feat(tls): enable TLS on authproxies (#813)

cryostatio · May 8, 2024 · dc5df9b · dc5df9b
1 parent 70351e1
commit dc5df9b
Show file tree

Hide file tree

Showing 12 changed files with 141 additions and 301 deletions.
diff --git a/bundle/manifests/cryostat-operator.clusterserviceversion.yaml b/bundle/manifests/cryostat-operator.clusterserviceversion.yaml
@@ -53,7 +53,7 @@ metadata:
     capabilities: Seamless Upgrades
     categories: Monitoring, Developer Tools
     containerImage: quay.io/cryostat/cryostat-operator:3.0.0-dev
-    createdAt: "2024-05-08T15:33:40Z"
+    createdAt: "2024-05-08T18:54:35Z"
     description: JVM monitoring and profiling tool
     operatorframework.io/initialization-resource: |-
       {

diff --git a/internal/controllers/certmanager.go b/internal/controllers/certmanager.go
@@ -93,14 +93,6 @@ func (r *Reconciler) setupTLS(ctx context.Context, cr *model.CryostatInstance) (
 		KeystorePassSecret: cryostatCert.Spec.Keystores.PKCS12.PasswordSecretRef.Name,
 	}
 	certificates := []*certv1.Certificate{caCert, cryostatCert, reportsCert}
-	// Create a certificate for Grafana signed by the Cryostat CA
-	grafanaCert := resources.NewGrafanaCert(cr)
-	err = r.createOrUpdateCertificate(ctx, grafanaCert, cr.Object)
-	if err != nil {
-		return nil, err
-	}
-	certificates = append(certificates, grafanaCert)
-	tlsConfig.GrafanaSecret = grafanaCert.Spec.SecretName
 
 	// Update owner references of TLS secrets created by cert-manager to ensure proper cleanup
 	err = r.setCertSecretOwner(ctx, cr.Object, certificates...)

diff --git a/internal/controllers/common/resource_definitions/certificates.go b/internal/controllers/common/resource_definitions/certificates.go
@@ -20,7 +20,6 @@ import (
 	certv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
 	certMeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
 	"github.com/cryostatio/cryostat-operator/internal/controllers/common"
-	"github.com/cryostatio/cryostat-operator/internal/controllers/constants"
 	"github.com/cryostatio/cryostat-operator/internal/controllers/model"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -109,31 +108,6 @@ func NewCryostatCert(cr *model.CryostatInstance, keystoreSecretName string) *cer
 	}
 }
 
-func NewGrafanaCert(cr *model.CryostatInstance) *certv1.Certificate {
-	return &certv1.Certificate{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      cr.Name + "-grafana",
-			Namespace: cr.InstallNamespace,
-		},
-		Spec: certv1.CertificateSpec{
-			CommonName: fmt.Sprintf("%s-grafana.%s.svc", cr.Name, cr.InstallNamespace),
-			DNSNames: []string{
-				cr.Name + "-grafana",
-				fmt.Sprintf("%s-grafana.%s.svc", cr.Name, cr.InstallNamespace),
-				fmt.Sprintf("%s-grafana.%s.svc.cluster.local", cr.Name, cr.InstallNamespace),
-				constants.HealthCheckHostname,
-			},
-			SecretName: cr.Name + "-grafana-tls",
-			IssuerRef: certMeta.ObjectReference{
-				Name: cr.Name + "-ca",
-			},
-			Usages: append(certv1.DefaultKeyUsages(),
-				certv1.UsageServerAuth,
-			),
-		},
-	}
-}
-
 func NewReportsCert(cr *model.CryostatInstance) *certv1.Certificate {
 	return &certv1.Certificate{
 		ObjectMeta: metav1.ObjectMeta{