From 5d7d141a1846707e4e779e167fc9522823f443f8 Mon Sep 17 00:00:00 2001
From: Luca Bernstein
Date: Thu, 7 Nov 2024 14:47:00 +0100
Subject: [PATCH] Revert "Ensure unique VPN tlsauth secrets for different tlsauth keys"

This reverts commit a20537055ecac5af38ab99701d05f7b44a8ff9ab.
---
.gitguardian.yaml | 6 --
.../kubernetes/apiserver/apiserver_test.go | 6 +-
pkg/component/kubernetes/apiserver/secrets.go | 6 +-
.../networking/vpn/seedserver/seedserver.go | 7 +-
.../vpn/seedserver/seedserver_test.go | 2 +-
pkg/utils/secrets/vpntlsauth/vpn_tlsauth.go | 66 -------------------
skaffold-operator.yaml | 1 -
skaffold.yaml | 1 -
8 files changed, 12 insertions(+), 83 deletions(-)
delete mode 100644 .gitguardian.yaml
delete mode 100644 pkg/utils/secrets/vpntlsauth/vpn_tlsauth.go

diff --git a/.gitguardian.yaml b/.gitguardian.yaml
deleted file mode 100644
index 94689737760..00000000000
--- a/.gitguardian.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-version: 2
-
-secret:
- ignored_matches:
- - match: vpn-seed-server-tlsauth-a1d0aa00-2a3206b8
- name: it's a secret name only
diff --git a/pkg/component/kubernetes/apiserver/apiserver_test.go b/pkg/component/kubernetes/apiserver/apiserver_test.go
index aae45a86b5c..c802bd8dec6 100644
--- a/pkg/component/kubernetes/apiserver/apiserver_test.go
+++ b/pkg/component/kubernetes/apiserver/apiserver_test.go
@@ -100,7 +100,7 @@ var _ = Describe("KubeAPIServer", func() {
 secretNameServiceAccountKey = "service-account-key-c37a87f6"
 secretNameServiceAccountKeyBundle = "service-account-key-bundle"
 secretNameVPNSeedClient = "vpn-seed-client"
- secretNameVPNSeedServerTLSAuth = "vpn-seed-server-tlsauth-a1d0aa00-2a3206b8"
+ secretNameVPNSeedServerTLSAuth = "vpn-seed-server-tlsauth-a1d0aa00"
 configMapNameAdmissionConfigs = "kube-apiserver-admission-config-e38ff146"
 secretNameAdmissionKubeconfigs = "kube-apiserver-admission-kubeconfigs-e3b0c442"
@@ -2851,7 +2851,7 @@ kind: AuthorizationConfiguration
 Expect(deployment.Annotations).To(Equal(utils.MergeStringMaps(defaultAnnotations, map[string]string{
 "reference.resources.gardener.cloud/secret-8ddd8e24": secretNameCAVPN,
 "reference.resources.gardener.cloud/secret-a41fe9a3": secretNameVPNSeedClient,
- "reference.resources.gardener.cloud/secret-065be996": secretNameVPNSeedServerTLSAuth,
+ "reference.resources.gardener.cloud/secret-facfe649": secretNameVPNSeedServerTLSAuth,
 "reference.resources.gardener.cloud/configmap-a9a818ab": "kube-root-ca.crt",
 })))
 })
@@ -3040,7 +3040,7 @@ kind: AuthorizationConfiguration
 Expect(deployment.Spec.Template.Annotations).To(Equal(utils.MergeStringMaps(defaultAnnotations, map[string]string{
 "reference.resources.gardener.cloud/secret-8ddd8e24": secretNameCAVPN,
 "reference.resources.gardener.cloud/secret-a41fe9a3": secretNameVPNSeedClient,
- "reference.resources.gardener.cloud/secret-065be996": secretNameVPNSeedServerTLSAuth,
+ "reference.resources.gardener.cloud/secret-facfe649": secretNameVPNSeedServerTLSAuth,
 "reference.resources.gardener.cloud/configmap-a9a818ab": "kube-root-ca.crt",
 })))
 })
diff --git a/pkg/component/kubernetes/apiserver/secrets.go b/pkg/component/kubernetes/apiserver/secrets.go
index ceef87f4b77..ab209f225fa 100644
--- a/pkg/component/kubernetes/apiserver/secrets.go
+++ b/pkg/component/kubernetes/apiserver/secrets.go
@@ -21,10 +21,10 @@ import (
 gardencorev1beta1 "github.com/gardener/gardener/pkg/apis/core/v1beta1"
 v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants"
 "github.com/gardener/gardener/pkg/component/apiserver"
+ vpnseedserver "github.com/gardener/gardener/pkg/component/networking/vpn/seedserver"
 kubernetesutils "github.com/gardener/gardener/pkg/utils/kubernetes"
 secretsutils "github.com/gardener/gardener/pkg/utils/secrets"
 secretsmanager "github.com/gardener/gardener/pkg/utils/secrets/manager"
- "github.com/gardener/gardener/pkg/utils/secrets/vpntlsauth"
 versionutils "github.com/gardener/gardener/pkg/utils/version"
 )
 
@@ -227,7 +227,9 @@ func (k *kubeAPIServer) reconcileSecretHAVPNSeedClientTLSAuth(ctx context.Contex
 return nil, nil
 }
 
- return vpntlsauth.GenerateSecret(ctx, k.secretsManager)
+ return k.secretsManager.Generate(ctx, &secretsutils.VPNTLSAuthConfig{
+ Name: vpnseedserver.SecretNameTLSAuth,
+ }, secretsmanager.Rotate(secretsmanager.InPlace))
 }
 
 type tlsSNISecret struct {
diff --git a/pkg/component/networking/vpn/seedserver/seedserver.go b/pkg/component/networking/vpn/seedserver/seedserver.go
index aebe1067ff4..7f4e5530d68 100644
--- a/pkg/component/networking/vpn/seedserver/seedserver.go
+++ b/pkg/component/networking/vpn/seedserver/seedserver.go
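Review bot: The `k.secretsManager.Generate(ctx, &secretsutils.VPNTLSAuthConfig{Name: vpnseedserver.SecretNameTLSAuth}, secretsmanager.Rotate(secretsmanager.InPlace))` call that now ends reconcileSecretHAVPNSeedClientTLSAuth is a byte-for-byte copy of the call this same commit puts into vpnSeedServer.Deploy, while the helper that previously kept both call sites on one code path is deleted together with the vpntlsauth package. Any later drift between the two calls (a different rotation option, a changed config field) would make kube-apiserver and vpn-seed-server derive different tlsauth Secrets without either compile or test noticing. Reverting the two-stage hashing does not require removing the single point of generation: a thin helper next to `SecretNameTLSAuth` in the vpnseedserver package that wraps exactly this call, used from both sites, would keep the revert's behaviour and drop the duplication, and it would also carry the `SecretNameTLSAuth` constant that the restored cross-component import is only fetching. reconcileSecretHAVPNSeedClientTLSAuth starts outside the hunk.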
@@ -48,14 +48,13 @@ import (
 kubernetesutils "github.com/gardener/gardener/pkg/utils/kubernetes"
 secretsutils "github.com/gardener/gardener/pkg/utils/secrets"
 secretsmanager "github.com/gardener/gardener/pkg/utils/secrets/manager"
- "github.com/gardener/gardener/pkg/utils/secrets/vpntlsauth"
 )
 
 const (
 // GatewayPort is the port exposed by the istio ingress gateway
 GatewayPort = 8132
 // SecretNameTLSAuth is the name of seed server tlsauth Secret.
- SecretNameTLSAuth = vpntlsauth.SecretNameTLSAuth
+ SecretNameTLSAuth = "vpn-seed-server-tlsauth" // #nosec G101 -- No credential.
 deploymentName = v1beta1constants.DeploymentNameVPNSeedServer
 // ServiceName is the name of the vpn seed server service running internally on the control plane in seed.
 ServiceName = deploymentName
@@ -200,7 +199,9 @@ func (v *vpnSeedServer) Deploy(ctx context.Context) error {
 return err
 }
 
- secretTLSAuth, err := vpntlsauth.GenerateSecret(ctx, v.secretsManager)
+ secretTLSAuth, err := v.secretsManager.Generate(ctx, &secretsutils.VPNTLSAuthConfig{
+ Name: SecretNameTLSAuth,
+ }, secretsmanager.Rotate(secretsmanager.InPlace))
 if err != nil {
 return err
 }
diff --git a/pkg/component/networking/vpn/seedserver/seedserver_test.go b/pkg/component/networking/vpn/seedserver/seedserver_test.go
index 5220ea460f5..e0408b980a0 100644
--- a/pkg/component/networking/vpn/seedserver/seedserver_test.go
+++ b/pkg/component/networking/vpn/seedserver/seedserver_test.go
@@ -66,7 +66,7 @@ var _ = Describe("VpnSeedServer", func() {
 controlledValues = vpaautoscalingv1.ContainerControlledValuesRequestsOnly
 namespaceUID = types.UID("123456")
 
- secretNameTLSAuth = "vpn-seed-server-tlsauth-a1d0aa00-2a3206b8"
+ secretNameTLSAuth = "vpn-seed-server-tlsauth-a1d0aa00"
 
 listenAddress = "0.0.0.0"
 listenAddressV6 = "::"
diff --git a/pkg/utils/secrets/vpntlsauth/vpn_tlsauth.go b/pkg/utils/secrets/vpntlsauth/vpn_tlsauth.go
deleted file mode 100644
index 1d2bb2fd6a1..00000000000
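Review bot: The `v.secretsManager.Generate(..., secretsmanager.Rotate(secretsmanager.InPlace))` call in Deploy reinstates a Secret whose name is derived from the config alone, so an in-place rotation of the tlsauth key keeps the name `vpn-seed-server-tlsauth-a1d0aa00` (the test constants in this commit show exactly that suffix), and anything that detects a new key only through the name, such as the `reference.resources.gardener.cloud/secret-…` annotations on the kube-apiserver deployment whose hashes change in this same patch, will presumably not notice the rotation; that appears to be what the reverted commit's title, "Ensure unique VPN tlsauth secrets for different tlsauth keys", was addressing. The commit message gives no reason for the revert and nothing in the hunk records the limitation that comes back with it, so the next reader has no way to tell whether this is accepted or to be fixed differently. A comment at the call would at least make it visible: `// NOTE: the Secret name hashes the config only, not the key; an in-place rotation keeps the name, so name-keyed consumers will not see a new key.` — and the commit description should state why the two-stage generation was dropped and what, if anything, replaces it. Deploy starts and ends outside the hunk.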
--- a/pkg/utils/secrets/vpntlsauth/vpn_tlsauth.go
+++ /dev/null
@@ -1,66 +0,0 @@
-// SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package vpntlsauth
-
-import (
- "context"
-
- corev1 "k8s.io/api/core/v1"
-
- secretsutils "github.com/gardener/gardener/pkg/utils/secrets"
- secretsmanager "github.com/gardener/gardener/pkg/utils/secrets/manager"
-)
-
-const (
- // SecretNameTLSAuth is the name of seed server tlsauth Secret.
- SecretNameTLSAuth = "vpn-seed-server-tlsauth" // #nosec G101 -- No credential.
-)
-
-// VPNTLSAuthConfigFromSecret is a configuration for a VPN TLS auth secret with the tlsauth key itself as part
-// of the configuration.
-type VPNTLSAuthConfigFromSecret struct {
- Name string
- Data map[string][]byte
-}
-
-var _ secretsutils.ConfigInterface = &VPNTLSAuthConfigFromSecret{}
-var _ secretsutils.DataInterface = &VPNTLSAuthConfigFromSecret{}
-
-// GetName returns the name of the secret.
-func (s *VPNTLSAuthConfigFromSecret) GetName() string {
- return s.Name
-}
-
-// Generate implements ConfigInterface.
-func (s *VPNTLSAuthConfigFromSecret) Generate() (secretsutils.DataInterface, error) {
- return s, nil
-}
-
-// SecretData computes the data map which can be used in a Kubernetes secret.
-func (s *VPNTLSAuthConfigFromSecret) SecretData() map[string][]byte {
- return s.Data
-}
-
-// GenerateSecret generates a VPN TLS auth secret using the provided secrets manager.
-// It is used for two-staged generation of tlsauth secret to include the tlsauth key in the secret name hash.
-func GenerateSecret(ctx context.Context, secretsManager secretsmanager.Interface) (*corev1.Secret, error) {
- // generate a secret with the tlsauth key
- secretTLSAuthIntermediate, err := secretsManager.Generate(ctx, &secretsutils.VPNTLSAuthConfig{
- Name: SecretNameTLSAuth,
- }, secretsmanager.Rotate(secretsmanager.InPlace))
- if err != nil {
- return nil, err
- }
-
- // use the secret to get a secret with same data but including the tlsauth key itself in name hash
- secretTLSAuth, err := secretsManager.Generate(ctx, &VPNTLSAuthConfigFromSecret{
- Name: secretTLSAuthIntermediate.Name,
- Data: secretTLSAuthIntermediate.Data,
- }, secretsmanager.Rotate(secretsmanager.InPlace))
- if err != nil {
- return nil, err
- }
- return secretTLSAuth, nil
-}
diff --git a/skaffold-operator.yaml b/skaffold-operator.yaml
index 6c76b0619e3..5c3c5a53eea 100644
--- a/skaffold-operator.yaml
+++ b/skaffold-operator.yaml
@@ -304,7 +304,6 @@ build:
 - pkg/utils/retry
 - pkg/utils/secrets
 - pkg/utils/secrets/manager
- - pkg/utils/secrets/vpntlsauth
 - pkg/utils/timewindow
 - pkg/utils/validation/admissionplugins
 - pkg/utils/validation/apigroups
diff --git a/skaffold.yaml b/skaffold.yaml
index fb22d84a69c..2d4b67d8ff1 100644
--- a/skaffold.yaml
+++ b/skaffold.yaml
@@ -1280,7 +1280,6 @@ build:
 - pkg/utils/retry
 - pkg/utils/secrets
 - pkg/utils/secrets/manager
- - pkg/utils/secrets/vpntlsauth
 - pkg/utils/time
 - pkg/utils/timewindow
 - pkg/utils/validation/admissionplugins