Enable SSL verification on MongoDB migrations

Originating issue: [IBMPrivateCloud/roadmap#64854](https://github.ibm.com/IBMPrivateCloud/roadmap/issues/64854) * Set InsecureSkipVerify to false * Modify MongoDB bootstrap script contents to create internal certificate including Service FQDN Signed-off-by: Rob Hundley <[email protected]>
IBM · Jan 29, 2025 · b75d925 · b75d925
1 parent 4f2dd41
commit b75d925
Show file tree

Hide file tree

Showing 9 changed files with 1,047 additions and 524 deletions.
diff --git a/apis/oidc.security/v1/groupversion_info.go b/apis/oidc.security/v1/groupversion_info.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2023.
+Copyright 2025.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

diff --git a/controllers/common/resources.go b/controllers/common/resources.go
@@ -20,6 +20,7 @@ import (
 	"regexp"
 
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
@@ -48,10 +49,7 @@ func IsCsConfigAnnotationExists(annotations map[string]string) bool {
 			break
 		}
 	}
-	if csAnnotationFound {
-		return true
-	}
-	return false
+	return csAnnotationFound
 }
 
 func isOwnerOf(owner client.Object, ownerRef v1.OwnerReference) (isOwner bool) {
@@ -69,12 +67,14 @@ func isControllerOf(controller client.Object, ownerRef v1.OwnerReference) (isCon
 	return
 }
 
-// IsOwnerOf determines whether one object is listed in another object's OwnerReferences.
-func IsOwnerOf(owner, owned client.Object) (isOwner bool) {
+// IsOwnerOf determines whether one object is listed in another object's OwnerReferences. Requires GVK due to
+// https://github.com/kubernetes/kubernetes/issues/80609.
+func IsOwnerOf(gvk schema.GroupVersionKind, owner, owned client.Object) (isOwner bool) {
 	ownerRefs := owned.GetOwnerReferences()
 	if len(ownerRefs) == 0 {
 		return
 	}
+	owner.GetObjectKind().SetGroupVersionKind(gvk)
 	for _, ownerRef := range ownerRefs {
 		if isOwnerOf(owner, ownerRef) {
 			return true
@@ -84,12 +84,13 @@ func IsOwnerOf(owner, owned client.Object) (isOwner bool) {
 }
 
 // IsControllerOf determines whether one object is listed as the controller of another object within its
-// OwnerReferences.
-func IsControllerOf(controller, controlled client.Object) (isController bool) {
+// OwnerReferences.  Requires GVK due to https://github.com/kubernetes/kubernetes/issues/80609.
+func IsControllerOf(gvk schema.GroupVersionKind, controller, controlled client.Object) (isController bool) {
 	ownerRefs := controlled.GetOwnerReferences()
 	if len(ownerRefs) == 0 {
 		return
 	}
+	controller.GetObjectKind().SetGroupVersionKind(gvk)
 	for _, ownerRef := range ownerRefs {
 		if isControllerOf(controller, ownerRef) {
 			return true

diff --git a/controllers/common/utils.go b/controllers/common/utils.go
@@ -18,6 +18,7 @@ package common
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"io/ioutil"
 	"os"
@@ -29,6 +30,8 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
 	discovery "k8s.io/client-go/discovery"
+	"k8s.io/client-go/rest"
+	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/config"
 
@@ -114,33 +117,42 @@ func GetClusterType(ctx context.Context, k8sClient *client.Client, cmName string
 	return
 }
 
-func clusterHasGroupVersion(gv schema.GroupVersion) (apiPresent bool, err error) {
-	cfg, err := config.GetConfig()
-	if err != nil {
-		return
-	}
+func clusterHasGroupVersion(dc *discovery.DiscoveryClient, gv schema.GroupVersion) (apiPresent bool, err error) {
+	if dc == nil {
+		var cfg *rest.Config
+		if cfg, err = config.GetConfig(); err != nil {
+			return
+		}
 
-	discoveryClient, err := discovery.NewDiscoveryClientForConfig(cfg)
-	if err != nil {
-		return
+		if dc, err = discovery.NewDiscoveryClientForConfig(cfg); err != nil {
+			return
+		}
 	}
 
 	groupVersion := strings.Join([]string{gv.Group, gv.Version}, "/")
-	resources, err := discoveryClient.ServerResourcesForGroupVersion(groupVersion)
+	resources, err := dc.ServerResourcesForGroupVersion(groupVersion)
 	if err != nil || resources == nil {
 		return false, err
 	}
 
 	return true, nil
 }
 
-func ClusterHasRouteGroupVersion() (found bool) {
-	found, _ = clusterHasGroupVersion(routev1.GroupVersion)
+func ClusterHasRouteGroupVersion(dc *discovery.DiscoveryClient) (found bool) {
+	found, _ = clusterHasGroupVersion(dc, routev1.GroupVersion)
+	return
+}
+
+func ClusterHasOpenShiftConfigGroupVerison(dc *discovery.DiscoveryClient) (found bool) {
+	found, _ = clusterHasGroupVersion(dc, osconfigv1.GroupVersion)
 	return
 }
 
-func ClusterHasOpenShiftConfigGroupVerison() (found bool) {
-	found, _ = clusterHasGroupVersion(osconfigv1.GroupVersion)
+func ClusterHasCertificateV1Alpha1(dc *discovery.DiscoveryClient) (found bool) {
+	found, _ = clusterHasGroupVersion(dc, schema.GroupVersion{
+		Group:   "certmanager.k8s.io",
+		Version: "v1alpha1",
+	})
 	return
 }
 
@@ -260,3 +272,30 @@ func GetBindInfoRefreshMap() map[string]string {
 		"bindinfoRefresh/secret":    DatastoreEDBSecretName,
 	}
 }
+
+// ReduceSubreconcilerResultsAndErrors takes a slice of Result pointers and a slice of errors and reduces them to a
+// single Result pointer and error to be used in a subreconciler.Evaluate call.
+func ReduceSubreconcilerResultsAndErrors(results []*ctrl.Result, errs []error) (result *ctrl.Result, err error) {
+	err = errors.Join(errs...)
+	for _, r := range results {
+		if r == nil {
+			continue
+		}
+		if result == nil {
+			result = &ctrl.Result{}
+			*result = *r
+			continue
+		}
+		if r.Requeue {
+			result.Requeue = true
+		}
+		// Always use exponential back off for results that have errors
+		if err != nil {
+			result.RequeueAfter = 0
+		} else if r.RequeueAfter > result.RequeueAfter {
+			result.RequeueAfter = r.RequeueAfter
+		}
+	}
+
+	return
+}