Addresses bparees and dcarr feedback

danehans · danehans · commit 78b540716ebb · 2019-08-05T12:02:36.000-07:00
diff --git a/pkg/controller/proxyconfig/controller.go b/pkg/controller/proxyconfig/controller.go
@@ -55,30 +55,30 @@ func add(mgr manager.Manager, r reconcile.Reconciler) error {
 	// so filter events before they are provided to the controller event handlers.
 	pred := predicate.Funcs{
 		UpdateFunc: func(e event.UpdateEvent) bool {
-			return e.MetaOld.GetName() == names.MERGED_TRUST_BUNDLE_CONFIGMAP &&
+			return e.MetaOld.GetName() == names.TRUST_BUNDLE_CONFIGMAP &&
 				e.MetaOld.GetNamespace() == names.TRUST_BUNDLE_CONFIGMAP_NS
 		},
 		DeleteFunc: func(e event.DeleteEvent) bool {
-			return e.Meta.GetName() == names.MERGED_TRUST_BUNDLE_CONFIGMAP &&
+			return e.Meta.GetName() == names.TRUST_BUNDLE_CONFIGMAP &&
 				e.Meta.GetNamespace() == names.TRUST_BUNDLE_CONFIGMAP_NS
 		},
 		CreateFunc: func(e event.CreateEvent) bool {
-			return e.Meta.GetName() == names.MERGED_TRUST_BUNDLE_CONFIGMAP &&
+			return e.Meta.GetName() == names.TRUST_BUNDLE_CONFIGMAP &&
 				e.Meta.GetNamespace() == names.TRUST_BUNDLE_CONFIGMAP_NS
 		},
 		GenericFunc: func(e event.GenericEvent) bool {
-			return e.Meta.GetName() == names.MERGED_TRUST_BUNDLE_CONFIGMAP &&
+			return e.Meta.GetName() == names.TRUST_BUNDLE_CONFIGMAP &&
 				e.Meta.GetNamespace() == names.TRUST_BUNDLE_CONFIGMAP_NS
 		},
 	}
 
-	// Watch for changes to the user/system merged configmap
+	// Watch for changes to the trust bundle configmap.
 	err = c.Watch(&source.Kind{Type: &corev1.ConfigMap{}}, &handler.EnqueueRequestForObject{}, pred)
 	if err != nil {
 		return err
 	}
 
-	// Watch for changes to resource config.openshift.io/v1/Proxy
+	// Watch for changes to the proxy resource.
 	err = c.Watch(&source.Kind{Type: &configv1.Proxy{}}, &handler.EnqueueRequestForObject{})
 	if err != nil {
 		return err
@@ -87,8 +87,6 @@ func add(mgr manager.Manager, r reconcile.Reconciler) error {
 	return nil
 }
 
-//var _ reconcile.Reconciler = &ReconcileProxyConfig{}
-
 // ReconcileProxyConfig reconciles a Proxy object
 type ReconcileProxyConfig struct {
 	// This client, initialized using mgr.Client() above, is a split client
@@ -98,16 +96,19 @@ type ReconcileProxyConfig struct {
 	status *statusmanager.StatusManager
 }
 
-// Reconcile expects request to refer to a proxy object named "cluster" in the
-// default namespace, and will ensure proxy is in the desired state.
+// Reconcile expects request to refer to a proxy object named "cluster"
+// in the default namespace or to a configmap object named
+// "trusted-ca-bundle" in namespace "openshift-config-managed", and will
+// ensure the proxy object is in the desired state.
 func (r *ReconcileProxyConfig) Reconcile(request reconcile.Request) (reconcile.Result, error) {
-	// Collect required config objects for proxy reconciliation.
-	proxyConfig := &configv1.Proxy{}
-	infraConfig := &configv1.Infrastructure{}
-	netConfig := &configv1.Network{}
-	clusterConfig := &corev1.ConfigMap{}
 	switch {
-	case request.NamespacedName == names.ProxyName():
+	case request.NamespacedName == names.Proxy():
+		// Collect required config objects for proxy reconciliation.
+		proxyConfig := &configv1.Proxy{}
+		infraConfig := &configv1.Infrastructure{}
+		netConfig := &configv1.Network{}
+		clusterConfig := &corev1.ConfigMap{}
+
 		log.Printf("Reconciling proxy: %s\n", request.Name)
 		err := r.client.Get(context.TODO(), request.NamespacedName, proxyConfig)
 		if err != nil {
@@ -122,39 +123,43 @@ func (r *ReconcileProxyConfig) Reconcile(request reconcile.Request) (reconcile.R
 		}
 
 		// A nil proxy is generated by upgrades and installs not requiring a proxy.
+		validate := true
 		if !isSpecHTTPProxySet(&proxyConfig.Spec) && !isSpecHTTPSProxySet(&proxyConfig.Spec) {
-			log.Printf("httpProxy and httpsProxy not defined; reconciliation will be skipped for proxy: %s\n",
+			log.Printf("httpProxy and httpsProxy not defined; validation will be skipped for proxy: %s\n",
 				request.Name)
-			return reconcile.Result{}, nil
+			validate = false
 		}
 
 		// Only proceed if the required config objects can be collected.
-		if err := r.client.Get(context.TODO(), types.NamespacedName{Name: "cluster"}, infraConfig); err != nil {
-			return reconcile.Result{}, fmt.Errorf("failed to get infrastructure config 'cluster': %v", err)
-		}
-		if err := r.client.Get(context.TODO(), types.NamespacedName{Name: "cluster"}, netConfig); err != nil {
-			log.Printf("failed to get network config 'cluster': %v", err)
-			return reconcile.Result{}, err
-		}
-		if err := r.client.Get(context.TODO(), types.NamespacedName{Name: "cluster-config-v1", Namespace: "kube-system"}, clusterConfig); err != nil {
-			log.Printf("failed to get configmap 'cluster': %v", err)
-			return reconcile.Result{}, err
-		}
-		if err := r.ValidateProxyConfig(&proxyConfig.Spec); err != nil {
-			log.Printf("Failed to validate Proxy.Spec: %v", err)
-			r.status.SetDegraded(statusmanager.ProxyConfig, "InvalidProxyConfig",
-				fmt.Sprintf("The proxy configuration is invalid (%v). Use 'oc edit proxy.config.openshift.io cluster' to fix.", err))
-			return reconcile.Result{}, nil
+		if validate {
+			if err := r.client.Get(context.TODO(), types.NamespacedName{Name: "cluster"}, infraConfig); err != nil {
+				return reconcile.Result{}, fmt.Errorf("failed to get infrastructure config 'cluster': %v", err)
+			}
+			if err := r.client.Get(context.TODO(), types.NamespacedName{Name: "cluster"}, netConfig); err != nil {
+				log.Printf("failed to get network config 'cluster': %v", err)
+				return reconcile.Result{}, err
+			}
+			if err := r.client.Get(context.TODO(), types.NamespacedName{Name: "cluster-config-v1", Namespace: "kube-system"}, clusterConfig); err != nil {
+				log.Printf("failed to get configmap 'cluster': %v", err)
+				return reconcile.Result{}, err
+			}
+			if err := r.ValidateProxyConfig(&proxyConfig.Spec); err != nil {
+				log.Printf("Failed to validate Proxy.Spec: %v", err)
+				r.status.SetDegraded(statusmanager.ProxyConfig, "InvalidProxyConfig",
+					fmt.Sprintf("The proxy configuration is invalid (%v). Use 'oc edit proxy.config.openshift.io cluster' to fix.", err))
+				return reconcile.Result{}, nil
+			}
 		}
-		// Update Proxy.config.openshift.io.Status
+
+		// Update proxy status.
 		if err := r.syncProxyStatus(proxyConfig, infraConfig, netConfig, clusterConfig); err != nil {
 			log.Printf("Could not sync proxy status: %v", err)
 			r.status.SetDegraded(statusmanager.ProxyConfig, "StatusError",
 				fmt.Sprintf("Could not update proxy configuration status: %v", err))
 			return reconcile.Result{}, err
 		}
 		log.Printf("Reconciling proxy: %s complete\n", request.Name)
-	case request.NamespacedName == names.MergedTrustBundleName():
+	case request.NamespacedName == names.TrustBundleConfigMap():
 		cfgMap := &corev1.ConfigMap{}
 		log.Printf("Reconciling configmap: %s/%s\n", request.Namespace, request.Name)
 		err := r.client.Get(context.TODO(), request.NamespacedName, cfgMap)
@@ -210,7 +215,7 @@ func isSpecTrustedCASet(proxyConfig *configv1.ProxySpec) bool {
 // isTrustedCAConfigMap returns true if the ConfigMap name in
 // spec.trustedCA is "proxy-ca-bundle".
 func isTrustedCAConfigMap(proxyConfig *configv1.ProxySpec) bool {
-	return proxyConfig.TrustedCA.Name == names.MERGED_TRUST_BUNDLE_CONFIGMAP
+	return proxyConfig.TrustedCA.Name == names.TRUST_BUNDLE_CONFIGMAP
 }
 
 // isSpecReadinessEndpoints returns true if spec.readinessEndpoints of
diff --git a/pkg/controller/proxyconfig/status.go b/pkg/controller/proxyconfig/status.go
@@ -46,8 +46,7 @@ func (r *ReconcileProxyConfig) syncProxyStatus(proxy *configv1.Proxy, infra *con
 	return nil
 }
 
-// mergeUserSystemNoProxy returns noProxyWildcard if it supplied as a noProxy setting.
-// Otherwise, mergeUserSystemNoProxy merges user-supplied noProxy settings from proxy
+// mergeUserSystemNoProxy merges user-supplied noProxy settings from proxy
 // with cluster-wide noProxy settings, returning a merged, comma-separated
 // string of noProxy settings.
 func mergeUserSystemNoProxy(proxy *configv1.Proxy, infra *configv1.Infrastructure, network *configv1.Network, cluster *corev1.ConfigMap) (string, error) {
@@ -68,9 +67,8 @@ func mergeUserSystemNoProxy(proxy *configv1.Proxy, infra *configv1.Infrastructur
 		apiServerURL.Hostname(),
 		internalAPIServer.Hostname(),
 	)
-	platform := infra.Status.PlatformStatus.Type
 
-	// TODO: Does a better way exist to get machineCIDR and control-plane replicas?
+	// TODO: This will be flexible when master machine management is more dynamic.
 	type installConfig struct {
 		ControlPlane struct {
 			Replicas string `json:"replicas"`
@@ -88,10 +86,11 @@ func mergeUserSystemNoProxy(proxy *configv1.Proxy, infra *configv1.Infrastructur
 		return "", fmt.Errorf("invalid install-config: %v\njson:\n%s", err, data)
 	}
 
-	if platform != configv1.VSpherePlatformType &&
-		platform != configv1.NonePlatformType &&
-		platform != configv1.BareMetalPlatformType {
+	switch infra.Status.PlatformStatus.Type {
+	case configv1.AWSPlatformType:
 		set.Insert("169.254.169.254", ic.Networking.MachineCIDR)
+	default:
+		return "", fmt.Errorf("unsupported infrastructure provider: %s", infra.Status.PlatformStatus.Type)
 	}
 
 	replicas, err := strconv.Atoi(ic.ControlPlane.Replicas)
diff --git a/pkg/controller/proxyconfig/validation.go b/pkg/controller/proxyconfig/validation.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
-	"errors"
 	"fmt"
 	"net"
 	"net/http"
@@ -32,6 +31,7 @@ const (
 
 // ValidateProxyConfig ensures that proxyConfig is valid.
 func (r *ReconcileProxyConfig) ValidateProxyConfig(proxyConfig *configv1.ProxySpec) error {
+	var err error
 	if isSpecHTTPProxySet(proxyConfig) {
 		scheme, err := cnovalidation.URI(proxyConfig.HTTPProxy)
 		if err != nil {
@@ -42,26 +42,11 @@ func (r *ReconcileProxyConfig) ValidateProxyConfig(proxyConfig *configv1.ProxySp
 		}
 	}
 
-	readinessCerts := []*x509.Certificate{}
 	if isSpecHTTPSProxySet(proxyConfig) {
-		scheme, err := cnovalidation.URI(proxyConfig.HTTPSProxy)
+		_, err := cnovalidation.URI(proxyConfig.HTTPSProxy)
 		if err != nil {
 			return fmt.Errorf("invalid httpsProxy URI: %v", err)
 		}
-		if scheme == proxyHTTPSScheme {
-			// A trusted CA bundle must be provided when using https
-			// between client and proxy.
-			if !isSpecTrustedCASet(proxyConfig) {
-				return errors.New("trustedCA is required when using an https scheme with httpsProxy")
-			}
-			certBundle, err := r.validateTrustedCA(proxyConfig)
-			if err != nil {
-				return fmt.Errorf("failed validating TrustedCA %q: %v", proxyConfig.TrustedCA.Name, err)
-			}
-			for _, cert := range certBundle {
-				readinessCerts = append(readinessCerts, cert)
-			}
-		}
 	}
 
 	if isSpecNoProxySet(proxyConfig) {
@@ -77,6 +62,14 @@ func (r *ReconcileProxyConfig) ValidateProxyConfig(proxyConfig *configv1.ProxySp
 		}
 	}
 
+	var certBundle []*x509.Certificate
+	if isSpecTrustedCASet(proxyConfig) {
+		certBundle, err = r.validateTrustedCA(proxyConfig)
+		if err != nil {
+			return fmt.Errorf("failed to validate TrustedCA %q: %v", proxyConfig.TrustedCA.Name, err)
+		}
+	}
+
 	if isSpecReadinessEndpoints(proxyConfig) {
 		for _, endpoint := range proxyConfig.ReadinessEndpoints {
 			scheme, err := cnovalidation.URI(endpoint)
@@ -92,7 +85,7 @@ func (r *ReconcileProxyConfig) ValidateProxyConfig(proxyConfig *configv1.ProxySp
 				if !isSpecTrustedCASet(proxyConfig) {
 					return fmt.Errorf("readinessEndpoint with an %q scheme requires trustedCA to be set", proxyHTTPSScheme)
 				}
-				if err := validateHTTPSReadinessEndpoint(readinessCerts, endpoint); err != nil {
+				if err := validateHTTPSReadinessEndpoint(certBundle, endpoint); err != nil {
 					return fmt.Errorf("readinessEndpoint probe failed for endpoint %s", endpoint)
 				}
 			default:
@@ -156,13 +149,14 @@ func validateHTTPSReadinessEndpoint(certBundle []*x509.Certificate, endpoint str
 // by using certBundle as trusted CAs to create a TLS connection using a
 // finite loop based on retries, returning an error if it never succeeds.
 func validateHTTPSReadinessEndpointWithRetries(certBundle []*x509.Certificate, endpoint string, retries int) error {
+	var err error
 	for i := 0; i < retries; i++ {
-		if err := runHTTPSReadinessProbe(certBundle, endpoint); err != nil {
-			return err
+		if err := runHTTPSReadinessProbe(certBundle, endpoint); err == nil {
+			return nil
 		}
 	}
 
-	return nil
+	return err
 }
 
 // runHTTPSReadinessProbe tries connecting to endpoint by using certBundle as
@@ -216,7 +210,7 @@ func (r *ReconcileProxyConfig) validateTrustedCAConfigMap(proxyConfig *configv1.
 		return nil, fmt.Errorf("invalid ConfigMap reference for TrustedCA: %s", proxyConfig.TrustedCA.Name)
 	}
 	cfgMap := &corev1.ConfigMap{}
-	if err := r.client.Get(context.TODO(), names.MergedTrustBundleName(), cfgMap); err != nil {
+	if err := r.client.Get(context.TODO(), names.TrustBundleConfigMap(), cfgMap); err != nil {
 		return nil, err
 	}
 
diff --git a/pkg/names/names.go b/pkg/names/names.go
@@ -41,29 +41,28 @@ const MULTUS_VALIDATING_WEBHOOK = "multus.openshift.io"
 // the PEM encoded trust bundle.
 const TRUST_BUNDLE_CONFIGMAP_KEY = "ca-bundle.crt"
 
-// MERGED_TRUST_BUNDLE_CONFIGMAP is the name of the ConfigMap
+// TRUST_BUNDLE_CONFIGMAP is the name of the ConfigMap
 // containing the combined user/system trust bundle.
-// TODO: The bundle can be used for more than proxy, change name.
-const MERGED_TRUST_BUNDLE_CONFIGMAP = "proxy-ca-bundle"
+const TRUST_BUNDLE_CONFIGMAP = "trusted-ca-bundle"
 
 // TRUST_BUNDLE_CONFIGMAP_NS is the namespace that hosts the
-// ADDL_TRUST_BUNDLE_CONFIGMAP and MERGED_TRUST_BUNDLE_CONFIGMAP
+// ADDL_TRUST_BUNDLE_CONFIGMAP and TRUST_BUNDLE_CONFIGMAP
 // ConfigMaps.
 const TRUST_BUNDLE_CONFIGMAP_NS = "openshift-config-managed"
 
-// ProxyName returns the namespaced name of the proxy
+// Proxy returns the namespaced name of the proxy
 // object named "cluster" in namespace "openshift-config-managed".
-func ProxyName() types.NamespacedName {
+func Proxy() types.NamespacedName {
 	return types.NamespacedName{
 		Name: PROXY_CONFIG,
 	}
 }
 
-// MergedTrustBundleName returns the namespaced name of the ConfigMap
+// TrustBundleConfigMap returns the namespaced name of the ConfigMap
 // containing the merged user/system trust bundle.
-func MergedTrustBundleName() types.NamespacedName {
+func TrustBundleConfigMap() types.NamespacedName {
 	return types.NamespacedName{
 		Namespace: TRUST_BUNDLE_CONFIGMAP_NS,
-		Name:      MERGED_TRUST_BUNDLE_CONFIGMAP,
+		Name:      TRUST_BUNDLE_CONFIGMAP,
 	}
 }
