From 7f3f29b73f130501c1714e8b88597c84dfc494ed Mon Sep 17 00:00:00 2001 From: Ashish Ranjan Yadav Date: Mon, 7 Mar 2022 20:32:47 +0530 Subject: [PATCH] Prevent creation of `ssh-keypair.old` secret on Shoot creation. (#5388) * Avoid creation of `ssh-keypair.old` secret on Shoot creation. * Address PR feedback. * Move logic for ssh-keypair.old secret creation to `rotateSSHKeypairSecrets` function. * Handle `IsNotFound` error when `ssh-keypair.old` is not present in shoot namespace in seed. * Minor modifications * Address PR feedback from `@plkokanov` --- pkg/operation/botanist/secrets.go | 66 +++++++++++++++++++----- pkg/operation/botanist/wanted_secrets.go | 7 --- 2 files changed, 53 insertions(+), 20 deletions(-) diff --git a/pkg/operation/botanist/secrets.go b/pkg/operation/botanist/secrets.go index fcb1d43de38..33b9ce212fa 100644 --- a/pkg/operation/botanist/secrets.go +++ b/pkg/operation/botanist/secrets.go @@ -34,10 +34,13 @@ import ( "github.com/gardener/gardener/pkg/utils" "github.com/gardener/gardener/pkg/utils/flow" gutil "github.com/gardener/gardener/pkg/utils/gardener" + "github.com/gardener/gardener/pkg/utils/infodata" kutil "github.com/gardener/gardener/pkg/utils/kubernetes" + "github.com/gardener/gardener/pkg/utils/secrets" secretutils "github.com/gardener/gardener/pkg/utils/secrets" corev1 "k8s.io/api/core/v1" + apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/util/clock" 
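Review bot: The import block now pulls `github.com/gardener/gardener/pkg/utils/secrets` in twice, once unaliased on the new `+ "github.com/gardener/gardener/pkg/utils/secrets"` line and once under the pre-existing `secretutils` alias on the line directly below it. Go accepts a package imported under two names, so this compiles, but it leaves two spellings for the same package in one file and `goimports` will not collapse them. Drop the new unaliased line and write `secretutils.RSASecretConfig{...}` in the DeploySecrets hunk instead, so the file keeps a single name for that package.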
@@ -195,10 +198,44 @@ func (b *Botanist) DeploySecrets(ctx context.Context) error { for name, secret := range secretsManager.DeployedSecrets { b.StoreSecret(name, secret) } + for _, name := range b.AllSecretKeys() { b.StoreCheckSum(name, utils.ComputeSecretChecksum(b.LoadSecret(name).Data)) } + // copy ssh-keypair.old secret to shoot namespace in seed + oldSSHKeyPair, err := infodata.GetInfoData(gardenerResourceDataList, v1beta1constants.SecretNameOldSSHKeyPair) + if err != nil { + return err + } + if oldSSHKeyPair != nil { + secretConfig := &secrets.RSASecretConfig{ + Name: v1beta1constants.SecretNameOldSSHKeyPair, + Bits: 4096, + UsedForSSH: true, + } + + oldSSHKeyPairData, err := secretConfig.GenerateFromInfoData(oldSSHKeyPair) + if err != nil { + return err + } + + secret := &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: v1beta1constants.SecretNameOldSSHKeyPair, + Namespace: b.Shoot.SeedNamespace, + }, + } + if _, err := controllerutils.GetAndCreateOrMergePatch(ctx, b.K8sSeedClient.Client(), secret, func() error { + secret.Type = corev1.SecretTypeOpaque + secret.Data = oldSSHKeyPairData.SecretData() + return nil + }); err != nil { + return err + } + b.StoreSecret(v1beta1constants.SecretNameOldSSHKeyPair, secret) + } + wildcardCert, err := seed.GetWildcardCertificate(ctx, b.K8sSeedClient.Client()) if err != nil { return err 
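Review bot: The new `if oldSSHKeyPair != nil { ... }` block creates or merge-patches the seed copy of `ssh-keypair.old` whenever the info data is present, but has no branch for the absent case, so a seed copy written by an earlier reconciliation is never removed through this path; this patch's SyncShootCredentialsToGarden hunk syncs that secret to the garden project namespace whenever it exists in the seed, so a stale old key would keep being published until something else deletes it. Whether any code removes `ssh-keypair.old` from `gardenerResourceDataList` is not visible here; if it can, add the mirror branch `} else if err := b.K8sSeedClient.Client().Delete(ctx, &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: v1beta1constants.SecretNameOldSSHKeyPair, Namespace: b.Shoot.SeedNamespace}}); client.IgnoreNotFound(err) != nil { return err }`, and otherwise record the invariant in a comment, e.g. `// ssh-keypair.old is only ever added to the resource data list, never removed, so no deletion branch is needed here`. Note also that this secret bypasses secretsManager: the `b.StoreCheckSum` loop runs before it, so no checksum is recorded for it, and the merge-patch sets only Type and Data, so it presumably lacks whatever labels the managed secrets carry — worth a comment if intentional. DeploySecrets starts and ends outside this hunk.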
@@ -342,16 +379,10 @@ func (b *Botanist) rotateSSHKeypairSecrets(ctx context.Context, gardenerResource oldSecret.Name = v1beta1constants.SecretNameOldSSHKeyPair gardenerResourceDataList.Upsert(oldSecret) - names := []string{ - v1beta1constants.SecretNameSSHKeyPair, - v1beta1constants.SecretNameOldSSHKeyPair, + if err := b.K8sSeedClient.Client().Delete(ctx, &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: v1beta1constants.SecretNameSSHKeyPair, Namespace: b.Shoot.SeedNamespace}}); client.IgnoreNotFound(err) != nil { + return err } - for _, secretName := range names { - if err := b.K8sSeedClient.Client().Delete(ctx, &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: secretName, Namespace: b.Shoot.SeedNamespace}}); client.IgnoreNotFound(err) != nil { - return err - } - } gardenerResourceDataList.Delete(v1beta1constants.SecretNameSSHKeyPair) // remove operation annotation @@ -432,11 +463,6 @@ func (b *Botanist) SyncShootCredentialsToGarden(ctx context.Context) error { suffix: gutil.ShootProjectSecretSuffixSSHKeypair, labels: map[string]string{v1beta1constants.GardenRole: v1beta1constants.GardenRoleSSHKeyPair}, }, - { - secretName: v1beta1constants.SecretNameOldSSHKeyPair, - suffix: gutil.ShootProjectSecretSuffixOldSSHKeypair, - labels: map[string]string{v1beta1constants.GardenRole: v1beta1constants.GardenRoleSSHKeyPair}, - }, { secretName: "monitoring-ingress-credentials-users", suffix: gutil.ShootProjectSecretSuffixMonitoring, 
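Review bot: The seed-side deletion now skips `ssh-keypair.old` immediately after `gardenerResourceDataList.Upsert(oldSecret)` renames the rotated key to that name, and nothing in the hunk says why the seed copy is left in place; a reader of rotateSSHKeypairSecrets alone will expect it to be stale. Add a comment above the remaining `Delete` call such as `// ssh-keypair.old is intentionally left in the seed: DeploySecrets re-creates/merge-patches it from the resource data list on the next reconciliation, so only ssh-keypair has to be removed here to force regeneration.` The single-line `Delete` with an inline `&corev1.Secret{ObjectMeta: ...}` is also long enough that extracting `sshKeyPairSecret := &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: v1beta1constants.SecretNameSSHKeyPair, Namespace: b.Shoot.SeedNamespace}}` onto its own line would help. rotateSSHKeypairSecrets starts and ends outside this hunk.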
@@ -445,6 +471,20 @@ func (b *Botanist) SyncShootCredentialsToGarden(ctx context.Context) error { }, } + // ssh-keypair.old secret will be synced to the Garden cluster if it is present in shoot namespace in seed. + oldSecret := &corev1.Secret{} + if err := b.K8sSeedClient.Client().Get(ctx, kutil.Key(b.Shoot.SeedNamespace, v1beta1constants.SecretNameOldSSHKeyPair), oldSecret); err != nil { + if !apierrors.IsNotFound(err) { + return err + } + } else { + projectSecrets = append(projectSecrets, projectSecret{ + secretName: v1beta1constants.SecretNameOldSSHKeyPair, + suffix: gutil.ShootProjectSecretSuffixOldSSHKeypair, + labels: map[string]string{v1beta1constants.GardenRole: v1beta1constants.GardenRoleSSHKeyPair}, + }) + } + var fns []flow.TaskFn for _, projectSecret := range projectSecrets { s := projectSecret diff --git a/pkg/operation/botanist/wanted_secrets.go b/pkg/operation/botanist/wanted_secrets.go index 0fda05756c1..9c84617d7de 100644 --- a/pkg/operation/botanist/wanted_secrets.go +++ b/pkg/operation/botanist/wanted_secrets.go @@ -290,13 +290,6 @@ func (b *Botanist) generateWantedSecretConfigs(basicAuthAPIServer *secrets.Basic UsedForSSH: true, }, - // Secret definition for ssh-keypair.old - &secrets.RSASecretConfig{ - Name: v1beta1constants.SecretNameOldSSHKeyPair, - Bits: 4096, - UsedForSSH: true, - }, - // Secret definition for service-account-key &secrets.RSASecretConfig{ Name: v1beta1constants.SecretNameServiceAccountKey,
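Review bot: Making the `ssh-keypair.old` entry of `projectSecrets` conditional on a `Get` against the seed means that once the seed copy disappears the entry silently drops out of the list; whether the already-synced `<shoot>.ssh-keypair.old` secret is then removed from the garden project namespace depends on the loop below, which is outside the hunk — if that loop only creates or updates, the old private key lingers in the project namespace with no owner checking it. Please confirm the removal path, or document it with `// NOTE: a previously synced ssh-keypair.old is not deleted from the garden when the seed copy is gone — TODO confirm`. The `if err != nil { if !apierrors.IsNotFound(err) { return err } } else { ... }` shape also buries the happy path; since the fetched `oldSecret` is discarded, `switch err := b.K8sSeedClient.Client().Get(ctx, kutil.Key(b.Shoot.SeedNamespace, v1beta1constants.SecretNameOldSSHKeyPair), &corev1.Secret{}); { case err == nil: projectSecrets = append(...); case !apierrors.IsNotFound(err): return err }` reads more directly. SyncShootCredentialsToGarden starts and ends outside this hunk.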