add kafkauser csr approval support
LuciferInLove authored Jul 14, 2023
1 parent 75f0e83 commit 82d2ec2
Showing 5 changed files with 67 additions and 5 deletions.
12 changes: 12 additions & 0 deletions charts/kafka-operator/templates/operator-rbac.yaml
Expand Up @@ -267,6 +267,18 @@ rules:
- patch
- update
- watch
- apiGroups:
- certificates.k8s.io
resources:
- certificatesigningrequests/approval
verbs:
- update
- apiGroups:
- certificates.k8s.io
resources:
- signers
verbs:
- approve
- apiGroups:
- coordination.k8s.io
resources:
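Review bot: The `signers` / `approve` rule added in this hunk has no `resourceNames`, so the operator's service account may approve CSRs for every signer in the cluster, including `kubernetes.io/kube-apiserver-client`, not just the cert-manager cluster issuers it actually handles. Kubernetes scopes approval permission by signer name, so the rule should be narrowed with `resourceNames:` / `- clusterissuers.cert-manager.io/*`, which is the prefix the Go side matches on via `CertManagerSignerNamePrefix`. Together with the unrestricted `certificatesigningrequests/approval` update verb, a compromised operator pod otherwise becomes an approval oracle for arbitrary client certificates; limiting the signer list bounds that blast radius.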
12 changes: 12 additions & 0 deletions config/base/rbac/role.yaml
Expand Up @@ -148,6 +148,18 @@ rules:
- patch
- update
- watch
- apiGroups:
- certificates.k8s.io
resources:
- certificatesigningrequests/approval
verbs:
- update
- apiGroups:
- certificates.k8s.io
resources:
- signers
verbs:
- approve
- apiGroups:
- coordination.k8s.io
resources:
2 changes: 2 additions & 0 deletions controllers/kafkauser_controller.go
Expand Up @@ -159,6 +159,8 @@ type KafkaUserReconciler struct {
// +kubebuilder:rbac:groups=cert-manager.io,resources=issuers,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=cert-manager.io,resources=clusterissuers,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=certificates.k8s.io,resources=certificatesigningrequests,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=certificates.k8s.io,resources=certificatesigningrequests/approval,verbs=update
// +kubebuilder:rbac:groups=certificates.k8s.io,resources=signers,verbs=approve

// Reconcile reads that state of the cluster for a KafkaUser object and makes changes based on the state read
// and what is in the KafkaUser.Spec
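Review bot: The new `signers` marker (second added line) grants `approve` for every signer in the cluster; controller-gen accepts a `resourceNames` field, so it should read `// +kubebuilder:rbac:groups=certificates.k8s.io,resources=signers,verbs=approve,resourceNames=clusterissuers.cert-manager.io/*` so that the generated `config/base/rbac/role.yaml` only permits approval for the cert-manager signer prefix the reconciler actually checks. Without this the service account can also approve CSRs addressed to `kubernetes.io/kube-apiserver-client` and the other built-in signers, which is far more than the KafkaUser flow needs. The marker block starts above this hunk, and the `Reconcile` function it documents continues past it.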
5 changes: 3 additions & 2 deletions pkg/pki/k8scsrpki/k8scsr.go
Expand Up @@ -22,8 +22,9 @@ import (
)

const (
DependingCsrAnnotation string = "banzaicloud.io/csr"
IncludeFullChainAnnotation string = "csr.banzaicloud.io/fullchain"
DependingCsrAnnotation string = "banzaicloud.io/csr"
IncludeFullChainAnnotation string = "csr.banzaicloud.io/fullchain"
CertManagerSignerNamePrefix string = "clusterissuers.cert-manager.io"
)

type K8sCSR interface {
41 changes: 38 additions & 3 deletions pkg/pki/k8scsrpki/k8scsr_user.go
Expand Up @@ -19,6 +19,7 @@ import (
"crypto/x509"
"encoding/pem"
"fmt"
"strings"

"emperror.dev/errors"
"github.com/go-logr/logr"
Expand All @@ -38,12 +39,15 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/types"
csrclient "k8s.io/client-go/kubernetes/typed/certificates/v1"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
)

const (
notApprovedErrMsg = "instance is not approved"
notFoundApprovedCsrErrMsg = "could not find approved csr"
notFoundApprovedCsrErrMsg = "could not find approved csr and the operator is not capable of approving the csr"
approveReason = "ApprovedByPolicy"
)

// ReconcileUserCertificate ensures and returns a user certificate - should be idempotent
Expand Down Expand Up @@ -158,8 +162,15 @@ func (c *k8sCSR) ReconcileUserCertificate(
}

if !foundApproved {
return nil, errorfactory.New(errorfactory.FatalReconcileError{}, errors.New(notApprovedErrMsg),
notFoundApprovedCsrErrMsg, "csrName", signingReq.GetName())
if strings.Split(signingReq.Spec.SignerName, "/")[0] == CertManagerSignerNamePrefix {
err = c.Approve(ctx, signingReq)
if err != nil {
return nil, err
}
} else {
return nil, errorfactory.New(errorfactory.FatalReconcileError{}, errors.New(notApprovedErrMsg),
notFoundApprovedCsrErrMsg, "csrName", signingReq.GetName())
}
}
if len(signingReq.Status.Certificate) == 0 {
return nil, errorfactory.New(errorfactory.ResourceNotReady{},
Expand Down Expand Up @@ -309,3 +320,27 @@ func isKafkaUserCertificateReady(secret *corev1.Secret, includeJKS bool) bool {

return true
}

// Approve approves certificate signing requests
func (c *k8sCSR) Approve(ctx context.Context, signingReq *certsigningreqv1.CertificateSigningRequest) error {
cond := certsigningreqv1.CertificateSigningRequestCondition{
Type: certsigningreqv1.CertificateApproved,
Status: corev1.ConditionTrue,
Reason: approveReason,
Message: "CSR has been approved by Koperator",
}
signingReq.Status.Conditions = append(signingReq.Status.Conditions, cond)

restConfig, err := ctrl.GetConfig()
if err != nil {
return err
}
csrClient := csrclient.NewForConfigOrDie(restConfig).CertificateSigningRequests()

signingReq, err = csrClient.UpdateApproval(ctx, signingReq.Name, signingReq, metav1.UpdateOptions{}) //nolint:staticcheck
if err != nil {
return err
}

return nil
}
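Review bot: `Approve` (added at the end of this section) submits the approval without looking at the CSR's existing conditions, and the only gate in the caller is the signer-name prefix test on `signingReq.Spec.SignerName`; nothing visible here ties the CSR's subject or SANs to the KafkaUser being reconciled, so whether that binding happens earlier in `ReconcileUserCertificate` (which begins above this hunk) should be confirmed before relying on auto-approval. `csrclient.NewForConfigOrDie` also panics on a bad rest config from inside a reconcile loop, and constructing a fresh clientset on every approval is avoidable — `NewForConfig` with the error returned is the library-safe form. The rewrite below returns early on an already-approved CSR, refuses one carrying a Denied or Failed condition (the API server does not accept Approved alongside Denied), and drops the `//nolint:staticcheck` by discarding the unused return value. In the caller, `strings.HasPrefix(signingReq.Spec.SignerName, CertManagerSignerNamePrefix+"/")` is a clearer equivalent of the `strings.Split` indexing on the first added line of the earlier hunk.

```go
// Approve marks signingReq as approved and submits the approval subresource.
// Callers must already have established that the CSR belongs to the KafkaUser
// being reconciled; this function only checks the CSR's own condition state.
func (c *k8sCSR) Approve(ctx context.Context, signingReq *certsigningreqv1.CertificateSigningRequest) error {
	for _, existing := range signingReq.Status.Conditions {
		switch existing.Type {
		case certsigningreqv1.CertificateApproved:
			// Already approved; re-submitting would only churn the object.
			return nil
		case certsigningreqv1.CertificateDenied, certsigningreqv1.CertificateFailed:
			return fmt.Errorf("refusing to approve csr %s: it carries a %s condition", signingReq.Name, existing.Type)
		}
	}

	signingReq.Status.Conditions = append(signingReq.Status.Conditions, certsigningreqv1.CertificateSigningRequestCondition{
		Type:    certsigningreqv1.CertificateApproved,
		Status:  corev1.ConditionTrue,
		Reason:  approveReason,
		Message: "CSR has been approved by Koperator",
	})

	restConfig, err := ctrl.GetConfig()
	if err != nil {
		return err
	}
	// NewForConfig instead of NewForConfigOrDie: a misconfigured rest config must
	// surface as a reconcile error, not a panic of the whole operator.
	clientset, err := csrclient.NewForConfig(restConfig)
	if err != nil {
		return err
	}

	_, err = clientset.CertificateSigningRequests().UpdateApproval(ctx, signingReq.Name, signingReq, metav1.UpdateOptions{})
	return err
}
```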
