Merge pull request #372 from alecmerdler/PROJQUAY-1306

Properly Rename Extra CA Certificates (PROJQUAY-1306)

controllers/quay/features.go

@@ -3,11 +3,13 @@ package controllers
 import (
 	"context"
 	"strings"
+	"time"
 
 	objectbucket "github.com/kube-object-storage/lib-bucket-provisioner/pkg/apis/objectbucket.io/v1alpha1"
 	routev1 "github.com/openshift/api/route/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
@@ -23,30 +25,49 @@ const (
 )
 
 func (r *QuayRegistryReconciler) checkRoutesAvailable(quay *v1.QuayRegistry) (*v1.QuayRegistry, error) {
-	var routes routev1.RouteList
-	err := r.Client.List(context.Background(), &routes)
-	if err == nil {
-		r.Log.Info("cluster supports `Routes` API")
-		existingAnnotations := quay.GetAnnotations()
-		if existingAnnotations == nil {
-			existingAnnotations = map[string]string{}
-		}
+	fakeRoute, err := v1.EnsureOwnerReference(quay, &routev1.Route{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      quay.GetName() + "-test-route",
+			Namespace: quay.GetNamespace(),
+		},
+		Spec: routev1.RouteSpec{To: routev1.RouteTargetReference{Kind: "Service", Name: "none"}},
+	})
+
+	if err != nil {
+		return quay, err
+	}
 
-		existingAnnotations[v1.SupportsRoutesAnnotation] = "true"
+	if err := r.Client.Create(context.Background(), fakeRoute); err != nil {
+		return quay, err
+	}
 
-		if _, ok := existingAnnotations[v1.ClusterHostnameAnnotation]; !ok && len(routes.Items) > 0 {
-			for _, route := range routes.Items {
-				if len(route.Status.Ingress) > 0 {
-					existingAnnotations[v1.ClusterHostnameAnnotation] = route.Status.Ingress[0].RouterCanonicalHostname
-					r.Log.Info("detected router canonical hostname: " + route.Status.Ingress[0].RouterCanonicalHostname)
-					break
-				}
-			}
-		}
+	r.Log.Info("cluster supports `Routes` API")
 
-		quay.SetAnnotations(existingAnnotations)
+	// Wait until `status.ingress` is populated.
+	time.Sleep(time.Millisecond * 500)
+
+	if err := r.Client.Get(context.Background(), types.NamespacedName{Name: quay.GetName() + "-test-route", Namespace: quay.GetNamespace()}, fakeRoute); err != nil {
+		return quay, err
 	}
 
+	existingAnnotations := quay.GetAnnotations()
+	if existingAnnotations == nil {
+		existingAnnotations = map[string]string{}
+	}
+
+	existingAnnotations[v1.SupportsRoutesAnnotation] = "true"
+
+	if _, ok := existingAnnotations[v1.ClusterHostnameAnnotation]; !ok {
+		existingAnnotations[v1.ClusterHostnameAnnotation] = fakeRoute.(*routev1.Route).Status.Ingress[0].RouterCanonicalHostname
+		r.Log.Info("detected router canonical hostname: " + existingAnnotations[v1.ClusterHostnameAnnotation])
+	}
+
+	if err := r.Client.Delete(context.Background(), fakeRoute); err != nil {
+		return quay, err
+	}
+
+	quay.SetAnnotations(existingAnnotations)
+
 	return quay, nil
 }
 

deploy/manifests/quay-operator/0.0.1/quay-operator.clusterserviceversion.yaml

@@ -138,7 +138,7 @@ spec:
                     fieldRef:
                       fieldPath: metadata.annotations['olm.targetNamespaces']
                 - name: RELATED_IMAGE_COMPONENT_QUAY
-                  value: quay.io/projectquay/quay@sha256:acd4fa1d6c4045020c8b5483a4de5741692240e7137b6cb4a12bdadffe8bdfac
+                  value: quay.io/projectquay/quay@sha256:a544ee36a20cb24d02a5f7b70daef776b169e3b2cdfc8f5dcf605475067ac8b0
                 - name: RELATED_IMAGE_COMPONENT_CLAIR
                   value: quay.io/projectquay/clair@sha256:70c99feceb4c0973540d22e740659cd8d616775d3ad1c1698ddf71d0221f3ce6
                 - name: RELATED_IMAGE_COMPONENT_POSTGRES

kustomize/base/config.deployment.yaml

@@ -23,7 +23,7 @@ spec:
             name: cluster-service-ca
       containers:
         - name: quay-config-editor
-          image: quay.io/projectquay/quay@sha256:acd4fa1d6c4045020c8b5483a4de5741692240e7137b6cb4a12bdadffe8bdfac
+          image: quay.io/projectquay/quay@sha256:a544ee36a20cb24d02a5f7b70daef776b169e3b2cdfc8f5dcf605475067ac8b0
           ports:
             - containerPort: 8080
               protocol: TCP

kustomize/base/quay.deployment.yaml

@@ -23,7 +23,7 @@ spec:
             name: cluster-service-ca
       containers:
         - name: quay-app
-          image: quay.io/projectquay/quay@sha256:acd4fa1d6c4045020c8b5483a4de5741692240e7137b6cb4a12bdadffe8bdfac
+          image: quay.io/projectquay/quay@sha256:a544ee36a20cb24d02a5f7b70daef776b169e3b2cdfc8f5dcf605475067ac8b0
           env:
             - name: QE_K8S_CONFIG_SECRET
               # FIXME(alecmerdler): Using `vars` is kinda ugly because it's basically templating, but this needs to be the generated `Secret` name...

kustomize/base/upgrade.deployment.yaml

@@ -23,7 +23,7 @@ spec:
             name: cluster-service-ca
       containers:
         - name: quay-app-upgrade
-          image: quay.io/projectquay/quay@sha256:acd4fa1d6c4045020c8b5483a4de5741692240e7137b6cb4a12bdadffe8bdfac
+          image: quay.io/projectquay/quay@sha256:a544ee36a20cb24d02a5f7b70daef776b169e3b2cdfc8f5dcf605475067ac8b0
           env:
             - name: QE_K8S_CONFIG_SECRET
               # FIXME(alecmerdler): Using `vars` is kinda ugly because it's basically templating, but this needs to be the generated `Secret` name...

kustomize/components/clair/upgrade.deployment.patch.yaml

@@ -11,7 +11,7 @@ spec:
       # Init conatainer needed to wait for Clair to initialize (can take minutes) before attempting to validate config.
       initContainers:
         - name: quay-app-upgrade-init
-          image: quay.io/projectquay/quay@sha256:acd4fa1d6c4045020c8b5483a4de5741692240e7137b6cb4a12bdadffe8bdfac
+          image: quay.io/projectquay/quay@sha256:a544ee36a20cb24d02a5f7b70daef776b169e3b2cdfc8f5dcf605475067ac8b0
           command:
             - /bin/sh
             - -c

kustomize/components/mirror/mirror.deployment.yaml

@@ -30,7 +30,7 @@ spec:
                       path: quay-ssl.cert
       initContainers:
         - name: quay-mirror-init
-          image: quay.io/projectquay/quay@sha256:acd4fa1d6c4045020c8b5483a4de5741692240e7137b6cb4a12bdadffe8bdfac
+          image: quay.io/projectquay/quay@sha256:a544ee36a20cb24d02a5f7b70daef776b169e3b2cdfc8f5dcf605475067ac8b0
           command:
             - /bin/sh
             - -c
@@ -40,7 +40,7 @@ spec:
               value: $(QUAY_APP_SERVICE_HOST)
       containers:
         - name: quay-mirror
-          image: quay.io/projectquay/quay@sha256:acd4fa1d6c4045020c8b5483a4de5741692240e7137b6cb4a12bdadffe8bdfac
+          image: quay.io/projectquay/quay@sha256:a544ee36a20cb24d02a5f7b70daef776b169e3b2cdfc8f5dcf605475067ac8b0
           command: ["/quay-registry/quay-entrypoint.sh"]
           args: ["repomirror-nomigrate"]
           env:

pkg/configure/configure.go

@@ -122,15 +122,20 @@ func createUpdatedSecret(reconfigureRequest request) corev1.Secret {
 	if len(reconfigureRequest.Namespace) == 0 {
 		panic("namespace not provided")
 	}
+
 	if len(reconfigureRequest.QuayRegistryName) == 0 {
 		panic("quayRegistryName not provided")
 	}
 
 	secretData["config.yaml"] = encode(reconfigureRequest.Config)
 	for fullFilePathname, encodedCert := range reconfigureRequest.Certs {
-		log.Println("including cert in secret: " + fullFilePathname)
 		certName := strings.Split(fullFilePathname, "/")[len(strings.Split(fullFilePathname, "/"))-1]
-		secretData["extra_ca_cert_"+strings.ReplaceAll(certName, "extra_ca_cert_", "")] = encodedCert
+		if strings.HasPrefix(fullFilePathname, "extra_ca_certs/") {
+			certName = "extra_ca_cert_" + strings.ReplaceAll(certName, "extra_ca_cert_", "")
+		}
+		secretData[certName] = encodedCert
+
+		log.Println("including cert in secret: " + certName)
 	}
 
 	newSecret := corev1.Secret{