From e7dd893c33bb21455c396a20c50adb3fb023a750 Mon Sep 17 00:00:00 2001 From: Paul Mackin Date: Mon, 22 Jun 2020 14:58:35 -0400 Subject: [PATCH 01/10] testing --- pkg/constants/constants.go | 3 +++ pkg/resources/secrets/secrets.go | 4 ++-- pkg/resources/secrets/secrets_test.go | 6 +++--- pkg/vmo/secret.go | 15 ++++++++++++++- 4 files changed, 22 insertions(+), 6 deletions(-) diff --git a/pkg/constants/constants.go b/pkg/constants/constants.go index 5d3adf00..e910d33e 100644 --- a/pkg/constants/constants.go +++ b/pkg/constants/constants.go @@ -136,3 +136,6 @@ const OciFlexVolumeProvisioner = "oracle.com/oci" const OciAvailabilityDomainLabel = "oci-availability-domain" const K8sDefaultStorageClassAnnotation = "storageclass.kubernetes.io/is-default-class" const K8sDefaultStorageClassBetaAnnotation = "storageclass.beta.kubernetes.io/is-default-class" + +// Monitoring namespace +const MonitoringNamespace = "monitoring" diff --git a/pkg/resources/secrets/secrets.go b/pkg/resources/secrets/secrets.go index a94cd322..45a38ccc 100644 --- a/pkg/resources/secrets/secrets.go +++ b/pkg/resources/secrets/secrets.go @@ -24,13 +24,13 @@ func New(sauron *vmcontrollerv1.VerrazzanoMonitoringInstance, secretName string, }, nil } -func NewTLS(sauron *vmcontrollerv1.VerrazzanoMonitoringInstance, secretName string, data map[string][]byte) (*corev1.Secret, error) { +func NewTLS(sauron *vmcontrollerv1.VerrazzanoMonitoringInstance, nameSpace string, secretName string, data map[string][]byte) (*corev1.Secret, error) { return &corev1.Secret{ Type: corev1.SecretTypeOpaque, ObjectMeta: metav1.ObjectMeta{ Labels: resources.GetMetaLabels(sauron), Name: secretName, - Namespace: sauron.Namespace, + Namespace: nameSpace, OwnerReferences: resources.GetOwnerReferences(sauron), }, Data: data, diff --git a/pkg/resources/secrets/secrets_test.go b/pkg/resources/secrets/secrets_test.go index f3fa45d3..903dce99 100644 --- a/pkg/resources/secrets/secrets_test.go +++ b/pkg/resources/secrets/secrets_test.go 
@@ -3,8 +3,8 @@ package secrets import ( - vmcontrollerv1 "github.com/verrazzano/verrazzano-monitoring-operator/pkg/apis/vmcontroller/v1" "github.com/stretchr/testify/assert" + vmcontrollerv1 "github.com/verrazzano/verrazzano-monitoring-operator/pkg/apis/vmcontroller/v1" "testing" ) @@ -43,14 +43,14 @@ func TestSauronWithCascadingDelete(t *testing.T) { }, } secret, _ := New(sauron, "secret", []byte{}) - tls, _ := NewTLS(sauron, "secret", map[string][]byte{}) + tls, _ := NewTLS(sauron, sauron.Namespace, "secret", map[string][]byte{}) assert.Equal(t, 1, len(secret.ObjectMeta.OwnerReferences), "OwnerReferences is not set with CascadingDelete true") assert.Equal(t, 1, len(tls.ObjectMeta.OwnerReferences), "OwnerReferences is not set with CascadingDelete true") // Without CascadingDelete sauron.Spec.CascadingDelete = false secret, _ = New(sauron, "secret", []byte{}) - tls, _ = NewTLS(sauron, "secret", map[string][]byte{}) + tls, _ = NewTLS(sauron, sauron.Namespace, "secret", map[string][]byte{}) assert.Equal(t, 0, len(secret.ObjectMeta.OwnerReferences), "OwnerReferences is set even with CascadingDelete false") assert.Equal(t, 0, len(tls.ObjectMeta.OwnerReferences), "OwnerReferences is set even with CascadingDelete false") } diff --git a/pkg/vmo/secret.go b/pkg/vmo/secret.go index 0b7a6053..7c00342a 100644 --- a/pkg/vmo/secret.go +++ b/pkg/vmo/secret.go @@ -181,7 +181,7 @@ func CreateOrUpdateTLSSecrets(controller *Controller, sauron *vmcontrollerv1.Ver } return nil } - secret, err = secrets.NewTLS(sauron, sauron.Name+"-tls", secretData) + secret, err = secrets.NewTLS(sauron, sauron.Namespace, sauron.Name+"-tls", secretData) if err != nil { glog.Errorf("got an error trying to create a password hash, err: %s", err) return err 
@@ -192,6 +192,19 @@ func CreateOrUpdateTLSSecrets(controller *Controller, sauron *vmcontrollerv1.Ver return err } glog.V(6).Infof("Create TLS secret: %s", secretOut.Name) + + secret, err = secrets.NewTLS(sauron, constants.MonitoringNamespace, sauron.Name+"-tls", secretData) + if err != nil { + glog.Errorf("got an error trying to create the TLS secret object: %s", err) + return err + } + secretOut, err = controller.kubeclientset.CoreV1().Secrets(sauron.Namespace).Create(secret) + if err != nil { + glog.Errorf("Error trying to create a TLS secret in monitoring namespace, err: %s", err) + return err + } + glog.V(6).Infof("Create TLS secret in monitoring namespace: %s", secretOut.Name) + } return nil } From 18cac9700362affa976430cc6e44e98fa239770b Mon Sep 17 00:00:00 2001 From: Paul Mackin Date: Mon, 22 Jun 2020 19:18:07 -0400 Subject: [PATCH 02/10] testing --- pkg/constants/constants.go | 3 +++ pkg/vmo/sauronspec.go | 5 +++++ pkg/vmo/secret.go | 23 +++++++++++++++++++++++ 3 files changed, 31 insertions(+) diff --git a/pkg/constants/constants.go b/pkg/constants/constants.go index 5d3adf00..e910d33e 100644 --- a/pkg/constants/constants.go +++ b/pkg/constants/constants.go @@ -136,3 +136,6 @@ const OciFlexVolumeProvisioner = "oracle.com/oci" const OciAvailabilityDomainLabel = "oci-availability-domain" const K8sDefaultStorageClassAnnotation = "storageclass.kubernetes.io/is-default-class" const K8sDefaultStorageClassBetaAnnotation = "storageclass.beta.kubernetes.io/is-default-class" + +// Monitoring namespace +const MonitoringNamespace = "monitoring" diff --git a/pkg/vmo/sauronspec.go b/pkg/vmo/sauronspec.go index 849e6de9..b12b1755 100644 --- a/pkg/vmo/sauronspec.go +++ b/pkg/vmo/sauronspec.go 
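Review bot: The second secret object is built by `secrets.NewTLS` with `constants.MonitoringNamespace` in its ObjectMeta, but it is submitted through `controller.kubeclientset.CoreV1().Secrets(sauron.Namespace).Create(secret)`; the API server rejects a create whose object namespace differs from the request namespace, so this branch can never succeed as written and the client call must use `Secrets(constants.MonitoringNamespace)`. `NewTLS` also attaches `resources.GetOwnerReferences(sauron)`, and an owner in `sauron.Namespace` would be a cross-namespace owner reference, which Kubernetes does not honour, so the copy would need its own cleanup. The log line `got an error trying to create the TLS secret object` should name the namespace so the two create failures in this function can be told apart. The enclosing CreateOrUpdateTLSSecrets body starts outside the hunk, and the same block appears to be removed again by PATCH 03 later in this series.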
@@ -36,6 +36,11 @@ func InitializeSauronSpec(controller *Controller, sauron *vmcontrollerv1.Verrazz glog.Errorf("Failed to create TLS Secrets for sauron: %v", err) } + err = CopyTLSSecretToMonitoringNS(controller, sauron) + if err != nil { + glog.Errorf("Failed to copy TLS Secret to monitoring namespace: %v", err) + } + // Set creation time if sauron.Status.CreationTime == nil { now := metav1.Now() diff --git a/pkg/vmo/secret.go b/pkg/vmo/secret.go index 0b7a6053..4178b25a 100644 --- a/pkg/vmo/secret.go +++ b/pkg/vmo/secret.go @@ -252,3 +252,26 @@ func (c *Controller) loadAllAuthSecretData(ns, secretName string) (map[string]st return m, nil } + +// The prometheus pusher needs to access the ca.ctl cert in system-tls secret from within the pod. The secret must +// be in the monitoring namespace to access it as a volume. Copy the secret from the verrazzano-system +// namespace. +func CopyTLSSecretToMonitoringNS(controller *Controller, sauron *vmcontrollerv1.VerrazzanoMonitoringInstance) error { + + // The secret must be this name since the name is hardcoded in monitoring/deployments.do of verrazzano operator. + const secretName = "system-tls" + secret, err := controller.kubeclientset.CoreV1().Secrets(sauron.Namespace).Get(secretName, metav1.GetOptions{}) + if err != nil { + glog.Errorf("Error getting TLS secret %s from namespace %s, err: %s", secretName, sauron.Namespace, err) + return err + } + + _, err = controller.kubeclientset.CoreV1().Secrets(constants.MonitoringNamespace).Create(secret) + if err != nil { + glog.Errorf("caught an error trying to create a secret, err: %s", err) + return err + } + glog.V(6).Infof("Created TLS secret %s in namespace %s", secretName, constants.MonitoringNamespace) + + return nil +} From 70ff84fc4c1732f9bad00ac5fcfc247fe4a2d59b Mon Sep 17 00:00:00 2001 
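Review bot: `Secrets(constants.MonitoringNamespace).Create(secret)` re-submits the object fetched from `sauron.Namespace` unchanged, so it still carries that namespace together with the source's uid and resourceVersion; the API server rejects a create whose object namespace differs from the request namespace or whose resourceVersion is set, so this copy cannot succeed as written (PATCH 04's later `secret.Namespace = constants.MonitoringNamespace` has the same problem with the remaining metadata). Build a fresh object with only Name, Namespace, Type and Data, as below; note `corev1` is not imported in this file at this commit and would need adding to the import block. From a least-privilege angle the doc comment says the pusher only needs the CA certificate (`ca.ctl` looks like a typo for `ca.crt`), so if `system-tls` also holds a serving private key, copying only the CA entry would avoid widening that key's exposure to every reader of secrets in `monitoring`. The fresh object necessarily has no owner reference, since owner references cannot cross namespaces, which means nothing deletes the copy when the instance is removed; the instance's delete path should remove it explicitly.
```go
	// Build a fresh object: the fetched secret carries the source namespace,
	// uid and resourceVersion, all of which Create rejects.
	newSecret := &corev1.Secret{
		ObjectMeta: metav1.ObjectMeta{
			Name:      secretName,
			Namespace: constants.MonitoringNamespace,
		},
		Type: secret.Type,
		// Consider restricting this to the CA entry the pusher actually reads.
		Data: secret.Data,
	}
	_, err = controller.kubeclientset.CoreV1().Secrets(constants.MonitoringNamespace).Create(newSecret)
	// … unchanged: error logging and return …
```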
From: Paul Mackin Date: Mon, 22 Jun 2020 19:26:18 -0400 Subject: [PATCH 03/10] testing --- pkg/resources/secrets/secrets.go | 4 ++-- pkg/resources/secrets/secrets_test.go | 4 ++-- pkg/vmo/secret.go | 15 +-------------- 3 files changed, 5 insertions(+), 18 deletions(-) diff --git a/pkg/resources/secrets/secrets.go b/pkg/resources/secrets/secrets.go index 45a38ccc..a94cd322 100644 --- a/pkg/resources/secrets/secrets.go +++ b/pkg/resources/secrets/secrets.go @@ -24,13 +24,13 @@ func New(sauron *vmcontrollerv1.VerrazzanoMonitoringInstance, secretName string, }, nil } -func NewTLS(sauron *vmcontrollerv1.VerrazzanoMonitoringInstance, nameSpace string, secretName string, data map[string][]byte) (*corev1.Secret, error) { +func NewTLS(sauron *vmcontrollerv1.VerrazzanoMonitoringInstance, secretName string, data map[string][]byte) (*corev1.Secret, error) { return &corev1.Secret{ Type: corev1.SecretTypeOpaque, ObjectMeta: metav1.ObjectMeta{ Labels: resources.GetMetaLabels(sauron), Name: secretName, - Namespace: nameSpace, + Namespace: sauron.Namespace, OwnerReferences: resources.GetOwnerReferences(sauron), }, Data: data, diff --git a/pkg/resources/secrets/secrets_test.go b/pkg/resources/secrets/secrets_test.go index 903dce99..a236b905 100644 --- a/pkg/resources/secrets/secrets_test.go +++ b/pkg/resources/secrets/secrets_test.go 
@@ -43,14 +43,14 @@ func TestSauronWithCascadingDelete(t *testing.T) { }, } secret, _ := New(sauron, "secret", []byte{}) - tls, _ := NewTLS(sauron, sauron.Namespace, "secret", map[string][]byte{}) + tls, _ := NewTLS(sauron, "secret", map[string][]byte{}) assert.Equal(t, 1, len(secret.ObjectMeta.OwnerReferences), "OwnerReferences is not set with CascadingDelete true") assert.Equal(t, 1, len(tls.ObjectMeta.OwnerReferences), "OwnerReferences is not set with CascadingDelete true") // Without CascadingDelete sauron.Spec.CascadingDelete = false secret, _ = New(sauron, "secret", []byte{}) - tls, _ = NewTLS(sauron, sauron.Namespace, "secret", map[string][]byte{}) + tls, _ = NewTLS(sauron, "secret", map[string][]byte{}) assert.Equal(t, 0, len(secret.ObjectMeta.OwnerReferences), "OwnerReferences is set even with CascadingDelete false") assert.Equal(t, 0, len(tls.ObjectMeta.OwnerReferences), "OwnerReferences is set even with CascadingDelete false") } diff --git a/pkg/vmo/secret.go b/pkg/vmo/secret.go index 6570ec4e..4178b25a 100644 --- a/pkg/vmo/secret.go +++ b/pkg/vmo/secret.go @@ -181,7 +181,7 @@ func CreateOrUpdateTLSSecrets(controller *Controller, sauron *vmcontrollerv1.Ver } return nil } - secret, err = secrets.NewTLS(sauron, sauron.Namespace, sauron.Name+"-tls", secretData) + secret, err = secrets.NewTLS(sauron, sauron.Name+"-tls", secretData) if err != nil { glog.Errorf("got an error trying to create a password hash, err: %s", err) return err 
@@ -192,19 +192,6 @@ func CreateOrUpdateTLSSecrets(controller *Controller, sauron *vmcontrollerv1.Ver return err } glog.V(6).Infof("Create TLS secret: %s", secretOut.Name) - - secret, err = secrets.NewTLS(sauron, constants.MonitoringNamespace, sauron.Name+"-tls", secretData) - if err != nil { - glog.Errorf("got an error trying to create the TLS secret object: %s", err) - return err - } - secretOut, err = controller.kubeclientset.CoreV1().Secrets(sauron.Namespace).Create(secret) - if err != nil { - glog.Errorf("Error trying to create a TLS secret in monitoring namespace, err: %s", err) - return err - } - glog.V(6).Infof("Create TLS secret in monitoring namespace: %s", secretOut.Name) - } return nil } From fa88e98417b66b35931cfd32f1e976e3378507bf Mon Sep 17 00:00:00 2001 From: Paul Mackin Date: Mon, 22 Jun 2020 20:18:32 -0400 Subject: [PATCH 04/10] testing --- pkg/vmo/secret.go | 1 + 1 file changed, 1 insertion(+) diff --git a/pkg/vmo/secret.go b/pkg/vmo/secret.go index 4178b25a..139b51f5 100644 --- a/pkg/vmo/secret.go +++ b/pkg/vmo/secret.go @@ -266,6 +266,7 @@ func CopyTLSSecretToMonitoringNS(controller *Controller, sauron *vmcontrollerv1. return err } + secret.Namespace = constants.MonitoringNamespace _, err = controller.kubeclientset.CoreV1().Secrets(constants.MonitoringNamespace).Create(secret) if err != nil { glog.Errorf("caught an error trying to create a secret, err: %s", err) From ab3c8217ff953122625ac52527177b28aaf4ba7e Mon Sep 17 00:00:00 2001 From: Paul Mackin Date: Mon, 22 Jun 2020 20:41:31 -0400 Subject: [PATCH 05/10] testing --- pkg/vmo/secret.go | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/pkg/vmo/secret.go b/pkg/vmo/secret.go index 139b51f5..b975f917 100644 --- a/pkg/vmo/secret.go +++ b/pkg/vmo/secret.go @@ -6,6 +6,7 @@ import ( "crypto/sha1" "encoding/base64" "fmt" + corev1 "k8s.io/api/core/v1" "regexp" "strings" 
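Review bot: The new import `corev1 "k8s.io/api/core/v1"` is inserted between `"fmt"` and `"regexp"` inside the standard-library group; goimports convention keeps stdlib in its own block and places third-party packages in the group that follows (where the `metav1` import presumably already lives). Move the line into that second group so a `goimports`/`gofmt` check in CI does not flag the file. The import block continues outside the hunk.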
@@ -266,8 +267,15 @@ func CopyTLSSecretToMonitoringNS(controller *Controller, sauron *vmcontrollerv1. return err } - secret.Namespace = constants.MonitoringNamespace - _, err = controller.kubeclientset.CoreV1().Secrets(constants.MonitoringNamespace).Create(secret) + newSecret := corev1.Secret{ + TypeMeta: metav1.TypeMeta{}, + ObjectMeta: metav1.ObjectMeta{}, + Data: secret.Data, + StringData: secret.StringData, + Type: secret.Type, + } + + _, err = controller.kubeclientset.CoreV1().Secrets(constants.MonitoringNamespace).Create(newSecret) if err != nil { glog.Errorf("caught an error trying to create a secret, err: %s", err) return err From 0cc04f5dfe6d0577407701f89a75ca724dc193c6 Mon Sep 17 00:00:00 2001 From: Paul Mackin Date: Mon, 22 Jun 2020 20:47:30 -0400 Subject: [PATCH 06/10] testing --- pkg/vmo/secret.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/vmo/secret.go b/pkg/vmo/secret.go index b975f917..c976eafb 100644 --- a/pkg/vmo/secret.go +++ b/pkg/vmo/secret.go @@ -275,7 +275,7 @@ func CopyTLSSecretToMonitoringNS(controller *Controller, sauron *vmcontrollerv1. Type: secret.Type, } - _, err = controller.kubeclientset.CoreV1().Secrets(constants.MonitoringNamespace).Create(newSecret) + _, err = controller.kubeclientset.CoreV1().Secrets(constants.MonitoringNamespace).Create(&newSecret) if err != nil { glog.Errorf("caught an error trying to create a secret, err: %s", err) return err From 05309133829ba05a0847bf86efd2dd2fd3ac91b5 Mon Sep 17 00:00:00 2001 From: Paul Mackin Date: Mon, 22 Jun 2020 21:01:23 -0400 Subject: [PATCH 07/10] testing --- pkg/vmo/secret.go | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/pkg/vmo/secret.go b/pkg/vmo/secret.go index c976eafb..42fe6153 100644 --- a/pkg/vmo/secret.go +++ b/pkg/vmo/secret.go 
@@ -268,13 +268,14 @@ func CopyTLSSecretToMonitoringNS(controller *Controller, sauron *vmcontrollerv1. } newSecret := corev1.Secret{ - TypeMeta: metav1.TypeMeta{}, - ObjectMeta: metav1.ObjectMeta{}, + ObjectMeta: metav1.ObjectMeta{ + Name: secret.Name, + Namespace: constants.MonitoringNamespace, + }, Data: secret.Data, StringData: secret.StringData, Type: secret.Type, } - _, err = controller.kubeclientset.CoreV1().Secrets(constants.MonitoringNamespace).Create(&newSecret) if err != nil { glog.Errorf("caught an error trying to create a secret, err: %s", err) From c3227b37b1551823f00d330f84aa333389817477 Mon Sep 17 00:00:00 2001 From: Paul Mackin Date: Mon, 22 Jun 2020 21:41:32 -0400 Subject: [PATCH 08/10] testing --- pkg/vmo/secret.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkg/vmo/secret.go b/pkg/vmo/secret.go index 42fe6153..31c0741d 100644 --- a/pkg/vmo/secret.go +++ b/pkg/vmo/secret.go @@ -267,6 +267,10 @@ func CopyTLSSecretToMonitoringNS(controller *Controller, sauron *vmcontrollerv1. return err } + // Always copy the secret even it is already exists, so try to delete it first. + controller.kubeclientset.CoreV1().Secrets(constants.MonitoringNamespace).Delete(secret.Name, &metav1.DeleteOptions{}) + + // Create the secret newSecret := corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: secret.Name, From f46e6a0c0414ad206e07c9f8a9b530047d57e6fb Mon Sep 17 00:00:00 2001 From: Paul Mackin Date: Mon, 22 Jun 2020 21:54:22 -0400 Subject: [PATCH 09/10] testing --- pkg/vmo/secret.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/vmo/secret.go b/pkg/vmo/secret.go index 31c0741d..c37a1cae 100644 --- a/pkg/vmo/secret.go +++ b/pkg/vmo/secret.go 
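Review bot: The copied Secret sets only `Name`, `Namespace`, `Data`, `StringData` and `Type`; the labels that `resources.GetMetaLabels(sauron)` applies to the operator's other secrets are not set and there is no owner reference. Leaving out the owner reference is correct, since owner references cannot point across namespaces, but it means the copy in `monitoring` is never garbage-collected when the instance is deleted — the delete path needs an explicit `Secrets(constants.MonitoringNamespace).Delete(secretName, ...)`, and a label such as `Labels: resources.GetMetaLabels(sauron),` (if that package is available in this file) would at least let operators trace the copy back to its owner. Copying `StringData` is redundant: it is a write-only convenience field that the API server merges into `Data` and never returns on read, so it is always empty on the fetched object. The enclosing function starts and ends outside the hunk.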
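Review bot: The return value of `Delete(...)` is discarded, so a failure other than NotFound (an RBAC denial, an unavailable API server) is silently followed by a `Create` that then fails with AlreadyExists and a misleading `caught an error trying to create a secret` log; check it with `if err := controller.kubeclientset.CoreV1().Secrets(constants.MonitoringNamespace).Delete(secret.Name, &metav1.DeleteOptions{}); err != nil && !apierrors.IsNotFound(err) { return err }` (apierrors being `k8s.io/apimachinery/pkg/api/errors`). Delete-then-create also leaves a window on every reconcile in which the secret does not exist, which matters for a pod that mounts it as a volume; an Update, or a Create that falls back to Update on AlreadyExists, keeps the object present throughout. The comment typo `even it is already exists` should read `even if it already exists`.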
@@ -285,7 +285,7 @@ func CopyTLSSecretToMonitoringNS(controller *Controller, sauron *vmcontrollerv1.
 glog.Errorf("caught an error trying to create a secret, err: %s", err)
 return err
 }
- glog.V(6).Infof("Created TLS secret %s in namespace %s", secretName, constants.MonitoringNamespace)
+ glog.Infof("Created TLS secret %s in namespace %s", secretName, constants.MonitoringNamespace)
 
 return nil
 }
From 64d93a26eeba16b3a998cebd259b4878dc9c9ebc Mon Sep 17 00:00:00 2001
From: Paul Mackin
Date: Mon, 22 Jun 2020 22:18:43 -0400
Subject: [PATCH 10/10] testing
---
 pkg/vmo/sauronspec.go | 2 +-
 pkg/vmo/secret.go | 15 +++++++++------
 2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/pkg/vmo/sauronspec.go b/pkg/vmo/sauronspec.go
index b12b1755..dc0838fb 100644
--- a/pkg/vmo/sauronspec.go
+++ b/pkg/vmo/sauronspec.go
@@ -36,7 +36,7 @@ func InitializeSauronSpec(controller *Controller, sauron *vmcontrollerv1.Verrazz
 glog.Errorf("Failed to create TLS Secrets for sauron: %v", err)
 }
 
- err = CopyTLSSecretToMonitoringNS(controller, sauron)
+ err = EnsureTlsSecretInMonitoringNS(controller, sauron)
 if err != nil {
 glog.Errorf("Failed to copy TLS Secret to monitoring namespace: %v", err)
 }
diff --git a/pkg/vmo/secret.go b/pkg/vmo/secret.go
index c37a1cae..3d69bc9c 100644
--- a/pkg/vmo/secret.go
+++ b/pkg/vmo/secret.go
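Review bot: The new name `EnsureTlsSecretInMonitoringNS` breaks Go's initialism convention (`TLS`, as in the neighbouring `CreateOrUpdateTLSSecrets`); rename it `EnsureTLSSecretInMonitoringNS` here and at the definition. The error is logged and dropped exactly like the `CreateOrUpdateTLSSecrets` error just above it, so a failed copy surfaces only as a log line while the pusher fails later at mount time — consistent with the surrounding style, but a one-line comment saying why reconciliation continues would help. The renamed callee (the next hunk, which runs past the end of this excerpt) appears to return early whenever a secret of that name already exists in `monitoring` without comparing its contents to the source, so a rotated `system-tls` in `sauron.Namespace` would never be propagated; if "ensure" semantics are intended, the callee should compare `Data` and update on drift.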
@@ -257,19 +257,22 @@ func (c *Controller) loadAllAuthSecretData(ns, secretName string) (map[string]st // The prometheus pusher needs to access the ca.ctl cert in system-tls secret from within the pod. The secret must // be in the monitoring namespace to access it as a volume. Copy the secret from the verrazzano-system // namespace. -func CopyTLSSecretToMonitoringNS(controller *Controller, sauron *vmcontrollerv1.VerrazzanoMonitoringInstance) error { +func EnsureTlsSecretInMonitoringNS(controller *Controller, sauron *vmcontrollerv1.VerrazzanoMonitoringInstance) error { + const secretName = "system-tls" + + // Don't copy the secret if it already exists. + secret, err := controller.kubeclientset.CoreV1().Secrets(constants.MonitoringNamespace).Get(secretName, metav1.GetOptions{}) + if err == nil && secret != nil { + return nil + } // The secret must be this name since the name is hardcoded in monitoring/deployments.do of verrazzano operator. - const secretName = "system-tls" - secret, err := controller.kubeclientset.CoreV1().Secrets(sauron.Namespace).Get(secretName, metav1.GetOptions{}) + secret, err = controller.kubeclientset.CoreV1().Secrets(sauron.Namespace).Get(secretName, metav1.GetOptions{}) if err != nil { glog.Errorf("Error getting TLS secret %s from namespace %s, err: %s", secretName, sauron.Namespace, err) return err } - // Always copy the secret even it is already exists, so try to delete it first. - controller.kubeclientset.CoreV1().Secrets(constants.MonitoringNamespace).Delete(secret.Name, &metav1.DeleteOptions{}) - // Create the secret newSecret := corev1.Secret{ ObjectMeta: metav1.ObjectMeta{