Do not requeue error when disableNonTLSListen is misconfigured #887

Merged
merged 1 commit into from
Nov 10, 2021
Merged
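--- a/controllers/rabbitmqcluster_controller.go
+++ b/controllers/rabbitmqcluster_controller.go
@@ -13,6 +13,7 @@ package controllers
 import (
 "context"
 "encoding/json"
+"errors"
 "fmt"
 "reflect"
 "strings"
@@ -150,8 +151,11 @@ func (r *RabbitmqClusterReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 return ctrl.Result{RequeueAfter: requeueAfter}, err
 }
 
-if err := r.reconcileTLS(ctx, rabbitmqCluster); err != nil {
-return ctrl.Result{}, err
+tlsErr := r.reconcileTLS(ctx, rabbitmqCluster)
+if errors.Is(tlsErr, disableNonTLSConfigErr) {
+return ctrl.Result{}, nil
+} else if tlsErr != nil {
+return ctrl.Result{}, tlsErr
 }
 
 sts, err := r.statefulSet(ctx, rabbitmqCluster)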
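Review bot: Returning `ctrl.Result{}, nil` for `disableNonTLSConfigErr` in Reconcile reports the pass to controller-runtime as a success, so anything alerting on reconcile errors will not notice a cluster whose spec asks for TLS-only listeners while TLS is off; the Warning event and the ReconcileSuccess condition set inside reconcileTLS become the only signals. A comment at the branch should say so, e.g. `// user configuration error: retrying cannot fix it, so stop without requeueing; surfaced via the TLSError event and ReconcileSuccess=False`. The `} else if tlsErr != nil {` after a returning branch would read better as a separate `if tlsErr != nil {`. Reconcile's body starts and ends outside this hunk.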
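--- a/controllers/reconcile_tls.go
+++ b/controllers/reconcile_tls.go
@@ -2,23 +2,27 @@ package controllers
 
 import (
 "context"
+"errors"
 "fmt"
 
 ctrl "sigs.k8s.io/controller-runtime"
 
 rabbitmqv1beta1 "github.com/rabbitmq/cluster-operator/api/v1beta1"
 corev1 "k8s.io/api/core/v1"
-"k8s.io/apimachinery/pkg/api/errors"
+k8serrors "k8s.io/apimachinery/pkg/api/errors"
 "k8s.io/apimachinery/pkg/types"
 )
 
+var disableNonTLSConfigErr = errors.New("TLS must be enabled if disableNonTLSListeners is set to true")
+
 func (r *RabbitmqClusterReconciler) reconcileTLS(ctx context.Context, rabbitmqCluster *rabbitmqv1beta1.RabbitmqCluster) error {
+// if tls.disableNonTLSListeners set to true and TLS is not enabled, it's a configuration error
+// reconcileTLS() will return a special error so the operator won't requeue
 if rabbitmqCluster.DisableNonTLSListeners() && !rabbitmqCluster.TLSEnabled() {
-err := errors.NewBadRequest("TLS must be enabled if disableNonTLSListeners is set to true")
-r.Recorder.Event(rabbitmqCluster, corev1.EventTypeWarning, "TLSError", err.Error())
-ctrl.LoggerFrom(ctx).Error(err, "Error setting up TLS")
-r.setReconcileSuccess(ctx, rabbitmqCluster, corev1.ConditionFalse, "TLSError", err.Error())
-return err
+r.Recorder.Event(rabbitmqCluster, corev1.EventTypeWarning, "TLSError", disableNonTLSConfigErr.Error())
+ctrl.LoggerFrom(ctx).Error(disableNonTLSConfigErr, "Error setting up TLS")
+r.setReconcileSuccess(ctx, rabbitmqCluster, corev1.ConditionFalse, "TLSError", disableNonTLSConfigErr.Error())
+return disableNonTLSConfigErr
 }
 
 if rabbitmqCluster.SecretTLSEnabled() {
@@ -47,7 +51,7 @@ func (r *RabbitmqClusterReconciler) checkTLSSecrets(ctx context.Context, rabbitm
 _, hasTLSKey := secret.Data["tls.key"]
 _, hasTLSCert := secret.Data["tls.crt"]
 if !hasTLSCert || !hasTLSKey {
-err := errors.NewBadRequest(fmt.Sprintf("TLS secret %s in namespace %s does not have the fields tls.crt and tls.key", secretName, rabbitmqCluster.Namespace))
+err := k8serrors.NewBadRequest(fmt.Sprintf("TLS secret %s in namespace %s does not have the fields tls.crt and tls.key", secretName, rabbitmqCluster.Namespace))
 r.Recorder.Event(rabbitmqCluster, corev1.EventTypeWarning, "TLSError", err.Error())
 logger.Error(err, "Error setting up TLS")
 return err
@@ -71,7 +75,7 @@ func (r *RabbitmqClusterReconciler) checkTLSSecrets(ctx context.Context, rabbitm
 
 // Mutual TLS: verify that CA certificate is present in secret
 if _, hasCaCert := secret.Data["ca.crt"]; !hasCaCert {
-err := errors.NewBadRequest(fmt.Sprintf("TLS secret %s in namespace %s does not have the field ca.crt", rabbitmqCluster.Spec.TLS.CaSecretName, rabbitmqCluster.Namespace))
+err := k8serrors.NewBadRequest(fmt.Sprintf("TLS secret %s in namespace %s does not have the field ca.crt", rabbitmqCluster.Spec.TLS.CaSecretName, rabbitmqCluster.Namespace))
 r.Recorder.Event(rabbitmqCluster, corev1.EventTypeWarning, "TLSError", err.Error())
 logger.Error(err, "Error setting up TLS")
 return err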
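Review bot: The misconfiguration branch of reconcileTLS does not check whether `r.setReconcileSuccess(...)` actually recorded the condition, and because the caller no longer requeues on `disableNonTLSConfigErr`, a failed status write would leave the object with no TLSError condition and no further attempt, unless setReconcileSuccess retries internally, which is not visible on this page. The sentinel also has no doc comment and does not follow the `errXxx` naming convention; I would add `// disableNonTLSConfigErr reports a spec that sets disableNonTLSListeners without enabling TLS; Reconcile treats it as terminal and does not requeue.` above the `var`. reconcileTLS continues past the end of the first hunk.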
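--- a/controllers/reconcile_tls_test.go
+++ b/controllers/reconcile_tls_test.go
@@ -228,7 +228,7 @@ var _ = Describe("Reconcile TLS", func() {
 })
 
 When("DiableNonTLSListeners set to true", func() {
-It("returns an error, logs TLSError and set ReconcileSuccess to false when TLS is not enabled", func() {
+It("logs TLSError and set ReconcileSuccess to false when TLS is not enabled", func() {
 tlsSpec := rabbitmqv1beta1.TLSSpec{
 DisableNonTLSListeners: true,
 }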
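Review bot: The only change in this test file is the `It(...)` description, so nothing visible here asserts the new behaviour that Reconcile returns no error and does not requeue when `disableNonTLSListeners` is set without TLS. The test body lies outside the hunk, so this may already be covered. If it is not, an assertion on the reconcile result at the controller level would pin the behaviour this PR introduces. The `When` description on the context line has a typo, `DiableNonTLSListeners`, and the new text should read `sets ReconcileSuccess`.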