

Remove secrets encryption controller (k3s-io#10612)
* Remove secrets encryption controller

Signed-off-by: Derek Nola <[email protected]>
dereknola committed Sep 3, 2024
1 parent 07629eb commit 1cec954
Showing 5 changed files with 136 additions and 297 deletions.
2 changes: 0 additions & 2 deletions pkg/daemons/config/types.go
Expand Up @@ -227,8 +227,6 @@ type Control struct {
ClusterInit bool
ClusterReset bool
ClusterResetRestorePath string
EncryptForce bool
EncryptSkip bool
MinTLSVersion string
CipherSuites []string
TLSMinVersion uint16 `json:"-"`
13 changes: 0 additions & 13 deletions pkg/daemons/control/server.go
Expand Up @@ -14,7 +14,6 @@ import (
"github.com/k3s-io/k3s/pkg/daemons/config"
"github.com/k3s-io/k3s/pkg/daemons/control/deps"
"github.com/k3s-io/k3s/pkg/daemons/executor"
"github.com/k3s-io/k3s/pkg/secretsencrypt"
"github.com/k3s-io/k3s/pkg/util"
"github.com/k3s-io/k3s/pkg/version"
"github.com/pkg/errors"
Expand Down Expand Up @@ -61,18 +60,6 @@ func Server(ctx context.Context, cfg *config.Control) error {
if err := apiServer(ctx, cfg); err != nil {
return err
}
if cfg.EncryptSecrets {
controllerName := "reencrypt-secrets"
cfg.Runtime.ClusterControllerStarts[controllerName] = func(ctx context.Context) {
// cfg.Runtime.Core is populated before this callback is triggered
if err := secretsencrypt.Register(ctx,
controllerName,
cfg,
cfg.Runtime.Core.Core().V1().Node()); err != nil {
logrus.Errorf("Failed to register %s controller: %v", controllerName, err)
}
}
}
}

// Wait for an apiserver to become available before starting additional controllers,
27 changes: 19 additions & 8 deletions pkg/secretsencrypt/config.go
Expand Up @@ -27,13 +27,19 @@ import (
)

const (
EncryptionStart string = "start"
EncryptionPrepare string = "prepare"
EncryptionRotate string = "rotate"
EncryptionRotateKeys string = "rotate_keys"
EncryptionReencryptRequest string = "reencrypt_request"
EncryptionReencryptActive string = "reencrypt_active"
EncryptionReencryptFinished string = "reencrypt_finished"
EncryptionStart string = "start"
EncryptionPrepare string = "prepare"
EncryptionRotate string = "rotate"
EncryptionRotateKeys string = "rotate_keys"
EncryptionReencryptRequest string = "reencrypt_request"
EncryptionReencryptActive string = "reencrypt_active"
EncryptionReencryptFinished string = "reencrypt_finished"
SecretListPageSize int64 = 20
SecretQPS float32 = 200
SecretBurst int = 200
SecretsUpdateErrorEvent string = "SecretsUpdateError"
SecretsProgressEvent string = "SecretsProgress"
SecretsUpdateCompleteEvent string = "SecretsUpdateComplete"
)

var EncryptionHashAnnotation = version.Program + ".io/encryption-config-hash"
Expand Down Expand Up @@ -178,7 +184,9 @@ func BootstrapEncryptionHashAnnotation(node *corev1.Node, runtime *config.Contro
return nil
}

func WriteEncryptionHashAnnotation(runtime *config.ControlRuntime, node *corev1.Node, stage string) error {
// WriteEncryptionHashAnnotation writes the encryption hash to the node annotation and optionally to a file.
// The file is used to track the last stage of the reencryption process.
func WriteEncryptionHashAnnotation(runtime *config.ControlRuntime, node *corev1.Node, skipFile bool, stage string) error {
encryptionConfigHash, err := GenEncryptionConfigHash(runtime)
if err != nil {
return err
Expand All @@ -192,6 +200,9 @@ func WriteEncryptionHashAnnotation(runtime *config.ControlRuntime, node *corev1.
return err
}
logrus.Debugf("encryption hash annotation set successfully on node: %s\n", node.ObjectMeta.Name)
if skipFile {
return nil
}
return os.WriteFile(runtime.EncryptionHash, []byte(ann), 0600)
}

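Review bot: The new `skipFile bool` parameter on `WriteEncryptionHashAnnotation` is not described by the doc comment added directly above it, and a bare boolean inserted between `node` and `stage` is easy to pass in the wrong position at call sites, none of which are visible in this hunk. The comment should name the parameter and its polarity, e.g. `// skipFile, when true, updates only the node annotation and does not write the hash to runtime.EncryptionHash.` The exported constants added in the first hunk (`SecretListPageSize`, `SecretQPS`, `SecretBurst` and the three `Secrets*Event` reasons) also carry no doc comments, so the meaning of the 20/200/200 values and where the event reasons are emitted is undocumented. The function body continues outside the hunk, so what `ann` holds before the `os.WriteFile` call cannot be confirmed from here.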
246 changes: 0 additions & 246 deletions pkg/secretsencrypt/controller.go

This file was deleted.


