Skip to content

Commit

Permalink
Showing 4 changed files with 211 additions and 201 deletions.
24 changes: 12 additions & 12 deletions pkg/controller/cluster/console-csr.go
Original file line number Diff line number Diff line change
@@ -29,7 +29,7 @@ import (
"k8s.io/klog/v2"
)

func generateConsoleCryptoData(mi *miniov1.Tenant) ([]byte, []byte, error) {
func generateConsoleCryptoData(tenant *miniov1.Tenant) ([]byte, []byte, error) {
privateKey, err := newPrivateKey(miniov1.DefaultEllipticCurve)
if err != nil {
klog.Errorf("Unexpected error during the ECDSA Key generation: %v", err)
@@ -44,11 +44,11 @@ func generateConsoleCryptoData(mi *miniov1.Tenant) ([]byte, []byte, error) {

csrTemplate := x509.CertificateRequest{
Subject: pkix.Name{
CommonName: mi.ConsoleCommonName(),
Organization: mi.Spec.CertConfig.OrganizationName,
CommonName: tenant.ConsoleCommonName(),
Organization: tenant.Spec.CertConfig.OrganizationName,
},
SignatureAlgorithm: x509.ECDSAWithSHA512,
DNSNames: []string{mi.ConsoleCIServiceName()},
DNSNames: []string{tenant.ConsoleCIServiceName()},
}

csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &csrTemplate, privateKey)
@@ -62,33 +62,33 @@ func generateConsoleCryptoData(mi *miniov1.Tenant) ([]byte, []byte, error) {
// createConsoleTLSCSR handles all the steps required to create the CSR: from creation of keys, submitting CSR and
// finally creating a secret that Console deployment will use to mount private key and certificate for TLS
// This Method Blocks till the CSR Request is approved via kubectl approve
func (c *Controller) createConsoleTLSCSR(ctx context.Context, mi *miniov1.Tenant) error {
privKeysBytes, csrBytes, err := generateConsoleCryptoData(mi)
func (c *Controller) createConsoleTLSCSR(ctx context.Context, tenant *miniov1.Tenant) error {
privKeysBytes, csrBytes, err := generateConsoleCryptoData(tenant)
if err != nil {
klog.Errorf("Private Key and CSR generation failed with error: %v", err)
return err
}

err = c.createCertificate(ctx, mi.ConsolePodLabels(), mi.ConsoleCSRName(), mi.Namespace, csrBytes, mi)
err = c.createCertificate(ctx, tenant.ConsolePodLabels(), tenant.ConsoleCSRName(), tenant.Namespace, csrBytes, tenant)
if err != nil {
klog.Errorf("Unexpected error during the creation of the csr/%s: %v", mi.ConsoleCSRName(), err)
klog.Errorf("Unexpected error during the creation of the csr/%s: %v", tenant.ConsoleCSRName(), err)
return err
}

// fetch certificate from CSR
certbytes, err := c.fetchCertificate(ctx, mi.ConsoleCSRName())
certbytes, err := c.fetchCertificate(ctx, tenant.ConsoleCSRName())
if err != nil {
klog.Errorf("Unexpected error during the creation of the csr/%s: %v", mi.ConsoleCSRName(), err)
klog.Errorf("Unexpected error during the creation of the csr/%s: %v", tenant.ConsoleCSRName(), err)
return err
}

// PEM encode private ECDSA key
encodedPrivKey := pem.EncodeToMemory(&pem.Block{Type: privateKeyType, Bytes: privKeysBytes})

// Create secret for Console Deployment to use
err = c.createSecret(ctx, mi, mi.ConsolePodLabels(), mi.ConsoleTLSSecretName(), encodedPrivKey, certbytes)
err = c.createSecret(ctx, tenant, tenant.ConsolePodLabels(), tenant.ConsoleTLSSecretName(), encodedPrivKey, certbytes)
if err != nil {
klog.Errorf("Unexpected error during the creation of the secret/%s: %v", mi.ConsoleTLSSecretName(), err)
klog.Errorf("Unexpected error during the creation of the secret/%s: %v", tenant.ConsoleTLSSecretName(), err)
return err
}

48 changes: 24 additions & 24 deletions pkg/controller/cluster/csr.go
Original file line number Diff line number Diff line change
@@ -67,7 +67,7 @@ func isEqual(a, b []string) bool {
return true
}

func generateCryptoData(mi *miniov1.Tenant, hostsTemplate string) ([]byte, []byte, error) {
func generateCryptoData(tenant *miniov1.Tenant, hostsTemplate string) ([]byte, []byte, error) {
var dnsNames []string
klog.V(0).Infof("Generating private key")
privateKey, err := newPrivateKey(miniov1.DefaultEllipticCurve)
@@ -82,24 +82,24 @@ func generateCryptoData(mi *miniov1.Tenant, hostsTemplate string) ([]byte, []byt
return nil, nil, err
}

klog.V(0).Infof("Generating CSR with CN=%s", mi.Spec.CertConfig.CommonName)
klog.V(0).Infof("Generating CSR with CN=%s", tenant.Spec.CertConfig.CommonName)

hosts := mi.AllMinIOHosts()
hosts := tenant.AllMinIOHosts()
if hostsTemplate != "" {
hosts = mi.TemplatedMinIOHosts(hostsTemplate)
hosts = tenant.TemplatedMinIOHosts(hostsTemplate)
}

if isEqual(mi.Spec.CertConfig.DNSNames, hosts) {
dnsNames = mi.Spec.CertConfig.DNSNames
if isEqual(tenant.Spec.CertConfig.DNSNames, hosts) {
dnsNames = tenant.Spec.CertConfig.DNSNames
} else {
dnsNames = append(mi.Spec.CertConfig.DNSNames, hosts...)
dnsNames = append(tenant.Spec.CertConfig.DNSNames, hosts...)
}
dnsNames = append(dnsNames, mi.MinIOBucketBaseWildcardDomain())
dnsNames = append(dnsNames, tenant.MinIOBucketBaseWildcardDomain())

csrTemplate := x509.CertificateRequest{
Subject: pkix.Name{
CommonName: mi.Spec.CertConfig.CommonName,
Organization: mi.Spec.CertConfig.OrganizationName,
CommonName: tenant.Spec.CertConfig.CommonName,
Organization: tenant.Spec.CertConfig.OrganizationName,
},
SignatureAlgorithm: x509.ECDSAWithSHA512,
DNSNames: dnsNames,
@@ -116,41 +116,41 @@ func generateCryptoData(mi *miniov1.Tenant, hostsTemplate string) ([]byte, []byt
// createCSR handles all the steps required to create the CSR: from creation of keys, submitting CSR and
// finally creating a secret that MinIO statefulset will use to mount private key and certificate for TLS
// This Method Blocks till the CSR Request is approved via kubectl approve
func (c *Controller) createCSR(ctx context.Context, mi *miniov1.Tenant) error {
privKeysBytes, csrBytes, err := generateCryptoData(mi, c.hostsTemplate)
func (c *Controller) createCSR(ctx context.Context, tenant *miniov1.Tenant) error {
privKeysBytes, csrBytes, err := generateCryptoData(tenant, c.hostsTemplate)
if err != nil {
klog.Errorf("Private Key and CSR generation failed with error: %v", err)
return err
}

err = c.createCertificate(ctx, mi.MinIOPodLabels(), mi.MinIOCSRName(), mi.Namespace, csrBytes, mi)
err = c.createCertificate(ctx, tenant.MinIOPodLabels(), tenant.MinIOCSRName(), tenant.Namespace, csrBytes, tenant)
if err != nil {
klog.Errorf("Unexpected error during the creation of the csr/%s: %v", mi.MinIOCSRName(), err)
klog.Errorf("Unexpected error during the creation of the csr/%s: %v", tenant.MinIOCSRName(), err)
return err
}

// fetch certificate from CSR
certbytes, err := c.fetchCertificate(ctx, mi.MinIOCSRName())
certbytes, err := c.fetchCertificate(ctx, tenant.MinIOCSRName())
if err != nil {
klog.Errorf("Unexpected error during the creation of the csr/%s: %v", mi.MinIOCSRName(), err)
klog.Errorf("Unexpected error during the creation of the csr/%s: %v", tenant.MinIOCSRName(), err)
return err
}

// PEM encode private ECDSA key
encodedPrivKey := pem.EncodeToMemory(&pem.Block{Type: privateKeyType, Bytes: privKeysBytes})

// Create secret for MinIO Statefulset to use
err = c.createSecret(ctx, mi, mi.MinIOPodLabels(), mi.MinIOTLSSecretName(), encodedPrivKey, certbytes)
err = c.createSecret(ctx, tenant, tenant.MinIOPodLabels(), tenant.MinIOTLSSecretName(), encodedPrivKey, certbytes)
if err != nil {
klog.Errorf("Unexpected error during the creation of the secret/%s: %v", mi.MinIOTLSSecretName(), err)
klog.Errorf("Unexpected error during the creation of the secret/%s: %v", tenant.MinIOTLSSecretName(), err)
return err
}

return nil
}

// createCertificate is equivalent to kubectl create <csr-name> and kubectl approve csr <csr-name>
func (c *Controller) createCertificate(ctx context.Context, labels map[string]string, name, namespace string, csrBytes []byte, mi *miniov1.Tenant) error {
func (c *Controller) createCertificate(ctx context.Context, labels map[string]string, name, namespace string, csrBytes []byte, tenant *miniov1.Tenant) error {
encodedBytes := pem.EncodeToMemory(&pem.Block{Type: csrType, Bytes: csrBytes})

kubeCSR := &certificates.CertificateSigningRequest{
@@ -163,7 +163,7 @@ func (c *Controller) createCertificate(ctx context.Context, labels map[string]st
Labels: labels,
Namespace: namespace,
OwnerReferences: []metav1.OwnerReference{
*metav1.NewControllerRef(mi, schema.GroupVersionKind{
*metav1.NewControllerRef(tenant, schema.GroupVersionKind{
Group: miniov1.SchemeGroupVersion.Group,
Version: miniov1.SchemeGroupVersion.Version,
Kind: miniov1.MinIOCRDResourceKind,
@@ -252,15 +252,15 @@ func (c *Controller) fetchCertificate(ctx context.Context, csrName string) ([]by
}
}

func (c *Controller) createSecret(ctx context.Context, mi *miniov1.Tenant, labels map[string]string, secretName string, pkBytes, certBytes []byte) error {
func (c *Controller) createSecret(ctx context.Context, tenant *miniov1.Tenant, labels map[string]string, secretName string, pkBytes, certBytes []byte) error {
secret := &corev1.Secret{
Type: "Opaque",
ObjectMeta: metav1.ObjectMeta{
Name: secretName,
Namespace: mi.Namespace,
Namespace: tenant.Namespace,
Labels: labels,
OwnerReferences: []metav1.OwnerReference{
*metav1.NewControllerRef(mi, schema.GroupVersionKind{
*metav1.NewControllerRef(tenant, schema.GroupVersionKind{
Group: miniov1.SchemeGroupVersion.Group,
Version: miniov1.SchemeGroupVersion.Version,
Kind: miniov1.MinIOCRDResourceKind,
@@ -272,7 +272,7 @@ func (c *Controller) createSecret(ctx context.Context, mi *miniov1.Tenant, label
"public.crt": certBytes,
},
}
_, err := c.kubeClientSet.CoreV1().Secrets(mi.Namespace).Create(ctx, secret, metav1.CreateOptions{})
_, err := c.kubeClientSet.CoreV1().Secrets(tenant.Namespace).Create(ctx, secret, metav1.CreateOptions{})
return err
}

44 changes: 22 additions & 22 deletions pkg/controller/cluster/kes-csr.go
Original file line number Diff line number Diff line change
@@ -32,7 +32,7 @@ import (
miniov1 "github.com/minio/operator/pkg/apis/minio.min.io/v1"
)

func generateKESCryptoData(mi *miniov1.Tenant) ([]byte, []byte, error) {
func generateKESCryptoData(tenant *miniov1.Tenant) ([]byte, []byte, error) {
privateKey, err := newPrivateKey(miniov1.DefaultEllipticCurve)
if err != nil {
klog.Errorf("Unexpected error during the ECDSA Key generation: %v", err)
@@ -47,11 +47,11 @@ func generateKESCryptoData(mi *miniov1.Tenant) ([]byte, []byte, error) {

csrTemplate := x509.CertificateRequest{
Subject: pkix.Name{
CommonName: mi.KESWildCardName(),
Organization: mi.Spec.CertConfig.OrganizationName,
CommonName: tenant.KESWildCardName(),
Organization: tenant.Spec.CertConfig.OrganizationName,
},
SignatureAlgorithm: x509.ECDSAWithSHA512,
DNSNames: mi.KESHosts(),
DNSNames: tenant.KESHosts(),
}

csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &csrTemplate, privateKey)
@@ -65,33 +65,33 @@ func generateKESCryptoData(mi *miniov1.Tenant) ([]byte, []byte, error) {
// createKESTLSCSR handles all the steps required to create the CSR: from creation of keys, submitting CSR and
// finally creating a secret that KES Statefulset will use to mount private key and certificate for TLS
// This Method Blocks till the CSR Request is approved via kubectl approve
func (c *Controller) createKESTLSCSR(ctx context.Context, mi *miniov1.Tenant) error {
privKeysBytes, csrBytes, err := generateKESCryptoData(mi)
func (c *Controller) createKESTLSCSR(ctx context.Context, tenant *miniov1.Tenant) error {
privKeysBytes, csrBytes, err := generateKESCryptoData(tenant)
if err != nil {
klog.Errorf("Private Key and CSR generation failed with error: %v", err)
return err
}

err = c.createCertificate(ctx, mi.KESPodLabels(), mi.KESCSRName(), mi.Namespace, csrBytes, mi)
err = c.createCertificate(ctx, tenant.KESPodLabels(), tenant.KESCSRName(), tenant.Namespace, csrBytes, tenant)
if err != nil {
klog.Errorf("Unexpected error during the creation of the csr/%s: %v", mi.KESCSRName(), err)
klog.Errorf("Unexpected error during the creation of the csr/%s: %v", tenant.KESCSRName(), err)
return err
}

// fetch certificate from CSR
certbytes, err := c.fetchCertificate(ctx, mi.KESCSRName())
certbytes, err := c.fetchCertificate(ctx, tenant.KESCSRName())
if err != nil {
klog.Errorf("Unexpected error during the creation of the csr/%s: %v", mi.KESCSRName(), err)
klog.Errorf("Unexpected error during the creation of the csr/%s: %v", tenant.KESCSRName(), err)
return err
}

// PEM encode private ECDSA key
encodedPrivKey := pem.EncodeToMemory(&pem.Block{Type: privateKeyType, Bytes: privKeysBytes})

// Create secret for KES Statefulset to use
err = c.createSecret(ctx, mi, mi.KESPodLabels(), mi.KESTLSSecretName(), encodedPrivKey, certbytes)
err = c.createSecret(ctx, tenant, tenant.KESPodLabels(), tenant.KESTLSSecretName(), encodedPrivKey, certbytes)
if err != nil {
klog.Errorf("Unexpected error during the creation of the secret/%s: %v", mi.KESTLSSecretName(), err)
klog.Errorf("Unexpected error during the creation of the secret/%s: %v", tenant.KESTLSSecretName(), err)
return err
}

@@ -100,23 +100,23 @@ func (c *Controller) createKESTLSCSR(ctx context.Context, mi *miniov1.Tenant) er

// createMinIOClientTLSCSR handles all the steps required to create the CSR: from creation of keys, submitting CSR and
// finally creating a secret that KES Statefulset will use for MinIO Client Auth
func (c *Controller) createMinIOClientTLSCSR(ctx context.Context, mi *miniov1.Tenant) error {
privKeysBytes, csrBytes, err := generateCryptoData(mi, c.hostsTemplate)
func (c *Controller) createMinIOClientTLSCSR(ctx context.Context, tenant *miniov1.Tenant) error {
privKeysBytes, csrBytes, err := generateCryptoData(tenant, c.hostsTemplate)
if err != nil {
klog.Errorf("Private Key and CSR generation failed with error: %v", err)
return err
}

err = c.createCertificate(ctx, mi.MinIOPodLabels(), mi.MinIOClientCSRName(), mi.Namespace, csrBytes, mi)
err = c.createCertificate(ctx, tenant.MinIOPodLabels(), tenant.MinIOClientCSRName(), tenant.Namespace, csrBytes, tenant)
if err != nil {
klog.Errorf("Unexpected error during the creation of the csr/%s: %v", mi.MinIOClientCSRName(), err)
klog.Errorf("Unexpected error during the creation of the csr/%s: %v", tenant.MinIOClientCSRName(), err)
return err
}

// fetch certificate from CSR
certbytes, err := c.fetchCertificate(ctx, mi.MinIOClientCSRName())
certbytes, err := c.fetchCertificate(ctx, tenant.MinIOClientCSRName())
if err != nil {
klog.Errorf("Unexpected error during the creation of the csr/%s: %v", mi.MinIOClientCSRName(), err)
klog.Errorf("Unexpected error during the creation of the csr/%s: %v", tenant.MinIOClientCSRName(), err)
return err
}

@@ -125,13 +125,13 @@ func (c *Controller) createMinIOClientTLSCSR(ctx context.Context, mi *miniov1.Te
h := sha256.New()
cert, err := parseCertificate(bytes.NewReader(certbytes))
if err != nil {
klog.Errorf("Unexpected error during the creation of the csr/%s: %v", mi.MinIOClientCSRName(), err)
klog.Errorf("Unexpected error during the creation of the csr/%s: %v", tenant.MinIOClientCSRName(), err)
return err
}

_, err = h.Write(cert.RawSubjectPublicKeyInfo)
if err != nil {
klog.Errorf("Unexpected error during the creation of the csr/%s: %v", mi.MinIOClientCSRName(), err)
klog.Errorf("Unexpected error during the creation of the csr/%s: %v", tenant.MinIOClientCSRName(), err)
return err
}

@@ -142,9 +142,9 @@ func (c *Controller) createMinIOClientTLSCSR(ctx context.Context, mi *miniov1.Te
encodedPrivKey := pem.EncodeToMemory(&pem.Block{Type: privateKeyType, Bytes: privKeysBytes})

// Create secret for KES Statefulset to use
err = c.createSecret(ctx, mi, mi.MinIOPodLabels(), mi.MinIOClientTLSSecretName(), encodedPrivKey, certbytes)
err = c.createSecret(ctx, tenant, tenant.MinIOPodLabels(), tenant.MinIOClientTLSSecretName(), encodedPrivKey, certbytes)
if err != nil {
klog.Errorf("Unexpected error during the creation of the secret/%s: %v", mi.MinIOClientTLSSecretName(), err)
klog.Errorf("Unexpected error during the creation of the secret/%s: %v", tenant.MinIOClientTLSSecretName(), err)
return err
}

296 changes: 153 additions & 143 deletions pkg/controller/cluster/main-controller.go

Large diffs are not rendered by default.

0 comments on commit 290e871

Please sign in to comment.