Add reconciler logic for client certificate

This commit will add reconciler logic for creating
client certificate to communicate with the etcdCluster

Signed-off-by: ArkaSaha30 <[email protected]>

Author: ArkaSaha30

cmd/main.go

@@ -21,6 +21,7 @@ import (
 	"flag"
 	"os"
 
+	certv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
 	// to ensure that exec-entrypoint and run can make use of them.
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
@@ -49,6 +50,8 @@ func init() {
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
 
 	utilruntime.Must(operatorv1alpha1.AddToScheme(scheme))
+
+	utilruntime.Must(certv1.AddToScheme(scheme))
 	// +kubebuilder:scaffold:scheme
 }
 

config/rbac/role.yaml

@@ -39,6 +39,26 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - certificates
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - update
+  - watch
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - clusterissuers
+  - issuers
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - operator.etcd.io
   resources:

config/samples/operator_v1alpha1_etcdcluster.yaml

@@ -8,3 +8,11 @@ metadata:
 spec:
   version: v3.5.21
   size: 3
+  tls:
+    provider: "cert-manager"
+    providerCfg:
+      certManagerCfg:
+        commonName: "etcd-operator-system"
+        validityDuration: "90h"
+        issuerName: "selfsigned"
+        issuerKind: "ClusterIssuer"

internal/controller/etcdcluster_controller.go

@@ -21,6 +21,7 @@ import (
 	"fmt"
 	"time"
 
+	certv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
@@ -30,9 +31,10 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 
+	clientv3 "go.etcd.io/etcd/client/v3"
+
 	ecv1alpha1 "go.etcd.io/etcd-operator/api/v1alpha1"
 	"go.etcd.io/etcd-operator/internal/etcdutils"
-	clientv3 "go.etcd.io/etcd/client/v3"
 )
 
 const (
@@ -53,6 +55,9 @@ type EtcdClusterReconciler struct {
 // +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups="",resources=events,verbs=create;patch;get;list;update
+// +kubebuilder:rbac:groups="cert-manager.io",resources=certificates,verbs=create;get;list;update;delete;watch
+// +kubebuilder:rbac:groups="cert-manager.io",resources=clusterissuers,verbs=get;list;watch
+// +kubebuilder:rbac:groups="cert-manager.io",resources=issuers,verbs=get;list;watch
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
@@ -78,6 +83,13 @@ func (r *EtcdClusterReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 		return ctrl.Result{}, err
 	}
 
+	// Create Client Certificate for etcd-operator to communicate with the etcdClusterAdd commentMore actions
+	clientCertErr := r.checkClientCertificate(etcdCluster, ctx)
+	if clientCertErr != nil {
+		logger.Info("Error creating Client Certificate")
+		return ctrl.Result{}, clientCertErr
+	}
+
 	logger.Info("Reconciling EtcdCluster", "spec", etcdCluster.Spec)
 
 	// Get the statefulsets which has the same name as the EtcdCluster resource
@@ -258,5 +270,6 @@ func (r *EtcdClusterReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		Owns(&appsv1.StatefulSet{}).
 		Owns(&corev1.Service{}).
 		Owns(&corev1.ConfigMap{}).
+		Owns(&certv1.Certificate{}).
 		Complete(r)
 }

internal/controller/utils.go

@@ -4,6 +4,8 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"log"
+	"net"
 	"slices"
 	"strconv"
 	"strings"
@@ -24,9 +26,12 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client/apiutil"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
+	clientv3 "go.etcd.io/etcd/client/v3"
+
 	ecv1alpha1 "go.etcd.io/etcd-operator/api/v1alpha1"
 	"go.etcd.io/etcd-operator/internal/etcdutils"
-	clientv3 "go.etcd.io/etcd/client/v3"
+	"go.etcd.io/etcd-operator/pkg/certificate"
+	certInterface "go.etcd.io/etcd-operator/pkg/certificate/interfaces"
 )
 
 const (
@@ -522,3 +527,81 @@ func healthCheck(sts *appsv1.StatefulSet, lg klog.Logger) (*clientv3.MemberListR
 
 	return memberlistResp, healthInfos, nil
 }
+
+func createCMCertificateConfig(ec *ecv1alpha1.ProviderCertManagerConfig) *certInterface.Config {
+	duration, err := time.ParseDuration(ec.ValidityDuration)
+	if err != nil {
+		log.Printf("Failed to parse ValidityDuration: %s", err)
+	}
+	config := &certInterface.Config{
+		CommonName:       ec.CommonName,
+		Organization:     ec.Organization,
+		ValidityDuration: duration,
+		AltNames: certInterface.AltNames{
+			DNSNames: ec.AltNames.DNSNames,
+			IPs:      make([]net.IP, len(ec.AltNames.DNSNames)),
+		},
+		ExtraConfig: map[string]any{
+			"issuerName": ec.IssuerName,
+			"issuerKind": ec.IssuerKind,
+		},
+	}
+	return config
+}
+
+func createAutoCertificateConfig(ec *ecv1alpha1.ProviderAutoConfig) *certInterface.Config {
+	// TODO
+	config := &certInterface.Config{}
+	return config
+}
+
+func (r *EtcdClusterReconciler) createCertificate(ec *ecv1alpha1.EtcdCluster, ctx context.Context, podName, podNamespace, certType string) error {
+	certName := fmt.Sprintf("%s-%s-tls", podName, certType)
+	// cert, certErr := certificate.NewProvider(certificate.ProviderType(ec.Spec.TLS.Provider))
+	cert, certErr := certificate.NewProvider(certificate.ProviderType(ec.Spec.TLS.Provider), r.Client)
+	if certErr != nil {
+		// TODO: instead of error, set default autoConfig
+		return certErr
+	}
+	_, getCertError := cert.GetCertificateConfig(ctx, certName, podNamespace)
+	if getCertError != nil {
+		if k8serrors.IsNotFound(getCertError) {
+			log.Println("Creating Client Certificate for etcd-operator to communicate with the etcdCluster")
+			switch {
+			case ec.Spec.TLS.ProviderCfg.AutoCfg != nil:
+				cmConfig := createAutoCertificateConfig(ec.Spec.TLS.ProviderCfg.AutoCfg)
+				createCertErr := cert.EnsureCertificateSecret(ctx, certName, podNamespace, cmConfig)
+				if createCertErr != nil {
+					log.Printf("Error creating certificate: %s", createCertErr)
+				}
+				return nil
+			case ec.Spec.TLS.ProviderCfg.CertManagerCfg != nil:
+				cmConfig := createCMCertificateConfig(ec.Spec.TLS.ProviderCfg.CertManagerCfg)
+				createCertErr := cert.EnsureCertificateSecret(ctx, certName, podNamespace, cmConfig)
+				if createCertErr != nil {
+					log.Printf("Error creating certificate: %s", createCertErr)
+				}
+				return nil
+			default:
+				if ec.Spec.TLS.ProviderCfg.AutoCfg == nil {
+					// TODO: instead of error, set default autoConfig which will be applied if Provider/ProviderConfig is not set
+					return errors.New("default autoCertificate config not defined")
+				}
+				cmConfig := createAutoCertificateConfig(ec.Spec.TLS.ProviderCfg.AutoCfg)
+				createCertErr := cert.EnsureCertificateSecret(ctx, certName, podNamespace, cmConfig)
+				log.Printf("Error creating certificate, maybe already present: %s", createCertErr)
+				return nil
+			}
+		} else {
+			log.Printf("Error getting certificate")
+			return getCertError
+		}
+	}
+
+	return nil
+}
+
+func (r *EtcdClusterReconciler) checkClientCertificate(ec *ecv1alpha1.EtcdCluster, ctx context.Context) error {
+	createClientCertErr := r.createCertificate(ec, ctx, ec.Name, ec.Namespace, "client")
+	return createClientCertErr
+}