Merge pull request #9309 from djoshy/add-mcs-ca-annos

MCO-1457: Clean up MCS CA & TLS cert objects for management
openshift · Jan 7, 2025 · aeab38f · aeab38f
2 parents 334309f + 7589564
commit aeab38f
Show file tree

Hide file tree

Showing 36 changed files with 2,258 additions and 62 deletions.
diff --git a/data/data/manifests/bootkube/machine-config-server-ca-configmap.yaml.template b/data/data/manifests/bootkube/machine-config-server-ca-configmap.yaml.template
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: machine-config-server-ca
+  namespace: openshift-machine-config-operator
+  annotations:
+    openshift.io/description: CA bundle that stores all valid CAs for the MachineConfigServer TLS certificate
+    openshift.io/owning-component: machine-config-operator
+  labels:
+    auth.openshift.io/managed-certificate-type: ca-bundle
+data:
+  ca-bundle.crt: |
+    {{.RootCaCert | indent 4}}
diff --git a/data/data/manifests/bootkube/machine-config-server-ca-secret.yaml.template b/data/data/manifests/bootkube/machine-config-server-ca-secret.yaml.template
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: machine-config-server-ca
+  namespace: openshift-machine-config-operator
+  annotations:
+    openshift.io/owning-component: machine-config-operator
+    openshift.io/description: CA used to sign the MachineConfigServer TLS certificate
+    auth.openshift.io/certificate-issuer: {{.RootCAIssuerName}}
+    auth.openshift.io/certificate-not-after: {{.RootCANotAfter}}
+    auth.openshift.io/certificate-not-before: {{.RootCANotBefore}}
+  labels:
+    auth.openshift.io/managed-certificate-type: signer
+type: kubernetes.io/tls
+data:
+  tls.crt: {{.RootCACertBase64}}
+  tls.key: {{.RootCASignerKeyBase64}}
diff --git a/data/data/manifests/bootkube/machine-config-server-tls-secret.yaml.template b/data/data/manifests/bootkube/machine-config-server-tls-secret.yaml.template
@@ -4,8 +4,15 @@ metadata:
   name: machine-config-server-tls
   namespace: openshift-machine-config-operator
   annotations:
-    openshift.io/owning-component: "Machine Config Operator"
-type: Opaque
+    openshift.io/description: Secret containing the MachineConfigServer TLS certificate and key
+    openshift.io/owning-component: machine-config-operator
+    auth.openshift.io/certificate-hostnames: {{.McsHostName}}
+    auth.openshift.io/certificate-issuer: {{.RootCAIssuerName}}
+    auth.openshift.io/certificate-not-after: {{.McsTLSCertNotAfter}}
+    auth.openshift.io/certificate-not-before: {{.McsTLSCertNotBefore}}
+  labels:
+    auth.openshift.io/managed-certificate-type: target
+type: kubernetes.io/tls
 data:
   tls.crt: {{.McsTLSCert}}
   tls.key: {{.McsTLSKey}}
diff --git a/go.mod b/go.mod
@@ -73,18 +73,18 @@ require (
 	github.com/nutanix-cloud-native/cluster-api-provider-nutanix v1.3.3-0.20240416171357-98239ba02cb2
 	github.com/nutanix-cloud-native/prism-go-client v0.3.4
 	github.com/onsi/gomega v1.35.1
-	github.com/openshift/api v0.0.0-20241124010541-a09992e80c68
+	github.com/openshift/api v0.0.0-20241203091751-58d4ac495429
 	github.com/openshift/assisted-image-service v0.0.0-20240607085136-02df2e56dde6
 	github.com/openshift/assisted-service/api v0.0.0
 	github.com/openshift/assisted-service/client v0.0.0
 	github.com/openshift/assisted-service/models v0.0.0
-	github.com/openshift/client-go v0.0.0-20241107164952-923091dd2b1a
+	github.com/openshift/client-go v0.0.0-20241203091221-452dfb8fa071
 	github.com/openshift/cloud-credential-operator v0.0.0-20240404165937-5e8812d64187
 	github.com/openshift/cluster-api-provider-baremetal v0.0.0-20220408122422-7a548effc26e
 	github.com/openshift/cluster-api-provider-libvirt v0.2.1-0.20230308152226-83c0473d4429
 	github.com/openshift/cluster-api-provider-ovirt v0.1.1-0.20220323121149-e3f2850dd519
 	github.com/openshift/hive/apis v0.0.0-20231220215202-ad99b9e52d27
-	github.com/openshift/library-go v0.0.0-20241107160307-0064ad7bd060
+	github.com/openshift/library-go v0.0.0-20241210171208-85e36bca7246
 	github.com/openshift/machine-api-provider-gcp v0.0.1-0.20241021180644-0eca0846914a
 	github.com/openshift/machine-api-provider-ibmcloud v0.0.0-20231207164151-6b0b8ea7b16d
 	github.com/ovirt/go-ovirt v0.0.0-20210809163552-d4276e35d3db
@@ -294,6 +294,7 @@ require (
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	gorm.io/gorm v1.24.5 // indirect
+	k8s.io/apiserver v0.31.1 // indirect
 	k8s.io/cli-runtime v0.31.1 // indirect
 	k8s.io/cluster-bootstrap v0.30.3 // indirect
 	k8s.io/component-base v0.31.1 // indirect

diff --git a/go.sum b/go.sum
@@ -772,8 +772,8 @@ github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQ
 github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
 github.com/opencontainers/runtime-spec v1.2.0 h1:z97+pHb3uELt/yiAWD691HNHQIF07bE7dzrbT927iTk=
 github.com/opencontainers/runtime-spec v1.2.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
-github.com/openshift/api v0.0.0-20241124010541-a09992e80c68 h1:t3Ji1VIkNbjQzI+q2sbJyI19fnBs930VGug9kqPi9bo=
-github.com/openshift/api v0.0.0-20241124010541-a09992e80c68/go.mod h1:Shkl4HanLwDiiBzakv+con/aMGnVE2MAGvoKp5oyYUo=
+github.com/openshift/api v0.0.0-20241203091751-58d4ac495429 h1:fz+u78YFRL14rXqBKWIVYK04mUOy6LccHe3wQsUS3iI=
+github.com/openshift/api v0.0.0-20241203091751-58d4ac495429/go.mod h1:Shkl4HanLwDiiBzakv+con/aMGnVE2MAGvoKp5oyYUo=
 github.com/openshift/assisted-image-service v0.0.0-20240607085136-02df2e56dde6 h1:U6ve+dnHlHhAELoxX+rdFOHVhoaYl0l9qtxwYtsO6C0=
 github.com/openshift/assisted-image-service v0.0.0-20240607085136-02df2e56dde6/go.mod h1:o2H5VwQhUD8P6XsK6dRmKpCCJqVvv12KJQZBXmcCXCU=
 github.com/openshift/assisted-service v1.0.10-0.20230830164851-6573b5d7021d h1:CKw2Y4EdaFsMoqAdr2Tq0nlYTaaXmCRdP0gOu7pN64U=
@@ -788,8 +788,8 @@ github.com/openshift/baremetal-operator/apis v0.0.0-20231128154154-6736c9b9c6c8
 github.com/openshift/baremetal-operator/apis v0.0.0-20231128154154-6736c9b9c6c8/go.mod h1:CvKrrnAcvvtrZIc9y9WaqWmJhK0AJ9sWnh+VP4d7jcM=
 github.com/openshift/baremetal-operator/pkg/hardwareutils v0.0.0-20231128154154-6736c9b9c6c8 h1:38vY9w7dXqB7tI9g1GCUnpahNDyBbp9Yylq+BQ154YE=
 github.com/openshift/baremetal-operator/pkg/hardwareutils v0.0.0-20231128154154-6736c9b9c6c8/go.mod h1:399nvdaqoU9rTI25UdFw2EWcVjmJPpeZPIhfDAIx/XU=
-github.com/openshift/client-go v0.0.0-20241107164952-923091dd2b1a h1:h3F55x+zOXwSG4okUlXmOlU/5CQ7Ve2HKxYjseJPVoY=
-github.com/openshift/client-go v0.0.0-20241107164952-923091dd2b1a/go.mod h1:JBIcn1JfD/JCpGYnRRT0+HLxrleF/Y7T3Y/t0p8o5jk=
+github.com/openshift/client-go v0.0.0-20241203091221-452dfb8fa071 h1:l0++HnGVKBcs8kXFL/1yeozxioxPGNpp0PYe3Y+0sq4=
+github.com/openshift/client-go v0.0.0-20241203091221-452dfb8fa071/go.mod h1:gL0laCCiIaNTNw1ZsMQZXBVu2NeQFpNWm9bLtYO9+ZU=
 github.com/openshift/cloud-credential-operator v0.0.0-20240404165937-5e8812d64187 h1:v2D/+SWsOPsl4Syz1SVjo7m3L0ethuRGR++ubsb89oA=
 github.com/openshift/cloud-credential-operator v0.0.0-20240404165937-5e8812d64187/go.mod h1:eyA6FG71366St6Q1TW+jXdQbald0rUwtEPhAREMlyhA=
 github.com/openshift/cloud-provider-vsphere v1.19.1-0.20240626105621-6464d0bb4928 h1:gX0HAKR0f40xmMWlUSn8DBMCjip8Iuzg5XToWAv6Uzw=
@@ -808,8 +808,8 @@ github.com/openshift/custom-resource-status v1.1.3-0.20220503160415-f2fdb4999d87
 github.com/openshift/custom-resource-status v1.1.3-0.20220503160415-f2fdb4999d87/go.mod h1:DB/Mf2oTeiAmVVX1gN+NEqweonAPY0TKUwADizj8+ZA=
 github.com/openshift/hive/apis v0.0.0-20231220215202-ad99b9e52d27 h1:9C86viyQl7HE9yg7Gctgx803Oq6DbrCUAberyMVcWDE=
 github.com/openshift/hive/apis v0.0.0-20231220215202-ad99b9e52d27/go.mod h1:RRH8lt09SAiPECNdsbh7Gun0lkcRWi1nYKq6tDp5WxQ=
-github.com/openshift/library-go v0.0.0-20241107160307-0064ad7bd060 h1:jiDC7d8d+jmjv2WfiMY0+Uf55q11MGyYkGGqXnfqWTU=
-github.com/openshift/library-go v0.0.0-20241107160307-0064ad7bd060/go.mod h1:9B1MYPoLtP9tqjWxcbUNVpwxy68zOH/3EIP6c31dAM0=
+github.com/openshift/library-go v0.0.0-20241210171208-85e36bca7246 h1:HpUROtJipZRTCLLGlSrl+fwniNb9Z1q1trPOUFSXhvI=
+github.com/openshift/library-go v0.0.0-20241210171208-85e36bca7246/go.mod h1:eGSI6tp7yUVr4V2d0WrVt2l5s3iCwAh8Hi0RC9Fo16U=
 github.com/openshift/machine-api-operator v0.2.1-0.20240930121047-57b7917e6140 h1:VKn644y4Ra94L8YZ3JT8ZuOZMEspZt8yoIjHeaRM3pA=
 github.com/openshift/machine-api-operator v0.2.1-0.20240930121047-57b7917e6140/go.mod h1:JEUa45hXYbC6tDpLjJCRuLXIKs7pdcawDkodqfZuQEE=
 github.com/openshift/machine-api-provider-gcp v0.0.1-0.20241021180644-0eca0846914a h1:2/DQryD6yCabqVtYLELnsrzX8SLUuGJEABvHrd4x5/U=

diff --git a/pkg/asset/manifests/operators.go b/pkg/asset/manifests/operators.go
@@ -8,8 +8,11 @@ import (
 	"path/filepath"
 	"strings"
 	"text/template"
+	"time"
 
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"k8s.io/apimachinery/pkg/util/sets"
 	"sigs.k8s.io/yaml"
 
 	"github.com/openshift/installer/pkg/asset"
@@ -18,6 +21,7 @@ import (
 	"github.com/openshift/installer/pkg/asset/tls"
 	"github.com/openshift/installer/pkg/types"
 	"github.com/openshift/installer/pkg/types/vsphere"
+	"github.com/openshift/library-go/pkg/crypto"
 )
 
 const (
@@ -71,6 +75,8 @@ func (m *Manifests) Dependencies() []asset.Asset {
 		&bootkube.CVOOverrides{},
 		&bootkube.KubeCloudConfig{},
 		&bootkube.KubeSystemConfigmapRootCA{},
+		&bootkube.MachineConfigServerCASecret{},
+		&bootkube.MachineConfigServerCAConfigMap{},
 		&bootkube.MachineConfigServerTLSSecret{},
 		&bootkube.OpenshiftConfigSecretPullSecret{},
 	}
@@ -150,21 +156,52 @@ func (m *Manifests) generateBootKubeManifests(dependencies asset.Parents) []*ass
 	)
 
 	templateData := &bootkubeTemplateData{
-		CVOCapabilities:  installConfig.Config.Capabilities,
-		CVOClusterID:     clusterID.UUID,
-		McsTLSCert:       base64.StdEncoding.EncodeToString(mcsCertKey.Cert()),
-		McsTLSKey:        base64.StdEncoding.EncodeToString(mcsCertKey.Key()),
-		PullSecretBase64: base64.StdEncoding.EncodeToString([]byte(installConfig.Config.PullSecret)),
-		RootCaCert:       string(rootCA.Cert()),
-		IsFCOS:           installConfig.Config.IsFCOS(),
-		IsSCOS:           installConfig.Config.IsSCOS(),
-		IsOKD:            installConfig.Config.IsOKD(),
+		CVOCapabilities:       installConfig.Config.Capabilities,
+		CVOClusterID:          clusterID.UUID,
+		McsTLSCert:            base64.StdEncoding.EncodeToString(mcsCertKey.Cert()),
+		McsTLSKey:             base64.StdEncoding.EncodeToString(mcsCertKey.Key()),
+		PullSecretBase64:      base64.StdEncoding.EncodeToString([]byte(installConfig.Config.PullSecret)),
+		RootCaCert:            string(rootCA.Cert()),
+		RootCACertBase64:      base64.StdEncoding.EncodeToString(rootCA.Cert()),
+		RootCASignerKeyBase64: base64.StdEncoding.EncodeToString(rootCA.Key()),
+		IsFCOS:                installConfig.Config.IsFCOS(),
+		IsSCOS:                installConfig.Config.IsSCOS(),
+		IsOKD:                 installConfig.Config.IsOKD(),
+	}
+
+	// Populate MCS CA(also called root-CA) specifics
+	if rootCAPair, err := crypto.GetCAFromBytes(rootCA.Cert(), rootCA.Key()); err == nil {
+		templateData.RootCAIssuerName = rootCAPair.Config.Certs[0].Issuer.CommonName
+		templateData.RootCANotAfter = rootCAPair.Config.Certs[0].NotAfter.Format(time.RFC3339)
+		templateData.RootCANotBefore = rootCAPair.Config.Certs[0].NotBefore.Format(time.RFC3339)
+		logrus.Infof("Successfully populated MCS CA cert information: %s %s %s", templateData.RootCAIssuerName, templateData.RootCANotAfter, templateData.RootCANotBefore)
+	} else {
+		logrus.Errorf("error populating MCS CA cert details: %v", err)
+	}
+	// Populate MCS TLS Cert specifics
+	if MCSTLSCertPair, err := crypto.GetCAFromBytes(mcsCertKey.Cert(), mcsCertKey.Key()); err == nil {
+		// Hostname annottation need a little massaging
+		hostnames := sets.Set[string]{}
+		for _, ip := range MCSTLSCertPair.Config.Certs[0].IPAddresses {
+			hostnames.Insert(ip.String())
+		}
+		for _, dnsName := range MCSTLSCertPair.Config.Certs[0].DNSNames {
+			hostnames.Insert(dnsName)
+		}
+		templateData.McsHostName = strings.Join(sets.List(hostnames), ",")
+		templateData.McsTLSCertNotAfter = MCSTLSCertPair.Config.Certs[0].NotAfter.Format(time.RFC3339)
+		templateData.McsTLSCertNotBefore = MCSTLSCertPair.Config.Certs[0].NotBefore.Format(time.RFC3339)
+		logrus.Infof("Successfully populated MCS TLS cert information: %s %s %s", templateData.RootCAIssuerName, templateData.RootCANotAfter, templateData.RootCANotBefore)
+	} else {
+		logrus.Errorf("error populating MCS TLS cert details: %v", err)
 	}
 
 	files := []*asset.File{}
 	for _, a := range []asset.WritableAsset{
 		&bootkube.CVOOverrides{},
 		&bootkube.KubeCloudConfig{},
+		&bootkube.MachineConfigServerCASecret{},
+		&bootkube.MachineConfigServerCAConfigMap{},
 		&bootkube.KubeSystemConfigmapRootCA{},
 		&bootkube.MachineConfigServerTLSSecret{},
 		&bootkube.OpenshiftConfigSecretPullSecret{},

diff --git a/pkg/asset/manifests/template.go b/pkg/asset/manifests/template.go
@@ -82,8 +82,16 @@ type bootkubeTemplateData struct {
 	IsOKD                      bool
 	McsTLSCert                 string
 	McsTLSKey                  string
+	McsHostName                string
+	McsTLSCertNotAfter         string
+	McsTLSCertNotBefore        string
 	PullSecretBase64           string
 	RootCaCert                 string
+	RootCACertBase64           string
+	RootCASignerKeyBase64      string
+	RootCAIssuerName           string
+	RootCANotAfter             string
+	RootCANotBefore            string
 	WorkerIgnConfig            string
 }
 

diff --git a/pkg/asset/targets/targets.go b/pkg/asset/targets/targets.go
@@ -37,6 +37,8 @@ var (
 	// ManifestTemplates are the manifest-templates targeted assets.
 	ManifestTemplates = []asset.WritableAsset{
 		&bootkube.KubeCloudConfig{},
+		&bootkube.MachineConfigServerCASecret{},
+		&bootkube.MachineConfigServerCAConfigMap{},
 		&bootkube.MachineConfigServerTLSSecret{},
 		&bootkube.CVOOverrides{},
 		&bootkube.KubeSystemConfigmapRootCA{},

diff --git a/pkg/asset/templates/content/bootkube/machine-config-server-ca-configmap.go b/pkg/asset/templates/content/bootkube/machine-config-server-ca-configmap.go
@@ -0,0 +1,65 @@
+package bootkube
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+
+	"github.com/openshift/installer/pkg/asset"
+	"github.com/openshift/installer/pkg/asset/templates/content"
+)
+
+const (
+	machineConfigServerCAConfigMapFileName = "machine-config-server-ca-configmap.yaml.template"
+)
+
+var _ asset.WritableAsset = (*MachineConfigServerCAConfigMap)(nil)
+
+// MachineConfigServerCAConfigMap is the constant to represent contents of machine-config-server-ca-configmap.yaml.template file.
+type MachineConfigServerCAConfigMap struct {
+	FileList []*asset.File
+}
+
+// Dependencies returns all of the dependencies directly needed by the asset.
+func (t *MachineConfigServerCAConfigMap) Dependencies() []asset.Asset {
+	return []asset.Asset{}
+}
+
+// Name returns the human-friendly name of the asset.
+func (t *MachineConfigServerCAConfigMap) Name() string {
+	return "MachineConfigServerCAConfigMap"
+}
+
+// Generate generates the actual files by this asset.
+func (t *MachineConfigServerCAConfigMap) Generate(_ context.Context, parents asset.Parents) error {
+	fileName := machineConfigServerCAConfigMapFileName
+	data, err := content.GetBootkubeTemplate(fileName)
+	if err != nil {
+		return err
+	}
+	t.FileList = []*asset.File{
+		{
+			Filename: filepath.Join(content.TemplateDir, fileName),
+			Data:     data,
+		},
+	}
+	return nil
+}
+
+// Files returns the files generated by the asset.
+func (t *MachineConfigServerCAConfigMap) Files() []*asset.File {
+	return t.FileList
+}
+
+// Load returns the asset from disk.
+func (t *MachineConfigServerCAConfigMap) Load(f asset.FileFetcher) (bool, error) {
+	file, err := f.FetchByName(filepath.Join(content.TemplateDir, machineConfigServerCAConfigMapFileName))
+	if err != nil {
+		if os.IsNotExist(err) {
+			return false, nil
+		}
+		return false, err
+	}
+	t.FileList = []*asset.File{file}
+	return true, nil
+}
diff --git a/pkg/asset/templates/content/bootkube/machine-config-server-ca-secret.go b/pkg/asset/templates/content/bootkube/machine-config-server-ca-secret.go
@@ -0,0 +1,65 @@
+package bootkube
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+
+	"github.com/openshift/installer/pkg/asset"
+	"github.com/openshift/installer/pkg/asset/templates/content"
+)
+
+const (
+	machineConfigServerCASecretFileName = "machine-config-server-ca-secret.yaml.template" // #nosec G101
+)
+
+var _ asset.WritableAsset = (*MachineConfigServerCASecret)(nil)
+
+// MachineConfigServerCASecret is the constant to represent contents of machine-config-server-ca-secret.yaml.template file.
+type MachineConfigServerCASecret struct {
+	FileList []*asset.File
+}
+
+// Dependencies returns all of the dependencies directly needed by the asset.
+func (t *MachineConfigServerCASecret) Dependencies() []asset.Asset {
+	return []asset.Asset{}
+}
+
+// Name returns the human-friendly name of the asset.
+func (t *MachineConfigServerCASecret) Name() string {
+	return "MachineConfigServerCASecret"
+}
+
+// Generate generates the actual files by this asset.
+func (t *MachineConfigServerCASecret) Generate(_ context.Context, parents asset.Parents) error {
+	fileName := machineConfigServerCASecretFileName
+	data, err := content.GetBootkubeTemplate(fileName)
+	if err != nil {
+		return err
+	}
+	t.FileList = []*asset.File{
+		{
+			Filename: filepath.Join(content.TemplateDir, fileName),
+			Data:     data,
+		},
+	}
+	return nil
+}
+
+// Files returns the files generated by the asset.
+func (t *MachineConfigServerCASecret) Files() []*asset.File {
+	return t.FileList
+}
+
+// Load returns the asset from disk.
+func (t *MachineConfigServerCASecret) Load(f asset.FileFetcher) (bool, error) {
+	file, err := f.FetchByName(filepath.Join(content.TemplateDir, machineConfigServerCASecretFileName))
+	if err != nil {
+		if os.IsNotExist(err) {
+			return false, nil
+		}
+		return false, err
+	}
+	t.FileList = []*asset.File{file}
+	return true, nil
+}