From 3288d6916e438b5a462051e2b3e6f7aac01af7f3 Mon Sep 17 00:00:00 2001 From: Suleyman Akbas Date: Fri, 8 Sep 2023 14:36:38 +0200 Subject: [PATCH] OCPVE-220: remove unused certificates Signed-off-by: Suleyman Akbas --- config/certmanager/certificate.yaml | 25 ---------- config/certmanager/kustomization.yaml | 5 -- config/certmanager/kustomizeconfig.yaml | 16 ------- config/crd/kustomization.yaml | 15 ------ .../patches/cainjection_in_lvmclusters.yaml | 7 --- ...jection_in_lvmvolumegroupnodestatuses.yaml | 7 --- .../cainjection_in_lvmvolumegroups.yaml | 7 --- .../crd/patches/webhook_in_lvmclusters.yaml | 16 ------- ...webhook_in_lvmvolumegroupnodestatuses.yaml | 16 ------- .../patches/webhook_in_lvmvolumegroups.yaml | 16 ------- config/default/kustomization.yaml | 16 ------- config/default/webhookcainjection_patch.yaml | 17 ------- config/manifests/kustomization.yaml | 20 -------- config/webhook/kustomizeconfig.yaml | 7 --- controllers/constants.go | 3 -- controllers/topolvm_controller.go | 46 ++++--------------- docs/design/lvm-operator-manager.md | 2 +- 17 files changed, 10 insertions(+), 231 deletions(-) delete mode 100644 config/certmanager/certificate.yaml delete mode 100644 config/certmanager/kustomization.yaml delete mode 100644 config/certmanager/kustomizeconfig.yaml delete mode 100644 config/crd/patches/cainjection_in_lvmclusters.yaml delete mode 100644 config/crd/patches/cainjection_in_lvmvolumegroupnodestatuses.yaml delete mode 100644 config/crd/patches/cainjection_in_lvmvolumegroups.yaml delete mode 100644 config/crd/patches/webhook_in_lvmclusters.yaml delete mode 100644 config/crd/patches/webhook_in_lvmvolumegroupnodestatuses.yaml delete mode 100644 config/crd/patches/webhook_in_lvmvolumegroups.yaml delete mode 100644 config/default/webhookcainjection_patch.yaml diff --git a/config/certmanager/certificate.yaml b/config/certmanager/certificate.yaml deleted file mode 100644 index 52d866183..000000000 --- a/config/certmanager/certificate.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -# The following manifests contain a self-signed issuer CR and a certificate CR. -# More document can be found at https://docs.cert-manager.io -# WARNING: Targets CertManager v1.0. Check https://cert-manager.io/docs/installation/upgrading/ for breaking changes. -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: selfsigned-issuer - namespace: system -spec: - selfSigned: {} ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml - namespace: system -spec: - # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize - dnsNames: - - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc - - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local - issuerRef: - kind: Issuer - name: selfsigned-issuer - secretName: webhook-server-cert # this secret will not be prefixed, since it's not managed by kustomize diff --git a/config/certmanager/kustomization.yaml b/config/certmanager/kustomization.yaml deleted file mode 100644 index bebea5a59..000000000 --- a/config/certmanager/kustomization.yaml +++ /dev/null @@ -1,5 +0,0 @@ -resources: -- certificate.yaml - -configurations: -- kustomizeconfig.yaml diff --git a/config/certmanager/kustomizeconfig.yaml b/config/certmanager/kustomizeconfig.yaml deleted file mode 100644 index e631f7773..000000000 --- a/config/certmanager/kustomizeconfig.yaml +++ /dev/null @@ -1,16 +0,0 @@ -# This configuration is for teaching kustomize how to update name ref and var substitution -nameReference: -- kind: Issuer - group: cert-manager.io - fieldSpecs: - - kind: Certificate - group: cert-manager.io - path: spec/issuerRef/name - -varReference: -- kind: Certificate - group: cert-manager.io - path: spec/commonName -- kind: Certificate - group: cert-manager.io - path: spec/dnsNames diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml index ad6db7b0a..5f76a2b2b 100644 --- a/config/crd/kustomization.yaml 
+++ b/config/crd/kustomization.yaml @@ -18,21 +18,6 @@ patches: name: lvmclusters.lvm.topolvm.io path: patches/additionalPrinterColumn_in_lvmcluster.yaml -patchesStrategicMerge: -# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix. -# patches here are for enabling the conversion webhook for each CRD -#- patches/webhook_in_lvmclusters.yaml -#- patches/webhook_in_lvmvolumegroups.yaml -#- patches/webhook_in_lvmvolumegroupnodestatuses.yaml -#+kubebuilder:scaffold:crdkustomizewebhookpatch - -# [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix. -# patches here are for enabling the CA injection for each CRD -#- patches/cainjection_in_lvmclusters.yaml -#- patches/cainjection_in_lvmvolumegroups.yaml -#- patches/cainjection_in_lvmvolumegroupnodestatuses.yaml -#+kubebuilder:scaffold:crdkustomizecainjectionpatch - # the following config is for teaching kustomize how to do kustomization for CRDs. configurations: - kustomizeconfig.yaml diff --git a/config/crd/patches/cainjection_in_lvmclusters.yaml b/config/crd/patches/cainjection_in_lvmclusters.yaml deleted file mode 100644 index 51c408db3..000000000 --- a/config/crd/patches/cainjection_in_lvmclusters.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# The following patch adds a directive for certmanager to inject CA into the CRD -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) - name: lvmclusters.lvm.topolvm.io diff --git a/config/crd/patches/cainjection_in_lvmvolumegroupnodestatuses.yaml b/config/crd/patches/cainjection_in_lvmvolumegroupnodestatuses.yaml deleted file mode 100644 index 620b87078..000000000 --- a/config/crd/patches/cainjection_in_lvmvolumegroupnodestatuses.yaml +++ /dev/null 
@@ -1,7 +0,0 @@ -# The following patch adds a directive for certmanager to inject CA into the CRD -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) - name: lvmvolumegroupnodestatuses.lvm.topolvm.io diff --git a/config/crd/patches/cainjection_in_lvmvolumegroups.yaml b/config/crd/patches/cainjection_in_lvmvolumegroups.yaml deleted file mode 100644 index 9a8d1597f..000000000 --- a/config/crd/patches/cainjection_in_lvmvolumegroups.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# The following patch adds a directive for certmanager to inject CA into the CRD -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) - name: lvmvolumegroups.lvm.topolvm.io diff --git a/config/crd/patches/webhook_in_lvmclusters.yaml b/config/crd/patches/webhook_in_lvmclusters.yaml deleted file mode 100644 index 76d12b32c..000000000 --- a/config/crd/patches/webhook_in_lvmclusters.yaml +++ /dev/null @@ -1,16 +0,0 @@ -# The following patch enables a conversion webhook for the CRD -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: lvmclusters.lvm.topolvm.io -spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - namespace: system - name: webhook-service - path: /convert - conversionReviewVersions: - - v1 diff --git a/config/crd/patches/webhook_in_lvmvolumegroupnodestatuses.yaml b/config/crd/patches/webhook_in_lvmvolumegroupnodestatuses.yaml deleted file mode 100644 index 5d04a68fe..000000000 --- a/config/crd/patches/webhook_in_lvmvolumegroupnodestatuses.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -# The following patch enables a conversion webhook for the CRD -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: lvmvolumegroupnodestatuses.lvm.topolvm.io -spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - namespace: system - name: webhook-service - path: /convert - conversionReviewVersions: - - v1 diff --git a/config/crd/patches/webhook_in_lvmvolumegroups.yaml b/config/crd/patches/webhook_in_lvmvolumegroups.yaml deleted file mode 100644 index fb02e82b0..000000000 --- a/config/crd/patches/webhook_in_lvmvolumegroups.yaml +++ /dev/null @@ -1,16 +0,0 @@ -# The following patch enables a conversion webhook for the CRD -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: lvmvolumegroups.lvm.topolvm.io -spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - namespace: system - name: webhook-service - path: /convert - conversionReviewVersions: - - v1 diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index 650fac1d4..8c06bae6f 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml @@ -12,12 +12,6 @@ namespace: openshift-storage #commonLabels: # someName: someValue -# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in -# crd/kustomization.yaml -#- ../webhook -# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required. -#- ../certmanager - # Protect the /metrics endpoint by putting it behind auth. # If you want your controller-manager to expose the /metrics # endpoint w/o any authn/z, please comment the following line. 
@@ -25,21 +19,11 @@ patchesStrategicMerge: - manager_auth_proxy_patch.yaml - manager_custom_env.yaml - manager_webhook_patch.yaml -- webhookcainjection_patch.yaml # Mount the controller config file for loading manager configurations # through a ComponentConfig type #- manager_config_patch.yaml -# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in -# crd/kustomization.yaml -#- manager_webhook_patch.yaml - -# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. -# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks. -# 'CERTMANAGER' needs to be enabled to use ca injection -#- webhookcainjection_patch.yaml - # the following config is for teaching kustomize how to do var substitution apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization diff --git a/config/default/webhookcainjection_patch.yaml b/config/default/webhookcainjection_patch.yaml deleted file mode 100644 index 161c21967..000000000 --- a/config/default/webhookcainjection_patch.yaml +++ /dev/null @@ -1,17 +0,0 @@ -# This patch add annotation to admission webhook config and -# the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize. - -#apiVersion: admissionregistration.k8s.io/v1 -#kind: MutatingWebhookConfiguration -#metadata: -# name: mutating-webhook-configuration -# annotations: -# cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: validating-webhook-configuration - annotations: - #cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) - service.beta.openshift.io/inject-cabundle: "true" diff --git a/config/manifests/kustomization.yaml b/config/manifests/kustomization.yaml index cfa5fbdfa..96753aea2 100644 --- a/config/manifests/kustomization.yaml 
+++ b/config/manifests/kustomization.yaml @@ -5,23 +5,3 @@ resources: - ../default - ../samples - ../scorecard - -# [WEBHOOK] To enable webhooks, uncomment all the sections with [WEBHOOK] prefix. -# Do NOT uncomment sections with prefix [CERTMANAGER], as OLM does not support cert-manager. -# These patches remove the unnecessary "cert" volume and its manager container volumeMount. -#patchesJson6902: -#- target: -# group: apps -# version: v1 -# kind: Deployment -# name: controller-manager -# namespace: system -# patch: |- -# # Remove the manager container's "cert" volumeMount, since OLM will create and mount a set of certs. -# # Update the indices in this path if adding or removing containers/volumeMounts in the manager's Deployment. -# - op: remove -# path: /spec/template/spec/containers/1/volumeMounts/0 -# # Remove the "cert" volume, since OLM will create and mount a set of certs. -# # Update the indices in this path if adding or removing volumes in the manager's Deployment. -# - op: remove -# path: /spec/template/spec/volumes/0 diff --git a/config/webhook/kustomizeconfig.yaml b/config/webhook/kustomizeconfig.yaml index 25e21e3c9..e809f7820 100644 --- a/config/webhook/kustomizeconfig.yaml +++ b/config/webhook/kustomizeconfig.yaml @@ -4,18 +4,11 @@ nameReference: - kind: Service version: v1 fieldSpecs: - - kind: MutatingWebhookConfiguration - group: admissionregistration.k8s.io - path: webhooks/clientConfig/service/name - kind: ValidatingWebhookConfiguration group: admissionregistration.k8s.io path: webhooks/clientConfig/service/name namespace: -- kind: MutatingWebhookConfiguration - group: admissionregistration.k8s.io - path: webhooks/clientConfig/service/namespace - create: true - kind: ValidatingWebhookConfiguration group: admissionregistration.k8s.io path: webhooks/clientConfig/service/namespace diff --git a/controllers/constants.go b/controllers/constants.go index 18b0b19dd..445502572 100644 --- a/controllers/constants.go +++ b/controllers/constants.go 
@@ -52,9 +52,6 @@ const ( VgManagerMemRequest = "45Mi" VgManagerCPURequest = "2m" - CertGeneratorMemRequest = "15Mi" - CertGeneratorCPURequest = "1m" - // topoLVM Node resource requests TopolvmNodeMemRequest = "25Mi" TopolvmNodeCPURequest = "1m" diff --git a/controllers/topolvm_controller.go b/controllers/topolvm_controller.go index 515d6923e..f9c17bc05 100644 --- a/controllers/topolvm_controller.go +++ b/controllers/topolvm_controller.go @@ -23,17 +23,20 @@ import ( v1 "github.com/openshift/api/config/v1" lvmv1alpha1 "github.com/openshift/lvm-operator/api/v1alpha1" + appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/resource" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/intstr" + "k8s.io/utils/pointer" cutil "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil" "sigs.k8s.io/controller-runtime/pkg/log" ) const ( - controllerName = "topolvm-controller" + controllerName = "topolvm-controller" + lvmsWebhookSecretName = "lvms-operator-webhook-server-cert" ) type topolvmController struct { @@ -52,7 +55,7 @@ func (c topolvmController) ensureCreated(r *LVMClusterReconciler, ctx context.Co logger := log.FromContext(ctx).WithValues("resourceManager", c.getName()) // get the desired state of topolvm controller deployment - desiredDeployment := getControllerDeployment(r.Namespace, r.ImageName, r.TopoLVMLeaderElectionPassthrough) + desiredDeployment := getControllerDeployment(r.Namespace, r.TopoLVMLeaderElectionPassthrough) existingDeployment := &appsv1.Deployment{ ObjectMeta: metav1.ObjectMeta{ Name: desiredDeployment.Name, 
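Review bot: `lvmsWebhookSecretName` is added without a comment stating which component creates the Secret `lvms-operator-webhook-server-cert` or that the literal has to stay in sync with the operator's own webhook manifests (`manager_webhook_patch.yaml` stays listed in config/default/kustomization.yaml, but its contents are not in this diff). Suggest `// lvmsWebhookSecretName is the Secret holding the LVMS operator's webhook serving cert and key; it is created outside this controller and the name must match the operator's webhook Deployment patch.` placed above the constant. The new `k8s.io/utils/pointer` import is the package its upstream marks deprecated in favour of `k8s.io/utils/ptr` (`ptr.To[int32](420)`); worth switching if the vendored k8s.io/utils already provides it.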
@@ -73,7 +76,6 @@ func (c topolvmController) ensureCreated(r *LVMClusterReconciler, ctx context.Co // for update, topolvm controller is interested in only updating container images // labels, volumes, service account etc can remain unchanged existingDeployment.Spec.Template.Spec.Containers = desiredDeployment.Spec.Template.Spec.Containers - existingDeployment.Spec.Template.Spec.InitContainers = desiredDeployment.Spec.Template.Spec.InitContainers return nil }) @@ -96,16 +98,14 @@ func (c topolvmController) ensureDeleted(r *LVMClusterReconciler, ctx context.Co return nil } -func getControllerDeployment(namespace string, initImage string, topoLVMLeaderElectionPassthrough v1.LeaderElection) *appsv1.Deployment { +func getControllerDeployment(namespace string, topoLVMLeaderElectionPassthrough v1.LeaderElection) *appsv1.Deployment { // Topolvm CSI Controller Deployment var replicas int32 = 1 volumes := []corev1.Volume{ {Name: "socket-dir", VolumeSource: corev1.VolumeSource{EmptyDir: &corev1.EmptyDirVolumeSource{}}}, - {Name: "certs", VolumeSource: corev1.VolumeSource{EmptyDir: &corev1.EmptyDirVolumeSource{}}}, - } - - initContainers := []corev1.Container{ - initContainer(initImage), + // TopoLVM needs the certs for webhooks that are not deployed in LVMS, but there is no option to disable them from the controller webhook server. + // We pass the existing LVMS certs for the controller to start, but they are not used afterward. + {Name: "certs", VolumeSource: corev1.VolumeSource{Secret: &corev1.SecretVolumeSource{SecretName: lvmsWebhookSecretName, DefaultMode: pointer.Int32(420)}}}, } // get all containers that are part of csi controller deployment @@ -147,7 +147,6 @@ func getControllerDeployment(namespace string, initImage string, topoLVMLeaderEl Labels: labels, }, Spec: corev1.PodSpec{ - InitContainers: initContainers, Containers: containers, ServiceAccountName: TopolvmControllerServiceAccount, Volumes: volumes, 
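Review bot: Dropping the `InitContainers` assignment leaves a Deployment created by an older operator version with its `self-signed-cert-generator` init container and the emptyDir `certs` volume, because the mutate function now copies only `Containers`; after an in-place upgrade the controller keeps running the old openssl init step and never sees the secret-backed volume. If in-place upgrades are supported, copy the removed fields explicitly so the reconcile converges: `existingDeployment.Spec.Template.Spec.InitContainers = desiredDeployment.Spec.Template.Spec.InitContainers` and `existingDeployment.Spec.Template.Spec.Volumes = desiredDeployment.Spec.Template.Spec.Volumes`. The comment "labels, volumes, service account etc can remain unchanged" two lines above is then no longer accurate for volumes and should be amended. ensureCreated starts outside the hunk.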
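Review bot: Mounting `lvms-operator-webhook-server-cert` into the TopoLVM controller pod gives a second workload a copy of the operator's webhook serving private key which, per the new comment, it does not use; a compromise of the topolvm-controller pod (or of anything that can read its filesystem) then exposes material that could be used to impersonate the LVMS admission webhook, which is a wider blast radius than the previous per-pod throwaway key. Prefer a dedicated serving cert for the controller, for example a separate Secret populated via the OpenShift service-serving-cert mechanism, or at least state the trade-off in the comment: `// NOTE: this shares the operator's webhook private key with the TopoLVM controller; a dedicated cert would keep the two trust domains separate.` `pointer.Int32(420)` is 0644 and reads better as `pointer.Int32(0o644)`; a more restrictive mode is only safe if the pod's security context makes the files readable by the container user, which this diff does not show. The enclosing getControllerDeployment continues outside the hunk.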
@@ -157,33 +156,6 @@ func getControllerDeployment(namespace string, initImage string, topoLVMLeaderEl } } -func initContainer(initImage string) corev1.Container { - - // generation of tls certs - command := []string{ - "/usr/bin/bash", - "-c", - "openssl req -nodes -x509 -newkey rsa:4096 -subj '/DC=self_signed_certificate' -keyout /certs/tls.key -out /certs/tls.crt -days 3650", - } - - volumeMounts := []corev1.VolumeMount{ - {Name: "certs", MountPath: "/certs"}, - } - - return corev1.Container{ - Name: "self-signed-cert-generator", - Image: initImage, - Command: command, - VolumeMounts: volumeMounts, - Resources: corev1.ResourceRequirements{ - Requests: corev1.ResourceList{ - corev1.ResourceCPU: resource.MustParse(CertGeneratorCPURequest), - corev1.ResourceMemory: resource.MustParse(CertGeneratorMemRequest), - }, - }, - } -} - func controllerContainer(topoLVMLeaderElectionPassthrough v1.LeaderElection) corev1.Container { // topolvm controller plugin container diff --git a/docs/design/lvm-operator-manager.md b/docs/design/lvm-operator-manager.md index 15593f25d..dc3c858db 100644 --- a/docs/design/lvm-operator-manager.md +++ b/docs/design/lvm-operator-manager.md @@ -33,7 +33,7 @@ The `csiDriver` reconcile unit creates the TopoLVM `CSIDriver` resource. ### TopoLVM Controller -The `topolvmController` reconcile unit is responsible for deploying a single instance of the TopoLVM controller plugin deployment and ensuring that any necessary updates are made to the deployment. As part of this process, an init container is used to generate openssl certificates that are utilized by the TopoLVM Controller. However, it should be noted that this method will be replaced with the use of cert-manager in the near future. +The `topolvmController` reconcile unit is responsible for deploying a single instance of the TopoLVM controller plugin deployment and ensuring that any necessary updates are made to the deployment. ### Topolvm Node and lvmd