diff --git a/pkg/cluster/cert.go b/pkg/cluster/cert.go index f704203deef..12f75329108 100644 --- a/pkg/cluster/cert.go +++ b/pkg/cluster/cert.go @@ -32,27 +32,9 @@ func CreateSelfSignedCertificate(ctx context.Context, c client.Client, secretNam if err := ApplyMetaOptions(certSecret, metaOptions...); err != nil { return err } - existingSecret := &corev1.Secret{} - err = c.Get(ctx, client.ObjectKey{Name: secretName, Namespace: namespace}, existingSecret) - if err != nil { - if k8serr.IsNotFound(err) { - // Secret does not exist, create it - if createErr := c.Create(ctx, certSecret); createErr != nil { - return fmt.Errorf("failed creating certificate secret: %w", createErr) - } - } else { - return fmt.Errorf("failed getting certificate secret: %w", err) - } - } else if existingSecret.Type != certSecret.Type { - // Secret exists but with a different type, delete and recreate it - if err := c.Delete(ctx, existingSecret); err != nil { - return fmt.Errorf("failed deleting existing secret: %w", err) - } - if createErr := c.Create(ctx, certSecret); client.IgnoreAlreadyExists(createErr) != nil { - return fmt.Errorf("failed creating certificate secret: %w", createErr) - } + if err = generateCertSecret(ctx, c, certSecret, secretName, namespace); err != nil { + return fmt.Errorf("failed update self-signed certificate secret: %w", err) } - return nil } @@ -194,43 +176,51 @@ func copySecretToNamespace(ctx context.Context, c client.Client, secret *corev1. Data: secret.Data, Type: secret.Type, } - - existingSecret := &corev1.Secret{} - err := c.Get(ctx, client.ObjectKey{Name: newSecretName, Namespace: namespace}, existingSecret) - if k8serr.IsNotFound(err) { // create if not found - if err = c.Create(ctx, newSecret); err != nil { - return fmt.Errorf("failed to create new secret: %w", err) - } - } else if err != nil { - return fmt.Errorf("failed to get existing secret: %w", err) + if err := generateCertSecret(ctx, c, newSecret, newSecretName, namespace); err != nil { + return fmt.Errorf("failed to deploy default cert secret to namespace %s: %w", namespace, err) } - - if existingSecret.Type != newSecret.Type { // recreate if found with mismatched type - if recreateSecret(ctx, c, existingSecret, newSecret) != nil { - return errors.New("failed to recreate secret with type corrected") - } - } - - if isSecretOutdated(existingSecret.Data, newSecret.Data) { - if err = c.Update(ctx, newSecret); err != nil { // update data if found with same type but outdated content - return fmt.Errorf("failed to update secret: %w", err) - } - } - return nil } // recreateSecret deletes the existing secret and creates a new one. func recreateSecret(ctx context.Context, c client.Client, existingSecret, newSecret *corev1.Secret) error { if err := c.Delete(ctx, existingSecret); err != nil { - return fmt.Errorf("failed to delete existing secret: %w", err) + return fmt.Errorf("failed to delete existing secret before recreating new one: %w", err) } if err := c.Create(ctx, newSecret); err != nil { - return fmt.Errorf("failed to create new secret: %w", err) + return fmt.Errorf("failed to create new secret after existing one has been deleted: %w", err) } return nil } +// generateCertSecret creates a secret if it does not exist; recreate this secret if type not match; update data if outdated. +func generateCertSecret(ctx context.Context, c client.Client, certSecret *corev1.Secret, secretName, namespace string) error { + existingSecret := &corev1.Secret{} + err := c.Get(ctx, client.ObjectKey{Name: secretName, Namespace: namespace}, existingSecret) + switch { + case err == nil: + // Secret exists but with a different type, delete and create it again + if existingSecret.Type != certSecret.Type { + return recreateSecret(ctx, c, existingSecret, certSecret) + } + // update data if found with same type but outdated content + if isSecretOutdated(existingSecret.Data, certSecret.Data) { + if err = c.Update(ctx, certSecret); err != nil { + return fmt.Errorf("failed to update existing secret: %w", err) + } + } + case k8serr.IsNotFound(err): + // Secret does not exist, create it + if err := c.Create(ctx, certSecret); err != nil { + return fmt.Errorf("failed creating new certificate secret: %w", err) + } + default: + return fmt.Errorf("failed getting certificate secret: %w", err) + } + + return nil +} + // isSecretOutdated compares two secret data of type map[string][]byte and returns true if they are not equal. func isSecretOutdated(existingSecretData, newSecretData map[string][]byte) bool { if len(existingSecretData) != len(newSecretData) {