move over TLS applying, as well as some clienthelper work

Azure · Jul 30, 2024 · 1895b7b · 1895b7b
1 parent 78feafb
commit 1895b7b
Show file tree

Hide file tree

Showing 5 changed files with 68 additions and 61 deletions.
diff --git a/pkg/cluster/apply.go b/pkg/cluster/apply.go
@@ -0,0 +1,54 @@
+package cluster
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+import (
+	"context"
+	"crypto/x509"
+	"encoding/pem"
+
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+
+	"github.com/Azure/ARO-RP/pkg/env"
+	"github.com/Azure/ARO-RP/pkg/util/clienthelper"
+	utilpem "github.com/Azure/ARO-RP/pkg/util/pem"
+)
+
+func EnsureTLSSecretFromKeyvault(ctx context.Context, env env.Interface, ch clienthelper.Interface, target types.NamespacedName, certificateName string) error {
+	bundle, err := env.ClusterKeyvault().GetSecret(ctx, certificateName)
+	if err != nil {
+		return err
+	}
+
+	key, certs, err := utilpem.Parse([]byte(*bundle.Value))
+	if err != nil {
+		return err
+	}
+
+	b, err := x509.MarshalPKCS8PrivateKey(key)
+	if err != nil {
+		return err
+	}
+
+	var cb []byte
+	for _, cert := range certs {
+		cb = append(cb, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})...)
+	}
+
+	secret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      target.Name,
+			Namespace: target.Namespace,
+		},
+		Data: map[string][]byte{
+			corev1.TLSCertKey:       cb,
+			corev1.TLSPrivateKeyKey: pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: b}),
+		},
+		Type: corev1.SecretTypeTLS,
+	}
+
+	return ch.Ensure(ctx, secret)
+}
diff --git a/pkg/cluster/cluster.go b/pkg/cluster/cluster.go
@@ -23,7 +23,6 @@ import (
 	extensionsclient "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
 	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/kubernetes"
-	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/Azure/ARO-RP/pkg/api"
 	"github.com/Azure/ARO-RP/pkg/cluster/graph"
@@ -43,6 +42,7 @@ import (
 	"github.com/Azure/ARO-RP/pkg/util/azureclient/mgmt/network"
 	"github.com/Azure/ARO-RP/pkg/util/azureclient/mgmt/privatedns"
 	"github.com/Azure/ARO-RP/pkg/util/billing"
+	"github.com/Azure/ARO-RP/pkg/util/clienthelper"
 	"github.com/Azure/ARO-RP/pkg/util/dns"
 	"github.com/Azure/ARO-RP/pkg/util/encryption"
 	utilgraph "github.com/Azure/ARO-RP/pkg/util/graph"
@@ -105,7 +105,7 @@ type manager struct {
 	graph   graph.Manager
 	rpBlob  azblob.Manager
 
-	client           client.Client
+	ch               clienthelper.Interface
 	kubernetescli    kubernetes.Interface
 	dynamiccli       dynamic.Interface
 	extensionscli    extensionsclient.Interface

diff --git a/pkg/cluster/install.go b/pkg/cluster/install.go
@@ -27,6 +27,7 @@ import (
 	"github.com/Azure/ARO-RP/pkg/database"
 	aroclient "github.com/Azure/ARO-RP/pkg/operator/clientset/versioned"
 	"github.com/Azure/ARO-RP/pkg/operator/deploy"
+	"github.com/Azure/ARO-RP/pkg/util/clienthelper"
 	utilgenerics "github.com/Azure/ARO-RP/pkg/util/generics"
 	"github.com/Azure/ARO-RP/pkg/util/restconfig"
 	"github.com/Azure/ARO-RP/pkg/util/steps"
@@ -534,9 +535,11 @@ func (m *manager) initializeKubernetesClients(ctx context.Context) error {
 		return err
 	}
 
-	m.client, err = client.New(restConfig, client.Options{
+	client, err := client.New(restConfig, client.Options{
 		Mapper: mapper,
 	})
+
+	m.ch = clienthelper.NewWithClient(m.log, client)
 	return err
 }
 

diff --git a/pkg/cluster/tls.go b/pkg/cluster/tls.go
@@ -5,20 +5,16 @@ package cluster
 
 import (
 	"context"
-	"crypto/x509"
-	"encoding/pem"
 
 	configv1 "github.com/openshift/api/config/v1"
 	corev1 "k8s.io/api/core/v1"
-	kerrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
+	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/util/retry"
 
 	"github.com/Azure/ARO-RP/pkg/env"
 	"github.com/Azure/ARO-RP/pkg/util/dns"
 	"github.com/Azure/ARO-RP/pkg/util/keyvault"
-	utilpem "github.com/Azure/ARO-RP/pkg/util/pem"
 )
 
 func (m *manager) createCertificates(ctx context.Context) error {
@@ -69,57 +65,6 @@ func (m *manager) createCertificates(ctx context.Context) error {
 	return nil
 }
 
-func (m *manager) ensureSecret(ctx context.Context, secrets corev1client.SecretInterface, certificateName string) error {
-	bundle, err := m.env.ClusterKeyvault().GetSecret(ctx, certificateName)
-	if err != nil {
-		return err
-	}
-
-	key, certs, err := utilpem.Parse([]byte(*bundle.Value))
-	if err != nil {
-		return err
-	}
-
-	b, err := x509.MarshalPKCS8PrivateKey(key)
-	if err != nil {
-		return err
-	}
-
-	var cb []byte
-	for _, cert := range certs {
-		cb = append(cb, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})...)
-	}
-
-	_, err = secrets.Create(ctx, &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: certificateName,
-		},
-		Data: map[string][]byte{
-			corev1.TLSCertKey:       cb,
-			corev1.TLSPrivateKeyKey: pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: b}),
-		},
-		Type: corev1.SecretTypeTLS,
-	}, metav1.CreateOptions{})
-	if kerrors.IsAlreadyExists(err) {
-		err = retry.RetryOnConflict(retry.DefaultRetry, func() error {
-			s, err := secrets.Get(ctx, certificateName, metav1.GetOptions{})
-			if err != nil {
-				return err
-			}
-
-			s.Data = map[string][]byte{
-				corev1.TLSCertKey:       cb,
-				corev1.TLSPrivateKeyKey: pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: b}),
-			}
-			s.Type = corev1.SecretTypeTLS
-
-			_, err = secrets.Update(ctx, s, metav1.UpdateOptions{})
-			return err
-		})
-	}
-	return err
-}
-
 func (m *manager) configureAPIServerCertificate(ctx context.Context) error {
 	if m.env.FeatureIsSet(env.FeatureDisableSignedCertificates) {
 		return nil
@@ -135,7 +80,7 @@ func (m *manager) configureAPIServerCertificate(ctx context.Context) error {
 	}
 
 	for _, namespace := range []string{"openshift-config", "openshift-azure-operator"} {
-		err = m.ensureSecret(ctx, m.kubernetescli.CoreV1().Secrets(namespace), m.doc.ID+"-apiserver")
+		err = EnsureTLSSecretFromKeyvault(ctx, m.env, m.ch, types.NamespacedName{Name: m.doc.ID + "-apiserver", Namespace: namespace}, m.doc.ID+"-apiserver")
 		if err != nil {
 			return err
 		}
@@ -178,7 +123,7 @@ func (m *manager) configureIngressCertificate(ctx context.Context) error {
 	}
 
 	for _, namespace := range []string{"openshift-ingress", "openshift-azure-operator"} {
-		err = m.ensureSecret(ctx, m.kubernetescli.CoreV1().Secrets(namespace), m.doc.ID+"-ingress")
+		err = EnsureTLSSecretFromKeyvault(ctx, m.env, m.ch, types.NamespacedName{Namespace: namespace, Name: m.doc.ID + "-ingress"}, m.doc.ID+"-ingress")
 		if err != nil {
 			return err
 		}

diff --git a/pkg/util/clienthelper/clienthelper.go b/pkg/util/clienthelper/clienthelper.go
@@ -38,6 +38,7 @@ type Interface interface {
 	EnsureDeleted(ctx context.Context, gvk schema.GroupVersionKind, key types.NamespacedName) error
 	Ensure(ctx context.Context, objs ...kruntime.Object) error
 	GetOne(ctx context.Context, key types.NamespacedName, obj kruntime.Object) error
+	Client() client.Client
 }
 
 type clientHelper struct {
@@ -66,6 +67,10 @@ func NewWithClient(log *logrus.Entry, client client.Client) Interface {
 	}
 }
 
+func (ch *clientHelper) Client() client.Client {
+	return ch.client
+}
+
 func (ch *clientHelper) EnsureDeleted(ctx context.Context, gvk schema.GroupVersionKind, key types.NamespacedName) error {
 	a := meta.AsPartialObjectMetadata(&metav1.ObjectMeta{
 		Name:      key.Name,