Review comments and fixes
Signed-off-by: Derek Nola <derek.nola@suse.com>
parent
42c2ac95e2
commit
51f1a5a0ab
1
main.go
1
main.go
@ -45,6 +45,7 @@ func main() {
|
||||
secretsencrypt.Prepare,
|
||||
secretsencrypt.Rotate,
|
||||
secretsencrypt.Reencrypt,
|
||||
secretsencrypt.RotateKeys,
|
||||
),
|
||||
cmds.NewCertCommand(
|
||||
cmds.NewCertSubcommands(
|
||||
|
@ -86,7 +86,7 @@ func NewSecretsEncryptCommands(status, enable, disable, prepare, rotate, reencry
|
||||
},
|
||||
{
|
||||
Name: "rotate-keys",
|
||||
Usage: "Add, rotate and rencryption with a new encryption key",
|
||||
Usage: "(experimental) Dynamically add a new secrets encryption key and re-encrypt secrets",
|
||||
SkipArgReorder: true,
|
||||
Action: rotateKeys,
|
||||
Flags: EncryptFlags,
|
||||
|
@ -20,7 +20,7 @@ import (
|
||||
"k8s.io/utils/pointer"
|
||||
)
|
||||
|
||||
func commandPrep(app *cli.Context, cfg *cmds.Server) (*clientaccess.Info, error) {
|
||||
func commandPrep(cfg *cmds.Server) (*clientaccess.Info, error) {
|
||||
// hide process arguments from ps output, since they may contain
|
||||
// database credentials or other secrets.
|
||||
gspt.SetProcTitle(os.Args[0] + " secrets-encrypt")
|
||||
@ -46,11 +46,10 @@ func wrapServerError(err error) error {
|
||||
}
|
||||
|
||||
func Enable(app *cli.Context) error {
|
||||
var err error
|
||||
if err = cmds.InitLogging(); err != nil {
|
||||
if err := cmds.InitLogging(); err != nil {
|
||||
return err
|
||||
}
|
||||
info, err := commandPrep(app, &cmds.ServerConfig)
|
||||
info, err := commandPrep(&cmds.ServerConfig)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@ -70,7 +69,7 @@ func Disable(app *cli.Context) error {
|
||||
if err := cmds.InitLogging(); err != nil {
|
||||
return err
|
||||
}
|
||||
info, err := commandPrep(app, &cmds.ServerConfig)
|
||||
info, err := commandPrep(&cmds.ServerConfig)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@ -89,7 +88,7 @@ func Status(app *cli.Context) error {
|
||||
if err := cmds.InitLogging(); err != nil {
|
||||
return err
|
||||
}
|
||||
info, err := commandPrep(app, &cmds.ServerConfig)
|
||||
info, err := commandPrep(&cmds.ServerConfig)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@ -147,11 +146,10 @@ func Status(app *cli.Context) error {
|
||||
}
|
||||
|
||||
func Prepare(app *cli.Context) error {
|
||||
var err error
|
||||
if err = cmds.InitLogging(); err != nil {
|
||||
if err := cmds.InitLogging(); err != nil {
|
||||
return err
|
||||
}
|
||||
info, err := commandPrep(app, &cmds.ServerConfig)
|
||||
info, err := commandPrep(&cmds.ServerConfig)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@ -173,7 +171,7 @@ func Rotate(app *cli.Context) error {
|
||||
if err := cmds.InitLogging(); err != nil {
|
||||
return err
|
||||
}
|
||||
info, err := commandPrep(app, &cmds.ServerConfig)
|
||||
info, err := commandPrep(&cmds.ServerConfig)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@ -192,11 +190,10 @@ func Rotate(app *cli.Context) error {
|
||||
}
|
||||
|
||||
func Reencrypt(app *cli.Context) error {
|
||||
var err error
|
||||
if err = cmds.InitLogging(); err != nil {
|
||||
if err := cmds.InitLogging(); err != nil {
|
||||
return err
|
||||
}
|
||||
info, err := commandPrep(app, &cmds.ServerConfig)
|
||||
info, err := commandPrep(&cmds.ServerConfig)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@ -216,11 +213,10 @@ func Reencrypt(app *cli.Context) error {
|
||||
}
|
||||
|
||||
func RotateKeys(app *cli.Context) error {
|
||||
var err error
|
||||
if err = cmds.InitLogging(); err != nil {
|
||||
if err := cmds.InitLogging(); err != nil {
|
||||
return err
|
||||
}
|
||||
info, err := commandPrep(app, &cmds.ServerConfig)
|
||||
info, err := commandPrep(&cmds.ServerConfig)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@ -233,6 +229,6 @@ func RotateKeys(app *cli.Context) error {
|
||||
if err = info.Put("/v1-"+version.Program+"/encrypt/config", b); err != nil {
|
||||
return wrapServerError(err)
|
||||
}
|
||||
fmt.Println("keys rotated, rencryption started")
|
||||
fmt.Println("keys rotated, reencryption started")
|
||||
return nil
|
||||
}
|
||||
|
@ -17,7 +17,6 @@ import (
|
||||
"github.com/k3s-io/k3s/pkg/daemons/config"
|
||||
"github.com/k3s-io/k3s/pkg/secretsencrypt"
|
||||
"github.com/k3s-io/k3s/pkg/util"
|
||||
"github.com/k3s-io/k3s/pkg/version"
|
||||
"github.com/rancher/wrangler/pkg/generated/controllers/core"
|
||||
"github.com/sirupsen/logrus"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
@ -140,9 +139,6 @@ func encryptionEnable(ctx context.Context, server *config.Control, enable bool)
|
||||
logrus.Infoln("Secrets encryption already disabled")
|
||||
return nil
|
||||
} else if providers[0].Identity != nil && providers[1].AESCBC != nil && enable {
|
||||
if nodeArgs := getNodeArgs(server); !strings.Contains(nodeArgs, "secrets-encryption") {
|
||||
return fmt.Errorf("secrets encryption cannot be enabled without first starting the server with --secrets-encryption flag")
|
||||
}
|
||||
logrus.Infoln("Enabling secrets encryption")
|
||||
if err := secretsencrypt.WriteEncryptionConfig(server.Runtime, curKeys, enable); err != nil {
|
||||
return err
|
||||
@ -160,15 +156,6 @@ func encryptionEnable(ctx context.Context, server *config.Control, enable bool)
|
||||
return setReencryptAnnotation(server)
|
||||
}
|
||||
|
||||
func getNodeArgs(server *config.Control) string {
|
||||
nodeName := os.Getenv("NODE_NAME")
|
||||
node, err := server.Runtime.Core.Core().V1().Node().Get(nodeName, metav1.GetOptions{})
|
||||
if err != nil {
|
||||
return ""
|
||||
}
|
||||
return node.Annotations[version.Program+".io/node-args"]
|
||||
}
|
||||
|
||||
func encryptionConfigHandler(ctx context.Context, server *config.Control) http.Handler {
|
||||
return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
|
||||
if req.TLS == nil {
|
||||
@ -245,7 +232,6 @@ func encryptionPrepare(ctx context.Context, server *config.Control, force bool)
|
||||
}
|
||||
|
||||
func encryptionRotate(ctx context.Context, server *config.Control, force bool) error {
|
||||
|
||||
if err := verifyEncryptionHashAnnotation(server.Runtime, server.Runtime.Core.Core(), secretsencrypt.EncryptionPrepare); err != nil && !force {
|
||||
return err
|
||||
}
|
||||
@ -274,7 +260,6 @@ func encryptionRotate(ctx context.Context, server *config.Control, force bool) e
|
||||
}
|
||||
|
||||
func encryptionReencrypt(ctx context.Context, server *config.Control, force bool, skip bool) error {
|
||||
|
||||
if err := verifyEncryptionHashAnnotation(server.Runtime, server.Runtime.Core.Core(), secretsencrypt.EncryptionRotate); err != nil && !force {
|
||||
return err
|
||||
}
|
||||
@ -300,7 +285,6 @@ func encryptionReencrypt(ctx context.Context, server *config.Control, force bool
|
||||
}
|
||||
|
||||
func addAndRotateKeys(server *config.Control) error {
|
||||
|
||||
curKeys, err := secretsencrypt.GetEncryptionKeys(server.Runtime)
|
||||
if err != nil {
|
||||
return err
|
||||
@ -357,7 +341,6 @@ func setReencryptAnnotation(server *config.Control) error {
|
||||
}
|
||||
|
||||
func AppendNewEncryptionKey(keys *[]apiserverconfigv1.Key) error {
|
||||
|
||||
aescbcKey := make([]byte, aescbcKeySize)
|
||||
_, err := rand.Read(aescbcKey)
|
||||
if err != nil {
|
||||
|
@ -47,6 +47,7 @@ func AtomicWrite(fileName string, data []byte, perm os.FileMode) error {
|
||||
return err
|
||||
}
|
||||
tmpName := f.Name()
|
||||
defer os.Remove(tmpName)
|
||||
if _, err := f.Write(data); err != nil {
|
||||
f.Close()
|
||||
return err
|
||||
|