Merge pull request #534 from makhov/k0smotron-cp-external-certs

Respect external certificates for K0smotronControlPlane
k0sproject · Apr 22, 2024 · 0329079 · 0329079
2 parents d716146 + 262fe6c
commit 0329079
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 20 deletions.
diff --git a/internal/controller/controlplane/k0smotron_controlplane_controller.go b/internal/controller/controlplane/k0smotron_controlplane_controller.go
@@ -18,6 +18,7 @@ package controlplane
 
 import (
 	"context"
+	"fmt"
 	"reflect"
 	"time"
 
@@ -105,13 +106,9 @@ func (c *K0smotronController) Reconcile(ctx context.Context, req ctrl.Request) (
 	// 	return ctrl.Result{}, nil
 	// }
 
-	if err = c.ensureCertificates(ctx, cluster, kcp); err != nil {
-		log.Error(err, "Failed to ensure certificates")
-		return ctrl.Result{}, err
-	}
-
 	res, ready, err := c.reconcile(ctx, cluster, kcp)
 	if err != nil {
+		log.Error(err, "Reconciliation failed")
 		return res, err
 	}
 	if !ready {
@@ -193,19 +190,25 @@ func (c *K0smotronController) waitExternalAddress(ctx context.Context, cluster *
 }
 
 func (c *K0smotronController) reconcile(ctx context.Context, cluster *clusterv1.Cluster, kcp *cpv1beta1.K0smotronControlPlane) (ctrl.Result, bool, error) {
-	kcp.Spec.CertificateRefs = []kapi.CertificateRef{
-		{
-			Type: string(secret.ClusterCA),
-			Name: secret.Name(cluster.Name, secret.ClusterCA),
-		},
-		{
-			Type: string(secret.FrontProxyCA),
-			Name: secret.Name(cluster.Name, secret.FrontProxyCA),
-		},
-		{
-			Type: string(secret.ServiceAccount),
-			Name: secret.Name(cluster.Name, secret.ServiceAccount),
-		},
+	if kcp.Spec.CertificateRefs == nil {
+		kcp.Spec.CertificateRefs = []kapi.CertificateRef{
+			{
+				Type: string(secret.ClusterCA),
+				Name: secret.Name(cluster.Name, secret.ClusterCA),
+			},
+			{
+				Type: string(secret.FrontProxyCA),
+				Name: secret.Name(cluster.Name, secret.FrontProxyCA),
+			},
+			{
+				Type: string(secret.ServiceAccount),
+				Name: secret.Name(cluster.Name, secret.ServiceAccount),
+			},
+		}
+
+		if err := c.ensureCertificates(ctx, cluster, kcp); err != nil {
+			return ctrl.Result{}, false, fmt.Errorf("failed to ensure certificates for K0smotronControlPlane %s/%s", kcp.Namespace, kcp.Name)
+		}
 	}
 	kcluster := kapi.Cluster{
 		TypeMeta: metav1.TypeMeta{

diff --git a/inttest/capi-docker/capi_docker_test.go b/inttest/capi-docker/capi_docker_test.go
@@ -33,6 +33,9 @@ import (
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
+	bootstrapv1 "sigs.k8s.io/cluster-api/bootstrap/kubeadm/api/v1beta1"
+	"sigs.k8s.io/cluster-api/util/secret"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -77,7 +80,7 @@ func (s *CAPIDockerSuite) SetupSuite() {
 }
 
 func (s *CAPIDockerSuite) TestCAPIDocker() {
-
+	s.prepareCerts()
 	// Apply the child cluster objects
 	s.applyClusterObjects()
 	defer func() {
@@ -137,6 +140,20 @@ func (s *CAPIDockerSuite) TestCAPIDocker() {
 	s.Require().Equal("test-file", extraFile)
 }
 
+func (s *CAPIDockerSuite) prepareCerts() {
+	certificates := secret.NewCertificatesForInitialControlPlane(&bootstrapv1.ClusterConfiguration{})
+	err := certificates.Generate()
+	s.Require().NoError(err, "failed to generate certificates")
+
+	for _, certificate := range certificates {
+		certificate.Generated = false
+		certSecret := certificate.AsSecret(client.ObjectKey{Namespace: "default", Name: "docker-test"}, metav1.OwnerReference{})
+		if _, err := s.client.CoreV1().Secrets("default").Create(s.ctx, certSecret, metav1.CreateOptions{}); err != nil {
+			s.Require().NoError(err)
+		}
+	}
+}
+
 func (s *CAPIDockerSuite) applyClusterObjects() {
 	// Exec via kubectl
 	out, err := exec.Command("kubectl", "apply", "-f", s.clusterYamlsPath).CombinedOutput()
@@ -145,7 +162,10 @@ func (s *CAPIDockerSuite) applyClusterObjects() {
 
 func (s *CAPIDockerSuite) deleteCluster() {
 	// Exec via kubectl
-	out, err := exec.Command("kubectl", "delete", "-f", s.clusterYamlsPath).CombinedOutput()
+	out, err := exec.Command("kubectl", "delete", "secret", "docker-test-ca", "docker-test-etcd", "docker-test-proxy", "docker-test-sa").CombinedOutput()
+	s.Require().NoError(err, "failed to delete secrets: %s", string(out))
+
+	out, err = exec.Command("kubectl", "delete", "-f", s.clusterYamlsPath).CombinedOutput()
 	s.Require().NoError(err, "failed to delete cluster objects: %s", string(out))
 }
 
@@ -215,6 +235,13 @@ metadata:
   name: docker-test-cp
 spec:
   version: v1.27.2-k0s.0
+  certificateRefs:
+    - name: docker-test-ca
+      type: ca
+    - name: docker-test-proxy
+      type: proxy
+    - name: docker-test-sa
+      type: sa
   persistence:
     type: pvc
     persistentVolumeClaim: