From e16cbaa20e39f623cc3c65adf464c30266d823c4 Mon Sep 17 00:00:00 2001
From: Andrew Sauber <2046750+asauber@users.noreply.github.com>
Date: Thu, 27 Apr 2023 10:54:34 -0400
Subject: [PATCH] helm mode: add recursive deprecated secret logic

Previously, we had logic to look for deprecated names like clustermesh-apiserver-client-certs when clustermesh-apiserver-client-cert was expected. With helm-based installations, we now need to also look for clustermesh-apiserver-client-cert when clustermesh-apiserver-remote-cert is expected, and do this recursively.

Signed-off-by: Andrew Sauber
---
 clustermesh/certs.go | 13 ++++++------
 clustermesh/clustermesh.go | 41 +++++++++++++++++++++++---------------
 defaults/defaults.go | 1 +
 3 files changed, 33 insertions(+), 22 deletions(-)

diff --git a/clustermesh/certs.go b/clustermesh/certs.go
index 79f2af5795..b45f7924a3 100644
--- a/clustermesh/certs.go
+++ b/clustermesh/certs.go
@@ -110,16 +110,16 @@ func (k *K8sClusterMesh) createClusterMeshClientCertificate(ctx context.Context)
 signConf := &config.Signing{
 Default: &config.SigningProfile{Expiry: 5 * 365 * 24 * time.Hour},
 Profiles: map[string]*config.SigningProfile{
- defaults.ClusterMeshClientSecretName: {
+ defaults.ClusterMeshRemoteSecretName: {
 Expiry: 5 * 365 * 24 * time.Hour,
 Usage: []string{"signing", "key encipherment", "server auth", "client auth"},
 },
 },
 }
 
- cert, key, err := k.certManager.GenerateCertificate(defaults.ClusterMeshClientSecretName, certReq, signConf)
+ cert, key, err := k.certManager.GenerateCertificate(defaults.ClusterMeshRemoteSecretName, certReq, signConf)
 if err != nil {
- return fmt.Errorf("unable to generate certificate %s: %w", defaults.ClusterMeshClientSecretName, err)
+ return fmt.Errorf("unable to generate certificate %s: %w", defaults.ClusterMeshRemoteSecretName, err)
 }
 
 data := map[string][]byte{
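Review bot: The signing profile now keyed by defaults.ClusterMeshRemoteSecretName still carries both "server auth" and "client auth" on the Usage line below it, for a certificate that extractAccessInformation's error message describes as the credential used "to access clustermesh service"; if this key is only ever presented as a client, dropping "server auth" would confine it to the one role it needs, and that line is pre-existing context, so this is a follow-up rather than a regression. The function is still named createClusterMeshClientCertificate while it now generates and stores the remote secret, and the separate ClusterMeshClientSecretName constant survives as a deprecated name, so the two will be easy to confuse. A doc comment such as `// createClusterMeshClientCertificate issues the certificate stored under defaults.ClusterMeshRemoteSecretName (formerly ClusterMeshClientSecretName); presumably the credential remote clusters present to this clustermesh-apiserver — confirm.` would keep the naming straight. The function's header and tail are outside this hunk.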
@@ -128,9 +128,9 @@ func (k *K8sClusterMesh) createClusterMeshClientCertificate(ctx context.Context)
 defaults.CASecretCertName: k.certManager.CACertBytes(),
 }
 
- _, err = k.client.CreateSecret(ctx, k.params.Namespace, k8s.NewTLSSecret(defaults.ClusterMeshClientSecretName, k.params.Namespace, data), metav1.CreateOptions{})
+ _, err = k.client.CreateSecret(ctx, k.params.Namespace, k8s.NewTLSSecret(defaults.ClusterMeshRemoteSecretName, k.params.Namespace, data), metav1.CreateOptions{})
 if err != nil {
- return fmt.Errorf("unable to create secret %s/%s: %w", k.params.Namespace, defaults.ClusterMeshClientSecretName, err)
+ return fmt.Errorf("unable to create secret %s/%s: %w", k.params.Namespace, defaults.ClusterMeshRemoteSecretName, err)
 }
 
 return nil
@@ -177,8 +177,9 @@ func (k *K8sClusterMesh) deleteCertificates(ctx context.Context) error {
 k.Log("🔥 Deleting ClusterMesh certificates...")
 k.client.DeleteSecret(ctx, k.params.Namespace, defaults.ClusterMeshServerSecretName, metav1.DeleteOptions{})
 k.client.DeleteSecret(ctx, k.params.Namespace, defaults.ClusterMeshAdminSecretName, metav1.DeleteOptions{})
- k.client.DeleteSecret(ctx, k.params.Namespace, defaults.ClusterMeshClientSecretName, metav1.DeleteOptions{})
+ k.client.DeleteSecret(ctx, k.params.Namespace, defaults.ClusterMeshRemoteSecretName, metav1.DeleteOptions{})
 k.client.DeleteSecret(ctx, k.params.Namespace, defaults.ClusterMeshExternalWorkloadSecretName, metav1.DeleteOptions{})
+ k.client.DeleteSecret(ctx, k.params.Namespace, defaults.ClusterMeshClientSecretName, metav1.DeleteOptions{})
 
 return nil
 }
diff --git a/clustermesh/clustermesh.go b/clustermesh/clustermesh.go
index cc8d6951d4..d5c7f1b295 100644
--- a/clustermesh/clustermesh.go
+++ b/clustermesh/clustermesh.go
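Review bot: The new DeleteSecret call for defaults.ClusterMeshClientSecretName in the -177 hunk discards its error like the four calls above it, so a failed cleanup of the old-name secret leaves the previous private key in the namespace with nothing in the output to say so, and deleteCertificates still returns nil. A not-found result is expected on most installs and is fine to ignore, but a forbidden or timeout error deserves at least a log line. One shape that keeps the best-effort semantics: `if err := k.client.DeleteSecret(ctx, k.params.Namespace, defaults.ClusterMeshClientSecretName, metav1.DeleteOptions{}); err != nil && !apierrors.IsNotFound(err) { k.Log("⚠️ Unable to delete secret %s: %s", defaults.ClusterMeshClientSecretName, err) }`, with apierrors being k8s.io/apimachinery/pkg/api/errors if the file does not import it already. If the silence is deliberate, a one-line comment saying so above the block would stop the next reader from re-raising it.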
@@ -662,6 +662,8 @@ func (ai *accessInformation) validate() bool {
 
 func getDeprecatedName(secretName string) string {
 switch secretName {
+ case defaults.ClusterMeshRemoteSecretName:
+ return defaults.ClusterMeshClientSecretName
 case defaults.ClusterMeshServerSecretName,
 defaults.ClusterMeshAdminSecretName,
 defaults.ClusterMeshClientSecretName,
@@ -672,6 +674,27 @@ func getDeprecatedName(secretName string) string {
 }
 }
 
+// getDeprecatedSecret attempts to retrieve a secret using one or more deprecated names
+// There are now multiple "layers" of deprecated secret names, so we call this function recursively if needed
+func (k *K8sClusterMesh) getDeprecatedSecret(ctx context.Context, client k8sClusterMeshImplementation, secretName string, defaultName string) (*corev1.Secret, error) {
+
+ deprecatedSecretName := getDeprecatedName(secretName)
+ if deprecatedSecretName == "" {
+ return nil, fmt.Errorf("unable to get secret %q and no deprecated names to try", secretName)
+ }
+
+ k.Log("Trying to get secret %s by deprecated name %s", secretName, deprecatedSecretName)
+
+ secret, err := client.GetSecret(ctx, k.params.Namespace, deprecatedSecretName, metav1.GetOptions{})
+ if err != nil {
+ return k.getDeprecatedSecret(ctx, client, deprecatedSecretName, defaultName)
+ }
+
+ k.Log("⚠️ Deprecated secret name %q, should be changed to %q", secret.Name, defaultName)
+
+ return secret, err
+}
+
 // We had inconsistency in naming clustermesh secrets between Helm installation and Cilium CLI installation
 // Cilium CLI was naming clustermesh secrets with trailing 's'. eg. 'clustermesh-apiserver-client-certs' instead of `clustermesh-apiserver-client-cert`
 // This caused Cilium CLI 'clustermesh status' command to fail when Cilium is installed using Helm
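Review bot: getDeprecatedSecret recurses on any error from client.GetSecret, not only a not-found one, so a forbidden or transient API error on a deprecated name is swallowed and the chain keeps stepping to older names until getDeprecatedName returns "", at which point the caller gets "no deprecated names to try" with the real cause gone. The fallback should only move to the next name when the current one is absent and wrap anything else, and the success path's `return secret, err` returns a value the preceding `if` has already shown to be nil, so `return secret, nil` reads truer. The recursion terminates because the -662 hunk maps Remote to Client, Client maps to the trailing-'s' form described in the comment below the function, and anything else yields "", which is worth stating in the doc comment, e.g. `// The chain is finite: getDeprecatedName returns "" once no older name exists, which ends the recursion.` apierrors below is k8s.io/apimachinery/pkg/api/errors, to be imported if the file does not already.
```go
	secret, err := client.GetSecret(ctx, k.params.Namespace, deprecatedSecretName, metav1.GetOptions{})
	if err != nil {
		if !apierrors.IsNotFound(err) {
			return nil, fmt.Errorf("unable to get secret %q: %w", deprecatedSecretName, err)
		}
		return k.getDeprecatedSecret(ctx, client, deprecatedSecretName, defaultName)
	}
	// … unchanged: deprecation warning log …
	return secret, nil
```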
@@ -680,22 +703,8 @@ func (k *K8sClusterMesh) getSecret(ctx context.Context, client k8sClusterMeshImp
 
 secret, err := client.GetSecret(ctx, k.params.Namespace, secretName, metav1.GetOptions{})
 if err != nil {
- deprecatedSecretName := getDeprecatedName(secretName)
- if deprecatedSecretName == "" {
- return nil, fmt.Errorf("unable to get secret %q: %w", secretName, err)
- }
-
- k.Log("Trying to get secret %s by deprecated name %s", secretName, deprecatedSecretName)
-
- secret, err = client.GetSecret(ctx, k.params.Namespace, deprecatedSecretName, metav1.GetOptions{})
- if err != nil {
- return nil, fmt.Errorf("unable to get secret %q: %w", deprecatedSecretName, err)
- }
-
- k.Log("⚠️ Deprecated secret name %q, should be changed to %q", secret.Name, secretName)
-
+ return k.getDeprecatedSecret(ctx, client, secretName, secretName)
 }
-
 return secret, err
 }
 
@@ -733,7 +742,7 @@ func (k *K8sClusterMesh) extractAccessInformation(ctx context.Context, client k8
 return nil, fmt.Errorf("secret %q does not contain CA cert %q", defaults.CASecretName, defaults.CASecretCertName)
 }
 
- meshSecret, err := k.getSecret(ctx, client, defaults.ClusterMeshClientSecretName)
+ meshSecret, err := k.getSecret(ctx, client, defaults.ClusterMeshRemoteSecretName)
 if err != nil {
 return nil, fmt.Errorf("unable to get client secret to access clustermesh service: %w", err)
 }
diff --git a/defaults/defaults.go b/defaults/defaults.go
index c49caa3ecd..65e28f047e 100644
--- a/defaults/defaults.go
+++ b/defaults/defaults.go
@@ -63,6 +63,7 @@ const (
 ClusterMeshServerSecretName = "clustermesh-apiserver-server-cert"
 ClusterMeshAdminSecretName = "clustermesh-apiserver-admin-cert"
 ClusterMeshClientSecretName = "clustermesh-apiserver-client-cert"
+ ClusterMeshRemoteSecretName = "clustermesh-apiserver-remote-cert"
 ClusterMeshExternalWorkloadSecretName = "clustermesh-apiserver-external-workload-cert"
 
 ConnectivityCheckNamespace = "cilium-test"
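Review bot: The first lookup's err is dropped on the new `return k.getDeprecatedSecret(ctx, client, secretName, secretName)` line, whereas the removed code wrapped it with %w; when every candidate fails, the error the user sees names only the last deprecated name and says nothing about why secretName itself was unreadable, and errors.Is/As on the original API error no longer works for callers. Keeping the original error in the chain costs a few lines, shown below; getSecret's signature and doc comment are outside the hunk. In the -733 hunk the message `unable to get client secret to access clustermesh service` now describes the remote secret, so `remote secret` there would match the constant being fetched.
```go
	if err != nil {
		secret, derr := k.getDeprecatedSecret(ctx, client, secretName, secretName)
		if derr != nil {
			return nil, fmt.Errorf("unable to get secret %q: %w (deprecated names: %v)", secretName, err, derr)
		}
		return secret, nil
	}
	return secret, err
```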