Merge pull request #351 from stuggi/tls_public_endpoint

Allow route overrides list in NewRoute() and add EnsureCert()
openstack-k8s-operators · Oct 3, 2023 · ac38125 · ac38125
2 parents c2a11da + 231c496
commit ac38125
Show file tree

Hide file tree

Showing 5 changed files with 231 additions and 48 deletions.
diff --git a/modules/certmanager/certificate.go b/modules/certmanager/certificate.go
@@ -22,13 +22,18 @@ import (
 	"time"
 
 	certmgrv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
+	certmgrmetav1 "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/secret"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/util"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
+	k8s_corev1 "k8s.io/api/core/v1"
 	k8s_errors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/utils/ptr"
 )
 
 // Certificate -
@@ -65,7 +70,6 @@ func Cert(
 	namespace string,
 	labels map[string]string,
 	spec certmgrv1.CertificateSpec,
-
 ) *certmgrv1.Certificate {
 	return &certmgrv1.Certificate{
 		ObjectMeta: metav1.ObjectMeta{
@@ -128,3 +132,75 @@ func (c *Certificate) Delete(
 
 	return nil
 }
+
+// EnsureCert - creates a certificate for hostnames, ensures the sercret has the required key/cert and return the secret
+func EnsureCert(
+	ctx context.Context,
+	helper *helper.Helper,
+	issuerName string,
+	certName string,
+	duration *time.Duration,
+	hostnames []string,
+	labels map[string]string,
+) (*k8s_corev1.Secret, ctrl.Result, error) {
+	// get issuer
+	issuer := &certmgrv1.Issuer{}
+	namespace := helper.GetBeforeObject().GetNamespace()
+
+	err := helper.GetClient().Get(ctx, types.NamespacedName{Name: issuerName, Namespace: namespace}, issuer)
+	if err != nil {
+		err = fmt.Errorf("Error getting issuer %s/%s - %w", issuerName, namespace, err)
+
+		return nil, ctrl.Result{}, err
+	}
+
+	// default the cert duration to one year (default is 90days)
+	if duration == nil {
+		duration = ptr.To(time.Hour * 24 * 365)
+	}
+
+	certSecretName := "cert-" + certName
+	certReq := Cert(
+		certName,
+		namespace,
+		labels,
+		certmgrv1.CertificateSpec{
+			CommonName: hostnames[0],
+			DNSNames:   hostnames,
+			Duration: &metav1.Duration{
+				Duration: *duration,
+			},
+			IssuerRef: certmgrmetav1.ObjectReference{
+				Name:  issuer.Name,
+				Kind:  issuer.Kind,
+				Group: issuer.GroupVersionKind().Group,
+			},
+			SecretName: certSecretName,
+			// TODO Usages, e.g. for client cert
+		},
+	)
+
+	cert := NewCertificate(certReq, 5)
+	ctrlResult, err := cert.CreateOrPatch(ctx, helper)
+	if err != nil {
+		return nil, ctrlResult, err
+	} else if (ctrlResult != ctrl.Result{}) {
+		return nil, ctrlResult, nil
+	}
+
+	// get cert secret
+	certSecret, _, err := secret.GetSecret(ctx, helper, certSecretName, namespace)
+	if err != nil {
+		return nil, ctrl.Result{}, err
+	}
+
+	// check if secret has the right keys
+	_, hasTLSKey := certSecret.Data["tls.key"]
+	_, hasTLSCert := certSecret.Data["tls.crt"]
+	if !hasTLSCert || !hasTLSKey {
+		err := fmt.Errorf("TLS secret %s in namespace %s does not have the fields tls.crt and tls.key", certSecretName, namespace)
+		return nil, ctrl.Result{}, err
+	}
+
+	return certSecret, ctrl.Result{}, nil
+}
diff --git a/modules/certmanager/go.mod b/modules/certmanager/go.mod
@@ -75,7 +75,7 @@ require (
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	k8s.io/klog/v2 v2.100.1 // indirect
-	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect; indirect // indirect
+	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect; indirect // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 )

diff --git a/modules/common/endpoint/endpoint.go b/modules/common/endpoint/endpoint.go
@@ -194,6 +194,10 @@ func ExposeEndpoints(
 			// Create the route if it is public endpoint
 			if endpointType == service.EndpointPublic {
 				// Create the route
+				routeOverride := []route.OverrideSpec{}
+				if data.RouteOverride != nil {
+					routeOverride = append(routeOverride, *data.RouteOverride)
+				}
 				// TODO TLS
 				route, err := route.NewRoute(
 					route.GenericRoute(&route.GenericRouteDetails{
@@ -204,7 +208,7 @@ func ExposeEndpoints(
 						TargetPortName: endpointName,
 					}),
 					timeout,
-					data.RouteOverride,
+					routeOverride,
 				)
 				if err != nil {
 					return endpointMap, ctrl.Result{}, err

diff --git a/modules/common/route/route.go b/modules/common/route/route.go
@@ -38,15 +38,15 @@ import (
 func NewRoute(
 	route *routev1.Route,
 	timeout time.Duration,
-	override *OverrideSpec,
+	overrides []OverrideSpec,
 ) (*Route, error) {
 	r := &Route{
 		route:   route,
 		timeout: timeout,
 	}
 
 	// patch route with possible overrides of Labels, Annotations and Spec
-	if override != nil {
+	for _, override := range overrides {
 		if override.EmbeddedLabelsAnnotations != nil {
 			if override.Labels != nil {
 				r.route.Labels = util.MergeStringMaps(override.Labels, r.route.Labels)