Moving cert generation into EO based on enhancement proposal

https://github.com/openshift/enhancements/blob/master/enhancements/cluster-logging/elasticsearch-cert-management.md
openshift · Jun 11, 2021 · c372cb4 · c372cb4
1 parent b911e78
commit c372cb4
Show file tree

Hide file tree

Showing 12 changed files with 945 additions and 13 deletions.
diff --git a/apis/logging/v1/elasticsearch_types.go b/apis/logging/v1/elasticsearch_types.go
@@ -36,17 +36,20 @@ type Elasticsearch struct {
 
 // AddOwnerRefTo appends the Elasticsearch object as an OwnerReference to the passed object
 func (es *Elasticsearch) AddOwnerRefTo(o metav1.Object) {
+
+	ref := es.GetOwnerRef()
+	o.SetOwnerReferences(append(o.GetOwnerReferences(), ref))
+}
+
+func (es *Elasticsearch) GetOwnerRef() metav1.OwnerReference {
 	trueVar := true
-	ref := metav1.OwnerReference{
+	return metav1.OwnerReference{
 		APIVersion: GroupVersion.String(),
 		Kind:       "Elasticsearch",
 		Name:       es.Name,
 		UID:        es.UID,
 		Controller: &trueVar,
 	}
-	if (metav1.OwnerReference{}) != ref {
-		o.SetOwnerReferences(append(o.GetOwnerReferences(), ref))
-	}
 }
 
 // +kubebuilder:object:root=true

diff --git a/controllers/logging/kibana_controller.go b/controllers/logging/kibana_controller.go
@@ -3,6 +3,7 @@ package controllers
 import (
 	"context"
 	"fmt"
+	"strconv"
 	"strings"
 	"sync"
 	"time"
@@ -89,13 +90,25 @@ func (r *KibanaReconciler) Reconcile(request ctrl.Request) (ctrl.Result, error)
 		return reconcile.Result{RequeueAfter: 30 * time.Second}, nil
 	}
 
+	// Check if es has annotation logging.openshift.io/elasticsearch-cert-management: true
+	eoCertManagement := false
+	certOwnerRef := metav1.OwnerReference{}
+	value, ok := es.Annotations[constants.EOCertManagementLabel]
+	if ok {
+		manageBool, _ := strconv.ParseBool(value)
+		if manageBool {
+			eoCertManagement = manageBool
+			certOwnerRef = es.GetOwnerRef()
+		}
+	}
+
 	esClient := elasticsearch.NewClient(es.Name, es.Namespace, r.Client)
 	proxyCfg, err := kibana.GetProxyConfig(r.Client)
 	if err != nil {
 		return reconcile.Result{}, err
 	}
 
-	if err := kibana.Reconcile(kibanaInstance, r.Client, esClient, proxyCfg); err != nil {
+	if err := kibana.Reconcile(kibanaInstance, r.Client, esClient, proxyCfg, eoCertManagement, certOwnerRef); err != nil {
 		return reconcile.Result{}, err
 	}
 

diff --git a/hack/cr.yaml b/hack/cr.yaml
@@ -5,6 +5,8 @@ metadata:
   name: "elasticsearch"
   annotations:
       elasticsearch.openshift.io/loglevel: trace
+      logging.openshift.io/elasticsearch-cert-management: "true"
+      logging.openshift.io/elasticsearch-cert.fluentd: "system.logging.fluentd"
 spec:
   managementState: "Managed"
   nodeSpec:

diff --git a/internal/constants/constants.go b/internal/constants/constants.go
@@ -19,6 +19,9 @@ const (
 	OcpTemplatePrefix = "ocp-gen"
 
 	SecurityIndex = ".security"
+
+	EOCertManagementLabel = "logging.openshift.io/elasticsearch-cert-management"
+	EOComponentCertPrefix = "logging.openshift.io/elasticsearch-cert."
 )
 
 var (