Browse Source

Properly attach secrets-encrypt events to the node resource

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
pull/5332/head v1.23.5-rc2+k3s1
Brad Davidson 3 years ago committed by Brad Davidson
parent
commit
d25ae8fbc2
  1. 39
      pkg/secretsencrypt/controller.go

39
pkg/secretsencrypt/controller.go

@ -13,7 +13,7 @@ import (
corev1 "k8s.io/api/core/v1" corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/types"
"k8s.io/client-go/kubernetes" "k8s.io/client-go/kubernetes"
"k8s.io/client-go/tools/pager" "k8s.io/client-go/tools/pager"
"k8s.io/client-go/tools/record" "k8s.io/client-go/tools/record"
@ -65,8 +65,17 @@ func (h *handler) onChangeNode(key string, node *corev1.Node) (*corev1.Node, err
return node, nil return node, nil
} }
// This is consistent with events attached to the node generated by the kubelet
// https://github.com/kubernetes/kubernetes/blob/612130dd2f4188db839ea5c2dea07a96b0ad8d1c/pkg/kubelet/kubelet.go#L479-L485
nodeRef := &corev1.ObjectReference{
Kind: "Node",
Name: node.Name,
UID: types.UID(node.Name),
Namespace: "",
}
if valid, err := h.validateReencryptStage(node, ann); err != nil { if valid, err := h.validateReencryptStage(node, ann); err != nil {
h.recorder.Event(node, corev1.EventTypeWarning, secretsUpdateErrorEvent, err.Error()) h.recorder.Event(nodeRef, corev1.EventTypeWarning, secretsUpdateErrorEvent, err.Error())
return node, err return node, err
} else if !valid { } else if !valid {
return node, nil return node, nil
@ -74,19 +83,19 @@ func (h *handler) onChangeNode(key string, node *corev1.Node) (*corev1.Node, err
reencryptHash, err := GenReencryptHash(h.controlConfig.Runtime, EncryptionReencryptActive) reencryptHash, err := GenReencryptHash(h.controlConfig.Runtime, EncryptionReencryptActive)
if err != nil { if err != nil {
h.recorder.Event(node, corev1.EventTypeWarning, secretsUpdateErrorEvent, err.Error()) h.recorder.Event(nodeRef, corev1.EventTypeWarning, secretsUpdateErrorEvent, err.Error())
return node, err return node, err
} }
ann = EncryptionReencryptActive + "-" + reencryptHash ann = EncryptionReencryptActive + "-" + reencryptHash
node.Annotations[EncryptionHashAnnotation] = ann node.Annotations[EncryptionHashAnnotation] = ann
node, err = h.nodes.Update(node) node, err = h.nodes.Update(node)
if err != nil { if err != nil {
h.recorder.Event(node, corev1.EventTypeWarning, secretsUpdateErrorEvent, err.Error()) h.recorder.Event(nodeRef, corev1.EventTypeWarning, secretsUpdateErrorEvent, err.Error())
return node, err return node, err
} }
if err := h.updateSecrets(node); err != nil { if err := h.updateSecrets(node); err != nil {
h.recorder.Event(node, corev1.EventTypeWarning, secretsUpdateErrorEvent, err.Error()) h.recorder.Event(nodeRef, corev1.EventTypeWarning, secretsUpdateErrorEvent, err.Error())
return node, err return node, err
} }
@ -102,26 +111,26 @@ func (h *handler) onChangeNode(key string, node *corev1.Node) (*corev1.Node, err
// Remove last key // Remove last key
curKeys, err := GetEncryptionKeys(h.controlConfig.Runtime) curKeys, err := GetEncryptionKeys(h.controlConfig.Runtime)
if err != nil { if err != nil {
h.recorder.Event(node, corev1.EventTypeWarning, secretsUpdateErrorEvent, err.Error()) h.recorder.Event(nodeRef, corev1.EventTypeWarning, secretsUpdateErrorEvent, err.Error())
return node, err return node, err
} }
curKeys = curKeys[:len(curKeys)-1] curKeys = curKeys[:len(curKeys)-1]
if err = WriteEncryptionConfig(h.controlConfig.Runtime, curKeys, true); err != nil { if err = WriteEncryptionConfig(h.controlConfig.Runtime, curKeys, true); err != nil {
h.recorder.Event(node, corev1.EventTypeWarning, secretsUpdateErrorEvent, err.Error()) h.recorder.Event(nodeRef, corev1.EventTypeWarning, secretsUpdateErrorEvent, err.Error())
return node, err return node, err
} }
logrus.Infoln("Removed key: ", curKeys[len(curKeys)-1]) logrus.Infoln("Removed key: ", curKeys[len(curKeys)-1])
if err != nil { if err != nil {
h.recorder.Event(node, corev1.EventTypeWarning, secretsUpdateErrorEvent, err.Error()) h.recorder.Event(nodeRef, corev1.EventTypeWarning, secretsUpdateErrorEvent, err.Error())
return node, err return node, err
} }
if err := WriteEncryptionHashAnnotation(h.controlConfig.Runtime, node, EncryptionReencryptFinished); err != nil { if err := WriteEncryptionHashAnnotation(h.controlConfig.Runtime, node, EncryptionReencryptFinished); err != nil {
h.recorder.Event(node, corev1.EventTypeWarning, secretsUpdateErrorEvent, err.Error()) h.recorder.Event(nodeRef, corev1.EventTypeWarning, secretsUpdateErrorEvent, err.Error())
return node, err return node, err
} }
if err := cluster.Save(h.ctx, h.controlConfig, true); err != nil { if err := cluster.Save(h.ctx, h.controlConfig, true); err != nil {
h.recorder.Event(node, corev1.EventTypeWarning, secretsUpdateErrorEvent, err.Error()) h.recorder.Event(nodeRef, corev1.EventTypeWarning, secretsUpdateErrorEvent, err.Error())
return node, err return node, err
} }
return node, nil return node, nil
@ -175,6 +184,12 @@ func (h *handler) validateReencryptStage(node *corev1.Node, annotation string) (
} }
func (h *handler) updateSecrets(node *corev1.Node) error { func (h *handler) updateSecrets(node *corev1.Node) error {
nodeRef := &corev1.ObjectReference{
Kind: "Node",
Name: node.Name,
UID: types.UID(node.Name),
Namespace: "",
}
secretPager := pager.New(pager.SimplePageFunc(func(opts metav1.ListOptions) (runtime.Object, error) { secretPager := pager.New(pager.SimplePageFunc(func(opts metav1.ListOptions) (runtime.Object, error) {
return h.secrets.List("", opts) return h.secrets.List("", opts)
})) }))
@ -185,12 +200,12 @@ func (h *handler) updateSecrets(node *corev1.Node) error {
return fmt.Errorf("failed to reencrypted secret: %v", err) return fmt.Errorf("failed to reencrypted secret: %v", err)
} }
if i != 0 && i%10 == 0 { if i != 0 && i%10 == 0 {
h.recorder.Eventf(node, corev1.EventTypeNormal, secretsProgressEvent, "reencrypted %d secrets", i) h.recorder.Eventf(nodeRef, corev1.EventTypeNormal, secretsProgressEvent, "reencrypted %d secrets", i)
} }
i++ i++
} }
return nil return nil
}) })
h.recorder.Eventf(node, corev1.EventTypeNormal, secretsUpdateCompleteEvent, "completed reencrypt of %d secrets", i) h.recorder.Eventf(nodeRef, corev1.EventTypeNormal, secretsUpdateCompleteEvent, "completed reencrypt of %d secrets", i)
return nil return nil
} }

Loading…
Cancel
Save