Skip to content

Commit

Permalink
Revert "Ensure unique VPN tlsauth secrets for different tlsauth keys"
Browse files Browse the repository at this point in the history
This reverts commit a205370.
  • Loading branch information
LucaBernstein committed Nov 7, 2024
1 parent 518b3f0 commit 5d7d141
Show file tree
Hide file tree
Showing 8 changed files with 12 additions and 83 deletions.
6 changes: 0 additions & 6 deletions .gitguardian.yaml

This file was deleted.

6 changes: 3 additions & 3 deletions pkg/component/kubernetes/apiserver/apiserver_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -100,7 +100,7 @@ var _ = Describe("KubeAPIServer", func() {
secretNameServiceAccountKey = "service-account-key-c37a87f6"
secretNameServiceAccountKeyBundle = "service-account-key-bundle"
secretNameVPNSeedClient = "vpn-seed-client"
secretNameVPNSeedServerTLSAuth = "vpn-seed-server-tlsauth-a1d0aa00-2a3206b8"
secretNameVPNSeedServerTLSAuth = "vpn-seed-server-tlsauth-a1d0aa00"

configMapNameAdmissionConfigs = "kube-apiserver-admission-config-e38ff146"
secretNameAdmissionKubeconfigs = "kube-apiserver-admission-kubeconfigs-e3b0c442"
Expand Down Expand Up @@ -2851,7 +2851,7 @@ kind: AuthorizationConfiguration
Expect(deployment.Annotations).To(Equal(utils.MergeStringMaps(defaultAnnotations, map[string]string{
"reference.resources.gardener.cloud/secret-8ddd8e24": secretNameCAVPN,
"reference.resources.gardener.cloud/secret-a41fe9a3": secretNameVPNSeedClient,
"reference.resources.gardener.cloud/secret-065be996": secretNameVPNSeedServerTLSAuth,
"reference.resources.gardener.cloud/secret-facfe649": secretNameVPNSeedServerTLSAuth,
"reference.resources.gardener.cloud/configmap-a9a818ab": "kube-root-ca.crt",
})))
})
Expand Down Expand Up @@ -3040,7 +3040,7 @@ kind: AuthorizationConfiguration
Expect(deployment.Spec.Template.Annotations).To(Equal(utils.MergeStringMaps(defaultAnnotations, map[string]string{
"reference.resources.gardener.cloud/secret-8ddd8e24": secretNameCAVPN,
"reference.resources.gardener.cloud/secret-a41fe9a3": secretNameVPNSeedClient,
"reference.resources.gardener.cloud/secret-065be996": secretNameVPNSeedServerTLSAuth,
"reference.resources.gardener.cloud/secret-facfe649": secretNameVPNSeedServerTLSAuth,
"reference.resources.gardener.cloud/configmap-a9a818ab": "kube-root-ca.crt",
})))
})
Expand Down
6 changes: 4 additions & 2 deletions pkg/component/kubernetes/apiserver/secrets.go
Original file line number Diff line number Diff line change
Expand Up @@ -21,10 +21,10 @@ import (
gardencorev1beta1 "github.com/gardener/gardener/pkg/apis/core/v1beta1"
v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants"
"github.com/gardener/gardener/pkg/component/apiserver"
vpnseedserver "github.com/gardener/gardener/pkg/component/networking/vpn/seedserver"
kubernetesutils "github.com/gardener/gardener/pkg/utils/kubernetes"
secretsutils "github.com/gardener/gardener/pkg/utils/secrets"
secretsmanager "github.com/gardener/gardener/pkg/utils/secrets/manager"
"github.com/gardener/gardener/pkg/utils/secrets/vpntlsauth"
versionutils "github.com/gardener/gardener/pkg/utils/version"
)

Expand Down Expand Up @@ -227,7 +227,9 @@ func (k *kubeAPIServer) reconcileSecretHAVPNSeedClientTLSAuth(ctx context.Contex
return nil, nil
}

return vpntlsauth.GenerateSecret(ctx, k.secretsManager)
return k.secretsManager.Generate(ctx, &secretsutils.VPNTLSAuthConfig{
Name: vpnseedserver.SecretNameTLSAuth,
}, secretsmanager.Rotate(secretsmanager.InPlace))
}

type tlsSNISecret struct {
Expand Down
7 changes: 4 additions & 3 deletions pkg/component/networking/vpn/seedserver/seedserver.go
Original file line number Diff line number Diff line change
Expand Up @@ -48,14 +48,13 @@ import (
kubernetesutils "github.com/gardener/gardener/pkg/utils/kubernetes"
secretsutils "github.com/gardener/gardener/pkg/utils/secrets"
secretsmanager "github.com/gardener/gardener/pkg/utils/secrets/manager"
"github.com/gardener/gardener/pkg/utils/secrets/vpntlsauth"
)

const (
// GatewayPort is the port exposed by the istio ingress gateway
GatewayPort = 8132
// SecretNameTLSAuth is the name of seed server tlsauth Secret.
SecretNameTLSAuth = vpntlsauth.SecretNameTLSAuth
SecretNameTLSAuth = "vpn-seed-server-tlsauth" // #nosec G101 -- No credential.
deploymentName = v1beta1constants.DeploymentNameVPNSeedServer
// ServiceName is the name of the vpn seed server service running internally on the control plane in seed.
ServiceName = deploymentName
Expand Down Expand Up @@ -200,7 +199,9 @@ func (v *vpnSeedServer) Deploy(ctx context.Context) error {
return err
}

secretTLSAuth, err := vpntlsauth.GenerateSecret(ctx, v.secretsManager)
secretTLSAuth, err := v.secretsManager.Generate(ctx, &secretsutils.VPNTLSAuthConfig{
Name: SecretNameTLSAuth,
}, secretsmanager.Rotate(secretsmanager.InPlace))
if err != nil {
return err
}
Expand Down
2 changes: 1 addition & 1 deletion pkg/component/networking/vpn/seedserver/seedserver_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,7 @@ var _ = Describe("VpnSeedServer", func() {
controlledValues = vpaautoscalingv1.ContainerControlledValuesRequestsOnly
namespaceUID = types.UID("123456")

secretNameTLSAuth = "vpn-seed-server-tlsauth-a1d0aa00-2a3206b8"
secretNameTLSAuth = "vpn-seed-server-tlsauth-a1d0aa00"

listenAddress = "0.0.0.0"
listenAddressV6 = "::"
Expand Down
66 changes: 0 additions & 66 deletions pkg/utils/secrets/vpntlsauth/vpn_tlsauth.go

This file was deleted.

1 change: 0 additions & 1 deletion skaffold-operator.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -304,7 +304,6 @@ build:
- pkg/utils/retry
- pkg/utils/secrets
- pkg/utils/secrets/manager
- pkg/utils/secrets/vpntlsauth
- pkg/utils/timewindow
- pkg/utils/validation/admissionplugins
- pkg/utils/validation/apigroups
Expand Down
1 change: 0 additions & 1 deletion skaffold.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -1280,7 +1280,6 @@ build:
- pkg/utils/retry
- pkg/utils/secrets
- pkg/utils/secrets/manager
- pkg/utils/secrets/vpntlsauth
- pkg/utils/time
- pkg/utils/timewindow
- pkg/utils/validation/admissionplugins
Expand Down

0 comments on commit 5d7d141

Please sign in to comment.