helm mode: add recursive deprecated secret logic

Previously, we had logic to look for deprecated names like
clustermesh-apiserver-client-certs when
clustermesh-apiserver-client-cert was expected. With helm-based
installations, we now need to also look for
clustermesh-apiserver-client-cert when clustermesh-apiserver-remote-cert
is expected, and do this recursively.

Signed-off-by: Andrew Sauber <andrew.sauber@isovalent.com>

clustermesh/certs.go

@@ -110,16 +110,16 @@ func (k *K8sClusterMesh) createClusterMeshClientCertificate(ctx context.Context)
 	signConf := &config.Signing{
 		Default: &config.SigningProfile{Expiry: 5 * 365 * 24 * time.Hour},
 		Profiles: map[string]*config.SigningProfile{
-			defaults.ClusterMeshClientSecretName: {
+			defaults.ClusterMeshRemoteSecretName: {
 				Expiry: 5 * 365 * 24 * time.Hour,
 				Usage:  []string{"signing", "key encipherment", "server auth", "client auth"},
 			},
 		},
 	}
 
-	cert, key, err := k.certManager.GenerateCertificate(defaults.ClusterMeshClientSecretName, certReq, signConf)
+	cert, key, err := k.certManager.GenerateCertificate(defaults.ClusterMeshRemoteSecretName, certReq, signConf)
 	if err != nil {
-		return fmt.Errorf("unable to generate certificate %s: %w", defaults.ClusterMeshClientSecretName, err)
+		return fmt.Errorf("unable to generate certificate %s: %w", defaults.ClusterMeshRemoteSecretName, err)
 	}
 
 	data := map[string][]byte{
@@ -128,9 +128,9 @@ func (k *K8sClusterMesh) createClusterMeshClientCertificate(ctx context.Context)
 		defaults.CASecretCertName: k.certManager.CACertBytes(),
 	}
 
-	_, err = k.client.CreateSecret(ctx, k.params.Namespace, k8s.NewTLSSecret(defaults.ClusterMeshClientSecretName, k.params.Namespace, data), metav1.CreateOptions{})
+	_, err = k.client.CreateSecret(ctx, k.params.Namespace, k8s.NewTLSSecret(defaults.ClusterMeshRemoteSecretName, k.params.Namespace, data), metav1.CreateOptions{})
 	if err != nil {
-		return fmt.Errorf("unable to create secret %s/%s: %w", k.params.Namespace, defaults.ClusterMeshClientSecretName, err)
+		return fmt.Errorf("unable to create secret %s/%s: %w", k.params.Namespace, defaults.ClusterMeshRemoteSecretName, err)
 	}
 
 	return nil
@@ -177,8 +177,9 @@ func (k *K8sClusterMesh) deleteCertificates(ctx context.Context) error {
 	k.Log("🔥 Deleting ClusterMesh certificates...")
 	k.client.DeleteSecret(ctx, k.params.Namespace, defaults.ClusterMeshServerSecretName, metav1.DeleteOptions{})
 	k.client.DeleteSecret(ctx, k.params.Namespace, defaults.ClusterMeshAdminSecretName, metav1.DeleteOptions{})
-	k.client.DeleteSecret(ctx, k.params.Namespace, defaults.ClusterMeshClientSecretName, metav1.DeleteOptions{})
+	k.client.DeleteSecret(ctx, k.params.Namespace, defaults.ClusterMeshRemoteSecretName, metav1.DeleteOptions{})
 	k.client.DeleteSecret(ctx, k.params.Namespace, defaults.ClusterMeshExternalWorkloadSecretName, metav1.DeleteOptions{})
+	k.client.DeleteSecret(ctx, k.params.Namespace, defaults.ClusterMeshClientSecretName, metav1.DeleteOptions{})
 	return nil
 }
 

clustermesh/clustermesh.go

@@ -662,6 +662,8 @@ func (ai *accessInformation) validate() bool {
 
 func getDeprecatedName(secretName string) string {
 	switch secretName {
+	case defaults.ClusterMeshRemoteSecretName:
+		return defaults.ClusterMeshClientSecretName
 	case defaults.ClusterMeshServerSecretName,
 		defaults.ClusterMeshAdminSecretName,
 		defaults.ClusterMeshClientSecretName,
@@ -672,6 +674,27 @@ func getDeprecatedName(secretName string) string {
 	}
 }
 
+// getDeprecatedSecret attempts to retrieve a secret using one or more deprecated names
+// There are now multiple "layers" of deprecated secret names, so we call this function recursively if needed
+func (k *K8sClusterMesh) getDeprecatedSecret(ctx context.Context, client k8sClusterMeshImplementation, secretName string, defaultName string) (*corev1.Secret, error) {
+
+	deprecatedSecretName := getDeprecatedName(secretName)
+	if deprecatedSecretName == "" {
+		return nil, fmt.Errorf("unable to get secret %q and no deprecated names to try", secretName)
+	}
+
+	k.Log("Trying to get secret %s by deprecated name %s", secretName, deprecatedSecretName)
+
+	secret, err := client.GetSecret(ctx, k.params.Namespace, deprecatedSecretName, metav1.GetOptions{})
+	if err != nil {
+		return k.getDeprecatedSecret(ctx, client, deprecatedSecretName, defaultName)
+	}
+
+	k.Log("⚠️ Deprecated secret name %q, should be changed to %q", secret.Name, defaultName)
+
+	return secret, err
+}
+
 // We had inconsistency in naming clustermesh secrets between Helm installation and Cilium CLI installation
 // Cilium CLI was naming clustermesh secrets with trailing 's'. eg. 'clustermesh-apiserver-client-certs' instead of `clustermesh-apiserver-client-cert`
 // This caused Cilium CLI 'clustermesh status' command to fail when Cilium is installed using Helm
@@ -680,22 +703,8 @@ func (k *K8sClusterMesh) getSecret(ctx context.Context, client k8sClusterMeshImp
 
 	secret, err := client.GetSecret(ctx, k.params.Namespace, secretName, metav1.GetOptions{})
 	if err != nil {
-		deprecatedSecretName := getDeprecatedName(secretName)
-		if deprecatedSecretName == "" {
-			return nil, fmt.Errorf("unable to get secret %q: %w", secretName, err)
-		}
-
-		k.Log("Trying to get secret %s by deprecated name %s", secretName, deprecatedSecretName)
-
-		secret, err = client.GetSecret(ctx, k.params.Namespace, deprecatedSecretName, metav1.GetOptions{})
-		if err != nil {
-			return nil, fmt.Errorf("unable to get secret %q: %w", deprecatedSecretName, err)
-		}
-
-		k.Log("⚠️ Deprecated secret name %q, should be changed to %q", secret.Name, secretName)
-
+		return k.getDeprecatedSecret(ctx, client, secretName, secretName)
 	}
-
 	return secret, err
 }
 
@@ -733,7 +742,7 @@ func (k *K8sClusterMesh) extractAccessInformation(ctx context.Context, client k8
 		return nil, fmt.Errorf("secret %q does not contain CA cert %q", defaults.CASecretName, defaults.CASecretCertName)
 	}
 
-	meshSecret, err := k.getSecret(ctx, client, defaults.ClusterMeshClientSecretName)
+	meshSecret, err := k.getSecret(ctx, client, defaults.ClusterMeshRemoteSecretName)
 	if err != nil {
 		return nil, fmt.Errorf("unable to get client secret to access clustermesh service: %w", err)
 	}

defaults/defaults.go

@@ -63,6 +63,7 @@ const (
 	ClusterMeshServerSecretName           = "clustermesh-apiserver-server-cert"
 	ClusterMeshAdminSecretName            = "clustermesh-apiserver-admin-cert"
 	ClusterMeshClientSecretName           = "clustermesh-apiserver-client-cert"
+	ClusterMeshRemoteSecretName           = "clustermesh-apiserver-remote-cert"
 	ClusterMeshExternalWorkloadSecretName = "clustermesh-apiserver-external-workload-cert"
 
 	ConnectivityCheckNamespace = "cilium-test"