From 2fa150896ec9252b0f618eaec99d4a81127ccf31 Mon Sep 17 00:00:00 2001
From: Lukasz Szaszkiewicz
Date: Fri, 11 Jun 2021 11:51:48 +0200
Subject: [PATCH 1/2] pin library-go

---
 go.mod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/go.mod b/go.mod
index 1b9527a06..3ccb92d22 100644
--- a/go.mod
+++ b/go.mod
@@ -10,7 +10,7 @@ require (
 github.com/openshift/api v0.0.0-20210521075222-e273a339932a
 github.com/openshift/build-machinery-go v0.0.0-20210423112049-9415d7ebd33e
 github.com/openshift/client-go v0.0.0-20210521082421-73d9475a9142
- github.com/openshift/library-go v0.0.0-20210609150209-1c980926414c
+ github.com/openshift/library-go v0.0.0-20210611094144-35c8a075e255
 github.com/prometheus/client_golang v1.7.1
 github.com/prometheus/common v0.10.0
 github.com/spf13/cobra v1.1.1

From 50806e65ed28c3957d272c3dcc380d0efef48c4e Mon Sep 17 00:00:00 2001
From: Lukasz Szaszkiewicz
Date: Fri, 11 Jun 2021 11:51:58 +0200
Subject: [PATCH 2/2] bump(library-go)

---
 go.sum | 4 +-
 .../certsyncpod/certsync_controller.go | 5 ++-
 .../controller/prune/prune_controller.go | 5 ++-
 .../pkg/operator/staticpod/controllers.go | 1 +
 .../pkg/operator/staticpod/file_utils.go | 35 +++++++++++++++++
 .../operator/staticpod/installerpod/cmd.go | 36 +++++++++++-------
 .../pkg/operator/staticpod/prune/cmd.go | 38 ++++++++++++++++++-
 vendor/modules.txt | 2 +-
 8 files changed, 106 insertions(+), 20 deletions(-)
 create mode 100644 vendor/github.com/openshift/library-go/pkg/operator/staticpod/file_utils.go

diff --git a/go.sum b/go.sum
index 9d807a6bf..124e19855 100644
--- a/go.sum
+++ b/go.sum
@@ -405,8 +405,8 @@ github.com/openshift/client-go v0.0.0-20210521082421-73d9475a9142 h1:ZHRIMCFIJN1
 github.com/openshift/client-go v0.0.0-20210521082421-73d9475a9142/go.mod h1:fjS8r9mqDVsPb5td3NehsNOAWa4uiFkYEfVZioQ2gH0=
 github.com/openshift/kubernetes-apiserver v0.0.0-20210419140141-620426e63a99 h1:KrCYRAJcgZYzMCB1PjJHJMYPu/d+dEkelq5eYyi0fDw=
 github.com/openshift/kubernetes-apiserver v0.0.0-20210419140141-620426e63a99/go.mod h1:w2YSn4/WIwYuxG5zJmcqtRdtqgW/J2JRgFAqps3bBpg=
-github.com/openshift/library-go v0.0.0-20210609150209-1c980926414c h1:1U/zY54WyRyEsVoAHf6yLDgSHf5famdKnIBulyGOLGU=
-github.com/openshift/library-go v0.0.0-20210609150209-1c980926414c/go.mod h1:C5DDOSPucn3EVA0T05fODKtAweTObMBrTYm/G3uUBI8=
+github.com/openshift/library-go v0.0.0-20210611094144-35c8a075e255 h1:4lXXCXSNmAD56T+lL0CRQfm4aImnb1I6Va9QVtN/d+Q=
+github.com/openshift/library-go v0.0.0-20210611094144-35c8a075e255/go.mod h1:C5DDOSPucn3EVA0T05fODKtAweTObMBrTYm/G3uUBI8=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/staticpod/certsyncpod/certsync_controller.go b/vendor/github.com/openshift/library-go/pkg/operator/staticpod/certsyncpod/certsync_controller.go
index 1d20f6522..73362057c 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/staticpod/certsyncpod/certsync_controller.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/staticpod/certsyncpod/certsync_controller.go
@@ -18,6 +18,7 @@ import (
 
 "github.com/openshift/library-go/pkg/controller/factory"
 "github.com/openshift/library-go/pkg/operator/events"
+ "github.com/openshift/library-go/pkg/operator/staticpod"
 "github.com/openshift/library-go/pkg/operator/staticpod/controller/installer"
 )
 
@@ -157,7 +158,7 @@ func (c *CertSyncController) sync(ctx context.Context, syncCtx factory.SyncConte
 }
 
 klog.Infof("Writing configmap manifest %q ...", fullFilename)
- if err := ioutil.WriteFile(fullFilename, []byte(content), 0644); err != nil {
+ if err := staticpod.WriteFileAtomic([]byte(content), 0644, fullFilename); err != nil {
 c.eventRecorder.Warningf("CertificateUpdateFailed", "Failed writing file for configmap: %s/%s: %v", configMap.Namespace, configMap.Name, err)
 errors = append(errors, err)
 continue
@@ -263,7 +264,7 @@ func (c *CertSyncController) sync(ctx context.Context, syncCtx factory.SyncConte
 }
 
 klog.Infof("Writing secret manifest %q ...", fullFilename)
- if err := ioutil.WriteFile(fullFilename, content, 0644); err != nil {
+ if err := staticpod.WriteFileAtomic(content, 0644, fullFilename); err != nil {
 c.eventRecorder.Warningf("CertificateUpdateFailed", "Failed writing file for secret: %s/%s: %v", secret.Namespace, secret.Name, err)
 errors = append(errors, err)
 continue
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/staticpod/controller/prune/prune_controller.go b/vendor/github.com/openshift/library-go/pkg/operator/staticpod/controller/prune/prune_controller.go
index b23ad22ee..a6251898d 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/staticpod/controller/prune/prune_controller.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/staticpod/controller/prune/prune_controller.go
@@ -28,7 +28,7 @@ import (
 // PruneController is a controller that watches static installer pod revision statuses and spawns
 // a pruner pod to delete old revision resources from disk
 type PruneController struct {
- targetNamespace, podResourcePrefix string
+ targetNamespace, podResourcePrefix, certDir string
 
 // command is the string to use for the pruning pod command
 command []string
@@ -57,6 +57,7 @@ const (
 func NewPruneController(
 targetNamespace string,
 podResourcePrefix string,
+ certDir string,
 command []string,
 configMapGetter corev1client.ConfigMapsGetter,
 secretGetter corev1client.SecretsGetter,
@@ -67,6 +68,7 @@ func NewPruneController(
 c := &PruneController{
 targetNamespace: targetNamespace,
 podResourcePrefix: podResourcePrefix,
+ certDir: certDir,
 command: command,
 
 operatorClient: operatorClient,
@@ -225,6 +227,7 @@ func (c *PruneController) ensurePrunePod(recorder events.Recorder, nodeName stri
 fmt.Sprintf("--max-eligible-revision=%d", maxEligibleRevision),
 fmt.Sprintf("--protected-revisions=%s", revisionsToString(protectedRevisions)),
 fmt.Sprintf("--resource-dir=%s", "/etc/kubernetes/static-pod-resources"),
+ fmt.Sprintf("--cert-dir=%s", c.certDir),
 fmt.Sprintf("--static-pod-name=%s", c.podResourcePrefix),
 )
 
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/staticpod/controllers.go b/vendor/github.com/openshift/library-go/pkg/operator/staticpod/controllers.go
index f89145cff..c087624a3 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/staticpod/controllers.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/staticpod/controllers.go
@@ -230,6 +230,7 @@ func (b *staticPodOperatorControllerBuilder) ToControllers() (manager.Controller
 manager.WithController(prune.NewPruneController(
 b.operandNamespace,
 b.staticPodPrefix,
+ b.certDir,
 b.pruneCommand,
 configMapClient,
 secretClient,
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/staticpod/file_utils.go b/vendor/github.com/openshift/library-go/pkg/operator/staticpod/file_utils.go
new file mode 100644
index 000000000..9e6c91470
--- /dev/null
+++ b/vendor/github.com/openshift/library-go/pkg/operator/staticpod/file_utils.go
@@ -0,0 +1,35 @@
+package staticpod
+
+import (
+ "fmt"
+ "os"
+ "path/filepath"
+
+ "io/ioutil"
+)
+
+func WriteFileAtomic(content []byte, filePerms os.FileMode, fullFilename string) error {
+ tmpFile, err := writeTemporaryFile(content, filePerms, fullFilename)
+ if err != nil {
+ return err
+ }
+
+ return os.Rename(tmpFile, fullFilename)
+}
+
+func writeTemporaryFile(content []byte, filePerms os.FileMode, fullFilename string) (string, error) {
+ contentDir := filepath.Dir(fullFilename)
+ filename := filepath.Base(fullFilename)
+ tmpfile, err := ioutil.TempFile(contentDir, fmt.Sprintf("%s.tmp", filename))
+ if err != nil {
+ return "", err
+ }
+ defer tmpfile.Close()
+ if err := tmpfile.Chmod(filePerms); err != nil {
+ return "", err
+ }
+ if _, err := tmpfile.Write(content); err != nil {
+ return "", err
+ }
+ return tmpfile.Name(), nil
+}
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/staticpod/installerpod/cmd.go b/vendor/github.com/openshift/library-go/pkg/operator/staticpod/installerpod/cmd.go
index 23ae52b46..0679f05ca 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/staticpod/installerpod/cmd.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/staticpod/installerpod/cmd.go
@@ -3,6 +3,7 @@ package installerpod
 import (
 "context"
 "fmt"
+ "github.com/openshift/library-go/pkg/operator/staticpod"
 "io/ioutil"
 "os"
 "path"
@@ -222,12 +223,7 @@ func (o *InstallOptions) copySecretsAndConfigMaps(ctx context.Context, resourceD
 return err
 }
 for filename, content := range secret.Data {
- klog.Infof("Writing secret manifest %q ...", path.Join(contentDir, filename))
- filePerms := os.FileMode(0600)
- if strings.HasSuffix(filename, ".sh") {
- filePerms = 0700
- }
- if err := ioutil.WriteFile(path.Join(contentDir, filename), content, filePerms); err != nil {
+ if err := writeSecret(content, path.Join(contentDir, filename)); err != nil {
 return err
 }
 }
@@ -243,15 +239,9 @@ func (o *InstallOptions) copySecretsAndConfigMaps(ctx context.Context, resourceD
 return err
 }
 for filename, content := range configmap.Data {
- klog.Infof("Writing config file %q ...", path.Join(contentDir, filename))
- filePerms := os.FileMode(0644)
- if strings.HasSuffix(filename, ".sh") {
- filePerms = 0755
- }
- if err := ioutil.WriteFile(path.Join(contentDir, filename), []byte(content), filePerms); err != nil {
+ if err := writeConfig([]byte(content), path.Join(contentDir, filename)); err != nil {
 return err
 }
-
 }
 }
 
@@ -408,3 +398,23 @@ func (o *InstallOptions) Run(ctx context.Context) error {
 recorder.Eventf("StaticPodInstallerCompleted", "Successfully installed revision %s", o.Revision)
 return nil
 }
+
+func writeConfig(content []byte, fullFilename string) error {
+ klog.Infof("Writing config file %q ...", fullFilename)
+
+ filePerms := os.FileMode(0644)
+ if strings.HasSuffix(fullFilename, ".sh") {
+ filePerms = 0755
+ }
+ return staticpod.WriteFileAtomic(content, filePerms, fullFilename)
+}
+
+func writeSecret(content []byte, fullFilename string) error {
+ klog.Infof("Writing secret manifest %q ...", fullFilename)
+
+ filePerms := os.FileMode(0600)
+ if strings.HasSuffix(fullFilename, ".sh") {
+ filePerms = 0700
+ }
+ return staticpod.WriteFileAtomic(content, filePerms, fullFilename)
+}
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/staticpod/prune/cmd.go b/vendor/github.com/openshift/library-go/pkg/operator/staticpod/prune/cmd.go
index 205ca5a51..4590e9ead 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/staticpod/prune/cmd.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/staticpod/prune/cmd.go
@@ -5,8 +5,10 @@ import (
 "io/ioutil"
 "os"
 "path"
+ "path/filepath"
 "strconv"
 "strings"
+ "time"
 
 "github.com/davecgh/go-spew/spew"
 "github.com/spf13/cobra"
@@ -21,6 +23,7 @@ type PruneOptions struct {
 ProtectedRevisions []int
 
 ResourceDir string
+ CertDir string
 StaticPodName string
 }
 
@@ -57,6 +60,7 @@ func (o *PruneOptions) AddFlags(fs *pflag.FlagSet) {
 fs.IntSliceVar(&o.ProtectedRevisions, "protected-revisions", o.ProtectedRevisions, "list of revision IDs to preserve (not delete)")
 fs.StringVar(&o.ResourceDir, "resource-dir", o.ResourceDir, "directory for all files supporting the static pod manifest")
 fs.StringVar(&o.StaticPodName, "static-pod-name", o.StaticPodName, "name of the static pod")
+ fs.StringVar(&o.CertDir, "cert-dir", o.CertDir, "directory for all certs")
 }
 
 func (o *PruneOptions) Validate() error {
@@ -112,5 +116,37 @@ func (o *PruneOptions) Run() error {
 return err
 }
 }
- return nil
+
+ // prune any temporary certificate files
+ // we do create temporary files to atomically "write" various certificates to disk
+ // usually, these files are short-lived because they are immediately renamed, the following loop removes old/unused/dangling files
+ //
+ // the temporary files have the following form:
+ // /etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/control-plane-node-kubeconfig/kubeconfig.tmp753375784
+ // /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/service-network-serving-certkey/tls.key.tmp643092404
+ if len(o.CertDir) == 0 {
+ return nil
+ }
+
+ return filepath.Walk(path.Join(o.ResourceDir, o.CertDir),
+ func(filePath string, info os.FileInfo, err error) error {
+ if err != nil {
+ return err
+ }
+ if info.IsDir() {
+ return nil
+ }
+ // info.Name() gives just a filename like tls.key or tls.key.tmp643092404
+ if !strings.Contains(info.Name(), ".tmp") {
+ return nil
+ }
+ if time.Now().Sub(info.ModTime()) > 30*time.Minute {
+ klog.Infof("Removing %s, the last time it was modified was %v", filePath, info.ModTime())
+ if err := os.RemoveAll(filePath); err != nil {
+ return err
+ }
+ }
+ return nil
+ },
+ )
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index ad2e35ca5..ae18a381d 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -179,7 +179,7 @@ github.com/openshift/client-go/operator/clientset/versioned/typed/operator/v1alp
 github.com/openshift/client-go/route/clientset/versioned
 github.com/openshift/client-go/route/clientset/versioned/scheme
 github.com/openshift/client-go/route/clientset/versioned/typed/route/v1
-# github.com/openshift/library-go v0.0.0-20210609150209-1c980926414c
+# github.com/openshift/library-go v0.0.0-20210611094144-35c8a075e255
 ## explicit
 github.com/openshift/library-go/pkg/assets
 github.com/openshift/library-go/pkg/authorization/hardcodedauthorizer