fix: create secret with kube certs and cleanup talos secret

rsmitty · rsmitty · commit 346df6604d4e · 2020-04-13T16:57:07.000-04:00
This PR will create a new secret called `$cluster_name-ca` that holds
certs that were generated for kubernetes. Cluster API uses these certs
to create a kubeconfig for the cluster. Additionally, in exploring this,
I discovered that we should be adding owners to our secrets so that they
get deleted automatically upon cluster deletion.

Signed-off-by: Spencer Smith &lt;robertspencersmith@gmail.com&gt;
diff --git a/controllers/secrets.go b/controllers/secrets.go
@@ -20,28 +20,30 @@ import (
 
 	bootstrapv1alpha2 "github.com/talos-systems/cluster-api-bootstrap-provider-talos/api/v1alpha2"
 	"github.com/talos-systems/talos/pkg/config/types/v1alpha1/generate"
+	"github.com/talos-systems/talos/pkg/crypto/x509"
 	"gopkg.in/yaml.v2"
 	corev1 "k8s.io/api/core/v1"
+	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	clusterv1 "sigs.k8s.io/cluster-api/api/v1alpha2"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
-func (r *TalosConfigReconciler) fetchInputSecret(ctx context.Context, config *bootstrapv1alpha2.TalosConfig, clusterName string) (*corev1.Secret, error) {
-
-	inputSecret := &corev1.Secret{}
+func (r *TalosConfigReconciler) fetchSecret(ctx context.Context, config *bootstrapv1alpha2.TalosConfig, secretName string) (*corev1.Secret, error) {
+	retSecret := &corev1.Secret{}
 	err := r.Client.Get(context.Background(), client.ObjectKey{
 		Namespace: config.GetNamespace(),
-		Name:      clusterName,
-	}, inputSecret)
+		Name:      secretName,
+	}, retSecret)
 
 	if err != nil {
 		return nil, err
 	}
 
-	return inputSecret, nil
+	return retSecret, nil
 }
 
-func (r *TalosConfigReconciler) writeInputSecret(ctx context.Context, config *bootstrapv1alpha2.TalosConfig, clusterName string, input *generate.Input) (*corev1.Secret, error) {
+func (r *TalosConfigReconciler) writeInputSecret(ctx context.Context, scope *TalosConfigScope, input *generate.Input) (*corev1.Secret, error) {
 
 	certMarshal, err := yaml.Marshal(input.Certs)
 	if err != nil {
@@ -60,8 +62,19 @@ func (r *TalosConfigReconciler) writeInputSecret(ctx context.Context, config *bo
 
 	certSecret := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
-			Namespace: config.GetNamespace(),
-			Name:      clusterName,
+			Namespace: scope.Config.Namespace,
+			Name:      scope.Cluster.Name + "-talos",
+			Labels: map[string]string{
+				clusterv1.MachineClusterLabelName: scope.Cluster.Name,
+			},
+			OwnerReferences: []metav1.OwnerReference{
+				metav1.OwnerReference{
+					APIVersion: clusterv1.GroupVersion.String(),
+					Kind:       "Cluster",
+					Name:       scope.Cluster.Name,
+					UID:        scope.Cluster.UID,
+				},
+			},
 		},
 		Data: map[string][]byte{
 			"certs":       certMarshal,
@@ -77,13 +90,56 @@ func (r *TalosConfigReconciler) writeInputSecret(ctx context.Context, config *bo
 	return certSecret, nil
 }
 
-func (r *TalosConfigReconciler) deleteInputSecret(ctx context.Context, config *bootstrapv1alpha2.TalosConfig, clusterName string) error {
-	return r.Client.Delete(ctx,
+func (r *TalosConfigReconciler) writeK8sCASecret(ctx context.Context, scope *TalosConfigScope, certs *x509.PEMEncodedCertificateAndKey) error {
+	// Create ca secret only if it doesn't already exist
+	_, err := r.fetchSecret(ctx, scope.Config, scope.Cluster.Name+"-ca")
+	if k8serrors.IsNotFound(err) {
+		certSecret := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: scope.Config.Namespace,
+				Name:      scope.Cluster.Name + "-ca",
+				Labels: map[string]string{
+					clusterv1.MachineClusterLabelName: scope.Cluster.Name,
+				},
+				OwnerReferences: []metav1.OwnerReference{
+					metav1.OwnerReference{
+						APIVersion: clusterv1.GroupVersion.String(),
+						Kind:       "Cluster",
+						Name:       scope.Cluster.Name,
+						UID:        scope.Cluster.UID,
+					},
+				},
+			},
+			Data: map[string][]byte{
+				"tls.crt": certs.Crt,
+				"tls.key": certs.Key,
+			},
+		}
+
+		err = r.Client.Create(ctx, certSecret)
+		if err != nil {
+			return err
+		}
+	} else if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (r *TalosConfigReconciler) deleteSecret(ctx context.Context, config *bootstrapv1alpha2.TalosConfig, secretName string) error {
+	err := r.Client.Delete(ctx,
 		&corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
 				Namespace: config.GetNamespace(),
-				Name:      clusterName,
+				Name:      secretName,
 			},
 		},
 	)
+
+	if err != nil && !k8serrors.IsNotFound(err) {
+		return err
+	}
+
+	return nil
 }
diff --git a/controllers/talosconfig_controller.go b/controllers/talosconfig_controller.go
@@ -73,6 +73,13 @@ type talosConfigContext struct {
 	Key    string
 }
 
+func (r *TalosConfigReconciler) SetupWithManager(mgr ctrl.Manager, options controller.Options) error {
+	return ctrl.NewControllerManagedBy(mgr).
+		WithOptions(options).
+		For(&bootstrapv1alpha2.TalosConfig{}).
+		Complete(r)
+}
+
 // +kubebuilder:rbac:groups=bootstrap.cluster.x-k8s.io,resources=talosconfigs,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=bootstrap.cluster.x-k8s.io,resources=talosconfigs/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusters;clusters/status;machines;machines/status,verbs=get;list;watch
@@ -135,7 +142,7 @@ func (r *TalosConfigReconciler) Reconcile(req ctrl.Request) (_ ctrl.Result, rerr
 
 	// Handle deleted machines
 	if !config.ObjectMeta.DeletionTimestamp.IsZero() {
-		return r.reconcileDelete(ctx, config, cluster.ObjectMeta.Name)
+		return r.reconcileDelete(ctx, config)
 	}
 
 	// bail super early if it's already ready
@@ -187,29 +194,14 @@ func (r *TalosConfigReconciler) Reconcile(req ctrl.Request) (_ ctrl.Result, rerr
 	return ctrl.Result{}, nil
 }
 
-func (r *TalosConfigReconciler) reconcileDelete(ctx context.Context, config *bootstrapv1alpha2.TalosConfig, clusterName string) (ctrl.Result, error) {
-
-	if config.Spec.GenerateType == "init" {
-		err := r.deleteInputSecret(ctx, config, clusterName)
-		if err != nil {
-			return ctrl.Result{}, err
-		}
-	}
-
+func (r *TalosConfigReconciler) reconcileDelete(ctx context.Context, config *bootstrapv1alpha2.TalosConfig) (ctrl.Result, error) {
 	// Config is deleted so remove the finalizer.
 	config.Finalizers = util.Filter(config.Finalizers, bootstrapv1alpha2.ConfigFinalizer)
 
 	return ctrl.Result{}, nil
 
 }
 
-func (r *TalosConfigReconciler) SetupWithManager(mgr ctrl.Manager, options controller.Options) error {
-	return ctrl.NewControllerManagedBy(mgr).
-		WithOptions(options).
-		For(&bootstrapv1alpha2.TalosConfig{}).
-		Complete(r)
-}
-
 func genTalosConfigFile(clusterName string, certs *generate.Certs) (string, error) {
 	talosConfig := &talosConfig{
 		Context: clusterName,
@@ -241,6 +233,14 @@ func (r *TalosConfigReconciler) userConfigs(ctx context.Context, scope *TalosCon
 		return retBundle, err
 	}
 
+	// Create the secret with kubernetes certs so a kubeconfig can be generated
+	if userConfig.Machine().Type() == configmachine.TypeInit {
+		err = r.writeK8sCASecret(ctx, scope, userConfig.Cluster().CA())
+		if err != nil {
+			return retBundle, err
+		}
+	}
+
 	userConfigStr, err := userConfig.String()
 	if err != nil {
 		return retBundle, err
@@ -265,17 +265,29 @@ func (r *TalosConfigReconciler) genConfigs(ctx context.Context, scope *TalosConf
 	}
 
 	APIEndpointPort := strconv.Itoa(scope.Cluster.Status.APIEndpoints[0].Port)
-	input, err := generate.NewInput(scope.Cluster.ObjectMeta.Name,
+	input, err := generate.NewInput(scope.Cluster.Name,
 		"https://"+scope.Cluster.Status.APIEndpoints[0].Host+":"+APIEndpointPort,
 		*scope.Machine.Spec.Version,
 	)
 	if err != nil {
 		return retBundle, err
 	}
 
-	inputSecret, err := r.fetchInputSecret(ctx, scope.Config, scope.Cluster.ObjectMeta.Name)
+	// Stash our generated input secrets so that we can reuse them for other nodes
+	inputSecret, err := r.fetchSecret(ctx, scope.Config, scope.Cluster.Name+"-talos")
+	if machineType == configmachine.TypeInit && k8serrors.IsNotFound(err) {
+		inputSecret, err = r.writeInputSecret(ctx, scope, input)
+		if err != nil {
+			return retBundle, err
+		}
+	} else if err != nil {
+		return retBundle, err
+	}
+
+	// Create the secret with kubernetes certs so a kubeconfig can be generated
+	_, err = r.fetchSecret(ctx, scope.Config, scope.Cluster.Name+"-ca")
 	if machineType == configmachine.TypeInit && k8serrors.IsNotFound(err) {
-		inputSecret, err = r.writeInputSecret(ctx, scope.Config, scope.Cluster.ObjectMeta.Name, input)
+		err = r.writeK8sCASecret(ctx, scope, input.Certs.K8s)
 		if err != nil {
 			return retBundle, err
 		}
