Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Read secrets for client-onboarding-token-validation #2827

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

mrudraia1
Copy link

This PR reads the secrets instead of reading the secrets from the volume mounts.
whenever the new onboarding secrets are created, it takes more time to read the secrets from the volume mounts,
The user clicks the rotate onboarding keys, the kubernetes still uses the old public, private keys , the new keys are mounted later, So this PR will read the secrets directly from the kubernetes secrets.

controllers/storagecluster/storageclient.go Outdated Show resolved Hide resolved
controllers/storagecluster/storageclient.go Outdated Show resolved Hide resolved
controllers/util/provider.go Show resolved Hide resolved
controllers/util/provider.go Outdated Show resolved Hide resolved
controllers/util/provider.go Outdated Show resolved Hide resolved
services/ux-backend/handlers/common.go Outdated Show resolved Hide resolved
services/ux-backend/main.go Outdated Show resolved Hide resolved
tools/csv-merger/csv-merger.go Outdated Show resolved Hide resolved
@leelavg
Copy link
Contributor

leelavg commented Oct 1, 2024

a suggestion, we are seeing this PR for third time, second time it's fine that you weren't able to recover GH (remember you can't create new a/c every-time though) but last time it's better if you can focus on rebasing properly.

yes, GH doesn't have any issue w/ closing & opening a new PR but for reviewers it's kinda hard to relook from the start.

@mrudraia1
Copy link
Author

I have tested this PR, with the latest 4.18 build. I could see the keys getting exchanged when the rotate signing key is clicked in storageclient page.

@leelavg
Copy link
Contributor

leelavg commented Oct 15, 2024

I have tested this PR, with the latest 4.18 build. I could see the keys getting exchanged when the rotate signing key is clicked in storageclient page.

  • ack, only minor comments now. @nb-ohad possible for a final review?

controllers/storagecluster/storageclient.go Outdated Show resolved Hide resolved
@@ -225,7 +225,7 @@ func (r *StorageClusterReconciler) SetupWithManager(mgr ctrl.Manager) error {
Owns(&appsv1.Deployment{}, builder.WithPredicates(predicate.GenerationChangedPredicate{})).
Owns(&corev1.Service{}, builder.WithPredicates(predicate.GenerationChangedPredicate{})).
Owns(&corev1.ConfigMap{}, builder.MatchEveryOwner, builder.WithPredicates(predicate.GenerationChangedPredicate{})).
Owns(&corev1.Secret{}, builder.WithPredicates(predicate.GenerationChangedPredicate{})).
Owns(&corev1.Secret{}, builder.MatchEveryOwner, builder.WithPredicates(predicate.GenerationChangedPredicate{})).
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we need a MatchEveryOwner here? Isn't StorageCluster the controller owner of the secret we want to watch?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

controller owner reference set to secrets, ack

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This comment was not addressed as tall! You are matching by controller ownership, it does not make sense to match every owner

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Owner reference were set during creation of secrets in on-boarding job, when the rotate signing key is clicked the re-consiliation is not happening, The onboarding-token needs to be created which is failing.

Any suggestion for this issue.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If there is a controller owner ref on the secret and then someone deletes that secret then a delete event will be sent here. And because the item had an owner ref (with controller set) then a reconcile request will be queued. Now if that is not happening there can be a bug in a couple of places:

  • The predicate might be the one the drops the event (should not, but might be)
  • The reconcile is initiated but the reconcile code might not re-create the secret (might happen because of stale cache)
  • Are we sure we are adding a controller reference on the secret? if not and we are only adding an owner ref then that is your bug

@mrudraia1 You need to identify the issue, and only after you fully understand what is going on you can suggest a fix.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

StorageCluster is the owner of the secrets, not the controller owner here

controllers/util/provider.go Show resolved Hide resolved
controllers/util/provider.go Outdated Show resolved Hide resolved
controllers/util/provider.go Outdated Show resolved Hide resolved
services/ux-backend/main.go Outdated Show resolved Hide resolved
services/ux-backend/main.go Outdated Show resolved Hide resolved
services/ux-backend/main.go Outdated Show resolved Hide resolved
services/ux-backend/main.go Outdated Show resolved Hide resolved
Copy link
Contributor

openshift-ci bot commented Oct 16, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mrudraia1
Once this PR has been reviewed and has the lgtm label, please ask for approval from nb-ohad. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@deepsm007
Copy link

infra issue
/test images

@@ -225,7 +225,7 @@ func (r *StorageClusterReconciler) SetupWithManager(mgr ctrl.Manager) error {
Owns(&appsv1.Deployment{}, builder.WithPredicates(predicate.GenerationChangedPredicate{})).
Owns(&corev1.Service{}, builder.WithPredicates(predicate.GenerationChangedPredicate{})).
Owns(&corev1.ConfigMap{}, builder.MatchEveryOwner, builder.WithPredicates(predicate.GenerationChangedPredicate{})).
Owns(&corev1.Secret{}, builder.WithPredicates(predicate.GenerationChangedPredicate{})).
Owns(&corev1.Secret{}, builder.MatchEveryOwner, builder.WithPredicates(predicate.GenerationChangedPredicate{})).
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This comment was not addressed as tall! You are matching by controller ownership, it does not make sense to match every owner

controllers/util/provider.go Outdated Show resolved Hide resolved
controllers/util/provider.go Outdated Show resolved Hide resolved
services/ux-backend/main.go Outdated Show resolved Hide resolved
services/ux-backend/main.go Outdated Show resolved Hide resolved
@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 12, 2024
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 12, 2024
}

Block, _ := pem.Decode(pemString)
Block, _ := pem.Decode(privateSecretKey)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should not ignore decode errors. What if the key is corrupted?

controllers/util/provider.go Outdated Show resolved Hide resolved
@mrudraia1 mrudraia1 force-pushed the onboarding branch 2 times, most recently from 4f84a13 to 64dfa2f Compare November 19, 2024 13:54
@mrudraia1 mrudraia1 force-pushed the onboarding branch 2 times, most recently from 8fbaa53 to 8d4a61d Compare November 20, 2024 11:09
Signed-off-by: Mrudraia1 <mrudraia@redhat.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants