From 93643f846b8edae0820511d249efd5e42a3a0114 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fynn=20Sp=C3=A4ker?=
Date: Wed, 13 Jul 2022 14:37:25 +0200
Subject: [PATCH] Supp/sshkey rotation (#14)
* Deletes old sshkey after sshkey rotation
Signed-off-by: Fynn
* Add the case, that infra object has no status.providerStatus
Signed-off-by: Fynn
* Add Label on sshkeys
Signed-off-by: Fynn
* Remove seed name as label
Signed-off-by: Fynn
Co-authored-by: Fynn
---
 .../infrastructure/actuator_reconcile.go | 22 ++++++++++++++++++-
 .../infrastructure/ensurer/ssh_public_key.go | 11 ++++++----
 2 files changed, 28 insertions(+), 5 deletions(-)
diff --git a/pkg/controller/infrastructure/actuator_reconcile.go b/pkg/controller/infrastructure/actuator_reconcile.go
index c2391b298..3e60f758d 100644
--- a/pkg/controller/infrastructure/actuator_reconcile.go
+++ b/pkg/controller/infrastructure/actuator_reconcile.go
@@ -55,7 +55,27 @@ func (a *actuator) reconcile(ctx context.Context, infra *extensionsv1alpha1.Infr
 client := apis.GetClientForToken(string(actuatorConfig.token))
- sshFingerprint, err := ensurer.EnsureSSHPublicKey(ctx, client, infra.Spec.SSHPublicKey)
+ oldProviderStatus, err := transcoder.DecodeInfrastructureStatus(infra.Status.GetProviderStatus())
+ if err == nil {
+ oldFingerprint := oldProviderStatus.SSHFingerprint
+ newFingerprint, err := apis.GetSSHFingerprint(infra.Spec.SSHPublicKey)
+ if nil != err {
+ return err
+ }
+ if oldFingerprint != newFingerprint {
+ sshKey, _, err := client.SSHKey.GetByFingerprint(ctx, oldFingerprint)
+ if nil != err {
+ return err
+ } else if sshKey != nil {
+ _, err := client.SSHKey.Delete(ctx, sshKey)
+ if nil != err {
+ return err
+ }
+ }
+ }
+ }
+
+ sshFingerprint, err := ensurer.EnsureSSHPublicKey(ctx, client, cluster, infra.Spec.SSHPublicKey)
 if err != nil {
 return err
 }
diff --git a/pkg/controller/infrastructure/ensurer/ssh_public_key.go b/pkg/controller/infrastructure/ensurer/ssh_public_key.go
index ebb68ad4e..923c754f2 100644
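Review bot: The delete branch never checks that `oldFingerprint` is non-empty before calling `client.SSHKey.GetByFingerprint(ctx, oldFingerprint)`, so a status that decodes but carries no `SSHFingerprint` (and, if `DecodeInfrastructureStatus` yields a zero-value status rather than an error for a missing providerStatus, every fresh Infrastructure) passes an empty fingerprint to a project-wide lookup; if the hcloud client drops an empty fingerprint filter and returns the first key in the project (worth verifying against hcloud-go), that unrelated key is deleted. Guard the comparison with `if oldFingerprint != "" && oldFingerprint != newFingerprint {`. The lookup is also by fingerprint alone and the cluster labels this commit adds in the ensurer are not consulted here, while the ensurer reuses an existing key object with a matching fingerprint rather than creating one per shoot, so rotating this shoot's key can remove a key another shoot in the same project still references; comparing `sshKey.Labels["cluster.gardener.cloud/id"]` with `string(cluster.Shoot.GetUID())` before `Delete` would at least protect keys created for a different shoot (keys created before this change carry no such label). Separately, `if err == nil` around the whole block hides genuine decode errors as well as the missing-status case, so a corrupt provider status silently skips cleanup instead of surfacing. `reconcile` continues outside the hunk.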
--- a/pkg/controller/infrastructure/ensurer/ssh_public_key.go
+++ b/pkg/controller/infrastructure/ensurer/ssh_public_key.go
@@ -23,6 +23,7 @@ import (
 "github.com/23technologies/gardener-extension-provider-hcloud/pkg/hcloud/apis"
 "github.com/23technologies/gardener-extension-provider-hcloud/pkg/hcloud/apis/controller"
+ extensionscontroller "github.com/gardener/gardener/extensions/pkg/controller"
 "github.com/hetznercloud/hcloud-go/hcloud"
 )
@@ -32,7 +33,7 @@ import (
 // ctx context.Context Execution context
 // client *hcloud.Client HCloud client
 // publicKey []byte SSH public key
-func EnsureSSHPublicKey(ctx context.Context, client *hcloud.Client, publicKey []byte) (string, error) {
+func EnsureSSHPublicKey(ctx context.Context, client *hcloud.Client, cluster *extensionscontroller.Cluster, publicKey []byte) (string, error) {
 if len(publicKey) == 0 {
 return "", fmt.Errorf("SSH public key given is empty")
 }
@@ -42,16 +43,18 @@ func EnsureSSHPublicKey(ctx context.Context, client *hcloud.Client, publicKey []
 return "", err
 }
- labels := map[string]string{ "hcloud.provider.extensions.gardener.cloud/role": "infrastructure-ssh-v1" }
+ labels := map[string]string{"hcloud.provider.extensions.gardener.cloud/role": "infrastructure-ssh-v1"}
+ labels["cluster.gardener.cloud/name"] = cluster.Shoot.Name
+ labels["cluster.gardener.cloud/id"] = string(cluster.Shoot.GetUID())
 sshKey, _, err := client.SSHKey.GetByFingerprint(ctx, fingerprint)
 if nil != err {
 return "", err
 } else if sshKey == nil {
 opts := hcloud.SSHKeyCreateOpts{
- Name: fmt.Sprintf("infrastructure-ssh-%s", fingerprint),
+ Name: fmt.Sprintf("infrastructure-ssh-%s", fingerprint),
 PublicKey: string(publicKey),
- Labels: labels,
+ Labels: labels,
 }
 sshKey, _, err := client.SSHKey.Create(ctx, opts)
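Review bot: The parameter comment block directly above the signature still documents only `ctx`, `client` and `publicKey`, while the new signature adds `cluster *extensionscontroller.Cluster`; add a matching line such as `// cluster *extensionscontroller.Cluster Shoot cluster whose name and UID are set as labels on the key`. The new parameter is also dereferenced further down as `cluster.Shoot.Name` and `cluster.Shoot.GetUID()` with no nil check, whereas `publicKey` is validated up front; a guard beside the existing one, `if cluster == nil || cluster.Shoot == nil { return "", fmt.Errorf("cluster given is nil") }`, would turn a reconciler panic into a returned error. `EnsureSSHPublicKey` continues outside the hunk.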