Auto-maintain valid-until-time label for ControlPlaneSecretConfigs (

gardener#5798)
krgostev · Jul 5, 2022 · c9738d3 · c9738d3
1 parent c6968eb
commit c9738d3
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 8 deletions.
diff --git a/pkg/utils/secrets/manager/generate.go b/pkg/utils/secrets/manager/generate.go
@@ -385,19 +385,25 @@ func (m *manager) maintainLifetimeLabels(config secretutils.ConfigInterface, sec
 	}
 	desiredLabels[LabelKeyIssuedAtTime] = issuedAt
 
-	cfg, ok := config.(*secretutils.CertificateSecretConfig)
-	if !ok {
+	var dataKeyCertificate string
+	switch cfg := config.(type) {
+	case *secretutils.CertificateSecretConfig:
+		dataKeyCertificate = secretutils.DataKeyCertificate
+		if cfg.CertType == secretutils.CACert {
+			dataKeyCertificate = secretutils.DataKeyCertificateCA
+		}
+	case *secretutils.ControlPlaneSecretConfig:
+		if cfg.CertificateSecretConfig == nil {
+			return nil
+		}
+		dataKeyCertificate = secretutils.ControlPlaneSecretDataKeyCertificatePEM(config.GetName())
+	default:
 		return nil
 	}
 
-	dataKeyCertificate := secretutils.DataKeyCertificate
-	if cfg.SigningCA == nil {
-		dataKeyCertificate = secretutils.DataKeyCertificateCA
-	}
-
 	certificate, err := utils.DecodeCertificate(secret.Data[dataKeyCertificate])
 	if err != nil {
-		return err
+		return fmt.Errorf("error decoding certificate when trying to maintain lifetime labels: %w", err)
 	}
 
 	desiredLabels[LabelKeyIssuedAtTime] = unixTime(certificate.NotBefore)

diff --git a/pkg/utils/secrets/manager/generate_test.go b/pkg/utils/secrets/manager/generate_test.go
@@ -19,6 +19,7 @@ import (
 	"strconv"
 	"time"
 
+	"github.com/gardener/gardener/pkg/utils"
 	secretutils "github.com/gardener/gardener/pkg/utils/secrets"
 	"github.com/gardener/gardener/pkg/utils/test"
 
@@ -512,6 +513,8 @@ var _ = Describe("Generate", func() {
 				expectSecretWasCreated(ctx, fakeClient, caSecret)
 
 				By("generating new control plane secret")
+				serverConfig.Clock = fakeClock
+				serverConfig.Validity = utils.DurationPtr(1337 * time.Minute)
 				controlPlaneSecretConfig := &secretutils.ControlPlaneSecretConfig{
 					Name:                    "control-plane-secret",
 					CertificateSecretConfig: serverConfig,
@@ -524,6 +527,25 @@ var _ = Describe("Generate", func() {
 				serverSecret, err := m.Generate(ctx, controlPlaneSecretConfig, SignedByCA(caName))
 				Expect(err).NotTo(HaveOccurred())
 				expectSecretWasCreated(ctx, fakeClient, serverSecret)
+
+				By("verifying labels")
+				Expect(serverSecret.Labels).To(And(
+					HaveKeyWithValue("issued-at-time", strconv.FormatInt(fakeClock.Now().Unix(), 10)),
+					HaveKeyWithValue("valid-until-time", strconv.FormatInt(fakeClock.Now().Add(*serverConfig.Validity).Unix(), 10)),
+				))
+			})
+
+			It("should correctly maintain lifetime labels for ControlPlaneSecretConfigs w/o certificate secret configs", func() {
+				By("generating new control plane secret")
+				cpSecret, err := m.Generate(ctx, &secretutils.ControlPlaneSecretConfig{Name: "control-plane-secret"})
+				Expect(err).NotTo(HaveOccurred())
+				expectSecretWasCreated(ctx, fakeClient, cpSecret)
+
+				By("verifying labels")
+				Expect(cpSecret.Labels).To(And(
+					HaveKeyWithValue("issued-at-time", strconv.FormatInt(fakeClock.Now().Unix(), 10)),
+					Not(HaveKey("valid-until-time")),
+				))
 			})
 		})