Merge pull request #4540 from alenkacz/av/tls-refactor

Refactor TLS certificates handling in k8s operator

src/go/k8s/controllers/redpanda/cluster_controller.go

@@ -150,15 +150,8 @@ func (r *ClusterReconciler) Reconcile(
 		headlessSvc.HeadlessServiceFQDN(r.clusterDomain),
 		headlessSvc.Key().Name,
 		nodeportSvc.Key(),
-		pki.RedpandaNodeCert(),
-		pki.RedpandaOperatorClientCert(),
-		pki.RedpandaAdminCert(),
-		pki.AdminAPINodeCert(),
-		pki.AdminAPIClientCert(),
-		pki.PandaproxyAPINodeCert(),
-		pki.PandaproxyAPIClientCert(),
-		pki.SchemaRegistryAPINodeCert(),
-		pki.SchemaRegistryAPIClientCert(),
+		pki.StatefulSetVolumeProvider(),
+		pki.AdminAPIConfigProvider(),
 		sa.Key().Name,
 		r.configuratorSettings,
 		configMapResource.GetNodeConfigHash,
@@ -204,7 +197,7 @@ func (r *ClusterReconciler) Reconcile(
 		secrets = append(secrets, schemaRegistrySu.Key())
 	}
 
-	err := r.setInitialSuperUserPassword(ctx, &redpandaCluster, headlessSvc.HeadlessServiceFQDN(r.clusterDomain), pki.AdminAPINodeCert(), pki.AdminAPIClientCert(), secrets)
+	err := r.setInitialSuperUserPassword(ctx, &redpandaCluster, headlessSvc.HeadlessServiceFQDN(r.clusterDomain), pki.AdminAPIConfigProvider(), secrets)
 
 	var e *resources.RequeueAfterError
 	if errors.As(err, &e) {
@@ -502,11 +495,10 @@ func (r *ClusterReconciler) setInitialSuperUserPassword(
 	ctx context.Context,
 	redpandaCluster *redpandav1alpha1.Cluster,
 	fqdn string,
-	adminAPINodeCertSecretKey client.ObjectKey,
-	adminAPIClientCertSecretKey client.ObjectKey,
+	adminTLSConfigProvider resources.AdminTLSConfigProvider,
 	objs []types.NamespacedName,
 ) error {
-	adminAPI, err := r.AdminAPIClientFactory(ctx, r, redpandaCluster, fqdn, adminAPINodeCertSecretKey, adminAPIClientCertSecretKey)
+	adminAPI, err := r.AdminAPIClientFactory(ctx, r, redpandaCluster, fqdn, adminTLSConfigProvider)
 	if err != nil && errors.Is(err, &adminutils.NoInternalAdminAPI{}) {
 		return nil
 	} else if err != nil {

src/go/k8s/controllers/redpanda/cluster_controller_configuration.go

@@ -77,7 +77,7 @@ func (r *ClusterReconciler) reconcileConfiguration(
 		}
 	}
 
-	adminAPI, err := r.AdminAPIClientFactory(ctx, r, redpandaCluster, fqdn, pki.AdminAPINodeCert(), pki.AdminAPIClientCert())
+	adminAPI, err := r.AdminAPIClientFactory(ctx, r, redpandaCluster, fqdn, pki.AdminAPIConfigProvider())
 	if err != nil {
 		return errorWithContext(err, "error creating the admin API client")
 	}

src/go/k8s/controllers/redpanda/cluster_controller_configuration_drift.go

@@ -123,7 +123,7 @@ func (r *ClusterConfigurationDriftReconciler) Reconcile(
 		return ctrl.Result{RequeueAfter: r.getDriftCheckPeriod()}, nil
 	}
 
-	adminAPI, err := r.AdminAPIClientFactory(ctx, r, &redpandaCluster, headlessSvc.HeadlessServiceFQDN(r.clusterDomain), pki.AdminAPINodeCert(), pki.AdminAPIClientCert())
+	adminAPI, err := r.AdminAPIClientFactory(ctx, r, &redpandaCluster, headlessSvc.HeadlessServiceFQDN(r.clusterDomain), pki.AdminAPIConfigProvider())
 	if err != nil {
 		return ctrl.Result{}, fmt.Errorf("could not get admin API to check drifts on the cluster: %w", err)
 	}

src/go/k8s/controllers/redpanda/suite_test.go

@@ -90,8 +90,7 @@ var _ = BeforeSuite(func(done Done) {
 		_ client.Reader,
 		_ *redpandav1alpha1.Cluster,
 		_ string,
-		_ client.ObjectKey,
-		_ client.ObjectKey,
+		_ resources.AdminTLSConfigProvider,
 	) (adminutils.AdminAPIClient, error) {
 		return testAdminAPI, nil
 	}

src/go/k8s/pkg/admin/admin.go

@@ -16,6 +16,7 @@ import (
 	"fmt"
 
 	redpandav1alpha1 "github.com/redpanda-data/redpanda/src/go/k8s/apis/redpanda/v1alpha1"
+	"github.com/redpanda-data/redpanda/src/go/k8s/pkg/resources"
 	"github.com/redpanda-data/redpanda/src/go/rpk/pkg/api/admin"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
@@ -34,8 +35,7 @@ func NewInternalAdminAPI(
 	k8sClient client.Reader,
 	redpandaCluster *redpandav1alpha1.Cluster,
 	fqdn string,
-	adminAPINodeCertSecretKey client.ObjectKey,
-	adminAPIClientCertSecretKey client.ObjectKey,
+	adminTLSProvider resources.AdminTLSConfigProvider,
 ) (AdminAPIClient, error) {
 	adminInternal := redpandaCluster.AdminAPIInternal()
 	if adminInternal == nil {
@@ -45,7 +45,7 @@ func NewInternalAdminAPI(
 	var tlsConfig *tls.Config
 	if adminInternal.TLS.Enabled {
 		var err error
-		tlsConfig, err = GetTLSConfig(ctx, k8sClient, redpandaCluster, adminAPINodeCertSecretKey, adminAPIClientCertSecretKey)
+		tlsConfig, err = adminTLSProvider.GetTLSConfig(ctx, k8sClient)
 		if err != nil {
 			return nil, fmt.Errorf("could not create tls configuration for internal admin API: %w", err)
 		}
@@ -89,8 +89,7 @@ type AdminAPIClientFactory func(
 	k8sClient client.Reader,
 	redpandaCluster *redpandav1alpha1.Cluster,
 	fqdn string,
-	adminAPINodeCertSecretKey client.ObjectKey,
-	adminAPIClientCertSecretKey client.ObjectKey,
+	adminTLSProvider resources.AdminTLSConfigProvider,
 ) (AdminAPIClient, error)
 
 var _ AdminAPIClientFactory = NewInternalAdminAPI

src/go/k8s/pkg/resources/certmanager/admin_api.go

@@ -10,20 +10,8 @@
 // Package certmanager contains resources for TLS certificate handling using cert-manager
 package certmanager
 
-import "k8s.io/apimachinery/pkg/types"
-
 const (
 	adminAPI           = "admin"
 	adminAPIClientCert = "admin-api-client"
 	adminAPINodeCert   = "admin-api-node"
 )
-
-// AdminAPINodeCert returns the namespaced name for the Admin API certificate used by nodes
-func (r *PkiReconciler) AdminAPINodeCert() types.NamespacedName {
-	return types.NamespacedName{Name: r.pandaCluster.Name + "-" + adminAPINodeCert, Namespace: r.pandaCluster.Namespace}
-}
-
-// AdminAPIClientCert returns the namespaced name for the Admin API certificate used by clients
-func (r *PkiReconciler) AdminAPIClientCert() types.NamespacedName {
-	return types.NamespacedName{Name: r.pandaCluster.Name + "-" + adminAPIClientCert, Namespace: r.pandaCluster.Namespace}
-}

src/go/k8s/pkg/resources/certmanager/kafka_api.go

@@ -9,8 +9,6 @@
 
 package certmanager
 
-import "k8s.io/apimachinery/pkg/types"
-
 const (
 	kafkaAPI = "kafka"
 	// OperatorClientCert cert name - used by kubernetes operator to call KafkaAPI
@@ -22,26 +20,3 @@ const (
 	// RedpandaNodeCert cert name - node certificate
 	RedpandaNodeCert = "redpanda"
 )
-
-// RedpandaOperatorClientCert returns the namespaced name for the client certificate
-// used by the Kubernetes operator
-func (r *PkiReconciler) RedpandaOperatorClientCert() types.NamespacedName {
-	return types.NamespacedName{Name: r.pandaCluster.Name + "-" + OperatorClientCert, Namespace: r.pandaCluster.Namespace}
-}
-
-// RedpandaAdminCert returns the namespaced name for the certificate used by an administrator to query the Kafka API
-func (r *PkiReconciler) RedpandaAdminCert() types.NamespacedName {
-	return types.NamespacedName{Name: r.pandaCluster.Name + "-" + OperatorClientCert, Namespace: r.pandaCluster.Namespace}
-}
-
-// RedpandaNodeCert returns the namespaced name for Redpanda's node certificate
-func (r *PkiReconciler) RedpandaNodeCert() types.NamespacedName {
-	tlsListener := r.pandaCluster.KafkaTLSListener()
-	if tlsListener != nil && tlsListener.TLS.NodeSecretRef != nil {
-		return types.NamespacedName{
-			Name:      tlsListener.TLS.NodeSecretRef.Name,
-			Namespace: r.pandaCluster.Namespace,
-		}
-	}
-	return types.NamespacedName{Name: r.pandaCluster.Name + "-" + RedpandaNodeCert, Namespace: r.pandaCluster.Namespace}
-}

src/go/k8s/pkg/resources/certmanager/pandaproxy_api.go

@@ -10,20 +10,8 @@
 // Package certmanager contains resources for TLS certificate handling using cert-manager
 package certmanager
 
-import "k8s.io/apimachinery/pkg/types"
-
 const (
 	pandaproxyAPI           = "proxy"
 	pandaproxyAPIClientCert = "proxy-api-client"
 	pandaproxyAPINodeCert   = "proxy-api-node"
 )
-
-// PandaproxyAPINodeCert returns the namespaced name for the Pandaproxy API certificate used by nodes
-func (r *PkiReconciler) PandaproxyAPINodeCert() types.NamespacedName {
-	return types.NamespacedName{Name: r.pandaCluster.Name + "-" + pandaproxyAPINodeCert, Namespace: r.pandaCluster.Namespace}
-}
-
-// PandaproxyAPIClientCert returns the namespaced name for the Pandaproxy API certificate used by clients
-func (r *PkiReconciler) PandaproxyAPIClientCert() types.NamespacedName {
-	return types.NamespacedName{Name: r.pandaCluster.Name + "-" + pandaproxyAPIClientCert, Namespace: r.pandaCluster.Namespace}
-}