From 4f02d5f1e9f732bcde37bb0d14db1736f5552865 Mon Sep 17 00:00:00 2001
From: Sagar Muchhal
Date: Mon, 30 Nov 2020 11:09:53 -0800
Subject: [PATCH] Update secret generation util functions

Set the Type field for CAPI Secrets generated by the util functions. This will eventually be used by the controllers to access only a certain type of secrets.

Signed-off-by: Sagar Muchhal
---
 util/kubeconfig/kubeconfig.go | 1 +
 util/kubeconfig/kubeconfig_test.go | 3 +++
 util/secret/certificates.go | 39 ++++++++++++++++++------------
 3 files changed, 27 insertions(+), 16 deletions(-)

diff --git a/util/kubeconfig/kubeconfig.go b/util/kubeconfig/kubeconfig.go
index f3b1aea834d1..c03678375c65 100644
--- a/util/kubeconfig/kubeconfig.go
+++ b/util/kubeconfig/kubeconfig.go
@@ -143,6 +143,7 @@ func GenerateSecretWithOwner(clusterName client.ObjectKey, data []byte, owner me
 Data: map[string][]byte{
 secret.KubeconfigDataName: data,
 },
+ Type: clusterv1.ClusterSecretType,
 }
 }
diff --git a/util/kubeconfig/kubeconfig_test.go b/util/kubeconfig/kubeconfig_test.go
index 4d0f6dc06eca..a0bd4b14e9e8 100644
--- a/util/kubeconfig/kubeconfig_test.go
+++ b/util/kubeconfig/kubeconfig_test.go
@@ -74,6 +74,7 @@ users:
 Data: map[string][]byte{
 secret.KubeconfigDataName: []byte(validKubeConfig),
 },
+ Type: clusterv1.ClusterSecretType,
 }
 )
@@ -281,6 +282,7 @@ func TestCreateSecretWithOwner(t *testing.T) {
 key := client.ObjectKey{Name: "test1-kubeconfig", Namespace: "test"}
 g.Expect(c.Get(ctx, key, s)).To(Succeed())
 g.Expect(s.OwnerReferences).To(ContainElement(owner))
+ g.Expect(s.Type).To(Equal(clusterv1.ClusterSecretType))
 clientConfig, err := clientcmd.NewClientConfigFromBytes(s.Data[secret.KubeconfigDataName])
 g.Expect(err).NotTo(HaveOccurred())
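Review bot: Setting `Type: clusterv1.ClusterSecretType` in GenerateSecretWithOwner only affects Secrets created from now on; Secrets that earlier releases already wrote keep the default `Opaque` type, and as far as I recall the Kubernetes API rejects changing a Secret's `type` on update, so the controller-side filtering the commit message announces as a follow-up would silently stop seeing those older kubeconfig and certificate Secrets unless they are recreated. The same consideration applies to the `AsSecret` hunk in util/secret/certificates.go. It would help to state this in the description or next to the new field, e.g. `// Type is fixed at creation; pre-existing secrets keep their original type and must be recreated to be selectable by it.` The enclosing function starts outside the hunk.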
@@ -343,6 +345,7 @@ func TestCreateSecret(t *testing.T) {
 APIVersion: clusterv1.GroupVersion.String(),
 },
 ))
+ g.Expect(s.Type).To(Equal(clusterv1.ClusterSecretType))
 clientConfig, err := clientcmd.NewClientConfigFromBytes(s.Data[secret.KubeconfigDataName])
 g.Expect(err).NotTo(HaveOccurred())
diff --git a/util/secret/certificates.go b/util/secret/certificates.go
index b0de9c3f69c0..cecbace3862b 100644
--- a/util/secret/certificates.go
+++ b/util/secret/certificates.go
@@ -241,29 +241,14 @@ func (c Certificates) EnsureAllExist() error {
 return nil
 }
-// TODO: consider moving a generating function into the Certificate object itself?
-type certGenerator func() (*certs.KeyPair, error)
-
 // Generate will generate any certificates that do not have KeyPair data.
 func (c Certificates) Generate() error {
 for _, certificate := range c {
 if certificate.KeyPair == nil {
- var generator certGenerator
- switch certificate.Purpose {
- case APIServerEtcdClient: // Do not generate the APIServerEtcdClient key pair. It is user supplied
- continue
- case ServiceAccount:
- generator = generateServiceAccountKeys
- default:
- generator = generateCACert
- }
-
- kp, err := generator()
+ err := certificate.Generate()
 if err != nil {
 return err
 }
- certificate.KeyPair = kp
- certificate.Generated = true
 }
 }
 return nil
@@ -345,6 +330,7 @@ func (c *Certificate) AsSecret(clusterName client.ObjectKey, owner metav1.OwnerR
 TLSKeyDataName: c.KeyPair.Key,
 TLSCrtDataName: c.KeyPair.Cert,
 },
+ Type: clusterv1.ClusterSecretType,
 }
 if c.Generated {
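Review bot: In the Certificates.Generate loop the new two-statement form `err := certificate.Generate()` followed by `if err != nil` leaves `err` in scope for the rest of the loop body; the idiomatic scoped form is `if err := certificate.Generate(); err != nil { return err }`. Note also that the `certificate.KeyPair == nil` guard is now the only thing preventing regeneration, and it lives in this caller rather than in the per-certificate method it delegates to, so the "do not have KeyPair data" promise in the doc comment holds for this loop but not for the new method on its own. Since `certificate.Generate()` mutates the receiver, this loop only has an effect if `Certificates` holds pointers, which the removed in-loop assignment `certificate.KeyPair = kp` suggests was already the case. The function's closing brace is outside the hunk.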
@@ -375,6 +361,27 @@ func (c *Certificate) AsFiles() []bootstrapv1.File {
 return out
 }
+func (c *Certificate) Generate() error {
+ // Do not generate the APIServerEtcdClient key pair. It is user supplied
+ if c.Purpose == APIServerEtcdClient {
+ return nil
+ }
+
+ generator := generateCACert
+ if c.Purpose == ServiceAccount {
+ generator = generateServiceAccountKeys
+ }
+
+ kp, err := generator()
+ if err != nil {
+ return err
+ }
+ c.KeyPair = kp
+ c.Generated = true
+
+ return nil
+}
+
 // AsFiles converts a slice of certificates into bootstrap files.
 func (c Certificates) AsFiles() []bootstrapv1.File {
 clusterCA := c.GetByPurpose(ClusterCA)
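Review bot: The new exported `Certificate.Generate` has no doc comment and does not check whether `c.KeyPair` is already set, so any caller other than the `Certificates.Generate` loop (which keeps the nil check on its side) would overwrite an existing CA or service-account key pair and mark it `Generated`, which is easy to do unintentionally and hard to notice afterwards. Either move the guard into the method, `if c.KeyPair != nil || c.Purpose == APIServerEtcdClient { return nil }`, or make the contract explicit with a comment such as `// Generate creates a fresh key pair for this certificate, replacing any existing KeyPair; it is a no-op for APIServerEtcdClient, whose key pair is user supplied.` Whichever is chosen, the comment on the existing `Certificates.Generate` ("any certificates that do not have KeyPair data") should match the method's actual behaviour.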