chore: remove unused certificates

Signed-off-by: Suleyman Akbas <[email protected]>

Dockerfile

@@ -29,7 +29,6 @@ FROM --platform=$TARGETPLATFORM registry.access.redhat.com/ubi9/ubi-minimal:9.2
 
 # Update the image to get the latest CVE updates
 RUN microdnf update -y && \
-    microdnf install -y openssl && \
     microdnf install -y util-linux && \
     microdnf clean all
 

config/crd/kustomization.yaml

@@ -18,21 +18,6 @@ patches:
       name: lvmclusters.lvm.topolvm.io
     path: patches/additionalPrinterColumn_in_lvmcluster.yaml
 
-patchesStrategicMerge:
-# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
-# patches here are for enabling the conversion webhook for each CRD
-#- patches/webhook_in_lvmclusters.yaml
-#- patches/webhook_in_lvmvolumegroups.yaml
-#- patches/webhook_in_lvmvolumegroupnodestatuses.yaml
-#+kubebuilder:scaffold:crdkustomizewebhookpatch
-
-# [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
-# patches here are for enabling the CA injection for each CRD
-#- patches/cainjection_in_lvmclusters.yaml
-#- patches/cainjection_in_lvmvolumegroups.yaml
-#- patches/cainjection_in_lvmvolumegroupnodestatuses.yaml
-#+kubebuilder:scaffold:crdkustomizecainjectionpatch
-
 # the following config is for teaching kustomize how to do kustomization for CRDs.
 configurations:
 - kustomizeconfig.yaml

config/default/kustomization.yaml

@@ -12,34 +12,18 @@ namespace: openshift-storage
 #commonLabels:
 #  someName: someValue
 
-# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
-# crd/kustomization.yaml
-#- ../webhook
-# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required.
-#- ../certmanager
-
 # Protect the /metrics endpoint by putting it behind auth.
 # If you want your controller-manager to expose the /metrics
 # endpoint w/o any authn/z, please comment the following line.
 patchesStrategicMerge:
 - manager_auth_proxy_patch.yaml
 - manager_custom_env.yaml
 - manager_webhook_patch.yaml
-- webhookcainjection_patch.yaml
 
 # Mount the controller config file for loading manager configurations
 # through a ComponentConfig type
 #- manager_config_patch.yaml
 
-# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
-# crd/kustomization.yaml
-#- manager_webhook_patch.yaml
-
-# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'.
-# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
-# 'CERTMANAGER' needs to be enabled to use ca injection
-#- webhookcainjection_patch.yaml
-
 # the following config is for teaching kustomize how to do var substitution
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization

config/manifests/kustomization.yaml

@@ -5,23 +5,3 @@ resources:
 - ../default
 - ../samples
 - ../scorecard
-
-# [WEBHOOK] To enable webhooks, uncomment all the sections with [WEBHOOK] prefix.
-# Do NOT uncomment sections with prefix [CERTMANAGER], as OLM does not support cert-manager.
-# These patches remove the unnecessary "cert" volume and its manager container volumeMount.
-#patchesJson6902:
-#- target:
-#    group: apps
-#    version: v1
-#    kind: Deployment
-#    name: controller-manager
-#    namespace: system
-#  patch: |-
-#    # Remove the manager container's "cert" volumeMount, since OLM will create and mount a set of certs.
-#    # Update the indices in this path if adding or removing containers/volumeMounts in the manager's Deployment.
-#    - op: remove
-#      path: /spec/template/spec/containers/1/volumeMounts/0
-#    # Remove the "cert" volume, since OLM will create and mount a set of certs.
-#    # Update the indices in this path if adding or removing volumes in the manager's Deployment.
-#    - op: remove
-#      path: /spec/template/spec/volumes/0

config/webhook/kustomizeconfig.yaml

@@ -4,18 +4,11 @@ nameReference:
 - kind: Service
   version: v1
   fieldSpecs:
-  - kind: MutatingWebhookConfiguration
-    group: admissionregistration.k8s.io
-    path: webhooks/clientConfig/service/name
   - kind: ValidatingWebhookConfiguration
     group: admissionregistration.k8s.io
     path: webhooks/clientConfig/service/name
 
 namespace:
-- kind: MutatingWebhookConfiguration
-  group: admissionregistration.k8s.io
-  path: webhooks/clientConfig/service/namespace
-  create: true
 - kind: ValidatingWebhookConfiguration
   group: admissionregistration.k8s.io
   path: webhooks/clientConfig/service/namespace

controllers/constants.go

@@ -52,9 +52,6 @@ const (
 	VgManagerMemRequest = "45Mi"
 	VgManagerCPURequest = "2m"
 
-	CertGeneratorMemRequest = "15Mi"
-	CertGeneratorCPURequest = "1m"
-
 	// topoLVM Node resource requests
 	TopolvmNodeMemRequest = "25Mi"
 	TopolvmNodeCPURequest = "1m"

controllers/topolvm_controller.go

@@ -23,6 +23,7 @@ import (
 
 	v1 "github.com/openshift/api/config/v1"
 	lvmv1alpha1 "github.com/openshift/lvm-operator/api/v1alpha1"
+
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
@@ -52,7 +53,7 @@ func (c topolvmController) ensureCreated(r *LVMClusterReconciler, ctx context.Co
 	logger := log.FromContext(ctx).WithValues("resourceManager", c.getName())
 
 	// get the desired state of topolvm controller deployment
-	desiredDeployment := getControllerDeployment(r.Namespace, r.ImageName, r.TopoLVMLeaderElectionPassthrough)
+	desiredDeployment := getControllerDeployment(r.Namespace, r.TopoLVMLeaderElectionPassthrough)
 	existingDeployment := &appsv1.Deployment{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      desiredDeployment.Name,
@@ -73,7 +74,6 @@ func (c topolvmController) ensureCreated(r *LVMClusterReconciler, ctx context.Co
 		// for update, topolvm controller is interested in only updating container images
 		// labels, volumes, service account etc can remain unchanged
 		existingDeployment.Spec.Template.Spec.Containers = desiredDeployment.Spec.Template.Spec.Containers
-		existingDeployment.Spec.Template.Spec.InitContainers = desiredDeployment.Spec.Template.Spec.InitContainers
 
 		return nil
 	})
@@ -96,16 +96,11 @@ func (c topolvmController) ensureDeleted(r *LVMClusterReconciler, ctx context.Co
 	return nil
 }
 
-func getControllerDeployment(namespace string, initImage string, topoLVMLeaderElectionPassthrough v1.LeaderElection) *appsv1.Deployment {
+func getControllerDeployment(namespace string, topoLVMLeaderElectionPassthrough v1.LeaderElection) *appsv1.Deployment {
 	// Topolvm CSI Controller Deployment
 	var replicas int32 = 1
 	volumes := []corev1.Volume{
 		{Name: "socket-dir", VolumeSource: corev1.VolumeSource{EmptyDir: &corev1.EmptyDirVolumeSource{}}},
-		{Name: "certs", VolumeSource: corev1.VolumeSource{EmptyDir: &corev1.EmptyDirVolumeSource{}}},
-	}
-
-	initContainers := []corev1.Container{
-		initContainer(initImage),
 	}
 
 	// get all containers that are part of csi controller deployment
@@ -147,7 +142,6 @@ func getControllerDeployment(namespace string, initImage string, topoLVMLeaderEl
 					Labels:    labels,
 				},
 				Spec: corev1.PodSpec{
-					InitContainers:     initContainers,
 					Containers:         containers,
 					ServiceAccountName: TopolvmControllerServiceAccount,
 					Volumes:            volumes,
@@ -157,39 +151,12 @@ func getControllerDeployment(namespace string, initImage string, topoLVMLeaderEl
 	}
 }
 
-func initContainer(initImage string) corev1.Container {
-
-	// generation of tls certs
-	command := []string{
-		"/usr/bin/bash",
-		"-c",
-		"openssl req -nodes -x509 -newkey rsa:4096 -subj '/DC=self_signed_certificate' -keyout /certs/tls.key -out /certs/tls.crt -days 3650",
-	}
-
-	volumeMounts := []corev1.VolumeMount{
-		{Name: "certs", MountPath: "/certs"},
-	}
-
-	return corev1.Container{
-		Name:         "self-signed-cert-generator",
-		Image:        initImage,
-		Command:      command,
-		VolumeMounts: volumeMounts,
-		Resources: corev1.ResourceRequirements{
-			Requests: corev1.ResourceList{
-				corev1.ResourceCPU:    resource.MustParse(CertGeneratorCPURequest),
-				corev1.ResourceMemory: resource.MustParse(CertGeneratorMemRequest),
-			},
-		},
-	}
-}
-
 func controllerContainer(topoLVMLeaderElectionPassthrough v1.LeaderElection) corev1.Container {
 
 	// topolvm controller plugin container
 	command := []string{
 		"/topolvm-controller",
-		"--cert-dir=/certs",
+		"--enable-webhooks=false",
 		fmt.Sprintf("--leader-election-namespace=%s", topoLVMLeaderElectionPassthrough.Namespace),
 		fmt.Sprintf("--leader-election-lease-duration=%s", topoLVMLeaderElectionPassthrough.LeaseDuration.Duration),
 		fmt.Sprintf("--leader-election-renew-deadline=%s", topoLVMLeaderElectionPassthrough.RenewDeadline.Duration),
@@ -205,7 +172,6 @@ func controllerContainer(topoLVMLeaderElectionPassthrough v1.LeaderElection) cor
 
 	volumeMounts := []corev1.VolumeMount{
 		{Name: "socket-dir", MountPath: filepath.Dir(DefaultCSISocket)},
-		{Name: "certs", MountPath: "/certs"},
 	}
 
 	return corev1.Container{

docs/design/lvm-operator-manager.md

@@ -33,7 +33,7 @@ The `csiDriver` reconcile unit creates the TopoLVM `CSIDriver` resource.
 
 ### TopoLVM Controller
 
-The `topolvmController` reconcile unit is responsible for deploying a single instance of the TopoLVM controller plugin deployment and ensuring that any necessary updates are made to the deployment. As part of this process, an init container is used to generate openssl certificates that are utilized by the TopoLVM Controller. However, it should be noted that this method will be replaced with the use of cert-manager in the near future.
+The `topolvmController` reconcile unit is responsible for deploying a single instance of the TopoLVM controller plugin deployment and ensuring that any necessary updates are made to the deployment.
 
 ### Topolvm Node and lvmd