From c9738d35af5c9e4c12573ec2ad1d14d4da3fcbc6 Mon Sep 17 00:00:00 2001
From: Rafael Franzke
Date: Tue, 19 Apr 2022 12:06:27 +0200
Subject: [PATCH] Auto-maintain `valid-until-time` label for `ControlPlaneSecretConfig`s (#5798)

---
 pkg/utils/secrets/manager/generate.go      | 22 ++++++++++++++--------
 pkg/utils/secrets/manager/generate_test.go | 22 ++++++++++++++++++++++
 2 files changed, 36 insertions(+), 8 deletions(-)

diff --git a/pkg/utils/secrets/manager/generate.go b/pkg/utils/secrets/manager/generate.go
index 5621742c9a2b..fed8838f2fb8 100644
--- a/pkg/utils/secrets/manager/generate.go
+++ b/pkg/utils/secrets/manager/generate.go
@@ -385,19 +385,25 @@ func (m *manager) maintainLifetimeLabels(config secretutils.ConfigInterface, sec
 	}
 	desiredLabels[LabelKeyIssuedAtTime] = issuedAt
 
-	cfg, ok := config.(*secretutils.CertificateSecretConfig)
-	if !ok {
+	var dataKeyCertificate string
+	switch cfg := config.(type) {
+	case *secretutils.CertificateSecretConfig:
+		dataKeyCertificate = secretutils.DataKeyCertificate
+		if cfg.CertType == secretutils.CACert {
+			dataKeyCertificate = secretutils.DataKeyCertificateCA
+		}
+	case *secretutils.ControlPlaneSecretConfig:
+		if cfg.CertificateSecretConfig == nil {
+			return nil
+		}
+		dataKeyCertificate = secretutils.ControlPlaneSecretDataKeyCertificatePEM(config.GetName())
+	default:
 		return nil
 	}
 
-	dataKeyCertificate := secretutils.DataKeyCertificate
-	if cfg.SigningCA == nil {
-		dataKeyCertificate = secretutils.DataKeyCertificateCA
-	}
-
 	certificate, err := utils.DecodeCertificate(secret.Data[dataKeyCertificate])
 	if err != nil {
-		return err
+		return fmt.Errorf("error decoding certificate when trying to maintain lifetime labels: %w", err)
 	}
 
 	desiredLabels[LabelKeyIssuedAtTime] = unixTime(certificate.NotBefore)
diff --git a/pkg/utils/secrets/manager/generate_test.go b/pkg/utils/secrets/manager/generate_test.go
index 01e681ded768..a18db10d4ee7 100644
--- a/pkg/utils/secrets/manager/generate_test.go
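Review bot: The wrapped error on the `return fmt.Errorf(...)` line omits the two facts an operator needs when reconciliation of a secret starts failing — which secret and which data key held the undecodable certificate; `return fmt.Errorf("error decoding certificate from data key %q of secret %q when trying to maintain lifetime labels: %w", dataKeyCertificate, secret.Name, err)` would carry both (assuming `secret` is a `*corev1.Secret` with a `Name` field, which the hunk does not show). This is also the path a missing key takes, since `secret.Data[dataKeyCertificate]` yields nil for an absent key and is handed straight to `utils.DecodeCertificate`, so the message should make "key not present" distinguishable from "key present but corrupt". The `CertificateSecretConfig` branch additionally changes the discriminator from `cfg.SigningCA == nil` to `cfg.CertType == secretutils.CACert`, which the commit title does not mention; a comment such as `// CA certificates are stored under DataKeyCertificateCA, every other certificate type under DataKeyCertificate` would record that intent. `maintainLifetimeLabels` starts before and continues after this hunk.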
+++ b/pkg/utils/secrets/manager/generate_test.go
@@ -19,6 +19,7 @@ import (
 	"strconv"
 	"time"
 
+	"github.com/gardener/gardener/pkg/utils"
 	secretutils "github.com/gardener/gardener/pkg/utils/secrets"
 	"github.com/gardener/gardener/pkg/utils/test"
 
@@ -512,6 +513,8 @@ var _ = Describe("Generate", func() {
 			expectSecretWasCreated(ctx, fakeClient, caSecret)
 
 			By("generating new control plane secret")
+			serverConfig.Clock = fakeClock
+			serverConfig.Validity = utils.DurationPtr(1337 * time.Minute)
 			controlPlaneSecretConfig := &secretutils.ControlPlaneSecretConfig{
 				Name:                    "control-plane-secret",
 				CertificateSecretConfig: serverConfig,
@@ -524,6 +527,25 @@ var _ = Describe("Generate", func() {
 			serverSecret, err := m.Generate(ctx, controlPlaneSecretConfig, SignedByCA(caName))
 			Expect(err).NotTo(HaveOccurred())
 			expectSecretWasCreated(ctx, fakeClient, serverSecret)
+
+			By("verifying labels")
+			Expect(serverSecret.Labels).To(And(
+				HaveKeyWithValue("issued-at-time", strconv.FormatInt(fakeClock.Now().Unix(), 10)),
+				HaveKeyWithValue("valid-until-time", strconv.FormatInt(fakeClock.Now().Add(*serverConfig.Validity).Unix(), 10)),
+			))
+		})
+
+		It("should correctly maintain lifetime labels for ControlPlaneSecretConfigs w/o certificate secret configs", func() {
+			By("generating new control plane secret")
+			cpSecret, err := m.Generate(ctx, &secretutils.ControlPlaneSecretConfig{Name: "control-plane-secret"})
+			Expect(err).NotTo(HaveOccurred())
+			expectSecretWasCreated(ctx, fakeClient, cpSecret)
+
+			By("verifying labels")
+			Expect(cpSecret.Labels).To(And(
+				HaveKeyWithValue("issued-at-time", strconv.FormatInt(fakeClock.Now().Unix(), 10)),
+				Not(HaveKey("valid-until-time")),
+			))
 		})
 	})
 
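Review bot: The two added lines mutate the shared `serverConfig` pointer (`serverConfig.Clock = fakeClock`, `serverConfig.Validity = utils.DurationPtr(1337 * time.Minute)`) from inside a single spec; if `serverConfig` is declared at `Describe` scope and not rebuilt in a `BeforeEach`, the `Validity` override leaks into every later spec that reuses it, and this hunk cannot show which is the case. Either move the two assignments into the `BeforeEach` that constructs `serverConfig`, or work on a local copy here, e.g. `cfg := *serverConfig; cfg.Clock = fakeClock; cfg.Validity = utils.DurationPtr(1337 * time.Minute)` and pass `&cfg` as `CertificateSecretConfig` (the later `*serverConfig.Validity` assertion would then read `*cfg.Validity`). The enclosing `It` starts before this hunk.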
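Review bot: The new assertions spell the label keys as the literals `"issued-at-time"` and `"valid-until-time"` although the package under test exports `LabelKeyIssuedAtTime` (visible in the generate.go hunk) and, presumably, a matching constant for the valid-until key; pinning the literal is a legitimate way to guard the label as an external contract that other controllers read, but as written a reader cannot tell whether that was the intent or an oversight. Add one line above the first `Expect(serverSecret.Labels)`, e.g. `// label keys are deliberately spelled out: their literal values are a contract consumed outside this package`, or switch to the exported constants if no such contract is intended. The first `It` in this hunk starts before the hunk.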