Ci 1558 3.18 (#3402)

* Fix deadlock situation where two controller rely on the other to finish successfully. * Don't block controllers when the certs they are trusting are missing key usages when there is a mutual dependency between two controllers. Secrets controller is now adding internal-manager-tls to its bundle, rather than manager-tls. The internal secret is the one that is used for component-to-component authentication, while manager-tls is used for browser-to-manager TLS.
tigera · Jul 3, 2024 · 969ab70 · 969ab70
1 parent 25da49f
commit 969ab70
Show file tree

Hide file tree

Showing 4 changed files with 102 additions and 21 deletions.
diff --git a/pkg/controller/logstorage/secrets/secret_controller.go b/pkg/controller/logstorage/secrets/secret_controller.go
@@ -469,7 +469,7 @@ func (r *SecretSubController) collectUpstreamCerts(log logr.Logger, helper utils
 		monitor.PrometheusClientTLSSecretName: common.OperatorNamespace(),
 
 		// Get certificate for es-proxy, which Linseed and es-gateway need to trust.
-		render.ManagerTLSSecretName: helper.TruthNamespace(),
+		render.ManagerInternalTLSSecretName: helper.TruthNamespace(),
 
 		// Get certificate for fluentd, which Linseed needs to trust in a standalone or management cluster.
 		render.FluentdPrometheusTLSSecretName: common.OperatorNamespace(),
@@ -503,8 +503,15 @@ func (r *SecretSubController) collectUpstreamCerts(log logr.Logger, helper utils
 	for certName, certNamespace := range certs {
 		cert, err := cm.GetCertificate(r.client, certName, certNamespace)
 		if err != nil {
-			r.status.SetDegraded(operatorv1.ResourceReadError, "Failed to get certificate", err, log)
-			return nil, err
+			if certificatemanager.IsCertExtKeyUsageError(err) {
+				// This secret is missing required key usages. Another controller will need to replace this secret with a
+				// new valid secret, before this controller will read and use it. The other controller may depend on this
+				// controller completing successfully. Therefore, we skip and continue.
+				log.Info(fmt.Sprintf("skipping %s/%s secret it will be added when it is updated: %s", common.OperatorNamespace(), certName, err))
+			} else {
+				r.status.SetDegraded(operatorv1.ResourceReadError, "Failed to get certificate", err, log)
+				return nil, err
+			}
 		} else if cert == nil {
 			msg := fmt.Sprintf("%s/%s secret not available yet, will add it if/when it becomes available", certNamespace, certName)
 			log.Info(msg)

diff --git a/pkg/controller/logstorage/secrets/secret_controller_test.go b/pkg/controller/logstorage/secrets/secret_controller_test.go
@@ -15,6 +15,7 @@
 package secrets
 
 import (
+	"bytes"
 	"context"
 	"fmt"
 
@@ -32,6 +33,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/sets"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
@@ -51,6 +53,7 @@ import (
 	"github.com/tigera/operator/pkg/render/common/secret"
 	"github.com/tigera/operator/pkg/render/logstorage/esgateway"
 	"github.com/tigera/operator/pkg/render/logstorage/esmetrics"
+	"github.com/tigera/operator/pkg/tls"
 	"github.com/tigera/operator/pkg/tls/certificatemanagement"
 	"github.com/tigera/operator/test"
 )
@@ -95,12 +98,13 @@ func NewSecretControllerWithShims(
 
 var _ = Describe("LogStorage Secrets controller", func() {
 	var (
-		cli        client.Client
-		readyFlag  *utils.ReadyFlag
-		scheme     *runtime.Scheme
-		ctx        context.Context
-		install    *operatorv1.Installation
-		mockStatus *status.MockStatus
+		cli                client.Client
+		readyFlag          *utils.ReadyFlag
+		scheme             *runtime.Scheme
+		ctx                context.Context
+		install            *operatorv1.Installation
+		mockStatus         *status.MockStatus
+		certificateManager certificatemanager.CertificateManager
 	)
 
 	BeforeEach(func() {
@@ -149,9 +153,10 @@ var _ = Describe("LogStorage Secrets controller", func() {
 		mockStatus.On("ClearDegraded")
 
 		// Create a CA secret for the test, and create its KeyPair.
-		cm, err := certificatemanager.Create(cli, &install.Spec, dns.DefaultClusterDomain, common.OperatorNamespace(), certificatemanager.AllowCACreation())
+		var err error
+		certificateManager, err = certificatemanager.Create(cli, &install.Spec, dns.DefaultClusterDomain, common.OperatorNamespace(), certificatemanager.AllowCACreation())
 		Expect(err).ShouldNot(HaveOccurred())
-		Expect(cli.Create(ctx, cm.KeyPair().Secret(common.OperatorNamespace()))).ShouldNot(HaveOccurred())
+		Expect(cli.Create(ctx, certificateManager.KeyPair().Secret(common.OperatorNamespace()))).ShouldNot(HaveOccurred())
 	})
 
 	It("should wait for the cluster CA to be provisioned", func() {
@@ -210,6 +215,37 @@ var _ = Describe("LogStorage Secrets controller", func() {
 		ExpectSecrets(ctx, cli, expected)
 	})
 
+	It("should not trip up when a cert with missing key usages is configured for other components", func() {
+
+		// Create a LogStorage instance with a default configuration.
+		ls := &operatorv1.LogStorage{}
+		ls.Name = "tigera-secure"
+		ls.Status.State = operatorv1.TigeraStatusReady
+		CreateLogStorage(cli, ls)
+
+		By("Creating a fluentd certificate secret without all necessary usages")
+		cryptoCA, err := tls.MakeCA(rmeta.TigeraOperatorCAIssuerPrefix)
+		Expect(err).NotTo(HaveOccurred())
+		tlsCfg, err := cryptoCA.MakeServerCertForDuration(sets.NewString("test"), rmeta.DefaultCertificateDuration, tls.SetServerAuth)
+		Expect(err).NotTo(HaveOccurred())
+		keyContent, crtContent := &bytes.Buffer{}, &bytes.Buffer{}
+		Expect(tlsCfg.WriteCertConfig(crtContent, keyContent)).NotTo(HaveOccurred())
+		privateKeyPEM, certificatePEM := keyContent.Bytes(), crtContent.Bytes()
+		fluentdCert, err := certificateManager.GetOrCreateKeyPair(cli, render.FluentdPrometheusTLSSecretName, common.OperatorNamespace(), []string{""})
+		Expect(err).NotTo(HaveOccurred())
+		fluentdSecret := fluentdCert.Secret(common.OperatorNamespace())
+		fluentdSecret.Data[corev1.TLSCertKey] = certificatePEM
+		fluentdSecret.Data[corev1.TLSPrivateKeyKey] = privateKeyPEM
+		Expect(err).NotTo(HaveOccurred())
+		r, err := NewSecretControllerWithShims(cli, scheme, mockStatus, operatorv1.ProviderNone, dns.DefaultClusterDomain)
+		Expect(err).ShouldNot(HaveOccurred())
+		Expect(r.client.Create(ctx, fluentdSecret)).NotTo(HaveOccurred())
+
+		By("reconciling the controller after a bad secret was created, we expect no problems, because bad secrets should be skipped")
+		_, err = r.Reconcile(ctx, reconcile.Request{})
+		Expect(err).NotTo(HaveOccurred())
+	})
+
 	It("test that LogStorage reconciles if the user-supplied certs have any DNS names", func() {
 		// This test currently just validates that user-provided certs will reconcile and not return an error and won't be
 		// overwritten by the operator. This test will change once we add validation for user-provided certs.

diff --git a/pkg/controller/monitor/monitor_controller.go b/pkg/controller/monitor/monitor_controller.go
@@ -36,6 +36,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/source"
 
 	v3 "github.com/tigera/api/pkg/apis/projectcalico/v3"
+
 	operatorv1 "github.com/tigera/operator/api/v1"
 	"github.com/tigera/operator/pkg/common"
 	"github.com/tigera/operator/pkg/controller/certificatemanager"
@@ -286,8 +287,15 @@ func (r *ReconcileMonitor) Reconcile(ctx context.Context, request reconcile.Requ
 		if err == nil {
 			trustedBundle.AddCertificates(certificate)
 		} else {
-			r.status.SetDegraded(operatorv1.ResourceReadError, "Error fetching TLS certificate", err, reqLogger)
-			return reconcile.Result{}, err
+			if certificatemanager.IsCertExtKeyUsageError(err) {
+				// This secret is missing required key usages. Another controller will need to replace this secret with a
+				// new valid secret, before this controller will read and use it. The other controller may depend on this
+				// controller completing successfully. Therefore, we skip and continue.
+				log.Info(fmt.Sprintf("skipping %s/%s secret it will be added when it is updated: %s", common.OperatorNamespace(), certificateName, err))
+			} else {
+				r.status.SetDegraded(operatorv1.ResourceReadError, "Error fetching TLS certificate", err, reqLogger)
+				return reconcile.Result{}, err
+			}
 		}
 	}
 	certificateManager.AddToStatusManager(r.status, common.TigeraPrometheusNamespace)

diff --git a/pkg/controller/monitor/monitor_controller_test.go b/pkg/controller/monitor/monitor_controller_test.go
@@ -15,6 +15,7 @@
 package monitor
 
 import (
+	"bytes"
 	"context"
 
 	. "github.com/onsi/ginkgo"
@@ -29,6 +30,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/sets"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
@@ -42,16 +44,21 @@ import (
 	"github.com/tigera/operator/pkg/controller/status"
 	"github.com/tigera/operator/pkg/controller/utils"
 	"github.com/tigera/operator/pkg/render"
+	rmeta "github.com/tigera/operator/pkg/render/common/meta"
 	"github.com/tigera/operator/pkg/render/monitor"
+	"github.com/tigera/operator/pkg/tls"
 )
 
 var _ = Describe("Monitor controller tests", func() {
-	var cli client.Client
-	var ctx context.Context
-	var mockStatus *status.MockStatus
-	var r ReconcileMonitor
-	var scheme *runtime.Scheme
-	var installation *operatorv1.Installation
+	var (
+		cli                client.Client
+		ctx                context.Context
+		mockStatus         *status.MockStatus
+		r                  ReconcileMonitor
+		scheme             *runtime.Scheme
+		installation       *operatorv1.Installation
+		certificateManager certificatemanager.CertificateManager
+	)
 
 	BeforeEach(func() {
 		// The schema contains all objects that should be known to the fake client when the test runs.
@@ -115,9 +122,10 @@ var _ = Describe("Monitor controller tests", func() {
 
 		// Create a certificate manager and provision the CA to unblock the controller. Generally this would be done by
 		// the cluster CA controller and is a prerequisite for the monitor controller to function.
-		cm, err := certificatemanager.Create(cli, &installation.Spec, "cluster.local", common.OperatorNamespace(), certificatemanager.AllowCACreation())
+		var err error
+		certificateManager, err = certificatemanager.Create(cli, &installation.Spec, "cluster.local", common.OperatorNamespace(), certificatemanager.AllowCACreation())
 		Expect(err).NotTo(HaveOccurred())
-		Expect(cli.Create(ctx, cm.KeyPair().Secret(common.OperatorNamespace()))).NotTo(HaveOccurred())
+		Expect(cli.Create(ctx, certificateManager.KeyPair().Secret(common.OperatorNamespace()))).NotTo(HaveOccurred())
 
 		// Mark that watches were successful.
 		r.prometheusReady.MarkAsReady()
@@ -155,6 +163,28 @@ var _ = Describe("Monitor controller tests", func() {
 			Expect(cli.Get(ctx, client.ObjectKey{Name: monitor.FluentdMetrics, Namespace: common.TigeraPrometheusNamespace}, sm)).NotTo(HaveOccurred())
 		})
 
+		It("should create Prometheus related resources even when a cert with missing key usages is configured for other components", func() {
+			By("Creating a fluentd certificate secret without all necessary usages")
+			cryptoCA, err := tls.MakeCA(rmeta.TigeraOperatorCAIssuerPrefix)
+			Expect(err).NotTo(HaveOccurred())
+			tlsCfg, err := cryptoCA.MakeServerCertForDuration(sets.NewString("test"), rmeta.DefaultCertificateDuration, tls.SetServerAuth)
+			Expect(err).NotTo(HaveOccurred())
+			keyContent, crtContent := &bytes.Buffer{}, &bytes.Buffer{}
+			Expect(tlsCfg.WriteCertConfig(crtContent, keyContent)).NotTo(HaveOccurred())
+			privateKeyPEM, certificatePEM := keyContent.Bytes(), crtContent.Bytes()
+			fluentdCert, err := certificateManager.GetOrCreateKeyPair(cli, render.FluentdPrometheusTLSSecretName, common.OperatorNamespace(), []string{""})
+			Expect(err).NotTo(HaveOccurred())
+			fluentdSecret := fluentdCert.Secret(common.OperatorNamespace())
+			fluentdSecret.Data[corev1.TLSCertKey] = certificatePEM
+			fluentdSecret.Data[corev1.TLSPrivateKeyKey] = privateKeyPEM
+			Expect(err).NotTo(HaveOccurred())
+			Expect(r.client.Create(ctx, fluentdSecret)).NotTo(HaveOccurred())
+
+			By("reconciling the controller after a bad secret was created, we expect no problems, because bad secrets should be skipped")
+			_, err = r.Reconcile(ctx, reconcile.Request{})
+			Expect(err).NotTo(HaveOccurred())
+		})
+
 		It("should render allow-tigera policy when tier and policy watch are ready", func() {
 			_, err := r.Reconcile(ctx, reconcile.Request{})
 			Expect(err).ShouldNot(HaveOccurred())