package istio
import (
"context"
"fmt"
"strings"
"github.com/solo-io/go-utils/contextutils"
"github.com/solo-io/go-utils/errors"
v1 "github.com/solo-io/supergloo/pkg/api/v1"
kubev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes"
)
// IstioSecretDeleter removes the secrets Citadel generates (named "istio.*")
// from every namespace in the cluster once an Istio mesh in the registration
// snapshot is configured with mTLS and a root certificate. The client it is
// given must therefore be able to list namespaces and to list and delete
// secrets in all of them.
type IstioSecretDeleter struct {
	// kube is the client used to list namespaces and to list/delete secrets.
	kube kubernetes.Interface
}
// NewIstioSecretDeleter returns a deleter that performs all Kubernetes
// operations through the given client.
func NewIstioSecretDeleter(kube kubernetes.Interface) *IstioSecretDeleter {
	deleter := &IstioSecretDeleter{}
	deleter.kube = kube
	return deleter
}
// Sync deletes the Citadel-generated secrets in every namespace of the cluster
// when the snapshot contains at least one Istio mesh that has mTLS enabled and
// a root certificate configured. Non-Istio meshes and Istio meshes without
// such a configuration are ignored; if no mesh qualifies nothing is deleted.
//
// The namespace list is fetched at most once per sync. An error from listing
// namespaces or from deleting secrets aborts the sync, leaving the remaining
// namespaces untouched, and is returned wrapped with what was being done.
func (d *IstioSecretDeleter) Sync(ctx context.Context, snap *v1.RegistrationSnapshot) error {
	ctx = contextutils.WithLogger(ctx, fmt.Sprintf("istio-secret-deleter-%v", snap.Hash()))
	logger := contextutils.LoggerFrom(ctx)
	logger.Infof("begin sync %v: %v", snap.Hash(), snap.Stringer())
	defer logger.Infof("end sync %v", snap.Hash())
	logger.Debugf("full snapshot: %v", snap)

	// TODO (ilackarms): make managed namespaces a config option on a mesh
	// that way we can restrict which meshes we are managing in this syncer
	// currently we must list all namespaces and assume that istio is managing all of them
	var managedNamespaces []string
	if snapshotNeedsCertRotation(snap) {
		nss, err := listAllNamespaces(d.kube)
		if err != nil {
			return errors.Wrapf(err, "listing all namespaces")
		}
		managedNamespaces = nss
	}

	for _, ns := range managedNamespaces {
		if err := d.deleteCitadelCerts(ctx, ns); err != nil {
			return errors.Wrapf(err, "deleting citadel certs in namespace %v", ns)
		}
	}
	return nil
}

// snapshotNeedsCertRotation reports whether any Istio mesh in the snapshot
// has mTLS enabled together with a root certificate — the condition under
// which the Citadel secrets are removed so workloads pick up new certificates.
func snapshotNeedsCertRotation(snap *v1.RegistrationSnapshot) bool {
	for _, mesh := range snap.Meshes.List() {
		if _, isIstio := mesh.MeshType.(*v1.Mesh_Istio); !isIstio {
			continue
		}
		mtls := mesh.MtlsConfig
		if mtls != nil && mtls.MtlsEnabled && mtls.RootCertificate != nil {
			return true
		}
	}
	return false
}
// listAllNamespaces returns the names of every namespace in the cluster, in
// the order the API server returned them. The result is nil when no
// namespaces are returned; a list error is passed back unwrapped.
func listAllNamespaces(kube kubernetes.Interface) ([]string, error) {
	list, err := kube.CoreV1().Namespaces().List(metav1.ListOptions{})
	if err != nil {
		return nil, err
	}
	var names []string
	for i := range list.Items {
		names = append(names, list.Items[i].Name)
	}
	return names, nil
}
// deleteCitadelCerts deletes every secret in namespace whose name starts with
// "istio.", the naming pattern of the secrets Citadel generates, so that
// workloads obtain fresh certificates after the root certificate changes:
//
// > To make sure the workloads obtain the new certificates promptly,
// > delete the secrets generated by Citadel (named as istio.*).
//
// https://istio.io/docs/tasks/security/plugin-ca-cert/#plugging-in-the-existing-certificate-and-key
//
// Matching is by name prefix only: any secret in the namespace that happens
// to be named "istio.*" is removed regardless of its type or who created it.
// The first delete error aborts the loop, leaving later secrets in place.
func (d *IstioSecretDeleter) deleteCitadelCerts(ctx context.Context, namespace string) error {
	client := d.kube.CoreV1().Secrets(namespace)
	list, err := client.List(metav1.ListOptions{})
	if err != nil {
		return errors.Wrapf(err, "listing istio namespace secrets")
	}

	// Only the names are needed for deletion, so avoid copying whole Secret
	// objects (and their data) into a second slice.
	var toDelete []string
	for i := range list.Items {
		if isCitadelSecret(&list.Items[i]) {
			toDelete = append(toDelete, list.Items[i].Name)
		}
	}
	if len(toDelete) == 0 {
		return nil
	}

	contextutils.LoggerFrom(ctx).Infof("deleting %v citadel secrets", len(toDelete))
	for _, name := range toDelete {
		if err := client.Delete(name, nil); err != nil {
			return errors.Wrapf(err, "failed to delete citadel secret %v", name)
		}
	}
	return nil
}

// isCitadelSecret reports whether sec follows Citadel's "istio.*" naming.
func isCitadelSecret(sec *kubev1.Secret) bool {
	return strings.HasPrefix(sec.Name, "istio.")
}