NETOBSERV-773 Copy certificates across namespaces (#326)
* NETOBSERV-773 Copy certificates across namespaces

- Any certificate (secret/cm) can now be referenced from any namespace,
  which makes the operator watch the original and copy it to a target
  namespace. This allows not only deploying Loki (or Kafka) in any
  namespace, but also fixes the issue of ebpf pods not having access to
  the kafka CA/key without manual intervention.

And quite a big refactoring:
- New "watchers" and "volumes" packages
- Creation of volumes now uses a builder-style approach, allowing
  volumes to be added incrementally while getting their path at the same
  time. It avoids discrepancies between mounted volumes and their related
  path references.
- Watching certificates (or any CM/secret) now uses a digest hash of the
  content instead of metadata, to avoid triggering pod restarts when a
  cm/secret was changed despite its content remaining the same.
- Some things are moved around to make internal APIs easier to use:
  fewer parameters in functions, etc.
- New extensive integration tests on certificate management

Fix failing tests

* Watch loki statusTls certs

* Remove flaky test (they're already run in flowcollector_controller_test)
jotak authored May 31, 2023
1 parent d96d1ae commit ca61fad
Showing 43 changed files with 2,278 additions and 1,105 deletions.
14 changes: 11 additions & 3 deletions api/v1alpha1/flowcollector_types.go
Expand Up @@ -573,15 +573,17 @@ type OVNKubernetesConfig struct {
ContainerName string `json:"containerName,omitempty"`
}

type MountableType string

const (
CertRefTypeSecret = "secret"
CertRefTypeConfigMap = "configmap"
CertRefTypeSecret MountableType = "secret"
CertRefTypeConfigMap MountableType = "configmap"
)

type CertificateReference struct {
//+kubebuilder:validation:Enum=configmap;secret
// type for the certificate reference: "configmap" or "secret"
Type string `json:"type,omitempty"`
Type MountableType `json:"type,omitempty"`

// name of the config map or secret containing certificates
Name string `json:"name,omitempty"`
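Review bot: `Type` changes from `string` to the new named type `MountableType` in a served API version (v1alpha1) and the two constants become typed. The JSON encoding is unchanged, so this is wire-compatible, but the generated conversion between v1alpha1 and v1beta1 must be regenerated rather than hand-edited; `api/v1alpha1/zz_generated.conversion.go` appears in this commit with 4 additions and 2 deletions, so confirm it came out of the generator. Also note that the `+kubebuilder:validation:Enum=configmap;secret` marker spells the values as literals, so it will drift silently if the constant values are ever changed; a comment pointing from the marker to the constants would help.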
Expand All @@ -592,6 +594,12 @@ type CertificateReference struct {
// certKey defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.
// +optional
CertKey string `json:"certKey,omitempty"`

// namespace of the config map or secret containing certificates. If omitted, assumes same namespace as where NetObserv is deployed.
// If the namespace is different, the config map or the secret will be copied so that it can be mounted as required.
// +optional
//+kubebuilder:default:=""
Namespace string `json:"namespace,omitempty"`
}

// ClientTLS defines TLS client configuration
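Review bot: the new `Namespace` field turns a FlowCollector edit into a request for the operator to read a Secret in any namespace and copy it into the namespace where NetObserv is deployed, so anyone allowed to update the FlowCollector CR gains read access to every Secret the operator's RBAC lets it read. The doc comment on the field should state this explicitly (who can trigger the copy, where the copy lands, and that the watcher keeps the copy in sync), and the widened `secrets` RBAC rule in this commit should be cross-referenced from the API docs. Minor: marker spacing is inconsistent (`// +optional` vs `//+kubebuilder:default:=""`); pick one form.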
6 changes: 4 additions & 2 deletions api/v1alpha1/zz_generated.conversion.go


14 changes: 11 additions & 3 deletions api/v1beta1/flowcollector_types.go
Expand Up @@ -641,19 +641,27 @@ type OVNKubernetesConfig struct {
ContainerName string `json:"containerName,omitempty"`
}

type MountableType string

const (
CertRefTypeSecret = "secret"
CertRefTypeConfigMap = "configmap"
RefTypeSecret MountableType = "secret"
RefTypeConfigMap MountableType = "configmap"
)

type CertificateReference struct {
//+kubebuilder:validation:Enum=configmap;secret
// type for the certificate reference: "configmap" or "secret"
Type string `json:"type,omitempty"`
Type MountableType `json:"type,omitempty"`

// name of the config map or secret containing certificates
Name string `json:"name,omitempty"`

// namespace of the config map or secret containing certificates. If omitted, assumes same namespace as where NetObserv is deployed.
// If the namespace is different, the config map or the secret will be copied so that it can be mounted as required.
// +optional
//+kubebuilder:default:=""
Namespace string `json:"namespace,omitempty"`

// certFile defines the path to the certificate file name within the config map or secret
CertFile string `json:"certFile,omitempty"`

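Review bot: the constants are renamed here to `RefTypeSecret`/`RefTypeConfigMap` while the v1alpha1 hunk keeps `CertRefTypeSecret`/`CertRefTypeConfigMap`; both sets are exported, so callers and the conversion code end up with two names for the same values. Use the same identifiers in both versions (or alias one to the other) so the rename cannot hide a missed conversion case. The new `Namespace` field is also placed after `Name` here but after `CertKey` in v1alpha1; field order does not affect the schema, but it makes the two structs harder to compare by eye.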
134 changes: 134 additions & 0 deletions bundle/manifests/flows.netobserv.io_flowcollectors.yaml
Expand Up @@ -1025,6 +1025,15 @@ spec:
description: name of the config map or secret containing
certificates
type: string
namespace:
default: ""
description: namespace of the config map or secret
containing certificates. If omitted, assumes same
namespace as where NetObserv is deployed. If the
namespace is different, the config map or the
secret will be copied so that it can be mounted
as required.
type: string
type:
description: 'type for the certificate reference:
"configmap" or "secret"'
Expand Down Expand Up @@ -1061,6 +1070,15 @@ spec:
description: name of the config map or secret containing
certificates
type: string
namespace:
default: ""
description: namespace of the config map or secret
containing certificates. If omitted, assumes same
namespace as where NetObserv is deployed. If the
namespace is different, the config map or the
secret will be copied so that it can be mounted
as required.
type: string
type:
description: 'type for the certificate reference:
"configmap" or "secret"'
Expand Down Expand Up @@ -1121,6 +1139,14 @@ spec:
description: name of the config map or secret containing
certificates
type: string
namespace:
default: ""
description: namespace of the config map or secret containing
certificates. If omitted, assumes same namespace as
where NetObserv is deployed. If the namespace is different,
the config map or the secret will be copied so that
it can be mounted as required.
type: string
type:
description: 'type for the certificate reference: "configmap"
or "secret"'
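Review bot: this hunk, like the identical `namespace` additions before and after it in this CRD, carries `default: ""` emitted from the `+kubebuilder:default:=""` marker, so the API server will persist an empty string wherever the user omitted the field. With `omitempty` on the Go field that is behaviourally the same as absent, but the stored object no longer distinguishes "unset" from "explicitly empty"; if that distinction is not needed, dropping the marker keeps the schema smaller. The block is repeated for every `CertificateReference` occurrence in both API versions, which is expected for generated schema; confirm every copy of the CRD in the repository was regenerated from the same markers in this commit.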
Expand Down Expand Up @@ -1157,6 +1183,14 @@ spec:
description: name of the config map or secret containing
certificates
type: string
namespace:
default: ""
description: namespace of the config map or secret containing
certificates. If omitted, assumes same namespace as
where NetObserv is deployed. If the namespace is different,
the config map or the secret will be copied so that
it can be mounted as required.
type: string
type:
description: 'type for the certificate reference: "configmap"
or "secret"'
Expand Down Expand Up @@ -1275,6 +1309,14 @@ spec:
description: name of the config map or secret containing
certificates
type: string
namespace:
default: ""
description: namespace of the config map or secret containing
certificates. If omitted, assumes same namespace as
where NetObserv is deployed. If the namespace is different,
the config map or the secret will be copied so that
it can be mounted as required.
type: string
type:
description: 'type for the certificate reference: "configmap"
or "secret"'
Expand Down Expand Up @@ -1311,6 +1353,14 @@ spec:
description: name of the config map or secret containing
certificates
type: string
namespace:
default: ""
description: namespace of the config map or secret containing
certificates. If omitted, assumes same namespace as
where NetObserv is deployed. If the namespace is different,
the config map or the secret will be copied so that
it can be mounted as required.
type: string
type:
description: 'type for the certificate reference: "configmap"
or "secret"'
Expand Down Expand Up @@ -1992,6 +2042,15 @@ spec:
description: name of the config map or secret
containing certificates
type: string
namespace:
default: ""
description: namespace of the config map or secret
containing certificates. If omitted, assumes
same namespace as where NetObserv is deployed.
If the namespace is different, the config map
or the secret will be copied so that it can
be mounted as required.
type: string
type:
description: 'type for the certificate reference:
"configmap" or "secret"'
Expand Down Expand Up @@ -3172,6 +3231,15 @@ spec:
description: name of the config map or secret containing
certificates
type: string
namespace:
default: ""
description: namespace of the config map or secret
containing certificates. If omitted, assumes same
namespace as where NetObserv is deployed. If the
namespace is different, the config map or the
secret will be copied so that it can be mounted
as required.
type: string
type:
description: 'type for the certificate reference:
"configmap" or "secret"'
Expand Down Expand Up @@ -3208,6 +3276,15 @@ spec:
description: name of the config map or secret containing
certificates
type: string
namespace:
default: ""
description: namespace of the config map or secret
containing certificates. If omitted, assumes same
namespace as where NetObserv is deployed. If the
namespace is different, the config map or the
secret will be copied so that it can be mounted
as required.
type: string
type:
description: 'type for the certificate reference:
"configmap" or "secret"'
Expand Down Expand Up @@ -3269,6 +3346,14 @@ spec:
description: name of the config map or secret containing
certificates
type: string
namespace:
default: ""
description: namespace of the config map or secret containing
certificates. If omitted, assumes same namespace as
where NetObserv is deployed. If the namespace is different,
the config map or the secret will be copied so that
it can be mounted as required.
type: string
type:
description: 'type for the certificate reference: "configmap"
or "secret"'
Expand Down Expand Up @@ -3305,6 +3390,14 @@ spec:
description: name of the config map or secret containing
certificates
type: string
namespace:
default: ""
description: namespace of the config map or secret containing
certificates. If omitted, assumes same namespace as
where NetObserv is deployed. If the namespace is different,
the config map or the secret will be copied so that
it can be mounted as required.
type: string
type:
description: 'type for the certificate reference: "configmap"
or "secret"'
Expand Down Expand Up @@ -3404,6 +3497,14 @@ spec:
description: name of the config map or secret containing
certificates
type: string
namespace:
default: ""
description: namespace of the config map or secret containing
certificates. If omitted, assumes same namespace as
where NetObserv is deployed. If the namespace is different,
the config map or the secret will be copied so that
it can be mounted as required.
type: string
type:
description: 'type for the certificate reference: "configmap"
or "secret"'
Expand Down Expand Up @@ -3440,6 +3541,14 @@ spec:
description: name of the config map or secret containing
certificates
type: string
namespace:
default: ""
description: namespace of the config map or secret containing
certificates. If omitted, assumes same namespace as
where NetObserv is deployed. If the namespace is different,
the config map or the secret will be copied so that
it can be mounted as required.
type: string
type:
description: 'type for the certificate reference: "configmap"
or "secret"'
Expand Down Expand Up @@ -3489,6 +3598,14 @@ spec:
description: name of the config map or secret containing
certificates
type: string
namespace:
default: ""
description: namespace of the config map or secret containing
certificates. If omitted, assumes same namespace as
where NetObserv is deployed. If the namespace is different,
the config map or the secret will be copied so that
it can be mounted as required.
type: string
type:
description: 'type for the certificate reference: "configmap"
or "secret"'
Expand Down Expand Up @@ -3525,6 +3642,14 @@ spec:
description: name of the config map or secret containing
certificates
type: string
namespace:
default: ""
description: namespace of the config map or secret containing
certificates. If omitted, assumes same namespace as
where NetObserv is deployed. If the namespace is different,
the config map or the secret will be copied so that
it can be mounted as required.
type: string
type:
description: 'type for the certificate reference: "configmap"
or "secret"'
Expand Down Expand Up @@ -4246,6 +4371,15 @@ spec:
description: name of the config map or secret
containing certificates
type: string
namespace:
default: ""
description: namespace of the config map or secret
containing certificates. If omitted, assumes
same namespace as where NetObserv is deployed.
If the namespace is different, the config map
or the secret will be copied so that it can
be mounted as required.
type: string
type:
description: 'type for the certificate reference:
"configmap" or "secret"'
Expand Up @@ -522,6 +522,7 @@ spec:
resources:
- configmaps
- namespaces
- secrets
- serviceaccounts
- services
verbs:
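Review bot: moving `secrets` out of the rule below (whose visible verbs are `get` and `list`) into this rule gives the operator this rule's broader verb set on Secrets cluster-wide. That is what the cross-namespace copy needs, but it is also the privilege that makes the new `namespace` field sensitive: a FlowCollector writer can now cause any readable Secret to be copied. The verbs of this rule are outside the hunk, so confirm they are limited to what the watcher and copy logic require (reading and watching the source, creating and updating the copy) and do not include `delete` or `*`, and call this privilege widening out in the release notes.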
Expand All @@ -536,7 +537,6 @@ spec:
- ""
resources:
- endpoints
- secrets
verbs:
- get
- list
0 comments on commit ca61fad
