Propage WebProxyHosts update (konpyutaika#392)
* Propagate WebProxyHosts update

* Update CHANGELOG

* Fix resourceVersion retrieval
juldrixx authored Mar 13, 2024
1 parent e60b550 commit 2be328d
Showing 10 changed files with 62 additions and 11 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.md
Expand Up @@ -7,6 +7,8 @@
- [PR #391](https://github.com/konpyutaika/nifikop/pull/391) - **[Operator/NifiUserGroup]** Added settings missing for secure LDAP connections in login_identity_providers.xml

- [PR #381](https://github.com/konpyutaika/nifikop/pull/381) - **[Operator/NifiUserGroup]** Added ability to set `NifiUserGroup.Spec.Identity` when users need to override the default naming convention.
- [PR #392](https://github.com/konpyutaika/nifikop/pull/392) - **[Operator/NifiCluster]** Added update of the `DNSNames` of the node's `NifiUsers` if the `webProxyHosts` is updated.
- [PR #392](https://github.com/konpyutaika/nifikop/pull/392) - **[Operator/NifiUser]** Added update of the `Certificate` if the `NifiUser` is updated.

### Changed

2 changes: 1 addition & 1 deletion internal/controller/nifiuser_controller.go
Expand Up @@ -189,7 +189,7 @@ func (r *NifiUserReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c
// using the vault backend, then tried to delete and fix it. Should probably
// have the PKIManager export a GetUserCertificate specifically for deletions
// that will allow the error to fall through if the certificate doesn't exist.
_, err := pkiManager.ReconcileUserCertificate(ctx, instance, r.Scheme)
_, err := pkiManager.ReconcileUserCertificate(ctx, r.Log, instance, r.Scheme)
if err != nil {
switch errors.Cause(err).(type) {
case errorfactory.ResourceNotReady:
25 changes: 25 additions & 0 deletions pkg/k8sutil/resource.go
Expand Up @@ -13,6 +13,7 @@ import (
"k8s.io/apimachinery/pkg/runtime"
runtimeClient "sigs.k8s.io/controller-runtime/pkg/client"

certv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
nifikopv1 "github.com/konpyutaika/nifikop/api/v1"
"github.com/konpyutaika/nifikop/pkg/errorfactory"
)
Expand Down Expand Up @@ -67,6 +68,18 @@ func Reconcile(log zap.Logger, client runtimeClient.Client, desired runtimeClien
group := desired.(*nifikopv1.NifiUserGroup)
group.Status = current.(*nifikopv1.NifiUserGroup).Status
desired = group
case *certv1.ClusterIssuer:
issuer := desired.(*certv1.ClusterIssuer)
issuer.Status = current.(*certv1.ClusterIssuer).Status
desired = issuer
case *certv1.Issuer:
issuer := desired.(*certv1.Issuer)
issuer.Status = current.(*certv1.Issuer).Status
desired = issuer
case *certv1.Certificate:
certificate := desired.(*certv1.Certificate)
certificate.Status = current.(*certv1.Certificate).Status
desired = certificate
}

if CheckIfObjectUpdated(log, desiredType, current, desired) {
Expand All @@ -82,6 +95,18 @@ func Reconcile(log zap.Logger, client runtimeClient.Client, desired runtimeClien
svc.ResourceVersion = current.(*corev1.Service).ResourceVersion
svc.Spec.ClusterIP = current.(*corev1.Service).Spec.ClusterIP
desired = svc
case *certv1.ClusterIssuer:
issuer := desired.(*certv1.ClusterIssuer)
issuer.ResourceVersion = current.(*certv1.ClusterIssuer).ResourceVersion
desired = issuer
case *certv1.Issuer:
issuer := desired.(*certv1.Issuer)
issuer.ResourceVersion = current.(*certv1.Issuer).ResourceVersion
desired = issuer
case *certv1.Certificate:
certificate := desired.(*certv1.Certificate)
certificate.ResourceVersion = current.(*certv1.Certificate).ResourceVersion
desired = certificate
}

if cr != nil {
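Review bot: The new ClusterIssuer/Issuer/Certificate cases in the first switch copy `Status` from current into desired without saying why, and the reason (stop server-populated status from masking the spec comparison in `CheckIfObjectUpdated`) is not obvious from the second switch either, which only carries over `ResourceVersion`. A comment above the three cases, e.g. `// cert-manager populates status server-side; carry it over so CheckIfObjectUpdated only diffs spec/metadata`, would make the pairing with the ResourceVersion cases explicit. Note also that the update path sends the caller's freshly built desired object, so any metadata another controller may have added to the live object (annotations, finalizers) is presumably overwritten — worth confirming for Certificate, whose secret cert-manager reissues on a spec change. The enclosing Reconcile function starts before the first hunk and ends after the second.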
11 changes: 8 additions & 3 deletions pkg/pki/certmanagerpki/certmanager_user.go
Expand Up @@ -7,14 +7,15 @@ import (

certv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
certmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
"go.uber.org/zap"
corev1 "k8s.io/api/core/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/types"
"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"

"github.com/konpyutaika/nifikop/api/v1"
v1 "github.com/konpyutaika/nifikop/api/v1"
"github.com/konpyutaika/nifikop/pkg/errorfactory"
"github.com/konpyutaika/nifikop/pkg/k8sutil"
certutil "github.com/konpyutaika/nifikop/pkg/util/cert"
Expand All @@ -27,11 +28,12 @@ func (c *certManager) FinalizeUserCertificate(ctx context.Context, user *v1.Nifi
}

// ReconcileUserCertificate ensures a certificate/secret combination using cert-manager.
func (c *certManager) ReconcileUserCertificate(ctx context.Context, user *v1.NifiUser, scheme *runtime.Scheme) (*pkicommon.UserCertificate, error) {
func (c *certManager) ReconcileUserCertificate(ctx context.Context, logger zap.Logger, user *v1.NifiUser, scheme *runtime.Scheme) (*pkicommon.UserCertificate, error) {
var err error
var secret *corev1.Secret
// See if we have an existing certificate for this user already
_, err = c.getUserCertificate(ctx, user)
cert := c.clusterCertificateForUser(user, scheme)

if err != nil && apierrors.IsNotFound(err) {
// the certificate does not exist, let's make one
Expand All @@ -41,7 +43,6 @@ func (c *certManager) ReconcileUserCertificate(ctx context.Context, user *v1.Nif
return nil, err
}
}
cert := c.clusterCertificateForUser(user, scheme)
if err = c.client.Create(ctx, cert); err != nil {
return nil, errorfactory.New(errorfactory.APIFailure{}, err, "could not create user certificate")
}
Expand All @@ -50,6 +51,10 @@ func (c *certManager) ReconcileUserCertificate(ctx context.Context, user *v1.Nif
return nil, errorfactory.New(errorfactory.APIFailure{}, err, "failed looking up user certificate")
}

if err = k8sutil.Reconcile(logger, c.client, cert, nil, nil); err != nil {
return nil, errorfactory.New(errorfactory.APIFailure{}, err, "could not reconcile user certificate")
}

// Get the secret created from the certificate
secret, err = c.getUserSecret(ctx, user)
if err != nil {
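Review bot: The `k8sutil.Reconcile` call added before the secret lookup can change the Certificate spec (for example new DNSNames), but the `getUserSecret` call that follows still returns whatever cert-manager last issued, so a caller may receive a certificate whose SANs no longer match the request until cert-manager reissues it. If the certificate was actually updated, returning `errorfactory.ResourceNotReady` (which the test expects from the create path) until the certificate reports Ready for the new spec would keep that stale-secret window out of the returned `UserCertificate`; whether `Reconcile` reports that an update happened is not visible here, so this may need a follow-up check on the certificate's status conditions. Passing `nil, nil` for the owner/status arguments also differs from every other caller in this change (`reconcile.go` passes `cluster, &cluster.Status`), so a one-line comment on why there is no owning cluster here would help. ReconcileUserCertificate starts and ends outside the hunk.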
8 changes: 4 additions & 4 deletions pkg/pki/certmanagerpki/certmanager_user_test.go
Expand Up @@ -8,7 +8,7 @@ import (
corev1 "k8s.io/api/core/v1"
"k8s.io/client-go/kubernetes/scheme"

"github.com/konpyutaika/nifikop/api/v1"
v1 "github.com/konpyutaika/nifikop/api/v1"
"github.com/konpyutaika/nifikop/pkg/errorfactory"
certutil "github.com/konpyutaika/nifikop/pkg/util/cert"
)
Expand Down Expand Up @@ -49,7 +49,7 @@ func TestReconcileUserCertificate(t *testing.T) {
ctx := context.Background()

manager.client.Create(context.TODO(), newMockUser())
if _, err := manager.ReconcileUserCertificate(ctx, newMockUser(), scheme.Scheme); err == nil {
if _, err := manager.ReconcileUserCertificate(ctx, *log, newMockUser(), scheme.Scheme); err == nil {
t.Error("Expected resource not ready error, got nil")
} else if reflect.TypeOf(err) != reflect.TypeOf(errorfactory.ResourceNotReady{}) {
t.Error("Expected resource not ready error, got:", reflect.TypeOf(err))
Expand All @@ -60,15 +60,15 @@ func TestReconcileUserCertificate(t *testing.T) {
if err := manager.client.Create(context.TODO(), newMockUserSecret()); err != nil {
t.Error("could not update test secret")
}
if _, err := manager.ReconcileUserCertificate(ctx, newMockUser(), scheme.Scheme); err != nil {
if _, err := manager.ReconcileUserCertificate(ctx, *log, newMockUser(), scheme.Scheme); err != nil {
t.Error("Expected no error, got:", err)
}

// Test error conditions
manager = newMock(newMockCluster())
manager.client.Create(context.TODO(), newMockUser())
manager.client.Create(context.TODO(), manager.clusterCertificateForUser(newMockUser(), scheme.Scheme))
if _, err := manager.ReconcileUserCertificate(ctx, newMockUser(), scheme.Scheme); err == nil {
if _, err := manager.ReconcileUserCertificate(ctx, *log, newMockUser(), scheme.Scheme); err == nil {
t.Error("Expected error, got nil")
}
}
16 changes: 16 additions & 0 deletions pkg/pki/certmanagerpki/reconcile.go
Expand Up @@ -14,6 +14,7 @@ import (
"sigs.k8s.io/controller-runtime/pkg/client"

v1 "github.com/konpyutaika/nifikop/api/v1"
"github.com/konpyutaika/nifikop/pkg/k8sutil"
)

// reconcile ensures the given kubernetes object.
Expand Down Expand Up @@ -44,6 +45,9 @@ func reconcileClusterIssuer(ctx context.Context, log zap.Logger, client client.C
}
return client.Create(ctx, issuer)
}
if err = k8sutil.Reconcile(log, client, issuer, cluster, &cluster.Status); err != nil {
return err
}
return nil
}

Expand All @@ -57,6 +61,9 @@ func reconcileIssuer(ctx context.Context, log zap.Logger, client client.Client,
}
return client.Create(ctx, issuer)
}
if err = k8sutil.Reconcile(log, client, issuer, cluster, &cluster.Status); err != nil {
return err
}
return nil
}

Expand All @@ -70,6 +77,9 @@ func reconcileCertificate(ctx context.Context, log zap.Logger, client client.Cli
}
return client.Create(ctx, cert)
}
if err = k8sutil.Reconcile(log, client, cert, cluster, &cluster.Status); err != nil {
return err
}
return nil
}

Expand All @@ -83,6 +93,9 @@ func reconcileSecret(ctx context.Context, log zap.Logger, client client.Client,
}
return client.Create(ctx, secret)
}
if err = k8sutil.Reconcile(log, client, secret, cluster, &cluster.Status); err != nil {
return err
}
return nil
}

Expand All @@ -96,5 +109,8 @@ func reconcileUser(ctx context.Context, log zap.Logger, client client.Client, us
}
return client.Create(ctx, user)
}
if err = k8sutil.Reconcile(log, client, user, cluster, &cluster.Status); err != nil {
return err
}
return nil
}
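Review bot: Each of the five hunks now calls `k8sutil.Reconcile` unconditionally on every pass after the create branch, and for `reconcileSecret` (the hunk at the `return client.Create(ctx, secret)` site) that means the live Secret is overwritten with `secret` on every reconcile; if that desired Secret is built with freshly generated key material rather than deterministically from the cluster spec, this would rotate the secret each loop. Worth confirming how `secret` is constructed above the hunk, and if it is not deterministic, reconciling only its labels and ownership. Style-wise, each `if err = k8sutil.Reconcile(...); err != nil { return err }` followed by `return nil` collapses to `return k8sutil.Reconcile(log, client, X, cluster, &cluster.Status)`. All five enclosing functions start before their hunks.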
2 changes: 1 addition & 1 deletion pkg/pki/pki_manager.go
Expand Up @@ -58,7 +58,7 @@ func (m *mockPKIManager) FinalizePKI(ctx context.Context, logger zap.Logger) err
return nil
}

func (m *mockPKIManager) ReconcileUserCertificate(ctx context.Context, user *v1.NifiUser, scheme *runtime.Scheme) (*pki.UserCertificate, error) {
func (m *mockPKIManager) ReconcileUserCertificate(ctx context.Context, logger zap.Logger, user *v1.NifiUser, scheme *runtime.Scheme) (*pki.UserCertificate, error) {
return &pki.UserCertificate{}, nil
}

2 changes: 1 addition & 1 deletion pkg/pki/pki_manager_test.go
Expand Up @@ -51,7 +51,7 @@ func TestGetPKIManager(t *testing.T) {
t.Error("Expected nil error got:", err)
}

if _, err = mock.ReconcileUserCertificate(ctx, &v1.NifiUser{}, scheme.Scheme); err != nil {
if _, err = mock.ReconcileUserCertificate(ctx, log, &v1.NifiUser{}, scheme.Scheme); err != nil {
t.Error("Expected nil error got:", err)
}

3 changes: 3 additions & 0 deletions pkg/resources/nifi/nifi.go
Expand Up @@ -4,6 +4,7 @@ import (
"context"
"fmt"
"reflect"
"sort"
"strings"
"time"

Expand Down Expand Up @@ -107,6 +108,8 @@ func (r *Reconciler) Reconcile(log zap.Logger) error {
for k := range uniqueHostnamesMap {
uniqueHostnames = append(uniqueHostnames, k)
}
// Preserving order
sort.Strings(uniqueHostnames)

// Setup the PKI if using SSL
if r.NifiCluster.Spec.ListenersConfig.SSLSecrets != nil {
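Review bot: The comment `// Preserving order` on the new `sort.Strings` call is misleading: ranging over `uniqueHostnamesMap` yields a random order, and the sort does not preserve anything, it makes the list deterministic across reconciles. Suggested wording: `// Map iteration order is random; sort so the hostname list is stable across reconciles and is not seen as a change on every pass`. This matters for this commit in particular, since these hostnames presumably end up in the node users' DNSNames, where an unstable order would look like a spec change and trigger a Certificate update (and a cert-manager reissue) on every reconcile. The enclosing Reconcile method starts before and ends after the hunk.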
2 changes: 1 addition & 1 deletion pkg/util/pki/common.go
Expand Up @@ -46,7 +46,7 @@ type Manager interface {
FinalizePKI(ctx context.Context, logger zap.Logger) error

// ReconcileUserCertificate ensures and returns a user certificate - should be idempotent
ReconcileUserCertificate(ctx context.Context, user *v1.NifiUser, scheme *runtime.Scheme) (*UserCertificate, error)
ReconcileUserCertificate(ctx context.Context, logger zap.Logger, user *v1.NifiUser, scheme *runtime.Scheme) (*UserCertificate, error)

// FinalizeUserCertificate removes/revokes a user certificate
FinalizeUserCertificate(ctx context.Context, user *v1.NifiUser) error
