diff --git a/pkg/constants/constants.go b/pkg/constants/constants.go
index 5d3adf00..e910d33e 100644
--- a/pkg/constants/constants.go
+++ b/pkg/constants/constants.go
@@ -136,3 +136,6 @@ const OciFlexVolumeProvisioner = "oracle.com/oci"
 const OciAvailabilityDomainLabel = "oci-availability-domain"
 const K8sDefaultStorageClassAnnotation = "storageclass.kubernetes.io/is-default-class"
 const K8sDefaultStorageClassBetaAnnotation = "storageclass.beta.kubernetes.io/is-default-class"
+
+// Monitoring namespace
+const MonitoringNamespace = "monitoring"
diff --git a/pkg/resources/secrets/secrets_test.go b/pkg/resources/secrets/secrets_test.go
index f3fa45d3..a236b905 100644
--- a/pkg/resources/secrets/secrets_test.go
+++ b/pkg/resources/secrets/secrets_test.go
@@ -3,8 +3,8 @@ package secrets
 import (
- vmcontrollerv1 "github.com/verrazzano/verrazzano-monitoring-operator/pkg/apis/vmcontroller/v1"
 "github.com/stretchr/testify/assert"
+ vmcontrollerv1 "github.com/verrazzano/verrazzano-monitoring-operator/pkg/apis/vmcontroller/v1"
 "testing"
 )
diff --git a/pkg/vmo/sauronspec.go b/pkg/vmo/sauronspec.go
index 849e6de9..dc0838fb 100644
--- a/pkg/vmo/sauronspec.go
+++ b/pkg/vmo/sauronspec.go
@@ -36,6 +36,11 @@ func InitializeSauronSpec(controller *Controller, sauron *vmcontrollerv1.Verrazz
 glog.Errorf("Failed to create TLS Secrets for sauron: %v", err)
 }
 
+ err = EnsureTlsSecretInMonitoringNS(controller, sauron)
+ if err != nil {
+ glog.Errorf("Failed to copy TLS Secret to monitoring namespace: %v", err)
+ }
+
 // Set creation time
 if sauron.Status.CreationTime == nil {
 now := metav1.Now()
diff --git a/pkg/vmo/secret.go b/pkg/vmo/secret.go
index 0b7a6053..3d69bc9c 100644
--- a/pkg/vmo/secret.go
+++ b/pkg/vmo/secret.go
@@ -6,6 +6,7 @@ import (
 "crypto/sha1"
 "encoding/base64"
 "fmt"
+ corev1 "k8s.io/api/core/v1"
 "regexp"
 "strings"
@@ -252,3 +253,42 @@ func (c *Controller) loadAllAuthSecretData(ns, secretName string) (map[string]st
 return m, nil
 }
+
+// The prometheus pusher needs to access the ca.ctl cert in system-tls secret from within the pod. The secret must
+// be in the monitoring namespace to access it as a volume. Copy the secret from the verrazzano-system
+// namespace.
+func EnsureTlsSecretInMonitoringNS(controller *Controller, sauron *vmcontrollerv1.VerrazzanoMonitoringInstance) error {
+ const secretName = "system-tls"
+
+ // Don't copy the secret if it already exists.
+ secret, err := controller.kubeclientset.CoreV1().Secrets(constants.MonitoringNamespace).Get(secretName, metav1.GetOptions{})
+ if err == nil && secret != nil {
+ return nil
+ }
+
+ // The secret must be this name since the name is hardcoded in monitoring/deployments.do of verrazzano operator.
+ secret, err = controller.kubeclientset.CoreV1().Secrets(sauron.Namespace).Get(secretName, metav1.GetOptions{})
+ if err != nil {
+ glog.Errorf("Error getting TLS secret %s from namespace %s, err: %s", secretName, sauron.Namespace, err)
+ return err
+ }
+
+ // Create the secret
+ newSecret := corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: secret.Name,
+ Namespace: constants.MonitoringNamespace,
+ },
+ Data: secret.Data,
+ StringData: secret.StringData,
+ Type: secret.Type,
+ }
+ _, err = controller.kubeclientset.CoreV1().Secrets(constants.MonitoringNamespace).Create(&newSecret)
+ if err != nil {
+ glog.Errorf("caught an error trying to create a secret, err: %s", err)
+ return err
+ }
+ glog.Infof("Created TLS secret %s in namespace %s", secretName, constants.MonitoringNamespace)
+
+ return nil
+}
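Review bot: The existing-secret check at the top of EnsureTlsSecretInMonitoringNS (`if err == nil && secret != nil { return nil }`) makes this a copy-once: after `system-tls` in the sauron namespace is renewed or rotated, the `monitoring` copy keeps serving the old certificate material until someone deletes it by hand, and a Get that fails for a reason other than NotFound (RBAC denial, API outage) falls through to a Create that then fails as well. I would treat only `apierrors.IsNotFound(err)` (from `k8s.io/apimachinery/pkg/api/errors`) as "absent", return any other Get error, and Update the copy whenever its `Data` no longer matches the source, as sketched below (needs the `apierrors` import and stdlib `reflect`; `StringData` can be dropped from the copy since the API never returns it populated on a read). Separately, the header comment says the pusher only needs the CA certificate, yet the whole secret is replicated — including the TLS private key if this is a `kubernetes.io/tls` secret, which I cannot confirm from here — so anything with secret read in `monitoring` gains that key; if nothing else in that namespace depends on it, copying just the `ca.crt` entry (a CA certificate is not confidential and could even live in a ConfigMap) keeps the exposure to what the pusher actually uses. `ca.ctl` in the header comment is presumably a typo for `ca.crt`.
```go
	existing, err := controller.kubeclientset.CoreV1().Secrets(constants.MonitoringNamespace).Get(secretName, metav1.GetOptions{})
	if err != nil && !apierrors.IsNotFound(err) {
		return err // RBAC/API failures are not "absent"; don't fall through to Create
	}
	exists := err == nil

	// … unchanged: Get of the source secret from sauron.Namespace into `secret`, with its error handling …

	newSecret := corev1.Secret{
		ObjectMeta: metav1.ObjectMeta{
			Name:      secret.Name,
			Namespace: constants.MonitoringNamespace,
		},
		Data: secret.Data,
		Type: secret.Type,
	}
	if exists {
		if reflect.DeepEqual(existing.Data, secret.Data) {
			return nil // copy already matches the source
		}
		newSecret.ResourceVersion = existing.ResourceVersion
		_, err = controller.kubeclientset.CoreV1().Secrets(constants.MonitoringNamespace).Update(&newSecret)
	} else {
		_, err = controller.kubeclientset.CoreV1().Secrets(constants.MonitoringNamespace).Create(&newSecret)
	}
	if err != nil {
		glog.Errorf("Error writing TLS secret %s to namespace %s, err: %v", secretName, constants.MonitoringNamespace, err)
		return err
	}
	// … unchanged: success log and return …
```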