
Commit b98abe3

authored
Add CA ConfigMaps in each namespace for sign jobs (kubernetes-sigs#361)
Signing Jobs can be created in any namespace, while the ConfigMaps containing the OpenShift CA certificates from the bundle are only present in the operator's namespace. In each namespace containing a Module or targeted by a ManagedClusterModule, create two ConfigMaps for each CA certificate type. Those ConfigMaps are populated by other OpenShift controllers. When creating a signing Job, look for those ConfigMaps in the Job's namespace and mount them accordingly. Set the ConfigMaps owner references appropriately so that they are deleted when all Modules / ManagedClusterModules that might need it are deleted.
1 parent 5af377d commit b98abe3

17 files changed

+945
-42
lines changed

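--- a/Makefile
+++ b/Makefile
@@ -193,16 +193,26 @@ uninstall: manifests ## Uninstall CRDs from the K8s cluster specified in ~/.kube
 	oc delete -k $(KUSTOMIZE_CONFIG_CRD) --ignore-not-found=$(ignore-not-found)
 
 KUSTOMIZE_CONFIG_DEFAULT ?= config/default
+KUSTOMIZE_CONFIG_HUB_DEFAULT ?= config/default-hub
 
 .PHONY: deploy
 deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config.
 	cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG)
 	oc apply -k $(KUSTOMIZE_CONFIG_DEFAULT)
 
+.PHONY: deploy-hub
+deploy-hub: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config.
+	cd config/manager-hub && $(KUSTOMIZE) edit set image controller=$(HUB_IMG)
+	oc apply -k $(KUSTOMIZE_CONFIG_HUB_DEFAULT)
+
 .PHONY: undeploy
 undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion.
 	oc delete -k $(KUSTOMIZE_CONFIG_DEFAULT) --ignore-not-found=$(ignore-not-found)
 
+.PHONY: undeploy-hub
+undeploy-hub: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion.
+	oc delete -k $(KUSTOMIZE_CONFIG_HUB_DEFAULT) --ignore-not-found=$(ignore-not-found)
+
 CONTROLLER_GEN = $(shell pwd)/bin/controller-gen
 .PHONY: controller-gen
 controller-gen: ## Download controller-gen locally if necessary.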
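Review bot: The help text on the new `deploy-hub` and `undeploy-hub` targets is copied verbatim from `deploy` and `undeploy`, so a `make help` listing shows two pairs of identical descriptions; suggest `deploy-hub: manifests kustomize ## Deploy hub controller to the K8s cluster specified in ~/.kube/config.` and the matching wording on `undeploy-hub`. The `deploy-hub` recipe also references `$(HUB_IMG)`, and no default for it is visible in this hunk; if it is not defined elsewhere in the Makefile, `kustomize edit set image controller=` runs with an empty image and the hub manifests end up pointing at nothing, so a `HUB_IMG ?=` default next to `KUSTOMIZE_CONFIG_HUB_DEFAULT` would be worth adding.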

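--- a/bundle-hub/manifests/kernel-module-management-hub.clusterserviceversion.yaml
+++ b/bundle-hub/manifests/kernel-module-management-hub.clusterserviceversion.yaml
@@ -89,8 +89,11 @@ spec:
   resources:
   - configmaps
   verbs:
+  - create
+  - delete
   - get
   - list
+  - patch
   - watch
 - apiGroups:
   - ""
@@ -100,6 +103,14 @@ spec:
   - get
   - list
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - hub.kmm.sigs.x-k8s.io
   resources: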

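--- a/bundle/manifests/kernel-module-management.clusterserviceversion.yaml
+++ b/bundle/manifests/kernel-module-management.clusterserviceversion.yaml
@@ -137,8 +137,11 @@ spec:
   resources:
   - configmaps
   verbs:
+  - create
+  - delete
   - get
   - list
+  - patch
   - watch
 - apiGroups:
   - ""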

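--- a/cmd/manager-hub/main.go
+++ b/cmd/manager-hub/main.go
@@ -46,6 +46,7 @@ import (
 	"github.com/rh-ecosystem-edge/kernel-module-management/internal/auth"
 	"github.com/rh-ecosystem-edge/kernel-module-management/internal/build"
 	"github.com/rh-ecosystem-edge/kernel-module-management/internal/build/buildconfig"
+	"github.com/rh-ecosystem-edge/kernel-module-management/internal/ca"
 	"github.com/rh-ecosystem-edge/kernel-module-management/internal/cluster"
 	"github.com/rh-ecosystem-edge/kernel-module-management/internal/cmd"
 	"github.com/rh-ecosystem-edge/kernel-module-management/internal/constants"
@@ -135,8 +136,10 @@ func main() {
 		registryAPI,
 	)
 
+	caHelper := ca.NewHelper(client, scheme)
+
 	signAPI := signjob.NewSignJobManager(
-		signjob.NewSigner(client, scheme, sign.NewSignerHelper(), jobHelperAPI),
+		signjob.NewSigner(client, scheme, sign.NewSignerHelper(), jobHelperAPI, caHelper),
 		jobHelperAPI,
 		authFactory,
 		registryAPI,
@@ -158,6 +161,8 @@ func main() {
 		cluster.NewClusterAPI(client, module.NewKernelMapper(), buildAPI, signAPI, operatorNamespace),
 		statusupdater.NewManagedClusterModuleStatusUpdater(client),
 		filterAPI,
+		caHelper,
+		operatorNamespace,
 	)
 
 	if err = mcmr.SetupWithManager(mgr); err != nil {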

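--- a/cmd/manager/main.go
+++ b/cmd/manager/main.go
@@ -24,6 +24,7 @@ import (
 
 	buildv1 "github.com/openshift/api/build/v1"
 	imagev1 "github.com/openshift/api/image/v1"
+	"github.com/rh-ecosystem-edge/kernel-module-management/internal/ca"
 	"github.com/rh-ecosystem-edge/kernel-module-management/internal/constants"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
@@ -138,9 +139,10 @@ func main() {
 	)
 
 	jobHelperAPI := utils.NewJobHelper(client)
+	caHelper := ca.NewHelper(client, scheme)
 
 	signAPI := signjob.NewSignJobManager(
-		signjob.NewSigner(client, scheme, sign.NewSignerHelper(), jobHelperAPI),
+		signjob.NewSigner(client, scheme, sign.NewSignerHelper(), jobHelperAPI, caHelper),
 		jobHelperAPI,
 		authFactory,
 		registryAPI,
@@ -159,6 +161,7 @@ func main() {
 		metricsAPI,
 		filterAPI,
 		statusupdater.NewModuleStatusUpdater(client, metricsAPI),
+		caHelper,
 	)
 
 	if err = mc.SetupWithManager(mgr, constants.KernelLabel); err != nil {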

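--- a/config/rbac-hub/role.yaml
+++ b/config/rbac-hub/role.yaml
@@ -38,8 +38,11 @@ rules:
   resources:
   - configmaps
   verbs:
+  - create
+  - delete
   - get
   - list
+  - patch
   - watch
 - apiGroups:
   - ""
@@ -49,6 +52,14 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - hub.kmm.sigs.x-k8s.io
   resources: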

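--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -60,8 +60,11 @@ rules:
   resources:
   - configmaps
   verbs:
+  - create
+  - delete
   - get
   - list
+  - patch
   - watch
 - apiGroups:
   - ""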

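--- a/controllers/hub/managedclustermodule_reconciler.go
+++ b/controllers/hub/managedclustermodule_reconciler.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"fmt"
 
+	"github.com/rh-ecosystem-edge/kernel-module-management/internal/ca"
 	batchv1 "k8s.io/api/batch/v1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -50,7 +51,9 @@ type ManagedClusterModuleReconciler struct {
 	clusterAPI       cluster.ClusterAPI
 	statusupdaterAPI statusupdater.ManagedClusterModuleStatusUpdater
 
-	filter *filter.Filter
+	filter              *filter.Filter
+	caHelper            ca.Helper
+	defaultJobNamespace string
 }
 
 //+kubebuilder:rbac:groups=hub.kmm.sigs.x-k8s.io,resources=managedclustermodules,verbs=get;list;watch;update;patch
@@ -59,22 +62,28 @@ type ManagedClusterModuleReconciler struct {
 //+kubebuilder:rbac:groups=work.open-cluster-management.io,resources=manifestworks,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=cluster.open-cluster-management.io,resources=managedclusters,verbs=get;list;watch
 //+kubebuilder:rbac:groups=batch,resources=jobs,verbs=create;list;watch;delete
-//+kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;watch
+//+kubebuilder:rbac:groups=core,resources=configmaps,verbs=create;delete;get;list;patch;watch
 //+kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch
+//+kubebuilder:rbac:groups="core",resources=serviceaccounts,verbs=get;list;watch
 //+kubebuilder:rbac:groups=build.openshift.io,resources=builds,verbs=get;list;create;delete;watch;patch
 
 func NewManagedClusterModuleReconciler(
 	client client.Client,
 	manifestAPI manifestwork.ManifestWorkCreator,
 	clusterAPI cluster.ClusterAPI,
 	statusupdaterAPI statusupdater.ManagedClusterModuleStatusUpdater,
-	filter *filter.Filter) *ManagedClusterModuleReconciler {
+	filter *filter.Filter,
+	caHelper ca.Helper,
+	defaultJobNamespace string,
+) *ManagedClusterModuleReconciler {
 	return &ManagedClusterModuleReconciler{
-		client:           client,
-		manifestAPI:      manifestAPI,
-		clusterAPI:       clusterAPI,
-		statusupdaterAPI: statusupdaterAPI,
-		filter:           filter,
+		client:              client,
+		manifestAPI:         manifestAPI,
+		clusterAPI:          clusterAPI,
+		statusupdaterAPI:    statusupdaterAPI,
+		filter:              filter,
+		caHelper:            caHelper,
+		defaultJobNamespace: defaultJobNamespace,
 	}
 }
 
@@ -93,6 +102,16 @@ func (r *ManagedClusterModuleReconciler) Reconcile(ctx context.Context, req ctrl
 		return res, fmt.Errorf("failed to get the requested CR: %v", err)
 	}
 
+	namespace := mcm.Spec.JobNamespace
+
+	if namespace == "" {
+		namespace = r.defaultJobNamespace
+	}
+
+	if err = r.caHelper.Sync(ctx, namespace, mcm); err != nil {
+		return ctrl.Result{}, fmt.Errorf("failed to synchronize CA ConfigMaps: %v", err)
+	}
+
 	logger.Info("Requested KMMO ManagedClusterModule")
 
 	clusters, err := r.clusterAPI.SelectedManagedClusters(ctx, mcm)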
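Review bot: In the Reconcile hunk, `namespace` is taken straight from `mcm.Spec.JobNamespace` and handed to `r.caHelper.Sync` with no validation, so the author of a ManagedClusterModule decides the namespace in which the operator, which this commit grants create/delete/patch on ConfigMaps, writes; that is presumably intended since the signing Job runs there too, but a comment such as `// JobNamespace is user-supplied; caHelper only manages fixed-name CA ConfigMaps owned by this MCM` would record the assumption, and it should be confirmed against ca.Helper, which is not in this view. The Sync call also runs before any deletion handling visible here; if the DeletionTimestamp or finalizer check sits further down in Reconcile (the function continues outside the hunk), ConfigMaps will be created or patched for an object that is already being removed. In the rbac-marker hunk, the new serviceaccounts marker quotes its group (`groups="core"`) while every neighbouring marker writes `groups=core`; the generated roles show both resolve to `""`, but the odd form reads like a typo, and nothing in the commit says why the hub reconciler now needs to read service accounts, so a one-line comment above that marker would help the next reader.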
