mirror of
https://github.com/clastix/kamaji.git
synced 2026-04-15 06:56:47 +00:00
141 lines
4.8 KiB
Go
141 lines
4.8 KiB
Go
// Copyright 2022 Clastix Labs
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
package resources
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
|
|
"github.com/go-logr/logr"
|
|
corev1 "k8s.io/api/core/v1"
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
k8stypes "k8s.io/apimachinery/pkg/types"
|
|
kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
|
|
ctrl "sigs.k8s.io/controller-runtime"
|
|
"sigs.k8s.io/controller-runtime/pkg/client"
|
|
"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
|
|
|
|
kamajiv1alpha1 "github.com/clastix/kamaji/api/v1alpha1"
|
|
"github.com/clastix/kamaji/internal/kubeadm"
|
|
"github.com/clastix/kamaji/internal/utilities"
|
|
)
|
|
|
|
type APIServerCertificate struct {
|
|
resource *corev1.Secret
|
|
Client client.Client
|
|
Log logr.Logger
|
|
TmpDirectory string
|
|
}
|
|
|
|
func (r *APIServerCertificate) ShouldStatusBeUpdated(_ context.Context, tenantControlPlane *kamajiv1alpha1.TenantControlPlane) bool {
|
|
return tenantControlPlane.Status.Certificates.APIServer.Checksum != r.resource.GetAnnotations()["checksum"]
|
|
}
|
|
|
|
func (r *APIServerCertificate) ShouldCleanup(_ *kamajiv1alpha1.TenantControlPlane) bool {
|
|
return false
|
|
}
|
|
|
|
func (r *APIServerCertificate) CleanUp(context.Context, *kamajiv1alpha1.TenantControlPlane) (bool, error) {
|
|
return false, nil
|
|
}
|
|
|
|
func (r *APIServerCertificate) Define(_ context.Context, tenantControlPlane *kamajiv1alpha1.TenantControlPlane) error {
|
|
r.resource = &corev1.Secret{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: r.getPrefixedName(tenantControlPlane),
|
|
Namespace: tenantControlPlane.GetNamespace(),
|
|
},
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (r *APIServerCertificate) getPrefixedName(tenantControlPlane *kamajiv1alpha1.TenantControlPlane) string {
|
|
return utilities.AddTenantPrefix(r.GetName(), tenantControlPlane)
|
|
}
|
|
|
|
func (r *APIServerCertificate) GetClient() client.Client {
|
|
return r.Client
|
|
}
|
|
|
|
func (r *APIServerCertificate) GetTmpDirectory() string {
|
|
return r.TmpDirectory
|
|
}
|
|
|
|
func (r *APIServerCertificate) CreateOrUpdate(ctx context.Context, tenantControlPlane *kamajiv1alpha1.TenantControlPlane) (res controllerutil.OperationResult, err error) {
|
|
return utilities.CreateOrUpdateWithConflict(ctx, r.Client, r.resource, r.mutate(ctx, tenantControlPlane))
|
|
}
|
|
|
|
func (r *APIServerCertificate) GetName() string {
|
|
return "api-server-certificate"
|
|
}
|
|
|
|
func (r *APIServerCertificate) UpdateTenantControlPlaneStatus(_ context.Context, tenantControlPlane *kamajiv1alpha1.TenantControlPlane) error {
|
|
tenantControlPlane.Status.Certificates.APIServer.LastUpdate = metav1.Now()
|
|
tenantControlPlane.Status.Certificates.APIServer.SecretName = r.resource.GetName()
|
|
tenantControlPlane.Status.Certificates.APIServer.Checksum = r.resource.GetAnnotations()["checksum"]
|
|
|
|
return nil
|
|
}
|
|
|
|
func (r *APIServerCertificate) mutate(ctx context.Context, tenantControlPlane *kamajiv1alpha1.TenantControlPlane) controllerutil.MutateFn {
|
|
return func() error {
|
|
if checksum := tenantControlPlane.Status.Certificates.APIServer.Checksum; len(checksum) > 0 && checksum == r.resource.GetAnnotations()["checksum"] {
|
|
isValid, err := kubeadm.IsCertificatePrivateKeyPairValid(
|
|
r.resource.Data[kubeadmconstants.APIServerCertName],
|
|
r.resource.Data[kubeadmconstants.APIServerKeyName],
|
|
)
|
|
if err != nil {
|
|
r.Log.Info(fmt.Sprintf("%s certificate-private_key pair is not valid: %s", kubeadmconstants.APIServerCertAndKeyBaseName, err.Error()))
|
|
}
|
|
if isValid {
|
|
return nil
|
|
}
|
|
}
|
|
|
|
config, err := getStoredKubeadmConfiguration(ctx, r, tenantControlPlane)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
namespacedName := k8stypes.NamespacedName{Namespace: tenantControlPlane.GetNamespace(), Name: tenantControlPlane.Status.Certificates.CA.SecretName}
|
|
secretCA := &corev1.Secret{}
|
|
if err = r.Client.Get(ctx, namespacedName, secretCA); err != nil {
|
|
return err
|
|
}
|
|
|
|
ca := kubeadm.CertificatePrivateKeyPair{
|
|
Name: kubeadmconstants.CACertAndKeyBaseName,
|
|
Certificate: secretCA.Data[kubeadmconstants.CACertName],
|
|
PrivateKey: secretCA.Data[kubeadmconstants.CAKeyName],
|
|
}
|
|
certificateKeyPair, err := kubeadm.GenerateCertificatePrivateKeyPair(kubeadmconstants.APIServerCertAndKeyBaseName, config, ca)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
r.resource.Data = map[string][]byte{
|
|
kubeadmconstants.APIServerCertName: certificateKeyPair.Certificate,
|
|
kubeadmconstants.APIServerKeyName: certificateKeyPair.PrivateKey,
|
|
}
|
|
|
|
annotations := r.resource.GetAnnotations()
|
|
if annotations == nil {
|
|
annotations = map[string]string{}
|
|
}
|
|
annotations["checksum"] = utilities.CalculateConfigMapChecksum(r.resource.StringData)
|
|
r.resource.SetAnnotations(annotations)
|
|
|
|
r.resource.SetLabels(utilities.MergeMaps(
|
|
utilities.KamajiLabels(),
|
|
map[string]string{
|
|
"kamaji.clastix.io/name": tenantControlPlane.GetName(),
|
|
"kamaji.clastix.io/component": r.GetName(),
|
|
},
|
|
))
|
|
|
|
return ctrl.SetControllerReference(tenantControlPlane, r.resource, r.Client.Scheme())
|
|
}
|
|
}
|