Commit 51f1a5a0 authored by Derek Nola's avatar Derek Nola

Review comments and fixes

parent 42c2ac95
...@@ -45,6 +45,7 @@ func main() { ...@@ -45,6 +45,7 @@ func main() {
secretsencrypt.Prepare, secretsencrypt.Prepare,
secretsencrypt.Rotate, secretsencrypt.Rotate,
secretsencrypt.Reencrypt, secretsencrypt.Reencrypt,
secretsencrypt.RotateKeys,
), ),
cmds.NewCertCommand( cmds.NewCertCommand(
cmds.NewCertSubcommands( cmds.NewCertSubcommands(
......
...@@ -86,7 +86,7 @@ func NewSecretsEncryptCommands(status, enable, disable, prepare, rotate, reencry ...@@ -86,7 +86,7 @@ func NewSecretsEncryptCommands(status, enable, disable, prepare, rotate, reencry
}, },
{ {
Name: "rotate-keys", Name: "rotate-keys",
Usage: "Add, rotate and rencryption with a new encryption key", Usage: "(experimental) Dynamically add a new secrets encryption key and re-encrypt secrets",
SkipArgReorder: true, SkipArgReorder: true,
Action: rotateKeys, Action: rotateKeys,
Flags: EncryptFlags, Flags: EncryptFlags,
......
...@@ -20,7 +20,7 @@ import ( ...@@ -20,7 +20,7 @@ import (
"k8s.io/utils/pointer" "k8s.io/utils/pointer"
) )
func commandPrep(app *cli.Context, cfg *cmds.Server) (*clientaccess.Info, error) { func commandPrep(cfg *cmds.Server) (*clientaccess.Info, error) {
// hide process arguments from ps output, since they may contain // hide process arguments from ps output, since they may contain
// database credentials or other secrets. // database credentials or other secrets.
gspt.SetProcTitle(os.Args[0] + " secrets-encrypt") gspt.SetProcTitle(os.Args[0] + " secrets-encrypt")
...@@ -46,11 +46,10 @@ func wrapServerError(err error) error { ...@@ -46,11 +46,10 @@ func wrapServerError(err error) error {
} }
func Enable(app *cli.Context) error { func Enable(app *cli.Context) error {
var err error if err := cmds.InitLogging(); err != nil {
if err = cmds.InitLogging(); err != nil {
return err return err
} }
info, err := commandPrep(app, &cmds.ServerConfig) info, err := commandPrep(&cmds.ServerConfig)
if err != nil { if err != nil {
return err return err
} }
...@@ -70,7 +69,7 @@ func Disable(app *cli.Context) error { ...@@ -70,7 +69,7 @@ func Disable(app *cli.Context) error {
if err := cmds.InitLogging(); err != nil { if err := cmds.InitLogging(); err != nil {
return err return err
} }
info, err := commandPrep(app, &cmds.ServerConfig) info, err := commandPrep(&cmds.ServerConfig)
if err != nil { if err != nil {
return err return err
} }
...@@ -89,7 +88,7 @@ func Status(app *cli.Context) error { ...@@ -89,7 +88,7 @@ func Status(app *cli.Context) error {
if err := cmds.InitLogging(); err != nil { if err := cmds.InitLogging(); err != nil {
return err return err
} }
info, err := commandPrep(app, &cmds.ServerConfig) info, err := commandPrep(&cmds.ServerConfig)
if err != nil { if err != nil {
return err return err
} }
...@@ -147,11 +146,10 @@ func Status(app *cli.Context) error { ...@@ -147,11 +146,10 @@ func Status(app *cli.Context) error {
} }
func Prepare(app *cli.Context) error { func Prepare(app *cli.Context) error {
var err error if err := cmds.InitLogging(); err != nil {
if err = cmds.InitLogging(); err != nil {
return err return err
} }
info, err := commandPrep(app, &cmds.ServerConfig) info, err := commandPrep(&cmds.ServerConfig)
if err != nil { if err != nil {
return err return err
} }
...@@ -173,7 +171,7 @@ func Rotate(app *cli.Context) error { ...@@ -173,7 +171,7 @@ func Rotate(app *cli.Context) error {
if err := cmds.InitLogging(); err != nil { if err := cmds.InitLogging(); err != nil {
return err return err
} }
info, err := commandPrep(app, &cmds.ServerConfig) info, err := commandPrep(&cmds.ServerConfig)
if err != nil { if err != nil {
return err return err
} }
...@@ -192,11 +190,10 @@ func Rotate(app *cli.Context) error { ...@@ -192,11 +190,10 @@ func Rotate(app *cli.Context) error {
} }
func Reencrypt(app *cli.Context) error { func Reencrypt(app *cli.Context) error {
var err error if err := cmds.InitLogging(); err != nil {
if err = cmds.InitLogging(); err != nil {
return err return err
} }
info, err := commandPrep(app, &cmds.ServerConfig) info, err := commandPrep(&cmds.ServerConfig)
if err != nil { if err != nil {
return err return err
} }
...@@ -216,11 +213,10 @@ func Reencrypt(app *cli.Context) error { ...@@ -216,11 +213,10 @@ func Reencrypt(app *cli.Context) error {
} }
func RotateKeys(app *cli.Context) error { func RotateKeys(app *cli.Context) error {
var err error if err := cmds.InitLogging(); err != nil {
if err = cmds.InitLogging(); err != nil {
return err return err
} }
info, err := commandPrep(app, &cmds.ServerConfig) info, err := commandPrep(&cmds.ServerConfig)
if err != nil { if err != nil {
return err return err
} }
...@@ -233,6 +229,6 @@ func RotateKeys(app *cli.Context) error { ...@@ -233,6 +229,6 @@ func RotateKeys(app *cli.Context) error {
if err = info.Put("/v1-"+version.Program+"/encrypt/config", b); err != nil { if err = info.Put("/v1-"+version.Program+"/encrypt/config", b); err != nil {
return wrapServerError(err) return wrapServerError(err)
} }
fmt.Println("keys rotated, rencryption started") fmt.Println("keys rotated, reencryption started")
return nil return nil
} }
...@@ -17,7 +17,6 @@ import ( ...@@ -17,7 +17,6 @@ import (
"github.com/k3s-io/k3s/pkg/daemons/config" "github.com/k3s-io/k3s/pkg/daemons/config"
"github.com/k3s-io/k3s/pkg/secretsencrypt" "github.com/k3s-io/k3s/pkg/secretsencrypt"
"github.com/k3s-io/k3s/pkg/util" "github.com/k3s-io/k3s/pkg/util"
"github.com/k3s-io/k3s/pkg/version"
"github.com/rancher/wrangler/pkg/generated/controllers/core" "github.com/rancher/wrangler/pkg/generated/controllers/core"
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
...@@ -140,9 +139,6 @@ func encryptionEnable(ctx context.Context, server *config.Control, enable bool) ...@@ -140,9 +139,6 @@ func encryptionEnable(ctx context.Context, server *config.Control, enable bool)
logrus.Infoln("Secrets encryption already disabled") logrus.Infoln("Secrets encryption already disabled")
return nil return nil
} else if providers[0].Identity != nil && providers[1].AESCBC != nil && enable { } else if providers[0].Identity != nil && providers[1].AESCBC != nil && enable {
if nodeArgs := getNodeArgs(server); !strings.Contains(nodeArgs, "secrets-encryption") {
return fmt.Errorf("secrets encryption cannot be enabled without first starting the server with --secrets-encryption flag")
}
logrus.Infoln("Enabling secrets encryption") logrus.Infoln("Enabling secrets encryption")
if err := secretsencrypt.WriteEncryptionConfig(server.Runtime, curKeys, enable); err != nil { if err := secretsencrypt.WriteEncryptionConfig(server.Runtime, curKeys, enable); err != nil {
return err return err
...@@ -160,15 +156,6 @@ func encryptionEnable(ctx context.Context, server *config.Control, enable bool) ...@@ -160,15 +156,6 @@ func encryptionEnable(ctx context.Context, server *config.Control, enable bool)
return setReencryptAnnotation(server) return setReencryptAnnotation(server)
} }
func getNodeArgs(server *config.Control) string {
nodeName := os.Getenv("NODE_NAME")
node, err := server.Runtime.Core.Core().V1().Node().Get(nodeName, metav1.GetOptions{})
if err != nil {
return ""
}
return node.Annotations[version.Program+".io/node-args"]
}
func encryptionConfigHandler(ctx context.Context, server *config.Control) http.Handler { func encryptionConfigHandler(ctx context.Context, server *config.Control) http.Handler {
return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) { return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
if req.TLS == nil { if req.TLS == nil {
...@@ -245,7 +232,6 @@ func encryptionPrepare(ctx context.Context, server *config.Control, force bool) ...@@ -245,7 +232,6 @@ func encryptionPrepare(ctx context.Context, server *config.Control, force bool)
} }
func encryptionRotate(ctx context.Context, server *config.Control, force bool) error { func encryptionRotate(ctx context.Context, server *config.Control, force bool) error {
if err := verifyEncryptionHashAnnotation(server.Runtime, server.Runtime.Core.Core(), secretsencrypt.EncryptionPrepare); err != nil && !force { if err := verifyEncryptionHashAnnotation(server.Runtime, server.Runtime.Core.Core(), secretsencrypt.EncryptionPrepare); err != nil && !force {
return err return err
} }
...@@ -274,7 +260,6 @@ func encryptionRotate(ctx context.Context, server *config.Control, force bool) e ...@@ -274,7 +260,6 @@ func encryptionRotate(ctx context.Context, server *config.Control, force bool) e
} }
func encryptionReencrypt(ctx context.Context, server *config.Control, force bool, skip bool) error { func encryptionReencrypt(ctx context.Context, server *config.Control, force bool, skip bool) error {
if err := verifyEncryptionHashAnnotation(server.Runtime, server.Runtime.Core.Core(), secretsencrypt.EncryptionRotate); err != nil && !force { if err := verifyEncryptionHashAnnotation(server.Runtime, server.Runtime.Core.Core(), secretsencrypt.EncryptionRotate); err != nil && !force {
return err return err
} }
...@@ -300,7 +285,6 @@ func encryptionReencrypt(ctx context.Context, server *config.Control, force bool ...@@ -300,7 +285,6 @@ func encryptionReencrypt(ctx context.Context, server *config.Control, force bool
} }
func addAndRotateKeys(server *config.Control) error { func addAndRotateKeys(server *config.Control) error {
curKeys, err := secretsencrypt.GetEncryptionKeys(server.Runtime) curKeys, err := secretsencrypt.GetEncryptionKeys(server.Runtime)
if err != nil { if err != nil {
return err return err
...@@ -357,7 +341,6 @@ func setReencryptAnnotation(server *config.Control) error { ...@@ -357,7 +341,6 @@ func setReencryptAnnotation(server *config.Control) error {
} }
func AppendNewEncryptionKey(keys *[]apiserverconfigv1.Key) error { func AppendNewEncryptionKey(keys *[]apiserverconfigv1.Key) error {
aescbcKey := make([]byte, aescbcKeySize) aescbcKey := make([]byte, aescbcKeySize)
_, err := rand.Read(aescbcKey) _, err := rand.Read(aescbcKey)
if err != nil { if err != nil {
......
...@@ -47,6 +47,7 @@ func AtomicWrite(fileName string, data []byte, perm os.FileMode) error { ...@@ -47,6 +47,7 @@ func AtomicWrite(fileName string, data []byte, perm os.FileMode) error {
return err return err
} }
tmpName := f.Name() tmpName := f.Name()
defer os.Remove(tmpName)
if _, err := f.Write(data); err != nil { if _, err := f.Write(data); err != nil {
f.Close() f.Close()
return err return err
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment