Merge #192

192: Import legacy key r=mkmik a=mkmik Closes #189 Co-authored-by: Marko Mikulicic <mkm@bitnami.com>
bitnami-labs · Jul 19, 2019 · ef3d3fd · ef3d3fd
2 parents bc25e8b + ee67c88
commit ef3d3fd
Show file tree

Hide file tree

Showing 2 changed files with 77 additions and 2 deletions.
diff --git a/cmd/controller/main.go b/cmd/controller/main.go
@@ -16,6 +16,7 @@ import (
 	"time"
 
 	flag "github.com/spf13/pflag"
+	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/client-go/kubernetes"
@@ -70,9 +71,20 @@ func initKeyRegistry(client kubernetes.Interface, r io.Reader, namespace, prefix
 	if err != nil {
 		return nil, err
 	}
+	items := secretList.Items
+	if len(items) == 0 {
+		s, err := client.Core().Secrets(namespace).Get(prefix, metav1.GetOptions{})
+		if !errors.IsNotFound(err) {
+			if err != nil {
+				return nil, err
+			}
+			items = append(items, *s)
+			// TODO(mkm): add the label to the legacy secret
+		}
+	}
 	keyRegistry := NewKeyRegistry(client, namespace, prefix, label, keysize)
-	sort.Sort(ssv1alpha1.ByCreationTimestamp(secretList.Items))
-	for _, secret := range secretList.Items {
+	sort.Sort(ssv1alpha1.ByCreationTimestamp(items))
+	for _, secret := range items {
 		key, certs, err := readKey(secret)
 		if err != nil {
 			log.Printf("Error reading key %s: %v", secret.Name, err)

diff --git a/cmd/controller/main_test.go b/cmd/controller/main_test.go
@@ -6,8 +6,12 @@ import (
 	"testing"
 	"time"
 
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/kubernetes/fake"
 	ktesting "k8s.io/client-go/testing"
+	certUtil "k8s.io/client-go/util/cert"
 )
 
 func findAction(fake *fake.Clientset, verb, resource string) ktesting.Action {
@@ -152,3 +156,62 @@ func TestReuseKey(t *testing.T) {
 		t.Errorf("initKeyRotation() should not create a new secret when one already exist and rotation is disabled")
 	}
 }
+
+func writeLegacyKey(client kubernetes.Interface, key *rsa.PrivateKey, certs []*x509.Certificate, namespace, name string) (string, error) {
+	certbytes := []byte{}
+	for _, cert := range certs {
+		certbytes = append(certbytes, certUtil.EncodeCertPEM(cert)...)
+	}
+	secret := v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: namespace,
+			Name:      name,
+		},
+		Data: map[string][]byte{
+			v1.TLSPrivateKeyKey: certUtil.EncodePrivateKeyPEM(key),
+			v1.TLSCertKey:       certbytes,
+		},
+		Type: v1.SecretTypeTLS,
+	}
+
+	createdSecret, err := client.Core().Secrets(namespace).Create(&secret)
+	if err != nil {
+		return "", err
+	}
+	return createdSecret.Name, nil
+}
+
+func TestLegacySecret(t *testing.T) {
+	rand := testRand()
+	key, err := rsa.GenerateKey(rand, 512)
+	if err != nil {
+		t.Fatalf("Failed to generate test key: %v", err)
+	}
+
+	cert, err := signKey(rand, key)
+	if err != nil {
+		t.Fatalf("signKey failed: %v", err)
+	}
+
+	client := fake.NewSimpleClientset()
+
+	_, err = writeLegacyKey(client, key, []*x509.Certificate{cert}, "namespace", "prefix")
+	if err != nil {
+		t.Errorf("writeKey() failed with: %v", err)
+	}
+
+	client.ClearActions()
+
+	registry, err := initKeyRegistry(client, rand, "namespace", "prefix", SealedSecretsKeyLabel, 1024)
+	if err != nil {
+		t.Fatalf("initKeyRegistry() returned err: %v", err)
+	}
+
+	_, err = initKeyRotation(registry, 0)
+	if err != nil {
+		t.Fatalf("initKeyRotation() returned err: %v", err)
+	}
+	if hasAction(client, "create", "secrets") {
+		t.Errorf("initKeyRotation() should not create a new secret when one already exist and rotation is disabled")
+	}
+}