From a5f82819d828b7f3ebcc37ba4e602ed2485ec73f Mon Sep 17 00:00:00 2001
From: Alina Militaru <41362174+asincu@users.noreply.github.com>
Date: Thu, 2 May 2024 14:59:22 -0700
Subject: [PATCH] Clean up es proxy for ELASTIC environment variables (#3333)

---
 pkg/controller/manager/manager_controller.go | 18 +-----------------
 .../manager/manager_controller_test.go | 13 -------------
 pkg/render/manager.go | 13 -------------
 pkg/render/manager_test.go | 8 --------
 4 files changed, 1 insertion(+), 51 deletions(-)

diff --git a/pkg/controller/manager/manager_controller.go b/pkg/controller/manager/manager_controller.go
index 723cd9d728..c97ce0247e 100644
--- a/pkg/controller/manager/manager_controller.go
+++ b/pkg/controller/manager/manager_controller.go
@@ -160,7 +160,7 @@ func Add(mgr manager.Manager, opts options.AddOptions) error {
 for _, secretName := range []string{
 // We need to watch for es-gateway certificate because es-proxy still creates a
 // client to talk to elastic via es-gateway
- render.ManagerTLSSecretName, render.ElasticsearchManagerUserSecret, relasticsearch.PublicCertSecret,
+ render.ManagerTLSSecretName, relasticsearch.PublicCertSecret,
 render.VoltronTunnelSecretName, render.ComplianceServerCertSecret, render.PacketCaptureServerCert,
 render.ManagerInternalTLSSecretName, monitor.PrometheusServerTLSSecretName, certificatemanagement.CASecretName,
 } {
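Review bot: The comment kept above this secret list still says es-proxy creates a client to talk to elastic via es-gateway, yet the same commit removes every ELASTIC_* connection variable (CA, scheme, host, port, user, password) from `managerEsProxyContainer` in pkg/render/manager.go, so the stated reason for watching `relasticsearch.PublicCertSecret` may no longer hold. If that client is gone, drop the entry together with the comment; if the certificate is still needed, reword it, for example `// es-gateway public cert is still watched for <consumer>; es-proxy no longer receives Elasticsearch credentials`. The controller also stops setting `ESSecrets` in the `render.ManagerConfiguration` literal (hunk at -671), but the diffstat shows pkg/render/manager.go losing only the import and the env block, so the field and whatever consumes it appear to remain as dead code. Nothing visible here deletes a copy of `render.ElasticsearchManagerUserSecret` that an earlier version may have placed in the manager namespace; confirm it is cleaned up on upgrade so an unused credential does not linger. The body of `Add` continues outside the hunk.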
@@ -505,21 +505,6 @@ func (r *ReconcileManager) Reconcile(ctx context.Context, request reconcile.Requ
 }
 }
- var esSecrets []*corev1.Secret
- if !r.multiTenant {
- // Get secrets used by the manager to authenticate with Elasticsearch. This is used for Kibana login, and isn't
- // needed for multi-tenant installations since currently Kibana is not supported in that mode.
- esSecrets, err = utils.ElasticsearchSecrets(ctx, []string{render.ElasticsearchManagerUserSecret}, r.client)
- if err != nil {
- if errors.IsNotFound(err) {
- r.status.SetDegraded(operatorv1.ResourceNotFound, "Elasticsearch secrets are not available yet, waiting until they become available", err, logc)
- return reconcile.Result{}, nil
- }
- r.status.SetDegraded(operatorv1.ResourceReadError, "Failed to get Elasticsearch credentials", err, logc)
- return reconcile.Result{}, err
- }
- }
-
 managementCluster, err := utils.GetManagementCluster(ctx, r.client)
 if err != nil {
 r.status.SetDegraded(operatorv1.ResourceReadError, "Error reading ManagementCluster", err, logc)
@@ -671,7 +656,6 @@ func (r *ReconcileManager) Reconcile(ctx context.Context, request reconcile.Requ
 managerCfg := &render.ManagerConfiguration{
 VoltronRouteConfig: routeConfig,
 KeyValidatorConfig: keyValidatorConfig,
- ESSecrets: esSecrets,
 TrustedCertBundle: trustedBundle,
 ClusterConfig: clusterConfig,
 TLSKeyPair: tlsSecret,
diff --git a/pkg/controller/manager/manager_controller_test.go b/pkg/controller/manager/manager_controller_test.go
index f3b8b12fa0..fae6734a7c 100644
--- a/pkg/controller/manager/manager_controller_test.go
+++ b/pkg/controller/manager/manager_controller_test.go
@@ -232,12 +232,6 @@ var _ = Describe("Manager controller tests", func() {
 Expect(err).NotTo(HaveOccurred())
 Expect(c.Create(ctx, internalKp.Secret(common.OperatorNamespace()))).NotTo(HaveOccurred())
- Expect(c.Create(ctx, &corev1.Secret{
- ObjectMeta: metav1.ObjectMeta{
- Name: render.ElasticsearchManagerUserSecret,
- Namespace: "tigera-operator",
- },
- })).NotTo(HaveOccurred())
 Expect(c.Create(ctx, &corev1.ConfigMap{
 ObjectMeta: metav1.ObjectMeta{
 Name: eck.LicenseConfigMapName,
@@ -538,13 +532,6 @@ var _ = Describe("Manager controller tests", func() {
 Expect(c.Create(ctx, relasticsearch.NewClusterConfig("cluster", 1, 1, 1).ConfigMap())).NotTo(HaveOccurred())
- Expect(c.Create(ctx, &corev1.Secret{
- ObjectMeta: metav1.ObjectMeta{
- Name: render.ElasticsearchManagerUserSecret,
- Namespace: "tigera-operator",
- },
- })).NotTo(HaveOccurred())
-
 Expect(c.Create(ctx, &corev1.ConfigMap{
 ObjectMeta: metav1.ObjectMeta{
 Name: eck.LicenseConfigMapName,
diff --git a/pkg/render/manager.go b/pkg/render/manager.go
index 30a3a96721..6ac4489114 100644
--- a/pkg/render/manager.go
+++ b/pkg/render/manager.go
@@ -50,7 +50,6 @@ import (
 "github.com/tigera/operator/pkg/render/manager"
 "github.com/tigera/operator/pkg/tls/certificatemanagement"
 "github.com/tigera/operator/pkg/tls/certkeyusage"
- "github.com/tigera/operator/pkg/url"
 )
 const (
@@ -622,18 +621,6 @@ func (c *managerComponent) managerEsProxyContainer() corev1.Container {
 {Name: "VOLTRON_URL", Value: fmt.Sprintf("https://tigera-manager.%s.svc:9443", c.cfg.Namespace)},
 }
- if KibanaEnabled(c.cfg.Tenant, c.cfg.Installation) {
- esScheme, esHost, esPort, _ := url.ParseEndpoint(relasticsearch.GatewayEndpoint(c.SupportedOSType(), c.cfg.ClusterDomain, ElasticsearchNamespace))
- env = append(env,
- relasticsearch.ElasticCAEnvVar(c.SupportedOSType()),
- relasticsearch.ElasticSchemeEnvVar(esScheme),
- relasticsearch.ElasticHostEnvVar(esHost),
- relasticsearch.ElasticPortEnvVar(esPort),
- relasticsearch.ElasticUserEnvVar(ElasticsearchManagerUserSecret),
- relasticsearch.ElasticPasswordEnvVar(ElasticsearchManagerUserSecret),
- relasticsearch.ElasticIndexSuffixEnvVar(c.cfg.ClusterConfig.ClusterName()))
- }
-
 // Determine the Linseed location. Use code default unless in multi-tenant mode,
 // in which case use the Linseed in the current namespace.
 if c.cfg.Tenant != nil {
diff --git a/pkg/render/manager_test.go b/pkg/render/manager_test.go
index 511faf6d62..eb7a78ba7c 100644
--- a/pkg/render/manager_test.go
+++ b/pkg/render/manager_test.go
@@ -36,7 +36,6 @@ import (
 relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch"
 rmeta "github.com/tigera/operator/pkg/render/common/meta"
 "github.com/tigera/operator/pkg/render/common/podaffinity"
- "github.com/tigera/operator/pkg/render/common/secret"
 rtest "github.com/tigera/operator/pkg/render/common/test"
 "github.com/tigera/operator/pkg/render/testutils"
 "github.com/tigera/operator/pkg/tls"
@@ -138,13 +137,6 @@ var _ = Describe("Tigera Secure Manager rendering tests", func() {
 {Name: "LINSEED_CLIENT_KEY", Value: "/internal-manager-tls/tls.key"},
 {Name: "ELASTIC_KIBANA_DISABLED", Value: "false"},
 {Name: "VOLTRON_URL", Value: "https://tigera-manager.tigera-manager.svc:9443"},
- {Name: "ELASTIC_CA", Value: "/etc/pki/tls/certs/tigera-ca-bundle.crt"},
- {Name: "ELASTIC_SCHEME", Value: "https"},
- {Name: "ELASTIC_HOST", Value: "tigera-secure-es-gateway-http.tigera-elasticsearch.svc"},
- {Name: "ELASTIC_PORT", Value: "9200"},
- {Name: "ELASTIC_USER", ValueFrom: secret.GetEnvVarSource(render.ElasticsearchManagerUserSecret, "username", false)},
- {Name: "ELASTIC_PASSWORD", ValueFrom: secret.GetEnvVarSource(render.ElasticsearchManagerUserSecret, "password", false)},
- {Name: "ELASTIC_INDEX_SUFFIX", Value: "clusterTestName"},
 }
 Expect(esProxy.Env).To(Equal(esProxyExpectedEnvVars))