Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement kubeconfig rotation #48

Merged
merged 40 commits into from
Nov 7, 2023
Merged

Implement kubeconfig rotation #48

merged 40 commits into from
Nov 7, 2023

Conversation

Disper
Copy link
Member

@Disper Disper commented Sep 26, 2023
edited by akgalwas
Loading

Description

Changes proposed in this pull request:

  • Periodic secret rotation implemented
  • Forced secret rotation implemented
  • Statuses set for operations

Related issue(s)
#10

@kyma-bot kyma-bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Sep 26, 2023
@kyma-bot
Copy link
Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@kyma-bot kyma-bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Sep 26, 2023
@Disper Disper mentioned this pull request Sep 26, 2023
Closed
6 tasks
@Disper Disper self-assigned this Sep 27, 2023
@Disper Disper marked this pull request as ready for review September 29, 2023 14:04
@Disper Disper requested a review from a team as a code owner September 29, 2023 14:04
@Disper Disper changed the title [WiP] Update GardenerCluster statuses Update GardenerCluster statuses Sep 29, 2023
@kyma-bot kyma-bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Sep 29, 2023
@Disper Disper removed their assignment Sep 29, 2023
@kyma-bot kyma-bot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Oct 20, 2023
@akgalwas akgalwas changed the title Update GardenerCluster statuses Implement kubeconfig rotation Oct 21, 2023
Disper
Disper commented Oct 25, 2023
View reviewed changes
internal/controller/gardener_cluster_controller.go
}
var clusterToUpdate imv1.GardenerCluster

err := controller.Client.Get(ctx, key, &clusterToUpdate)
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just a comment for myself - this prevents 409 error

Disper
Disper commented Oct 25, 2023
View reviewed changes
internal/controller/gardener_cluster_controller.go
now := time.Now()
alreadyValidFor := now.Sub(lastSyncTime)

return alreadyValidFor.Minutes() >= rotationPeriodRatio*rotationPeriod.Minutes()
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

would it be possible to remove this rotationPeriodRatio parameter?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

without that, @akgalwas had a test case where instead after 36 minutes, rotation happened after ~72 minutes and if I recall correctly, for 12 minutes the kubeconfig was invalid.

Disper
Disper commented Oct 25, 2023
View reviewed changes
internal/controller/gardener_cluster_controller_test.go
return false
}

readyState := newGardenerCluster.Status.State == imv1.ReadyState
Copy link
Member Author

@Disper Disper Oct 25, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Happened to fail for @akgalwas locally

@akgalwas
Copy link
Contributor

What should be taken into account during review:

  • Errors handling
  • Resilience: we must be sure that the controller is self healing
  • Unit tests should be reviewed
  • Unit test stability (it would be good to run it couple of times)
  • Force rotation scenario: there is update failure caused by the Kubebuilder cache

m00g3n
m00g3n approved these changes Nov 7, 2023
View reviewed changes
Copy link
Contributor

@m00g3n m00g3n left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@kyma-bot kyma-bot added the lgtm Looks good to me! label Nov 7, 2023
@kyma-bot kyma-bot merged commit 59b1cb1 into kyma-project:main Nov 7, 2023
5 checks passed
@Disper Disper deleted the controller_states3 branch December 15, 2023 11:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@m00g3n m00g3n m00g3n approved these changes

@akgalwas akgalwas Awaiting requested review from akgalwas

Assignees

@m00g3n m00g3n

Labels
lgtm Looks good to me! size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@Disper @kyma-bot @akgalwas @m00g3n