Supp/sshkey rotation (#14)

* Deletes old sshkey after sshkey rotation Signed-off-by: Fynn <[email protected]> * Add the case, that infra object has no status.providerStatus Signed-off-by: Fynn <[email protected]> * Add Label on sshkeys Signed-off-by: Fynn <[email protected]> * Remove seed name as label Signed-off-by: Fynn <[email protected]> Co-authored-by: Fynn <[email protected]>
23technologies · Jul 13, 2022 · 93643f8 · 93643f8
1 parent 8ca8b9a
commit 93643f8
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 5 deletions.
diff --git a/pkg/controller/infrastructure/actuator_reconcile.go b/pkg/controller/infrastructure/actuator_reconcile.go
@@ -55,7 +55,27 @@ func (a *actuator) reconcile(ctx context.Context, infra *extensionsv1alpha1.Infr
 
 	client := apis.GetClientForToken(string(actuatorConfig.token))
 
-	sshFingerprint, err := ensurer.EnsureSSHPublicKey(ctx, client, infra.Spec.SSHPublicKey)
+	oldProviderStatus, err := transcoder.DecodeInfrastructureStatus(infra.Status.GetProviderStatus())
+	if err == nil {
+		oldFingerprint := oldProviderStatus.SSHFingerprint
+		newFingerprint, err := apis.GetSSHFingerprint(infra.Spec.SSHPublicKey)
+		if nil != err {
+			return err
+		}
+		if oldFingerprint != newFingerprint {
+			sshKey, _, err := client.SSHKey.GetByFingerprint(ctx, oldFingerprint)
+			if nil != err {
+				return err
+			} else if sshKey != nil {
+				_, err := client.SSHKey.Delete(ctx, sshKey)
+				if nil != err {
+					return err
+				}
+			}
+		}
+	}
+
+	sshFingerprint, err := ensurer.EnsureSSHPublicKey(ctx, client, cluster, infra.Spec.SSHPublicKey)
 	if err != nil {
 		return err
 	}

diff --git a/pkg/controller/infrastructure/ensurer/ssh_public_key.go b/pkg/controller/infrastructure/ensurer/ssh_public_key.go
@@ -23,6 +23,7 @@ import (
 
 	"github.com/23technologies/gardener-extension-provider-hcloud/pkg/hcloud/apis"
 	"github.com/23technologies/gardener-extension-provider-hcloud/pkg/hcloud/apis/controller"
+	extensionscontroller "github.com/gardener/gardener/extensions/pkg/controller"
 	"github.com/hetznercloud/hcloud-go/hcloud"
 )
 
@@ -32,7 +33,7 @@ import (
 // ctx       context.Context  Execution context
 // client    *hcloud.Client   HCloud client
 // publicKey []byte           SSH public key
-func EnsureSSHPublicKey(ctx context.Context, client *hcloud.Client, publicKey []byte) (string, error) {
+func EnsureSSHPublicKey(ctx context.Context, client *hcloud.Client, cluster *extensionscontroller.Cluster, publicKey []byte) (string, error) {
 	if len(publicKey) == 0 {
 		return "", fmt.Errorf("SSH public key given is empty")
 	}
@@ -42,16 +43,18 @@ func EnsureSSHPublicKey(ctx context.Context, client *hcloud.Client, publicKey []
 		return "", err
 	}
 
-	labels := map[string]string{ "hcloud.provider.extensions.gardener.cloud/role": "infrastructure-ssh-v1" }
+	labels := map[string]string{"hcloud.provider.extensions.gardener.cloud/role": "infrastructure-ssh-v1"}
+	labels["cluster.gardener.cloud/name"] = cluster.Shoot.Name
+	labels["cluster.gardener.cloud/id"] = string(cluster.Shoot.GetUID())
 
 	sshKey, _, err := client.SSHKey.GetByFingerprint(ctx, fingerprint)
 	if nil != err {
 		return "", err
 	} else if sshKey == nil {
 		opts := hcloud.SSHKeyCreateOpts{
-			Name: fmt.Sprintf("infrastructure-ssh-%s", fingerprint),
+			Name:      fmt.Sprintf("infrastructure-ssh-%s", fingerprint),
 			PublicKey: string(publicKey),
-			Labels: labels,
+			Labels:    labels,
 		}
 
 		sshKey, _, err := client.SSHKey.Create(ctx, opts)