Merge remote-tracking branch 'origin/master' into dns-trusted-servers

RELEASING.md

@@ -1,39 +1,57 @@
 # Releasing the operator
 
-## Preparing for a release
+## Preparing a new release branch
 
-Checkout the branch from which you want to release. For a major or minor release,
-you will need to create a new `release-vX.Y` branch based on the target minor version.
+For a major or minor release, you will need to create a new
+`release-vX.Y` branch based on the target minor version.
 
-Make sure the appropriate versions have been updated in `config/calico_versions.yml`, `config/enterprise_versions.yml`
-or / and config/common_versions.yaml, make sure both the images have been updated and
-the title field has been updated with the release (the format should be `v<Major>.<Minor>.<Patch>`).
-Then ensure `make gen-versions` has been ran and the resulting updates have been committed. When updating versions
-for enterprise, if necessary also update the `TigeraRegistry` field in `pkg/components/images.go`.
+## Preparing for the release
 
-Make sure the branch is in a good state, e.g. Update any pins in go.mod, create PR, ensure tests pass and merge.
+Review the milestone for this release and ensure it is accurate. https://github.com/tigera/operator/milestones
 
-You should have no local changes and tests should be passing.
+## Updating versions
 
-## Creating release
+Checkout the branch from which you want to release. Ensure that you are using the correct
+operator version for the version of Calico or Calient that you are releasing. If in doubt,
+check [the releases page](https://github.com/tigera/operator/releases) to find the most
+recent Operator release for your Calico or Calient minor version.
 
-1. Review the milestone for this release and ensure it is accurate. https://github.com/tigera/operator/milestones
+Update the image versions and the title field with the appropriate versions in the
+format `vX.Y.Z` for each of the following files:
 
-1. Choose a version e.g. `v1.0.1`
+1. `config/calico_versions.yml` (Calico OSS version)
+2. `config/enterprise_versions.yml` (Calico Enterprise version)
+3. `config/common_versions.yaml` (components common to both)
 
-1. Ensure the `title:` field in both config/calico_versions.yaml and config/enterprise_versions.yaml match
-   appropriate product release that the operator should install, if not see
-   [Preparing for a release](#preparing-for-a-release).
+(When updating versions for enterprise, if necessary also update
+the `TigeraRegistry` field in `pkg/components/images.go`.)
 
-1. Create a tag in git
+Then ensure `make gen-versions` has been ran and the resulting updates have been committed.
 
-   ```
-   git tag <version>
-   ```
+Make sure the branch is in a good state: 
+
+1. Update any pins in go.mod
+2. Create a PR for all of the local changes (versions updates, gen-versions, etc)
+3. Ensure tests pass
+
+You should have no local changes and tests should be passing.
 
-1. Push the git tag.
+## Releasing 
 
-1. Log in to semaphore and trigger a build on the tagged commit. Semaphore will build, test, and publish the release.
+1. Merge your PR to the release branch
+
+1. Create a git tag for the new commit on the release branch and push it:
+
+```
+git tag v1.30.3
+git push --tags
+```
+
+1. Log in to semaphore and find the new build for the release branch commit, and
+   click 'Rerun'. When Semaphore starts the rebuild, it will notice the new tag and
+   build and publish an operator release.
+
+## Release notes and milestones
 
 1. Run the following command to generate release notes for the release
 
@@ -49,10 +67,14 @@ You should have no local changes and tests should be passing.
 
 ## Updates for new Calico CRDs
 
+(TODO: We need to be able to detect new CRDs and do this automatically)
+
 If the release includes new Calico CRDs, add the new CRDs to `hack/gen-bundle/get-manifests.sh` and `config/manifests/bases/operator.clusterserviceversion.yaml`.
 
 ## Publishing a release on the RH Catalog
 
+(Note: We are not currently publishing to RH Catalog, but we will resume soon. These notes are left here for current and future reference.)
+
 We currently only publish operator releases targeting Calico. If the release targets Calico, continue onto the following steps to generate the
 operator bundle for it, and publish the release on the RH Catalog.
 

pkg/controller/compliance/compliance_controller.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2020-2022 Tigera, Inc. All rights reserved.
+// Copyright (c) 2020-2023 Tigera, Inc. All rights reserved.
 
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -475,7 +475,7 @@ func (r *ReconcileCompliance) Reconcile(ctx context.Context, request reconcile.R
 	}
 	certificateComponent := rcertificatemanagement.CertificateManagement(&rcertificatemanagement.Config{
 		Namespace:       render.ComplianceNamespace,
-		ServiceAccounts: []string{render.ComplianceServerServiceAccount},
+		ServiceAccounts: []string{render.ComplianceServerServiceAccount, render.ComplianceBenchmarkerServiceAccount, render.ComplianceSnapshotterServiceAccount, render.ComplianceControllerServiceAccount, render.ComplianceReporterServiceAccount},
 		KeyPairOptions: []rcertificatemanagement.KeyPairOption{
 			rcertificatemanagement.NewKeyPairOption(complianceServerKeyPair, true, true),
 			rcertificatemanagement.NewKeyPairOption(controllerKeyPair.Interface, true, true),

pkg/controller/compliance/compliance_controller_test.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2020-2022 Tigera, Inc. All rights reserved.
+// Copyright (c) 2020-2023 Tigera, Inc. All rights reserved.
 
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -23,6 +23,7 @@ import (
 	relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch"
 	rmeta "github.com/tigera/operator/pkg/render/common/meta"
 	"github.com/tigera/operator/pkg/render/common/secret"
+	"github.com/tigera/operator/pkg/tls"
 
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
@@ -59,6 +60,7 @@ var _ = Describe("Compliance controller tests", func() {
 	var r ReconcileCompliance
 	var mockStatus *status.MockStatus
 	var scheme *runtime.Scheme
+	var installation *operatorv1.Installation
 
 	expectedDNSNames := dns.GetServiceDNSNames(render.ComplianceServiceName, render.ComplianceNamespace, dns.DefaultClusterDomain)
 	BeforeEach(func() {
@@ -83,6 +85,7 @@ var _ = Describe("Compliance controller tests", func() {
 		mockStatus.On("AddCronJobs", mock.Anything)
 		mockStatus.On("IsAvailable").Return(true)
 		mockStatus.On("OnCRFound").Return()
+		mockStatus.On("AddCertificateSigningRequests", mock.Anything).Return()
 		mockStatus.On("ClearDegraded")
 		mockStatus.On("SetDegraded", "Waiting for LicenseKeyAPI to be ready", "").Return().Maybe()
 		mockStatus.On("ReadyToMonitor")
@@ -99,25 +102,25 @@ var _ = Describe("Compliance controller tests", func() {
 			licenseAPIReady: &utils.ReadyFlag{},
 			tierWatchReady:  &utils.ReadyFlag{},
 		}
-
 		// We start off with a 'standard' installation, with nothing special
+		installation = &operatorv1.Installation{
+			ObjectMeta: metav1.ObjectMeta{Name: "default"},
+			Spec: operatorv1.InstallationSpec{
+				Variant:  operatorv1.TigeraSecureEnterprise,
+				Registry: "some.registry.org/",
+			},
+			Status: operatorv1.InstallationStatus{
+				Variant: operatorv1.TigeraSecureEnterprise,
+				Computed: &operatorv1.InstallationSpec{
+					Registry: "my-reg",
+					// The test is provider agnostic.
+					KubernetesProvider: operatorv1.ProviderNone,
+				},
+			},
+		}
 		Expect(c.Create(
 			ctx,
-			&operatorv1.Installation{
-				ObjectMeta: metav1.ObjectMeta{Name: "default"},
-				Spec: operatorv1.InstallationSpec{
-					Variant:  operatorv1.TigeraSecureEnterprise,
-					Registry: "some.registry.org/",
-				},
-				Status: operatorv1.InstallationStatus{
-					Variant: operatorv1.TigeraSecureEnterprise,
-					Computed: &operatorv1.InstallationSpec{
-						Registry: "my-reg",
-						// The test is provider agnostic.
-						KubernetesProvider: operatorv1.ProviderNone,
-					},
-				},
-			})).NotTo(HaveOccurred())
+			installation)).NotTo(HaveOccurred())
 
 		// The compliance reconcile loop depends on a ton of objects that should be available in your client as
 		// prerequisites. Without them, compliance will not even start creating objects. Let's create them now.
@@ -358,6 +361,43 @@ var _ = Describe("Compliance controller tests", func() {
 		Expect(dpl.Spec.Template.ObjectMeta.Name).To(Equal(render.ComplianceControllerName))
 	})
 
+	It("should add cluster role bindings when certificate management is enabled", func() {
+		ca, err := tls.MakeCA(rmeta.DefaultOperatorCASignerName())
+		Expect(err).NotTo(HaveOccurred())
+		cert, _, _ := ca.Config.GetPEMBytes()
+		installation.Spec.CertificateManagement = &operatorv1.CertificateManagement{
+			CACert:     cert,
+			SignerName: "a.b/c",
+		}
+		Expect(c.Update(ctx, installation)).NotTo(HaveOccurred())
+		_, err = r.Reconcile(ctx, reconcile.Request{})
+		Expect(err).ShouldNot(HaveOccurred())
+
+		crb := rbacv1.ClusterRoleBinding{
+			ObjectMeta: metav1.ObjectMeta{},
+		}
+		Expect(c.Get(ctx, client.ObjectKey{
+			Name: "tigera-compliance-benchmarker:csr-creator",
+		}, &crb)).NotTo(HaveOccurred())
+		Expect(crb.Subjects).To(HaveLen(1))
+		Expect(c.Get(ctx, client.ObjectKey{
+			Name: "tigera-compliance-controller:csr-creator",
+		}, &crb)).NotTo(HaveOccurred())
+		Expect(crb.Subjects).To(HaveLen(1))
+		Expect(c.Get(ctx, client.ObjectKey{
+			Name: "tigera-compliance-server:csr-creator",
+		}, &crb)).NotTo(HaveOccurred())
+		Expect(crb.Subjects).To(HaveLen(1))
+		Expect(c.Get(ctx, client.ObjectKey{
+			Name: "tigera-compliance-snapshotter:csr-creator",
+		}, &crb)).NotTo(HaveOccurred())
+		Expect(crb.Subjects).To(HaveLen(1))
+		Expect(c.Get(ctx, client.ObjectKey{
+			Name: "tigera-compliance-reporter:csr-creator",
+		}, &crb)).NotTo(HaveOccurred())
+		Expect(crb.Subjects).To(HaveLen(1))
+	})
+
 	Context("image reconciliation", func() {
 		It("should use builtin images", func() {
 			_, err := r.Reconcile(ctx, reconcile.Request{})

pkg/controller/logstorage/logstorage.go

@@ -184,7 +184,7 @@ func (r *ReconcileLogStorage) createLogStorage(
 		components = append(components,
 			rcertificatemanagement.CertificateManagement(&rcertificatemanagement.Config{
 				Namespace:       render.KibanaNamespace,
-				ServiceAccounts: []string{render.KibanaName},
+				ServiceAccounts: []string{render.KibanaObjectName},
 				KeyPairOptions: []rcertificatemanagement.KeyPairOption{
 					// We do not want to delete the secret from the tigera-elasticsearch when CertificateManagement is
 					// enabled. Instead, it will be replaced with a TLS secret that serves merely to pass ECK's validation

pkg/controller/logstorage/logstorage_controller.go

@@ -397,7 +397,7 @@ func (c *keyPairCollection) component(bundle certificatemanagement.TrustedBundle
 	return rcertificatemanagement.CertificateManagement(&rcertificatemanagement.Config{
 		Namespace: render.ElasticsearchNamespace,
 		ServiceAccounts: []string{
-			render.ElasticsearchName,
+			render.ElasticsearchObjectName,
 			linseed.ServiceAccountName,
 			esgateway.ServiceAccountName,
 			esmetrics.ElasticsearchMetricsName,
@@ -438,6 +438,10 @@ func (r *ReconcileLogStorage) generateSecrets(
 		// Get certificate for es-proxy, which Linseed and es-gateway need to trust.
 		render.ManagerTLSSecretName,
 
+		// Linseed needs the manager internal cert in order to verify the cert presented by Voltron when provisioning
+		// tokens into managed clusters.
+		render.ManagerInternalTLSSecretName,
+
 		// Get certificate for fluentd, which Linseed needs to trust in a standalone or management cluster.
 		render.FluentdPrometheusTLSSecretName,
 

pkg/crds/enterprise/crd.projectcalico.org_egressgatewaypolicies.yaml

@@ -74,6 +74,16 @@ spec:
                             via.
                           type: string
                       type: object
+                    gatewayPreference:
+                      default: None
+                      description: GatewayPreference specifies which egress gateways
+                        to use. If set to PreferNodeLocal, egress gateways in the
+                        same node as the client will be used if available. Otherwise
+                        all the active egress gateways will be used.
+                      enum:
+                      - None
+                      - PreferNodeLocal
+                      type: string
                   type: object
                 type: array
             type: object

pkg/render/compliance.go

@@ -435,9 +435,13 @@ func (c *complianceComponent) complianceControllerDeployment() *appsv1.Deploymen
 		{Name: "TIGERA_COMPLIANCE_MAX_JOB_RETRIES", Value: "6"},
 		{Name: "LINSEED_CLIENT_CERT", Value: certPath},
 		{Name: "LINSEED_CLIENT_KEY", Value: keyPath},
-		{Name: "CLUSTER_NAME", Value: c.cfg.ESClusterConfig.ClusterName()},
 		{Name: "LINSEED_TOKEN", Value: GetLinseedTokenPath(c.cfg.ManagementClusterConnection != nil)},
 	}
+
+	var initContainers []corev1.Container
+	if c.cfg.ControllerKeyPair != nil && c.cfg.ControllerKeyPair.UseCertificateManagement() {
+		initContainers = append(initContainers, c.cfg.ControllerKeyPair.InitContainer(ComplianceNamespace))
+	}
 	podTemplate := &corev1.PodTemplateSpec{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      ComplianceControllerName,
@@ -448,6 +452,7 @@ func (c *complianceComponent) complianceControllerDeployment() *appsv1.Deploymen
 			Tolerations:        append(c.cfg.Installation.ControlPlaneTolerations, rmeta.TolerateControlPlane...),
 			NodeSelector:       c.cfg.Installation.ControlPlaneNodeSelector,
 			ImagePullSecrets:   secret.GetReferenceList(c.cfg.PullSecrets),
+			InitContainers:     initContainers,
 			Containers: []corev1.Container{
 				{
 					Name:            ComplianceControllerName,
@@ -568,7 +573,6 @@ func (c *complianceComponent) complianceReporterPodTemplate() *corev1.PodTemplat
 		{Name: "TIGERA_COMPLIANCE_JOB_NAMESPACE", Value: ComplianceNamespace},
 		{Name: "LINSEED_CLIENT_CERT", Value: certPath},
 		{Name: "LINSEED_CLIENT_KEY", Value: keyPath},
-		{Name: "CLUSTER_NAME", Value: c.cfg.ESClusterConfig.ClusterName()},
 		{Name: "LINSEED_TOKEN", Value: GetLinseedTokenPath(c.cfg.ManagementClusterConnection != nil)},
 	}
 
@@ -609,6 +613,10 @@ func (c *complianceComponent) complianceReporterPodTemplate() *corev1.PodTemplat
 				MountPath: LinseedVolumeMountPath,
 			})
 	}
+	var initContainers []corev1.Container
+	if c.cfg.ReporterKeyPair != nil && c.cfg.ReporterKeyPair.UseCertificateManagement() {
+		initContainers = append(initContainers, c.cfg.ReporterKeyPair.InitContainer(ComplianceNamespace))
+	}
 
 	return &corev1.PodTemplate{
 		TypeMeta: metav1.TypeMeta{Kind: "PodTemplate", APIVersion: "v1"},
@@ -632,6 +640,7 @@ func (c *complianceComponent) complianceReporterPodTemplate() *corev1.PodTemplat
 				Tolerations:        append(c.cfg.Installation.ControlPlaneTolerations, rmeta.TolerateControlPlane...),
 				NodeSelector:       c.cfg.Installation.ControlPlaneNodeSelector,
 				ImagePullSecrets:   secret.GetReferenceList(c.cfg.PullSecrets),
+				InitContainers:     initContainers,
 				Containers: []corev1.Container{
 					{
 						Name:            "reporter",
@@ -809,7 +818,6 @@ func (c *complianceComponent) complianceServerDeployment() *appsv1.Deployment {
 		{Name: "FIPS_MODE_ENABLED", Value: operatorv1.IsFIPSModeEnabledString(c.cfg.Installation.FIPSMode)},
 		{Name: "LINSEED_CLIENT_CERT", Value: certPath},
 		{Name: "LINSEED_CLIENT_KEY", Value: keyPath},
-		{Name: "CLUSTER_NAME", Value: c.cfg.ESClusterConfig.ClusterName()},
 		{Name: "LINSEED_TOKEN", Value: GetLinseedTokenPath(c.cfg.ManagementClusterConnection != nil)},
 	}
 	if c.cfg.KeyValidatorConfig != nil {
@@ -994,7 +1002,6 @@ func (c *complianceComponent) complianceSnapshotterDeployment() *appsv1.Deployme
 		{Name: "TIGERA_COMPLIANCE_SNAPSHOT_HOUR", Value: "0"},
 		{Name: "LINSEED_CLIENT_CERT", Value: certPath},
 		{Name: "LINSEED_CLIENT_KEY", Value: keyPath},
-		{Name: "CLUSTER_NAME", Value: c.cfg.ESClusterConfig.ClusterName()},
 		{Name: "LINSEED_TOKEN", Value: GetLinseedTokenPath(c.cfg.ManagementClusterConnection != nil)},
 	}
 
@@ -1021,6 +1028,10 @@ func (c *complianceComponent) complianceSnapshotterDeployment() *appsv1.Deployme
 				MountPath: LinseedVolumeMountPath,
 			})
 	}
+	var initContainers []corev1.Container
+	if c.cfg.SnapshotterKeyPair != nil && c.cfg.SnapshotterKeyPair.UseCertificateManagement() {
+		initContainers = append(initContainers, c.cfg.SnapshotterKeyPair.InitContainer(ComplianceNamespace))
+	}
 
 	podTemplate := &corev1.PodTemplateSpec{
 		ObjectMeta: metav1.ObjectMeta{
@@ -1032,6 +1043,7 @@ func (c *complianceComponent) complianceSnapshotterDeployment() *appsv1.Deployme
 			Tolerations:        append(c.cfg.Installation.ControlPlaneTolerations, rmeta.TolerateControlPlane...),
 			NodeSelector:       c.cfg.Installation.ControlPlaneNodeSelector,
 			ImagePullSecrets:   secret.GetReferenceList(c.cfg.PullSecrets),
+			InitContainers:     initContainers,
 			Containers: []corev1.Container{
 				{
 					Name:            ComplianceSnapshotterName,
@@ -1147,7 +1159,6 @@ func (c *complianceComponent) complianceBenchmarkerDaemonSet() *appsv1.DaemonSet
 		{Name: "NODENAME", ValueFrom: &corev1.EnvVarSource{FieldRef: &corev1.ObjectFieldSelector{FieldPath: "spec.nodeName"}}},
 		{Name: "LINSEED_CLIENT_CERT", Value: certPath},
 		{Name: "LINSEED_CLIENT_KEY", Value: keyPath},
-		{Name: "CLUSTER_NAME", Value: c.cfg.ESClusterConfig.ClusterName()},
 		{Name: "LINSEED_TOKEN", Value: GetLinseedTokenPath(c.cfg.ManagementClusterConnection != nil)},
 	}
 
@@ -1215,6 +1226,10 @@ func (c *complianceComponent) complianceBenchmarkerDaemonSet() *appsv1.DaemonSet
 			})
 	}
 
+	var initContainers []corev1.Container
+	if c.cfg.BenchmarkerKeyPair.UseCertificateManagement() {
+		initContainers = append(initContainers, c.cfg.BenchmarkerKeyPair.InitContainer(ComplianceNamespace))
+	}
 	podTemplate := &corev1.PodTemplateSpec{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      ComplianceBenchmarkerName,
@@ -1225,6 +1240,7 @@ func (c *complianceComponent) complianceBenchmarkerDaemonSet() *appsv1.DaemonSet
 			HostPID:            true,
 			Tolerations:        rmeta.TolerateAll,
 			ImagePullSecrets:   secret.GetReferenceList(c.cfg.PullSecrets),
+			InitContainers:     initContainers,
 			Containers: []corev1.Container{
 				{
 					Name:            ComplianceBenchmarkerName,