Fix KubeadmControlPlane secrets should always be adopted

Signed-off-by: killianmuldoon <kmuldoon@vmware.com>
kubernetes-sigs · Nov 22, 2022 · 168da4c · 168da4c
1 parent 844eff2
commit 168da4c
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 8 deletions.
diff --git a/bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller.go b/bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller.go
@@ -437,12 +437,21 @@ func (r *KubeadmConfigReconciler) handleClusterNotInitialized(ctx context.Contex
 	}
 
 	certificates := secret.NewCertificatesForInitialControlPlane(scope.Config.Spec.ClusterConfiguration)
-	err = certificates.LookupOrGenerate(
-		ctx,
+
+	// Find the certificates associated with the Cluster.
+	err = certificates.Lookup(ctx,
 		r.Client,
-		util.ObjectKey(scope.Cluster),
-		*metav1.NewControllerRef(scope.Config, bootstrapv1.GroupVersion.WithKind("KubeadmConfig")),
-	)
+		util.ObjectKey(scope.Cluster))
+
+	// If the Cluster does not have a ControlPlaneReference look up and generate the certificates.
+	// If there is a ControlPlane ref look up the existing certificates.
+	if scope.Cluster.Spec.ControlPlaneRef == nil {
+		err = certificates.LookupOrGenerate(
+			ctx,
+			r.Client,
+			util.ObjectKey(scope.Cluster),
+			*metav1.NewControllerRef(scope.Config, bootstrapv1.GroupVersion.WithKind("KubeadmConfig")))
+	}
 	if err != nil {
 		conditions.MarkFalse(scope.Config, bootstrapv1.CertificatesAvailableCondition, bootstrapv1.CertificatesGenerationFailedReason, clusterv1.ConditionSeverityWarning, err.Error())
 		return ctrl.Result{}, err

diff --git a/controlplane/kubeadm/internal/controllers/controller.go b/controlplane/kubeadm/internal/controllers/controller.go
@@ -284,6 +284,9 @@ func (r *KubeadmControlPlaneReconciler) reconcile(ctx context.Context, cluster *
 		conditions.MarkFalse(kcp, controlplanev1.CertificatesAvailableCondition, controlplanev1.CertificatesGenerationFailedReason, clusterv1.ConditionSeverityWarning, err.Error())
 		return ctrl.Result{}, err
 	}
+	if err := adoptSecrets(ctx, r.Client, util.ObjectKey(cluster), certificates, *controllerRef); err != nil {
+		return ctrl.Result{}, err
+	}
 	conditions.MarkTrue(kcp, controlplanev1.CertificatesAvailableCondition)
 
 	// If ControlPlaneEndpoint is not set, return early
@@ -773,3 +776,26 @@ func (r *KubeadmControlPlaneReconciler) adoptOwnedSecrets(ctx context.Context, k
 
 	return nil
 }
+
+// adoptSecrets ensures an ownerReference to the owner is added any certificates  Kubernetes secrets.
+func adoptSecrets(ctx context.Context, ctrlclient client.Client, clusterKey client.ObjectKey, certificates secret.Certificates, owner metav1.OwnerReference) error {
+	for _, c := range certificates {
+		s := &corev1.Secret{}
+		secretKey := client.ObjectKey{Namespace: clusterKey.Namespace, Name: secret.Name(clusterKey.Name, c.Purpose)}
+		if err := ctrlclient.Get(ctx, secretKey, s); err != nil {
+			// If the secret isn't found ignore the error.
+			if !apierrors.IsNotFound(err) {
+				return errors.Wrapf(errors.WithStack(err), "failed to get Secret %s", secretKey)
+			}
+		}
+		patchHelper, err := patch.NewHelper(s, ctrlclient)
+		if err != nil {
+			return errors.Wrapf(errors.WithStack(err), "failed to create patchHelper for Secret %s", secretKey)
+		}
+		s.OwnerReferences = util.EnsureOwnerRef(s.OwnerReferences, owner)
+		if err := patchHelper.Patch(ctx, s); err != nil {
+			return errors.Wrapf(errors.WithStack(err), "failed to patch Secret %s with ownerReference %s", secretKey, owner.String())
+		}
+	}
+	return nil
+}
diff --git a/util/secret/certificates.go b/util/secret/certificates.go
@@ -263,17 +263,17 @@ func (c Certificates) SaveGenerated(ctx context.Context, ctrlclient client.Clien
 
 // LookupOrGenerate is a convenience function that wraps cluster bootstrap certificate behavior.
 func (c Certificates) LookupOrGenerate(ctx context.Context, ctrlclient client.Client, clusterName client.ObjectKey, owner metav1.OwnerReference) error {
-	// Find the certificates that exist
+	// Find the certificates that exist.
 	if err := c.Lookup(ctx, ctrlclient, clusterName); err != nil {
 		return err
 	}
 
-	// Generate the certificates that don't exist
+	// Generate the certificates that don't exist.
 	if err := c.Generate(); err != nil {
 		return err
 	}
 
-	// Save any certificates that have been generated
+	// Save any certificates that have been generated.
 	return c.SaveGenerated(ctx, ctrlclient, clusterName, owner)
 }