Drop VPN Diffie–Hellman parameters

gardener · Mar 14, 2024 · 082ffe7 · 082ffe7
1 parent 12e8f78
commit 082ffe7
Show file tree

Hide file tree

Showing 8 changed files with 7 additions and 190 deletions.
diff --git a/pkg/apis/core/v1beta1/constants/types_constants.go b/pkg/apis/core/v1beta1/constants/types_constants.go
@@ -281,8 +281,6 @@ const (
 	GardenRoleDefaultDomain = "default-domain"
 	// GardenRoleInternalDomain is the value of the GardenRole key indicating type 'internal-domain'.
 	GardenRoleInternalDomain = "internal-domain"
-	// GardenRoleOpenVPNDiffieHellman is the value of the GardenRole key indicating type 'openvpn-diffie-hellman'.
-	GardenRoleOpenVPNDiffieHellman = "openvpn-diffie-hellman"
 	// GardenRoleGlobalMonitoring is the value of the GardenRole key indicating type 'global-monitoring'
 	GardenRoleGlobalMonitoring = "global-monitoring"
 	// GardenRoleGlobalShootRemoteWriteMonitoring is the value of the GardenRole key indicating type 'global-shoot-remote-write-monitoring'

diff --git a/pkg/component/networking/vpn/seedserver/mock/mocks.go b/pkg/component/networking/vpn/seedserver/mock/mocks.go
diff --git a/pkg/component/networking/vpn/seedserver/seedserver.go b/pkg/component/networking/vpn/seedserver/seedserver.go
@@ -100,21 +100,13 @@ type Interface interface {
 	component.MonitoringComponent
 
 	SetNodeNetworkCIDR(nodes *string)
-	// SetSecrets sets the secrets.
-	SetSecrets(Secrets)
 	// SetSeedNamespaceObjectUID sets UID for the namespace
 	SetSeedNamespaceObjectUID(namespaceUID types.UID)
 
 	// GetValues returns the current configuration values of the deployer.
 	GetValues() Values
 }
 
-// Secrets is collection of secrets for the vpn-seed-server.
-type Secrets struct {
-	// DiffieHellmanKey is a secret containing the diffie hellman key.
-	DiffieHellmanKey component.Secret
-}
-
 // NetworkValues contains the configuration values for the network.
 type NetworkValues struct {
 	// PodCIDR is the CIDR of the pod network.
@@ -172,7 +164,6 @@ type vpnSeedServer struct {
 	secretsManager     secretsmanager.Interface
 	namespaceUID       types.UID
 	values             Values
-	secrets            Secrets
 	istioNamespaceFunc func() string
 }
 
@@ -181,10 +172,6 @@ func (v *vpnSeedServer) GetValues() Values {
 }
 
 func (v *vpnSeedServer) Deploy(ctx context.Context) error {
-	if v.secrets.DiffieHellmanKey.Name == "" || v.secrets.DiffieHellmanKey.Checksum == "" {
-		return fmt.Errorf("missing DH secret information")
-	}
-
 	var (
 		configMap = &corev1.ConfigMap{
 			ObjectMeta: metav1.ObjectMeta{
@@ -195,19 +182,9 @@ func (v *vpnSeedServer) Deploy(ctx context.Context) error {
 				fileNameEnvoyConfig: v.getEnvoyConfig(),
 			},
 		}
-
-		dhSecret = &corev1.Secret{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      secretNameDH,
-				Namespace: v.namespace,
-			},
-			Type: corev1.SecretTypeOpaque,
-			Data: v.secrets.DiffieHellmanKey.Data,
-		}
 	)
 
 	utilruntime.Must(kubernetesutils.MakeUnique(configMap))
-	utilruntime.Must(kubernetesutils.MakeUnique(dhSecret))
 
 	secretCAVPN, found := v.secretsManager.Get(v1beta1constants.SecretNameCAVPN)
 	if !found {
@@ -236,11 +213,7 @@ func (v *vpnSeedServer) Deploy(ctx context.Context) error {
 		return err
 	}
 
-	if err := v.client.Create(ctx, dhSecret); client.IgnoreAlreadyExists(err) != nil {
-		return err
-	}
-
-	podTemplate := v.podTemplate(configMap, dhSecret, secretCAVPN, secretServer, secretTLSAuth)
+	podTemplate := v.podTemplate(configMap, secretCAVPN, secretServer, secretTLSAuth)
 	labels := getLabels()
 
 	if v.values.HighAvailabilityEnabled {
@@ -284,7 +257,7 @@ func (v *vpnSeedServer) Deploy(ctx context.Context) error {
 	return v.deployVPA(ctx)
 }
 
-func (v *vpnSeedServer) podTemplate(configMap *corev1.ConfigMap, dhSecret, secretCAVPN, secretServer, secretTLSAuth *corev1.Secret) *corev1.PodTemplateSpec {
+func (v *vpnSeedServer) podTemplate(configMap *corev1.ConfigMap, secretCAVPN, secretServer, secretTLSAuth *corev1.Secret) *corev1.PodTemplateSpec {
 	hostPathCharDev := corev1.HostPathCharDev
 	var ipFamilies []string
 	for _, v := range v.values.Network.IPFamilies {
@@ -386,10 +359,6 @@ func (v *vpnSeedServer) podTemplate(configMap *corev1.ConfigMap, dhSecret, secre
 							Name:      volumeNameTLSAuth,
 							MountPath: volumeMountPathTLSAuth,
 						},
-						{
-							Name:      volumeNameDH,
-							MountPath: volumeMountPathDH,
-						},
 					},
 				},
 			},
@@ -451,15 +420,6 @@ func (v *vpnSeedServer) podTemplate(configMap *corev1.ConfigMap, dhSecret, secre
 						},
 					},
 				},
-				{
-					Name: volumeNameDH,
-					VolumeSource: corev1.VolumeSource{
-						Secret: &corev1.SecretVolumeSource{
-							SecretName:  dhSecret.Name,
-							DefaultMode: ptr.To(int32(0400)),
-						},
-					},
-				},
 			},
 		},
 	}
@@ -840,8 +800,6 @@ func (v *vpnSeedServer) Destroy(ctx context.Context) error {
 func (v *vpnSeedServer) Wait(_ context.Context) error        { return nil }
 func (v *vpnSeedServer) WaitCleanup(_ context.Context) error { return nil }
 
-func (v *vpnSeedServer) SetSecrets(secrets Secrets) { v.secrets = secrets }
-
 func (v *vpnSeedServer) SetSeedNamespaceObjectUID(namespaceUID types.UID) {
 	v.namespaceUID = namespaceUID
 }

diff --git a/pkg/component/networking/vpn/seedserver/seedserver_test.go b/pkg/component/networking/vpn/seedserver/seedserver_test.go
@@ -43,7 +43,6 @@ import (
 	gardencorev1beta1 "github.com/gardener/gardener/pkg/apis/core/v1beta1"
 	v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants"
 	"github.com/gardener/gardener/pkg/client/kubernetes"
-	"github.com/gardener/gardener/pkg/component"
 	. "github.com/gardener/gardener/pkg/component/networking/vpn/seedserver"
 	comptest "github.com/gardener/gardener/pkg/component/test"
 	"github.com/gardener/gardener/pkg/resourcemanager/controller/garbagecollector/references"
@@ -72,26 +71,15 @@ var _ = Describe("VpnSeedServer", func() {
 		controlledValues = vpaautoscalingv1.ContainerControlledValuesRequestsOnly
 		namespaceUID     = types.UID("123456")
 
-		secretNameDH      = "vpn-seed-server-dh"
 		secretNameTLSAuth = "vpn-seed-server-tlsauth-a1d0aa00"
-		secretChecksumDH  = "9012"
-		secretDataDH      = map[string][]byte{"dh2048.pem": []byte("baz")}
-		secrets           = Secrets{}
 
 		listenAddress   = "0.0.0.0"
 		listenAddressV6 = "::"
 		dnsLookUpFamily = "ALL"
 
 		expectedConfigMap *corev1.ConfigMap
-		expectedSecretDH  = &corev1.Secret{
-			ObjectMeta: metav1.ObjectMeta{Name: "vpn-seed-server-dh", Namespace: namespace},
-			Type:       corev1.SecretTypeOpaque,
-			Data:       secretDataDH,
-		}
 	)
 
-	Expect(kubernetesutils.MakeUnique(expectedSecretDH)).To(Succeed())
-
 	var (
 		deploymentObjectMeta = &metav1.ObjectMeta{
 			Name:      DeploymentName,
@@ -202,10 +190,6 @@ var _ = Describe("VpnSeedServer", func() {
 									Name:      "tlsauth",
 									MountPath: "/srv/secrets/tlsauth",
 								},
-								{
-									Name:      "dh",
-									MountPath: "/srv/secrets/dh",
-								},
 							},
 						},
 					},
@@ -267,15 +251,6 @@ var _ = Describe("VpnSeedServer", func() {
 								},
 							},
 						},
-						{
-							Name: "dh",
-							VolumeSource: corev1.VolumeSource{
-								Secret: &corev1.SecretVolumeSource{
-									SecretName:  expectedSecretDH.Name,
-									DefaultMode: ptr.To(int32(0400)),
-								},
-							},
-						},
 					},
 				},
 			}
@@ -660,10 +635,6 @@ var _ = Describe("VpnSeedServer", func() {
 	BeforeEach(func() {
 		runtimeKubernetesVersion = semver.MustParse("1.25.0")
 
-		secrets = Secrets{
-			DiffieHellmanKey: component.Secret{Name: secretNameDH, Checksum: secretChecksumDH, Data: secretDataDH},
-		}
-
 		values = Values{
 			ImageAPIServerProxy: "envoyproxy/envoy:v4.5.6",
 			ImageVPNSeedServer:  vpnImage,
@@ -692,21 +663,10 @@ var _ = Describe("VpnSeedServer", func() {
 
 		values.RuntimeKubernetesVersion = runtimeKubernetesVersion
 		vpnSeedServer = New(c, namespace, sm, istioNamespaceFunc, values)
-		vpnSeedServer.SetSecrets(secrets)
 		vpnSeedServer.SetSeedNamespaceObjectUID(namespaceUID)
 	})
 
 	Describe("#Deploy", func() {
-		Context("missing secret information", func() {
-			BeforeEach(func() {
-				secrets = Secrets{}
-			})
-
-			It("should return an error because the DH secret information is not provided", func() {
-				Expect(vpnSeedServer.Deploy(ctx)).To(MatchError(ContainSubstring("missing DH secret information")))
-			})
-		})
-
 		Context("secret information available", func() {
 			JustBeforeEach(func() {
 				statefulSet := statefulSet(values.Network.NodeCIDR)
@@ -735,11 +695,6 @@ var _ = Describe("VpnSeedServer", func() {
 				Expect(actualSecretTLSAuth.Immutable).To(PointTo(BeTrue()))
 				Expect(actualSecretTLSAuth.Data).NotTo(BeEmpty())
 
-				actualSecretDH := &corev1.Secret{}
-				Expect(c.Get(ctx, kubernetesutils.Key(expectedSecretDH.Namespace, expectedSecretDH.Name), actualSecretDH)).To(Succeed())
-				Expect(expectedSecretDH.Immutable).To(PointTo(BeTrue()))
-				Expect(expectedSecretDH.Data).NotTo(BeEmpty())
-
 				actualService := &corev1.Service{}
 				Expect(c.Get(ctx, kubernetesutils.Key(expectedService.Namespace, expectedService.Name), actualService)).To(Succeed())
 				Expect(actualService).To(DeepEqual(expectedService))
@@ -846,11 +801,6 @@ var _ = Describe("VpnSeedServer", func() {
 				Expect(actualSecretTLSAuth.Immutable).To(PointTo(BeTrue()))
 				Expect(actualSecretTLSAuth.Data).NotTo(BeEmpty())
 
-				actualSecretDH := &corev1.Secret{}
-				Expect(c.Get(ctx, kubernetesutils.Key(expectedSecretDH.Namespace, expectedSecretDH.Name), actualSecretDH)).To(Succeed())
-				Expect(expectedSecretDH.Immutable).To(PointTo(BeTrue()))
-				Expect(expectedSecretDH.Data).NotTo(BeEmpty())
-
 				for i := 0; i < 2; i++ {
 					actualDestinationRule := &istionetworkingv1beta1.DestinationRule{}
 					expectedDestinationRule := indexedDestinationRule(i)

diff --git a/pkg/component/networking/vpn/shoot/shoot.go b/pkg/component/networking/vpn/shoot/shoot.go
@@ -126,7 +126,6 @@ type vpnShoot struct {
 	namespace      string
 	secretsManager secretsmanager.Interface
 	values         Values
-	secrets        Secrets
 }
 
 type vpnSecret struct {
@@ -242,7 +241,6 @@ func (v *vpnShoot) computeResourcesData(secretCAVPN *corev1.Secret, secretsVPNSh
 			Type: corev1.SecretTypeOpaque,
 			Data: secretVPNSeedServerTLSAuth.Data,
 		}
-		secretDH           *corev1.Secret
 		clusterRole        *rbacv1.ClusterRole
 		clusterRoleBinding *rbacv1.ClusterRoleBinding
 	)
@@ -390,7 +388,6 @@ func (v *vpnShoot) computeResourcesData(secretCAVPN *corev1.Secret, secretsVPNSh
 	objects = append(objects,
 		secretCA,
 		secretTLSAuth,
-		secretDH,
 		serviceAccount,
 		networkPolicy,
 		networkPolicyFromSeed,
@@ -538,16 +535,6 @@ func (v *vpnShoot) statefulSet(labels map[string]string, template *corev1.PodTem
 	}
 }
 
-// Secrets is collection of secrets for the vpn-shoot.
-type Secrets struct {
-	// DH is a secret containing the Diffie-Hellman credentials.
-	DH *component.Secret
-}
-
-func (v *vpnShoot) SetSecrets(secrets Secrets) {
-	v.secrets = secrets
-}
-
 func getLabels() map[string]string {
 	return map[string]string{v1beta1constants.LabelApp: LabelValue}
 }

diff --git a/pkg/gardenlet/operation/botanist/vpnseedserver.go b/pkg/gardenlet/operation/botanist/vpnseedserver.go
@@ -20,46 +20,10 @@ import (
 	"k8s.io/utils/ptr"
 
 	"github.com/gardener/gardener/imagevector"
-	v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants"
-	"github.com/gardener/gardener/pkg/component"
 	vpnseedserver "github.com/gardener/gardener/pkg/component/networking/vpn/seedserver"
-	"github.com/gardener/gardener/pkg/utils"
 	imagevectorutils "github.com/gardener/gardener/pkg/utils/imagevector"
 )
 
-var (
-	diffieHellmanKeyData = map[string][]byte{
-		"dh2048.pem": []byte(`-----BEGIN DH PARAMETERS-----
-MIIBCAKCAQEA7cBXxG9an6KRz/sB5uiSOTf7Eg+uWVkhXO4peKDTARzMYa8b7WR8
-B/Aw+AyUXtB3tXtrzeC5M3IHnuhFwMo3K4oSOkFJxatLlYKeY15r+Kt5vnOOT3BW
-eN5OnWlR5Wi7GZBWbaQgXVR79N4yst43sVhJus6By0lN6Olc9xD/ys9GH/ykJVIh
-Z/NLrxAC5lxjwCqJMd8hrryChuDlz597vg6gYFuRV60U/YU4DK71F4H7mI07aGJ9
-l+SK8TbkKWF5ITI7kYWbc4zmtfXSXaGjMhM9omQUaTH9csB96hzFJdeZ4XjxybRf
-Vc3t7XP5q7afeaKmM3FhSXdeHKCTqQzQuwIBAg==
------END DH PARAMETERS-----
-`,
-		)}
-	diffieHellmanKeyChecksum string
-)
-
-// init calculates the checksum of the default diffie hellman key
-func init() {
-	diffieHellmanKeyChecksum = utils.ComputeChecksum(diffieHellmanKeyData)
-}
-
-func (b *Botanist) getDiffieHellmanSecret() component.Secret {
-	data, checksum := diffieHellmanKeyData, diffieHellmanKeyChecksum
-	if secret := b.LoadSecret(v1beta1constants.GardenRoleOpenVPNDiffieHellman); secret != nil {
-		data, checksum = secret.Data, utils.ComputeSecretChecksum(secret.Data)
-	}
-
-	return component.Secret{
-		Name:     v1beta1constants.GardenRoleOpenVPNDiffieHellman,
-		Data:     data,
-		Checksum: checksum,
-	}
-}
-
 // DefaultVPNSeedServer returns a deployer for the vpn-seed-server.
 func (b *Botanist) DefaultVPNSeedServer() (vpnseedserver.Interface, error) {
 	imageAPIServerProxy, err := imagevector.ImageVector().FindImage(imagevector.ImageNameApiserverProxy, imagevectorutils.RuntimeVersion(b.SeedVersion()), imagevectorutils.TargetVersion(b.ShootVersion()))
@@ -108,7 +72,6 @@ func (b *Botanist) DefaultVPNSeedServer() (vpnseedserver.Interface, error) {
 // DeployVPNServer deploys the vpn-seed-server.
 func (b *Botanist) DeployVPNServer(ctx context.Context) error {
 	b.Shoot.Components.ControlPlane.VPNSeedServer.SetNodeNetworkCIDR(b.Shoot.GetInfo().Spec.Networking.Nodes)
-	b.Shoot.Components.ControlPlane.VPNSeedServer.SetSecrets(vpnseedserver.Secrets{DiffieHellmanKey: b.getDiffieHellmanSecret()})
 	b.Shoot.Components.ControlPlane.VPNSeedServer.SetSeedNamespaceObjectUID(b.SeedNamespaceObject.UID)
 
 	return b.Shoot.Components.ControlPlane.VPNSeedServer.Deploy(ctx)

diff --git a/pkg/gardenlet/operation/botanist/vpnseedserver_test.go b/pkg/gardenlet/operation/botanist/vpnseedserver_test.go
@@ -29,10 +29,7 @@ import (
 	"k8s.io/utils/ptr"
 
 	gardencorev1beta1 "github.com/gardener/gardener/pkg/apis/core/v1beta1"
-	v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants"
 	kubernetesmock "github.com/gardener/gardener/pkg/client/kubernetes/mock"
-	"github.com/gardener/gardener/pkg/component"
-	vpnseedserver "github.com/gardener/gardener/pkg/component/networking/vpn/seedserver"
 	mockvpnseedserver "github.com/gardener/gardener/pkg/component/networking/vpn/seedserver/mock"
 	"github.com/gardener/gardener/pkg/gardenlet/apis/config"
 	"github.com/gardener/gardener/pkg/gardenlet/operation"
@@ -134,17 +131,13 @@ var _ = Describe("VPNSeedServer", func() {
 			ctx     = context.TODO()
 			fakeErr = fmt.Errorf("fake err")
 
-			secretNameDH     = v1beta1constants.GardenRoleOpenVPNDiffieHellman
-			secretChecksumDH = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
-
 			namespaceUID    = types.UID("1234")
 			nodeNetworkCIDR = "10.0.0.0/24"
 		)
 
 		BeforeEach(func() {
 			vpnSeedServer = mockvpnseedserver.NewMockInterface(ctrl)
 
-			botanist.StoreSecret(secretNameDH, &corev1.Secret{})
 			botanist.Shoot = &shootpkg.Shoot{
 				Components: &shootpkg.Components{
 					ControlPlane: &shootpkg.ControlPlane{
@@ -178,9 +171,6 @@ var _ = Describe("VPNSeedServer", func() {
 
 		BeforeEach(func() {
 			vpnSeedServer.EXPECT().SetNodeNetworkCIDR(&nodeNetworkCIDR)
-			vpnSeedServer.EXPECT().SetSecrets(vpnseedserver.Secrets{
-				DiffieHellmanKey: component.Secret{Name: secretNameDH, Checksum: secretChecksumDH},
-			})
 			vpnSeedServer.EXPECT().SetSeedNamespaceObjectUID(namespaceUID)
 		})