changing native client to runtime client

Signed-off-by: rchikatw <[email protected]>

Dockerfile

@@ -12,7 +12,7 @@ ARG LDFLAGS
 
 RUN GOOS="$GOOS" GOARCH="$GOARCH" go build -ldflags "$LDFLAGS" -tags netgo,osusergo -o ocs-operator main.go
 RUN GOOS="$GOOS" GOARCH="$GOARCH" go build -tags netgo,osusergo -o provider-api services/provider/main.go
-RUN GOOS="$GOOS" GOARCH="$GOARCH" go build -tags netgo,osusergo -o onboarding-secret-generator onboarding/main.go
+RUN GOOS="$GOOS" GOARCH="$GOARCH" go build -tags netgo,osusergo -o rotate-onboarding-keys rotate-onboarding-keys/main.go
 RUN GOOS="$GOOS" GOARCH="$GOARCH" go build -tags netgo,osusergo -o ux-backend-server services/ux-backend/main.go
 
 # Build stage 2
@@ -21,7 +21,7 @@ FROM registry.access.redhat.com/ubi9/ubi-minimal
 
 COPY --from=builder workspace/ocs-operator /usr/local/bin/ocs-operator
 COPY --from=builder workspace/provider-api /usr/local/bin/provider-api
-COPY --from=builder workspace/onboarding-secret-generator /usr/local/bin/onboarding-secret-generator
+COPY --from=builder workspace/rotate-onboarding-keys /usr/local/bin/rotate-onboarding-keys
 COPY --from=builder workspace/metrics/deploy/*rules*.yaml /ocs-prometheus-rules/
 COPY --from=builder workspace/ux-backend-server /usr/local/bin/ux-backend-server
 

controllers/storagecluster/provider_server.go

@@ -27,11 +27,11 @@ import (
 )
 
 const (
-	ocsProviderServerName               = "ocs-provider-server"
-	providerAPIServerImage              = "PROVIDER_API_SERVER_IMAGE"
-	onboardingSecretGeneratorImage      = "ONBOARDING_SECRET_GENERATOR_IMAGE"
-	onboardingJobName                   = "onboarding-secret-generator"
-	onboardingTicketPublicKeySecretName = "onboarding-ticket-key"
+	ocsProviderServerName                   = "ocs-provider-server"
+	providerAPIServerImage                  = "PROVIDER_API_SERVER_IMAGE"
+	rotateOnboardingKeypairsImage           = "ROTATE_ONBOARDING_KEYPAIRS_IMAGE"
+	rotateOnboardingKeypairsJobName         = "rotate-onboarding-keypairs"
+	onboardingValidationPublicKeySecretName = "onboarding-ticket-key"
 
 	ocsProviderServicePort     = int32(50051)
 	ocsProviderServiceNodePort = int32(31659)
@@ -451,7 +451,7 @@ func getOnboardingJobObject(instance *ocsv1.StorageCluster) *batchv1.Job {
 
 	return &batchv1.Job{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      onboardingJobName,
+			Name:      rotateOnboardingKeypairsJobName,
 			Namespace: instance.Namespace,
 		},
 		Spec: batchv1.JobSpec{
@@ -460,12 +460,12 @@ func getOnboardingJobObject(instance *ocsv1.StorageCluster) *batchv1.Job {
 			Template: corev1.PodTemplateSpec{
 				Spec: corev1.PodSpec{
 					RestartPolicy:      corev1.RestartPolicyOnFailure,
-					ServiceAccountName: onboardingJobName,
+					ServiceAccountName: rotateOnboardingKeypairsJobName,
 					Containers: []corev1.Container{
 						{
-							Name:    onboardingJobName,
-							Image:   os.Getenv(onboardingSecretGeneratorImage),
-							Command: []string{"/usr/local/bin/onboarding-secret-generator"},
+							Name:    rotateOnboardingKeypairsJobName,
+							Image:   os.Getenv(rotateOnboardingKeypairsImage),
+							Command: []string{"/usr/local/bin/rotate-onboarding-keys"},
 							Env: []corev1.EnvVar{
 								{
 									Name:  util.OperatorNamespaceEnvVar,
@@ -482,7 +482,7 @@ func getOnboardingJobObject(instance *ocsv1.StorageCluster) *batchv1.Job {
 
 func (o *ocsProviderServer) createJob(r *StorageClusterReconciler, instance *ocsv1.StorageCluster) (reconcile.Result, error) {
 	var err error
-	if os.Getenv(onboardingSecretGeneratorImage) == "" {
+	if os.Getenv(rotateOnboardingKeypairsImage) == "" {
 		err = fmt.Errorf("OnboardingSecretGeneratorImage env var is not set")
 		r.Log.Error(err, "No value set for env variable")
 
@@ -491,7 +491,7 @@ func (o *ocsProviderServer) createJob(r *StorageClusterReconciler, instance *ocs
 
 	actualSecret := &corev1.Secret{}
 	// Creating the job only if public is not found
-	err = r.Client.Get(context.Background(), types.NamespacedName{Name: onboardingTicketPublicKeySecretName,
+	err = r.Client.Get(context.Background(), types.NamespacedName{Name: onboardingValidationPublicKeySecretName,
 		Namespace: instance.Namespace}, actualSecret)
 
 	if errors.IsNotFound(err) {

controllers/storagecluster/provider_server_test.go

@@ -321,7 +321,7 @@ func createSetupForOcsProviderTest(t *testing.T, allowRemoteStorageConsumers boo
 	}
 
 	os.Setenv(providerAPIServerImage, "fake-image")
-	os.Setenv(onboardingSecretGeneratorImage, "fake-image")
+	os.Setenv(rotateOnboardingKeypairsImage, "fake-image")
 	os.Setenv(util.WatchNamespaceEnvVar, "openshift-storage")
 
 	return r, instance

deploy/ocs-operator/manifests/ocs-operator.clusterserviceversion.yaml

@@ -3093,7 +3093,7 @@ spec:
                   value: docker.io/centos/postgresql-12-centos8
                 - name: PROVIDER_API_SERVER_IMAGE
                   value: quay.io/ocs-dev/ocs-operator:latest
-                - name: ONBOARDING_SECRET_GENERATOR_IMAGE
+                - name: ROTATE_ONBOARDING_KEYPAIRS_IMAGE
                   value: quay.io/ocs-dev/ocs-operator:latest
                 - name: OPERATOR_NAMESPACE
                   valueFrom:

deploy/ocs-operator/manifests/onboarding-secret-generator-binding.yaml

@@ -1,12 +1,12 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: onboarding-secret-generator
+  name: rotate-onboarding-keypairs
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: onboarding-secret-generator
+  name: rotate-onboarding-keypairs
 subjects:
 - kind: ServiceAccount
-  name: onboarding-secret-generator
+  name: rotate-onboarding-keypairs
   namespace: openshift-storage

deploy/ocs-operator/manifests/onboarding-secret-generator-role.yaml

@@ -1,7 +1,7 @@
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: onboarding-secret-generator
+  name: rotate-onboarding-keypairs
 rules:
 - apiGroups:
   - ""

deploy/ocs-operator/manifests/onboarding-secret-generator-sa.yaml

@@ -1,5 +1,5 @@
 kind: ServiceAccount
 apiVersion: v1
 metadata:
-  name: onboarding-secret-generator
+  name: rotate-onboarding-keypairs
 type: kubernetes.io/service-account-token

rbac/onboarding-secret-generator-binding.yaml

@@ -1,12 +1,12 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: onboarding-secret-generator
+  name: rotate-onboarding-keypairs
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: onboarding-secret-generator
+  name: rotate-onboarding-keypairs
 subjects:
 - kind: ServiceAccount
-  name: onboarding-secret-generator
+  name: rotate-onboarding-keypairs
   namespace: openshift-storage

rbac/onboarding-secret-generator-role.yaml

@@ -1,7 +1,7 @@
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: onboarding-secret-generator
+  name: rotate-onboarding-keypairs
 rules:
 - apiGroups:
   - ""

rbac/onboarding-secret-generator-sa.yaml

@@ -1,5 +1,5 @@
 kind: ServiceAccount
 apiVersion: v1
 metadata:
-  name: onboarding-secret-generator
+  name: rotate-onboarding-keypairs
 type: kubernetes.io/service-account-token

onboarding/main.go → rotate-onboarding-keys/main.go

@@ -4,19 +4,18 @@ import (
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/x509"
-	"encoding/json"
 	"encoding/pem"
-	"fmt"
 	"os"
 
 	"github.com/red-hat-storage/ocs-operator/v4/controllers/util"
 	"golang.org/x/net/context"
 	corev1 "k8s.io/api/core/v1"
 	kerrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/client-go/kubernetes"
+	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/klog/v2"
-	runtime "sigs.k8s.io/controller-runtime/pkg/client/config"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/config"
 )
 
 const (
@@ -27,9 +26,9 @@ const (
 )
 
 func main() {
-	clientset, err := newClient()
+	cl, err := newClient()
 	if err != nil {
-		klog.Errorf("failed to create clientset: %v", err)
+		klog.Errorf("failed to create client: %v", err)
 		os.Exit(1)
 	}
 
@@ -57,90 +56,87 @@ func main() {
 	// Instead, a safer approach is to delete both secrets and then recreate them simultaneously
 	// to ensure consistency and accuracy of all secrets. By this way it will be easier to diagnose the
 	// issues if one or two secrets do not exist instead of trying to understand if they match
-	err = clientset.CoreV1().
-		Secrets(operatorNamespace).
-		Delete(ctx, onboardingValidationPrivateKeySecretName, metav1.DeleteOptions{})
+	privateSecret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      onboardingValidationPrivateKeySecretName,
+			Namespace: operatorNamespace,
+		},
+	}
+	err = cl.Delete(ctx, privateSecret, client.GracePeriodSeconds(0))
 	if err != nil && !kerrors.IsNotFound(err) {
 		klog.Errorf("failed to delete private secret: %v", err)
 		os.Exit(1)
 	}
 
 	// Delete public key secret
-	err = clientset.CoreV1().
-		Secrets(operatorNamespace).
-		Delete(ctx, onboardingValidationPublicKeySecretName, metav1.DeleteOptions{})
+	publicSecret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      onboardingValidationPublicKeySecretName,
+			Namespace: operatorNamespace,
+		},
+	}
+	err = cl.Delete(ctx, publicSecret, client.GracePeriodSeconds(0))
 	if err != nil && !kerrors.IsNotFound(err) {
 		klog.Errorf("failed to delete public secret: %v", err)
 		os.Exit(1)
 	}
 
-	storageClusterMetadata, err := getStorageClusterMetadata(ctx, operatorNamespace, clientset)
+	storageClusterMetadata, err := getStorageClusterMetadata(ctx, operatorNamespace, cl)
 	if err != nil {
 		klog.Errorf("failed to get storage cluster metadata: %v", err)
 		os.Exit(1)
 	}
 
-	privateSecret := &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      onboardingValidationPrivateKeySecretName,
-			Namespace: operatorNamespace,
-			OwnerReferences: []metav1.OwnerReference{
-				{
-					UID:        storageClusterMetadata.UID,
-					APIVersion: storageClusterMetadata.APIVersion,
-					Kind:       storageClusterMetadata.Kind,
-					Name:       storageClusterMetadata.Name,
-				},
-			}},
-		StringData: map[string]string{
-			"key": privatePem,
+	privateSecret.ObjectMeta.OwnerReferences = []metav1.OwnerReference{
+		{
+			UID:        storageClusterMetadata.UID,
+			APIVersion: storageClusterMetadata.APIVersion,
+			Kind:       storageClusterMetadata.Kind,
+			Name:       storageClusterMetadata.Name,
 		},
 	}
+	privateSecret.StringData = map[string]string{
+		"key": privatePem,
+	}
 
-	_, err = clientset.CoreV1().
-		Secrets(operatorNamespace).
-		Create(ctx, privateSecret, metav1.CreateOptions{})
-
+	err = cl.Create(ctx, privateSecret, &client.CreateOptions{})
 	if err != nil {
 		klog.Errorf("failed to create private secret: %v", err)
 		os.Exit(1)
 	}
 
-	publicSecret := &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      onboardingValidationPublicKeySecretName,
-			Namespace: operatorNamespace,
-			OwnerReferences: []metav1.OwnerReference{
-				{
-					UID:        storageClusterMetadata.UID,
-					APIVersion: storageClusterMetadata.APIVersion,
-					Kind:       storageClusterMetadata.Kind,
-					Name:       storageClusterMetadata.Name,
-				},
-			}},
-		StringData: map[string]string{
-			"key": publicPem,
+	publicSecret.ObjectMeta.OwnerReferences = []metav1.OwnerReference{
+		{
+			UID:        storageClusterMetadata.UID,
+			APIVersion: storageClusterMetadata.APIVersion,
+			Kind:       storageClusterMetadata.Kind,
+			Name:       storageClusterMetadata.Name,
 		},
 	}
+	publicSecret.StringData = map[string]string{
+		"key": publicPem,
+	}
 
-	_, err = clientset.CoreV1().
-		Secrets(operatorNamespace).
-		Create(ctx, publicSecret, metav1.CreateOptions{})
+	err = cl.Create(ctx, publicSecret, &client.CreateOptions{})
 	if err != nil {
 		klog.Errorf("failed to create public secret: %v", err)
 		os.Exit(1)
 	}
 
 }
 
-func newClient() (*kubernetes.Clientset, error) {
-	config := runtime.GetConfigOrDie()
-	clientset, err := kubernetes.NewForConfig(config)
+func newClient() (client.Client, error) {
+	klog.Info("Setting up k8s client")
+	config, err := config.GetConfig()
 	if err != nil {
-		return nil, err
+		klog.Exitf("Failed to get config: %v", err)
+	}
+	k8sClient, err := client.New(config, client.Options{})
+	if err != nil {
+		klog.Exitf("Failed to create controller-runtime client: %v", err)
 	}
 
-	return clientset, nil
+	return k8sClient, nil
 }
 
 func convertRsaPrivateKeyAsPemStr(privateKey *rsa.PrivateKey) string {
@@ -155,20 +151,15 @@ func convertRsaPublicKeyAsPemStr(publicKey *rsa.PublicKey) string {
 	return string(publicKeyPem)
 }
 
-func getStorageClusterMetadata(ctx context.Context, operatorNamespace string, clientset *kubernetes.Clientset) (*metav1.PartialObjectMetadata, error) {
-	var storageClusterMetadata metav1.PartialObjectMetadata
-	storageClusterGVKPath := fmt.Sprintf(
-		"/apis/ocs.openshift.io/v1/namespaces/%s/storageclusters/%s",
-		operatorNamespace,
-		storageClusterName,
-	)
-	storageClusterMetadataJSON, err := clientset.RESTClient().Get().AbsPath(storageClusterGVKPath).Do(ctx).Raw()
-	if err != nil {
-		return nil, fmt.Errorf("failed to get storage cluster metadata: %v", err)
+func getStorageClusterMetadata(ctx context.Context, operatorNamespace string, client client.Client) (*metav1.PartialObjectMetadata, error) {
+	storageClusterMetadata := metav1.PartialObjectMetadata{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "storagecluster",
+			APIVersion: "ocs.openshift.io/v1",
+		},
 	}
-
-	if err = json.Unmarshal(storageClusterMetadataJSON, &storageClusterMetadata); err != nil {
-		return nil, fmt.Errorf("failed to parse storage cluster metadata response: %v", err)
+	if err := client.Get(ctx, types.NamespacedName{Name: storageClusterName, Namespace: operatorNamespace}, &storageClusterMetadata); err != nil {
+		return nil, err
 	}
 
 	return &storageClusterMetadata, nil

tools/csv-merger/csv-merger.go

@@ -159,7 +159,7 @@ func unmarshalCSV(filePath string) *csvv1.ClusterServiceVersion {
 				Value: *ocsContainerImage,
 			},
 			{
-				Name:  "ONBOARDING_SECRET_GENERATOR_IMAGE",
+				Name:  "ROTATE_ONBOARDING_KEYPAIRS_IMAGE",
 				Value: *ocsContainerImage,
 			},
 			{