refactor(capsuleconfiguration): allowing to skip tls reconciler

2026-02-14 18:09:58 +00:00 · 2022-07-22 11:35:55 +02:00
parent 5a8a8ae77a
commit 098a74b565
5 changed files with 37 additions and 44 deletions
--- a/api/v1alpha1/capsuleconfiguration_annotations.go
+++ b/api/v1alpha1/capsuleconfiguration_annotations.go
@@ -8,5 +8,5 @@ const (
 	TLSSecretNameAnnotation                  = "capsule.clastix.io/tls-secret-name"
 	MutatingWebhookConfigurationName         = "capsule.clastix.io/mutating-webhook-configuration-name"
 	ValidatingWebhookConfigurationName       = "capsule.clastix.io/validating-webhook-configuration-name"
-	GenerateCertificatesAnnotationName       = "capsule.clastix.io/generate-certificates"
+	EnableTLSConfigurationAnnotationName     = "capsule.clastix.io/enable-tls-configuration"
 )
--- a/controllers/tls/manager.go
+++ b/controllers/tls/manager.go
@@ -177,31 +177,21 @@ func (r Reconciler) Reconcile(ctx context.Context, request ctrl.Request) (ctrl.R
 		return reconcile.Result{}, err
 	}

-	if r.Configuration.GenerateCertificates() {
-		certificate, err := cert.GetCertificateFromBytes(certSecret.Data[corev1.TLSCertKey])
-		if err != nil {
-			return reconcile.Result{}, err
-		}
-
-		now := time.Now()
-		requeueTime := certificate.NotAfter.Add(-(certificateExpirationThreshold - 1*time.Second))
-		rq := requeueTime.Sub(now)
-
-		r.Log.Info("Reconciliation completed, processing back in " + rq.String())
-
-		return reconcile.Result{Requeue: true, RequeueAfter: rq}, nil
+	certificate, err := cert.GetCertificateFromBytes(certSecret.Data[corev1.TLSCertKey])
+	if err != nil {
+		return reconcile.Result{}, err
 	}

-	return reconcile.Result{}, nil
+	now := time.Now()
+	requeueTime := certificate.NotAfter.Add(-(certificateExpirationThreshold - 1*time.Second))
+	rq := requeueTime.Sub(now)
+
+	r.Log.Info("Reconciliation completed, processing back in " + rq.String())
+
+	return reconcile.Result{Requeue: true, RequeueAfter: rq}, nil
 }

 func (r Reconciler) shouldUpdateCertificate(secret *corev1.Secret) bool {
-	if !r.Configuration.GenerateCertificates() {
-		r.Log.Info("Skipping TLS certificate generation as it is disabled in CapsuleConfiguration")
-
-		return false
-	}
-
 	if _, ok := secret.Data[corev1.ServiceAccountRootCAKey]; !ok {
 		return true
 	}
--- a/main.go
+++ b/main.go
@@ -142,29 +142,30 @@ func main() {

 	directCfg := configuration.NewCapsuleConfiguration(ctx, directClient, configurationName)

-	tlsReconciler := &tlscontroller.Reconciler{
-		Client:        directClient,
-		Log:           ctrl.Log.WithName("controllers").WithName("TLS"),
-		Namespace:     namespace,
-		Configuration: directCfg,
-	}
+	if directCfg.EnableTLSConfiguration() {
+		tlsReconciler := &tlscontroller.Reconciler{
+			Client:        directClient,
+			Log:           ctrl.Log.WithName("controllers").WithName("TLS"),
+			Namespace:     namespace,
+			Configuration: directCfg,
+		}

-	if err = tlsReconciler.SetupWithManager(manager); err != nil {
-		setupLog.Error(err, "unable to create controller", "controller", "Namespace")
-		os.Exit(1)
-	}
+		if err = tlsReconciler.SetupWithManager(manager); err != nil {
+			setupLog.Error(err, "unable to create controller", "controller", "Namespace")
+			os.Exit(1)
+		}

-	tlsCert := &corev1.Secret{}
+		tlsCert := &corev1.Secret{}

-	if err = directClient.Get(ctx, types.NamespacedName{Namespace: namespace, Name: directCfg.TLSSecretName()}, tlsCert); err != nil {
-		setupLog.Error(err, "unable to get Capsule TLS secret")
-		os.Exit(1)
-	}
-
-	// Reconcile TLS certificates before starting controllers and webhooks
-	if err = tlsReconciler.ReconcileCertificates(ctx, tlsCert); err != nil {
-		setupLog.Error(err, "unable to reconcile Capsule TLS secret")
-		os.Exit(1)
+		if err = directClient.Get(ctx, types.NamespacedName{Namespace: namespace, Name: directCfg.TLSSecretName()}, tlsCert); err != nil {
+			setupLog.Error(err, "unable to get Capsule TLS secret")
+			os.Exit(1)
+		}
+		// Reconcile TLS certificates before starting controllers and webhooks
+		if err = tlsReconciler.ReconcileCertificates(ctx, tlsCert); err != nil {
+			setupLog.Error(err, "unable to reconcile Capsule TLS secret")
+			os.Exit(1)
+		}
 	}

 	if err = (&tenantcontroller.Manager{
--- a/pkg/configuration/client.go
+++ b/pkg/configuration/client.go
@@ -78,8 +78,8 @@ func (c capsuleConfiguration) TLSSecretName() (name string) {
 	return
 }

-func (c capsuleConfiguration) GenerateCertificates() bool {
-	annotationValue, ok := c.retrievalFn().Annotations[capsulev1alpha1.GenerateCertificatesAnnotationName]
+func (c capsuleConfiguration) EnableTLSConfiguration() bool {
+	annotationValue, ok := c.retrievalFn().Annotations[capsulev1alpha1.EnableTLSConfigurationAnnotationName]

 	if ok {
 		value, err := strconv.ParseBool(annotationValue)
--- a/pkg/configuration/configuration.go
+++ b/pkg/configuration/configuration.go
@@ -19,7 +19,9 @@ const (
 type Configuration interface {
 	ProtectedNamespaceRegexp() (*regexp.Regexp, error)
 	ForceTenantPrefix() bool
-	GenerateCertificates() bool
+	// EnableTLSConfiguration enabled the TLS reconciler, responsible for creating CA and TLS certificate required
+	// for the CRD conversion and webhooks.
+	EnableTLSConfiguration() bool
 	TLSSecretName() string
 	MutatingWebhookConfigurationName() string
 	ValidatingWebhookConfigurationName() string