Merge pull request #4735 from djoshy/reintroduce-mcs-ca-sync

MCO-643: MCO-645: Reintroduce MCS CA rotation
openshift · Jan 24, 2025 · 38fb1b8 · 38fb1b8
2 parents 9871a24 + 9117787
commit 38fb1b8
Show file tree

Hide file tree

Showing 56 changed files with 2,975 additions and 57 deletions.
diff --git a/cmd/machine-config-controller/start.go b/cmd/machine-config-controller/start.go
@@ -10,6 +10,7 @@ import (
 	features "github.com/openshift/api/features"
 	"github.com/openshift/machine-config-operator/cmd/common"
 	"github.com/openshift/machine-config-operator/internal/clients"
+	certrotationcontroller "github.com/openshift/machine-config-operator/pkg/controller/certrotation"
 	ctrlcommon "github.com/openshift/machine-config-operator/pkg/controller/common"
 	containerruntimeconfig "github.com/openshift/machine-config-operator/pkg/controller/container-runtime-config"
 	"github.com/openshift/machine-config-operator/pkg/controller/drain"
@@ -83,6 +84,18 @@ func runStartCmd(_ *cobra.Command, _ []string) {
 			ctrlctx.FeatureGateAccess,
 		)
 
+		certrotationcontroller, err := certrotationcontroller.New(
+			ctrlctx.ClientBuilder.KubeClientOrDie("cert-rotation-controller"),
+			ctrlctx.ClientBuilder.ConfigClientOrDie("cert-rotation-controller"),
+			ctrlctx.ClientBuilder.MachineClientOrDie("cert-rotation-controller"),
+			ctrlctx.KubeMAOSharedInformer.Core().V1().Secrets(),
+			ctrlctx.KubeNamespacedInformerFactory.Core().V1().Secrets(),
+			ctrlctx.KubeNamespacedInformerFactory.Core().V1().ConfigMaps(),
+		)
+		if err != nil {
+			klog.Fatalf("unable to start cert rotation controller: %v", err)
+		}
+
 		// Start the shared factory informers that you need to use in your controller
 		ctrlctx.InformerFactory.Start(ctrlctx.Stop)
 		ctrlctx.KubeInformerFactory.Start(ctrlctx.Stop)
@@ -150,6 +163,7 @@ func runStartCmd(_ *cobra.Command, _ []string) {
 			go c.Run(2, ctrlctx.Stop)
 		}
 		go draincontroller.Run(5, ctrlctx.Stop)
+		go certrotationcontroller.Run(ctx, 1)
 
 		// wait here in this function until the context gets cancelled (which tells us when we are being shut down)
 		<-ctx.Done()

diff --git a/go.mod b/go.mod
@@ -29,7 +29,7 @@ require (
 	github.com/imdario/mergo v0.3.16
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/openshift/api v0.0.0-20250102185430-d6d8306a24ec
-	github.com/openshift/client-go v0.0.0-20241001162912-da6d55e4611f
+	github.com/openshift/client-go v0.0.0-20241203091221-452dfb8fa071
 	github.com/openshift/library-go v0.0.0-20241022210936-abb8c75b88dc
 	github.com/openshift/runtime-utils v0.0.0-20230921210328-7bdb5b9c177b
 	github.com/prometheus/client_golang v1.20.4

diff --git a/go.sum b/go.sum
@@ -596,8 +596,8 @@ github.com/opencontainers/runtime-spec v1.1.0 h1:HHUyrt9mwHUjtasSbXSMvs4cyFxh+Bl
 github.com/opencontainers/runtime-spec v1.1.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/openshift/api v0.0.0-20250102185430-d6d8306a24ec h1:VEDRGJmiYeN0V0xW1aI9wfzEMgaMZOVasy3FzEz27Lo=
 github.com/openshift/api v0.0.0-20250102185430-d6d8306a24ec/go.mod h1:Shkl4HanLwDiiBzakv+con/aMGnVE2MAGvoKp5oyYUo=
-github.com/openshift/client-go v0.0.0-20241001162912-da6d55e4611f h1:FRc0bVNWprihWS0GqQWzb3dY4dkCwpOP3mDw5NwSoR4=
-github.com/openshift/client-go v0.0.0-20241001162912-da6d55e4611f/go.mod h1:KiZi2mJRH1TOJ3FtBDYS6YvUL30s/iIXaGSUrSa36mo=
+github.com/openshift/client-go v0.0.0-20241203091221-452dfb8fa071 h1:l0++HnGVKBcs8kXFL/1yeozxioxPGNpp0PYe3Y+0sq4=
+github.com/openshift/client-go v0.0.0-20241203091221-452dfb8fa071/go.mod h1:gL0laCCiIaNTNw1ZsMQZXBVu2NeQFpNWm9bLtYO9+ZU=
 github.com/openshift/kube-openapi v0.0.0-20230816122517-ffc8f001abb0 h1:GPlAy197Jkr+D0T2FNWanamraTdzS/r9ZkT29lxvHaA=
 github.com/openshift/kube-openapi v0.0.0-20230816122517-ffc8f001abb0/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM=
 github.com/openshift/library-go v0.0.0-20241022210936-abb8c75b88dc h1:fwtWTW+QcTyzGVAYxMPz9amtAURWvSs8p+a37nG/43c=

diff --git a/manifests/machineconfigcontroller/clusterrole.yaml b/manifests/machineconfigcontroller/clusterrole.yaml
@@ -37,7 +37,7 @@ rules:
   resources: ["daemonsets"]
   verbs: ["get"]
 - apiGroups: ["machine.openshift.io"]
-  resources: ["machinesets"]
+  resources: ["machinesets","machines"]
   verbs: ["get", "list", "watch", "patch"]
 - apiGroups: ["operator.openshift.io"]
   resources: ["machineconfigurations/status"]

diff --git a/manifests/userdata_secret.yaml b/manifests/userdata_secret.yaml
@@ -3,6 +3,8 @@ kind: Secret
 metadata:
   name: {{.Role}}-user-data-managed
   namespace: openshift-machine-api
+  labels:
+    "machineconfiguration.openshift.io/managed-ca-bundle-derived-from-configmap": ""
 type: Opaque
 data:
   disableTemplating: "dHJ1ZQo="