
Reload certificates in operator-ca-tls secrets #2133

Merged
merged 6 commits into from
May 28, 2024

Conversation

pjuarezd
Member

@pjuarezd pjuarezd commented May 23, 2024

Listen for secret changes in the operator namespace and trust TLS certificates stored in secrets with the prefix "operator-ca-tls"

  • No longer copy the secret operator-ca-tls from the operator namespace to the tenant namespace. Since PR https://github.com/minio/operator/pull/1847 the secret operator-ca-tls is no longer mounted in the tenant, so there is no need to keep a copy in the tenant namespace.
  • queue.NewNamedRateLimitingQueue is deprecated and has been replaced with the recommended queue.NewRateLimitingQueueWithConfig.
  • Remove the duplicated method getTLSSecret and invoke getCertificateSecret instead.
  • Rename generateTLSCert to generateTLSCertificateForService for better understanding.
  • Remove duplicated constants for 'public.crt', 'tls.crt', and 'ca.crt' in the github.com/minio/operator/pkg/common namespace.
  • Replace hardcoded strings 'public.crt', 'tls.crt', and 'ca.crt' with constants in the github.com/minio/operator/pkg/certs namespace.

Signed-off-by: pjuarezd [email protected]
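The trust-on-change behaviour described above, as an added example that is not the operator's own code: it rebuilds an x509 certificate pool from whatever secrets currently carry the operator-ca-tls prefix, reads the three key names the PR standardises, and skips data that is not a certificate. Assumptions: secrets are modelled as a plain map of name to data instead of corev1.Secret, the sample CAs are minted at runtime, and the informer wiring that would call trustedCAs on each secret event is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"strings"
	"time"
)

// Keys read from each matching secret (the names this PR moved into pkg/certs constants).
var certKeys = []string{"public.crt", "tls.crt", "ca.crt"}

// trustedCAs rebuilds the CA pool from the current secrets (name -> data); call it from the
// secret informer's add/update/delete handlers so a rotated CA is trusted at once. Secrets
// without the prefix and keys holding non-PEM data are skipped; count = keys that added certs.
func trustedCAs(secrets map[string]map[string][]byte, prefix string) (*x509.CertPool, int) {
	pool, added := x509.NewCertPool(), 0
	for name, data := range secrets {
		if !strings.HasPrefix(name, prefix) {
			continue
		}
		for _, k := range certKeys {
			if pool.AppendCertsFromPEM(data[k]) { // false for a missing key or invalid PEM
				added++
			}
		}
	}
	return pool, added
}
// selfSignedCAPEM mints a throwaway CA (constructed sample input) so the example runs offline.
func selfSignedCAPEM(cn string) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
// sampleSecrets is constructed input: two prefixed CAs, one prefixed secret with junk, one unrelated.
func sampleSecrets() map[string]map[string][]byte {
	return map[string]map[string][]byte{
		"operator-ca-tls":        {"ca.crt": selfSignedCAPEM("operator-ca")},
		"operator-ca-tls-team-a": {"public.crt": selfSignedCAPEM("team-a-ca")},
		"operator-ca-tls-broken": {"ca.crt": []byte("not a certificate")},
		"unrelated-tls":          {"ca.crt": selfSignedCAPEM("ignored-ca")},
	}
}
```

With the constructed input, trustedCAs returns a pool fed by exactly two secret keys; the junk value and the unrelated secret contribute nothing.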

@pjuarezd pjuarezd self-assigned this May 23, 2024
@pjuarezd pjuarezd requested a review from cniackz May 23, 2024 23:19
@pjuarezd pjuarezd changed the title Reload certificates Reload certificates in operator-ca-tls secrets May 24, 2024
@pjuarezd pjuarezd force-pushed the reload-certificates branch from 4c7c8f3 to 2a74ff6 Compare May 24, 2024 07:10
jiuker
jiuker previously approved these changes May 24, 2024
Resolved (now outdated) review threads on pkg/controller/main-controller.go (1) and pkg/controller/operator.go (3)
pjuarezd added 5 commits May 24, 2024 11:02
…tificates stored in secrets with the prefix "operator-ca-tls."

* No longer copy the secret `operator-ca-tls` from the operator namespace to the tenants namespace: Since [PR minio#1847](minio#1847), the secret `operator-ca-tls` is no longer mounted in the tenant, so there is no need to keep a copy.
* `queue.NewNamedRateLimitingQueue` is deprecated and has been replaced with the recommended `queue.NewRateLimitingQueueWithConfig`.
* Remove the duplicated method `getTLSSecret` and invoke `getCertificateSecret` instead.
* Rename [generateTLSCert](https://github.com/minio/operator/blob/1c2fa4f402cc2c91c9903e6da6e9a693c92b65e4/pkg/controller/tls.go#L108) to `generateTLSCertificateForService` for better understanding.
* Remove duplicated constants for 'public.crt', 'tls.crt', and 'ca.crt' in the `github.com/minio/operator/pkg/common` namespace.
* Replace hardcoded strings 'public.crt', 'tls.crt', and 'ca.crt' with constants in the `github.com/minio/operator/pkg/certs` namespace.

Signed-off-by: pjuarezd <[email protected]>
Signed-off-by: pjuarezd <[email protected]>
Signed-off-by: pjuarezd <[email protected]>
@pjuarezd pjuarezd force-pushed the reload-certificates branch from 2bfdd62 to 4b697b0 Compare May 24, 2024 18:13
Contributor

@shtripat shtripat left a comment


lgtm

@pjuarezd pjuarezd merged commit 4df07c1 into minio:master May 28, 2024
30 checks passed
pjuarezd added a commit to pjuarezd/operator that referenced this pull request May 28, 2024
…Tenant namespace

This was fixed by trusting CA's as soon as the secret changed on PR minio#2133

Signed-off-by: pjuarezd <[email protected]>
pjuarezd added a commit that referenced this pull request May 29, 2024
…nant namespace (#2137)

No longer needed to create `operator-ca-tls` prefixed secrets on the Tenant namespace

This was fixed by trusting CA's as soon as the secret changed on PR #2133

Signed-off-by: pjuarezd <[email protected]>
@djwfyi djwfyi mentioned this pull request Jul 18, 2024
13 tasks
3 participants