[Cleanup] Drop VPN Diffie–Hellman parameters (#9386)
* Drop VPN Diffie–Hellman parameters

* Run make generate

* Address PR review feedback

* Address PR review feedback
ary1992 committed Mar 26, 2024
1 parent af97c25 commit 6e6e14e
Showing 10 changed files with 2 additions and 210 deletions.
3 changes: 0 additions & 3 deletions docs/operations/configuration.md
Expand Up @@ -72,9 +72,6 @@ When the `gardenlet` starts, it scans the `garden` namespace of the garden clust
* This external AlertManager is not managed by Gardener and can be configured however the operator sees fit.
* Supported authentication types are no authentication, basic, or mutual TLS.

* **OpenVPN Diffie-Hellmann Key secret** (optional) - contains the self-generated Diffie-Hellmann key used by OpenVPN in your landscape, please see this [yaml file](../../example/10-secret-openvpn-diffie-hellman.yaml) for an example.
* If you don't specify a custom key, then a default key is used, but for productive landscapes it's recommend to create a landscape-specific key and define it.

* **Global monitoring secrets** (optional) - contains basic authentication credentials for the Prometheus aggregating metrics for all clusters.
* These secrets are synced to each seed cluster and used to gain access to the aggregate monitoring components.

13 changes: 0 additions & 13 deletions example/10-secret-openvpn-diffie-hellman.yaml

This file was deleted.

2 changes: 0 additions & 2 deletions pkg/apis/core/v1beta1/constants/types_constants.go
Expand Up @@ -281,8 +281,6 @@ const (
GardenRoleDefaultDomain = "default-domain"
// GardenRoleInternalDomain is the value of the GardenRole key indicating type 'internal-domain'.
GardenRoleInternalDomain = "internal-domain"
// GardenRoleOpenVPNDiffieHellman is the value of the GardenRole key indicating type 'openvpn-diffie-hellman'.
GardenRoleOpenVPNDiffieHellman = "openvpn-diffie-hellman"
// GardenRoleGlobalMonitoring is the value of the GardenRole key indicating type 'global-monitoring'
GardenRoleGlobalMonitoring = "global-monitoring"
// GardenRoleGlobalShootRemoteWriteMonitoring is the value of the GardenRole key indicating type 'global-shoot-remote-write-monitoring'
12 changes: 0 additions & 12 deletions pkg/component/networking/vpn/seedserver/mock/mocks.go


49 changes: 2 additions & 47 deletions pkg/component/networking/vpn/seedserver/seedserver.go
Expand Up @@ -73,7 +73,6 @@ const (
// MetricsPort is the port metrics can be scraped at.
MetricsPort = 15000

secretNameDH = "vpn-seed-server-dh"
envoyProxyContainerName = "envoy-proxy"

fileNameEnvoyConfig = "envoy.yaml"
Expand All @@ -82,14 +81,12 @@ const (
volumeMountPathDevNetTun = "/dev/net/tun"
volumeMountPathCerts = "/srv/secrets/vpn-server"
volumeMountPathTLSAuth = "/srv/secrets/tlsauth"
volumeMountPathDH = "/srv/secrets/dh"
volumeMountPathEnvoyConfig = "/etc/envoy"
volumeMountPathStatusDir = "/srv/status"

volumeNameDevNetTun = "dev-net-tun"
volumeNameCerts = "certs"
volumeNameTLSAuth = "tlsauth"
volumeNameDH = "dh"
volumeNameEnvoyConfig = "envoy-config"
volumeNameStatusDir = "openvpn-status"
)
Expand All @@ -100,21 +97,13 @@ type Interface interface {
component.MonitoringComponent

SetNodeNetworkCIDR(nodes *string)
// SetSecrets sets the secrets.
SetSecrets(Secrets)
// SetSeedNamespaceObjectUID sets UID for the namespace
SetSeedNamespaceObjectUID(namespaceUID types.UID)

// GetValues returns the current configuration values of the deployer.
GetValues() Values
}

// Secrets is collection of secrets for the vpn-seed-server.
type Secrets struct {
// DiffieHellmanKey is a secret containing the diffie hellman key.
DiffieHellmanKey component.Secret
}

// NetworkValues contains the configuration values for the network.
type NetworkValues struct {
// PodCIDR is the CIDR of the pod network.
Expand Down Expand Up @@ -172,7 +161,6 @@ type vpnSeedServer struct {
secretsManager secretsmanager.Interface
namespaceUID types.UID
values Values
secrets Secrets
istioNamespaceFunc func() string
}

Expand All @@ -181,10 +169,6 @@ func (v *vpnSeedServer) GetValues() Values {
}

func (v *vpnSeedServer) Deploy(ctx context.Context) error {
if v.secrets.DiffieHellmanKey.Name == "" || v.secrets.DiffieHellmanKey.Checksum == "" {
return fmt.Errorf("missing DH secret information")
}

var (
configMap = &corev1.ConfigMap{
ObjectMeta: metav1.ObjectMeta{
Expand All @@ -195,19 +179,9 @@ func (v *vpnSeedServer) Deploy(ctx context.Context) error {
fileNameEnvoyConfig: v.getEnvoyConfig(),
},
}

dhSecret = &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: secretNameDH,
Namespace: v.namespace,
},
Type: corev1.SecretTypeOpaque,
Data: v.secrets.DiffieHellmanKey.Data,
}
)

utilruntime.Must(kubernetesutils.MakeUnique(configMap))
utilruntime.Must(kubernetesutils.MakeUnique(dhSecret))

secretCAVPN, found := v.secretsManager.Get(v1beta1constants.SecretNameCAVPN)
if !found {
Expand Down Expand Up @@ -236,11 +210,7 @@ func (v *vpnSeedServer) Deploy(ctx context.Context) error {
return err
}

if err := v.client.Create(ctx, dhSecret); client.IgnoreAlreadyExists(err) != nil {
return err
}

podTemplate := v.podTemplate(configMap, dhSecret, secretCAVPN, secretServer, secretTLSAuth)
podTemplate := v.podTemplate(configMap, secretCAVPN, secretServer, secretTLSAuth)
labels := getLabels()

if v.values.HighAvailabilityEnabled {
Expand Down Expand Up @@ -284,7 +254,7 @@ func (v *vpnSeedServer) Deploy(ctx context.Context) error {
return v.deployVPA(ctx)
}

func (v *vpnSeedServer) podTemplate(configMap *corev1.ConfigMap, dhSecret, secretCAVPN, secretServer, secretTLSAuth *corev1.Secret) *corev1.PodTemplateSpec {
func (v *vpnSeedServer) podTemplate(configMap *corev1.ConfigMap, secretCAVPN, secretServer, secretTLSAuth *corev1.Secret) *corev1.PodTemplateSpec {
hostPathCharDev := corev1.HostPathCharDev
var ipFamilies []string
for _, v := range v.values.Network.IPFamilies {
Expand Down Expand Up @@ -386,10 +356,6 @@ func (v *vpnSeedServer) podTemplate(configMap *corev1.ConfigMap, dhSecret, secre
Name: volumeNameTLSAuth,
MountPath: volumeMountPathTLSAuth,
},
{
Name: volumeNameDH,
MountPath: volumeMountPathDH,
},
},
},
},
Expand Down Expand Up @@ -451,15 +417,6 @@ func (v *vpnSeedServer) podTemplate(configMap *corev1.ConfigMap, dhSecret, secre
},
},
},
{
Name: volumeNameDH,
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: dhSecret.Name,
DefaultMode: ptr.To(int32(0400)),
},
},
},
},
},
}
Expand Down Expand Up @@ -840,8 +797,6 @@ func (v *vpnSeedServer) Destroy(ctx context.Context) error {
func (v *vpnSeedServer) Wait(_ context.Context) error { return nil }
func (v *vpnSeedServer) WaitCleanup(_ context.Context) error { return nil }

func (v *vpnSeedServer) SetSecrets(secrets Secrets) { v.secrets = secrets }

func (v *vpnSeedServer) SetSeedNamespaceObjectUID(namespaceUID types.UID) {
v.namespaceUID = namespaceUID
}
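Review bot: Dropping the `client.Create(ctx, dhSecret)` call in the Deploy hunk (`@@ -236,11 +210,7 @@`) leaves any `vpn-seed-server-dh` Secret (with its MakeUnique suffix) that earlier releases created in the seed namespace untouched, and the Destroy hunk shown here only removes `SetSecrets`, with no explicit deletion of that object. Because `kubernetesutils.MakeUnique` was applied to the old secret it is presumably tagged for the reference-based garbage collector (the test file imports `garbagecollector/references`), so it should disappear once no pod references it — worth confirming, and a comment in Deploy such as `// The former vpn-seed-server-dh secret is left to the reference garbage collector.` would record why no cleanup step is needed. Removing the `/srv/secrets/dh` mount and volume in podTemplate also assumes the vpn-seed-server image no longer expects a DH parameter file there (e.g. it negotiates ECDHE only); that image change is not visible in this diff. Deploy, podTemplate and Destroy each start or end outside the hunks shown.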
50 changes: 0 additions & 50 deletions pkg/component/networking/vpn/seedserver/seedserver_test.go
Expand Up @@ -43,7 +43,6 @@ import (
gardencorev1beta1 "github.com/gardener/gardener/pkg/apis/core/v1beta1"
v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants"
"github.com/gardener/gardener/pkg/client/kubernetes"
"github.com/gardener/gardener/pkg/component"
. "github.com/gardener/gardener/pkg/component/networking/vpn/seedserver"
comptest "github.com/gardener/gardener/pkg/component/test"
"github.com/gardener/gardener/pkg/resourcemanager/controller/garbagecollector/references"
Expand Down Expand Up @@ -72,26 +71,15 @@ var _ = Describe("VpnSeedServer", func() {
controlledValues = vpaautoscalingv1.ContainerControlledValuesRequestsOnly
namespaceUID = types.UID("123456")

secretNameDH = "vpn-seed-server-dh"
secretNameTLSAuth = "vpn-seed-server-tlsauth-a1d0aa00"
secretChecksumDH = "9012"
secretDataDH = map[string][]byte{"dh2048.pem": []byte("baz")}
secrets = Secrets{}

listenAddress = "0.0.0.0"
listenAddressV6 = "::"
dnsLookUpFamily = "ALL"

expectedConfigMap *corev1.ConfigMap
expectedSecretDH = &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{Name: "vpn-seed-server-dh", Namespace: namespace},
Type: corev1.SecretTypeOpaque,
Data: secretDataDH,
}
)

Expect(kubernetesutils.MakeUnique(expectedSecretDH)).To(Succeed())

var (
deploymentObjectMeta = &metav1.ObjectMeta{
Name: DeploymentName,
Expand Down Expand Up @@ -202,10 +190,6 @@ var _ = Describe("VpnSeedServer", func() {
Name: "tlsauth",
MountPath: "/srv/secrets/tlsauth",
},
{
Name: "dh",
MountPath: "/srv/secrets/dh",
},
},
},
},
Expand Down Expand Up @@ -267,15 +251,6 @@ var _ = Describe("VpnSeedServer", func() {
},
},
},
{
Name: "dh",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: expectedSecretDH.Name,
DefaultMode: ptr.To(int32(0400)),
},
},
},
},
},
}
Expand Down Expand Up @@ -636,10 +611,6 @@ var _ = Describe("VpnSeedServer", func() {
BeforeEach(func() {
runtimeKubernetesVersion = semver.MustParse("1.25.0")

secrets = Secrets{
DiffieHellmanKey: component.Secret{Name: secretNameDH, Checksum: secretChecksumDH, Data: secretDataDH},
}

values = Values{
ImageAPIServerProxy: "envoyproxy/envoy:v4.5.6",
ImageVPNSeedServer: vpnImage,
Expand Down Expand Up @@ -668,21 +639,10 @@ var _ = Describe("VpnSeedServer", func() {

values.RuntimeKubernetesVersion = runtimeKubernetesVersion
vpnSeedServer = New(c, namespace, sm, istioNamespaceFunc, values)
vpnSeedServer.SetSecrets(secrets)
vpnSeedServer.SetSeedNamespaceObjectUID(namespaceUID)
})

Describe("#Deploy", func() {
Context("missing secret information", func() {
BeforeEach(func() {
secrets = Secrets{}
})

It("should return an error because the DH secret information is not provided", func() {
Expect(vpnSeedServer.Deploy(ctx)).To(MatchError(ContainSubstring("missing DH secret information")))
})
})

Context("secret information available", func() {
JustBeforeEach(func() {
statefulSet := statefulSet(values.Network.NodeCIDR)
Expand Down Expand Up @@ -711,11 +671,6 @@ var _ = Describe("VpnSeedServer", func() {
Expect(actualSecretTLSAuth.Immutable).To(PointTo(BeTrue()))
Expect(actualSecretTLSAuth.Data).NotTo(BeEmpty())

actualSecretDH := &corev1.Secret{}
Expect(c.Get(ctx, kubernetesutils.Key(expectedSecretDH.Namespace, expectedSecretDH.Name), actualSecretDH)).To(Succeed())
Expect(expectedSecretDH.Immutable).To(PointTo(BeTrue()))
Expect(expectedSecretDH.Data).NotTo(BeEmpty())

actualService := &corev1.Service{}
Expect(c.Get(ctx, kubernetesutils.Key(expectedService.Namespace, expectedService.Name), actualService)).To(Succeed())
Expect(actualService).To(DeepEqual(expectedService))
Expand Down Expand Up @@ -822,11 +777,6 @@ var _ = Describe("VpnSeedServer", func() {
Expect(actualSecretTLSAuth.Immutable).To(PointTo(BeTrue()))
Expect(actualSecretTLSAuth.Data).NotTo(BeEmpty())

actualSecretDH := &corev1.Secret{}
Expect(c.Get(ctx, kubernetesutils.Key(expectedSecretDH.Namespace, expectedSecretDH.Name), actualSecretDH)).To(Succeed())
Expect(expectedSecretDH.Immutable).To(PointTo(BeTrue()))
Expect(expectedSecretDH.Data).NotTo(BeEmpty())

for i := 0; i < 2; i++ {
actualDestinationRule := &istionetworkingv1beta1.DestinationRule{}
expectedDestinationRule := indexedDestinationRule(i)
13 changes: 0 additions & 13 deletions pkg/component/networking/vpn/shoot/shoot.go
Expand Up @@ -126,7 +126,6 @@ type vpnShoot struct {
namespace string
secretsManager secretsmanager.Interface
values Values
secrets Secrets
}

type vpnSecret struct {
Expand Down Expand Up @@ -242,7 +241,6 @@ func (v *vpnShoot) computeResourcesData(secretCAVPN *corev1.Secret, secretsVPNSh
Type: corev1.SecretTypeOpaque,
Data: secretVPNSeedServerTLSAuth.Data,
}
secretDH *corev1.Secret
clusterRole *rbacv1.ClusterRole
clusterRoleBinding *rbacv1.ClusterRoleBinding
)
Expand Down Expand Up @@ -390,7 +388,6 @@ func (v *vpnShoot) computeResourcesData(secretCAVPN *corev1.Secret, secretsVPNSh
objects = append(objects,
secretCA,
secretTLSAuth,
secretDH,
serviceAccount,
networkPolicy,
networkPolicyFromSeed,
Expand Down Expand Up @@ -538,16 +535,6 @@ func (v *vpnShoot) statefulSet(labels map[string]string, template *corev1.PodTem
}
}

// Secrets is collection of secrets for the vpn-shoot.
type Secrets struct {
// DH is a secret containing the Diffie-Hellman credentials.
DH *component.Secret
}

func (v *vpnShoot) SetSecrets(secrets Secrets) {
v.secrets = secrets
}

func getLabels() map[string]string {
return map[string]string{v1beta1constants.LabelApp: LabelValue}
}
