PolicyRecommendation controller overwrites tigera-ca bundle per tenant

pkg/controller/policyrecommendation/policyrecommendation_controller.go

@@ -124,6 +124,7 @@ func Add(mgr manager.Manager, opts options.AddOptions) error {
 			certificatemanagement.CASecretName,
 			render.ManagerInternalTLSSecretName,
 			render.TigeraLinseedSecret,
+			render.PolicyRecommendationTLSSecretName,
 		} {
 			if err = utils.AddSecretsWatch(c, secretName, namespace); err != nil {
 				return fmt.Errorf("policy-recommendation-controller failed to watch the secret '%s' in '%s' namespace: %w", secretName, namespace, err)
@@ -349,31 +350,10 @@ func (r *ReconcilePolicyRecommendation) Reconcile(ctx context.Context, request r
 	}
 
 	logc.V(3).Info("rendering components")
-	policyRecommendationCfg := &render.PolicyRecommendationConfiguration{
-		ClusterDomain:        r.clusterDomain,
-		Installation:         installation,
-		ManagedCluster:       isManagedCluster,
-		PullSecrets:          pullSecrets,
-		Openshift:            r.provider == operatorv1.ProviderOpenShift,
-		UsePSP:               r.usePSP,
-		Namespace:            helper.InstallNamespace(),
-		Tenant:               tenant,
-		BindingNamespaces:    bindNamespaces,
-		PolicyRecommendation: policyRecommendation,
-		ExternalElastic:      r.externalElastic,
-	}
-
-	// Render the desired objects from the CRD and create or update them.
-	component := render.PolicyRecommendation(policyRecommendationCfg)
-
-	if err = imageset.ApplyImageSet(ctx, r.client, variant, component); err != nil {
-		r.status.SetDegraded(operatorv1.ResourceUpdateError, "Error with images from ImageSet", err, logc)
-		return reconcile.Result{}, err
-	}
-
-	components := []render.Component{
-		component,
-	}
+	var policyRecommendationKeyPair certificatemanagement.KeyPairInterface
+	var trustedBundleRO certificatemanagement.TrustedBundleRO
+	var trustedBundleRW certificatemanagement.TrustedBundle
+	var components []render.Component
 
 	if !isManagedCluster {
 		opts := []certificatemanager.Option{
@@ -406,19 +386,28 @@ func (r *ReconcilePolicyRecommendation) Reconcile(ctx context.Context, request r
 			return reconcile.Result{}, nil
 		}
 
-		trustedBundle := certificateManager.CreateTrustedBundle(managerInternalTLSSecret, linseedCertificate)
-
 		// policyRecommendationKeyPair is the key pair policy recommendation presents to identify itself
-		policyRecommendationKeyPair, err := certificateManager.GetOrCreateKeyPair(r.client, render.PolicyRecommendationTLSSecretName, helper.TruthNamespace(), []string{render.PolicyRecommendationTLSSecretName})
+		policyRecommendationKeyPair, err = certificateManager.GetOrCreateKeyPair(r.client, render.PolicyRecommendationTLSSecretName, helper.TruthNamespace(), []string{render.PolicyRecommendationTLSSecretName})
 		if err != nil {
 			r.status.SetDegraded(operatorv1.ResourceCreateError, "Error creating TLS certificate", err, logc)
 			return reconcile.Result{}, err
 		}
 
 		certificateManager.AddToStatusManager(r.status, helper.InstallNamespace())
 
-		policyRecommendationCfg.TrustedBundle = trustedBundle
-		policyRecommendationCfg.PolicyRecommendationCertSecret = policyRecommendationKeyPair
+		if !r.multiTenant {
+			// Zero-tenant and single tenant setups install resources inside tigera-policy-recommendation namespace. Thus,
+			// we need to create a tigera-ca-bundle inside this namespace in order to allow communication with Linseed
+			trustedBundleRW = certificateManager.CreateTrustedBundle(managerInternalTLSSecret, linseedCertificate)
+			trustedBundleRO = trustedBundleRW.(certificatemanagement.TrustedBundleRO)
+		} else {
+			// Multi-tenant setups need to load the bundle the created by pkg/controller/secrets/tenant_controller.go
+			trustedBundleRO, err = certificateManager.LoadTrustedBundle(ctx, r.client, helper.InstallNamespace())
+			if err != nil {
+				r.status.SetDegraded(operatorv1.ResourceReadError, "Error getting trusted bundle", err, logc)
+				return reconcile.Result{}, err
+			}
+		}
 
 		components = append(components,
 			rcertificatemanagement.CertificateManagement(&rcertificatemanagement.Config{
@@ -428,7 +417,11 @@ func (r *ReconcilePolicyRecommendation) Reconcile(ctx context.Context, request r
 				KeyPairOptions: []rcertificatemanagement.KeyPairOption{
 					rcertificatemanagement.NewKeyPairOption(policyRecommendationKeyPair, true, true),
 				},
-				TrustedBundle: trustedBundle,
+				// Zero and single tenant setups need to create tigera-ca-bundle configmap because we install resources
+				// in namespace tigera-policy-recommendation
+				// Multi-tenant setups need to use the config map that was created by pkg/controller/secrets/tenant_controller.go
+				// in the tenant namespace. This parameter needs to be nil in this case
+				TrustedBundle: trustedBundleRW,
 			}),
 		)
 	}
@@ -439,6 +432,31 @@ func (r *ReconcilePolicyRecommendation) Reconcile(ctx context.Context, request r
 		return reconcile.Result{}, nil
 	}
 
+	policyRecommendationCfg := &render.PolicyRecommendationConfiguration{
+		ClusterDomain:                  r.clusterDomain,
+		Installation:                   installation,
+		ManagedCluster:                 isManagedCluster,
+		PullSecrets:                    pullSecrets,
+		Openshift:                      r.provider == operatorv1.ProviderOpenShift,
+		UsePSP:                         r.usePSP,
+		Namespace:                      helper.InstallNamespace(),
+		Tenant:                         tenant,
+		BindingNamespaces:              bindNamespaces,
+		ExternalElastic:                r.externalElastic,
+		TrustedBundle:                  trustedBundleRO,
+		PolicyRecommendationCertSecret: policyRecommendationKeyPair,
+	}
+
+	// Render the desired objects from the CRD and create or update them.
+	component := render.PolicyRecommendation(policyRecommendationCfg)
+
+	if err = imageset.ApplyImageSet(ctx, r.client, variant, component); err != nil {
+		r.status.SetDegraded(operatorv1.ResourceUpdateError, "Error with images from ImageSet", err, logc)
+		return reconcile.Result{}, err
+	}
+
+	// Prepend PolicyRecommendation before certificate creation
+	components = append([]render.Component{component}, components...)
 	for _, cmp := range components {
 		if err := handler.CreateOrUpdateOrDelete(context.Background(), cmp, r.status); err != nil {
 			r.status.SetDegraded(operatorv1.ResourceUpdateError, "Error creating / updating resource", err, logc)

pkg/controller/policyrecommendation/policyrecommendation_controller_test.go

@@ -86,6 +86,7 @@ var _ = Describe("PolicyRecommendation controller tests", func() {
 		mockStatus.On("SetDegraded", operatorv1.ResourceUpdateError, mock.AnythingOfType("string"), mock.Anything, mock.Anything).Return().Maybe()
 		mockStatus.On("SetDegraded", operatorv1.ResourceNotFound, mock.AnythingOfType("string"), mock.Anything, mock.Anything).Return().Maybe()
 		mockStatus.On("SetDegraded", operatorv1.ResourceNotReady, mock.AnythingOfType("string"), mock.Anything, mock.Anything).Return().Maybe()
+		mockStatus.On("SetDegraded", operatorv1.ResourceCreateError, mock.AnythingOfType("string"), mock.Anything, mock.Anything).Return().Maybe()
 		mockStatus.On("ReadyToMonitor")
 		mockStatus.On("RemoveCertificateSigningRequests", mock.Anything)
 		mockStatus.On("SetMetaData", mock.Anything).Return()
@@ -412,6 +413,40 @@ var _ = Describe("PolicyRecommendation controller tests", func() {
 				err = test.GetResource(c, &tenantBServiceAccount)
 				Expect(err).ShouldNot(HaveOccurred())
 			})
+
+			It("should not create the trusted bundle config map as it will be created by the tenant controller", func() {
+				// Create the Tenant resources for tenant-a
+				tenantA := &operatorv1.Tenant{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "default",
+						Namespace: tenantANamespace,
+					},
+					Spec: operatorv1.TenantSpec{ID: "tenant-a"},
+				}
+				Expect(c.Create(ctx, tenantA)).NotTo(HaveOccurred())
+
+				Expect(c.Create(ctx, &operatorv1.PolicyRecommendation{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "tigera-secure",
+						Namespace: tenantANamespace,
+					},
+				})).NotTo(HaveOccurred())
+
+				// Now reconcile only tenant A's namespace and expect an error
+				_, err := r.Reconcile(ctx, reconcile.Request{NamespacedName: types.NamespacedName{Namespace: tenantANamespace}})
+				Expect(err).Should(HaveOccurred())
+				Expect(err.Error()).Should(ContainSubstring("CA secret"))
+
+				// Create a CA secret for the test, and create its KeyPair.
+				certificateManagerTenantA, err := certificatemanager.Create(c, nil, "", tenantANamespace, certificatemanager.AllowCACreation(), certificatemanager.WithTenant(tenantA))
+				Expect(err).NotTo(HaveOccurred())
+				Expect(c.Create(ctx, certificateManagerTenantA.KeyPair().Secret(tenantANamespace))).NotTo(HaveOccurred())
+				Expect(c.Create(ctx, certificateManagerTenantA.CreateTrustedBundle().ConfigMap(tenantANamespace))).NotTo(HaveOccurred())
+
+				// Now reconcile tenant A's namespace and do not expect an error
+				_, err = r.Reconcile(ctx, reconcile.Request{NamespacedName: types.NamespacedName{Namespace: tenantANamespace}})
+				Expect(err).ShouldNot(HaveOccurred())
+			})
 		})
 	})
 })

pkg/controller/secrets/tenant_controller.go

@@ -90,6 +90,13 @@ func AddTenantController(mgr manager.Manager, opts options.AddOptions) error {
 		return fmt.Errorf("tenant-controller failed to watch tenant CA Secret %s in all namespace: %w", certificatemanagement.TenantCASecretName, err)
 	}
 
+	if err = utils.AddConfigMapWatch(c, certificatemanagement.TrustedCertConfigMapName, "", &handler.EnqueueRequestForObject{}); err != nil {
+		return fmt.Errorf("tenant-controller failed to watch ConfigMap resource: %w", err)
+	}
+	if err = utils.AddConfigMapWatch(c, certificatemanagement.TrustedCertConfigMapNamePublic, "", &handler.EnqueueRequestForObject{}); err != nil {
+		return fmt.Errorf("tenant-controller failed to watch ConfigMap resource: %w", err)
+	}
+
 	return nil
 }
 

pkg/render/policyrecommendation.go

@@ -68,7 +68,7 @@ type PolicyRecommendationConfiguration struct {
 	ManagedCluster                 bool
 	Openshift                      bool
 	PullSecrets                    []*corev1.Secret
-	TrustedBundle                  certificatemanagement.TrustedBundle
+	TrustedBundle                  certificatemanagement.TrustedBundleRO
 	PolicyRecommendationCertSecret certificatemanagement.KeyPairInterface
 
 	// Whether the cluster supports pod security policies.