Add Secrets Encryption to CriticalArgs (#6409)

* Add EncryptSecrets to Critical Control Args
* use deep comparison to extract differences

Signed-off-by: Derek Nola <derek.nola@suse.com>

Signed-off-by: Derek Nola <derek.nola@suse.com>
Derek Nola 2022-11-04 10:35:29 -07:00 committed by GitHub
parent 861f8ed8f8
commit 13c633da12
5 changed files with 39 additions and 29 deletions

go.mod

@ -80,6 +80,7 @@ require (
github.com/flannel-io/flannel v0.20.1 github.com/flannel-io/flannel v0.20.1
github.com/go-bindata/go-bindata v3.1.2+incompatible github.com/go-bindata/go-bindata v3.1.2+incompatible
github.com/go-sql-driver/mysql v1.6.0 github.com/go-sql-driver/mysql v1.6.0
github.com/go-test/deep v1.0.7
github.com/google/cadvisor v0.45.0 github.com/google/cadvisor v0.45.0
github.com/google/uuid v1.3.0 github.com/google/uuid v1.3.0
github.com/gorilla/mux v1.8.0 github.com/gorilla/mux v1.8.0


@ -8,7 +8,7 @@ set -e
# #
# Example: # Example:
# Installing a server without traefik: # Installing a server without traefik:
# curl ... | INSTALL_K3S_EXEC="--no-deploy=traefik" sh - # curl ... | INSTALL_K3S_EXEC="--disable=traefik" sh -
# Installing an agent to point at a server: # Installing an agent to point at a server:
# curl ... | K3S_TOKEN=xxx K3S_URL=https://server-url:6443 sh - # curl ... | K3S_TOKEN=xxx K3S_URL=https://server-url:6443 sh -
# #
@ -66,11 +66,11 @@ set -e
# of EXEC and script args ($@). # of EXEC and script args ($@).
# #
# The following commands result in the same behavior: # The following commands result in the same behavior:
# curl ... | INSTALL_K3S_EXEC="--no-deploy=traefik" sh -s - # curl ... | INSTALL_K3S_EXEC="--disable=traefik" sh -s -
# curl ... | INSTALL_K3S_EXEC="server --no-deploy=traefik" sh -s - # curl ... | INSTALL_K3S_EXEC="server --disable=traefik" sh -s -
# curl ... | INSTALL_K3S_EXEC="server" sh -s - --no-deploy=traefik # curl ... | INSTALL_K3S_EXEC="server" sh -s - --disable=traefik
# curl ... | sh -s - server --no-deploy=traefik # curl ... | sh -s - server --disable=traefik
# curl ... | sh -s - --no-deploy=traefik # curl ... | sh -s - --disable=traefik
# #
# - INSTALL_K3S_NAME # - INSTALL_K3S_NAME
# Name of systemd service to create, will default from the k3s exec command # Name of systemd service to create, will default from the k3s exec command


@ -14,6 +14,7 @@ import (
"strings" "strings"
"time" "time"
"github.com/go-test/deep"
"github.com/k3s-io/k3s/pkg/bootstrap" "github.com/k3s-io/k3s/pkg/bootstrap"
"github.com/k3s-io/k3s/pkg/clientaccess" "github.com/k3s-io/k3s/pkg/clientaccess"
"github.com/k3s-io/k3s/pkg/daemons/config" "github.com/k3s-io/k3s/pkg/daemons/config"
@ -475,10 +476,18 @@ func (c *Cluster) compareConfig() error {
clusterControl.CriticalControlArgs.EgressSelectorMode = c.config.CriticalControlArgs.EgressSelectorMode clusterControl.CriticalControlArgs.EgressSelectorMode = c.config.CriticalControlArgs.EgressSelectorMode
} }
if !reflect.DeepEqual(clusterControl.CriticalControlArgs, c.config.CriticalControlArgs) { if diff := deep.Equal(c.config.CriticalControlArgs, clusterControl.CriticalControlArgs); diff != nil {
logrus.Debugf("This is the server CriticalControlArgs: %#v", clusterControl.CriticalControlArgs) rc := reflect.ValueOf(clusterControl.CriticalControlArgs).Type()
logrus.Debugf("This is the local CriticalControlArgs: %#v", c.config.CriticalControlArgs) for _, d := range diff {
return errors.New("critical configuration value mismatch") field := strings.Split(d, ":")[0]
v, _ := rc.FieldByName(field)
if cliTag, found := v.Tag.Lookup("cli"); found {
logrus.Warnf("critical configuration mismatched: %s", cliTag)
} else {
logrus.Warnf("critical configuration mismatched: %s", field)
}
}
return errors.New("critical configuration value mismatch between servers")
} }
return nil return nil
} }
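Review bot: The field name derived at `field := strings.Split(d, ":")[0]` is a bare struct field name only for scalar fields; go-test/deep reports nested differences with a dotted path (for the slice and pointer members here something like `ClusterIPRanges.slice[0]` or `ClusterIPRange.IP` — confirm against the library's format), so for those fields `rc.FieldByName(field)` fails, the discarded second return value hides that, and the warning falls back to the raw path instead of the `cli` flag the tag was added for. Cut at the first `.` as well and check the lookup result, e.g. `field, _, _ := strings.Cut(strings.Split(d, ":")[0], ".")` followed by `if f, ok := rc.FieldByName(field); ok && f.Tag.Get("cli") != "" {` (use `strings.SplitN` if the module is below Go 1.18). Note also that `deep.Equal` stops after `deep.MaxDiff` entries (10 by default), so a heavily divergent server will only have its first ten mismatches named in the warnings. Dropping the old `%#v` dumps is reasonable, since the warnings now name only flags and never print the joining server's values; compareConfig's body begins before this hunk.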


@ -126,23 +126,24 @@ type Agent struct {
} }
// CriticalControlArgs contains parameters that all control plane nodes in HA must share // CriticalControlArgs contains parameters that all control plane nodes in HA must share
// The cli tag is used to provide better error information to the user on mismatch
type CriticalControlArgs struct { type CriticalControlArgs struct {
ClusterDNSs []net.IP ClusterDNSs []net.IP `cli:"cluster-dns"`
ClusterIPRanges []*net.IPNet ClusterIPRanges []*net.IPNet `cli:"cluster-cidr"`
ClusterDNS net.IP ClusterDNS net.IP `cli:"cluster-dns"`
ClusterDomain string ClusterDomain string `cli:"cluster-domain"`
ClusterIPRange *net.IPNet ClusterIPRange *net.IPNet `cli:"cluster-cidr"`
DisableCCM bool DisableCCM bool `cli:"disable-cloud-controller"`
DisableHelmController bool DisableHelmController bool `cli:"disable-helm-controller"`
DisableNPC bool DisableNPC bool `cli:"disable-network-policy"`
DisableServiceLB bool DisableServiceLB bool `cli:"disable-service-lb"`
FlannelBackend string EncryptSecrets bool `cli:"secrets-encryption"`
FlannelIPv6Masq bool FlannelBackend string `cli:"flannel-backend"`
FlannelExternalIP bool FlannelIPv6Masq bool `cli:"flannel-ipv6-masq"`
EgressSelectorMode string FlannelExternalIP bool `cli:"flannel-external-ip"`
NoCoreDNS bool EgressSelectorMode string `cli:"egress-selector-mode"`
ServiceIPRange *net.IPNet ServiceIPRange *net.IPNet `cli:"service-cidr"`
ServiceIPRanges []*net.IPNet ServiceIPRanges []*net.IPNet `cli:"service-cidr"`
} }
type Control struct { type Control struct {
@ -187,7 +188,6 @@ type Control struct {
ClusterInit bool ClusterInit bool
ClusterReset bool ClusterReset bool
ClusterResetRestorePath string ClusterResetRestorePath string
EncryptSecrets bool
EncryptForce bool EncryptForce bool
EncryptSkip bool EncryptSkip bool
TLSMinVersion uint16 TLSMinVersion uint16
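Review bot: `NoCoreDNS bool` is removed from CriticalControlArgs in the first hunk (old side, between EgressSelectorMode and ServiceIPRange) while the title and description only mention adding EncryptSecrets; if that field is still populated from a flag elsewhere, an HA server can now join with a different CoreDNS setting without tripping the mismatch error, and if it is dead code the commit message should say so. The security reason for the new field deserves a line on it, hedged until confirmed: `EncryptSecrets bool \`cli:"secrets-encryption"\` // must agree across servers; presumably a server with a different encryption setting cannot read (or would store in plaintext) secrets written by its peers — confirm`. Two fields carry the same tag (`ClusterDNS`/`ClusterDNSs` → `cluster-dns`, `ClusterIPRange`/`ClusterIPRanges` → `cluster-cidr`, likewise `service-cidr`), so a single flag mismatch will be warned about twice by the comparison loop; a short comment above the struct noting that duplicate tags are expected would save the next reader a detour. The Control struct continues past the end of this hunk.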


@ -28,11 +28,11 @@ write_files:
if [ ${db_engine} == "embedded-etcd" ]; then if [ ${db_engine} == "embedded-etcd" ]; then
curl -sfL https://get.k3s.io | K3S_CLUSTER_SECRET="${k3s_cluster_secret}" \ curl -sfL https://get.k3s.io | K3S_CLUSTER_SECRET="${k3s_cluster_secret}" \
INSTALL_K3S_VERSION="${install_k3s_version}" \ INSTALL_K3S_VERSION="${install_k3s_version}" \
INSTALL_K3S_EXEC="${k3s_server_args} --cluster-cidr=10.0.0.0/8 --no-deploy traefik --no-deploy servicelb --tls-san ${lb_address} %{ if master_index != 0 } --server https://${lb_address}:6443 %{ else } --cluster-init %{ endif }" sh - INSTALL_K3S_EXEC="${k3s_server_args} --cluster-cidr=10.0.0.0/8 --disable traefik --disable servicelb --tls-san ${lb_address} %{ if master_index != 0 } --server https://${lb_address}:6443 %{ else } --cluster-init %{ endif }" sh -
else else
curl -sfL https://get.k3s.io | K3S_CLUSTER_SECRET="${k3s_cluster_secret}" \ curl -sfL https://get.k3s.io | K3S_CLUSTER_SECRET="${k3s_cluster_secret}" \
INSTALL_K3S_VERSION="${install_k3s_version}" \ INSTALL_K3S_VERSION="${install_k3s_version}" \
INSTALL_K3S_EXEC="${k3s_server_args} --cluster-cidr=10.0.0.0/8 --no-deploy traefik --no-deploy servicelb --tls-san ${lb_address} %{ if use_ha == "true" } --datastore-endpoint=$STORAGE_ENDPOINT %{ endif }" sh - INSTALL_K3S_EXEC="${k3s_server_args} --cluster-cidr=10.0.0.0/8 --disable traefik --disable servicelb --tls-san ${lb_address} %{ if use_ha == "true" } --datastore-endpoint=$STORAGE_ENDPOINT %{ endif }" sh -
fi fi
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
break break