From 6610bd5897419dab54e461ad2e625f0996a457ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Wilson=20J=C3=BAnior?= Date: Mon, 19 Aug 2024 11:09:13 -0300 Subject: [PATCH] refact: move pod auto-restart by certificate changes to operator responsability --- controllers/controller.go | 140 ++++++++++++++---- controllers/controller_test.go | 6 +- controllers/rpaasinstance_controller.go | 16 +- .../controllers/certificates/cert_manager.go | 26 ++-- .../certificates/cert_manager_test.go | 11 +- .../controllers/certificates/certificates.go | 72 ++++----- .../certificates/certificates_test.go | 17 +-- .../certificates/dynamic_certificates.go | 19 --- 8 files changed, 179 insertions(+), 128 deletions(-) delete mode 100644 internal/controllers/certificates/dynamic_certificates.go diff --git a/controllers/controller.go b/controllers/controller.go index 27e407833..d54cb0820 100644 --- a/controllers/controller.go +++ b/controllers/controller.go @@ -20,6 +20,7 @@ import ( "strings" "text/template" + cmv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" "github.com/imdario/mergo" kedav1alpha1 "github.com/kedacore/keda/v2/apis/keda/v1alpha1" "github.com/sirupsen/logrus" @@ -42,6 +43,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/client" "github.com/tsuru/rpaas-operator/api/v1alpha1" + "github.com/tsuru/rpaas-operator/internal/controllers/certificates" controllerUtil "github.com/tsuru/rpaas-operator/internal/controllers/util" "github.com/tsuru/rpaas-operator/internal/pkg/rpaas/nginx" "github.com/tsuru/rpaas-operator/pkg/util" @@ -1088,32 +1090,40 @@ func mergeServiceWithDNS(instance *v1alpha1.RpaasInstance) *nginxv1alpha1.NginxS return s } -func newNginx(instanceMergedWithFlavors *v1alpha1.RpaasInstance, plan *v1alpha1.RpaasPlan, configMap *corev1.ConfigMap) *nginxv1alpha1.Nginx { +type newNginxOptions struct { + instanceMergedWithFlavors *v1alpha1.RpaasInstance + plan *v1alpha1.RpaasPlan + configMap *corev1.ConfigMap + certManagerCertificates []cmv1.Certificate + certificateSecrets []corev1.Secret +} + +func newNginx(opts newNginxOptions) *nginxv1alpha1.Nginx { var cacheConfig nginxv1alpha1.NginxCacheSpec - if v1alpha1.BoolValue(plan.Spec.Config.CacheEnabled) { - cacheConfig.Path = plan.Spec.Config.CachePath + if v1alpha1.BoolValue(opts.plan.Spec.Config.CacheEnabled) { + cacheConfig.Path = opts.plan.Spec.Config.CachePath cacheConfig.InMemory = true - if plan.Spec.Config.CacheSize != nil && !plan.Spec.Config.CacheSize.IsZero() { - cacheConfig.Size = plan.Spec.Config.CacheSize + if opts.plan.Spec.Config.CacheSize != nil && !opts.plan.Spec.Config.CacheSize.IsZero() { + cacheConfig.Size = opts.plan.Spec.Config.CacheSize } } - instanceMergedWithFlavors.Spec.Service = mergeServiceWithDNS(instanceMergedWithFlavors) + opts.instanceMergedWithFlavors.Spec.Service = mergeServiceWithDNS(opts.instanceMergedWithFlavors) - if s := instanceMergedWithFlavors.Spec.Service; s != nil { - s.Labels = instanceMergedWithFlavors.GetBaseLabels(s.Labels) + if s := opts.instanceMergedWithFlavors.Spec.Service; s != nil { + s.Labels = opts.instanceMergedWithFlavors.GetBaseLabels(s.Labels) } - if ing := instanceMergedWithFlavors.Spec.Ingress; ing != nil { - ing.Labels = instanceMergedWithFlavors.GetBaseLabels(ing.Labels) + if ing := opts.instanceMergedWithFlavors.Spec.Ingress; ing != nil { + ing.Labels = opts.instanceMergedWithFlavors.GetBaseLabels(ing.Labels) } - replicas := instanceMergedWithFlavors.Spec.Replicas - if shutdown := instanceMergedWithFlavors.Spec.Shutdown; shutdown { + replicas := opts.instanceMergedWithFlavors.Spec.Replicas + if shutdown := opts.instanceMergedWithFlavors.Spec.Shutdown; shutdown { replicas = ptr.To(int32(0)) } - if isAutoscaleEnabled(&instanceMergedWithFlavors.Spec) { + if isAutoscaleEnabled(&opts.instanceMergedWithFlavors.Spec) { // NOTE: we should avoid changing the number of replicas as it's managed by HPA. replicas = nil } @@ -1124,32 +1134,31 @@ func newNginx(instanceMergedWithFlavors *v1alpha1.RpaasInstance, plan *v1alpha1. APIVersion: "nginx.tsuru.io/v1alpha1", }, ObjectMeta: metav1.ObjectMeta{ - Name: instanceMergedWithFlavors.Name, - Namespace: instanceMergedWithFlavors.Namespace, + Name: opts.instanceMergedWithFlavors.Name, + Namespace: opts.instanceMergedWithFlavors.Namespace, OwnerReferences: []metav1.OwnerReference{ - *metav1.NewControllerRef(instanceMergedWithFlavors, schema.GroupVersionKind{ + *metav1.NewControllerRef(opts.instanceMergedWithFlavors, schema.GroupVersionKind{ Group: v1alpha1.GroupVersion.Group, Version: v1alpha1.GroupVersion.Version, Kind: "RpaasInstance", }), }, - Labels: instanceMergedWithFlavors.GetBaseLabels(nil), + Labels: opts.instanceMergedWithFlavors.GetBaseLabels(nil), }, Spec: nginxv1alpha1.NginxSpec{ - Image: plan.Spec.Image, + Image: opts.plan.Spec.Image, Replicas: replicas, Config: &nginxv1alpha1.ConfigRef{ - Name: configMap.Name, + Name: opts.configMap.Name, Kind: nginxv1alpha1.ConfigKindConfigMap, }, - Resources: plan.Spec.Resources, - Service: instanceMergedWithFlavors.Spec.Service.DeepCopy(), + Resources: opts.plan.Spec.Resources, + Service: opts.instanceMergedWithFlavors.Spec.Service.DeepCopy(), HealthcheckPath: "/_nginx_healthcheck", - TLS: instanceMergedWithFlavors.Spec.TLS, Cache: cacheConfig, - PodTemplate: instanceMergedWithFlavors.Spec.PodTemplate, - Lifecycle: instanceMergedWithFlavors.Spec.Lifecycle, - Ingress: instanceMergedWithFlavors.Spec.Ingress, + PodTemplate: opts.instanceMergedWithFlavors.Spec.PodTemplate, + Lifecycle: opts.instanceMergedWithFlavors.Spec.Lifecycle, + Ingress: opts.instanceMergedWithFlavors.Spec.Ingress, }, } @@ -1157,7 +1166,7 @@ func newNginx(instanceMergedWithFlavors *v1alpha1.RpaasInstance, plan *v1alpha1. n.Spec.Service.Type = corev1.ServiceTypeLoadBalancer } - for i, f := range instanceMergedWithFlavors.Spec.Files { + for i, f := range opts.instanceMergedWithFlavors.Spec.Files { volumeName := fmt.Sprintf("extra-files-%d", i) n.Spec.PodTemplate.Volumes = append(n.Spec.PodTemplate.Volumes, corev1.Volume{ @@ -1177,12 +1186,12 @@ func newNginx(instanceMergedWithFlavors *v1alpha1.RpaasInstance, plan *v1alpha1. }) } - if isTLSSessionTicketEnabled(&instanceMergedWithFlavors.Spec) { + if isTLSSessionTicketEnabled(&opts.instanceMergedWithFlavors.Spec) { n.Spec.PodTemplate.Volumes = append(n.Spec.PodTemplate.Volumes, corev1.Volume{ Name: sessionTicketsVolumeName, VolumeSource: corev1.VolumeSource{ Secret: &corev1.SecretVolumeSource{ - SecretName: secretNameForTLSSessionTickets(instanceMergedWithFlavors.Name), + SecretName: secretNameForTLSSessionTickets(opts.instanceMergedWithFlavors.Name), }, }, }) @@ -1194,6 +1203,53 @@ func newNginx(instanceMergedWithFlavors *v1alpha1.RpaasInstance, plan *v1alpha1. }) } + mapSecretNameToCertName := make(map[string]string) + secretsByName := make(map[string]corev1.Secret) + + for _, secret := range opts.certificateSecrets { + secretsByName[secret.Name] = secret + certName := secret.Labels[certificates.CertificateNameLabel] + if certName != "" { + mapSecretNameToCertName[secret.Name] = certName + } + } + + tlsByCertName := make(map[string]nginxv1alpha1.NginxTLS) + for _, tls := range opts.instanceMergedWithFlavors.Spec.TLS { + certName := mapSecretNameToCertName[tls.SecretName] + if certName == "" { + continue + } + tlsByCertName[certName] = tls + + if secret, ok := secretsByName[tls.SecretName]; ok { + n.Spec.PodTemplate.Annotations[certificateHashAnnotationKey(tls.SecretName)] = util.SHA256(secret.Data[corev1.TLSCertKey]) + n.Spec.PodTemplate.Annotations[keyHashAnnotationKey(tls.SecretName)] = util.SHA256(secret.Data[corev1.TLSPrivateKeyKey]) + } + } + + for _, cert := range opts.certManagerCertificates { + tlsByCertName[cert.Name] = nginxv1alpha1.NginxTLS{ + SecretName: cert.Spec.SecretName, + Hosts: cert.Spec.DNSNames, + } + + if secret, ok := secretsByName[cert.Spec.SecretName]; ok { + if n.Spec.PodTemplate.Annotations == nil { + n.Spec.PodTemplate.Annotations = make(map[string]string) + } + + n.Spec.PodTemplate.Annotations[certificateHashAnnotationKey(secret.Name)] = util.SHA256(secret.Data[corev1.TLSCertKey]) + n.Spec.PodTemplate.Annotations[keyHashAnnotationKey(secret.Name)] = util.SHA256(secret.Data[corev1.TLSPrivateKeyKey]) + } else { + // TODO: use other fields to generate the hash + } + } + + for _, tls := range tlsByCertName { + n.Spec.TLS = append(n.Spec.TLS, tls) + } + return n } @@ -1211,6 +1267,34 @@ func generateNginxHash(nginx *nginxv1alpha1.Nginx) (string, error) { return strings.ToLower(base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(hash[:])), nil } +func certificateHashAnnotationKey(secretName string) string { + keyFormat := "rpaas.extensions.tsuru.io/%s-secret-cert-sha256" + + // NOTE: Annotation keys must not be greater than 63 chars. + // See more: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set + maxIssuer := 63 - len(fmt.Sprintf(keyFormat, "")) + + if len(secretName) > maxIssuer { + secretName = secretName[:maxIssuer] + } + + return fmt.Sprintf(keyFormat, secretName) +} + +func keyHashAnnotationKey(secretName string) string { + keyFormat := "rpaas.extensions.tsuru.io/%s-secret-key-sha256" + + // NOTE: Annotation keys must not be greater than 63 chars. + // See more: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set + maxIssuer := 63 - len(fmt.Sprintf(keyFormat, "")) + + if len(secretName) > maxIssuer { + secretName = secretName[:maxIssuer] + } + + return fmt.Sprintf(keyFormat, secretName) +} + func generateSpecHash(spec any) (string, error) { if spec == nil { return "", nil diff --git a/controllers/controller_test.go b/controllers/controller_test.go index 57efc5a94..db41b078a 100644 --- a/controllers/controller_test.go +++ b/controllers/controller_test.go @@ -256,7 +256,11 @@ func Test_newNginx(t *testing.T) { if tt.expected != nil { nginx = tt.expected(nginx) } - assert.Equal(t, nginx, newNginx(instance, plan, cm)) + assert.Equal(t, nginx, newNginx(newNginxOptions{ + instanceMergedWithFlavors: instance, + plan: plan, + configMap: cm, + })) }) } } diff --git a/controllers/rpaasinstance_controller.go b/controllers/rpaasinstance_controller.go index 1bfdeab78..57c022bb0 100644 --- a/controllers/rpaasinstance_controller.go +++ b/controllers/rpaasinstance_controller.go @@ -123,7 +123,8 @@ func (r *RpaasInstanceReconciler) Reconcile(ctx context.Context, req ctrl.Reques } } - if err = certificates.ReconcileDynamicCertificates(ctx, r.Client, instance, instanceMergedWithFlavors); err != nil { + certManagerCertificates, err := certificates.ReconcileCertManager(ctx, r.Client, instance, instanceMergedWithFlavors) + if err != nil { return reconcile.Result{}, err } @@ -173,8 +174,19 @@ func (r *RpaasInstanceReconciler) Reconcile(ctx context.Context, req ctrl.Reques } } + certificateSecrets, err := certificates.ListCertificateSecrets(ctx, r.Client, instanceMergedWithFlavors) + if err != nil { + return reconcile.Result{}, err + } + // Nginx CRD - nginx := newNginx(instanceMergedWithFlavors, plan, configMap) + nginx := newNginx(newNginxOptions{ + instanceMergedWithFlavors: instanceMergedWithFlavors, + plan: plan, + configMap: configMap, + certManagerCertificates: certManagerCertificates, + certificateSecrets: certificateSecrets, + }) changes["nginx"], err = r.reconcileNginx(ctx, instanceMergedWithFlavors, nginx) if err != nil { return ctrl.Result{}, err diff --git a/internal/controllers/certificates/cert_manager.go b/internal/controllers/certificates/cert_manager.go index 69602dfa3..672bb5d81 100644 --- a/internal/controllers/certificates/cert_manager.go +++ b/internal/controllers/certificates/cert_manager.go @@ -26,32 +26,34 @@ import ( const CertManagerCertificateName string = "cert-manager" -func reconcileCertManager(ctx context.Context, client client.Client, instance, instanceMergedWithFlavors *v1alpha1.RpaasInstance) error { +func ReconcileCertManager(ctx context.Context, client client.Client, instance, instanceMergedWithFlavors *v1alpha1.RpaasInstance) ([]cmv1.Certificate, error) { err := removeOldCertificates(ctx, client, instance, instanceMergedWithFlavors) if err != nil { - return err + return nil, err } + certManagerCerts := []cmv1.Certificate{} + for _, req := range instanceMergedWithFlavors.CertManagerRequests() { issuer, err := getCertManagerIssuer(ctx, client, req, instanceMergedWithFlavors.Namespace) if err != nil { - return err + return nil, err } newCert, err := newCertificate(instanceMergedWithFlavors, issuer, req) if err != nil { - return err + return nil, err } var cert cmv1.Certificate err = client.Get(ctx, types.NamespacedName{Name: newCert.Name, Namespace: newCert.Namespace}, &cert) if err != nil && k8serrors.IsNotFound(err) { - if err = takeOverPreviousSecret(ctx, client, instance, instanceMergedWithFlavors, newCert); err != nil { - return err + if err = takeOverPreviousSecret(ctx, client, instanceMergedWithFlavors, newCert); err != nil { + return nil, err } if err = client.Create(ctx, newCert); err != nil { - return err + return nil, err } newCert.DeepCopyInto(&cert) @@ -61,21 +63,23 @@ func reconcileCertManager(ctx context.Context, client client.Client, instance, i newCert.ResourceVersion = cert.ResourceVersion if err = client.Update(ctx, newCert); err != nil { - return err + return nil, err } } + certManagerCerts = append(certManagerCerts, cert) + if !isCertificateReady(&cert) { continue } err = UpdateCertificateFromSecret(ctx, client, instance, cmCertificateName(req), newCert.Spec.SecretName) if err != nil { - return err + return nil, err } } - return nil + return certManagerCerts, nil } func removeOldCertificates(ctx context.Context, c client.Client, instance, instanceMergedWithFlavors *v1alpha1.RpaasInstance) error { @@ -117,7 +121,7 @@ func removeOldCertificates(ctx context.Context, c client.Client, instance, insta return nil } -func takeOverPreviousSecret(ctx context.Context, c client.Client, instance, instanceMergedWithFlavors *v1alpha1.RpaasInstance, cert *cmv1.Certificate) error { +func takeOverPreviousSecret(ctx context.Context, c client.Client, instanceMergedWithFlavors *v1alpha1.RpaasInstance, cert *cmv1.Certificate) error { var secret corev1.Secret err := c.Get(ctx, types.NamespacedName{Name: cert.Spec.SecretName, Namespace: cert.Namespace}, &secret) diff --git a/internal/controllers/certificates/cert_manager_test.go b/internal/controllers/certificates/cert_manager_test.go index b86a11054..6caf511c2 100644 --- a/internal/controllers/certificates/cert_manager_test.go +++ b/internal/controllers/certificates/cert_manager_test.go @@ -598,12 +598,7 @@ wg4cGbIbBPs= }, }, assert: func(t *testing.T, cli client.Client, instance *v1alpha1.RpaasInstance) { - assert.Equal(t, []nginxv1alpha1.NginxTLS{ - {SecretName: "my-instance-3-cert-manager-issuer-1", Hosts: []string{"www.example.com", "www.example.org", "www.example.test"}}, - }, instance.Spec.TLS) - - assert.Equal(t, "a0610da4d1958cfa7c375870e2c1bac796e84f509bbd989fa5a7c0e040965f28", instance.Spec.PodTemplate.Annotations["rpaas.extensions.tsuru.io/cert-manager-issue-certificate-sha256"]) - assert.Equal(t, "e644183deec75208c5fc53b4afb98e471ee290c7e7e10c5b95caff6851346132", instance.Spec.PodTemplate.Annotations["rpaas.extensions.tsuru.io/cert-manager-issuer-1-key-sha256"]) + assert.Nil(t, instance.Spec.TLS) var cert cmv1.Certificate err := cli.Get(context.TODO(), types.NamespacedName{ @@ -614,7 +609,7 @@ wg4cGbIbBPs= var s corev1.Secret err = cli.Get(context.TODO(), types.NamespacedName{ - Name: instance.Spec.TLS[0].SecretName, + Name: cert.Spec.SecretName, Namespace: instance.Namespace, }, &s) require.NoError(t, err) @@ -637,7 +632,7 @@ wg4cGbIbBPs= WithRuntimeObjects(allResources...). Build() - err := reconcileCertManager(context.TODO(), cli, tt.instance, tt.instance) + _, err := ReconcileCertManager(context.TODO(), cli, tt.instance, tt.instance) if tt.expectedError != "" { assert.EqualError(t, err, tt.expectedError) diff --git a/internal/controllers/certificates/certificates.go b/internal/controllers/certificates/certificates.go index 6b79b6f38..f80b7ba6c 100644 --- a/internal/controllers/certificates/certificates.go +++ b/internal/controllers/certificates/certificates.go @@ -19,7 +19,6 @@ import ( "sigs.k8s.io/controller-runtime/pkg/client" "github.com/tsuru/rpaas-operator/api/v1alpha1" - "github.com/tsuru/rpaas-operator/pkg/util" ) const CertificateNameLabel = "rpaas.extensions.tsuru.io/certificate-name" @@ -59,7 +58,7 @@ func UpdateCertificateFromSecret(ctx context.Context, c client.Client, instance } } - return updateInstanceWithCertificateInfos(ctx, c, instance, &s) + return nil } func UpdateCertificate(ctx context.Context, c client.Client, instance *v1alpha1.RpaasInstance, certificateName string, certData, keyData []byte) error { @@ -106,7 +105,7 @@ func UpdateCertificate(ctx context.Context, c client.Client, instance *v1alpha1. return err } - return updateInstanceWithCertificateInfos(ctx, c, instance, s) + return updateInstanceSpecWithCertificateInfos(ctx, c, instance, s) } @@ -136,9 +135,6 @@ func DeleteCertificate(ctx context.Context, c client.Client, instance *v1alpha1. instance.Spec.TLS = append(instance.Spec.TLS[:index], instance.Spec.TLS[index+1:]...) // removes the i-th element } - delete(instance.Spec.PodTemplate.Annotations, certificateHashAnnotationKey(certificateName)) - delete(instance.Spec.PodTemplate.Annotations, keyHashAnnotationKey(certificateName)) - if err = c.Update(ctx, instance); err != nil { return err } @@ -146,7 +142,7 @@ func DeleteCertificate(ctx context.Context, c client.Client, instance *v1alpha1. return c.Delete(ctx, s) } -func updateInstanceWithCertificateInfos(ctx context.Context, c client.Client, i *v1alpha1.RpaasInstance, s *corev1.Secret) error { +func updateInstanceSpecWithCertificateInfos(ctx context.Context, c client.Client, i *v1alpha1.RpaasInstance, s *corev1.Secret) error { hosts, err := extractDNSNames(s.Data[corev1.TLSCertKey]) if err != nil { return err @@ -163,20 +159,38 @@ func updateInstanceWithCertificateInfos(ctx context.Context, c client.Client, i }) } - if i.Spec.PodTemplate.Annotations == nil { - i.Spec.PodTemplate.Annotations = make(map[string]string) + if !reflect.DeepEqual(i.Spec.TLS, original.Spec.TLS) { + updateErr := c.Update(ctx, i) + if updateErr != nil { + return updateErr + } } - certName := s.Labels[CertificateNameLabel] + return nil +} + +func ListCertificateSecrets(ctx context.Context, c client.Client, instance *v1alpha1.RpaasInstance) ([]corev1.Secret, error) { + var sl corev1.SecretList + err := c.List(ctx, &sl, &client.ListOptions{ + LabelSelector: labels.Set{ + "rpaas.extensions.tsuru.io/instance-name": instance.Name, + }.AsSelector(), + Namespace: instance.Namespace, + }) + + if err != nil { + return nil, err + } - i.Spec.PodTemplate.Annotations[certificateHashAnnotationKey(certName)] = util.SHA256(s.Data[corev1.TLSCertKey]) - i.Spec.PodTemplate.Annotations[keyHashAnnotationKey(certName)] = util.SHA256(s.Data[corev1.TLSPrivateKeyKey]) + result := make([]corev1.Secret, 0, len(sl.Items)) - if reflect.DeepEqual(i.Spec.PodTemplate.Annotations, original.Spec.PodTemplate.Annotations) && reflect.DeepEqual(i.Spec.TLS, original.Spec.TLS) { - return nil + for _, s := range sl.Items { + if _, ok := s.Labels[CertificateNameLabel]; ok { + result = append(result, s) + } } - return c.Update(ctx, i) + return result, nil } func getTLSSecretByCertificateName(ctx context.Context, c client.Client, instance *v1alpha1.RpaasInstance, certName string) (*corev1.Secret, error) { @@ -256,31 +270,3 @@ func extractDNSNames(rawCert []byte) ([]string, error) { return leaf.DNSNames, nil } - -func certificateHashAnnotationKey(certName string) string { - keyFormat := "rpaas.extensions.tsuru.io/%s-certificate-sha256" - - // NOTE: Annotation keys must not be greater than 63 chars. - // See more: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set - maxIssuer := 63 - len(fmt.Sprintf(keyFormat, "")) - - if len(certName) > maxIssuer { - certName = certName[:maxIssuer] - } - - return fmt.Sprintf(keyFormat, certName) -} - -func keyHashAnnotationKey(certName string) string { - keyFormat := "rpaas.extensions.tsuru.io/%s-key-sha256" - - // NOTE: Annotation keys must not be greater than 63 chars. - // See more: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set - maxIssuer := 63 - len(fmt.Sprintf(keyFormat, "")) - - if len(certName) > maxIssuer { - certName = certName[:maxIssuer] - } - - return fmt.Sprintf(keyFormat, certName) -} diff --git a/internal/controllers/certificates/certificates_test.go b/internal/controllers/certificates/certificates_test.go index 5965695fb..026a91855 100644 --- a/internal/controllers/certificates/certificates_test.go +++ b/internal/controllers/certificates/certificates_test.go @@ -146,12 +146,7 @@ func TestUpdateCertificateFromSecret(t *testing.T) { err = c.Get(context.TODO(), types.NamespacedName{Name: "my-instance-3", Namespace: "rpaasv2"}, &i) assert.NoError(t, err) - assert.Equal(t, []nginxv1alpha1.NginxTLS{{ - SecretName: "my-instance-3-cert-manager", - Hosts: []string{"*.example.com", "*.example.org"}, - }}, i.Spec.TLS) - assert.Equal(t, "b08063b4653a313c028d44e6e0ceebbc38efa961b2178a30d930c02da438c984", i.Spec.PodTemplate.Annotations["rpaas.extensions.tsuru.io/cert-manager-certificate-sha256"]) - assert.Equal(t, "c0a86dc8278f233cff1f90833b486db20b00b31879b8dec395f9e7f6ba556f8b", i.Spec.PodTemplate.Annotations["rpaas.extensions.tsuru.io/cert-manager-key-sha256"]) + assert.Nil(t, i.Spec.TLS) }, }, } @@ -255,9 +250,6 @@ wg4cGbIbBPs= SecretName: s.Name, Hosts: []string{"www.example.com", "www.example.org", "www.example.test"}, }}, i.Spec.TLS) - - assert.Equal(t, "a0610da4d1958cfa7c375870e2c1bac796e84f509bbd989fa5a7c0e040965f28", i.Spec.PodTemplate.Annotations["rpaas.extensions.tsuru.io/www.example.com-certificate-sha256"]) - assert.Equal(t, "e644183deec75208c5fc53b4afb98e471ee290c7e7e10c5b95caff6851346132", i.Spec.PodTemplate.Annotations["rpaas.extensions.tsuru.io/www.example.com-key-sha256"]) }, }, @@ -308,9 +300,6 @@ wg4cGbIbBPs= SecretName: s.Name, Hosts: []string{"www.example.com", "www.example.org", "www.example.test"}, }}, i.Spec.TLS) - - assert.Equal(t, "a0610da4d1958cfa7c375870e2c1bac796e84f509bbd989fa5a7c0e040965f28", i.Spec.PodTemplate.Annotations["rpaas.extensions.tsuru.io/www.example.com-certificate-sha256"]) - assert.Equal(t, "e644183deec75208c5fc53b4afb98e471ee290c7e7e10c5b95caff6851346132", i.Spec.PodTemplate.Annotations["rpaas.extensions.tsuru.io/www.example.com-key-sha256"]) }, }, @@ -431,10 +420,6 @@ func Test_DeleteCertificate(t *testing.T) { require.NoError(t, err) assert.Len(t, i.Spec.TLS, 0) - _, found := i.Spec.PodTemplate.Annotations["rpaas.extensions.tsuru.io/www.example.com-certificate-sha256"] - assert.False(t, found) - _, found = i.Spec.PodTemplate.Annotations["rpaas.extensions.tsuru.io/www.example.com-key-sha256"] - assert.False(t, found) }, }, } diff --git a/internal/controllers/certificates/dynamic_certificates.go b/internal/controllers/certificates/dynamic_certificates.go deleted file mode 100644 index 2b428dc36..000000000 --- a/internal/controllers/certificates/dynamic_certificates.go +++ /dev/null @@ -1,19 +0,0 @@ -// Copyright 2021 tsuru authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package certificates - -import ( - "context" - - "sigs.k8s.io/controller-runtime/pkg/client" - - "github.com/tsuru/rpaas-operator/api/v1alpha1" -) - -func ReconcileDynamicCertificates(ctx context.Context, client client.Client, instance, instanceMergedWithFlavors *v1alpha1.RpaasInstance) error { - // NOTE: for now, we've only a way to obtain automatic certificates but it can - // be useful if we had more options in the future. - return reconcileCertManager(ctx, client, instance, instanceMergedWithFlavors) -}