From 5750392c8e079592efffac62d9ea3fcfdd850cfa Mon Sep 17 00:00:00 2001 From: Maxim Patlasov Date: Mon, 16 Mar 2026 00:09:19 -0700 Subject: [PATCH] feat(cpo): Generate Azure Disk and File CSI Driver Operator metrics serving certs by HCP controller service-ca operator might not be running in some HCP environments. Hence, we need CPO help to generate certs for us. (see https://redhat.atlassian.net/browse/STOR-2770 for a bigger picture) --- .../hostedcontrolplane_controller.go | 28 +++++++++++++++++++ .../azure_disk_csi_driver_operator.go | 19 +++++++++++++ .../azure_file_csi_driver_operator.go | 19 +++++++++++++ .../hostedcontrolplane/manifests/pki.go | 8 ++++++ .../pki/azure_disk_csi_driver_operator.go | 19 +++++++++++++ .../pki/azure_file_csi_driver_operator.go | 19 +++++++++++++ 6 files changed, 112 insertions(+) create mode 100644 control-plane-operator/controllers/hostedcontrolplane/manifests/azure_disk_csi_driver_operator.go create mode 100644 control-plane-operator/controllers/hostedcontrolplane/manifests/azure_file_csi_driver_operator.go create mode 100644 control-plane-operator/controllers/hostedcontrolplane/pki/azure_disk_csi_driver_operator.go create mode 100644 control-plane-operator/controllers/hostedcontrolplane/pki/azure_file_csi_driver_operator.go diff --git a/control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go b/control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go index e03ac2114b3..7e2c6461e76 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go +++ b/control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go 
@@ -1731,6 +1731,20 @@ func (r *HostedControlPlaneReconciler) reconcilePKI(ctx context.Context, hcp *hy return fmt.Errorf("failed to reconcile %s secret: %w", azureWorkloadIdentityWebhookServingCert.Name, err) } + // Azure-disk CSI driver Operator metrics Serving Cert + AzureDiskCsiDriverOperatorServingCert := manifests.AzureDiskCSIDriverOperatorServingCertSecret(hcp.Namespace) + AzureDiskCsiDriverOperatorService := manifests.AzureDiskCSIDriverOperatorMetricsService(hcp.Namespace) + err := removeServiceCAAnnotationAndSecret(ctx, r.Client, AzureDiskCsiDriverOperatorService, AzureDiskCsiDriverOperatorServingCert) + if err != nil { + r.Log.Error(err, "failed to remove service ca annotation and secret: %w") + } + if _, err = createOrUpdate(ctx, r, AzureDiskCsiDriverOperatorServingCert, func() error { + z := pki.ReconcileAzureDiskCsiDriverOperatorMetricsServingCertSecret(AzureDiskCsiDriverOperatorServingCert, rootCASecret, p.OwnerRef) + return z + }); err != nil { + return fmt.Errorf("failed to reconcile azure-disk csi driver operator serving cert: %w", err) + } + azureDiskCsiDriverControllerMetricsService := manifests.AzureDiskCsiDriverControllerMetricsService(hcp.Namespace) if err = r.Get(ctx, client.ObjectKeyFromObject(azureDiskCsiDriverControllerMetricsService), azureDiskCsiDriverControllerMetricsService); err != nil { if !apierrors.IsNotFound(err) { 
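Review bot: The added call `r.Log.Error(err, "failed to remove service ca annotation and secret: %w")` passes a format verb to what looks like a logr-style logger, which does not expand it, so the literal `%w` lands in the log and the entry does not say which Service was involved. The error is also only logged, so reconciliation goes on to `createOrUpdate` the serving-cert Secret even when the annotation or the old Secret could not be removed. If that is deliberate best-effort, a one-line comment should say so, because a still-annotated Service could presumably leave two controllers writing the same Secret where service-ca does run. I would write `r.Log.Error(err, "failed to remove service ca annotation and secret", "service", AzureDiskCsiDriverOperatorService.Name)`. The azure-file hunk at -1753 repeats the same call, and `reconcilePKI` starts and ends outside this hunk.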
@@ -1753,6 +1767,20 @@ func (r *HostedControlPlaneReconciler) reconcilePKI(ctx context.Context, hcp *hy } } + // Azure-file CSI driver Operator metrics Serving Cert + AzureFileCsiDriverOperatorServingCert := manifests.AzureFileCSIDriverOperatorServingCertSecret(hcp.Namespace) + AzureFileCsiDriverOperatorService := manifests.AzureFileCSIDriverOperatorMetricsService(hcp.Namespace) + err = removeServiceCAAnnotationAndSecret(ctx, r.Client, AzureFileCsiDriverOperatorService, AzureFileCsiDriverOperatorServingCert) + if err != nil { + r.Log.Error(err, "failed to remove service ca annotation and secret: %w") + } + if _, err = createOrUpdate(ctx, r, AzureFileCsiDriverOperatorServingCert, func() error { + z := pki.ReconcileAzureFileCsiDriverOperatorMetricsServingCertSecret(AzureFileCsiDriverOperatorServingCert, rootCASecret, p.OwnerRef) + return z + }); err != nil { + return fmt.Errorf("failed to reconcile azure-file csi driver operator serving cert: %w", err) + } + azureFileCsiDriverControllerMetricsService := manifests.AzureFileCsiDriverControllerMetricsService(hcp.Namespace) if err = r.Get(ctx, client.ObjectKeyFromObject(azureFileCsiDriverControllerMetricsService), azureFileCsiDriverControllerMetricsService); err != nil { if !apierrors.IsNotFound(err) { diff --git a/control-plane-operator/controllers/hostedcontrolplane/manifests/azure_disk_csi_driver_operator.go b/control-plane-operator/controllers/hostedcontrolplane/manifests/azure_disk_csi_driver_operator.go new file mode 100644 index 00000000000..8aad290e555 --- /dev/null +++ b/control-plane-operator/controllers/hostedcontrolplane/manifests/azure_disk_csi_driver_operator.go 
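Review bot: The new locals `AzureFileCsiDriverOperatorServingCert` and `AzureFileCsiDriverOperatorService` start with an upper-case letter, unlike the neighbouring `azureFileCsiDriverControllerMetricsService`. Go locals are conventionally lower camel case, and the capitalised form reads like a package-level export. The closure's temporary is also unnecessary: `z := pki.Reconcile…; return z` can be `return pki.ReconcileAzureFileCsiDriverOperatorMetricsServingCertSecret(azureFileCsiDriverOperatorServingCert, rootCASecret, p.OwnerRef)`. The azure-disk hunk has the same two patterns, and `reconcilePKI` continues outside this hunk.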
@@ -0,0 +1,19 @@
+package manifests
+
+import (
+ corev1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// Metrics
+func AzureDiskCSIDriverOperatorMetricsService(namespace string) *corev1.Service {
+ return &corev1.Service{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "azure-disk-csi-driver-operator",
+ Namespace: namespace,
+ },
+ Spec: corev1.ServiceSpec{
+ ClusterIP: "None",
+ },
+ }
+}
diff --git a/control-plane-operator/controllers/hostedcontrolplane/manifests/azure_file_csi_driver_operator.go b/control-plane-operator/controllers/hostedcontrolplane/manifests/azure_file_csi_driver_operator.go
new file mode 100644
index 00000000000..2586e0464cd
--- /dev/null
+++ b/control-plane-operator/controllers/hostedcontrolplane/manifests/azure_file_csi_driver_operator.go
@@ -0,0 +1,19 @@
+package manifests
+
+import (
+ corev1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// Metrics
+func AzureFileCSIDriverOperatorMetricsService(namespace string) *corev1.Service {
+ return &corev1.Service{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "azure-file-csi-driver-operator",
+ Namespace: namespace,
+ },
+ Spec: corev1.ServiceSpec{
+ ClusterIP: "None",
+ },
+ }
+}
diff --git a/control-plane-operator/controllers/hostedcontrolplane/manifests/pki.go b/control-plane-operator/controllers/hostedcontrolplane/manifests/pki.go
index e026189fe26..1c5c97daaad 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/manifests/pki.go
+++ b/control-plane-operator/controllers/hostedcontrolplane/manifests/pki.go
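Review bot: `// Metrics` above `AzureDiskCSIDriverOperatorMetricsService` is not a doc comment for the exported function and does not say what the returned object is for. In the controller hunks the value is only handed to `removeServiceCAAnnotationAndSecret`, so the comment should state whether this is a lookup stub or a Service the control-plane operator is expected to create. Something like `// AzureDiskCSIDriverOperatorMetricsService returns the metrics Service of the Azure Disk CSI driver operator in the given namespace.` followed by one sentence on who owns the object would do. The same applies to `AzureFileCSIDriverOperatorMetricsService` in the next file.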
@@ -324,6 +324,14 @@ func ClusterNodeTuningOperatorServingCertSecret(ns string) *corev1.Secret { return secretFor(ns, "node-tuning-operator-tls") } +func AzureDiskCSIDriverOperatorServingCertSecret(ns string) *corev1.Secret { + return secretFor(ns, "azure-disk-csi-driver-operator-serving-cert") +} + +func AzureFileCSIDriverOperatorServingCertSecret(ns string) *corev1.Secret { + return secretFor(ns, "azure-file-csi-driver-operator-serving-cert") +} + func OLMPackageServerCertSecret(ns string) *corev1.Secret { return secretFor(ns, "packageserver-cert") } func OLMOperatorServingCertSecret(ns string) *corev1.Secret { diff --git a/control-plane-operator/controllers/hostedcontrolplane/pki/azure_disk_csi_driver_operator.go b/control-plane-operator/controllers/hostedcontrolplane/pki/azure_disk_csi_driver_operator.go new file mode 100644 index 00000000000..f5a40ba86b4 --- /dev/null +++ b/control-plane-operator/controllers/hostedcontrolplane/pki/azure_disk_csi_driver_operator.go @@ -0,0 +1,19 @@ +package pki + +import ( + "fmt" + + "github.com/openshift/hypershift/support/config" + + corev1 "k8s.io/api/core/v1" +) + +func ReconcileAzureDiskCsiDriverOperatorMetricsServingCertSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error { + dnsNames := []string{ + fmt.Sprintf("azure-disk-csi-driver-operator.%s.svc", secret.Namespace), + fmt.Sprintf("azure-disk-csi-driver-operator.%s.svc.cluster.local", secret.Namespace), + "azure-disk-csi-driver-operator", + "localhost", + } + return reconcileSignedCertWithAddresses(secret, ca, ownerRef, "azure-disk-csi-driver-operator", []string{"openshift"}, X509UsageClientServerAuth, dnsNames, nil) +} diff --git a/control-plane-operator/controllers/hostedcontrolplane/pki/azure_file_csi_driver_operator.go b/control-plane-operator/controllers/hostedcontrolplane/pki/azure_file_csi_driver_operator.go new file mode 100644 index 00000000000..e5ed9144ffa --- /dev/null 
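Review bot: `ReconcileAzureDiskCsiDriverOperatorMetricsServingCertSecret` requests `X509UsageClientServerAuth` for what the commit describes as a metrics serving certificate. The certificate (organization `openshift`, signed with the `rootCASecret` passed in from the controller hunk) therefore presumably carries the client-auth extended key usage as well. A metrics endpoint only needs server auth (`x509.ExtKeyUsageServerAuth`), and a key pair that is also valid for client authentication could be accepted wherever that CA is trusted for client certificates, which is more than this Secret needs. If the package has a server-auth-only usage value, pass that instead, or add a comment explaining why client auth is required. The azure-file function in the following file makes the same call.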
+++ b/control-plane-operator/controllers/hostedcontrolplane/pki/azure_file_csi_driver_operator.go
@@ -0,0 +1,19 @@
+package pki
+
+import (
+ "fmt"
+
+ "github.com/openshift/hypershift/support/config"
+
+ corev1 "k8s.io/api/core/v1"
+)
+
+func ReconcileAzureFileCsiDriverOperatorMetricsServingCertSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error {
+ dnsNames := []string{
+ fmt.Sprintf("azure-file-csi-driver-operator.%s.svc", secret.Namespace),
+ fmt.Sprintf("azure-file-csi-driver-operator.%s.svc.cluster.local", secret.Namespace),
+ "azure-file-csi-driver-operator",
+ "localhost",
+ }
+ return reconcileSignedCertWithAddresses(secret, ca, ownerRef, "azure-file-csi-driver-operator", []string{"openshift"}, X509UsageClientServerAuth, dnsNames, nil)
+}
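Review bot: The service name `azure-file-csi-driver-operator` is spelled out four times in `ReconcileAzureFileCsiDriverOperatorMetricsServingCertSecret` and once more as `Name` in the manifests package, and the SANs are only correct while those literals agree. A single constant, e.g. `const azureFileCSIDriverOperatorName = "azure-file-csi-driver-operator"`, used for the common name and the `fmt.Sprintf` SANs would keep them in step. The exported function also has no doc comment, and its `Csi` spelling differs from the `CSI` used by the manifests helpers added in this commit. The azure-disk function has the same shape.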