[Cleanup] Drop VPN Diffie–Hellman parameters #9386

Merged
merged 4 commits into from
Mar 26, 2024
Merged
2 changes: 0 additions & 2 deletions pkg/apis/core/v1beta1/constants/types_constants.go
Expand Up @@ -281,8 +281,6 @@ const (
GardenRoleDefaultDomain = "default-domain"
// GardenRoleInternalDomain is the value of the GardenRole key indicating type 'internal-domain'.
GardenRoleInternalDomain = "internal-domain"
// GardenRoleOpenVPNDiffieHellman is the value of the GardenRole key indicating type 'openvpn-diffie-hellman'.
GardenRoleOpenVPNDiffieHellman = "openvpn-diffie-hellman"
// GardenRoleGlobalMonitoring is the value of the GardenRole key indicating type 'global-monitoring'
GardenRoleGlobalMonitoring = "global-monitoring"
// GardenRoleGlobalShootRemoteWriteMonitoring is the value of the GardenRole key indicating type 'global-shoot-remote-write-monitoring'
12 changes: 0 additions & 12 deletions pkg/component/networking/vpn/seedserver/mock/mocks.go


46 changes: 2 additions & 44 deletions pkg/component/networking/vpn/seedserver/seedserver.go
Expand Up @@ -100,21 +100,13 @@ type Interface interface {
component.MonitoringComponent

SetNodeNetworkCIDR(nodes *string)
// SetSecrets sets the secrets.
SetSecrets(Secrets)
// SetSeedNamespaceObjectUID sets UID for the namespace
SetSeedNamespaceObjectUID(namespaceUID types.UID)

// GetValues returns the current configuration values of the deployer.
GetValues() Values
}

// Secrets is collection of secrets for the vpn-seed-server.
type Secrets struct {
// DiffieHellmanKey is a secret containing the diffie hellman key.
DiffieHellmanKey component.Secret
}

// NetworkValues contains the configuration values for the network.
type NetworkValues struct {
// PodCIDR is the CIDR of the pod network.
Expand Down Expand Up @@ -172,7 +164,6 @@ type vpnSeedServer struct {
secretsManager secretsmanager.Interface
namespaceUID types.UID
values Values
secrets Secrets
istioNamespaceFunc func() string
}

Expand All @@ -181,10 +172,6 @@ func (v *vpnSeedServer) GetValues() Values {
}

func (v *vpnSeedServer) Deploy(ctx context.Context) error {
if v.secrets.DiffieHellmanKey.Name == "" || v.secrets.DiffieHellmanKey.Checksum == "" {
return fmt.Errorf("missing DH secret information")
}

var (
configMap = &corev1.ConfigMap{
ObjectMeta: metav1.ObjectMeta{
Expand All @@ -195,19 +182,9 @@ func (v *vpnSeedServer) Deploy(ctx context.Context) error {
fileNameEnvoyConfig: v.getEnvoyConfig(),
},
}

dhSecret = &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: secretNameDH,
Namespace: v.namespace,
},
Type: corev1.SecretTypeOpaque,
Data: v.secrets.DiffieHellmanKey.Data,
}
)

utilruntime.Must(kubernetesutils.MakeUnique(configMap))
utilruntime.Must(kubernetesutils.MakeUnique(dhSecret))

secretCAVPN, found := v.secretsManager.Get(v1beta1constants.SecretNameCAVPN)
if !found {
Expand Down Expand Up @@ -236,11 +213,7 @@ func (v *vpnSeedServer) Deploy(ctx context.Context) error {
return err
}

if err := v.client.Create(ctx, dhSecret); client.IgnoreAlreadyExists(err) != nil {
return err
}

podTemplate := v.podTemplate(configMap, dhSecret, secretCAVPN, secretServer, secretTLSAuth)
podTemplate := v.podTemplate(configMap, secretCAVPN, secretServer, secretTLSAuth)
labels := getLabels()

if v.values.HighAvailabilityEnabled {
Expand Down Expand Up @@ -284,7 +257,7 @@ func (v *vpnSeedServer) Deploy(ctx context.Context) error {
return v.deployVPA(ctx)
}

func (v *vpnSeedServer) podTemplate(configMap *corev1.ConfigMap, dhSecret, secretCAVPN, secretServer, secretTLSAuth *corev1.Secret) *corev1.PodTemplateSpec {
func (v *vpnSeedServer) podTemplate(configMap *corev1.ConfigMap, secretCAVPN, secretServer, secretTLSAuth *corev1.Secret) *corev1.PodTemplateSpec {
hostPathCharDev := corev1.HostPathCharDev
var ipFamilies []string
for _, v := range v.values.Network.IPFamilies {
Expand Down Expand Up @@ -386,10 +359,6 @@ func (v *vpnSeedServer) podTemplate(configMap *corev1.ConfigMap, dhSecret, secre
Name: volumeNameTLSAuth,
MountPath: volumeMountPathTLSAuth,
},
{
Name: volumeNameDH,
MountPath: volumeMountPathDH,
},
},
},
},
Expand Down Expand Up @@ -451,15 +420,6 @@ func (v *vpnSeedServer) podTemplate(configMap *corev1.ConfigMap, dhSecret, secre
},
},
},
{
Name: volumeNameDH,
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: dhSecret.Name,
DefaultMode: ptr.To(int32(0400)),
},
},
},
},
},
}
Expand Down Expand Up @@ -840,8 +800,6 @@ func (v *vpnSeedServer) Destroy(ctx context.Context) error {
func (v *vpnSeedServer) Wait(_ context.Context) error { return nil }
func (v *vpnSeedServer) WaitCleanup(_ context.Context) error { return nil }

func (v *vpnSeedServer) SetSecrets(secrets Secrets) { v.secrets = secrets }

func (v *vpnSeedServer) SetSeedNamespaceObjectUID(namespaceUID types.UID) {
v.namespaceUID = namespaceUID
}
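Review bot: Deploy stops creating the DH secret at the `dhSecret` declaration and the `v.client.Create(ctx, dhSecret)` call, but nothing in these hunks deletes the secret that earlier releases already placed in the seed namespace, so existing shoots keep an orphaned `secretNameDH` object (presumably with a hash-suffixed name, as `MakeUnique` produced for the TLS-auth secret in the tests) holding parameters no pod mounts any more. Because the suffix came from `MakeUnique`, the old name cannot be rebuilt from `secretNameDH` alone; a label-selector or name-prefix based deletion in Deploy or Destroy would let the reconciler clean it up, and the `Create` with `IgnoreAlreadyExists` that used to exist suggests the object was never updated in place, so a stale copy is the expected state. Destroy starts at old line 840 and its body is outside the hunk, so if that cleanup already lives there this can be dismissed. Deploy itself begins and ends outside the shown hunks as well.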
50 changes: 0 additions & 50 deletions pkg/component/networking/vpn/seedserver/seedserver_test.go
Expand Up @@ -43,7 +43,6 @@ import (
gardencorev1beta1 "github.com/gardener/gardener/pkg/apis/core/v1beta1"
v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants"
"github.com/gardener/gardener/pkg/client/kubernetes"
"github.com/gardener/gardener/pkg/component"
. "github.com/gardener/gardener/pkg/component/networking/vpn/seedserver"
comptest "github.com/gardener/gardener/pkg/component/test"
"github.com/gardener/gardener/pkg/resourcemanager/controller/garbagecollector/references"
Expand Down Expand Up @@ -72,26 +71,15 @@ var _ = Describe("VpnSeedServer", func() {
controlledValues = vpaautoscalingv1.ContainerControlledValuesRequestsOnly
namespaceUID = types.UID("123456")

secretNameDH = "vpn-seed-server-dh"
secretNameTLSAuth = "vpn-seed-server-tlsauth-a1d0aa00"
secretChecksumDH = "9012"
secretDataDH = map[string][]byte{"dh2048.pem": []byte("baz")}
secrets = Secrets{}

listenAddress = "0.0.0.0"
listenAddressV6 = "::"
dnsLookUpFamily = "ALL"

expectedConfigMap *corev1.ConfigMap
expectedSecretDH = &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{Name: "vpn-seed-server-dh", Namespace: namespace},
Type: corev1.SecretTypeOpaque,
Data: secretDataDH,
}
)

Expect(kubernetesutils.MakeUnique(expectedSecretDH)).To(Succeed())

var (
deploymentObjectMeta = &metav1.ObjectMeta{
Name: DeploymentName,
Expand Down Expand Up @@ -202,10 +190,6 @@ var _ = Describe("VpnSeedServer", func() {
Name: "tlsauth",
MountPath: "/srv/secrets/tlsauth",
},
{
Name: "dh",
MountPath: "/srv/secrets/dh",
},
},
},
},
Expand Down Expand Up @@ -267,15 +251,6 @@ var _ = Describe("VpnSeedServer", func() {
},
},
},
{
Name: "dh",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: expectedSecretDH.Name,
DefaultMode: ptr.To(int32(0400)),
},
},
},
},
},
}
Expand Down Expand Up @@ -636,10 +611,6 @@ var _ = Describe("VpnSeedServer", func() {
BeforeEach(func() {
runtimeKubernetesVersion = semver.MustParse("1.25.0")

secrets = Secrets{
DiffieHellmanKey: component.Secret{Name: secretNameDH, Checksum: secretChecksumDH, Data: secretDataDH},
}

values = Values{
ImageAPIServerProxy: "envoyproxy/envoy:v4.5.6",
ImageVPNSeedServer: vpnImage,
Expand Down Expand Up @@ -668,21 +639,10 @@ var _ = Describe("VpnSeedServer", func() {

values.RuntimeKubernetesVersion = runtimeKubernetesVersion
vpnSeedServer = New(c, namespace, sm, istioNamespaceFunc, values)
vpnSeedServer.SetSecrets(secrets)
vpnSeedServer.SetSeedNamespaceObjectUID(namespaceUID)
})

Describe("#Deploy", func() {
Context("missing secret information", func() {
BeforeEach(func() {
secrets = Secrets{}
})

It("should return an error because the DH secret information is not provided", func() {
Expect(vpnSeedServer.Deploy(ctx)).To(MatchError(ContainSubstring("missing DH secret information")))
})
})

Context("secret information available", func() {
JustBeforeEach(func() {
statefulSet := statefulSet(values.Network.NodeCIDR)
Expand Down Expand Up @@ -711,11 +671,6 @@ var _ = Describe("VpnSeedServer", func() {
Expect(actualSecretTLSAuth.Immutable).To(PointTo(BeTrue()))
Expect(actualSecretTLSAuth.Data).NotTo(BeEmpty())

actualSecretDH := &corev1.Secret{}
Expect(c.Get(ctx, kubernetesutils.Key(expectedSecretDH.Namespace, expectedSecretDH.Name), actualSecretDH)).To(Succeed())
Expect(expectedSecretDH.Immutable).To(PointTo(BeTrue()))
Expect(expectedSecretDH.Data).NotTo(BeEmpty())

actualService := &corev1.Service{}
Expect(c.Get(ctx, kubernetesutils.Key(expectedService.Namespace, expectedService.Name), actualService)).To(Succeed())
Expect(actualService).To(DeepEqual(expectedService))
Expand Down Expand Up @@ -822,11 +777,6 @@ var _ = Describe("VpnSeedServer", func() {
Expect(actualSecretTLSAuth.Immutable).To(PointTo(BeTrue()))
Expect(actualSecretTLSAuth.Data).NotTo(BeEmpty())

actualSecretDH := &corev1.Secret{}
Expect(c.Get(ctx, kubernetesutils.Key(expectedSecretDH.Namespace, expectedSecretDH.Name), actualSecretDH)).To(Succeed())
Expect(expectedSecretDH.Immutable).To(PointTo(BeTrue()))
Expect(expectedSecretDH.Data).NotTo(BeEmpty())

for i := 0; i < 2; i++ {
actualDestinationRule := &istionetworkingv1beta1.DestinationRule{}
expectedDestinationRule := indexedDestinationRule(i)
13 changes: 0 additions & 13 deletions pkg/component/networking/vpn/shoot/shoot.go
Expand Up @@ -126,7 +126,6 @@ type vpnShoot struct {
namespace string
secretsManager secretsmanager.Interface
values Values
secrets Secrets
}

type vpnSecret struct {
Expand Down Expand Up @@ -242,7 +241,6 @@ func (v *vpnShoot) computeResourcesData(secretCAVPN *corev1.Secret, secretsVPNSh
Type: corev1.SecretTypeOpaque,
Data: secretVPNSeedServerTLSAuth.Data,
}
secretDH *corev1.Secret
clusterRole *rbacv1.ClusterRole
clusterRoleBinding *rbacv1.ClusterRoleBinding
)
Expand Down Expand Up @@ -390,7 +388,6 @@ func (v *vpnShoot) computeResourcesData(secretCAVPN *corev1.Secret, secretsVPNSh
objects = append(objects,
secretCA,
secretTLSAuth,
secretDH,
serviceAccount,
networkPolicy,
networkPolicyFromSeed,
Expand Down Expand Up @@ -538,16 +535,6 @@ func (v *vpnShoot) statefulSet(labels map[string]string, template *corev1.PodTem
}
}

// Secrets is collection of secrets for the vpn-shoot.
type Secrets struct {
// DH is a secret containing the Diffie-Hellman credentials.
DH *component.Secret
}

func (v *vpnShoot) SetSecrets(secrets Secrets) {
v.secrets = secrets
}

func getLabels() map[string]string {
return map[string]string{v1beta1constants.LabelApp: LabelValue}
}
37 changes: 0 additions & 37 deletions pkg/gardenlet/operation/botanist/vpnseedserver.go
Expand Up @@ -20,46 +20,10 @@ import (
"k8s.io/utils/ptr"

"github.com/gardener/gardener/imagevector"
v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants"
"github.com/gardener/gardener/pkg/component"
vpnseedserver "github.com/gardener/gardener/pkg/component/networking/vpn/seedserver"
"github.com/gardener/gardener/pkg/utils"
imagevectorutils "github.com/gardener/gardener/pkg/utils/imagevector"
)

var (
diffieHellmanKeyData = map[string][]byte{
"dh2048.pem": []byte(`-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA7cBXxG9an6KRz/sB5uiSOTf7Eg+uWVkhXO4peKDTARzMYa8b7WR8
B/Aw+AyUXtB3tXtrzeC5M3IHnuhFwMo3K4oSOkFJxatLlYKeY15r+Kt5vnOOT3BW
eN5OnWlR5Wi7GZBWbaQgXVR79N4yst43sVhJus6By0lN6Olc9xD/ys9GH/ykJVIh
Z/NLrxAC5lxjwCqJMd8hrryChuDlz597vg6gYFuRV60U/YU4DK71F4H7mI07aGJ9
l+SK8TbkKWF5ITI7kYWbc4zmtfXSXaGjMhM9omQUaTH9csB96hzFJdeZ4XjxybRf
Vc3t7XP5q7afeaKmM3FhSXdeHKCTqQzQuwIBAg==
-----END DH PARAMETERS-----
`,
)}
diffieHellmanKeyChecksum string
)

// init calculates the checksum of the default diffie hellman key
func init() {
diffieHellmanKeyChecksum = utils.ComputeChecksum(diffieHellmanKeyData)
}

func (b *Botanist) getDiffieHellmanSecret() component.Secret {
data, checksum := diffieHellmanKeyData, diffieHellmanKeyChecksum
if secret := b.LoadSecret(v1beta1constants.GardenRoleOpenVPNDiffieHellman); secret != nil {
data, checksum = secret.Data, utils.ComputeSecretChecksum(secret.Data)
}

return component.Secret{
Name: v1beta1constants.GardenRoleOpenVPNDiffieHellman,
Data: data,
Checksum: checksum,
}
}

// DefaultVPNSeedServer returns a deployer for the vpn-seed-server.
func (b *Botanist) DefaultVPNSeedServer() (vpnseedserver.Interface, error) {
imageAPIServerProxy, err := imagevector.ImageVector().FindImage(imagevector.ImageNameApiserverProxy, imagevectorutils.RuntimeVersion(b.SeedVersion()), imagevectorutils.TargetVersion(b.ShootVersion()))
Expand Down Expand Up @@ -108,7 +72,6 @@ func (b *Botanist) DefaultVPNSeedServer() (vpnseedserver.Interface, error) {
// DeployVPNServer deploys the vpn-seed-server.
func (b *Botanist) DeployVPNServer(ctx context.Context) error {
b.Shoot.Components.ControlPlane.VPNSeedServer.SetNodeNetworkCIDR(b.Shoot.GetInfo().Spec.Networking.Nodes)
b.Shoot.Components.ControlPlane.VPNSeedServer.SetSecrets(vpnseedserver.Secrets{DiffieHellmanKey: b.getDiffieHellmanSecret()})
b.Shoot.Components.ControlPlane.VPNSeedServer.SetSeedNamespaceObjectUID(b.SeedNamespaceObject.UID)

return b.Shoot.Components.ControlPlane.VPNSeedServer.Deploy(ctx)