Add certrotationcontroller to generate loopback secrets

Author: Vadim Rutkovsky

pkg/controllers/certrotationcontroller/certrotationcontroller.go

@@ -0,0 +1,111 @@
+package certrotationcontroller
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	operatorv1 "github.com/openshift/api/operator/v1"
+	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
+
+	"github.com/openshift/library-go/pkg/controller/factory"
+	"github.com/openshift/library-go/pkg/operator/certrotation"
+	"github.com/openshift/library-go/pkg/operator/condition"
+	"github.com/openshift/library-go/pkg/operator/events"
+	"github.com/openshift/library-go/pkg/operator/v1helpers"
+)
+
+type OperatorConditionStatusReporter struct {
+	// Plumbing:
+	OperatorClient v1helpers.OperatorClient
+}
+
+func (s *OperatorConditionStatusReporter) Report(ctx context.Context, controllerName string, syncErr error) (bool, error) {
+	newCondition := operatorv1.OperatorCondition{
+		Type:   fmt.Sprintf(condition.CertRotationDegradedConditionTypeFmt, controllerName),
+		Status: operatorv1.ConditionFalse,
+	}
+	if syncErr != nil {
+		newCondition.Status = operatorv1.ConditionTrue
+		newCondition.Reason = "CertificateRotationError"
+		newCondition.Message = syncErr.Error()
+	}
+	_, updated, updateErr := v1helpers.UpdateStatus(ctx, s.OperatorClient, v1helpers.UpdateConditionFn(newCondition))
+	return updated, updateErr
+}
+
+type CertRotationController struct {
+	certRotators []factory.Controller
+}
+
+func NewCertRotationController(
+	secretsGetter corev1client.SecretsGetter,
+	configMapsGetter corev1client.ConfigMapsGetter,
+	operatorClient v1helpers.OperatorClient,
+	kubeInformersForNamespaces v1helpers.KubeInformersForNamespaces,
+	eventRecorder events.Recorder,
+	day time.Duration,
+) (*CertRotationController, error) {
+	ret := &CertRotationController{}
+
+	targetNS := "openshift-oauth-apiserver"
+
+	certRotator := certrotation.NewCertRotationController(
+		"OAuthLoopbackCert",
+		certrotation.RotatedSigningCASecret{
+			Namespace: targetNS,
+			Name:      "loopback-signer",
+			AdditionalAnnotations: certrotation.AdditionalAnnotations{
+				JiraComponent: "oauth-apiserver",
+			},
+			Validity:               60 * day,
+			Refresh:                30 * day,
+			RefreshOnlyWhenExpired: false,
+			Informer:               kubeInformersForNamespaces.InformersFor(targetNS).Core().V1().Secrets(),
+			Lister:                 kubeInformersForNamespaces.InformersFor(targetNS).Core().V1().Secrets().Lister(),
+			Client:                 secretsGetter,
+			EventRecorder:          eventRecorder,
+		},
+		certrotation.CABundleConfigMap{
+			Namespace: targetNS,
+			Name:      "loopback-ca",
+			AdditionalAnnotations: certrotation.AdditionalAnnotations{
+				JiraComponent: "oauth-apiserver",
+			},
+			Informer:      kubeInformersForNamespaces.InformersFor(targetNS).Core().V1().ConfigMaps(),
+			Lister:        kubeInformersForNamespaces.InformersFor(targetNS).Core().V1().ConfigMaps().Lister(),
+			Client:        configMapsGetter,
+			EventRecorder: eventRecorder,
+		},
+		certrotation.RotatedSelfSignedCertKeySecret{
+			Namespace: targetNS,
+			Name:      "loopback",
+			AdditionalAnnotations: certrotation.AdditionalAnnotations{
+				JiraComponent: "oauth-apiserver",
+			},
+			Validity:               30 * day,
+			Refresh:                15 * day,
+			RefreshOnlyWhenExpired: false,
+			CertCreator: &certrotation.ServingRotation{
+				Hostnames: func() []string { return []string{"apiserver-loopback-client"} },
+			},
+			Informer:      kubeInformersForNamespaces.InformersFor(targetNS).Core().V1().Secrets(),
+			Lister:        kubeInformersForNamespaces.InformersFor(targetNS).Core().V1().Secrets().Lister(),
+			Client:        secretsGetter,
+			EventRecorder: eventRecorder,
+		},
+		eventRecorder,
+		&OperatorConditionStatusReporter{OperatorClient: operatorClient},
+	)
+
+	ret.certRotators = append(ret.certRotators, certRotator)
+
+	return ret, nil
+}
+
+func (c *CertRotationController) Run(ctx context.Context, workers int) {
+	syncCtx := context.WithValue(ctx, certrotation.RunOnceContextKey, false)
+	for _, certRotator := range c.certRotators {
+		go certRotator.Run(syncCtx, workers)
+	}
+}

pkg/operator/starter.go

@@ -16,6 +16,7 @@ import (
 	routev1 "github.com/openshift/api/route/v1"
 	applyoperatorv1 "github.com/openshift/client-go/operator/applyconfigurations/operator/v1"
 	"github.com/openshift/cluster-authentication-operator/bindata"
+	"github.com/openshift/cluster-authentication-operator/pkg/controllers/certrotationcontroller"
 	"github.com/openshift/cluster-authentication-operator/pkg/controllers/configobservation/configobservercontroller"
 	componentroutesecretsync "github.com/openshift/cluster-authentication-operator/pkg/controllers/customroute"
 	"github.com/openshift/cluster-authentication-operator/pkg/controllers/deployment"
@@ -319,6 +320,18 @@ func prepareOauthOperator(
 		authOperatorInput.eventRecorder,
 	)
 
+	certRotationController, err := certrotationcontroller.NewCertRotationController(
+		v1helpers.CachedSecretGetter(authOperatorInput.kubeClient.CoreV1(), informerFactories.kubeInformersForNamespaces),
+		v1helpers.CachedConfigMapGetter(authOperatorInput.kubeClient.CoreV1(), informerFactories.kubeInformersForNamespaces),
+		authOperatorInput.authenticationOperatorClient,
+		informerFactories.kubeInformersForNamespaces,
+		authOperatorInput.eventRecorder,
+		time.Hour*24,
+	)
+	if err != nil {
+		return nil, nil, err
+	}
+
 	runOnceFns := []libraryapplyconfiguration.NamedRunOnce{
 		libraryapplyconfiguration.AdaptSyncFn(authOperatorInput.eventRecorder, "TODO-configObserver", configObserver.Sync),
 		libraryapplyconfiguration.AdaptSyncFn(authOperatorInput.eventRecorder, "TODO-deploymentController", deploymentController.Sync),
@@ -361,6 +374,7 @@ func prepareOauthOperator(
 		libraryapplyconfiguration.AdaptRunFn(trustDistributionController.Run),
 		libraryapplyconfiguration.AdaptRunFn(staleConditions.Run),
 		libraryapplyconfiguration.AdaptRunFn(ingressStateController.Run),
+		libraryapplyconfiguration.AdaptRunFn(certRotationController.Run),
 	}
 
 	if !enabledClusterCapabilities.Has("Console") {