb/ssl.go +++ b/pkg/controller/perconaservermongodb/ssl.go @@ -2,18 +2,12 @@ package perconaservermongodb import ( "context" - "time" - cm "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1" - cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1" "github.com/pkg/errors" corev1 "k8s.io/api/core/v1" k8serr "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/types" - "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil" logf "sigs.k8s.io/controller-runtime/pkg/log" api "github.com/percona/percona-server-mongodb-operator/pkg/apis/psmdb/v1" 
@@ -60,175 +54,46 @@ func (r *ReconcilePerconaServerMongoDB) reconsileSSL(ctx context.Context, cr *ap } func (r *ReconcilePerconaServerMongoDB) createSSLByCertManager(ctx context.Context, cr *api.PerconaServerMongoDB) error { - issuerName := cr.Name + "-psmdb-issuer" - caIssuerName := cr.Name + "-psmdb-ca-issuer" + c := tls.NewCertManagerController(r.client, r.scheme) - err := createIssuer(ctx, r.client, cr, r.scheme, caIssuerName, "") - if err != nil && !k8serr.IsAlreadyExists(err) { - return errors.Wrap(err, "create issuer") - } - - caSecretName := cr.Name + "-ca-cert" + if cr.CompareVersion("1.15.0") >= 0 { + err := c.CreateCAIssuer(ctx, cr) + if err != nil && !k8serr.IsAlreadyExists(err) { + return errors.Wrap(err, "create certificate") + } - err = createCACertificate(ctx, r.client, cr, r.scheme, caIssuerName, caSecretName) - if err != nil && !k8serr.IsAlreadyExists(err) { - return errors.Wrap(err, "create ca certificate") + err = c.CreateCACertificate(ctx, cr) + if err != nil && !k8serr.IsAlreadyExists(err) { + return errors.Wrap(err, "create ca certificate") + } } - err = createIssuer(ctx, r.client, cr, r.scheme, issuerName, caSecretName) - if err != nil { + err := c.CreateIssuer(ctx, cr) + if err != nil && !k8serr.IsAlreadyExists(err) { return errors.Wrap(err, "create issuer") } - err = createCertificate(ctx, r.client, cr, r.scheme, cr.Name+"-ssl", issuerName, cr.Spec.Secrets.SSL) + err = c.CreateCertificate(ctx, cr, false) if err != nil && !k8serr.IsAlreadyExists(err) { return errors.Wrap(err, "create certificate") } - if cr.Spec.Secrets.SSL == cr.Spec.Secrets.SSLInternal { - return r.waitForCerts(ctx, cr, cr.Namespace, cr.Spec.Secrets.SSL) - } - - err = createCertificate(ctx, r.client, cr, r.scheme, cr.Name+"-ssl-internal", issuerName, cr.Spec.Secrets.SSLInternal) - if err != nil && !k8serr.IsAlreadyExists(err) { - return errors.Wrap(err, "create internal certificate") - } - - return r.waitForCerts(ctx, cr, cr.Namespace, cr.Spec.Secrets.SSL, 
cr.Spec.Secrets.SSLInternal) -} - -func createIssuer(ctx context.Context, cl client.Client, cr *api.PerconaServerMongoDB, scheme *runtime.Scheme, issuerName, caCertSecret string) error { - issuer := &cm.Issuer{ - ObjectMeta: metav1.ObjectMeta{ - Name: issuerName, - Namespace: cr.Namespace, - }, - Spec: cm.IssuerSpec{ - IssuerConfig: cm.IssuerConfig{ - SelfSigned: &cm.SelfSignedIssuer{}, - }, - }, - } - if caCertSecret != "" { - issuer.Spec = cm.IssuerSpec{ - IssuerConfig: cm.IssuerConfig{ - CA: &cm.CAIssuer{ - SecretName: caCertSecret, - }, - }, - } - } - - if err := controllerutil.SetControllerReference(cr, issuer, scheme); err != nil { - return errors.Wrap(err, "set controller reference") - } - - return cl.Create(ctx, issuer) -} - -func createCACertificate(ctx context.Context, cl client.Client, cr *api.PerconaServerMongoDB, scheme *runtime.Scheme, issuerName, secretName string) error { - cert := &cm.Certificate{ - ObjectMeta: metav1.ObjectMeta{ - Name: cr.Name + "-ca-cert", - Namespace: cr.Namespace, - }, - Spec: cm.CertificateSpec{ - SecretName: secretName, - CommonName: cr.Name + "-ca", - IsCA: true, - IssuerRef: cmmeta.ObjectReference{ - Name: issuerName, - Kind: cm.IssuerKind, - }, - Duration: &metav1.Duration{Duration: time.Hour * 24 * 365}, - RenewBefore: &metav1.Duration{Duration: 730 * time.Hour}, - }, - } - if err := controllerutil.SetControllerReference(cr, cert, scheme); err != nil { - return errors.Wrap(err, "set controller reference") + if tls.CertificateSecretName(cr, false) == tls.CertificateSecretName(cr, true) { + return c.WaitForCerts(ctx, cr, tls.CertificateSecretName(cr, false)) } - return cl.Create(ctx, cert) -} - -func createCertificate(ctx context.Context, cl client.Client, cr *api.PerconaServerMongoDB, scheme *runtime.Scheme, certName, issuerName, secretName string) error { - certificateDNSNames := []string{"localhost"} - for _, replset := range cr.Spec.Replsets { - certificateDNSNames = append(certificateDNSNames, getCertificateSans(cr, 
replset)...) - } - certificateDNSNames = append(certificateDNSNames, getShardingSans(cr)...) - cert := &cm.Certificate{ - ObjectMeta: metav1.ObjectMeta{ - Name: certName, - Namespace: cr.Namespace, - }, - Spec: cm.CertificateSpec{ - Subject: &cm.X509Subject{ - Organizations: []string{"PSMDB"}, - }, - CommonName: cr.Name, - SecretName: secretName, - DNSNames: certificateDNSNames, - IsCA: false, - Duration: &cr.Spec.TLS.CertValidityDuration, - IssuerRef: cmmeta.ObjectReference{ - Name: issuerName, - Kind: cm.IssuerKind, - }, - }, + err = c.CreateCertificate(ctx, cr, true) + if err != nil && !k8serr.IsAlreadyExists(err) { + return errors.Wrap(err, "create certificate") } - if err := controllerutil.SetControllerReference(cr, cert, scheme); err != nil { - return errors.Wrap(err, "set controller reference") - } - return cl.Create(ctx, cert) -} - -func (r *ReconcilePerconaServerMongoDB) waitForCerts(ctx context.Context, cr *api.PerconaServerMongoDB, namespace string, secretsList ...string) error { - ticker := time.NewTicker(1 * time.Second) - timeoutTimer := time.NewTimer(30 * time.Second) - defer timeoutTimer.Stop() - defer ticker.Stop() - for { - select { - case <-timeoutTimer.C: - return errors.Errorf("timeout: can't get tls certificates from certmanager, %s", secretsList) - case <-ticker.C: - sucessCount := 0 - for _, secretName := range secretsList { - secret := &corev1.Secret{} - err := r.client.Get(ctx, types.NamespacedName{ - Name: secretName, - Namespace: namespace, - }, secret) - if err != nil && !k8serr.IsNotFound(err) { - return err - } else if err == nil { - sucessCount++ - if len(secret.OwnerReferences) == 0 { - if err = controllerutil.SetControllerReference(cr, secret, r.scheme); err != nil { - return errors.Wrap(err, "set controller reference") - } - if err = r.client.Update(ctx, secret); err != nil { - return errors.Wrap(err, "failed to update secret") - } - } - } - } - if sucessCount == len(secretsList) { - return nil - } - } - } + return 
c.WaitForCerts(ctx, cr, tls.CertificateSecretName(cr, false), tls.CertificateSecretName(cr, true)) } func (r *ReconcilePerconaServerMongoDB) createSSLManually(ctx context.Context, cr *api.PerconaServerMongoDB) error { data := make(map[string][]byte) - certificateDNSNames := []string{"localhost"} - for _, replset := range cr.Spec.Replsets { - certificateDNSNames = append(certificateDNSNames, getCertificateSans(cr, replset)...) - } - certificateDNSNames = append(certificateDNSNames, getShardingSans(cr)...) + certificateDNSNames := tls.GetCertificateSans(cr) + caCert, tlsCert, key, err := tls.Issue(certificateDNSNames) if err != nil { return errors.Wrap(err, "create proxy certificate") 
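Review bot: On the `CompareVersion("1.15.0") >= 0` path the CA secret produced by `c.CreateCACertificate` is never handed to `c.WaitForCerts`, and `WaitForCerts` (in pkg/psmdb/tls/certmanager.go) is the only place that stamps a controller reference onto the Secrets cert-manager writes; both calls here pass just `tls.CertificateSecretName(cr, false)` and `tls.CertificateSecretName(cr, true)`. Unless cert-manager is run with owner references on Secrets enabled, the CA private key in `<cr.Name>-ca-cert` will therefore survive deletion of the CR and may be picked up again by a cluster re-created under the same name. Consider adding the CA secret to the wait list (the name helper is unexported in the tls package, so it would need exporting) or adopting that Secret where the CA Certificate is created. Separately, the error from `c.CreateCAIssuer` is wrapped as `"create certificate"` and the internal certificate's error lost its distinguishing text; `return errors.Wrap(err, "create ca issuer")` and `return errors.Wrap(err, "create internal certificate")` keep the logs diagnosable.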
@@ -298,44 +163,3 @@ func (r *ReconcilePerconaServerMongoDB) createSSLSecret(ctx context.Context, sec return nil } - -func getShardingSans(cr *api.PerconaServerMongoDB) []string { - sans := []string{ - cr.Name + "-mongos", - cr.Name + "-mongos" + "." + cr.Namespace, - cr.Name + "-mongos" + "." + cr.Namespace + "." + cr.Spec.ClusterServiceDNSSuffix, - "*." + cr.Name + "-mongos", - "*." + cr.Name + "-mongos" + "." + cr.Namespace, - "*." + cr.Name + "-mongos" + "." + cr.Namespace + "." + cr.Spec.ClusterServiceDNSSuffix, - cr.Name + "-" + api.ConfigReplSetName, - cr.Name + "-" + api.ConfigReplSetName + "." + cr.Namespace, - cr.Name + "-" + api.ConfigReplSetName + "." + cr.Namespace + "." + cr.Spec.ClusterServiceDNSSuffix, - "*." + cr.Name + "-" + api.ConfigReplSetName, - "*." + cr.Name + "-" + api.ConfigReplSetName + "." + cr.Namespace, - "*." + cr.Name + "-" + api.ConfigReplSetName + "." + cr.Namespace + "." + cr.Spec.ClusterServiceDNSSuffix, - cr.Name + "-mongos" + "." + cr.Namespace + "." + cr.Spec.MultiCluster.DNSSuffix, - "*." + cr.Name + "-mongos" + "." + cr.Namespace + "." + cr.Spec.MultiCluster.DNSSuffix, - cr.Name + "-" + api.ConfigReplSetName + "." + cr.Namespace + "." + cr.Spec.MultiCluster.DNSSuffix, - "*." + cr.Name + "-" + api.ConfigReplSetName + "." + cr.Namespace + "." + cr.Spec.MultiCluster.DNSSuffix, - } - return sans -} - -func getCertificateSans(cr *api.PerconaServerMongoDB, replset *api.ReplsetSpec) []string { - sans := []string{ - cr.Name + "-" + replset.Name, - cr.Name + "-" + replset.Name + "." + cr.Namespace, - cr.Name + "-" + replset.Name + "." + cr.Namespace + "." + cr.Spec.ClusterServiceDNSSuffix, - "*." + cr.Name + "-" + replset.Name, - "*." + cr.Name + "-" + replset.Name + "." + cr.Namespace, - "*." + cr.Name + "-" + replset.Name + "." + cr.Namespace + "." + cr.Spec.ClusterServiceDNSSuffix, - cr.Name + "-" + replset.Name + "." + cr.Namespace + "." + cr.Spec.MultiCluster.DNSSuffix, - "*." + cr.Name + "-" + replset.Name + "." 
+ cr.Namespace + "." + cr.Spec.MultiCluster.DNSSuffix, - } - - if cr.CompareVersion("1.13.0") >= 0 { - sans = append(sans, "*."+cr.Namespace+"."+cr.Spec.MultiCluster.DNSSuffix) - } - - return sans -} diff --git a/pkg/psmdb/tls/certmanager.go b/pkg/psmdb/tls/certmanager.go new file mode 100644 index 0000000000..dcddeb9b6a --- /dev/null +++ b/pkg/psmdb/tls/certmanager.go 
@@ -0,0 +1,200 @@ +package tls + +import ( + "context" + "time" + + cm "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1" + cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1" + "github.com/pkg/errors" + corev1 "k8s.io/api/core/v1" + k8serrors "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/types" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil" + + api "github.com/percona/percona-server-mongodb-operator/pkg/apis/psmdb/v1" +) + +type CertManagerController struct { + cl client.Client + scheme *runtime.Scheme +} + +func NewCertManagerController(cl client.Client, scheme *runtime.Scheme) *CertManagerController { + return &CertManagerController{ + cl: cl, + scheme: scheme, + } +} + +func certificateName(cr *api.PerconaServerMongoDB, internal bool) string { + if internal { + return cr.Name + "-ssl-internal" + } + return cr.Name + "-ssl" +} + +func CertificateSecretName(cr *api.PerconaServerMongoDB, internal bool) string { + if internal { + return cr.Spec.Secrets.SSLInternal + } + + return cr.Spec.Secrets.SSL +} + +func issuerName(cr *api.PerconaServerMongoDB) string { + if cr.CompareVersion("1.15.0") < 0 { + return cr.Name + "-psmdb-ca" + } + return cr.Name + "-psmdb-issuer" +} + +func caIssuerName(cr *api.PerconaServerMongoDB) string { + return cr.Name + "-psmdb-ca-issuer" +} + +func caSecretName(cr *api.PerconaServerMongoDB) string { + return cr.Name + "-ca-cert" +} + +func (c *CertManagerController) create(ctx context.Context, cr *api.PerconaServerMongoDB, obj client.Object) error { + if err := controllerutil.SetControllerReference(cr, obj, c.scheme); err != nil { + return errors.Wrap(err, "set controller reference") + } + return c.cl.Create(ctx, obj) +} + +func (c *CertManagerController) CreateIssuer(ctx context.Context, cr *api.PerconaServerMongoDB) error { + issuer := &cm.Issuer{ + 
ObjectMeta: metav1.ObjectMeta{ + Name: issuerName(cr), + Namespace: cr.Namespace, + }, + Spec: cm.IssuerSpec{ + IssuerConfig: cm.IssuerConfig{ + CA: &cm.CAIssuer{ + SecretName: caSecretName(cr), + }, + }, + }, + } + + if cr.CompareVersion("1.15.0") < 0 { + issuer.Spec = cm.IssuerSpec{ + IssuerConfig: cm.IssuerConfig{ + SelfSigned: &cm.SelfSignedIssuer{}, + }, + } + } + + return c.create(ctx, cr, issuer) +} + +func (c *CertManagerController) CreateCAIssuer(ctx context.Context, cr *api.PerconaServerMongoDB) error { + issuer := &cm.Issuer{ + ObjectMeta: metav1.ObjectMeta{ + Name: caIssuerName(cr), + Namespace: cr.Namespace, + }, + Spec: cm.IssuerSpec{ + IssuerConfig: cm.IssuerConfig{ + SelfSigned: &cm.SelfSignedIssuer{}, + }, + }, + } + + return c.create(ctx, cr, issuer) +} + +func (c *CertManagerController) CreateCertificate(ctx context.Context, cr *api.PerconaServerMongoDB, internal bool) error { + isCA := false + if cr.CompareVersion("1.15.0") < 0 { + isCA = true + } + + certificate := &cm.Certificate{ + ObjectMeta: metav1.ObjectMeta{ + Name: certificateName(cr, internal), + Namespace: cr.Namespace, + }, + Spec: cm.CertificateSpec{ + Subject: &cm.X509Subject{ + Organizations: []string{"PSMDB"}, + }, + CommonName: cr.Name, + SecretName: CertificateSecretName(cr, internal), + DNSNames: GetCertificateSans(cr), + IsCA: isCA, + Duration: &cr.Spec.TLS.CertValidityDuration, + IssuerRef: cmmeta.ObjectReference{ + Name: issuerName(cr), + Kind: cm.IssuerKind, + }, + }, + } + + return c.create(ctx, cr, certificate) +} + +func (c *CertManagerController) CreateCACertificate(ctx context.Context, cr *api.PerconaServerMongoDB) error { + cert := &cm.Certificate{ + ObjectMeta: metav1.ObjectMeta{ + Name: caSecretName(cr), + Namespace: cr.Namespace, + }, + Spec: cm.CertificateSpec{ + SecretName: caSecretName(cr), + CommonName: cr.Name + "-ca", + IsCA: true, + IssuerRef: cmmeta.ObjectReference{ + Name: caIssuerName(cr), + Kind: cm.IssuerKind, + }, + Duration: &metav1.Duration{Duration: 
time.Hour * 24 * 365}, + RenewBefore: &metav1.Duration{Duration: 730 * time.Hour}, + }, + } + + return c.create(ctx, cr, cert) +} + +func (c *CertManagerController) WaitForCerts(ctx context.Context, cr *api.PerconaServerMongoDB, secretsList ...string) error { + ticker := time.NewTicker(1 * time.Second) + timeoutTimer := time.NewTimer(30 * time.Second) + defer timeoutTimer.Stop() + defer ticker.Stop() + for { + select { + case <-timeoutTimer.C: + return errors.Errorf("timeout: can't get tls certificates from certmanager, %s", secretsList) + case <-ticker.C: + successCount := 0 + for _, secretName := range secretsList { + secret := &corev1.Secret{} + err := c.cl.Get(ctx, types.NamespacedName{ + Name: secretName, + Namespace: cr.Namespace, + }, secret) + if err != nil && !k8serrors.IsNotFound(err) { + return err + } else if err == nil { + successCount++ + if len(secret.OwnerReferences) == 0 { + if err = controllerutil.SetControllerReference(cr, secret, c.scheme); err != nil { + return errors.Wrap(err, "set controller reference") + } + if err = c.cl.Update(ctx, secret); err != nil { + return errors.Wrap(err, "failed to update secret") + } + } + } + } + if successCount == len(secretsList) { + return nil + } + } + } +} diff --git a/pkg/psmdb/tls/tls.go b/pkg/psmdb/tls/tls.go index c7bbc31337..17fbfbd187 100644 --- a/pkg/psmdb/tls/tls.go +++ b/pkg/psmdb/tls/tls.go 
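Review bot: None of the exported identifiers in this new file carry a doc comment, and the version-gated behaviour is exactly what a maintainer needs explained: for CRs below 1.15.0 `CreateIssuer` builds a self-signed issuer named `<cr.Name>-psmdb-ca` and `CreateCertificate` marks the leaf `IsCA: true`, while newer CRs get a leaf signed by the CA-backed `<cr.Name>-psmdb-issuer` whose CA comes from `CreateCACertificate`. Add at least `// CertManagerController creates the cert-manager Issuer and Certificate objects for a PSMDB cluster and waits for the resulting Secrets.`, `// CreateCertificate creates the external (internal=false) or internal (internal=true) TLS Certificate; for CR versions below 1.15.0 it keeps the legacy layout where the leaf itself is marked IsCA and is issued by the self-signed issuer.`, and `// WaitForCerts polls for up to 30s until every listed Secret exists and adopts each one via a controller reference so it is garbage-collected with the CR.`; `CreateIssuer` and `CreateCAIssuer` should state the same version split for the issuer name and type. The `select` in `WaitForCerts` also has no `case <-ctx.Done():` arm, so cancellation is only noticed indirectly through the `Get` error — worth a comment if that is intentional.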
@@ -137,12 +137,47 @@ func Config(ctx context.Context, k8sclient client.Client, cr *api.PerconaServerM }, nil } -func ParseTLSCert(tlsCert []byte) (*x509.Certificate, error) { - block, _ := pem.Decode(tlsCert) +func getShardingSans(cr *api.PerconaServerMongoDB) []string { + sans := []string{ + cr.Name + "-mongos", + cr.Name + "-mongos" + "." + cr.Namespace, + cr.Name + "-mongos" + "." + cr.Namespace + "." + cr.Spec.ClusterServiceDNSSuffix, + "*." + cr.Name + "-mongos", + "*." + cr.Name + "-mongos" + "." + cr.Namespace, + "*." + cr.Name + "-mongos" + "." + cr.Namespace + "." + cr.Spec.ClusterServiceDNSSuffix, + cr.Name + "-" + api.ConfigReplSetName, + cr.Name + "-" + api.ConfigReplSetName + "." + cr.Namespace, + cr.Name + "-" + api.ConfigReplSetName + "." + cr.Namespace + "." + cr.Spec.ClusterServiceDNSSuffix, + "*." + cr.Name + "-" + api.ConfigReplSetName, + "*." + cr.Name + "-" + api.ConfigReplSetName + "." + cr.Namespace, + "*." + cr.Name + "-" + api.ConfigReplSetName + "." + cr.Namespace + "." + cr.Spec.ClusterServiceDNSSuffix, + cr.Name + "-mongos" + "." + cr.Namespace + "." + cr.Spec.MultiCluster.DNSSuffix, + "*." + cr.Name + "-mongos" + "." + cr.Namespace + "." + cr.Spec.MultiCluster.DNSSuffix, + cr.Name + "-" + api.ConfigReplSetName + "." + cr.Namespace + "." + cr.Spec.MultiCluster.DNSSuffix, + "*." + cr.Name + "-" + api.ConfigReplSetName + "." + cr.Namespace + "." + cr.Spec.MultiCluster.DNSSuffix, + } + return sans +} - cert, err := x509.ParseCertificate(block.Bytes) - if err != nil { - return nil, errors.Wrap(err, "parse certificate") +func GetCertificateSans(cr *api.PerconaServerMongoDB) []string { + sans := []string{"localhost"} + for _, replset := range cr.Spec.Replsets { + sans = append(sans, []string{ + cr.Name + "-" + replset.Name, + cr.Name + "-" + replset.Name + "." + cr.Namespace, + cr.Name + "-" + replset.Name + "." + cr.Namespace + "." + cr.Spec.ClusterServiceDNSSuffix, + "*." + cr.Name + "-" + replset.Name, + "*." 
+ cr.Name + "-" + replset.Name + "." + cr.Namespace, + "*." + cr.Name + "-" + replset.Name + "." + cr.Namespace + "." + cr.Spec.ClusterServiceDNSSuffix, + cr.Name + "-" + replset.Name + "." + cr.Namespace + "." + cr.Spec.MultiCluster.DNSSuffix, + "*." + cr.Name + "-" + replset.Name + "." + cr.Namespace + "." + cr.Spec.MultiCluster.DNSSuffix, + }...) + } + if cr.CompareVersion("1.13.0") >= 0 { + sans = append(sans, "*."+cr.Namespace+"."+cr.Spec.MultiCluster.DNSSuffix) } - return cert, nil + + sans = append(sans, getShardingSans(cr)...) + + return sans } From b889932be348c25f3cd45c3740139fa5c7a7a4b4 Mon Sep 17 00:00:00 2001 From: Andrii Dema Date: Sat, 19 Aug 2023 00:47:49 +0300 Subject: [PATCH 03/11] add `tls-issue-cert-manager` test to `csv` files --- e2e-tests/run-distro.csv | 1 + e2e-tests/run-minikube.csv | 1 + e2e-tests/run-pr.csv | 1 + e2e-tests/run-release.csv | 1 + e2e-tests/tls-issue-cert-manager/run | 1 - 5 files changed, 4 insertions(+), 1 deletion(-) diff --git a/e2e-tests/run-distro.csv b/e2e-tests/run-distro.csv index 48eae85cad..6e3d02ed8f 100644 --- a/e2e-tests/run-distro.csv +++ b/e2e-tests/run-distro.csv @@ -17,6 +17,7 @@ pitr-sharded recover-no-primary rs-shard-migration scaling +tls-issue-cert-manager upgrade upgrade-sharded users diff --git a/e2e-tests/run-minikube.csv b/e2e-tests/run-minikube.csv index 33c58f302e..e87e084262 100644 --- a/e2e-tests/run-minikube.csv +++ b/e2e-tests/run-minikube.csv @@ -13,6 +13,7 @@ scheduled-backup security-context self-healing-chaos smart-update +tls-issue-cert-manager upgrade-consistency users version-service diff --git a/e2e-tests/run-pr.csv b/e2e-tests/run-pr.csv index ea43ddfc3e..e54da9002d 100644 --- a/e2e-tests/run-pr.csv +++ b/e2e-tests/run-pr.csv @@ -31,6 +31,7 @@ service-per-pod serviceless-external-nodes smart-update storage +tls-issue-cert-manager upgrade upgrade-consistency upgrade-sharded diff --git a/e2e-tests/run-release.csv b/e2e-tests/run-release.csv index 15c1dde6bb..12c2248cc4 100644 
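Review bot: The wildcard SAN `"*."+cr.Namespace+"."+cr.Spec.MultiCluster.DNSSuffix` that `GetCertificateSans` appends for CR versions >= 1.13.0 makes the certificate valid for every hostname in the namespace under that suffix, not only this cluster's replset, mongos and config-server names; a one-line comment stating why that breadth is required (presumably member-cluster pod names; confirm) would let a reader judge the scope, e.g. `// *.<namespace>.<multi-cluster suffix>: intentionally broader than the per-replset names above; needed for <reason>`. If `cr.Spec.MultiCluster.DNSSuffix` can be empty or equal to `cr.Spec.ClusterServiceDNSSuffix` (the defaults are not visible here), the `MultiCluster.DNSSuffix` entries end in a trailing dot or duplicate earlier names; guarding them with `if cr.Spec.MultiCluster.DNSSuffix != "" {` or deduplicating `sans` before `return sans` would keep the issued certificate clean. `getShardingSans` is appended unconditionally, so mongos and config-server names are always present even when sharding is not enabled, which is probably deliberate but worth a comment.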
--- a/e2e-tests/run-release.csv +++ b/e2e-tests/run-release.csv @@ -32,6 +32,7 @@ service-per-pod serviceless-external-nodes smart-update storage +tls-issue-cert-manager upgrade upgrade-consistency upgrade-sharded diff --git a/e2e-tests/tls-issue-cert-manager/run b/e2e-tests/tls-issue-cert-manager/run index 3123c551f7..82d19ec0bb 100755 --- a/e2e-tests/tls-issue-cert-manager/run +++ b/e2e-tests/tls-issue-cert-manager/run @@ -6,7 +6,6 @@ test_dir=$(realpath $(dirname $0)) . "${test_dir}/../functions" set_debug - renew-certificate() { certificate="$1" From fc1c9f7a3b8785e1f6da5a5aef66c29452151676 Mon Sep 17 00:00:00 2001 From: Andrii Dema Date: Mon, 21 Aug 2023 16:30:52 +0300 Subject: [PATCH 04/11] wait for ca certs --- pkg/controller/perconaservermongodb/ssl.go | 5 +++++ pkg/psmdb/tls/certmanager.go | 8 ++++---- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/pkg/controller/perconaservermongodb/ssl.go b/pkg/controller/perconaservermongodb/ssl.go index 0196672b0a..1848bccfef 100644 --- a/pkg/controller/perconaservermongodb/ssl.go +++ b/pkg/controller/perconaservermongodb/ssl.go @@ -66,6 +66,11 @@ func (r *ReconcilePerconaServerMongoDB) createSSLByCertManager(ctx context.Conte if err != nil && !k8serr.IsAlreadyExists(err) { return errors.Wrap(err, "create ca certificate") } + + err = c.WaitForCerts(ctx, cr, tls.CACertificateSecretName(cr)) + if err != nil { + return errors.Wrap(err, "failed to wait for ca cert") + } } err := c.CreateIssuer(ctx, cr) diff --git a/pkg/psmdb/tls/certmanager.go b/pkg/psmdb/tls/certmanager.go index dcddeb9b6a..cbfb6e58a9 100644 --- a/pkg/psmdb/tls/certmanager.go +++ b/pkg/psmdb/tls/certmanager.go @@ -56,7 +56,7 @@ func caIssuerName(cr *api.PerconaServerMongoDB) string { return cr.Name + "-psmdb-ca-issuer" } -func caSecretName(cr *api.PerconaServerMongoDB) string { +func CACertificateSecretName(cr *api.PerconaServerMongoDB) string { return cr.Name + "-ca-cert" } 
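Review bot: `c.WaitForCerts(ctx, cr, tls.CACertificateSecretName(cr))` polls synchronously for up to 30 seconds (the timer in `WaitForCerts` earlier in this series), so a slow cert-manager issuance blocks the reconcile loop for that long and then fails the whole reconcile; returning early and letting the controller requeue, or at least documenting the blocking wait, would make the behaviour explicit, e.g. `// blocks up to 30s until cert-manager has issued the CA secret; the issuer and leaf certificates created below depend on it`. `WaitForCerts` also sets the controller reference on the CA secret, so the CA is garbage-collected together with the CR — likely intended, but worth stating in that comment. For consistency with the neighbouring wraps (`"create ca certificate"`), consider `errors.Wrap(err, "wait for ca certificate")`. `createSSLByCertManager` starts and ends outside this hunk.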
@@ -76,7 +76,7 @@ func (c *CertManagerController) CreateIssuer(ctx context.Context, cr *api.Percon Spec: cm.IssuerSpec{ IssuerConfig: cm.IssuerConfig{ CA: &cm.CAIssuer{ - SecretName: caSecretName(cr), + SecretName: CACertificateSecretName(cr), }, }, }, @@ -142,11 +142,11 @@ func (c *CertManagerController) CreateCertificate(ctx context.Context, cr *api.P func (c *CertManagerController) CreateCACertificate(ctx context.Context, cr *api.PerconaServerMongoDB) error { cert := &cm.Certificate{ ObjectMeta: metav1.ObjectMeta{ - Name: caSecretName(cr), + Name: CACertificateSecretName(cr), Namespace: cr.Namespace, }, Spec: cm.CertificateSpec{ - SecretName: caSecretName(cr), + SecretName: CACertificateSecretName(cr), CommonName: cr.Name + "-ca", IsCA: true, IssuerRef: cmmeta.ObjectReference{ From 422dd5f38f50058188156f91f34bc58920962e3a Mon Sep 17 00:00:00 2001 From: Andrii Dema Date: Thu, 31 Aug 2023 00:27:04 +0300 Subject: [PATCH 05/11] update `cert-manager` --- cmd/manager/main.go | 2 +- e2e-tests/functions | 2 +- go.mod | 11 +++++---- go.sum | 28 ++++++++++++---------- pkg/controller/perconaservermongodb/ssl.go | 2 +- pkg/psmdb/tls/certmanager.go | 4 ++-- 6 files changed, 26 insertions(+), 23 deletions(-) diff --git a/cmd/manager/main.go b/cmd/manager/main.go index b3ea8040f2..e4e523fd95 100644 --- a/cmd/manager/main.go +++ b/cmd/manager/main.go @@ -11,8 +11,8 @@ import ( // to ensure that exec-entrypoint and run can make use of them. _ "k8s.io/client-go/plugin/pkg/client/auth" + certmgrscheme "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/scheme" "github.com/go-logr/logr" - certmgrscheme "github.com/jetstack/cert-manager/pkg/client/clientset/versioned/scheme" uzap "go.uber.org/zap" "go.uber.org/zap/zapcore" k8sruntime "k8s.io/apimachinery/pkg/runtime" diff --git a/e2e-tests/functions b/e2e-tests/functions index 3384eb2573..d3f0176be2 100755 --- a/e2e-tests/functions +++ b/e2e-tests/functions 
@@ -16,7 +16,7 @@ SKIP_BACKUPS_TO_AWS_GCP_AZURE=${SKIP_BACKUPS_TO_AWS_GCP_AZURE:-1} PMM_SERVER_VER=${PMM_SERVER_VER:-"9.9.9"} IMAGE_PMM_SERVER_REPO=${IMAGE_PMM_SERVER_REPO:-"perconalab/pmm-server"} IMAGE_PMM_SERVER_TAG=${IMAGE_PMM_SERVER_TAG:-"dev-latest"} -CERT_MANAGER_VER="1.8.0" +CERT_MANAGER_VER="1.12.3" tmp_dir=$(mktemp -d) sed=$(which gsed || which sed) date=$(which gdate || which date) diff --git a/go.mod b/go.mod index 08c116a7c5..4c72d83279 100644 --- a/go.mod +++ b/go.mod @@ -5,6 +5,7 @@ go 1.20 require ( github.com/Percona-Lab/percona-version-service v0.0.0-20230216094301-f9489c81b52a github.com/alecthomas/kingpin v2.2.6+incompatible + github.com/cert-manager/cert-manager v1.12.3 github.com/go-logr/logr v1.2.4 github.com/go-openapi/errors v0.20.4 github.com/go-openapi/runtime v0.26.0 @@ -13,7 +14,6 @@ require ( github.com/go-openapi/validate v0.22.1 github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.2 github.com/hashicorp/go-version v1.6.0 - github.com/jetstack/cert-manager v1.6.1 github.com/percona/percona-backup-mongodb v1.8.1-0.20230725073611-5d2c6eeb81be github.com/pkg/errors v0.9.1 github.com/robfig/cron/v3 v3.0.1 @@ -96,11 +96,11 @@ require ( github.com/xdg-go/scram v1.1.2 // indirect github.com/xdg-go/stringprep v1.0.4 // indirect github.com/youmark/pkcs8 v0.0.0-20201027041543-1326539a0a0a // indirect - go.opentelemetry.io/otel v1.14.0 // indirect - go.opentelemetry.io/otel/trace v1.14.0 // indirect + go.opentelemetry.io/otel v1.15.0 // indirect + go.opentelemetry.io/otel/trace v1.15.0 // indirect go.uber.org/multierr v1.10.0 // indirect golang.org/x/crypto v0.11.0 // indirect - golang.org/x/mod v0.9.0 // indirect + golang.org/x/mod v0.10.0 // indirect golang.org/x/net v0.13.0 // indirect golang.org/x/oauth2 v0.10.0 // indirect golang.org/x/sys v0.10.0 // indirect 
@@ -119,7 +119,8 @@ require ( k8s.io/component-base v0.27.2 // indirect k8s.io/klog/v2 v2.100.1 // indirect k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect - k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect + k8s.io/utils v0.0.0-20230505201702-9f6742963106 // indirect + sigs.k8s.io/gateway-api v0.7.0 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect sigs.k8s.io/yaml v1.3.0 // indirect diff --git a/go.sum b/go.sum index abf9634ba7..0601b063d6 100644 --- a/go.sum +++ b/go.sum @@ -1,7 +1,7 @@ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= -github.com/Azure/azure-sdk-for-go v56.2.0+incompatible h1:2GrG1JkTSMqLquy1pqVsjeRJhNtZLjss2+rx8ogZXx4= +github.com/Azure/azure-sdk-for-go v67.3.0+incompatible h1:QEvenaO+Y9ShPeCWsSAtolzVUcb0T0tPeek5TDsovuM= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.3.0 h1:VuHAcMq8pU1IWNT/m5yRaGqbK0BiQKHT8X4DTp9CHdI= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.3.0/go.mod h1:tZoQYdDZNOiIjdSn0dVWVfl0NEPGOJqVLzSrcFk4Is0= github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0 h1:QkAcEIAKbNL4KoFr4SathZPhDhF4mVwpBMFlYjyAqy8= 
@@ -57,6 +57,8 @@ github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6r github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= github.com/blang/semver v3.5.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/cert-manager/cert-manager v1.12.3 h1:3gZkP7hHI2CjgX5qZ1Tm98YbHVXB2NGAZPVbOLb3AjU= +github.com/cert-manager/cert-manager v1.12.3/go.mod h1:/RYHUvK9cxuU5dbRyhb7g6am9jCcZc8huF3AnADE+nA= github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= @@ -319,8 +321,6 @@ github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANyt github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= github.com/jessevdk/go-flags v1.5.0 h1:1jKYvbxEjfUl0fmqTCOfonvskHHXMjBySTLW4y9LFvc= github.com/jessevdk/go-flags v1.5.0/go.mod h1:Fw0T6WPc1dYxT4mKEZRfG5kJhaTDP9pj1c2EWnYs/m4= -github.com/jetstack/cert-manager v1.6.1 h1:VME4bVID2gVTfebO5X4Nq9FvKvvi3+VLcA0mmtYlKuw= -github.com/jetstack/cert-manager v1.6.1/go.mod h1:1nXjnzzsYcIFvl4eLTkVqpvh9NQogkCq4FaCmgvNDDY= github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8= 
@@ -419,8 +419,8 @@ github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= +github.com/onsi/ginkgo v1.14.0 h1:2mOpI4JVVPBN+WQRa0WKH2eXR+Ey+uK4n7Zj0aYpIQA= github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY= -github.com/onsi/ginkgo v1.16.4 h1:29JGrr5oVBm5ulCWet69zQkzWipVXIol6ygQUe/EzNc= github.com/onsi/ginkgo/v2 v2.9.5 h1:+6Hr4uxzP4XIUyAkg61dWBw8lb/gc4/X5luuxN/EC+Q= github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= 
@@ -559,11 +559,11 @@ go.mongodb.org/mongo-driver v1.10.0/go.mod h1:wsihk0Kdgv8Kqu1Anit4sfK+22vSFbUrAV go.mongodb.org/mongo-driver v1.12.1 h1:nLkghSU8fQNaK7oUmDhQFsnrtcoNy7Z6LVFKsEecqgE= go.mongodb.org/mongo-driver v1.12.1/go.mod h1:/rGBTebI3XYboVmgz+Wv3Bcbl3aD0QF9zl6kDDw18rQ= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= -go.opentelemetry.io/otel v1.14.0 h1:/79Huy8wbf5DnIPhemGB+zEPVwnN6fuQybr/SRXa6hM= -go.opentelemetry.io/otel v1.14.0/go.mod h1:o4buv+dJzx8rohcUeRmWUZhqupFvzWis188WlggnNeU= -go.opentelemetry.io/otel/sdk v1.14.0 h1:PDCppFRDq8A1jL9v6KMI6dYesaq+DFcDZvjsoGvxGzY= -go.opentelemetry.io/otel/trace v1.14.0 h1:wp2Mmvj41tDsyAJXiWDWpfNsOiIyd38fy85pyKcFq/M= -go.opentelemetry.io/otel/trace v1.14.0/go.mod h1:8avnQLK+CG77yNLUae4ea2JDQ6iT+gozhnZjy/rw9G8= +go.opentelemetry.io/otel v1.15.0 h1:NIl24d4eiLJPM0vKn4HjLYM+UZf6gSfi9Z+NmCxkWbk= +go.opentelemetry.io/otel v1.15.0/go.mod h1:qfwLEbWhLPk5gyWrne4XnF0lC8wtywbuJbgfAE3zbek= +go.opentelemetry.io/otel/sdk v1.15.0 h1:jZTCkRRd08nxD6w7rIaZeDNGZGGQstH3SfLQ3ZsKICk= +go.opentelemetry.io/otel/trace v1.15.0 h1:5Fwje4O2ooOxkfyqI/kJwxWotggDLix4BSAvpE1wlpo= +go.opentelemetry.io/otel/trace v1.15.0/go.mod h1:CUsmE2Ht1CRkvE8OsMESvraoZrrcgD1J2W8GV1ev0Y4= go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= 
@@ -603,8 +603,8 @@ golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= -golang.org/x/mod v0.9.0 h1:KENHtAZL2y3NLMYZeHY9DW8HW8V+kQyJsY/V9JlKvCs= -golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.10.0 h1:lFO9qtOdlre5W1jxS3r/4szv2/6iXxScdzjoBMXNhYk= +golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -855,13 +855,15 @@ k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 h1:LyMgNKD2P8Wn1iAwQU5Ohx k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM= k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= k8s.io/utils v0.0.0-20200603063816-c1c6865ac451/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= -k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 h1:qY1Ad8PODbnymg2pRbkyMT/ylpTrCM8P2RJ0yroCyIk= -k8s.io/utils v0.0.0-20230406110748-d93618cff8a2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/utils v0.0.0-20230505201702-9f6742963106 h1:EObNQ3TW2D+WptiYXlApGNLVy0zm/JIBVY9i+M4wpAU= +k8s.io/utils v0.0.0-20230505201702-9f6742963106/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.7/go.mod h1:PHgbrJT7lCHcxMU+mDHEm+nx46H4zuuHZkDP6icnhu0= sigs.k8s.io/controller-runtime v0.6.1/go.mod h1:XRYBPdbf5XJu9kpS84VJiZ7h/u1hF3gEORz0efEja7A= sigs.k8s.io/controller-runtime v0.15.0 h1:ML+5Adt3qZnMSYxZ7gAverBLNPSMQEibtzAgp0UPojU= sigs.k8s.io/controller-runtime v0.15.0/go.mod h1:7ngYvp1MLT+9GeZ+6lH3LOlcHkp/+tzA/fmHa4iq9kk= sigs.k8s.io/controller-tools v0.3.0/go.mod h1:enhtKGfxZD1GFEoMgP8Fdbu+uKQ/cq1/WGJhdVChfvI= +sigs.k8s.io/gateway-api v0.7.0 h1:/mG8yyJNBifqvuVLW5gwlI4CQs0NR/5q4BKUlf1bVdY= +sigs.k8s.io/gateway-api v0.7.0/go.mod h1:Xv0+ZMxX0lu1nSSDIIPEfbVztgNZ+3cfiYrJsa2Ooso= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/kind v0.8.1/go.mod h1:oNKTxUVPYkV9lWzY6CVMNluVq8cBsyq+UgPJdvA3uu4= diff --git a/pkg/controller/perconaservermongodb/ssl.go b/pkg/controller/perconaservermongodb/ssl.go index 1848bccfef..3a647773ca 100644 --- a/pkg/controller/perconaservermongodb/ssl.go +++ b/pkg/controller/perconaservermongodb/ssl.go 
@@ -59,7 +59,7 @@ func (r *ReconcilePerconaServerMongoDB) createSSLByCertManager(ctx context.Conte if cr.CompareVersion("1.15.0") >= 0 { err := c.CreateCAIssuer(ctx, cr) if err != nil && !k8serr.IsAlreadyExists(err) { - return errors.Wrap(err, "create certificate") + return errors.Wrap(err, "create ca issuer") } err = c.CreateCACertificate(ctx, cr) diff --git a/pkg/psmdb/tls/certmanager.go b/pkg/psmdb/tls/certmanager.go index cbfb6e58a9..6158f1d91e 100644 --- a/pkg/psmdb/tls/certmanager.go +++ b/pkg/psmdb/tls/certmanager.go @@ -4,8 +4,8 @@ import ( "context" "time" - cm "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1" - cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1" + cm "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" + cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1" "github.com/pkg/errors" corev1 "k8s.io/api/core/v1" k8serrors "k8s.io/apimachinery/pkg/api/errors" From 7a6e8ce367813cdeb22e35093ba211050afddeb2 Mon Sep 17 00:00:00 2001 From: Andrii Dema Date: Thu, 31 Aug 2023 11:41:39 +0300 Subject: [PATCH 06/11] fix cert-manager test --- e2e-tests/functions | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/e2e-tests/functions b/e2e-tests/functions index d3f0176be2..0415ac324b 100755 --- a/e2e-tests/functions +++ b/e2e-tests/functions @@ -846,7 +846,8 @@ deploy_cert_manager() { kubectl_bin create namespace cert-manager || : kubectl_bin label namespace cert-manager certmanager.k8s.io/disable-validation=true || : kubectl_bin apply -f "https://github.com/jetstack/cert-manager/releases/download/v${CERT_MANAGER_VER}/cert-manager.yaml" --validate=false || : 2>/dev/null - sleep 30 + kubectl_bin -n cert-manager wait pod -l app.kubernetes.io/instance=cert-manager --for=condition=ready + sleep 60 } delete_crd() { From 8b3af4a9c1a41d9f17d302eb3eef9f3474ec0448 Mon Sep 17 00:00:00 2001 
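Review bot: The new `kubectl_bin -n cert-manager wait pod ... --for=condition=ready` in `deploy_cert_manager` runs with `kubectl wait`'s default 30-second timeout and, unlike the `apply` line above it, has no `|| :` fallback, so on a slow cluster the helper now aborts where it previously only slept; an explicit `--timeout=300s` makes the limit deliberate. Pod readiness does not by itself guarantee that the cert-manager webhook is accepting requests, which is presumably why the `sleep 60` remains; waiting on the webhook Deployment (`kubectl_bin -n cert-manager wait deployment/cert-manager-webhook --for=condition=Available --timeout=300s`) would turn the fixed sleep into a real gate, and a comment such as `# Ready pods do not mean the webhook is serving yet` should explain whatever sleep is kept. The `deploy_cert_manager` function body begins outside this hunk.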
From: Andrii Dema Date: Thu, 7 Sep 2023 15:02:42 +0300 Subject: [PATCH 07/11] increase sleep in `deploy_cert_manager` --- e2e-tests/functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/e2e-tests/functions b/e2e-tests/functions index 0415ac324b..79c0d23ea1 100755 --- a/e2e-tests/functions +++ b/e2e-tests/functions @@ -847,7 +847,7 @@ deploy_cert_manager() { kubectl_bin label namespace cert-manager certmanager.k8s.io/disable-validation=true || : kubectl_bin apply -f "https://github.com/jetstack/cert-manager/releases/download/v${CERT_MANAGER_VER}/cert-manager.yaml" --validate=false || : 2>/dev/null kubectl_bin -n cert-manager wait pod -l app.kubernetes.io/instance=cert-manager --for=condition=ready - sleep 60 + sleep 80 } delete_crd() { From 906706dd194e3a03d25358825177492699dcbebb Mon Sep 17 00:00:00 2001 From: Andrii Dema Date: Fri, 8 Sep 2023 08:02:55 +0300 Subject: [PATCH 08/11] add more sleep --- e2e-tests/functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/e2e-tests/functions b/e2e-tests/functions index ffec224ca6..d7d82f50c5 100755 --- a/e2e-tests/functions +++ b/e2e-tests/functions @@ -847,7 +847,7 @@ deploy_cert_manager() { kubectl_bin label namespace cert-manager certmanager.k8s.io/disable-validation=true || : kubectl_bin apply -f "https://github.com/jetstack/cert-manager/releases/download/v${CERT_MANAGER_VER}/cert-manager.yaml" --validate=false || : 2>/dev/null kubectl_bin -n cert-manager wait pod -l app.kubernetes.io/instance=cert-manager --for=condition=ready - sleep 80 + sleep 120 } delete_crd() { From b0c41238d78e18ad7e0325bc19df4f74778bd75b Mon Sep 17 00:00:00 2001 From: Viacheslav Sarzhan Date: Fri, 8 Sep 2023 16:53:45 +0300 Subject: [PATCH 09/11] fix deploy/bundle.yaml --- deploy/bundle.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/deploy/bundle.yaml b/deploy/bundle.yaml index db61206df0..4458765181 100644 --- a/deploy/bundle.yaml +++ b/deploy/bundle.yaml 
@@ -17488,6 +17488,7 @@ rules: resources: - issuers - certificates + - certificates/status verbs: - get - list From 6958601ba0c737d1cbdcea8a095b0ea4446d38fe Mon Sep 17 00:00:00 2001 From: Andrii Dema Date: Fri, 8 Sep 2023 21:30:08 +0300 Subject: [PATCH 10/11] fix `tls-issue-cert-manager` for cluster wide --- deploy/bundle.yaml | 1 - deploy/rbac.yaml | 1 - e2e-tests/conf/cmctl.yml | 2 +- e2e-tests/tls-issue-cert-manager/run | 13 +++++++++++-- 4 files changed, 12 insertions(+), 5 deletions(-) diff --git a/deploy/bundle.yaml b/deploy/bundle.yaml index 4458765181..db61206df0 100644 --- a/deploy/bundle.yaml +++ b/deploy/bundle.yaml @@ -17488,7 +17488,6 @@ rules: resources: - issuers - certificates - - certificates/status verbs: - get - list diff --git a/deploy/rbac.yaml b/deploy/rbac.yaml index a58c21025f..4683735938 100644 --- a/deploy/rbac.yaml +++ b/deploy/rbac.yaml @@ -100,7 +100,6 @@ rules: resources: - issuers - certificates - - certificates/status verbs: - get - list diff --git a/e2e-tests/conf/cmctl.yml b/e2e-tests/conf/cmctl.yml index 0fa44ab954..49beb075b5 100644 --- a/e2e-tests/conf/cmctl.yml +++ b/e2e-tests/conf/cmctl.yml @@ -12,7 +12,7 @@ spec: labels: name: cmctl spec: - serviceAccountName: percona-server-mongodb-operator + serviceAccountName: cmctl containers: - name: cmctl image: debian diff --git a/e2e-tests/tls-issue-cert-manager/run b/e2e-tests/tls-issue-cert-manager/run index 82d19ec0bb..2d6022a917 100755 --- a/e2e-tests/tls-issue-cert-manager/run +++ b/e2e-tests/tls-issue-cert-manager/run 
@@ -48,14 +48,23 @@ check_secret_data_key() { fi } +deploy_cmctl() { + local service_account="cmctl" + + $sed -e "s/percona-server-mongodb-operator/$service_account/g" "${src_dir}/deploy/rbac.yaml" \ + | yq '(select(.rules).rules[] | select(contains({"apiGroups": ["cert-manager.io"]}))).resources += "certificates/status"' \ + | kubectl_bin apply -f - + kubectl_bin apply -f "$conf_dir/cmctl.yml" +} + main() { - deploy_cert_manager create_infra "$namespace" + deploy_cert_manager desc 'create secrets and start client' kubectl_bin apply -f "$conf_dir/secrets.yml" kubectl_bin apply -f "$conf_dir/client_with_tls.yml" - kubectl_bin apply -f "$conf_dir/cmctl.yml" + deploy_cmctl cluster="some-name" desc "create first PSMDB cluster $cluster" From 9d7d0c69336bb54acb08ac47712de2b46f42fedb Mon Sep 17 00:00:00 2001 From: Andrii Dema Date: Fri, 8 Sep 2023 21:41:05 +0300 Subject: [PATCH 11/11] update `cert-manager` url --- e2e-tests/functions | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/e2e-tests/functions b/e2e-tests/functions index d7d82f50c5..d8d13f7c2d 100755 --- a/e2e-tests/functions +++ b/e2e-tests/functions @@ -845,7 +845,7 @@ deploy_cert_manager() { kubectl_bin create namespace cert-manager || : kubectl_bin label namespace cert-manager certmanager.k8s.io/disable-validation=true || : - kubectl_bin apply -f "https://github.com/jetstack/cert-manager/releases/download/v${CERT_MANAGER_VER}/cert-manager.yaml" --validate=false || : 2>/dev/null + kubectl_bin apply -f "https://github.com/cert-manager/cert-manager/releases/download/v${CERT_MANAGER_VER}/cert-manager.yaml" --validate=false || : 2>/dev/null kubectl_bin -n cert-manager wait pod -l app.kubernetes.io/instance=cert-manager --for=condition=ready sleep 120 } 
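Review bot: `deploy_cmctl` binds the `cmctl` service account to a sed-renamed copy of the operator's entire `deploy/rbac.yaml`, plus `certificates/status`, so the test pod receives every permission the operator has rather than the narrower cert-manager access it appears to need; a small dedicated Role/RoleBinding listing only `cert-manager.io` resources would follow least privilege and would also stop the fixture from masking a missing operator permission. The `s/percona-server-mongodb-operator/$service_account/g` substitution renames the Role, RoleBinding and ServiceAccount objects as well, which avoids colliding with the operator's own objects but is easy to miss; a comment such as `# renamed copy of the operator RBAC for the cmctl SA, extended with certificates/status (presumably required by cmctl renew)` would record the intent. `main` continues outside this hunk.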
@@ -892,7 +892,7 @@ destroy() { delete_crd - kubectl_bin delete -f "https://github.com/jetstack/cert-manager/releases/download/v${CERT_MANAGER_VER}/cert-manager.yaml" 2>/dev/null || : + kubectl_bin delete -f "https://github.com/cert-manager/cert-manager/releases/download/v${CERT_MANAGER_VER}/cert-manager.yaml" 2>/dev/null || : if [ -n "$OPENSHIFT" ]; then oc delete --grace-period=0 --force=true project "$namespace" & if [ -n "$OPERATOR_NS" ]; then