
Commit 8892eeb

Merge pull request #428 from perdasilva/OCPBUGS-5294-backport-cert-rotation-fix
OCPBUGS-5294: backport cert rotation fix
2 parents ca59a21 + f778e0d commit 8892eeb


67 files changed

+1372
-788
lines changed


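--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -0,0 +1,48 @@
+run:
+timeout: 5m
+skip-dirs:
+- pkg/lib
+- pkg/api
+- pkg/fakes
+- pkg/package-server/apis
+- test/e2e
+
+linters:
+enable:
+- depguard
+- gofmt
+- goimports
+- importas
+- misspell
+- stylecheck
+- tparallel
+- unconvert
+- whitespace
+disable:
+- errcheck
+
+linters-settings:
+importas:
+alias:
+- pkg: k8s.io/api/core/v1
+alias: corev1
+- pkg: k8s.io/api/apps/v1
+alias: appsv1
+- pkg: k8s.io/apimachinery/pkg/apis/meta/v1
+alias: metav1
+- pkg: k8s.io/apimachinery/pkg/api/errors
+alias: apierrors
+- pkg: github.com/operator-framework/api/pkg/operators/v1alpha1
+alias: operatorsv1alpha1
+- pkg: github.com/operator-framework/api/pkg/operators/v1
+alias: operatorsv1
+- pkg: github.com/operator-framework/api/pkg/operators/v2
+alias: operatorsv2
+
+issues:
+max-issues-per-linter: 0
+max-same-issues: 0
+
+output:
+format: tab
+sort-results: true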
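Review bot: The `disable:` entry for errcheck (line 22 of the new file) switches off the linter that reports ignored error returns, in a code base whose cert-handling paths create and update the Secrets, Roles and RoleBindings that carry serving certificates. Landing a lint config without a large initial backlog is a reasonable reason, but nothing on the page records it; a one-line comment such as `# errcheck disabled until the existing unchecked-error backlog is cleared` next to the entry would make the intent and the follow-up explicit. Whether a backlog actually exists is inferred, not visible in this commit.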

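--- a/staging/operator-lifecycle-manager/cmd/olm/main.go
+++ b/staging/operator-lifecycle-manager/cmd/olm/main.go
@@ -13,7 +13,7 @@ import (
 configv1client "github.com/openshift/client-go/config/clientset/versioned/typed/config/v1"
 "github.com/sirupsen/logrus"
 "github.com/spf13/pflag"
-v1 "k8s.io/api/core/v1"
+corev1 "k8s.io/api/core/v1"
 "k8s.io/klog"
 ctrl "sigs.k8s.io/controller-runtime"
 
@@ -103,8 +103,8 @@ func main() {
 // the empty string, the resulting array will be `[]string{""}`.
 namespaces := strings.Split(*watchedNamespaces, ",")
 for _, ns := range namespaces {
-if ns == v1.NamespaceAll {
-namespaces = []string{v1.NamespaceAll}
+if ns == corev1.NamespaceAll {
+namespaces = []string{corev1.NamespaceAll}
 break
 }
 }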

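--- a/staging/operator-lifecycle-manager/pkg/controller/install/apiservice.go
+++ b/staging/operator-lifecycle-manager/pkg/controller/install/apiservice.go
@@ -6,7 +6,7 @@ import (
 "strings"
 
 log "github.com/sirupsen/logrus"
-k8serrors "k8s.io/apimachinery/pkg/api/errors"
+apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 apiregistrationv1 "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1"
 
@@ -26,7 +26,7 @@ func (i *StrategyDeploymentInstaller) createOrUpdateAPIService(caPEM []byte, des
 exists := true
 apiService, err := i.strategyClient.GetOpLister().APIRegistrationV1().APIServiceLister().Get(apiServiceName)
 if err != nil {
-if !k8serrors.IsNotFound(err) {
+if !apierrors.IsNotFound(err) {
 return err
 }
 
@@ -120,14 +120,14 @@ func IsAPIServiceAdoptable(opLister operatorlister.OperatorLister, target *v1alp
 
 // Get the CSV that target replaces
 replacing, replaceGetErr := opLister.OperatorsV1alpha1().ClusterServiceVersionLister().ClusterServiceVersions(target.GetNamespace()).Get(target.Spec.Replaces)
-if replaceGetErr != nil && !k8serrors.IsNotFound(replaceGetErr) && !k8serrors.IsGone(replaceGetErr) {
+if replaceGetErr != nil && !apierrors.IsNotFound(replaceGetErr) && !apierrors.IsGone(replaceGetErr) {
 err = replaceGetErr
 return
 }
 
 // Get the current owner CSV of the APIService
 currentOwnerCSV, ownerGetErr := opLister.OperatorsV1alpha1().ClusterServiceVersionLister().ClusterServiceVersions(ownerNamespace).Get(ownerName)
-if ownerGetErr != nil && !k8serrors.IsNotFound(ownerGetErr) && !k8serrors.IsGone(ownerGetErr) {
+if ownerGetErr != nil && !apierrors.IsNotFound(ownerGetErr) && !apierrors.IsGone(ownerGetErr) {
 err = ownerGetErr
 return
 }
@@ -179,13 +179,13 @@ func (i *StrategyDeploymentInstaller) deleteLegacyAPIServiceResources(desc apiSe
 // Attempt to delete the legacy Service.
 existingService, err := i.strategyClient.GetOpClient().GetService(namespace, legacyServiceName)
 if err != nil {
-if !k8serrors.IsNotFound(err) {
+if !apierrors.IsNotFound(err) {
 return err
 }
 } else if ownerutil.AdoptableLabels(existingService.GetLabels(), true, i.owner) {
 logger.Infof("Deleting Service with legacy APIService name %s", existingService.Name)
 err = i.strategyClient.GetOpClient().DeleteService(namespace, legacyServiceName, &metav1.DeleteOptions{})
-if err != nil && !k8serrors.IsNotFound(err) {
+if err != nil && !apierrors.IsNotFound(err) {
 return err
 }
 } else {
@@ -198,13 +198,13 @@ func (i *StrategyDeploymentInstaller) deleteLegacyAPIServiceResources(desc apiSe
 // Attempt to delete the legacy Secret.
 existingSecret, err := i.strategyClient.GetOpClient().GetSecret(namespace, SecretName(apiServiceName))
 if err != nil {
-if !k8serrors.IsNotFound(err) {
+if !apierrors.IsNotFound(err) {
 return err
 }
 } else if ownerutil.AdoptableLabels(existingSecret.GetLabels(), true, i.owner) {
 logger.Infof("Deleting Secret with legacy APIService name %s", existingSecret.Name)
 err = i.strategyClient.GetOpClient().DeleteSecret(namespace, SecretName(apiServiceName), &metav1.DeleteOptions{})
-if err != nil && !k8serrors.IsNotFound(err) {
+if err != nil && !apierrors.IsNotFound(err) {
 return err
 }
 } else {
@@ -214,13 +214,13 @@ func (i *StrategyDeploymentInstaller) deleteLegacyAPIServiceResources(desc apiSe
 // Attempt to delete the legacy Role.
 existingRole, err := i.strategyClient.GetOpClient().GetRole(namespace, SecretName(apiServiceName))
 if err != nil {
-if !k8serrors.IsNotFound(err) {
+if !apierrors.IsNotFound(err) {
 return err
 }
 } else if ownerutil.AdoptableLabels(existingRole.GetLabels(), true, i.owner) {
 logger.Infof("Deleting Role with legacy APIService name %s", existingRole.Name)
 err = i.strategyClient.GetOpClient().DeleteRole(namespace, SecretName(apiServiceName), &metav1.DeleteOptions{})
-if err != nil && !k8serrors.IsNotFound(err) {
+if err != nil && !apierrors.IsNotFound(err) {
 return err
 }
 } else {
@@ -230,13 +230,13 @@ func (i *StrategyDeploymentInstaller) deleteLegacyAPIServiceResources(desc apiSe
 // Attempt to delete the legacy secret RoleBinding.
 existingRoleBinding, err := i.strategyClient.GetOpClient().GetRoleBinding(namespace, SecretName(apiServiceName))
 if err != nil {
-if !k8serrors.IsNotFound(err) {
+if !apierrors.IsNotFound(err) {
 return err
 }
 } else if ownerutil.AdoptableLabels(existingRoleBinding.GetLabels(), true, i.owner) {
 logger.Infof("Deleting RoleBinding with legacy APIService name %s", existingRoleBinding.Name)
 err = i.strategyClient.GetOpClient().DeleteRoleBinding(namespace, SecretName(apiServiceName), &metav1.DeleteOptions{})
-if err != nil && !k8serrors.IsNotFound(err) {
+if err != nil && !apierrors.IsNotFound(err) {
 return err
 }
 } else {
@@ -246,13 +246,13 @@ func (i *StrategyDeploymentInstaller) deleteLegacyAPIServiceResources(desc apiSe
 // Attempt to delete the legacy ClusterRoleBinding.
 existingClusterRoleBinding, err := i.strategyClient.GetOpClient().GetClusterRoleBinding(apiServiceName + "-system:auth-delegator")
 if err != nil {
-if !k8serrors.IsNotFound(err) {
+if !apierrors.IsNotFound(err) {
 return err
 }
 } else if ownerutil.AdoptableLabels(existingClusterRoleBinding.GetLabels(), true, i.owner) {
 logger.Infof("Deleting ClusterRoleBinding with legacy APIService name %s", existingClusterRoleBinding.Name)
 err = i.strategyClient.GetOpClient().DeleteClusterRoleBinding(apiServiceName+"-system:auth-delegator", &metav1.DeleteOptions{})
-if err != nil && !k8serrors.IsNotFound(err) {
+if err != nil && !apierrors.IsNotFound(err) {
 return err
 }
 } else {
@@ -262,13 +262,13 @@ func (i *StrategyDeploymentInstaller) deleteLegacyAPIServiceResources(desc apiSe
 // Attempt to delete the legacy AuthReadingRoleBinding.
 existingRoleBinding, err = i.strategyClient.GetOpClient().GetRoleBinding(KubeSystem, apiServiceName+"-auth-reader")
 if err != nil {
-if !k8serrors.IsNotFound(err) {
+if !apierrors.IsNotFound(err) {
 return err
 }
 } else if ownerutil.AdoptableLabels(existingRoleBinding.GetLabels(), true, i.owner) {
 logger.Infof("Deleting RoleBinding with legacy APIService name %s", existingRoleBinding.Name)
 err = i.strategyClient.GetOpClient().DeleteRoleBinding(KubeSystem, apiServiceName+"-auth-reader", &metav1.DeleteOptions{})
-if err != nil && !k8serrors.IsNotFound(err) {
+if err != nil && !apierrors.IsNotFound(err) {
 return err
 }
 } else {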

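--- a/staging/operator-lifecycle-manager/pkg/controller/install/certresources.go
+++ b/staging/operator-lifecycle-manager/pkg/controller/install/certresources.go
@@ -9,7 +9,7 @@ import (
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
 rbacv1 "k8s.io/api/rbac/v1"
-k8serrors "k8s.io/apimachinery/pkg/api/errors"
+apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/intstr"
 
@@ -160,7 +160,7 @@ func (i *StrategyDeploymentInstaller) getCertResources() []certResource {
 }
 
 func (i *StrategyDeploymentInstaller) certResourcesForDeployment(deploymentName string) []certResource {
-result := []certResource{}
+var result []certResource
 for _, desc := range i.getCertResources() {
 if desc.getDeploymentName() == deploymentName {
 result = append(result, desc)
@@ -185,13 +185,12 @@ func (i *StrategyDeploymentInstaller) installCertRequirements(strategy Strategy)
 }
 
 // Create the CA
-expiration := time.Now().Add(DefaultCertValidFor)
-ca, err := certs.GenerateCA(expiration, Organization)
+i.certificateExpirationTime = CalculateCertExpiration(time.Now())
+ca, err := certs.GenerateCA(i.certificateExpirationTime, Organization)
 if err != nil {
 logger.Debug("failed to generate CA")
 return nil, err
 }
-rotateAt := expiration.Add(-1 * DefaultCertMinFresh)
 
 for n, sddSpec := range strategyDetailsDeployment.DeploymentSpecs {
 certResources := i.certResourcesForDeployment(sddSpec.Name)
@@ -202,7 +201,7 @@ func (i *StrategyDeploymentInstaller) installCertRequirements(strategy Strategy)
 }
 
 // Update the deployment for each certResource
-newDepSpec, caPEM, err := i.installCertRequirementsForDeployment(sddSpec.Name, ca, rotateAt, sddSpec.Spec, getServicePorts(certResources))
+newDepSpec, caPEM, err := i.installCertRequirementsForDeployment(sddSpec.Name, ca, i.certificateExpirationTime, sddSpec.Spec, getServicePorts(certResources))
 if err != nil {
 return nil, err
 }
@@ -214,6 +213,14 @@ func (i *StrategyDeploymentInstaller) installCertRequirements(strategy Strategy)
 return strategyDetailsDeployment, nil
 }
 
+func (i *StrategyDeploymentInstaller) CertsRotateAt() time.Time {
+return CalculateCertRotatesAt(i.certificateExpirationTime)
+}
+
+func (i *StrategyDeploymentInstaller) CertsRotated() bool {
+return i.certificatesRotated
+}
+
 func ShouldRotateCerts(csv *v1alpha1.ClusterServiceVersion) bool {
 now := metav1.Now()
 if !csv.Status.CertsRotateAt.IsZero() && csv.Status.CertsRotateAt.Before(&now) {
@@ -223,7 +230,15 @@ func ShouldRotateCerts(csv *v1alpha1.ClusterServiceVersion) bool {
 return false
 }
 
-func (i *StrategyDeploymentInstaller) installCertRequirementsForDeployment(deploymentName string, ca *certs.KeyPair, rotateAt time.Time, depSpec appsv1.DeploymentSpec, ports []corev1.ServicePort) (*appsv1.DeploymentSpec, []byte, error) {
+func CalculateCertExpiration(startingFrom time.Time) time.Time {
+return startingFrom.Add(DefaultCertValidFor)
+}
+
+func CalculateCertRotatesAt(certExpirationTime time.Time) time.Time {
+return certExpirationTime.Add(-1 * DefaultCertMinFresh)
+}
+
+func (i *StrategyDeploymentInstaller) installCertRequirementsForDeployment(deploymentName string, ca *certs.KeyPair, expiration time.Time, depSpec appsv1.DeploymentSpec, ports []corev1.ServicePort) (*appsv1.DeploymentSpec, []byte, error) {
 logger := log.WithFields(log.Fields{})
 
 // Create a service for the deployment
@@ -246,7 +261,7 @@ func (i *StrategyDeploymentInstaller) installCertRequirementsForDeployment(deplo
 
 // Delete the Service to replace
 deleteErr := i.strategyClient.GetOpClient().DeleteService(service.GetNamespace(), service.GetName(), &metav1.DeleteOptions{})
-if deleteErr != nil && !k8serrors.IsNotFound(deleteErr) {
+if deleteErr != nil && !apierrors.IsNotFound(deleteErr) {
 return nil, nil, fmt.Errorf("could not delete existing service %s", service.GetName())
 }
 }
@@ -263,7 +278,7 @@ func (i *StrategyDeploymentInstaller) installCertRequirementsForDeployment(deplo
 fmt.Sprintf("%s.%s", service.GetName(), i.owner.GetNamespace()),
 fmt.Sprintf("%s.%s.svc", service.GetName(), i.owner.GetNamespace()),
 }
-servingPair, err := certGenerator.Generate(rotateAt, Organization, ca, hosts)
+servingPair, err := certGenerator.Generate(expiration, Organization, ca, hosts)
 if err != nil {
 logger.Warnf("could not generate signed certs for hosts %v", hosts)
 return nil, nil, err
@@ -311,16 +326,18 @@ func (i *StrategyDeploymentInstaller) installCertRequirementsForDeployment(deplo
 secret = existingSecret
 caPEM = existingCAPEM
 caHash = certs.PEMSHA256(caPEM)
-} else if _, err := i.strategyClient.GetOpClient().UpdateSecret(secret); err != nil {
-logger.Warnf("could not update secret %s", secret.GetName())
-return nil, nil, err
+} else {
+if _, err := i.strategyClient.GetOpClient().UpdateSecret(secret); err != nil {
+logger.Warnf("could not update secret %s", secret.GetName())
+return nil, nil, err
+}
+i.certificatesRotated = true
 }
-
-} else if k8serrors.IsNotFound(err) {
+} else if apierrors.IsNotFound(err) {
 // Create the secret
 ownerutil.AddNonBlockingOwner(secret, i.owner)
 if _, err := i.strategyClient.GetOpClient().CreateSecret(secret); err != nil {
-if !k8serrors.IsAlreadyExists(err) {
+if !apierrors.IsAlreadyExists(err) {
 log.Warnf("could not create secret %s: %v", secret.GetName(), err)
 return nil, nil, err
 }
@@ -331,6 +348,7 @@ func (i *StrategyDeploymentInstaller) installCertRequirementsForDeployment(deplo
 return nil, nil, err
 }
 }
+i.certificatesRotated = true
 } else {
 return nil, nil, err
 }
@@ -361,7 +379,7 @@ func (i *StrategyDeploymentInstaller) installCertRequirementsForDeployment(deplo
 logger.Warnf("could not update secret role %s", secretRole.GetName())
 return nil, nil, err
 }
-} else if k8serrors.IsNotFound(err) {
+} else if apierrors.IsNotFound(err) {
 // Create the role
 ownerutil.AddNonBlockingOwner(secretRole, i.owner)
 _, err = i.strategyClient.GetOpClient().CreateRole(secretRole)
@@ -407,7 +425,7 @@ func (i *StrategyDeploymentInstaller) installCertRequirementsForDeployment(deplo
 logger.Warnf("could not update secret rolebinding %s", secretRoleBinding.GetName())
 return nil, nil, err
 }
-} else if k8serrors.IsNotFound(err) {
+} else if apierrors.IsNotFound(err) {
 // Create the role
 ownerutil.AddNonBlockingOwner(secretRoleBinding, i.owner)
 _, err = i.strategyClient.GetOpClient().CreateRoleBinding(secretRoleBinding)
@@ -452,7 +470,7 @@ func (i *StrategyDeploymentInstaller) installCertRequirementsForDeployment(deplo
 logger.Warnf("could not update auth delegator clusterrolebinding %s", authDelegatorClusterRoleBinding.GetName())
 return nil, nil, err
 }
-} else if k8serrors.IsNotFound(err) {
+} else if apierrors.IsNotFound(err) {
 // Create the role.
 if err := ownerutil.AddOwnerLabels(authDelegatorClusterRoleBinding, i.owner); err != nil {
 return nil, nil, err
@@ -499,7 +517,7 @@ func (i *StrategyDeploymentInstaller) installCertRequirementsForDeployment(deplo
 logger.Warnf("could not update auth reader role binding %s", authReaderRoleBinding.GetName())
 return nil, nil, err
 }
-} else if k8serrors.IsNotFound(err) {
+} else if apierrors.IsNotFound(err) {
 // Create the role.
 if err := ownerutil.AddOwnerLabels(authReaderRoleBinding, i.owner); err != nil {
 return nil, nil, err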
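Review bot: CertsRotateAt (hunk @@ -214,6 +213,14 @@) subtracts DefaultCertMinFresh from i.certificateExpirationTime unconditionally, so on an installer whose installCertRequirements has not run it returns the zero Time shifted back by DefaultCertMinFresh — a non-zero value — and an IsZero() check of the kind ShouldRotateCerts performs on csv.Status.CertsRotateAt would treat it as a real rotation deadline; a guard `if i.certificateExpirationTime.IsZero() { return time.Time{} }` at the top of the method keeps the zero value meaningful. Likewise i.certificatesRotated is set to true on the UpdateSecret and CreateSecret paths (hunks @@ -311,16 +326,18 @@ and @@ -331,6 +348,7 @@) but is never cleared, so if one StrategyDeploymentInstaller is reused across reconciliations CertsRotated() stays true after the first rotation; presumably the installer is rebuilt per call, but resetting the flag at the start of installCertRequirements would make that independent of the caller. The four new exported functions (CertsRotateAt, CertsRotated, CalculateCertExpiration, CalculateCertRotatesAt) carry no doc comments; for example `// CalculateCertRotatesAt returns the instant, DefaultCertMinFresh before certExpirationTime, at which the serving certificates should be regenerated.` The bodies of installCertRequirements and installCertRequirementsForDeployment continue outside the hunks.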
