Skip to content

Commit

Permalink
Merge pull request kyma-project#48 from Disper/controller_states3
Browse files Browse the repository at this point in the history
Implement kubeconfig rotation
  • Loading branch information
kyma-bot authored Nov 7, 2023
2 parents 9cff167 + 0e0d1bc commit 59b1cb1
Show file tree
Hide file tree
Showing 7 changed files with 493 additions and 83 deletions.
74 changes: 70 additions & 4 deletions api/v1/gardenercluster_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,9 @@ limitations under the License.
package v1

import (
"fmt"

"k8s.io/apimachinery/pkg/api/meta"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

Expand Down Expand Up @@ -67,10 +70,25 @@ type Secret struct {
type State string

const (
ReadyState State = "Ready"
ProcessingState State = "Processing"
ErrorState State = "Error"
DeletingState State = "Deleting"
ReadyState State = "Ready"
ErrorState State = "Error"
)

type ConditionReason string

const (
ConditionReasonKubeconfigSecretCreated ConditionReason = "KubeconfigSecretCreated"
ConditionReasonKubeconfigSecretRotated ConditionReason = "KubeconfigSecretRotated"
ConditionReasonFailedToGetSecret ConditionReason = "FailedToCheckSecret"
ConditionReasonFailedToCreateSecret ConditionReason = "ConditionReasonFailedToCreateSecret"
ConditionReasonFailedToUpdateSecret ConditionReason = "FailedToUpdateSecret"
ConditionReasonFailedToGetKubeconfig ConditionReason = "FailedToGetKubeconfig"
)

type ConditionType string

const (
ConditionTypeKubeconfigManagement ConditionType = "KubeconfigManagement"
)

// GardenerClusterStatus defines the observed state of GardenerCluster
Expand All @@ -86,6 +104,54 @@ type GardenerClusterStatus struct {
Conditions []metav1.Condition `json:"conditions,omitempty"`
}

func (cluster *GardenerCluster) UpdateConditionForReadyState(conditionType ConditionType, reason ConditionReason, conditionStatus metav1.ConditionStatus) {
cluster.Status.State = ReadyState

condition := metav1.Condition{
Type: string(conditionType),
Status: conditionStatus,
LastTransitionTime: metav1.Now(),
Reason: string(reason),
Message: getMessage(reason),
}
meta.RemoveStatusCondition(&cluster.Status.Conditions, condition.Type)
meta.SetStatusCondition(&cluster.Status.Conditions, condition)
}

func (cluster *GardenerCluster) UpdateConditionForErrorState(conditionType ConditionType, reason ConditionReason, conditionStatus metav1.ConditionStatus, error error) {
cluster.Status.State = ErrorState

condition := metav1.Condition{
Type: string(conditionType),
Status: conditionStatus,
LastTransitionTime: metav1.Now(),
Reason: string(reason),
Message: fmt.Sprintf("%s Error: %s", getMessage(reason), error.Error()),
}
meta.RemoveStatusCondition(&cluster.Status.Conditions, condition.Type)
meta.SetStatusCondition(&cluster.Status.Conditions, condition)
}

func getMessage(reason ConditionReason) string {
switch reason {
case ConditionReasonKubeconfigSecretCreated:
return "Secret created successfully."
case ConditionReasonKubeconfigSecretRotated:
return "Secret rotated successfully."
case ConditionReasonFailedToCreateSecret:
return "Failed to create secret."
case ConditionReasonFailedToUpdateSecret:
return "Failed to rotate secret."
case ConditionReasonFailedToGetSecret:
return "Failed to get secret."
case ConditionReasonFailedToGetKubeconfig:
return "Failed to get kubeconfig."

default:
return "Unknown condition"
}
}

func init() {
SchemeBuilder.Register(&GardenerCluster{}, &GardenerClusterList{})
}
16 changes: 10 additions & 6 deletions cmd/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,9 @@ import (
"sigs.k8s.io/controller-runtime/pkg/log/zap"
)

// The ratio determines what is the minimal time that needs to pass to rotate certificate.
const minimalRotationTimeRatio = 0.6

var (
scheme = runtime.NewScheme() //nolint:gochecknoglobals
setupLog = ctrl.Log.WithName("setup") //nolint:gochecknoglobals
Expand Down Expand Up @@ -106,15 +109,15 @@ func main() {
}

gardenerNamespace := fmt.Sprintf("garden-%s", gardenerProjectName)
expirationInSeconds := int64(expirationTime.Seconds())
kubeconfigProvider, err := setupKubernetesKubeconfigProvider(gardenerKubeconfigPath, gardenerNamespace, expirationInSeconds)
kubeconfigProvider, err := setupKubernetesKubeconfigProvider(gardenerKubeconfigPath, gardenerNamespace, expirationTime)

if err != nil {
setupLog.Error(err, "unable to initialize kubeconfig provider", "controller", "GardenerCluster")
os.Exit(1)
}

if err = (controller.NewGardenerClusterController(mgr, kubeconfigProvider, logger)).SetupWithManager(mgr); err != nil {
rotationPeriod := time.Duration(minimalRotationTimeRatio*expirationTime.Minutes()) * time.Minute
if err = (controller.NewGardenerClusterController(mgr, kubeconfigProvider, logger, rotationPeriod)).SetupWithManager(mgr); err != nil {
setupLog.Error(err, "unable to create controller", "controller", "GardenerCluster")
os.Exit(1)
}
Expand All @@ -129,14 +132,15 @@ func main() {
os.Exit(1)
}

setupLog.Info("starting manager")
setupLog.Info("Starting Manager", "kubeconfigExpirationTime", expirationTime, "kubeconfigRotationPeriod", rotationPeriod)

if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
setupLog.Error(err, "problem running manager")
os.Exit(1)
}
}

func setupKubernetesKubeconfigProvider(kubeconfigPath string, namespace string, expirationInSeconds int64) (gardener.KubeconfigProvider, error) {
func setupKubernetesKubeconfigProvider(kubeconfigPath string, namespace string, expirationTime time.Duration) (gardener.KubeconfigProvider, error) {
restConfig, err := gardener.NewRestConfigFromFile(kubeconfigPath)
if err != nil {
return gardener.KubeconfigProvider{}, err
Expand All @@ -163,5 +167,5 @@ func setupKubernetesKubeconfigProvider(kubeconfigPath string, namespace string,
return gardener.NewKubeconfigProvider(shootClient,
dynamicKubeconfigAPI,
namespace,
expirationInSeconds), nil
int64(expirationTime.Seconds())), nil
}
6 changes: 6 additions & 0 deletions config/rbac/role.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -33,3 +33,9 @@ rules:
- gardenerclusters/finalizers
verbs:
- update
- apiGroups:
- infrastructuremanager.kyma-project.io
resources:
- gardenerclusters/status
verbs:
- update
Loading

0 comments on commit 59b1cb1

Please sign in to comment.