New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CNV-33847: KubeVirt: create the etcd encryption key secret, if missing #3148
Conversation
4cd9993
to
7a8af5d
Compare
/test e2e-aws |
7a8af5d
to
180c1da
Compare
// make sure there is an encryption key secret for etcd | ||
if hc.Spec.SecretEncryption == nil { | ||
etcdEnc, err := getOrCreateETCDEncKey(ctx, r.Client, hc) | ||
if err != nil { | ||
return err | ||
} | ||
|
||
hc.Spec.SecretEncryption = &hyperv1.SecretEncryptionSpec{ | ||
Type: hyperv1.AESCBC, | ||
AESCBC: &hyperv1.AESCBCSpec{ | ||
ActiveKey: corev1.LocalObjectReference{ | ||
Name: etcdEnc.Name, | ||
}, | ||
}, | ||
} | ||
} else if hc.Spec.SecretEncryption.Type == hyperv1.AESCBC { | ||
etcdEnc, err := getOrCreateETCDEncKey(ctx, r.Client, hc) | ||
|
||
if err != nil { | ||
return err | ||
} | ||
|
||
if hc.Spec.SecretEncryption.AESCBC != nil { | ||
hc.Spec.SecretEncryption.AESCBC = &hyperv1.AESCBCSpec{} | ||
} | ||
|
||
if len(hc.Spec.SecretEncryption.AESCBC.ActiveKey.Name) == 0 { | ||
hc.Spec.SecretEncryption.AESCBC.ActiveKey.Name = etcdEnc.Name | ||
} | ||
} else { | ||
log.Error(fmt.Errorf("wrong encryption key type %s", hc.Spec.SecretEncryption.Type), "") | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think much of this logic could be simplified using the createOrUpdate function. Below is a skeleton of how that might look along with some suggestions about things we should look out for when generating the secret
if hc.Spec.SecretEncryption == nil ||
hc.Spec.SecretEncryption.Type == "" ||
(hc.Spec.SecretEncryption.Type == hyperv1.AESCBC && hc.Spec.SecretEncryption.AESCBC == nil) {
### Maybe add this function to hypershift-operator/controllers/manifests/manifests.go to be consistent with how other objects are created for hosted cluster?
secret := manifests.GeneratedAESCBCSecret(hc.Namespace, hc.Name)
### use createOrUpdate function to handle the case where the secret was already created but we failed to apply the hostedCluster.spec change the first go around>
if _, err := createOrUpdate(ctx, r.Client, secret, func() error {
### don't override existing key just in case something weird happened >
_, exists := secret.Data[hyperv1.AESCBCKeySecretKey]
if exists {
return nil
}
### If we generated the secret, then the secret needs to be cleaned up automatically when the HostedCluster is deleted>
ownerRef := config.OwnerRefFrom(hc)
ownerRef.ApplyTo(secret)
### generate key and add to the secret's data
return nil
}); err != nil {
return fmt.Errorf("failed to generate ETCD SecretEncryption key for KubeVirt platform HostedCluster: %w", err)
}
### apply new secret reference to hosted cluster
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if hc.Spec.SecretEncryption == nil ||
hc.Spec.SecretEncryption.Type == "" ||
(hc.Spec.SecretEncryption.Type == hyperv1.AESCBC && hc.Spec.SecretEncryption.AESCBC == nil) {
### Maybe add this function to hypershift-operator/controllers/manifests/manifests.go to be consistent with how other objects are created for hosted cluster?
secret := manifests.GeneratedAESCBCSecret(hc.Namespace, hc.Name) // <<<< this is in a new etcd package, to be also used from api/fixtures. No code in api/fixtures uses manifests
### use createOrUpdate function to handle the case where the secret was already created but we failed to apply the hostedCluster.spec change the first go around>
if _, err := createOrUpdate(ctx, r.Client, secret, func() error {
### don't override existing key just in case something weird happened >
_, exists := secret.Data[hyperv1.AESCBCKeySecretKey] // not sure about this code. This is just created and we know the key was generated
if exists {
return nil
}
### If we generated the secret, then the secret needs to be cleaned up automatically when the HostedCluster is deleted>
ownerRef := config.OwnerRefFrom(hc)
ownerRef.ApplyTo(secret)
### generate key and add to the secret's data
return nil
}); err != nil {
return fmt.Errorf("failed to generate ETCD SecretEncryption key for KubeVirt platform HostedCluster: %w", err)
}
### apply new secret reference to hosted cluster
}
@nunnatsa: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
180c1da
to
c8a0c70
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nice! I just had one really minor comment about that log
object. other than that, this looks really good
@@ -4574,7 +4577,7 @@ func (r *HostedClusterReconciler) serviceAccountSigningKeyBytes(ctx context.Cont | |||
return privateKeyPEMBytes, publicKeyPEMBytes, nil | |||
} | |||
|
|||
func (r *HostedClusterReconciler) reconcileKubevirtPlatformDefaultSettings(ctx context.Context, hc *hyperv1.HostedCluster) error { | |||
func (r *HostedClusterReconciler) reconcileKubevirtPlatformDefaultSettings(ctx context.Context, hc *hyperv1.HostedCluster, createOrUpdate upsert.CreateOrUpdateFN, log logr.Logger) error { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is the log
used?
also, you can get the logger from the ctx i believe
log := ctrl.LoggerFrom(ctx)
To allow creating of KubeVirt hosted cluster using the hosted cluster API (rather than using the cli). When creating the hosted cluster using the cli, the cli also creates the secret. But when creating the hosted cluster using the hosted cluster API, the secret is not created. This PR changes hypershift so it now creates the etcd encryption key secret, if it is not already exist. Signed-off-by: Nahshon Unna-Tsameret <nunnatsa@redhat.com>
c8a0c70
to
e05a228
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: davidvossel, nunnatsa The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@nunnatsa: This pull request references CNV-33847 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.15.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
What this PR does / why we need it:
To allow creating of KubeVirt hosted cluster using the hosted cluster API (rather than using the cli).
When creating the hosted cluster using the cli, the cli also creates the secret. But when creating the hosted cluster using the hosted cluster API, the secret is not created.
This PR changes hypershift so it now creates the etcd encryption key secret, if it is not already exist.
Which issue(s) this PR fixes:
Fixes #CNV-33847
Checklist