From dd5b66744c01731cc79215ca25f869c3ae965401 Mon Sep 17 00:00:00 2001
From: Yun-Tang Hsu
Date: Mon, 1 Jul 2024 13:33:24 -0700
Subject: [PATCH] Delete NCP created certificate in cleanup
Signed-off-by: Yun-Tang Hsu
---
 pkg/nsx/client.go | 12 ++++---
 pkg/nsx/services/common/types.go | 3 ++
 pkg/nsx/services/vpc/store.go | 9 +++++
 pkg/nsx/services/vpc/vpc.go | 57 ++++++++++++++++++++++++++++++--
 4 files changed, 74 insertions(+), 7 deletions(-)
diff --git a/pkg/nsx/client.go b/pkg/nsx/client.go
index 412b0bd1e..e72405f68 100644
--- a/pkg/nsx/client.go
+++ b/pkg/nsx/client.go
@@ -15,14 +15,15 @@ import (
 mpsearch "github.com/vmware/vsphere-automation-sdk-go/services/nsxt-mp/nsx/search"
 "github.com/vmware/vsphere-automation-sdk-go/services/nsxt-mp/nsx/trust_management"
 "github.com/vmware/vsphere-automation-sdk-go/services/nsxt-mp/nsx/trust_management/principal_identities"
+ "github.com/vmware/vsphere-automation-sdk-go/services/nsxt/infra"
 "github.com/vmware/vsphere-automation-sdk-go/services/nsxt/infra/domains"
 "github.com/vmware/vsphere-automation-sdk-go/services/nsxt/infra/domains/security_policies"
 "github.com/vmware/vsphere-automation-sdk-go/services/nsxt/infra/sites/enforcement_points"
- projects "github.com/vmware/vsphere-automation-sdk-go/services/nsxt/orgs/projects"
- infra "github.com/vmware/vsphere-automation-sdk-go/services/nsxt/orgs/projects/infra"
+ "github.com/vmware/vsphere-automation-sdk-go/services/nsxt/orgs/projects"
+ project_infra "github.com/vmware/vsphere-automation-sdk-go/services/nsxt/orgs/projects/infra"
 "github.com/vmware/vsphere-automation-sdk-go/services/nsxt/orgs/projects/infra/realized_state"
 "github.com/vmware/vsphere-automation-sdk-go/services/nsxt/orgs/projects/vpcs"
- nat "github.com/vmware/vsphere-automation-sdk-go/services/nsxt/orgs/projects/vpcs/nat"
+ "github.com/vmware/vsphere-automation-sdk-go/services/nsxt/orgs/projects/vpcs/nat"
 vpc_sp "github.com/vmware/vsphere-automation-sdk-go/services/nsxt/orgs/projects/vpcs/security_policies"
 "github.com/vmware/vsphere-automation-sdk-go/services/nsxt/orgs/projects/vpcs/subnets"
 "github.com/vmware/vsphere-automation-sdk-go/services/nsxt/orgs/projects/vpcs/subnets/ip_pools"
@@ -74,7 +75,8 @@ type Client struct {
 OrgRootClient nsx_policy.OrgRootClient
 ProjectInfraClient projects.InfraClient
 VPCClient projects.VpcsClient
- IPBlockClient infra.IpBlocksClient
+ IPBlockClient project_infra.IpBlocksClient
+ CertificateClient infra.CertificatesClient
 StaticRouteClient vpcs.StaticRoutesClient
 NATRuleClient nat.NatRulesClient
 VpcGroupClient vpcs.GroupsClient
@@ -152,7 +154,7 @@ func GetClient(cf *config.NSXOperatorConfig) *Client { orgRootClient := nsx_policy.NewOrgRootClient(restConnector(cluster)) projectInfraClient := projects.NewInfraClient(restConnector(cluster)) vpcClient := projects.NewVpcsClient(restConnector(cluster)) - ipBlockClient := infra.NewIpBlocksClient(restConnector(cluster)) + ipBlockClient := project_infra.NewIpBlocksClient(restConnector(cluster)) staticRouteClient := vpcs.NewStaticRoutesClient(restConnector(cluster)) natRulesClient := nat.NewNatRulesClient(restConnector(cluster)) vpcGroupClient := vpcs.NewGroupsClient(restConnector(cluster)) diff --git a/pkg/nsx/services/common/types.go b/pkg/nsx/services/common/types.go index 08d671dff..377ef39eb 100644 --- a/pkg/nsx/services/common/types.go +++ b/pkg/nsx/services/common/types.go @@ -28,6 +28,8 @@ const ( TagScopeNCPVIFProjectUID string = "ncp/vif_project_uid" TagScopeNCPPod string = "ncp/pod" TagScopeNCPVNETInterface string = "ncp/vnet_interface" + TagScopeNCPDefaultLBCert string = "ncp/lb_default_cert" + TagScopeNCPSecret string = "ncp/secret" TagScopeVersion string = "nsx-op/version" TagScopeCluster string = "nsx-op/cluster" TagScopeNamespace string = "nsx-op/namespace" @@ -152,6 +154,7 @@ var ( ResourceTypeChildGroup = "ChildGroup" ResourceTypeChildSecurityPolicy = "ChildSecurityPolicy" ResourceTypeChildResourceReference = "ChildResourceReference" + ResourceTypeTlsCertificate = "TlsCertificate" // ResourceTypeClusterControlPlane is used by NSXServiceAccountController ResourceTypeClusterControlPlane = "clustercontrolplane" diff --git a/pkg/nsx/services/vpc/store.go b/pkg/nsx/services/vpc/store.go index 6c5d90610..b5e4ca2c4 100644 --- a/pkg/nsx/services/vpc/store.go +++ b/pkg/nsx/services/vpc/store.go 
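Review bot: The new `CertificateClient infra.CertificatesClient` field added to Client in the previous hunk is never populated: this hunk of GetClient only swaps `ipBlockClient` to `project_infra.NewIpBlocksClient`, and the 12 changed lines the diffstat reports for pkg/nsx/client.go are fully accounted for by the import, struct and this hunk, so the patch contains no `NewCertificatesClient` call and no assignment in the Client literal. The SDK client types are interfaces, so the zero value is nil and `s.NSXClient.CertificateClient.Delete(id)` in DeleteCert (vpc.go) would panic with a nil-pointer dereference the first time Cleanup finds an NCP certificate. Add `certificateClient := infra.NewCertificatesClient(restConnector(cluster))` next to the other constructors and `CertificateClient: certificateClient,` in the struct literal, which lies outside this hunk. GetClient's body continues past the hunk.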
@@ -137,6 +137,15 @@ func (vs *VPCStore) GetByKey(key string) *model.Vpc { return nil } +// CertStore is a store to query certificate +type CertStore struct { + common.ResourceStore +} + +func (certStore *CertStore) Apply(i interface{}) error { + return nil +} + func (is *IPBlockStore) GetByIndex(index string, value string) *model.IpAddressBlock { indexResults, err := is.ResourceStore.Indexer.ByIndex(index, value) if err != nil || len(indexResults) == 0 { diff --git a/pkg/nsx/services/vpc/vpc.go b/pkg/nsx/services/vpc/vpc.go index c619c6a64..3eb2f3e03 100644 --- a/pkg/nsx/services/vpc/vpc.go +++ b/pkg/nsx/services/vpc/vpc.go @@ -173,11 +173,11 @@ func InitializeVPC(service common.Service) (*VPCService, error) { VPCService.VPCNSNetworkConfigStore = VPCNsNetworkConfigStore{ VPCNSNetworkConfigMap: make(map[string]string), } - //initialize vpc store and ip blocks store + // initialize vpc store and ip blocks store go VPCService.InitializeResourceStore(&wg, fatalErrors, common.ResourceTypeVpc, nil, VPCService.VpcStore) go VPCService.InitializeResourceStore(&wg, fatalErrors, common.ResourceTypeIPBlock, nil, VPCService.IpblockStore) - //initalize avi rule related store + // initialize avi rule related store if enableAviAllowRule { VPCService.RuleStore = &AviRuleStore{ResourceStore: common.ResourceStore{ Indexer: cache.NewIndexer(keyFuncAVI, nil), 
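Review bot: `CertStore.Apply` silently drops whatever it is given and carries no comment saying why, so a reader cannot tell whether the store is meant to be reconciled from API responses or only filled by `SearchResource`. If Apply is on the path that populates stores from search results (I cannot see SearchResource here — confirm), the certificate indexer stays empty and ListCert in vpc.go always returns nothing. If it is intentionally a query-only store, say so and drop the unused parameter name: `// Apply is a no-op: CertStore is only populated by SearchResource and is never updated from create or patch responses.` above `func (certStore *CertStore) Apply(_ interface{}) error {`. The type comment should also be a full sentence, e.g. `// CertStore is a read-only store used to query TlsCertificate objects from NSX.`; the surrounding GetByKey and GetByIndex bodies lie outside the hunk.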
@@ -259,6 +259,44 @@ func (s *VPCService) DeleteVPC(path string) error { return nil } +func (s *VPCService) ListCert() []model.TlsCertificate { + certStore := &CertStore{ResourceStore: common.ResourceStore{ + Indexer: cache.NewIndexer(keyFunc, cache.Indexers{}), + BindingType: model.TlsCertificateBindingType(), + }} + query := fmt.Sprintf("%s:%s", common.ResourceType, common.ResourceTypeTlsCertificate) + count, searcherr := s.SearchResource(common.ResourceTypeTlsCertificate, query, certStore, nil) + if searcherr != nil { + log.Error(searcherr, "failed to query certificate", "query", query) + } else { + log.V(1).Info("query certificate", "count", count) + } + certs := certStore.List() + certsSet := []model.TlsCertificate{} + for _, cert := range certs { + certsSet = append(certsSet, *cert.(*model.TlsCertificate)) + } + return certsSet +} + +func (s *VPCService) DeleteCert(id string) error { + certClient := s.NSXClient.CertificateClient + if err := certClient.Delete(id); err != nil { + return err + } + log.Info("successfully deleted NCP created certificate", "certificate", id) + return nil +} + +func isNCPCreatedCert(tags []model.Tag) bool { + for _, tag := range tags { + if *tag.Scope == common.TagScopeNCPDefaultLBCert || *tag.Scope == common.TagScopeNCPSecret { + return true + } + } + return false +} + func (s *VPCService) deleteIPBlock(path string) error { ipblockClient := s.NSXClient.IPBlockClient parts := strings.Split(path, "/") @@ -633,6 +671,21 @@ func (s *VPCService) Cleanup(ctx context.Context) error { } } + certs := s.ListCert() + log.Info("cleaning up certificates", "Count", len(certs)) + for _, cert := range certs { + select { + case <-ctx.Done(): + return errors.Join(nsxutil.TimeoutFailed, ctx.Err()) + default: + if !isNCPCreatedCert(cert.Tags) { + continue + } + if err := s.DeleteCert(*cert.Id); err != nil { + return err + } + } + } return nil }
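Review bot: `isNCPCreatedCert` dereferences `*tag.Scope` without a nil check; `model.Tag.Scope` is a pointer, so a certificate carrying a tag with no scope would panic the whole Cleanup. Guard it with `if tag.Scope == nil { continue }` before the comparison. More importantly, the match is on scope names only, and `ListCert` queries `resource_type:TlsCertificate` with no cluster condition, so on an NSX shared by several clusters Cleanup would delete the default-LB certificates and secrets that NCP created for other clusters; unless `SearchResource` itself adds a cluster tag condition to the query (not visible here), the match should also require the NCP cluster tag to equal this operator's cluster before a certificate is returned as deletable. The `successfully deleted NCP created certificate` message in DeleteCert is also broader than what the function checks, since DeleteCert deletes whatever id it is given; either move the log into the Cleanup loop or word it as `deleted certificate`. deleteIPBlock's body continues outside the hunk.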
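Review bot: `ListCert` logs a failed search and returns an empty slice, so this loop cannot tell "no certificates" from "the query failed": on a search error Cleanup logs `cleaning up certificates Count 0`, deletes nothing and still returns nil, leaving NCP certificates behind while reporting a successful cleanup. Have ListCert return `([]model.TlsCertificate, error)` and propagate `searcherr`, and return that error here the same way the DeleteCert error is returned. The log key should also be lowercase `count`, as ListCert itself uses. Cleanup's body begins outside the hunk.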