diff --git a/assets/apps/0000_60_service-ca_05_deploy.yaml b/assets/apps/0000_60_service-ca_05_deploy.yaml index 547c3bdd52..fa2e9acdbc 100644 --- a/assets/apps/0000_60_service-ca_05_deploy.yaml +++ b/assets/apps/0000_60_service-ca_05_deploy.yaml @@ -46,11 +46,11 @@ spec: name: signing-cabundle volumes: - name: signing-key - hostPath: - path: {{.KeyDir}} + secret: + secretName: {{.TLSSecret}} - name: signing-cabundle - hostPath: - path: {{.CADir}} + configMap: + name: {{.CAConfigMap}} # nodeSelector: # node-role.kubernetes.io/master: "" priorityClassName: "system-cluster-critical" diff --git a/assets/core/0000_60_service-ca_04_configmap.yaml b/assets/core/0000_60_service-ca_04_configmap.yaml new file mode 100644 index 0000000000..959777cdba --- /dev/null +++ b/assets/core/0000_60_service-ca_04_configmap.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: openshift-service-ca + name: signing-cabundle +data: + ca-bundle.crt: diff --git a/assets/core/0000_60_service-ca_04_secret.yaml b/assets/core/0000_60_service-ca_04_secret.yaml new file mode 100644 index 0000000000..6bbaac836e --- /dev/null +++ b/assets/core/0000_60_service-ca_04_secret.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Secret +metadata: + namespace: openshift-service-ca + name: signing-key +type: kubernetes.io/tls +data: + tls.crt: + tls.key: diff --git a/pkg/assets/apps/bindata.go b/pkg/assets/apps/bindata.go index 444e6bd06a..987a4140ab 100644 --- a/pkg/assets/apps/bindata.go +++ b/pkg/assets/apps/bindata.go @@ -227,11 +227,11 @@ spec: name: signing-cabundle volumes: - name: signing-key - hostPath: - path: {{.KeyDir}} + secret: + secretName: {{.TLSSecret}} - name: signing-cabundle - hostPath: - path: {{.CADir}} + configMap: + name: {{.CAConfigMap}} # nodeSelector: # node-role.kubernetes.io/master: "" priorityClassName: "system-cluster-critical" diff --git a/pkg/assets/core.go b/pkg/assets/core.go index 78cafc5af1..0314cf13ee 100755 --- a/pkg/assets/core.go 
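Review bot: The `signing-key` volume now mounts the CA's private key from a Secret but takes the default file mode, which for secret volumes is 0644 inside the pod; for a signing key it is worth adding `defaultMode: 0400` under `secret:` next to `secretName: {{.TLSSecret}}`, or 0440 with an fsGroup if the container runs as a non-root UID — the pod's securityContext is outside this hunk, so check it before choosing. Moving from hostPath to a Secret also changes the trust boundary: the key now lives in etcd and is readable by anyone with `get secrets` in `openshift-service-ca` rather than only by root on the node, which deserves a one-line comment on the volume. The deployment spec this hunk belongs to starts before the hunk.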
+++ b/pkg/assets/core.go
@@ -68,6 +68,35 @@ func (ns *nsApplier) Applier() error {
 return nil
 }
 
+type secretApplier struct {
+ Client *coreclientv1.CoreV1Client
+ secret *corev1.Secret
+}
+
+func (secret *secretApplier) Reader(objBytes []byte, render RenderFunc, params RenderParams) {
+ var err error
+ if render != nil {
+ objBytes, err = render(objBytes, params)
+ if err != nil {
+ panic(err)
+ }
+ }
+ obj, err := runtime.Decode(coreCodecs.UniversalDecoder(corev1.SchemeGroupVersion), objBytes)
+ if err != nil {
+ panic(err)
+ }
+ secret.secret = obj.(*corev1.Secret)
+}
+
+func (secret *secretApplier) Applier() error {
+ _, err := secret.Client.Secrets(secret.secret.Namespace).Get(context.TODO(), secret.secret.Name, metav1.GetOptions{})
+ if apierrors.IsNotFound(err) {
+ _, err := secret.Client.Secrets(secret.secret.Namespace).Create(context.TODO(), secret.secret, metav1.CreateOptions{})
+ return err
+ }
+ return nil
+}
+
 type svcApplier struct {
 Client *coreclientv1.CoreV1Client
 svc *corev1.Service
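Review bot: In `secretApplier.Applier` a `Get` that fails for any reason other than NotFound (RBAC denied, API server unreachable) is treated as success: the NotFound branch is skipped and the method returns nil, so the caller believes the signing-key Secret is in place when nothing was verified. Add `if err != nil { return err }` after the NotFound block. The `:=` inside that block shadows the outer `err`; it is harmless because the value is returned immediately, but `_, err = ...` reads cleaner and avoids a lint warning. `Reader` panics on render and decode errors, which appears to follow the existing applier pattern, but for this asset it means a malformed Secret manifest takes the whole process down instead of surfacing an error to `startServiceCAController`.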
@@ -198,3 +227,43 @@ func ApplyConfigMaps(cores []string, kubeconfigPath string) error {
 cm.Client = coreClient(kubeconfigPath)
 return applyCore(cores, cm, nil, nil)
 }
+
+func ApplyConfigMapWithData(cmPath string, data map[string]string, kubeconfigPath string) error {
+ ctx := context.TODO()
+ cm := &cmApplier{}
+ cm.Client = coreClient(kubeconfigPath)
+ if err := applyCore([]string{cmPath}, cm, nil, nil); err != nil {
+ return err
+ }
+ c, err := cm.Client.ConfigMaps(cm.cm.Namespace).Get(ctx, cm.cm.Name, metav1.GetOptions{})
+ if apierrors.IsNotFound(err) {
+ c, err = cm.Client.ConfigMaps(cm.cm.Namespace).Create(ctx, cm.cm, metav1.CreateOptions{})
+ return err
+ }
+ c.Data = data
+ _, err = cm.Client.ConfigMaps(c.Namespace).Update(ctx, c, metav1.UpdateOptions{})
+ if err != nil {
+ return err
+ }
+ return nil
+}
+
+func ApplySecretWithData(secretPath string, data map[string][]byte, kubeconfigPath string) error {
+ ctx := context.TODO()
+ secret := &secretApplier{}
+ secret.Client = coreClient(kubeconfigPath)
+ if err := applyCore([]string{secretPath}, secret, nil, nil); err != nil {
+ return err
+ }
+ s, err := secret.Client.Secrets(secret.secret.Namespace).Get(ctx, secret.secret.Name, metav1.GetOptions{})
+ if apierrors.IsNotFound(err) {
+ s, err = secret.Client.Secrets(secret.secret.Namespace).Create(ctx, secret.secret, metav1.CreateOptions{})
+ return err
+ }
+ s.Data = data
+ _, err = secret.Client.Secrets(s.Namespace).Update(ctx, s, metav1.UpdateOptions{})
+ if err != nil {
+ return err
+ }
+ return nil
+}
diff --git a/pkg/assets/core/bindata.go b/pkg/assets/core/bindata.go
index 604800d503..dfacf35ac9 100644
--- a/pkg/assets/core/bindata.go
+++ b/pkg/assets/core/bindata.go
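Review bot: Both `ApplyConfigMapWithData` and `ApplySecretWithData` fall through on a non-NotFound error from `Get`: `c`/`s` is then an empty object (or nil, depending on the client), `Data` is set on it and `Update` is attempted with an empty name and namespace, so the real failure (RBAC, connectivity) is masked by a confusing client error or a panic. The NotFound branch has a second problem: it creates from `cm.cm`/`secret.secret`, which still carry the asset's empty `ca-bundle.crt`/`tls.crt`/`tls.key`, and then returns, so on that path the signing key is never written to the cluster. Note also that `applyCore` (if it invokes `Applier` as its name suggests) already creates the placeholder `kubernetes.io/tls` Secret with empty key material before the data is attached, so there is a window with an empty signing-key Secret on every start; assigning `Data` before the create avoids both issues. Suggested shape for the Secret variant (the ConfigMap one is the same):
```go
	s, err := secret.Client.Secrets(secret.secret.Namespace).Get(ctx, secret.secret.Name, metav1.GetOptions{})
	if apierrors.IsNotFound(err) {
		// create with the real key material, not the asset's empty placeholders
		secret.secret.Data = data
		_, err = secret.Client.Secrets(secret.secret.Namespace).Create(ctx, secret.secret, metav1.CreateOptions{})
		return err
	}
	if err != nil {
		return err
	}
	s.Data = data
	// … unchanged: Update call and return …
```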
@@ -4,7 +4,9 @@ // assets/core/0000_00_flannel-service-account.yaml // assets/core/0000_50_cluster-openshift-controller-manager_00_namespace.yaml // assets/core/0000_60_service-ca_01_namespace.yaml +// assets/core/0000_60_service-ca_04_configmap.yaml // assets/core/0000_60_service-ca_04_sa.yaml +// assets/core/0000_60_service-ca_04_secret.yaml // assets/core/0000_70_dns_00-namespace.yaml // assets/core/0000_70_dns_01-configmap.yaml // assets/core/0000_70_dns_01-dns-service-account.yaml @@ -194,6 +196,30 @@ func assetsCore0000_60_serviceCa_01_namespaceYaml() (*asset, error) { return a, nil } +var _assetsCore0000_60_serviceCa_04_configmapYaml = []byte(`apiVersion: v1 +kind: ConfigMap +metadata: + namespace: openshift-service-ca + name: signing-cabundle +data: + ca-bundle.crt: +`) + +func assetsCore0000_60_serviceCa_04_configmapYamlBytes() ([]byte, error) { + return _assetsCore0000_60_serviceCa_04_configmapYaml, nil +} + +func assetsCore0000_60_serviceCa_04_configmapYaml() (*asset, error) { + bytes, err := assetsCore0000_60_serviceCa_04_configmapYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/core/0000_60_service-ca_04_configmap.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + var _assetsCore0000_60_serviceCa_04_saYaml = []byte(`apiVersion: v1 kind: ServiceAccount metadata: 
@@ -216,6 +242,32 @@ func assetsCore0000_60_serviceCa_04_saYaml() (*asset, error) { return a, nil } +var _assetsCore0000_60_serviceCa_04_secretYaml = []byte(`apiVersion: v1 +kind: Secret +metadata: + namespace: openshift-service-ca + name: signing-key +type: kubernetes.io/tls +data: + tls.crt: + tls.key: +`) + +func assetsCore0000_60_serviceCa_04_secretYamlBytes() ([]byte, error) { + return _assetsCore0000_60_serviceCa_04_secretYaml, nil +} + +func assetsCore0000_60_serviceCa_04_secretYaml() (*asset, error) { + bytes, err := assetsCore0000_60_serviceCa_04_secretYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/core/0000_60_service-ca_04_secret.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + var _assetsCore0000_70_dns_00NamespaceYaml = []byte(`kind: Namespace apiVersion: v1 metadata: @@ -642,7 +694,9 @@ var _bindata = map[string]func() (*asset, error){ "assets/core/0000_00_flannel-service-account.yaml": assetsCore0000_00_flannelServiceAccountYaml, "assets/core/0000_50_cluster-openshift-controller-manager_00_namespace.yaml": assetsCore0000_50_clusterOpenshiftControllerManager_00_namespaceYaml, "assets/core/0000_60_service-ca_01_namespace.yaml": assetsCore0000_60_serviceCa_01_namespaceYaml, + "assets/core/0000_60_service-ca_04_configmap.yaml": assetsCore0000_60_serviceCa_04_configmapYaml, "assets/core/0000_60_service-ca_04_sa.yaml": assetsCore0000_60_serviceCa_04_saYaml, + "assets/core/0000_60_service-ca_04_secret.yaml": assetsCore0000_60_serviceCa_04_secretYaml, "assets/core/0000_70_dns_00-namespace.yaml": assetsCore0000_70_dns_00NamespaceYaml, "assets/core/0000_70_dns_01-configmap.yaml": assetsCore0000_70_dns_01ConfigmapYaml, "assets/core/0000_70_dns_01-dns-service-account.yaml": assetsCore0000_70_dns_01DnsServiceAccountYaml, 
@@ -704,7 +758,9 @@ var _bintree = &bintree{nil, map[string]*bintree{ "0000_00_flannel-service-account.yaml": {assetsCore0000_00_flannelServiceAccountYaml, map[string]*bintree{}}, "0000_50_cluster-openshift-controller-manager_00_namespace.yaml": {assetsCore0000_50_clusterOpenshiftControllerManager_00_namespaceYaml, map[string]*bintree{}}, "0000_60_service-ca_01_namespace.yaml": {assetsCore0000_60_serviceCa_01_namespaceYaml, map[string]*bintree{}}, + "0000_60_service-ca_04_configmap.yaml": {assetsCore0000_60_serviceCa_04_configmapYaml, map[string]*bintree{}}, "0000_60_service-ca_04_sa.yaml": {assetsCore0000_60_serviceCa_04_saYaml, map[string]*bintree{}}, + "0000_60_service-ca_04_secret.yaml": {assetsCore0000_60_serviceCa_04_secretYaml, map[string]*bintree{}}, "0000_70_dns_00-namespace.yaml": {assetsCore0000_70_dns_00NamespaceYaml, map[string]*bintree{}}, "0000_70_dns_01-configmap.yaml": {assetsCore0000_70_dns_01ConfigmapYaml, map[string]*bintree{}}, "0000_70_dns_01-dns-service-account.yaml": {assetsCore0000_70_dns_01DnsServiceAccountYaml, map[string]*bintree{}}, diff --git a/pkg/components/controllers.go b/pkg/components/controllers.go index 863491ef16..2bf6976bf3 100644 --- a/pkg/components/controllers.go +++ b/pkg/components/controllers.go @@ -1,6 +1,8 @@ package components import ( + "os" + "github.com/openshift/microshift/pkg/assets" "github.com/openshift/microshift/pkg/config" 
@@ -31,7 +33,32 @@ func startServiceCAController(cfg *config.MicroshiftConfig, kubeconfigPath strin
 sa = []string{
 "assets/core/0000_60_service-ca_04_sa.yaml",
 }
+ secret = "assets/core/0000_60_service-ca_04_secret.yaml"
+ secretName = "signing-key"
+ cm = "assets/core/0000_60_service-ca_04_configmap.yaml"
+ cmName = "signing-cabundle"
 )
+ caPath := cfg.DataDir + "/certs/ca-bundle/ca-bundle.crt"
+ tlsCrtPath := cfg.DataDir + "/resources/service-ca/secrets/service-ca/tls.crt"
+ tlsKeyPath := cfg.DataDir + "/resources/service-ca/secrets/service-ca/tls.key"
+ cmData := map[string]string{}
+ secretData := map[string][]byte{}
+ cabundle, err := os.ReadFile(caPath)
+ if err != nil {
+ return err
+ }
+ tlscrt, err := os.ReadFile(tlsCrtPath)
+ if err != nil {
+ return err
+ }
+ tlskey, err := os.ReadFile(tlsKeyPath)
+ if err != nil {
+ return err
+ }
+ cmData["ca-bundle.crt"] = string(cabundle)
+ secretData["tls.crt"] = tlscrt
+ secretData["tls.key"] = tlskey
+
 if err := assets.ApplyNamespaces(ns, kubeconfigPath); err != nil {
 logrus.Warningf("failed to apply ns %v: %v", ns, err)
 return err
@@ -56,7 +83,15 @@ func startServiceCAController(cfg *config.MicroshiftConfig, kubeconfigPath strin
 logrus.Warningf("failed to apply sa %v: %v", sa, err)
 return err
 }
- if err := assets.ApplyDeployments(apps, renderSCController, assets.RenderParams{"DataDir": cfg.DataDir}, kubeconfigPath); err != nil {
+ if err := assets.ApplySecretWithData(secret, secretData, kubeconfigPath); err != nil {
+ logrus.Warningf("failed to apply secret %v: %v", secret, err)
+ return err
+ }
+ if err := assets.ApplyConfigMapWithData(cm, cmData, kubeconfigPath); err != nil {
+ logrus.Warningf("failed to apply sa %v: %v", cm, err)
+ return err
+ }
+ if err := assets.ApplyDeployments(apps, renderSCController, assets.RenderParams{"ConfigMap": cmName, "Secret": secretName}, kubeconfigPath); err != nil {
 logrus.Warningf("failed to apply apps %v: %v", apps, err)
 return err
 }
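Review bot: The key material read from `tlsKeyPath`, `tlsCrtPath` and `caPath` is pushed into the Secret and ConfigMap unchecked; a zero-length or truncated file (for example after an interrupted write) is accepted, the `kubernetes.io/tls` Secret is then created with empty values (as far as I recall the API server only checks that the keys are present), and the failure surfaces later as an opaque signing error in the controller. A guard such as `if len(tlscrt) == 0 || len(tlskey) == 0 || len(cabundle) == 0 { return fmt.Errorf("service-ca key material under %s is empty", cfg.DataDir) }` keeps the failure at its source (fmt is not among the visible imports). Style: the three paths are built by string concatenation; `filepath.Join(cfg.DataDir, "resources", "service-ca", "secrets", "service-ca", "tls.key")` is the idiomatic form and would also need an import. The enclosing function starts before this hunk.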
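Review bot: The warning for a ConfigMap failure is a copy-paste from the service-account step: `logrus.Warningf("failed to apply sa %v: %v", cm, err)` should read `logrus.Warningf("failed to apply configmap %v: %v", cm, err)`, otherwise a broken CA-bundle apply shows up in the logs as a service-account problem. The render parameters `"ConfigMap"` and `"Secret"` are bare string keys that must match what `renderSCController` reads in render.go; a typo on either side renders an empty `secretName:`/`name:` in the deployment, so a shared constant for the two keys would make the coupling mechanical rather than by convention.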
diff --git a/pkg/components/render.go b/pkg/components/render.go index 594cd2fbb0..8a048f35b3 100755 --- a/pkg/components/render.go +++ b/pkg/components/render.go @@ -10,12 +10,12 @@ import ( func renderSCController(b []byte, p assets.RenderParams) ([]byte, error) { data := struct { - ReleaseImage assets.RenderParams - KeyDir, CADir string + ReleaseImage assets.RenderParams + CAConfigMap, TLSSecret string }{ ReleaseImage: release.Image, - KeyDir: p["DataDir"] + "/resources/service-ca/secrets/service-ca", - CADir: p["DataDir"] + "/certs/ca-bundle", + CAConfigMap: p["ConfigMap"], + TLSSecret: p["Secret"], } tpl := template.Must(template.New("sc").Parse(string(b))) var byteBuff bytes.Buffer
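Review bot: `renderSCController` now copies `p["ConfigMap"]` and `p["Secret"]` straight into the template without checking they were supplied; a caller that omits either key renders `secretName:` or `name:` as an empty string, and the deployment is rejected at apply time (or mounts nothing) with an error that points at the deployment rather than at the missing parameter. A guard at the top of the function, `if p["ConfigMap"] == "" || p["Secret"] == "" { return nil, errors.New("renderSCController: ConfigMap and Secret params are required") }`, reports it at the source (errors is not among the visible imports). The function continues past the end of the hunk.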