feat(cert): add cryostat CA cert to target namespaces

[mwangggg]

Welcome to Cryostat! 👋

Before contributing, make sure you have:

• Read the contributing guidelines
• Linked a relevant issue which this PR resolves
• Linked any other relevant issues, PR's, or documentation, if any
• Resolved all conflicts, if any
• Rebased your branch PR on top of the latest upstream main branch
• Attached at least one of the following labels to the PR: [chore, ci, docs, feat, fix, test]
• Signed all commits: git commit -S -m "YOUR_COMMIT_MESSAGE"

---

Fixes: #595

[mwangggg]

/build_test

[mwangggg]

https://github.com/cryostatio/cryostat-operator/actions/runs/6630750805

[ebaron]

Sorry to complicate things further, but since these secrets will be in different namespaces from the CR, they cannot be owned by the CR. This means we can't leverage Kubernetes garbage collection to clean them up when the CR is deleted. The get around this we can use the existing finalizer to manually delete the secrets when the user attempts to delete the CR.

Here's where we use finalizers in the operator currently:

cryostat-operator/internal/controllers/reconciler.go

Lines 126 to 148 in 3f928ca

	// Check if this Cryostat is being deleted
	if cr.Object.GetDeletionTimestamp() != nil {
	if controllerutil.ContainsFinalizer(cr.Object, cryostatFinalizer) {
	// Perform finalizer logic related to RBAC objects
	err := r.finalizeRBAC(ctx, cr)
	if err != nil {
	return reconcile.Result{}, err
	}
	// OpenShift-specific
	err = r.finalizeOpenShift(ctx, cr)
	if err != nil {
	return reconcile.Result{}, err
	}
	err = common.RemoveFinalizer(ctx, r.Client, cr.Object, cryostatFinalizer)
	if err != nil {
	return reconcile.Result{}, err
	}
	}
	// Ready for deletion
	return reconcile.Result{}, nil
	}

We'll want want to add something here like finalizeTLS that runs the deletion logic you've added already, but in this case it would be for all target namespaces.

[ebaron]

Hi Ming! Just a few more comments. Are you planning to add some tests for these changes? I can help you get started with them

[mwangggg]

/build_test

[mwangggg]

https://github.com/cryostatio/cryostat-operator/actions/runs/6817721645

[ebaron]

Hi @mwangggg, sorry it took me a while to get back to this PR. I have some more suggestions below. If you have any questions about them, please let me know.

[mwangggg]

/build_test

[mwangggg]

https://github.com/cryostatio/cryostat-operator/actions/runs/6907075648

[ebaron]

Oh whoops, I noticed while testing this in OpenShift that we need to be more selective with what we copy from the Secret. cert-manager includes the private key in addition to the certificate in the CA secret. We definitely don't want to copy that all over the cluster.

I've made some suggestions below to remedy this.

[ebaron]

Hi @mwangggg, sorry for the delay on this. This one thing jumped out at me.

[ebaron]

Hi Ming, a few more comments below.

[mwangggg]

/build_test

[ebaron]

Looks good! Thanks for the great work!