Skip to content

Commit e9711cb

Browse files
authored
Merge pull request noobaa#1767 from liranmauda/liran-backport-into-5.19
[Backport into 5.19] Backport fixes into 5.19
2 parents d9fc6ac + e8592ca commit e9711cb

9 files changed

Lines changed: 89 additions & 23 deletions

File tree

.github/workflows/run_hac_test.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
name: HAC on KIND cluster Test
2-
on: [push, pull_request, workflow_dispatch]
2+
on: [workflow_dispatch]
33

44
jobs:
55
run-hac-test:

pkg/controller/add_hac.go

Lines changed: 7 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,10 +1,15 @@
11
package controller
22

33
import (
4+
"os"
5+
46
hac "github.com/noobaa/noobaa-operator/v5/pkg/controller/ha"
57
)
68

79
func init() {
8-
// AddToManagerFuncs is a list of functions to create controllers and add them to a manager.
9-
AddToManagerFuncs = append(AddToManagerFuncs, hac.Add)
10+
hacEnabled := os.Getenv("HAC_ENABLED")
11+
if hacEnabled == "true" {
12+
// AddToManagerFuncs is a list of functions to create controllers and add them to a manager.
13+
AddToManagerFuncs = append(AddToManagerFuncs, hac.Add)
14+
}
1015
}

pkg/controller/ha/ha_controller.go

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -71,6 +71,7 @@ func nodeNotReadyPredicate() predicate.Predicate {
7171

7272
// Add creates a nodewatcher Controller and adds it to the Manager.
7373
func Add(mgr manager.Manager) error {
74+
util.Logger().Info("Adding high availability controller (HAC)")
7475

7576
opts := controller.Options{
7677
MaxConcurrentReconciles: 1,

pkg/hac/hac.go

Lines changed: 7 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,7 @@ package hac
55

66
import (
77
"context"
8+
"os"
89

910
"github.com/pkg/errors"
1011
"github.com/sirupsen/logrus"
@@ -43,8 +44,12 @@ func (pd *PodDeleter) DeletePodsOnNode() error {
4344
return errors.Errorf("failed to list noobaa pods on the node %v in namespace %v", pd.NodeName, options.Namespace)
4445
}
4546

46-
// delete the found pods
47-
var gracePeriod int64 = 0
47+
// delete the found pods. by default using a 1 second grace period.
48+
var gracePeriod int64 = 1
49+
if os.Getenv("HAC_FORCE_DELETE") == "true" {
50+
// if HAC_FORCE_DELETE is set to true, use a 0 second grace period.
51+
gracePeriod = 0
52+
}
4853
deleteOpts := client.DeleteOptions{GracePeriodSeconds: &gracePeriod}
4954
for _, pod := range podList.Items {
5055
if err := pd.Client.Delete(context.Background(), &pod, &deleteOpts); err != nil {

pkg/options/options.go

Lines changed: 0 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -48,9 +48,6 @@ const (
4848

4949
// SystemName is a constant as we want just a single system per namespace
5050
SystemName = "noobaa"
51-
52-
// ServiceServingCertCAFile points to OCP root CA to be added to the default root CA list
53-
ServiceServingCertCAFile = "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
5451
)
5552

5653
// Namespace is the target namespace for locating the noobaa system

pkg/system/phase2_creating.go

Lines changed: 27 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -392,6 +392,21 @@ func (r *Reconciler) SetDesiredNooBaaDB() error {
392392
}
393393

394394
func (r *Reconciler) setDesiredCoreEnv(c *corev1.Container) {
395+
// Filter out NOOBAA_ROOT_SECRET from env vars to avoid exposing it in pod spec
396+
// it is set via mounting the secret as files
397+
// this will remove the leftover env var in case of an upgrade from older operator version (older than 4.21)
398+
// as we preserve env vars on updates by merging the arrays and not replacing them.
399+
400+
if len(c.Env) > 0 {
401+
filtered := c.Env[:0]
402+
for _, env := range c.Env {
403+
if env.Name != "NOOBAA_ROOT_SECRET" {
404+
filtered = append(filtered, env)
405+
}
406+
}
407+
c.Env = filtered
408+
}
409+
395410
for j := range c.Env {
396411
switch c.Env[j].Name {
397412
case "AGENT_PROFILE":
@@ -521,6 +536,10 @@ func (r *Reconciler) SetDesiredCoreApp() error {
521536
r.CoreApp.Spec.ServiceName = r.ServiceMgmt.Name
522537

523538
podSpec := &r.CoreApp.Spec.Template.Spec
539+
// set the termination grace period for noobaa-core pod.
540+
// For now we set it to 1 second. A better approach should be to implement a graceful shutdown for the noobaa-core pod when SIGTERM is received.
541+
terminationGracePeriodSeconds := int64(1)
542+
podSpec.TerminationGracePeriodSeconds = &terminationGracePeriodSeconds
524543
podSpec.ServiceAccountName = "noobaa-core"
525544
coreImageChanged := false
526545

@@ -575,10 +594,11 @@ func (r *Reconciler) SetDesiredCoreApp() error {
575594
util.MergeVolumeMountList(&c.VolumeMounts, &dbSecretVolumeMounts)
576595
}
577596

578-
if util.KubeCheckQuiet(r.CaBundleConf) {
597+
// we want to check that the cm exists and also that it has data in it
598+
if util.KubeCheckQuiet(r.CaBundleConf) && len(r.CaBundleConf.Data) > 0 {
579599
configMapVolumeMounts := []corev1.VolumeMount{{
580600
Name: r.CaBundleConf.Name,
581-
MountPath: "/etc/ocp-injected-ca-bundle.crt",
601+
MountPath: "/etc/ocp-injected-ca-bundle",
582602
ReadOnly: true,
583603
}}
584604
util.MergeVolumeMountList(&c.VolumeMounts, &configMapVolumeMounts)
@@ -658,10 +678,11 @@ func (r *Reconciler) SetDesiredCoreApp() error {
658678
Limits: logResourceList,
659679
}
660680
}
661-
if util.KubeCheckQuiet(r.CaBundleConf) {
681+
// we want to check that the cm exists and also that it has data in it
682+
if util.KubeCheckQuiet(r.CaBundleConf) && len(r.CaBundleConf.Data) > 0 {
662683
configMapVolumeMounts := []corev1.VolumeMount{{
663684
Name: r.CaBundleConf.Name,
664-
MountPath: "/etc/ocp-injected-ca-bundle.crt",
685+
MountPath: "/etc/ocp-injected-ca-bundle",
665686
ReadOnly: true,
666687
}}
667688
util.MergeVolumeMountList(&c.VolumeMounts, &configMapVolumeMounts)
@@ -701,7 +722,8 @@ func (r *Reconciler) SetDesiredCoreApp() error {
701722

702723
r.CoreApp.Spec.Template.Annotations["noobaa.io/configmap-hash"] = r.CoreAppConfig.Annotations["noobaa.io/configmap-hash"]
703724

704-
if util.KubeCheckQuiet(r.CaBundleConf) {
725+
// we want to check that the cm exists and also that it has data in it
726+
if util.KubeCheckQuiet(r.CaBundleConf) && len(r.CaBundleConf.Data) > 0 {
705727
configMapVolumes := []corev1.Volume{{
706728
Name: r.CaBundleConf.Name,
707729
VolumeSource: corev1.VolumeSource{

pkg/system/phase4_configuring.go

Lines changed: 11 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -507,7 +507,8 @@ func (r *Reconciler) setDesiredEndpointMounts(podSpec *corev1.PodSpec, container
507507
util.MergeVolumeMountList(&container.VolumeMounts, &dbSecretVolumeMounts)
508508
}
509509

510-
if util.KubeCheckQuiet(r.CaBundleConf) {
510+
// we want to check that the cm exists and also that it has data in it
511+
if util.KubeCheckQuiet(r.CaBundleConf) && len(r.CaBundleConf.Data) > 0 {
511512
configMapVolumes := []corev1.Volume{{
512513
Name: r.CaBundleConf.Name,
513514
VolumeSource: corev1.VolumeSource{
@@ -525,7 +526,7 @@ func (r *Reconciler) setDesiredEndpointMounts(podSpec *corev1.PodSpec, container
525526
util.MergeVolumeList(&podSpec.Volumes, &configMapVolumes)
526527
configMapVolumeMounts := []corev1.VolumeMount{{
527528
Name: r.CaBundleConf.Name,
528-
MountPath: "/etc/ocp-injected-ca-bundle.crt",
529+
MountPath: "/etc/ocp-injected-ca-bundle",
529530
ReadOnly: true,
530531
}}
531532
util.MergeVolumeMountList(&container.VolumeMounts, &configMapVolumeMounts)
@@ -1069,6 +1070,10 @@ func (r *Reconciler) prepareAWSBackingStore() error {
10691070
*result.Credentials.SecretAccessKey,
10701071
*result.Credentials.SessionToken,
10711072
),
1073+
HTTPClient: &http.Client{
1074+
Transport: util.GlobalCARefreshingTransport,
1075+
Timeout: 10 * time.Second,
1076+
},
10721077
Region: &region,
10731078
}
10741079
} else { // handle AWS long-lived credentials (not STS)
@@ -1078,6 +1083,10 @@ func (r *Reconciler) prepareAWSBackingStore() error {
10781083
cloudCredsSecret.StringData["aws_secret_access_key"],
10791084
"",
10801085
),
1086+
HTTPClient: &http.Client{
1087+
Transport: util.GlobalCARefreshingTransport,
1088+
Timeout: 10 * time.Second,
1089+
},
10811090
Region: &region,
10821091
}
10831092
}

pkg/system/reconciler.go

Lines changed: 25 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -68,7 +68,7 @@ type Reconciler struct {
6868
OperatorVersion string
6969
OAuthEndpoints *util.OAuth2Endpoints
7070
PostgresConnectionString string
71-
ApplyCAsToPods string
71+
ApplyCAsToPods string // the path that will be applied to the core and endpoint pods in NODE_EXTRA_CA_CERTS
7272

7373
NooBaa *nbv1.NooBaa
7474
ServiceAccount *corev1.ServiceAccount
@@ -282,7 +282,7 @@ func NewReconciler(
282282
r.RouteS3.Name = r.ServiceS3.Name
283283
r.RouteSts.Name = r.ServiceSts.Name
284284
r.DeploymentEndpoint.Name = r.Request.Name + "-endpoint"
285-
r.CaBundleConf.Name = r.Request.Name + "-ca-inject"
285+
r.CaBundleConf.Name = "ocp-injected-ca-bundle"
286286
r.KedaScaled.Name = r.Request.Name
287287
r.AdapterHPA.Name = r.Request.Name + "-hpav2"
288288
r.BucketLoggingPVC.Name = r.Request.Name + "-bucket-logging-pvc"
@@ -404,9 +404,30 @@ func (r *Reconciler) Reconcile() (reconcile.Result, error) {
404404
}
405405
}
406406

407-
err = util.AddToRootCAs(options.ServiceServingCertCAFile)
407+
/*
408+
This code is problematic due to the way other parts of the product work.
409+
On the core side, get_unsecured_agent() relies on the presence of the NODE_EXTRA_CA_CERTS
410+
environment variable to determine whether an HTTP or HTTPS client should be used.
411+
412+
At the time of writing this comment, if the environment variable is not set, an HTTP agent
413+
will be used for *all* S3-compatible domains that aren't under amazonaws.com - including
414+
domains that are already present by default in the system's certificate store.
415+
416+
Forcing the environment variable to always be set leads to a different problem where
417+
some things might fail - e.g. the admission tests that rely on creating a namespacestore
418+
that points towards NooBaa's (self-signed) S3 service. In that case, the HTTPS agent fails
419+
due to the self-signed certificate.
420+
421+
Also, note that the code that combines certificates only applies to the operator.
422+
Based on whether the certificate bundling was successful, the operator will set the value of
423+
NODE_EXTRA_CA_CERTS in endpoints and core pods to point to *the system generated service-serving certs*.
424+
425+
At the time of writing, user certs are not included at any point.
426+
*/
427+
428+
err = util.CombineCaBundle(util.ServiceServingCertCAFile)
408429
if err == nil {
409-
r.ApplyCAsToPods = options.ServiceServingCertCAFile
430+
r.ApplyCAsToPods = util.ServiceServingCertCAFile
410431
} else if !os.IsNotExist(err) {
411432
log.Errorf("❌ NooBaa %q failed to add root CAs to system default", r.NooBaa.Name)
412433
res.RequeueAfter = 3 * time.Second

pkg/util/util.go

Lines changed: 10 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -84,6 +84,12 @@ const (
8484

8585
topologyConstraintsEnabledKubeVersion = "1.26.0"
8686
trueStr = "true"
87+
88+
// ServiceServingCertCAFile points to OCP default root CA list
89+
ServiceServingCertCAFile = "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
90+
91+
// InjectedBundleCertCAFile points to OCP root CA to be added to the default root CA list
92+
InjectedBundleCertCAFile = "/etc/ocp-injected-ca-bundle/ca-bundle.crt"
8793
)
8894

8995
// OAuth2Endpoints holds OAuth2 endpoints information.
@@ -143,15 +149,15 @@ var (
143149
}
144150
)
145151

146-
// AddToRootCAs adds a local cert file to Our GlobalCARefreshingTransport
147-
func AddToRootCAs(localCertFile string) error {
152+
// CombineCaBundle combines a local cert file to Our GlobalCARefreshingTransport
153+
func CombineCaBundle(localCertFile string) error {
148154
rootCAs, _ := x509.SystemCertPool()
149155
if rootCAs == nil {
150156
rootCAs = x509.NewCertPool()
151157
}
152158

153159
var certFiles = []string{
154-
"/etc/ocp-injected-ca-bundle.crt",
160+
InjectedBundleCertCAFile,
155161
localCertFile,
156162
}
157163

@@ -169,7 +175,7 @@ func AddToRootCAs(localCertFile string) error {
169175
}
170176

171177
// Trust the augmented cert pool in our client
172-
log.Infof("Successfuly appended %q to RootCAs", certFile)
178+
log.Infof("Successfully appended %q to RootCAs", certFile)
173179
}
174180
GlobalCARefreshingTransport.TLSClientConfig.RootCAs = rootCAs
175181
return nil

0 commit comments

Comments
 (0)