chore: Improve handling of unchanged certificates (#86)
miketonks-form3 committed Jul 8, 2024
1 parent f5fca95 commit 41a0ff8
Showing 14 changed files with 86 additions and 115 deletions.
9 changes: 2 additions & 7 deletions api/v1alpha1/certificatechaos_types.go
Expand Up @@ -48,20 +48,15 @@ type CertificateChaosSpec struct {
// Duration represents the duration of the chaos action.
// Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
// +optional
// +kubebuilder:default="90m"
Duration *string `json:"duration,omitempty" webhook:"Duration"`

// CertificateExpiry represents the expiry period for the requested certificate.
// Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
// +optional
// +kubebuilder:default="1h"
CertificateExpiry *metav1.Duration `json:"certificateExpiry,omitempty"`
CertificateExpiry *metav1.Duration `json:"certificateExpiry"`

// RenewBefore represents when the cert-manager should rotate the certificate.
// Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
// +optional
// +kubebuilder:default="30m"
RenewBefore *metav1.Duration `json:"renewBefore,omitempty"`
RenewBefore *metav1.Duration `json:"renewBefore"`

// RemoteCluster represents the remote cluster where the chaos will be deployed
// +optional
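Review bot: Dropping `omitempty` from the `CertificateExpiry` and `RenewBefore` json tags (together with the regenerated CRDs' `required` lists) makes these fields mandatory, yet they remain `*metav1.Duration` pointers and their doc comments still read like optional fields; the comments should state the contract, e.g. `// CertificateExpiry represents the expiry period for the requested certificate. Required.` and the same for `RenewBefore`. If the `// +optional` markers above those two fields survive this change (the rendered page does not make clear which marker lines were removed), controller-gen will keep emitting them as optional and contradict the CRDs committed alongside. Existing CertificateChaos objects that omitted these fields will fail validation on their next update now that the `1h`/`30m` defaults are gone, which is worth a sentence in the field comments or the release notes. The struct definition starts and ends outside the hunk.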
5 changes: 2 additions & 3 deletions config/crd/bases/chaos-mesh.org_certificatechaos.yaml
Expand Up @@ -35,13 +35,11 @@ spec:
description: Spec defines the behavior of a certificate chaos experiment
properties:
certificateExpiry:
default: 1h
description: CertificateExpiry represents the expiry period for the
requested certificate. Valid time units are "ns", "us" (or "µs"),
"ms", "s", "m", "h".
type: string
duration:
default: 90m
description: Duration represents the duration of the chaos action.
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
type: string
Expand All @@ -50,7 +48,6 @@ spec:
chaos will be deployed
type: string
renewBefore:
default: 30m
description: RenewBefore represents when the cert-manager should rotate
the certificate. Valid time units are "ns", "us" (or "µs"), "ms",
"s", "m", "h".
Expand Down Expand Up @@ -115,6 +112,8 @@ spec:
type: array
type: object
required:
- certificateExpiry
- renewBefore
- selector
type: object
status:
15 changes: 6 additions & 9 deletions config/crd/bases/chaos-mesh.org_schedules.yaml
Expand Up @@ -283,13 +283,11 @@ spec:
creates on a chaos experiment about pods.
properties:
certificateExpiry:
default: 1h
description: CertificateExpiry represents the expiry period for
the requested certificate. Valid time units are "ns", "us" (or
"µs"), "ms", "s", "m", "h".
type: string
duration:
default: 90m
description: Duration represents the duration of the chaos action.
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
type: string
Expand All @@ -298,7 +296,6 @@ spec:
the chaos will be deployed
type: string
renewBefore:
default: 30m
description: RenewBefore represents when the cert-manager should
rotate the certificate. Valid time units are "ns", "us" (or
"µs"), "ms", "s", "m", "h".
Expand Down Expand Up @@ -363,6 +360,8 @@ spec:
type: array
type: object
required:
- certificateExpiry
- renewBefore
- selector
type: object
ciliumChaos:
Expand Down Expand Up @@ -4109,13 +4108,11 @@ spec:
that a user creates on a chaos experiment about pods.
properties:
certificateExpiry:
default: 1h
description: CertificateExpiry represents the expiry
period for the requested certificate. Valid time units
are "ns", "us" (or "µs"), "ms", "s", "m", "h".
type: string
duration:
default: 90m
description: Duration represents the duration of the
chaos action. Valid time units are "ns", "us" (or
"µs"), "ms", "s", "m", "h".
Expand All @@ -4125,7 +4122,6 @@ spec:
where the chaos will be deployed
type: string
renewBefore:
default: 30m
description: RenewBefore represents when the cert-manager
should rotate the certificate. Valid time units are
"ns", "us" (or "µs"), "ms", "s", "m", "h".
Expand Down Expand Up @@ -4194,6 +4190,8 @@ spec:
type: array
type: object
required:
- certificateExpiry
- renewBefore
- selector
type: object
children:
Expand Down Expand Up @@ -7814,14 +7812,12 @@ spec:
that a user creates on a chaos experiment about pods.
properties:
certificateExpiry:
default: 1h
description: CertificateExpiry represents the expiry
period for the requested certificate. Valid time
units are "ns", "us" (or "µs"), "ms", "s", "m",
"h".
type: string
duration:
default: 90m
description: Duration represents the duration of
the chaos action. Valid time units are "ns", "us"
(or "µs"), "ms", "s", "m", "h".
Expand All @@ -7831,7 +7827,6 @@ spec:
cluster where the chaos will be deployed
type: string
renewBefore:
default: 30m
description: RenewBefore represents when the cert-manager
should rotate the certificate. Valid time units
are "ns", "us" (or "µs"), "ms", "s", "m", "h".
Expand Down Expand Up @@ -7903,6 +7898,8 @@ spec:
type: array
type: object
required:
- certificateExpiry
- renewBefore
- selector
type: object
ciliumChaos:
20 changes: 8 additions & 12 deletions config/crd/bases/chaos-mesh.org_workflownodes.yaml
Expand Up @@ -289,13 +289,11 @@ spec:
creates on a chaos experiment about pods.
properties:
certificateExpiry:
default: 1h
description: CertificateExpiry represents the expiry period for
the requested certificate. Valid time units are "ns", "us" (or
"µs"), "ms", "s", "m", "h".
type: string
duration:
default: 90m
description: Duration represents the duration of the chaos action.
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
type: string
Expand All @@ -304,7 +302,6 @@ spec:
the chaos will be deployed
type: string
renewBefore:
default: 30m
description: RenewBefore represents when the cert-manager should
rotate the certificate. Valid time units are "ns", "us" (or
"µs"), "ms", "s", "m", "h".
Expand Down Expand Up @@ -369,6 +366,8 @@ spec:
type: array
type: object
required:
- certificateExpiry
- renewBefore
- selector
type: object
children:
Expand Down Expand Up @@ -3757,13 +3756,11 @@ spec:
a user creates on a chaos experiment about pods.
properties:
certificateExpiry:
default: 1h
description: CertificateExpiry represents the expiry period
for the requested certificate. Valid time units are "ns",
"us" (or "µs"), "ms", "s", "m", "h".
type: string
duration:
default: 90m
description: Duration represents the duration of the chaos
action. Valid time units are "ns", "us" (or "µs"), "ms",
"s", "m", "h".
Expand All @@ -3773,7 +3770,6 @@ spec:
the chaos will be deployed
type: string
renewBefore:
default: 30m
description: RenewBefore represents when the cert-manager
should rotate the certificate. Valid time units are "ns",
"us" (or "µs"), "ms", "s", "m", "h".
Expand Down Expand Up @@ -3839,6 +3835,8 @@ spec:
type: array
type: object
required:
- certificateExpiry
- renewBefore
- selector
type: object
ciliumChaos:
Expand Down Expand Up @@ -7670,14 +7668,12 @@ spec:
that a user creates on a chaos experiment about pods.
properties:
certificateExpiry:
default: 1h
description: CertificateExpiry represents the expiry
period for the requested certificate. Valid time
units are "ns", "us" (or "µs"), "ms", "s", "m",
"h".
type: string
duration:
default: 90m
description: Duration represents the duration of
the chaos action. Valid time units are "ns", "us"
(or "µs"), "ms", "s", "m", "h".
Expand All @@ -7687,7 +7683,6 @@ spec:
cluster where the chaos will be deployed
type: string
renewBefore:
default: 30m
description: RenewBefore represents when the cert-manager
should rotate the certificate. Valid time units
are "ns", "us" (or "µs"), "ms", "s", "m", "h".
Expand Down Expand Up @@ -7759,6 +7754,8 @@ spec:
type: array
type: object
required:
- certificateExpiry
- renewBefore
- selector
type: object
children:
Expand Down Expand Up @@ -11490,14 +11487,12 @@ spec:
pods.
properties:
certificateExpiry:
default: 1h
description: CertificateExpiry represents the
expiry period for the requested certificate.
Valid time units are "ns", "us" (or "µs"),
"ms", "s", "m", "h".
type: string
duration:
default: 90m
description: Duration represents the duration
of the chaos action. Valid time units are
"ns", "us" (or "µs"), "ms", "s", "m", "h".
Expand All @@ -11507,7 +11502,6 @@ spec:
cluster where the chaos will be deployed
type: string
renewBefore:
default: 30m
description: RenewBefore represents when the
cert-manager should rotate the certificate.
Valid time units are "ns", "us" (or "µs"),
Expand Down Expand Up @@ -11582,6 +11576,8 @@ spec:
type: array
type: object
required:
- certificateExpiry
- renewBefore
- selector
type: object
ciliumChaos:
10 changes: 4 additions & 6 deletions config/crd/bases/chaos-mesh.org_workflows.yaml
Expand Up @@ -302,13 +302,11 @@ spec:
a user creates on a chaos experiment about pods.
properties:
certificateExpiry:
default: 1h
description: CertificateExpiry represents the expiry period
for the requested certificate. Valid time units are "ns",
"us" (or "µs"), "ms", "s", "m", "h".
type: string
duration:
default: 90m
description: Duration represents the duration of the chaos
action. Valid time units are "ns", "us" (or "µs"), "ms",
"s", "m", "h".
Expand All @@ -318,7 +316,6 @@ spec:
where the chaos will be deployed
type: string
renewBefore:
default: 30m
description: RenewBefore represents when the cert-manager
should rotate the certificate. Valid time units are "ns",
"us" (or "µs"), "ms", "s", "m", "h".
Expand Down Expand Up @@ -384,6 +381,8 @@ spec:
type: array
type: object
required:
- certificateExpiry
- renewBefore
- selector
type: object
children:
Expand Down Expand Up @@ -3902,13 +3901,11 @@ spec:
that a user creates on a chaos experiment about pods.
properties:
certificateExpiry:
default: 1h
description: CertificateExpiry represents the expiry
period for the requested certificate. Valid time units
are "ns", "us" (or "µs"), "ms", "s", "m", "h".
type: string
duration:
default: 90m
description: Duration represents the duration of the
chaos action. Valid time units are "ns", "us" (or
"µs"), "ms", "s", "m", "h".
Expand All @@ -3918,7 +3915,6 @@ spec:
where the chaos will be deployed
type: string
renewBefore:
default: 30m
description: RenewBefore represents when the cert-manager
should rotate the certificate. Valid time units are
"ns", "us" (or "µs"), "ms", "s", "m", "h".
Expand Down Expand Up @@ -3987,6 +3983,8 @@ spec:
type: array
type: object
required:
- certificateExpiry
- renewBefore
- selector
type: object
ciliumChaos:
25 changes: 18 additions & 7 deletions controllers/chaosimpl/certificatechaos/impl.go
Expand Up @@ -97,26 +97,33 @@ func (impl *Impl) Apply(ctx context.Context, index int, records []*v1alpha1.Reco
return FluxSuspended, nil

case FluxSuspended:
var cert cmv1.Certificate
err = impl.Get(ctx, namespacedName, &cert)
cert := &cmv1.Certificate{}
err = impl.Get(ctx, namespacedName, cert)
if err != nil {
if apiErrors.IsNotFound(err) {
return v1alpha1.Injected, nil
}
return v1alpha1.NotInjected, err
}

// Update actual certificate
if err = impl.updateCertificate(ctx, &cert, chaos.Spec.CertificateExpiry, chaos.Spec.RenewBefore); err != nil {
impl.Log.Error(err, "Updating Certificate", "resource", cert.Name)
return record.Phase, err
var phase v1alpha1.Phase
// Check for changes - in case of exact match, there is no need to update
if certificateChanged(cert, chaos) {
// Update actual certificate
if err = impl.updateCertificate(ctx, cert, chaos.Spec.CertificateExpiry, chaos.Spec.RenewBefore); err != nil {
impl.Log.Error(err, "Updating Certificate", "resource", cert.Name)
return record.Phase, err
}
phase = CertUpdated
} else {
phase = CertReady
}
newInstance := chaos.Status.Instances[record.Id]
newInstance.OriginalExpiry = cert.Spec.Duration
newInstance.OriginalRenewBefore = cert.Spec.RenewBefore
newInstance.SecretName = cert.Spec.SecretName
chaos.Status.Instances[record.Id] = newInstance
return CertUpdated, nil
return phase, nil

case CertUpdated:
impl.Log.Info("Checking if Certificate is ready", "certificate", namespacedName.String())
Expand Down Expand Up @@ -163,6 +170,10 @@ func (impl *Impl) Apply(ctx context.Context, index int, records []*v1alpha1.Reco
return v1alpha1.Injected, nil
}

func certificateChanged(cert *cmv1.Certificate, chaos *v1alpha1.CertificateChaos) bool {
return !(cert.Spec.Duration == chaos.Spec.CertificateExpiry && cert.Spec.RenewBefore == chaos.Spec.RenewBefore)
}

func (impl *Impl) getPodOwnersUsingSecret(ctx context.Context, podsList *v1.PodList, secretName string) (map[Dependent]bool, error) {
owners := make(map[Dependent]bool)
for _, pod := range podsList.Items {
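Review bot: `certificateChanged` in the second hunk compares `cert.Spec.Duration` and `cert.Spec.RenewBefore` against the chaos spec with `==`; if those fields are `*metav1.Duration` pointers (cert-manager's v1 API declares them that way, and the types change in this commit shows the chaos side as `*metav1.Duration`), this is pointer-identity comparison, so it reports a change whenever both sides are non-nil and the new `CertReady` short-circuit in the first hunk effectively never fires. Compare by value with nil handling instead, as below (needs the `metav1` import if impl.go does not already have it). Separately, the unchanged branch still overwrites `newInstance.OriginalExpiry`/`OriginalRenewBefore` from the live certificate, so if an earlier pass already rewrote the certificate the recorded "original" would become the chaos value; consider recording them only when the instance has none yet. `Apply` starts and ends outside the hunk.
```go
// durationEqual compares two optional durations by value; two nils are equal.
func durationEqual(a, b *metav1.Duration) bool {
	if a == nil || b == nil {
		return a == b
	}
	return a.Duration == b.Duration
}

func certificateChanged(cert *cmv1.Certificate, chaos *v1alpha1.CertificateChaos) bool {
	return !durationEqual(cert.Spec.Duration, chaos.Spec.CertificateExpiry) ||
		!durationEqual(cert.Spec.RenewBefore, chaos.Spec.RenewBefore)
}
```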

0 comments on commit 41a0ff8
