Prevent creation of ssh-keypair.old secret on Shoot creation. (gard…

…ener#5388) * Avoid creation of `ssh-keypair.old` secret on Shoot creation. * Address PR feedback. * Move logic for ssh-keypair.old secret creation to `rotateSSHKeypairSecrets` function. * Handle `IsNotFound` error when `ssh-keypair.old` is not present in shoot namespace in seed. * Minor modifications * Address PR feedback from `@plkokanov`
nickytd · Mar 7, 2022 · 7f3f29b · 7f3f29b
1 parent 4ef7dbd
commit 7f3f29b
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 20 deletions.
diff --git a/pkg/operation/botanist/secrets.go b/pkg/operation/botanist/secrets.go
@@ -34,10 +34,13 @@ import (
 	"github.com/gardener/gardener/pkg/utils"
 	"github.com/gardener/gardener/pkg/utils/flow"
 	gutil "github.com/gardener/gardener/pkg/utils/gardener"
+	"github.com/gardener/gardener/pkg/utils/infodata"
 	kutil "github.com/gardener/gardener/pkg/utils/kubernetes"
+	"github.com/gardener/gardener/pkg/utils/secrets"
 	secretutils "github.com/gardener/gardener/pkg/utils/secrets"
 
 	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/clock"
@@ -195,10 +198,44 @@ func (b *Botanist) DeploySecrets(ctx context.Context) error {
 	for name, secret := range secretsManager.DeployedSecrets {
 		b.StoreSecret(name, secret)
 	}
+
 	for _, name := range b.AllSecretKeys() {
 		b.StoreCheckSum(name, utils.ComputeSecretChecksum(b.LoadSecret(name).Data))
 	}
 
+	// copy ssh-keypair.old secret to shoot namespace in seed
+	oldSSHKeyPair, err := infodata.GetInfoData(gardenerResourceDataList, v1beta1constants.SecretNameOldSSHKeyPair)
+	if err != nil {
+		return err
+	}
+	if oldSSHKeyPair != nil {
+		secretConfig := &secrets.RSASecretConfig{
+			Name:       v1beta1constants.SecretNameOldSSHKeyPair,
+			Bits:       4096,
+			UsedForSSH: true,
+		}
+
+		oldSSHKeyPairData, err := secretConfig.GenerateFromInfoData(oldSSHKeyPair)
+		if err != nil {
+			return err
+		}
+
+		secret := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      v1beta1constants.SecretNameOldSSHKeyPair,
+				Namespace: b.Shoot.SeedNamespace,
+			},
+		}
+		if _, err := controllerutils.GetAndCreateOrMergePatch(ctx, b.K8sSeedClient.Client(), secret, func() error {
+			secret.Type = corev1.SecretTypeOpaque
+			secret.Data = oldSSHKeyPairData.SecretData()
+			return nil
+		}); err != nil {
+			return err
+		}
+		b.StoreSecret(v1beta1constants.SecretNameOldSSHKeyPair, secret)
+	}
+
 	wildcardCert, err := seed.GetWildcardCertificate(ctx, b.K8sSeedClient.Client())
 	if err != nil {
 		return err
@@ -342,16 +379,10 @@ func (b *Botanist) rotateSSHKeypairSecrets(ctx context.Context, gardenerResource
 	oldSecret.Name = v1beta1constants.SecretNameOldSSHKeyPair
 	gardenerResourceDataList.Upsert(oldSecret)
 
-	names := []string{
-		v1beta1constants.SecretNameSSHKeyPair,
-		v1beta1constants.SecretNameOldSSHKeyPair,
+	if err := b.K8sSeedClient.Client().Delete(ctx, &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: v1beta1constants.SecretNameSSHKeyPair, Namespace: b.Shoot.SeedNamespace}}); client.IgnoreNotFound(err) != nil {
+		return err
 	}
 
-	for _, secretName := range names {
-		if err := b.K8sSeedClient.Client().Delete(ctx, &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: secretName, Namespace: b.Shoot.SeedNamespace}}); client.IgnoreNotFound(err) != nil {
-			return err
-		}
-	}
 	gardenerResourceDataList.Delete(v1beta1constants.SecretNameSSHKeyPair)
 
 	// remove operation annotation
@@ -432,11 +463,6 @@ func (b *Botanist) SyncShootCredentialsToGarden(ctx context.Context) error {
 			suffix:     gutil.ShootProjectSecretSuffixSSHKeypair,
 			labels:     map[string]string{v1beta1constants.GardenRole: v1beta1constants.GardenRoleSSHKeyPair},
 		},
-		{
-			secretName: v1beta1constants.SecretNameOldSSHKeyPair,
-			suffix:     gutil.ShootProjectSecretSuffixOldSSHKeypair,
-			labels:     map[string]string{v1beta1constants.GardenRole: v1beta1constants.GardenRoleSSHKeyPair},
-		},
 		{
 			secretName:  "monitoring-ingress-credentials-users",
 			suffix:      gutil.ShootProjectSecretSuffixMonitoring,
@@ -445,6 +471,20 @@ func (b *Botanist) SyncShootCredentialsToGarden(ctx context.Context) error {
 		},
 	}
 
+	// ssh-keypair.old secret will be synced to the Garden cluster if it is present in shoot namespace in seed.
+	oldSecret := &corev1.Secret{}
+	if err := b.K8sSeedClient.Client().Get(ctx, kutil.Key(b.Shoot.SeedNamespace, v1beta1constants.SecretNameOldSSHKeyPair), oldSecret); err != nil {
+		if !apierrors.IsNotFound(err) {
+			return err
+		}
+	} else {
+		projectSecrets = append(projectSecrets, projectSecret{
+			secretName: v1beta1constants.SecretNameOldSSHKeyPair,
+			suffix:     gutil.ShootProjectSecretSuffixOldSSHKeypair,
+			labels:     map[string]string{v1beta1constants.GardenRole: v1beta1constants.GardenRoleSSHKeyPair},
+		})
+	}
+
 	var fns []flow.TaskFn
 	for _, projectSecret := range projectSecrets {
 		s := projectSecret

diff --git a/pkg/operation/botanist/wanted_secrets.go b/pkg/operation/botanist/wanted_secrets.go
@@ -290,13 +290,6 @@ func (b *Botanist) generateWantedSecretConfigs(basicAuthAPIServer *secrets.Basic
 			UsedForSSH: true,
 		},
 
-		// Secret definition for ssh-keypair.old
-		&secrets.RSASecretConfig{
-			Name:       v1beta1constants.SecretNameOldSSHKeyPair,
-			Bits:       4096,
-			UsedForSSH: true,
-		},
-
 		// Secret definition for service-account-key
 		&secrets.RSASecretConfig{
 			Name:       v1beta1constants.SecretNameServiceAccountKey,