Review comments and fixes

Signed-off-by: Derek Nola <derek.nola@suse.com>
1 year ago · 51f1a5a0ab
parent 42c2ac95e2
commit 51f1a5a0ab
5 changed files with 16 additions and 35 deletions
--- a/main.go
+++ b/main.go
@ -45,6 +45,7 @@ func main() {
 			secretsencrypt.Prepare,
 			secretsencrypt.Rotate,
 			secretsencrypt.Reencrypt,
+			secretsencrypt.RotateKeys,
 		),
 		cmds.NewCertCommand(
 			cmds.NewCertSubcommands(
--- a/pkg/cli/cmds/secrets_encrypt.go
+++ b/pkg/cli/cmds/secrets_encrypt.go
@ -86,7 +86,7 @@ func NewSecretsEncryptCommands(status, enable, disable, prepare, rotate, reencry
 			},
 			{
 				Name:           "rotate-keys",
-				Usage:          "Add, rotate and rencryption with a new encryption key",
+				Usage:          "(experimental) Dynamically add a new secrets encryption key and re-encrypt secrets",
 				SkipArgReorder: true,
 				Action:         rotateKeys,
 				Flags:          EncryptFlags,
--- a/pkg/cli/secretsencrypt/secrets_encrypt.go
+++ b/pkg/cli/secretsencrypt/secrets_encrypt.go
@ -20,7 +20,7 @@ import (
 	"k8s.io/utils/pointer"
 )

-func commandPrep(app *cli.Context, cfg *cmds.Server) (*clientaccess.Info, error) {
+func commandPrep(cfg *cmds.Server) (*clientaccess.Info, error) {
 	// hide process arguments from ps output, since they may contain
 	// database credentials or other secrets.
 	gspt.SetProcTitle(os.Args[0] + " secrets-encrypt")
@ -46,11 +46,10 @@ func wrapServerError(err error) error {
 }

 func Enable(app *cli.Context) error {
-	var err error
-	if err = cmds.InitLogging(); err != nil {
+	if err := cmds.InitLogging(); err != nil {
 		return err
 	}
-	info, err := commandPrep(app, &cmds.ServerConfig)
+	info, err := commandPrep(&cmds.ServerConfig)
 	if err != nil {
 		return err
 	}
@ -70,7 +69,7 @@ func Disable(app *cli.Context) error {
 	if err := cmds.InitLogging(); err != nil {
 		return err
 	}
-	info, err := commandPrep(app, &cmds.ServerConfig)
+	info, err := commandPrep(&cmds.ServerConfig)
 	if err != nil {
 		return err
 	}
@ -89,7 +88,7 @@ func Status(app *cli.Context) error {
 	if err := cmds.InitLogging(); err != nil {
 		return err
 	}
-	info, err := commandPrep(app, &cmds.ServerConfig)
+	info, err := commandPrep(&cmds.ServerConfig)
 	if err != nil {
 		return err
 	}
@ -147,11 +146,10 @@ func Status(app *cli.Context) error {
 }

 func Prepare(app *cli.Context) error {
-	var err error
-	if err = cmds.InitLogging(); err != nil {
+	if err := cmds.InitLogging(); err != nil {
 		return err
 	}
-	info, err := commandPrep(app, &cmds.ServerConfig)
+	info, err := commandPrep(&cmds.ServerConfig)
 	if err != nil {
 		return err
 	}
@ -173,7 +171,7 @@ func Rotate(app *cli.Context) error {
 	if err := cmds.InitLogging(); err != nil {
 		return err
 	}
-	info, err := commandPrep(app, &cmds.ServerConfig)
+	info, err := commandPrep(&cmds.ServerConfig)
 	if err != nil {
 		return err
 	}
@ -192,11 +190,10 @@ func Rotate(app *cli.Context) error {
 }

 func Reencrypt(app *cli.Context) error {
-	var err error
-	if err = cmds.InitLogging(); err != nil {
+	if err := cmds.InitLogging(); err != nil {
 		return err
 	}
-	info, err := commandPrep(app, &cmds.ServerConfig)
+	info, err := commandPrep(&cmds.ServerConfig)
 	if err != nil {
 		return err
 	}
@ -216,11 +213,10 @@ func Reencrypt(app *cli.Context) error {
 }

 func RotateKeys(app *cli.Context) error {
-	var err error
-	if err = cmds.InitLogging(); err != nil {
+	if err := cmds.InitLogging(); err != nil {
 		return err
 	}
-	info, err := commandPrep(app, &cmds.ServerConfig)
+	info, err := commandPrep(&cmds.ServerConfig)
 	if err != nil {
 		return err
 	}
@ -233,6 +229,6 @@ func RotateKeys(app *cli.Context) error {
 	if err = info.Put("/v1-"+version.Program+"/encrypt/config", b); err != nil {
 		return wrapServerError(err)
 	}
-	fmt.Println("keys rotated, rencryption started")
+	fmt.Println("keys rotated, reencryption started")
 	return nil
 }
--- a/pkg/server/secrets-encrypt.go
+++ b/pkg/server/secrets-encrypt.go
@ -17,7 +17,6 @@ import (
 	"github.com/k3s-io/k3s/pkg/daemons/config"
 	"github.com/k3s-io/k3s/pkg/secretsencrypt"
 	"github.com/k3s-io/k3s/pkg/util"
-	"github.com/k3s-io/k3s/pkg/version"
 	"github.com/rancher/wrangler/pkg/generated/controllers/core"
 	"github.com/sirupsen/logrus"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@ -140,9 +139,6 @@ func encryptionEnable(ctx context.Context, server *config.Control, enable bool)
 		logrus.Infoln("Secrets encryption already disabled")
 		return nil
 	} else if providers[0].Identity != nil && providers[1].AESCBC != nil && enable {
-		if nodeArgs := getNodeArgs(server); !strings.Contains(nodeArgs, "secrets-encryption") {
-			return fmt.Errorf("secrets encryption cannot be enabled without first starting the server with --secrets-encryption flag")
-		}
 		logrus.Infoln("Enabling secrets encryption")
 		if err := secretsencrypt.WriteEncryptionConfig(server.Runtime, curKeys, enable); err != nil {
 			return err
@ -160,15 +156,6 @@ func encryptionEnable(ctx context.Context, server *config.Control, enable bool)
 	return setReencryptAnnotation(server)
 }

-func getNodeArgs(server *config.Control) string {
-	nodeName := os.Getenv("NODE_NAME")
-	node, err := server.Runtime.Core.Core().V1().Node().Get(nodeName, metav1.GetOptions{})
-	if err != nil {
-		return ""
-	}
-	return node.Annotations[version.Program+".io/node-args"]
-}
-
 func encryptionConfigHandler(ctx context.Context, server *config.Control) http.Handler {
 	return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
 		if req.TLS == nil {
@ -245,7 +232,6 @@ func encryptionPrepare(ctx context.Context, server *config.Control, force bool)
 }

 func encryptionRotate(ctx context.Context, server *config.Control, force bool) error {
-
 	if err := verifyEncryptionHashAnnotation(server.Runtime, server.Runtime.Core.Core(), secretsencrypt.EncryptionPrepare); err != nil && !force {
 		return err
 	}
@ -274,7 +260,6 @@ func encryptionRotate(ctx context.Context, server *config.Control, force bool) e
 }

 func encryptionReencrypt(ctx context.Context, server *config.Control, force bool, skip bool) error {
-
 	if err := verifyEncryptionHashAnnotation(server.Runtime, server.Runtime.Core.Core(), secretsencrypt.EncryptionRotate); err != nil && !force {
 		return err
 	}
@ -300,7 +285,6 @@ func encryptionReencrypt(ctx context.Context, server *config.Control, force bool
 }

 func addAndRotateKeys(server *config.Control) error {
-
 	curKeys, err := secretsencrypt.GetEncryptionKeys(server.Runtime)
 	if err != nil {
 		return err
@ -357,7 +341,6 @@ func setReencryptAnnotation(server *config.Control) error {
 }

 func AppendNewEncryptionKey(keys *[]apiserverconfigv1.Key) error {
-
 	aescbcKey := make([]byte, aescbcKeySize)
 	_, err := rand.Read(aescbcKey)
 	if err != nil {
--- a/pkg/util/file.go
+++ b/pkg/util/file.go
@ -47,6 +47,7 @@ func AtomicWrite(fileName string, data []byte, perm os.FileMode) error {
 		return err
 	}
 	tmpName := f.Name()
+	defer os.Remove(tmpName)
 	if _, err := f.Write(data); err != nil {
 		f.Close()
 		return err