Renew external certs

minio · Feb 6, 2024 · 896176a · 896176a
1 parent e360633
commit 896176a
Showing 1 changed file with 37 additions and 0 deletions.
diff --git a/pkg/controller/monitoring.go b/pkg/controller/monitoring.go
@@ -18,6 +18,7 @@ import (
  "context"
  "fmt"
  "log"
+ "strings"
  "time"
 
  "github.com/minio/madmin-go/v3"
@@ -120,6 +121,42 @@ func (c *Controller) updateHealthStatusForTenant(tenant *miniov2.Tenant) error {
  if err != nil {
  // show the error and continue
  klog.Infof("'%s/%s' Failed to get cluster health: %v", tenant.Namespace, tenant.Name, err)
+ if strings.Contains(err.Error(), "failed to verify certificate") {
+ externalCertSecret := tenant.Spec.ExternalCertSecret
+ klog.Info("Let's check if there is an external cert for the tenant...")
+ if externalCertSecret != nil {
+ // Check that there is a secret that starts with "operator-ca-tls-" to proceed with the renewal
+ secretsAvailableAtOperatorNS, _ := c.kubeClientSet.CoreV1().Secrets(miniov2.GetNSFromFile()).List(context.Background(), metav1.ListOptions{})
+ for _, secret := range secretsAvailableAtOperatorNS.Items {
+ // Check if secret starts with "operator-ca-tls-"
+ secretName := OperatorCATLSSecretName + "-"
+ if strings.HasPrefix(secret.Name, secretName) {
+ klog.Infof("External secret found: %s", secret.Name)
+ klog.Info("We are going to renew the external certificate for the tenant...")
+ // Steps:
+ // 1. Delete the secret that starts with operator-ca-tls- because it is expired
+ c.kubeClientSet.CoreV1().Secrets(miniov2.GetNSFromFile()).Delete(context.Background(), secret.Name, metav1.DeleteOptions{})
+ // 2. Get the new certificate generated by cert-manager
+ tenantSecretName := tenant.Spec.ExternalCertSecret[0].Name
+ data, _ := c.kubeClientSet.CoreV1().Secrets(tenant.Namespace).Get(context.Background(), tenantSecretName, metav1.GetOptions{})
+ CACertificate := data.Data["0"]
+ // 3. Create the new secret that contains the new certificate
+ newSecret := &corev1.Secret{
+ Type: "Opaque",
+ ObjectMeta: metav1.ObjectMeta{
+ Name: secret.Name,
+ Namespace: miniov2.GetNSFromFile(),
+ },
+ Data: map[string][]byte{
+ "ca.crt": CACertificate,
+ },
+ }
+ c.kubeClientSet.CoreV1().Secrets(miniov2.GetNSFromFile()).Create(context.Background(), newSecret, metav1.CreateOptions{})
+ // 4. Rollout the Operator Deployment to use new certificate and trust the tenant.
+ }
+ }
+ }
+ }
  return nil
  }