Prevent creation of ssh-keypair.old secret on Shoot creation. #5388
Just curious? Is it not nice to have just a key only, something like ShootSSHKeypairRotated? It can be set to true, indicating that the SSH keypair for the shoot nodes has been rotated at least once. Annotations also act as key-value pairs. Here we have assigned the value ShootSSHKeypairRotated: "true".
Thanks, this looks much better now!
Should we also delete all the ssh-keypair.old secrets in seed and garden if their content is equal to the ssh-keypair, i.e., if they were never rotated? This would free up some space. OTOH, maybe it's not worth the effort given that once there was at least one SSH key rotation there will always be both ssh-keypair and ssh-keypair.old, so it's just a matter of time until all shoots have both.
cc @ialidzhikov
7ce65d1 to 328decb
By this you mean the |
/lgtm
…ener#5388)
* Avoid creation of `ssh-keypair.old` secret on Shoot creation.
* Address PR feedback.
* Move logic for ssh-keypair.old secret creation to `rotateSSHKeypairSecrets` function.
* Handle `IsNotFound` error when `ssh-keypair.old` is not present in shoot namespace in seed.
* Minor modifications
* Address PR feedback from `@plkokanov`
How to categorize this PR?
/area quality
/area auto-scaling
/kind enhancement
What this PR does / why we need it:
Prevent gardenlet from creating ssh-keypair.old Secret on Shoot creation.
Which issue(s) this PR fixes:
Fixes #4527
Special notes for your reviewer:
A new annotation field gardener.cloud/ssh-keypair is added to the shoot when ssh-keypair is rotated.
Release note:
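As an added example (not code from this PR or from Gardener), the following Go program models the secret lifecycle the PR and the review discussion describe, using an in-memory stand-in for the shoot namespace instead of the Kubernetes client. EnsureKeypair creates only ssh-keypair on shoot creation; RotateKeypair is the one place that writes ssh-keypair.old and it sets the gardener.cloud/ssh-keypair annotation on the shoot; PruneUnrotatedOld implements the reviewer's suggestion of deleting an ssh-keypair.old whose content equals ssh-keypair, and treats a missing secret as a no-op in the spirit of the IsNotFound handling mentioned in the commit message. The Secret and Store types, the annotation value "true", the use of an ed25519 key, and the data keys id_ed25519 and id_ed25519.pub are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

const (
	keypairSecretName    = "ssh-keypair"     // live keypair, as named in the PR
	oldKeypairSecretName = "ssh-keypair.old" // previous keypair, as named in the PR
	// Annotation key from the PR description; the value "true" is an assumption.
	rotatedAnnotation = "gardener.cloud/ssh-keypair"
)

// Secret is a constructed stand-in for a Kubernetes Secret (name plus data only).
type Secret struct {
	Name string
	Data map[string][]byte
}

// Store is a constructed in-memory stand-in for the secrets of one shoot namespace.
type Store map[string]*Secret

// ErrNotFound plays the role of the API server's NotFound error.
var ErrNotFound = errors.New("secret not found")

func (s Store) Get(name string) (*Secret, error) {
	if sec, ok := s[name]; ok {
		return sec, nil
	}
	return nil, ErrNotFound
}

// newKeypairData generates a fresh ed25519 keypair; the data keys are assumed names.
func newKeypairData() (map[string][]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return map[string][]byte{"id_ed25519": priv, "id_ed25519.pub": pub}, nil
}

func cloneData(in map[string][]byte) map[string][]byte {
	out := make(map[string][]byte, len(in))
	for k, v := range in {
		out[k] = append([]byte(nil), v...)
	}
	return out
}

func dataEqual(a, b map[string][]byte) bool {
	if len(a) != len(b) {
		return false
	}
	for k, v := range a {
		if w, ok := b[k]; !ok || !bytes.Equal(v, w) {
			return false
		}
	}
	return true
}

// EnsureKeypair runs on shoot creation: it creates ssh-keypair if missing and
// deliberately never touches ssh-keypair.old, which is the point of the PR.
func EnsureKeypair(store Store) error {
	if _, ok := store[keypairSecretName]; ok {
		return nil
	}
	data, err := newKeypairData()
	if err != nil {
		return err
	}
	store[keypairSecretName] = &Secret{Name: keypairSecretName, Data: data}
	return nil
}

// RotateKeypair is the only place ssh-keypair.old is written: the current key is
// kept under the .old name so nodes still holding it stay reachable during the
// rollout, a new key replaces it, and the shoot is annotated as rotated.
func RotateKeypair(store Store, shootAnnotations map[string]string) error {
	cur, err := store.Get(keypairSecretName)
	if err != nil {
		return err
	}
	store[oldKeypairSecretName] = &Secret{Name: oldKeypairSecretName, Data: cloneData(cur.Data)}
	data, err := newKeypairData()
	if err != nil {
		return err
	}
	cur.Data = data
	shootAnnotations[rotatedAnnotation] = "true"
	return nil
}

// PruneUnrotatedOld deletes ssh-keypair.old when its content equals ssh-keypair,
// i.e. the keypair was never rotated. A missing .old secret is not an error.
func PruneUnrotatedOld(store Store) (bool, error) {
	old, err := store.Get(oldKeypairSecretName)
	if errors.Is(err, ErrNotFound) {
		return false, nil
	}
	if err != nil {
		return false, err
	}
	cur, err := store.Get(keypairSecretName)
	if err != nil {
		return false, err
	}
	if !dataEqual(old.Data, cur.Data) {
		return false, nil // a genuinely rotated .old must be kept
	}
	delete(store, oldKeypairSecretName)
	return true, nil
}
```

The split into EnsureKeypair and RotateKeypair mirrors the commit message's move of the ssh-keypair.old logic into the rotation path: a freshly created shoot never gets a .old secret, while a shoot that has rotated at least once keeps both, which is why pruning only ever removes a .old whose bytes equal the live key.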