
Commit d1fd8ca

authored
Optimize cert generation by delaying create/update requests (#683)
1 parent 42180cf commit d1fd8ca

1 file changed

Lines changed: 61 additions & 3 deletions


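--- a/utils/reconciler.go
+++ b/utils/reconciler.go
@@ -485,6 +485,51 @@ func (r *ReconcilerBase) GetRouteTLSValues(ba common.BaseComponent) (key string,
 return key, cert, ca, destCa, nil
 }
 
+func (r *ReconcilerBase) checkCertificateReady(cert *certmanagerv1.Certificate) error {
+err := r.GetClient().Get(context.TODO(), types.NamespacedName{Name: cert.Name, Namespace: cert.Namespace}, cert)
+if err != nil {
+return err
+}
+isReady := false
+for _, condition := range cert.Status.Conditions {
+if condition.Type == certmanagerv1.CertificateConditionReady {
+if condition.Status == certmanagermetav1.ConditionTrue {
+isReady = true
+}
+}
+}
+if !isReady {
+return fmt.Errorf("certificate %s is not ready", cert.Name)
+}
+return nil
+}
+
+func (r *ReconcilerBase) checkIssuerReady(issuer *certmanagerv1.Issuer) error {
+err := r.GetClient().Get(context.TODO(), types.NamespacedName{Name: issuer.Name, Namespace: issuer.Namespace}, issuer)
+if err != nil {
+return err
+}
+isReady := false
+for _, condition := range issuer.Status.Conditions {
+if condition.Type == certmanagerv1.IssuerConditionReady {
+if condition.Status == certmanagermetav1.ConditionTrue {
+isReady = true
+}
+}
+}
+if !isReady {
+return fmt.Errorf("issuer %s is not ready", issuer.Name)
+}
+return nil
+}
+
+func (r *ReconcilerBase) checkSecretExists(secretName, secretNamespace string) error {
+secret := &corev1.Secret{}
+secret.Name = secretName
+secret.Namespace = secretNamespace
+return r.GetClient().Get(context.TODO(), types.NamespacedName{Name: secretName, Namespace: secretNamespace}, secret)
+}
+
 func (r *ReconcilerBase) GenerateCMIssuer(namespace string, prefix string, CACommonName string, operatorName string) error {
 if ok, err := r.IsGroupVersionSupported(certmanagerv1.SchemeGroupVersion.String(), "Issuer"); err != nil {
 return err
@@ -504,16 +549,21 @@ func (r *ReconcilerBase) GenerateCMIssuer(namespace string, prefix string, CACom
 if err != nil {
 return err
 }
+if err := r.checkIssuerReady(issuer); err != nil {
+return err
+}
+
 caCert := &certmanagerv1.Certificate{ObjectMeta: metav1.ObjectMeta{
 Name: prefix + "-ca-cert",
 Namespace: namespace,
 }}
 
+caCertSecretName := prefix + "-ca-tls"
 err = r.CreateOrUpdate(caCert, nil, func() error {
 caCert.Labels = MergeMaps(caCert.Labels, map[string]string{"app.kubernetes.io/managed-by": operatorName})
 caCert.Spec.CommonName = CACommonName
 caCert.Spec.IsCA = true
-caCert.Spec.SecretName = prefix + "-ca-tls"
+caCert.Spec.SecretName = caCertSecretName
 caCert.Spec.IssuerRef = certmanagermetav1.ObjectReference{
 Name: prefix + "-self-signed",
 }
@@ -530,6 +580,7 @@ func (r *ReconcilerBase) GenerateCMIssuer(namespace string, prefix string, CACom
 if err != nil {
 return err
 }
+
 CustomCACert := &corev1.Secret{ObjectMeta: metav1.ObjectMeta{
 Name: prefix + "-custom-ca-tls",
 Namespace: namespace,
@@ -539,6 +590,14 @@ func (r *ReconcilerBase) GenerateCMIssuer(namespace string, prefix string, CACom
 Namespace: CustomCACert.GetNamespace()}, CustomCACert)
 if err == nil {
 customCACertFound = true
+} else {
+// check CA Certificate and it's Secret exist before CA Issuer init
+if err := r.checkCertificateReady(caCert); err != nil {
+return err
+}
+if err := r.checkSecretExists(caCertSecretName, namespace); err != nil {
+return err
+}
 }
 
 issuer = &certmanagerv1.Issuer{ObjectMeta: metav1.ObjectMeta{
@@ -548,7 +607,7 @@ func (r *ReconcilerBase) GenerateCMIssuer(namespace string, prefix string, CACom
 err = r.CreateOrUpdate(issuer, nil, func() error {
 issuer.Labels = MergeMaps(issuer.Labels, map[string]string{"app.kubernetes.io/managed-by": operatorName})
 issuer.Spec.CA = &certmanagerv1.CAIssuer{}
-issuer.Spec.CA.SecretName = prefix + "-ca-tls"
+issuer.Spec.CA.SecretName = caCertSecretName
 if issuer.Annotations == nil {
 issuer.Annotations = map[string]string{}
 }
@@ -574,7 +633,6 @@ func (r *ReconcilerBase) GenerateCMIssuer(namespace string, prefix string, CACom
 }
 
 func (r *ReconcilerBase) GenerateSvcCertSecret(ba common.BaseComponent, prefix string, CACommonName string, operatorName string) (bool, error) {
-
 delete(ba.GetStatus().GetReferences(), common.StatusReferenceCertSecretName)
 cleanup := func() {
 if ok, err := r.IsGroupVersionSupported(certmanagerv1.SchemeGroupVersion.String(), "Certificate"); err != nil {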
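Review bot: The Ready test in checkCertificateReady (hunk at @@ -485) accepts a `Ready=True` condition regardless of which generation it was observed for, so right after CreateOrUpdate changes the Certificate spec (CommonName or SecretName) a Ready status left over from the previous generation passes and the CA Issuer in the @@ -539 hunk is initialised before the re-issued certificate has actually landed in the Secret. If the vendored cert-manager API exposes `ObservedGeneration` on the condition, the guard should read `if condition.Type == certmanagerv1.CertificateConditionReady && condition.Status == certmanagermetav1.ConditionTrue && condition.ObservedGeneration == cert.Generation {`, with the same comparison against `issuer.Generation` in checkIssuerReady. checkIssuerReady and checkCertificateReady are otherwise identical apart from the condition type and error text, and checkSecretExists only proves the Secret object exists rather than that it carries the `tls.crt`/`tls.key` data the CA issuer will read, so each helper deserves a doc comment stating exactly what it guarantees, e.g. `// checkSecretExists returns the Get error for the named Secret; it does not inspect its contents.`. Both Ready helpers also overwrite the caller's object with the cluster state via Get, which appears harmless here since GenerateCMIssuer only uses caCertSecretName afterwards, but the names do not hint at that mutation.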
