Skip to content

Commit c2240a2

Browse files
ddelnanocosmic-copybara
authored andcommitted
Create vizier and cloud cert-manager compatible secrets (#2391)
Summary: Create vizier and cloud cert-manager compatible secrets Pixie's certificate management predates cert-manager becoming the definitive method for managing k8s certs. As a result, Pixie's certificates are created in an incompatible way to how cert-manager creates its TLS secrets -- Pixie's are of type generic and bundle client and server certs while cert-manager uses the [tls secret type](https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets) and only can store a single CA, key and cert file. This PR updates Pixie's certificate management to create the existing generic secret alongside two tls type secrets. Future PRs will move the consumers of these secrets to use the newer cert-manager compatible equivalents Relevant Issues: N/A Type of change: /kind cleanup Test Plan: Used this as part of a larger change to deploy a cloud with cert-manager service tls certs Changelog Message: Update Pixie's vizier and cloud certificate management to create cert-manager compatible kubernetes secrets --------- Signed-off-by: Dom Del Nano <ddelnano@gmail.com> GitOrigin-RevId: 7622689973b118d71a5563e891c44cbc25101aeb
1 parent 2368c30 commit c2240a2

4 files changed

Lines changed: 113 additions & 7 deletions

File tree

scripts/create_cloud_secrets.sh

Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -91,6 +91,20 @@ kubectl create secret generic -n "${namespace}" \
9191
--from-file=server.crt=./server.crt \
9292
--from-file=server.key=./server.key
9393

94+
kubectl create secret generic -n "${namespace}" \
95+
service-tls-server-certs \
96+
--type=kubernetes.io/tls \
97+
--from-file=tls.crt=./server.crt \
98+
--from-file=tls.key=./server.key \
99+
--from-file=ca.crt=./ca.crt
100+
101+
kubectl create secret generic -n "${namespace}" \
102+
service-tls-client-certs \
103+
--type=kubernetes.io/tls \
104+
--from-file=tls.crt=./client.crt \
105+
--from-file=tls.key=./client.key \
106+
--from-file=ca.crt=./ca.crt
107+
94108
popd || exit 1
95109

96110
PROXY_TLS_CERTS="$(mktemp -d)"

src/operator/controllers/monitor.go

Lines changed: 22 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -250,12 +250,30 @@ func (m *VizierMonitor) watchCerts() {
250250
}()
251251
}
252252

253+
// getServerTLSCerts returns the server certificate and CA certificate PEM bytes for
254+
// Vizier's TLS material. It prefers the kubernetes.io/tls typed service-tls-server-certs
255+
// secret (which is also the shape produced by cert-manager), falling back to the legacy
256+
// service-tls-certs secret so existing clusters that have not regenerated certs keep working.
257+
func (m *VizierMonitor) getServerTLSCerts() ([]byte, []byte, error) {
258+
tlsSecret, err := m.clientset.CoreV1().Secrets(m.namespace).Get(context.Background(), "service-tls-server-certs", metav1.GetOptions{})
259+
if err == nil {
260+
return tlsSecret.Data["tls.crt"], tlsSecret.Data["ca.crt"], nil
261+
}
262+
263+
legacySecret, legacyErr := m.clientset.CoreV1().Secrets(m.namespace).Get(context.Background(), "service-tls-certs", metav1.GetOptions{})
264+
if legacyErr != nil {
265+
// Return the original error referencing the preferred secret.
266+
return nil, nil, err
267+
}
268+
return legacySecret.Data["server.crt"], legacySecret.Data["ca.crt"], nil
269+
}
270+
253271
func (m *VizierMonitor) checkCerts() error {
254-
tlsSecret, err := m.clientset.CoreV1().Secrets(m.namespace).Get(context.Background(), "service-tls-certs", metav1.GetOptions{})
272+
serverCert, _, err := m.getServerTLSCerts()
255273
if err != nil {
256274
return err
257275
}
258-
cert, _ := pem.Decode(tlsSecret.Data["server.crt"])
276+
cert, _ := pem.Decode(serverCert)
259277
x509cert, err := x509.ParseCertificate(cert.Bytes)
260278
if err != nil {
261279
log.WithError(err).Error("failed to parse cert")
@@ -273,14 +291,14 @@ func (m *VizierMonitor) getTLSConfig() *tls.Config {
273291
// This is used as a fallback incase we somehow fail to get the CA for the vizier.
274292
fallbackInsecureConfig := &tls.Config{InsecureSkipVerify: true} // lgtm [go/disabled-certificate-check]
275293

276-
tlsSecret, err := m.clientset.CoreV1().Secrets(m.namespace).Get(context.Background(), "service-tls-certs", metav1.GetOptions{})
294+
_, caCert, err := m.getServerTLSCerts()
277295
if err != nil {
278296
log.WithError(err).Warn("failed to get certs secret, monitor will use insecure tls to check /statusz")
279297
return fallbackInsecureConfig
280298
}
281299

282300
certPool := x509.NewCertPool()
283-
if ok := certPool.AppendCertsFromPEM(tlsSecret.Data["ca.crt"]); !ok {
301+
if ok := certPool.AppendCertsFromPEM(caCert); !ok {
284302
log.WithError(err).Warn("failed add CA to pool, monitor will use insecure tls to check /statusz")
285303
return fallbackInsecureConfig
286304
}

src/utils/shared/certs/BUILD.bazel

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -21,5 +21,8 @@ go_library(
2121
srcs = ["certs.go"],
2222
importpath = "px.dev/pixie/src/utils/shared/certs",
2323
visibility = ["//src:__subpackages__"],
24-
deps = ["//src/utils/shared/k8s"],
24+
deps = [
25+
"//src/utils/shared/k8s",
26+
"@io_k8s_api//core/v1:core",
27+
],
2528
)

src/utils/shared/certs/certs.go

Lines changed: 73 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -29,6 +29,8 @@ import (
2929
"strings"
3030
"time"
3131

32+
v1 "k8s.io/api/core/v1"
33+
3234
"px.dev/pixie/src/utils/shared/k8s"
3335
)
3436

@@ -172,12 +174,46 @@ func GenerateCloudCertYAMLs(namespace string) (string, error) {
172174
if err != nil {
173175
return "", err
174176
}
175-
yaml, err := k8s.ConvertResourceToYAML(tlsCert)
177+
178+
var yamls []string
179+
180+
tcYaml, err := k8s.ConvertResourceToYAML(tlsCert)
181+
if err != nil {
182+
return "", err
183+
}
184+
yamls = append(yamls, tcYaml)
185+
186+
serverTLSCert, err := k8s.CreateGenericSecretFromLiterals(namespace, "service-tls-server-certs", map[string]string{
187+
"tls.crt": string(serverCert),
188+
"tls.key": string(serverKey),
189+
"ca.crt": string(caCert),
190+
})
191+
if err != nil {
192+
return "", err
193+
}
194+
serverTLSCert.Type = v1.SecretTypeTLS
195+
stYaml, err := k8s.ConvertResourceToYAML(serverTLSCert)
176196
if err != nil {
177197
return "", err
178198
}
199+
yamls = append(yamls, stYaml)
179200

180-
return fmt.Sprintf("---\n%s\n", yaml), nil
201+
clientTLSCert, err := k8s.CreateGenericSecretFromLiterals(namespace, "service-tls-client-certs", map[string]string{
202+
"tls.crt": string(clientCert),
203+
"tls.key": string(clientKey),
204+
"ca.crt": string(caCert),
205+
})
206+
if err != nil {
207+
return "", err
208+
}
209+
clientTLSCert.Type = v1.SecretTypeTLS
210+
ctYaml, err := k8s.ConvertResourceToYAML(clientTLSCert)
211+
if err != nil {
212+
return "", err
213+
}
214+
yamls = append(yamls, ctYaml)
215+
216+
return "---\n" + strings.Join(yamls, "\n---\n"), nil
181217
}
182218

183219
// GenerateVizierCertYAMLs generates the yamls for vizier certs.
@@ -231,6 +267,41 @@ func GenerateVizierCertYAMLs(namespace string) (string, error) {
231267
}
232268
yamls = append(yamls, tcYaml)
233269

270+
// service-tls-server-certs and service-tls-client-certs mirror the data in
271+
// service-tls-certs, but are kubernetes.io/tls typed secrets. This matches the
272+
// shape produced by cert-manager Certificate resources, allowing workloads to
273+
// consume TLS material via a projected volume regardless of whether the certs
274+
// are generated by Pixie or provisioned externally by cert-manager.
275+
serverTLSCert, err := k8s.CreateGenericSecretFromLiterals(namespace, "service-tls-server-certs", map[string]string{
276+
"tls.crt": string(serverCert),
277+
"tls.key": string(serverKey),
278+
"ca.crt": string(caCert),
279+
})
280+
if err != nil {
281+
return "", err
282+
}
283+
serverTLSCert.Type = v1.SecretTypeTLS
284+
stYaml, err := k8s.ConvertResourceToYAML(serverTLSCert)
285+
if err != nil {
286+
return "", err
287+
}
288+
yamls = append(yamls, stYaml)
289+
290+
clientTLSCert, err := k8s.CreateGenericSecretFromLiterals(namespace, "service-tls-client-certs", map[string]string{
291+
"tls.crt": string(clientCert),
292+
"tls.key": string(clientKey),
293+
"ca.crt": string(caCert),
294+
})
295+
if err != nil {
296+
return "", err
297+
}
298+
clientTLSCert.Type = v1.SecretTypeTLS
299+
ctYaml, err := k8s.ConvertResourceToYAML(clientTLSCert)
300+
if err != nil {
301+
return "", err
302+
}
303+
yamls = append(yamls, ctYaml)
304+
234305
etcdPeerCert, err := k8s.CreateGenericSecretFromLiterals(namespace, "etcd-peer-tls-certs", map[string]string{
235306
"peer.key": string(serverKey),
236307
"peer.crt": string(serverCert),

0 commit comments

Comments
 (0)