feat(deploy): separate -storage and -db pods

internal/controllers/certmanager.go

@@ -24,6 +24,7 @@ import (
 	"github.com/cryostatio/cryostat-operator/internal/controllers/common"
 	resources "github.com/cryostatio/cryostat-operator/internal/controllers/common/resource_definitions"
 	"github.com/cryostatio/cryostat-operator/internal/controllers/model"
+	"github.com/google/go-cmp/cmp"
 	corev1 "k8s.io/api/core/v1"
 	kerrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/meta"
@@ -414,25 +415,43 @@ func (r *Reconciler) reconcileAgentCertificate(ctx context.Context, cert *certv1
 	return nil
 }
 
+var errCertificateModified error = errors.New("certificate has been modified")
+
 func (r *Reconciler) createOrUpdateCertificate(ctx context.Context, cert *certv1.Certificate, owner metav1.Object) error {
-	certSpec := cert.Spec.DeepCopy()
+	certCopy := cert.DeepCopy()
 	op, err := controllerutil.CreateOrUpdate(ctx, r.Client, cert, func() error {
 		if owner != nil {
 			if err := controllerutil.SetControllerReference(owner, cert, r.Scheme); err != nil {
 				return err
 			}
 		}
-		// Update Certificate spec
-		cert.Spec = *certSpec
+
+		if cert.CreationTimestamp.IsZero() {
+			cert.Spec = certCopy.Spec
+		} else if !cmp.Equal(cert.Spec, certCopy.Spec) {
+			return errCertificateModified
+		}
+
 		return nil
 	})
 	if err != nil {
+		if err == errCertificateModified {
+			return r.recreateCertificate(ctx, certCopy, owner)
+		}
 		return err
 	}
 	r.Log.Info(fmt.Sprintf("Certificate %s", op), "name", cert.Name, "namespace", cert.Namespace)
 	return nil
 }
 
+func (r *Reconciler) recreateCertificate(ctx context.Context, cert *certv1.Certificate, owner metav1.Object) error {
+	err := r.deleteCertWithSecret(ctx, cert)
+	if err != nil {
+		return err
+	}
+	return r.createOrUpdateCertificate(ctx, cert, owner)
+}
+
 func newKeystoreSecret(cr *model.CryostatInstance) *corev1.Secret {
 	return &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{

internal/controllers/reconciler_test.go

@@ -1842,6 +1842,66 @@ func (c *controllerTest) commonTests() {
 				t.expectCertificates()
 			})
 		})
+		Context("with modified certificates", func() {
+			var oldCerts []*certv1.Certificate
+			BeforeEach(func() {
+				t.objs = append(t.objs, t.NewCryostat().Object, t.OtherCAIssuer())
+				oldCerts = []*certv1.Certificate{
+					t.OtherCACert(),
+					t.OtherAgentProxyCert(),
+					t.OtherCryostatCert(),
+					t.OtherReportsCert(),
+				}
+				// Add an annotation for each cert, the test will assert that
+				// the annotation is gone.
+				for i, cert := range oldCerts {
+					metav1.SetMetaDataAnnotation(&oldCerts[i].ObjectMeta, "bad", "cert")
+					t.objs = append(t.objs, cert)
+				}
+			})
+			JustBeforeEach(func() {
+				cr := t.getCryostatInstance()
+				for _, cert := range oldCerts {
+					// Make the old certs owned by the Cryostat CR
+					err := controllerutil.SetControllerReference(cr.Object, cert, t.Client.Scheme())
+					Expect(err).ToNot(HaveOccurred())
+					err = t.Client.Update(context.Background(), cert)
+					Expect(err).ToNot(HaveOccurred())
+				}
+				t.reconcileCryostatFully()
+			})
+			It("should recreate certificates", func() {
+				t.expectCertificates()
+			})
+		})
+		Context("with a modified certificate TLS CommonName", func() {
+			var oldCerts []*certv1.Certificate
+			BeforeEach(func() {
+				oldCerts = []*certv1.Certificate{
+					t.NewCryostatCert(),
+					t.NewReportsCert(),
+					t.NewAgentProxyCert(),
+				}
+				t.objs = append(t.objs, t.NewCryostat().Object, t.OtherCAIssuer())
+				for _, cert := range oldCerts {
+					t.objs = append(t.objs, cert)
+				}
+			})
+			JustBeforeEach(func() {
+				cr := t.getCryostatInstance()
+				for _, cert := range oldCerts {
+					// Make the old certs owned by the Cryostat CR
+					err := controllerutil.SetControllerReference(cr.Object, cert, t.Client.Scheme())
+					Expect(err).ToNot(HaveOccurred())
+					err = t.Client.Update(context.Background(), cert)
+					Expect(err).ToNot(HaveOccurred())
+				}
+				t.reconcileCryostatFully()
+			})
+			It("should recreate certificates", func() {
+				t.expectCertificates()
+			})
+		})
 
 		Context("reconciling a multi-namespace request", func() {
 			targetNamespaces := []string{"multi-test-one", "multi-test-two"}

internal/test/resources.go

@@ -1232,6 +1232,12 @@ func (r *TestResources) NewCryostatCert() *certv1.Certificate {
 	}
 }
 
+func (r *TestResources) OtherCryostatCert() *certv1.Certificate {
+	cert := r.NewCryostatCert()
+	cert.Spec.CommonName = fmt.Sprintf("%s.%s.svc", r.Name, r.Namespace)
+	return cert
+}
+
 func (r *TestResources) NewReportsCert() *certv1.Certificate {
 	return &certv1.Certificate{
 		ObjectMeta: metav1.ObjectMeta{
@@ -1284,6 +1290,12 @@ func (r *TestResources) NewDatabaseCert() *certv1.Certificate {
 	}
 }
 
+func (r *TestResources) OtherReportsCert() *certv1.Certificate {
+	cert := r.NewReportsCert()
+	cert.Spec.CommonName = fmt.Sprintf("%s-reports.%s.svc", r.Name, r.Namespace)
+	return cert
+}
+
 func (r *TestResources) NewAgentProxyCert() *certv1.Certificate {
 	return &certv1.Certificate{
 		ObjectMeta: metav1.ObjectMeta{
@@ -1336,6 +1348,12 @@ func (r *TestResources) NewStorageCert() *certv1.Certificate {
 	}
 }
 
+func (r *TestResources) OtherAgentProxyCert() *certv1.Certificate {
+	cert := r.NewAgentProxyCert()
+	cert.Spec.CommonName = fmt.Sprintf("%s-agent.%s.svc", r.Name, r.Namespace)
+	return cert
+}
+
 func (r *TestResources) NewCACert() *certv1.Certificate {
 	return &certv1.Certificate{
 		ObjectMeta: metav1.ObjectMeta{
@@ -1353,6 +1371,13 @@ func (r *TestResources) NewCACert() *certv1.Certificate {
 	}
 }
 
+func (r *TestResources) OtherCACert() *certv1.Certificate {
+	cert := r.NewCACert()
+	cert.Spec.CommonName = fmt.Sprintf("ca.%s.cert-manager", r.Name)
+	cert.Spec.SecretName = r.Name + "-ca"
+	return cert
+}
+
 func (r *TestResources) NewAgentCert(namespace string) *certv1.Certificate {
 	name := r.getClusterUniqueNameForAgent(namespace)
 	return &certv1.Certificate{