tmp

cryostatio · Nov 1, 2023 · 923c1cb · 923c1cb
1 parent 46e912b
commit 923c1cb
Showing 1 changed file with 30 additions and 17 deletions.
diff --git a/internal/controllers/certmanager.go b/internal/controllers/certmanager.go
@@ -68,23 +68,6 @@ func (r *Reconciler) setupTLS(ctx context.Context, cr *model.CryostatInstance) (
 		return nil, err
 	}
 
-	// Create a Cryostat CA certificate in each target namespace
-	for _, ns := range cr.TargetNamespaces {
-		cryostatCert := resources.NewCryostatCACert(cr, ns)
-		err := r.createOrUpdateCertificate(ctx, cryostatCert, cr.Object)
-		if err != nil {
-			return nil, err
-		}
-	}
-	// Delete any Cryostat CA certificates in target namespaces that are no longer requested
-	for _, ns := range toDelete(cr) {
-		cryostatCert := resources.NewCryostatCACert(cr, ns)
-		err := r.deleteCert(ctx, cryostatCert)
-		if err != nil {
-			return nil, err
-		}
-	}
-
 	// Create secret to hold keystore password
 	keystoreSecret := newKeystoreSecret(cr)
 	err = r.createOrUpdateKeystoreSecret(ctx, keystoreSecret, cr.Object)
@@ -139,6 +122,27 @@ func (r *Reconciler) setupTLS(ctx context.Context, cr *model.CryostatInstance) (
 		return nil, err
 	}
 
+	// Copy Cryostat CA secret in each target namespace
+	for _, ns := range cr.TargetNamespaces {
+		secret, err := r.GetCertificateSecret(ctx, caCert)
+		if err != nil {
+			return nil, err
+		}
+		namespaceSecret := copySecret(secret, ns)
+	}
+	// Delete any Cryostat CA secrets in target namespaces that are no longer requested
+	for _, ns := range toDelete(cr) {
+		secret, err := r.GetCertificateSecret(ctx, caCert)
+		if err != nil {
+			return nil, err
+		}
+		namespaceSecret := copySecret(secret, ns)
+		err = r.deleteSecret(ctx, namespaceSecret)
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	// Get the Cryostat CA certificate bytes from certificate secret
 	caBytes, err := r.getCertficateBytes(ctx, caCert)
 	if err != nil {
@@ -182,6 +186,15 @@ func secretForCertificate(cert *certv1.Certificate) *corev1.Secret {
 	}
 }
 
+func copySecret(secret *corev1.Secret, namespace string) *corev1.Secret {
+	return &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      secret.Name,
+			Namespace: namespace,
+		},
+	}
+}
+
 func (r *Reconciler) certManagerAvailable() (bool, error) {
 	// Check if cert-manager API is available. Checking just one should be enough.
 	_, err := r.RESTMapper.RESTMapping(schema.GroupKind{