Merge pull request #2 from verrazzano/pmackin-monitoring-secret

Create system-tls secret in monitoring namespace
verrazzano · Jun 23, 2020 · ef32979 · ef32979
2 parents f9c60df + 64d93a2
commit ef32979
Show file tree

Hide file tree

Showing 4 changed files with 49 additions and 1 deletion.
diff --git a/pkg/constants/constants.go b/pkg/constants/constants.go
@@ -136,3 +136,6 @@ const OciFlexVolumeProvisioner = "oracle.com/oci"
 const OciAvailabilityDomainLabel = "oci-availability-domain"
 const K8sDefaultStorageClassAnnotation = "storageclass.kubernetes.io/is-default-class"
 const K8sDefaultStorageClassBetaAnnotation = "storageclass.beta.kubernetes.io/is-default-class"
+
+// Monitoring namespace
+const MonitoringNamespace = "monitoring"
diff --git a/pkg/resources/secrets/secrets_test.go b/pkg/resources/secrets/secrets_test.go
@@ -3,8 +3,8 @@
 package secrets
 
 import (
-	vmcontrollerv1 "github.com/verrazzano/verrazzano-monitoring-operator/pkg/apis/vmcontroller/v1"
 	"github.com/stretchr/testify/assert"
+	vmcontrollerv1 "github.com/verrazzano/verrazzano-monitoring-operator/pkg/apis/vmcontroller/v1"
 	"testing"
 )
 

diff --git a/pkg/vmo/sauronspec.go b/pkg/vmo/sauronspec.go
@@ -36,6 +36,11 @@ func InitializeSauronSpec(controller *Controller, sauron *vmcontrollerv1.Verrazz
 		glog.Errorf("Failed to create TLS Secrets for sauron: %v", err)
 	}
 
+	err = EnsureTlsSecretInMonitoringNS(controller, sauron)
+	if err != nil {
+		glog.Errorf("Failed to copy TLS Secret to monitoring namespace: %v", err)
+	}
+
 	// Set creation time
 	if sauron.Status.CreationTime == nil {
 		now := metav1.Now()

diff --git a/pkg/vmo/secret.go b/pkg/vmo/secret.go
@@ -6,6 +6,7 @@ import (
 	"crypto/sha1"
 	"encoding/base64"
 	"fmt"
+	corev1 "k8s.io/api/core/v1"
 	"regexp"
 	"strings"
 
@@ -252,3 +253,42 @@ func (c *Controller) loadAllAuthSecretData(ns, secretName string) (map[string]st
 
 	return m, nil
 }
+
+// The prometheus pusher needs to access the ca.ctl cert in system-tls secret from within the pod.  The secret must
+// be in the monitoring namespace to access it as a volume.  Copy the secret from the verrazzano-system
+// namespace.
+func EnsureTlsSecretInMonitoringNS(controller *Controller, sauron *vmcontrollerv1.VerrazzanoMonitoringInstance) error {
+	const secretName = "system-tls"
+
+	// Don't copy the secret if it already exists.
+	secret, err := controller.kubeclientset.CoreV1().Secrets(constants.MonitoringNamespace).Get(secretName, metav1.GetOptions{})
+	if err == nil && secret != nil {
+		return nil
+	}
+
+	// The secret must be this name since the name is hardcoded in monitoring/deployments.do of verrazzano operator.
+	secret, err = controller.kubeclientset.CoreV1().Secrets(sauron.Namespace).Get(secretName, metav1.GetOptions{})
+	if err != nil {
+		glog.Errorf("Error getting TLS secret %s from namespace %s, err: %s", secretName, sauron.Namespace, err)
+		return err
+	}
+
+	// Create the secret
+	newSecret := corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      secret.Name,
+			Namespace: constants.MonitoringNamespace,
+		},
+		Data:       secret.Data,
+		StringData: secret.StringData,
+		Type:       secret.Type,
+	}
+	_, err = controller.kubeclientset.CoreV1().Secrets(constants.MonitoringNamespace).Create(&newSecret)
+	if err != nil {
+		glog.Errorf("caught an error trying to create a secret, err: %s", err)
+		return err
+	}
+	glog.Infof("Created TLS secret %s in namespace %s", secretName, constants.MonitoringNamespace)
+
+	return nil
+}