helm mode: add additional deprecated secret logic, and fix clustermesh connect for helm mode #1551

Merged
merged 1 commit into from
May 8, 2023
13 changes: 7 additions & 6 deletions clustermesh/certs.go
Expand Up @@ -110,16 +110,16 @@ func (k *K8sClusterMesh) createClusterMeshClientCertificate(ctx context.Context)
signConf := &config.Signing{
Default: &config.SigningProfile{Expiry: 5 * 365 * 24 * time.Hour},
Profiles: map[string]*config.SigningProfile{
defaults.ClusterMeshClientSecretName: {
defaults.ClusterMeshRemoteSecretName: {
Expiry: 5 * 365 * 24 * time.Hour,
Usage: []string{"signing", "key encipherment", "server auth", "client auth"},
},
},
}

cert, key, err := k.certManager.GenerateCertificate(defaults.ClusterMeshClientSecretName, certReq, signConf)
cert, key, err := k.certManager.GenerateCertificate(defaults.ClusterMeshRemoteSecretName, certReq, signConf)
if err != nil {
return fmt.Errorf("unable to generate certificate %s: %w", defaults.ClusterMeshClientSecretName, err)
return fmt.Errorf("unable to generate certificate %s: %w", defaults.ClusterMeshRemoteSecretName, err)
}

data := map[string][]byte{
Expand All @@ -128,9 +128,9 @@ func (k *K8sClusterMesh) createClusterMeshClientCertificate(ctx context.Context)
defaults.CASecretCertName: k.certManager.CACertBytes(),
}

_, err = k.client.CreateSecret(ctx, k.params.Namespace, k8s.NewTLSSecret(defaults.ClusterMeshClientSecretName, k.params.Namespace, data), metav1.CreateOptions{})
_, err = k.client.CreateSecret(ctx, k.params.Namespace, k8s.NewTLSSecret(defaults.ClusterMeshRemoteSecretName, k.params.Namespace, data), metav1.CreateOptions{})
if err != nil {
return fmt.Errorf("unable to create secret %s/%s: %w", k.params.Namespace, defaults.ClusterMeshClientSecretName, err)
return fmt.Errorf("unable to create secret %s/%s: %w", k.params.Namespace, defaults.ClusterMeshRemoteSecretName, err)
}

return nil
Expand Down Expand Up @@ -177,8 +177,9 @@ func (k *K8sClusterMesh) deleteCertificates(ctx context.Context) error {
k.Log("🔥 Deleting ClusterMesh certificates...")
k.client.DeleteSecret(ctx, k.params.Namespace, defaults.ClusterMeshServerSecretName, metav1.DeleteOptions{})
k.client.DeleteSecret(ctx, k.params.Namespace, defaults.ClusterMeshAdminSecretName, metav1.DeleteOptions{})
k.client.DeleteSecret(ctx, k.params.Namespace, defaults.ClusterMeshClientSecretName, metav1.DeleteOptions{})
k.client.DeleteSecret(ctx, k.params.Namespace, defaults.ClusterMeshRemoteSecretName, metav1.DeleteOptions{})
k.client.DeleteSecret(ctx, k.params.Namespace, defaults.ClusterMeshExternalWorkloadSecretName, metav1.DeleteOptions{})
k.client.DeleteSecret(ctx, k.params.Namespace, defaults.ClusterMeshClientSecretName, metav1.DeleteOptions{})
return nil
}

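Review bot: The signing profile now keyed by ClusterMeshRemoteSecretName still carries `"server auth"` in its Usage list, yet the function is createClusterMeshClientCertificate and the resulting secret is what extractAccessInformation hands to other clusters as a client credential; a key that is only ever presented as a TLS client should not also be valid as a server certificate under the same ClusterMesh CA, so if nothing presents it as a server I would trim the profile to `Usage: []string{"signing", "key encipherment", "client auth"},`. In deleteCertificates the return values of the two new DeleteSecret calls (Remote and the old Client name) are discarded like the existing ones, so a deletion refused by RBAC or failing transiently leaves stale key material in the namespace without any indication; logging non-NotFound errors there would be cheap. createClusterMeshClientCertificate begins outside the hunk, so the certReq it signs is not visible here.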
41 changes: 25 additions & 16 deletions clustermesh/clustermesh.go
Expand Up @@ -662,6 +662,8 @@ func (ai *accessInformation) validate() bool {

func getDeprecatedName(secretName string) string {
switch secretName {
case defaults.ClusterMeshRemoteSecretName:
return defaults.ClusterMeshClientSecretName
case defaults.ClusterMeshServerSecretName,
defaults.ClusterMeshAdminSecretName,
defaults.ClusterMeshClientSecretName,
Expand All @@ -672,6 +674,27 @@ func getDeprecatedName(secretName string) string {
}
}

// getDeprecatedSecret attempts to retrieve a secret using one or more deprecated names
// There are now multiple "layers" of deprecated secret names, so we call this function recursively if needed
func (k *K8sClusterMesh) getDeprecatedSecret(ctx context.Context, client k8sClusterMeshImplementation, secretName string, defaultName string) (*corev1.Secret, error) {

deprecatedSecretName := getDeprecatedName(secretName)
if deprecatedSecretName == "" {
return nil, fmt.Errorf("unable to get secret %q and no deprecated names to try", secretName)
}

k.Log("Trying to get secret %s by deprecated name %s", secretName, deprecatedSecretName)

secret, err := client.GetSecret(ctx, k.params.Namespace, deprecatedSecretName, metav1.GetOptions{})
if err != nil {
return k.getDeprecatedSecret(ctx, client, deprecatedSecretName, defaultName)
}

k.Log("⚠️ Deprecated secret name %q, should be changed to %q", secret.Name, defaultName)

return secret, err
}

// We had inconsistency in naming clustermesh secrets between Helm installation and Cilium CLI installation
// Cilium CLI was naming clustermesh secrets with trailing 's'. eg. 'clustermesh-apiserver-client-certs' instead of `clustermesh-apiserver-client-cert`
// This caused Cilium CLI 'clustermesh status' command to fail when Cilium is installed using Helm
Expand All @@ -680,22 +703,8 @@ func (k *K8sClusterMesh) getSecret(ctx context.Context, client k8sClusterMeshImp

secret, err := client.GetSecret(ctx, k.params.Namespace, secretName, metav1.GetOptions{})
if err != nil {
deprecatedSecretName := getDeprecatedName(secretName)
if deprecatedSecretName == "" {
return nil, fmt.Errorf("unable to get secret %q: %w", secretName, err)
}

k.Log("Trying to get secret %s by deprecated name %s", secretName, deprecatedSecretName)

secret, err = client.GetSecret(ctx, k.params.Namespace, deprecatedSecretName, metav1.GetOptions{})
if err != nil {
return nil, fmt.Errorf("unable to get secret %q: %w", deprecatedSecretName, err)
}

k.Log("⚠️ Deprecated secret name %q, should be changed to %q", secret.Name, secretName)

return k.getDeprecatedSecret(ctx, client, secretName, secretName)
}

return secret, err
}

Expand Down Expand Up @@ -733,7 +742,7 @@ func (k *K8sClusterMesh) extractAccessInformation(ctx context.Context, client k8
return nil, fmt.Errorf("secret %q does not contain CA cert %q", defaults.CASecretName, defaults.CASecretCertName)
}

meshSecret, err := k.getSecret(ctx, client, defaults.ClusterMeshClientSecretName)
meshSecret, err := k.getSecret(ctx, client, defaults.ClusterMeshRemoteSecretName)
if err != nil {
return nil, fmt.Errorf("unable to get client secret to access clustermesh service: %w", err)
}
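Review bot: The new fallback chain loses the underlying API error: the replaced code wrapped it (`unable to get secret %q: %w`), but getDeprecatedSecret drops `err` when it recurses on line 109 and the base case on line 100 builds a message with no cause, so a caller can no longer distinguish a genuinely missing secret from an RBAC Forbidden or a transient API failure, and every such failure is silently treated as "not found" while the next older name is tried. I would fall back only when the lookup returned NotFound and surface anything else with its cause, as sketched below (this presumably needs `k8serrors "k8s.io/apimachinery/pkg/api/errors"` if the file does not already import it). getDeprecatedName's remaining cases and its default are outside the hunk; note that the recursion has no guard other than getDeprecatedName returning "", so if any name ever mapped back to one already tried it would loop forever.
```go
secret, err := client.GetSecret(ctx, k.params.Namespace, deprecatedSecretName, metav1.GetOptions{})
if err != nil {
	// Only a genuinely missing secret justifies trying an older name; an RBAC or
	// API error must surface as-is rather than be mistaken for "not found".
	if !k8serrors.IsNotFound(err) {
		return nil, fmt.Errorf("unable to get secret %q: %w", deprecatedSecretName, err)
	}
	return k.getDeprecatedSecret(ctx, client, deprecatedSecretName, defaultName)
}
// … unchanged: deprecation warning and return …
```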
1 change: 1 addition & 0 deletions defaults/defaults.go
Expand Up @@ -63,6 +63,7 @@ const (
ClusterMeshServerSecretName = "clustermesh-apiserver-server-cert"
ClusterMeshAdminSecretName = "clustermesh-apiserver-admin-cert"
ClusterMeshClientSecretName = "clustermesh-apiserver-client-cert"
ClusterMeshRemoteSecretName = "clustermesh-apiserver-remote-cert"
ClusterMeshExternalWorkloadSecretName = "clustermesh-apiserver-external-workload-cert"

ConnectivityCheckNamespace = "cilium-test"