MON-3701: clean-up injection of trusted CA bundles

simonpasquier · simonpasquier · commit b39666c2b976 · 2024-04-12T10:23:17.000+02:00
Signed-off-by: Simon Pasquier &lt;spasquie@redhat.com&gt;
diff --git a/assets/alertmanager/alertmanager.yaml b/assets/alertmanager/alertmanager.yaml
@@ -143,10 +143,19 @@ spec:
     runAsUser: 65534
   serviceAccountName: alertmanager-main
   version: 0.26.0
+  volumeMounts:
+  - mountPath: /etc/pki/ca-trust/extracted/pem/
+    name: alertmanager-trusted-ca-bundle
   volumes:
   - configMap:
       name: metrics-client-ca
     name: metrics-client-ca
+  - configMap:
+      items:
+      - key: ca-bundle.crt
+        path: tls-ca-bundle.pem
+      name: alertmanager-trusted-ca-bundle
+    name: alertmanager-trusted-ca-bundle
   web:
     httpConfig:
       headers:
diff --git a/jsonnet/components/alertmanager.libsonnet b/jsonnet/components/alertmanager.libsonnet
@@ -16,7 +16,6 @@ function(params)
     trustedCaBundle: generateCertInjection.trustedCNOCaBundleCM(cfg.namespace, 'alertmanager-trusted-ca-bundle'),
 
     // OpenShift route to access the Alertmanager UI.
-
     route: {
       apiVersion: 'v1',
       kind: 'Route',
@@ -411,6 +410,22 @@ function(params)
               name: 'metrics-client-ca',
             },
           },
+          {
+            name: $.trustedCaBundle.metadata.name,
+            configMap: {
+              name: $.trustedCaBundle.metadata.name,
+              items: [{
+                key: 'ca-bundle.crt',
+                path: 'tls-ca-bundle.pem',
+              }],
+            },
+          },
+        ],
+        volumeMounts+: [
+          {
+            name: $.trustedCaBundle.metadata.name,
+            mountPath: '/etc/pki/ca-trust/extracted/pem/',
+          },
         ],
       },
     },
diff --git a/jsonnet/utils/generate-certificate-injection.libsonnet b/jsonnet/utils/generate-certificate-injection.libsonnet
@@ -15,6 +15,7 @@
     },
     data: {},
   },
+
   // This CA bundle is injected by the service-ca-operator.
   SCOCaBundleCM(cfgNamespace, cfgName):: {
     apiVersion: 'v1',
@@ -28,6 +29,7 @@
     },
     data: {},
   },
+
   SCOCaBundleVolume(volName):: {
     name: volName,
     configmap: {
diff --git a/pkg/manifests/manifests.go b/pkg/manifests/manifests.go
@@ -586,7 +586,7 @@ func setupStartupProbe(a *monv1.Alertmanager) {
 	)
 }
 
-func (f *Factory) AlertmanagerMain(trustedCABundleCM *v1.ConfigMap) (*monv1.Alertmanager, error) {
+func (f *Factory) AlertmanagerMain() (*monv1.Alertmanager, error) {
 	a, err := f.NewAlertmanager(f.assets.MustNewAssetSlice(AlertmanagerMain))
 	if err != nil {
 		return nil, err
@@ -651,18 +651,6 @@ func (f *Factory) AlertmanagerMain(trustedCABundleCM *v1.ConfigMap) (*monv1.Aler
 			f.config.ClusterMonitoringConfiguration.AlertmanagerMainConfig.TopologySpreadConstraints
 	}
 
-	if trustedCABundleCM != nil {
-		volumeName := "alertmanager-trusted-ca-bundle"
-		a.Spec.VolumeMounts = append(a.Spec.VolumeMounts, trustedCABundleVolumeMount(volumeName))
-
-		volume := trustedCABundleVolume(trustedCABundleCM.Name, volumeName)
-		volume.VolumeSource.ConfigMap.Items = append(volume.VolumeSource.ConfigMap.Items, v1.KeyToPath{
-			Key:  TrustedCABundleKey,
-			Path: "tls-ca-bundle.pem",
-		})
-		a.Spec.Volumes = append(a.Spec.Volumes, volume)
-	}
-
 	for i, c := range a.Spec.Containers {
 		switch c.Name {
 		case "kube-rbac-proxy", "kube-rbac-proxy-metric", "kube-rbac-proxy-web":
diff --git a/pkg/manifests/manifests_test.go b/pkg/manifests/manifests_test.go
@@ -251,7 +251,7 @@ func TestUnconfiguredManifests(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	_, err = f.AlertmanagerMain(nil)
+	_, err = f.AlertmanagerMain()
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -3041,9 +3041,7 @@ func TestAlertmanagerMainStartupProbe(t *testing.T) {
 				t.Fatal(err)
 			}
 			f := NewFactory("openshift-monitoring", "openshift-user-workload-monitoring", c, tc.infrastructure, &fakeProxyReader{}, NewAssets(assetsPath), &APIServerConfig{}, &configv1.Console{})
-			a, err := f.AlertmanagerMain(
-				&v1.ConfigMap{ObjectMeta: metav1.ObjectMeta{Name: "foo"}},
-			)
+			a, err := f.AlertmanagerMain()
 			if err != nil {
 				t.Fatal(err)
 			}
@@ -3115,9 +3113,7 @@ ingress:
 	})
 
 	f := NewFactory("openshift-monitoring", "openshift-user-workload-monitoring", c, defaultInfrastructureReader(), &fakeProxyReader{}, NewAssets(assetsPath), &APIServerConfig{}, &configv1.Console{Status: configv1.ConsoleStatus{ConsoleURL: "https://console-openshift-console.apps.foo.devcluster.openshift.com"}})
-	a, err := f.AlertmanagerMain(
-		&v1.ConfigMap{ObjectMeta: metav1.ObjectMeta{Name: "foo"}},
-	)
+	a, err := f.AlertmanagerMain()
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -4360,9 +4356,7 @@ func TestNonHighlyAvailableInfrastructure(t *testing.T) {
 		{
 			name: "Alertmanager",
 			getSpec: func(f *Factory) (spec, error) {
-				a, err := f.AlertmanagerMain(
-					&v1.ConfigMap{ObjectMeta: metav1.ObjectMeta{Name: "foo"}},
-				)
+				a, err := f.AlertmanagerMain()
 				if err != nil {
 					return spec{}, err
 				}
diff --git a/pkg/tasks/alertmanager.go b/pkg/tasks/alertmanager.go
@@ -185,17 +185,12 @@ func (t *AlertmanagerTask) create(ctx context.Context) error {
 			return fmt.Errorf("initializing Alertmanager CA bundle ConfigMap failed: %w", err)
 		}
 
-		cbs := &caBundleSyncer{
-			client:  t.client,
-			factory: t.factory,
-			prefix:  "alertmanager",
-		}
-		trustedCA, err = cbs.syncTrustedCABundle(ctx, trustedCA)
+		err = t.client.CreateOrUpdateConfigMap(ctx, trustedCA)
 		if err != nil {
-			return fmt.Errorf("syncing Alertmanager trusted CA bundle ConfigMap failed: %w", err)
+			return fmt.Errorf("reconciling Alertmanager trusted CA bundle ConfigMap failed: %w", err)
 		}
 
-		a, err := t.factory.AlertmanagerMain(trustedCA)
+		a, err := t.factory.AlertmanagerMain()
 		if err != nil {
 			return fmt.Errorf("initializing Alertmanager object failed: %w", err)
 		}
@@ -239,6 +234,12 @@ func (t *AlertmanagerTask) create(ctx context.Context) error {
 		return fmt.Errorf("deleting Alertmanager proxy Secret failed: %w", err)
 	}
 
+	// TODO(simonpasquier): remove this step after OCP 4.16 is released.
+	err = t.client.DeleteHashedConfigMap(ctx, "openshift-monitoring", "alertmanager-trusted-ca-bundle", "")
+	if err != nil {
+		return fmt.Errorf("deleting all hashed Alertmanager trusted CA bundle ConfigMap failed: %w", err)
+	}
+
 	return nil
 }
 
@@ -356,7 +357,7 @@ func (t *AlertmanagerTask) destroy(ctx context.Context) error {
 			return fmt.Errorf("deleting Alertmanager trusted CA bundle failed: %w", err)
 		}
 
-		a, err := t.factory.AlertmanagerMain(trustedCA)
+		a, err := t.factory.AlertmanagerMain()
 		if err != nil {
 			return fmt.Errorf("initializing Alertmanager object failed: %w", err)
 		}
diff --git a/test/e2e/alertmanager_test.go b/test/e2e/alertmanager_test.go
@@ -39,46 +39,6 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 )
 
-func TestAlertmanagerTrustedCA(t *testing.T) {
-	var (
-		newCM   *v1.ConfigMap
-		lastErr error
-	)
-
-	cm := f.MustGetConfigMap(t, "alertmanager-trusted-ca-bundle", f.Ns)
-	newCM, err := f.ManifestsFactory.HashTrustedCA(cm, "alertmanager")
-	if err != nil {
-		t.Fatal(fmt.Errorf("no trusted CA bundle data available: %w", err))
-	}
-
-	// Wait for the new hashed trusted CA bundle ConfigMap to be created
-	f.AssertConfigmapExists(newCM.Name, f.Ns)(t)
-
-	// Get Alertmanager StatefulSet and make sure it has a volume mounted.
-	err = wait.Poll(time.Second, 5*time.Minute, func() (bool, error) {
-		ss := f.MustGetStatefulSet(t, "alertmanager-main", f.Ns)
-
-		if len(ss.Spec.Template.Spec.Containers[0].VolumeMounts) == 0 {
-			return false, errors.New("Could not find any VolumeMounts, expected at least 1")
-		}
-
-		for _, mount := range ss.Spec.Template.Spec.Containers[0].VolumeMounts {
-			if mount.Name == "alertmanager-trusted-ca-bundle" {
-				return true, nil
-			}
-		}
-
-		lastErr = fmt.Errorf("no volume %s mounted", newCM.Name)
-		return false, nil
-	})
-	if err != nil {
-		if err == wait.ErrWaitTimeout && lastErr != nil {
-			err = lastErr
-		}
-		t.Fatal(err)
-	}
-}
-
 // TestAlertmanagerTenancyAPI ensures that the Alertmanager API exposed on the
 // tenancy port enforces the namespace value.
 func TestAlertmanagerTenancyAPI(t *testing.T) {

Original file line number	Diff line number	Diff line change
`@@ -251,7 +251,7 @@ func TestUnconfiguredManifests(t *testing.T) {`
`251`	`251`	`t.Fatal(err)`
`252`	`252`	`}`
`253`	`253`
`254`		`- _, err = f.AlertmanagerMain(nil)`
	`254`	`+ _, err = f.AlertmanagerMain()`
`255`	`255`	`if err != nil {`
`256`	`256`	`t.Fatal(err)`
`257`	`257`	`}`
`@@ -3041,9 +3041,7 @@ func TestAlertmanagerMainStartupProbe(t *testing.T) {`
`3041`	`3041`	`t.Fatal(err)`
`3042`	`3042`	`}`
`3043`	`3043`	`f := NewFactory("openshift-monitoring", "openshift-user-workload-monitoring", c, tc.infrastructure, &fakeProxyReader{}, NewAssets(assetsPath), &APIServerConfig{}, &configv1.Console{})`
`3044`		`- a, err := f.AlertmanagerMain(`
`3045`		`- &v1.ConfigMap{ObjectMeta: metav1.ObjectMeta{Name: "foo"}},`
`3046`		`- )`
	`3044`	`+ a, err := f.AlertmanagerMain()`
`3047`	`3045`	`if err != nil {`
`3048`	`3046`	`t.Fatal(err)`
`3049`	`3047`	`}`
`@@ -3115,9 +3113,7 @@ ingress:`
`3115`	`3113`	`})`
`3116`	`3114`
`3117`	`3115`	`f := NewFactory("openshift-monitoring", "openshift-user-workload-monitoring", c, defaultInfrastructureReader(), &fakeProxyReader{}, NewAssets(assetsPath), &APIServerConfig{}, &configv1.Console{Status: configv1.ConsoleStatus{ConsoleURL: "https://console-openshift-console.apps.foo.devcluster.openshift.com"}})`
`3118`		`- a, err := f.AlertmanagerMain(`
`3119`		`- &v1.ConfigMap{ObjectMeta: metav1.ObjectMeta{Name: "foo"}},`
`3120`		`- )`
	`3116`	`+ a, err := f.AlertmanagerMain()`
`3121`	`3117`	`if err != nil {`
`3122`	`3118`	`t.Fatal(err)`
`3123`	`3119`	`}`
`@@ -4360,9 +4356,7 @@ func TestNonHighlyAvailableInfrastructure(t *testing.T) {`
`4360`	`4356`	`{`
`4361`	`4357`	`name: "Alertmanager",`
`4362`	`4358`	`getSpec: func(f *Factory) (spec, error) {`
`4363`		`- a, err := f.AlertmanagerMain(`
`4364`		`- &v1.ConfigMap{ObjectMeta: metav1.ObjectMeta{Name: "foo"}},`
`4365`		`- )`
	`4359`	`+ a, err := f.AlertmanagerMain()`
`4366`	`4360`	`if err != nil {`
`4367`	`4361`	`return spec{}, err`
`4368`	`4362`	`}`
Original file line number	Diff line number	Diff line change
`@@ -185,17 +185,12 @@ func (t *AlertmanagerTask) create(ctx context.Context) error {`
`185`	`185`	`return fmt.Errorf("initializing Alertmanager CA bundle ConfigMap failed: %w", err)`
`186`	`186`	`}`
`187`	`187`
`188`		`- cbs := &caBundleSyncer{`
`189`		`- client: t.client,`
`190`		`- factory: t.factory,`
`191`		`- prefix: "alertmanager",`
`192`		`- }`
`193`		`- trustedCA, err = cbs.syncTrustedCABundle(ctx, trustedCA)`
	`188`	`+ err = t.client.CreateOrUpdateConfigMap(ctx, trustedCA)`
`194`	`189`	`if err != nil {`
`195`		`- return fmt.Errorf("syncing Alertmanager trusted CA bundle ConfigMap failed: %w", err)`
	`190`	`+ return fmt.Errorf("reconciling Alertmanager trusted CA bundle ConfigMap failed: %w", err)`
`196`	`191`	`}`
`197`	`192`
`198`		`- a, err := t.factory.AlertmanagerMain(trustedCA)`
	`193`	`+ a, err := t.factory.AlertmanagerMain()`
`199`	`194`	`if err != nil {`
`200`	`195`	`return fmt.Errorf("initializing Alertmanager object failed: %w", err)`
`201`	`196`	`}`
`@@ -239,6 +234,12 @@ func (t *AlertmanagerTask) create(ctx context.Context) error {`
`239`	`234`	`return fmt.Errorf("deleting Alertmanager proxy Secret failed: %w", err)`
`240`	`235`	`}`
`241`	`236`
	`237`	`+ // TODO(simonpasquier): remove this step after OCP 4.16 is released.`
	`238`	`+ err = t.client.DeleteHashedConfigMap(ctx, "openshift-monitoring", "alertmanager-trusted-ca-bundle", "")`
	`239`	`+ if err != nil {`
	`240`	`+ return fmt.Errorf("deleting all hashed Alertmanager trusted CA bundle ConfigMap failed: %w", err)`
	`241`	`+ }`
	`242`	`+`
`242`	`243`	`return nil`
`243`	`244`	`}`
`244`	`245`
`@@ -356,7 +357,7 @@ func (t *AlertmanagerTask) destroy(ctx context.Context) error {`
`356`	`357`	`return fmt.Errorf("deleting Alertmanager trusted CA bundle failed: %w", err)`
`357`	`358`	`}`
`358`	`359`
`359`		`- a, err := t.factory.AlertmanagerMain(trustedCA)`
	`360`	`+ a, err := t.factory.AlertmanagerMain()`
`360`	`361`	`if err != nil {`
`361`	`362`	`return fmt.Errorf("initializing Alertmanager object failed: %w", err)`
`362`	`363`	`}`