From 32bb329bb3e13d892ab9f64964b7749ab63dbc6c Mon Sep 17 00:00:00 2001 From: Vadim Rutkovsky Date: Wed, 10 Apr 2024 17:31:17 +0200 Subject: [PATCH] Bump library-go --- go.mod | 1 + go.sum | 4 +-- .../pkg/operator/certrotation/cabundle.go | 11 ++++++- .../client_cert_rotation_controller.go | 2 +- .../pkg/operator/certrotation/signer.go | 31 ++++++++++--------- .../pkg/operator/certrotation/target.go | 15 ++++++--- .../operator/resource/resourceapply/core.go | 7 +++-- vendor/modules.txt | 3 +- 8 files changed, 47 insertions(+), 27 deletions(-)
diff --git a/go.mod b/go.mod
index f0d7a2d289..02ccc6313c 100644
--- a/go.mod
+++ b/go.mod
@@ -138,5 +138,6 @@ require (
 replace (
 github.com/gogo/protobuf => github.com/gogo/protobuf v1.3.2
+ github.com/openshift/library-go => github.com/vrutkovs/library-go v0.0.0-20240410150628-bb03acf01a85
 vbom.ml/util => github.com/fvbommel/util v0.0.0-20180919145318-efcd4e0f9787
 )
diff --git a/go.sum b/go.sum
index ce3bfe9f03..cd21c0fea8 100644
--- a/go.sum
+++ b/go.sum
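Review bot: The new replace directive at the end of the go.mod hunk swaps github.com/openshift/library-go for a pseudo-version of a personal fork (github.com/vrutkovs/library-go), so the build now pins on code outside the organisation's review and branch protection, and a force-push or deletion of that fork changes or breaks the build without any change in this repository. If this is a temporary carry until the corresponding upstream change merges, say so next to the directive, e.g. `// TEMPORARY: carry of an unmerged library-go change; switch back to github.com/openshift/library-go once it lands`, and track its removal. The go.sum entry in the next hunk pins the exact commit hash, which is the right mitigation, but a personal-fork replace should not become permanent.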
@@ -311,8 +311,6 @@ github.com/openshift/build-machinery-go v0.0.0-20220913142420-e25cf57ea46d h1:RR
 github.com/openshift/build-machinery-go v0.0.0-20220913142420-e25cf57ea46d/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE=
 github.com/openshift/client-go v0.0.0-20231218140158-47f6d749b9d9 h1:kjgW3luAkf9NWu+8u+jqNNbexDG+CY82/INw8hGbG14=
 github.com/openshift/client-go v0.0.0-20231218140158-47f6d749b9d9/go.mod h1:kKmxYRXTMutfF7XzGppFdbLhNGX1brXkRsZx5ID8c7U=
-github.com/openshift/library-go v0.0.0-20240404133914-6b235e9156fa h1:xGGzEFdvZFYH3kSbo0pkVtIarc3dhkFh9SqafAE4KpU=
-github.com/openshift/library-go v0.0.0-20240404133914-6b235e9156fa/go.mod h1:sb0m3u8GuEtCmkVWsosk/XBAzvnJjaOKcZ4m+oYsOa0=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
@@ -414,6 +412,8 @@ github.com/vishvananda/netlink v1.0.0 h1:bqNY2lgheFIu1meHUFSH3d7vG93AFyqg3oGbJCO
 github.com/vishvananda/netlink v1.0.0/go.mod h1:+SR5DhBJrl6ZM7CoCKvpw5BKroDKQ+PJqOg65H/2ktk=
 github.com/vishvananda/netns v0.0.0-20210104183010-2eb08e3e575f h1:p4VB7kIXpOQvVn1ZaTIVp+3vuYAXFe3OJEvjbUYJLaA=
 github.com/vishvananda/netns v0.0.0-20210104183010-2eb08e3e575f/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
+github.com/vrutkovs/library-go v0.0.0-20240410150628-bb03acf01a85 h1:IOoCWIEvwuWwhEJZOCLoWvUUMwfvB+dnpiKEsFGxw1I=
+github.com/vrutkovs/library-go v0.0.0-20240410150628-bb03acf01a85/go.mod h1:sb0m3u8GuEtCmkVWsosk/XBAzvnJjaOKcZ4m+oYsOa0=
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 h1:eY9dn8+vbi4tKz5Qo6v2eYzo7kUS51QINcR5jNpbZS8=
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/cabundle.go b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/cabundle.go
index 7ec91f7863..7ce228fce8 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/cabundle.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/cabundle.go
@@ -18,6 +18,7 @@ import (
 "k8s.io/client-go/util/cert"
 "k8s.io/klog/v2"
+ "github.com/google/go-cmp/cmp"
 "github.com/openshift/library-go/pkg/certs"
 "github.com/openshift/library-go/pkg/crypto"
 "github.com/openshift/library-go/pkg/operator/events"
@@ -75,7 +76,15 @@ func (c CABundleConfigMap) EnsureConfigMapCABundle(ctx context.Context, signingC
 return nil, err
 }
 if originalCABundleConfigMap == nil || originalCABundleConfigMap.Data == nil || !equality.Semantic.DeepEqual(originalCABundleConfigMap.Data, caBundleConfigMap.Data) {
- c.EventRecorder.Eventf("CABundleUpdateRequired", "%q in %q requires a new cert", c.Name, c.Namespace)
+ reason := ""
+ if originalCABundleConfigMap == nil {
+ reason = "configmap doesn't exist"
+ } else if originalCABundleConfigMap.Data == nil {
+ reason = "configmap is empty"
+ } else if !equality.Semantic.DeepEqual(originalCABundleConfigMap.Data, caBundleConfigMap.Data) {
+ reason = fmt.Sprintf("diff: %q", cmp.Diff(originalCABundleConfigMap.Data, caBundleConfigMap.Data))
+ }
+ c.EventRecorder.Eventf("CABundleUpdateRequired", "%q in %q requires a new cert: %s", c.Name, c.Namespace, reason)
 LabelAsManagedConfigMap(caBundleConfigMap, CertificateTypeCABundle)
 actualCABundleConfigMap, modified, err := resourceapply.ApplyConfigMap(ctx, c.Client, c.EventRecorder, caBundleConfigMap)
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/client_cert_rotation_controller.go b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/client_cert_rotation_controller.go
index 5159f562a3..67015d7b1b 100644
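Review bot: The `diff:` reason built on the third branch embeds `cmp.Diff` of the two configmap data maps into a Kubernetes Event message; for a CA bundle that data is the PEM text of every certificate, so the event will carry kilobytes of text with every newline escaped by the `%q` wrapper, and as far as I recall event messages are meant to be short (the events.k8s.io API caps notes at 1 KiB). go-cmp also documents `Diff` output as unstable and intended for humans only, so it should not end up in an API object that other tooling reads. I would keep the event terse and move the diff to the log, e.g. `klog.V(4).Infof("%s/%s CA bundle differs from desired:\n%s", c.Namespace, c.Name, cmp.Diff(originalCABundleConfigMap.Data, caBundleConfigMap.Data))` with `reason = "configmap data differs from desired"` (klog is already imported in the hunk above). EnsureConfigMapCABundle starts before this hunk and continues after it.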
--- a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/client_cert_rotation_controller.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/client_cert_rotation_controller.go
@@ -122,7 +122,7 @@ func (c CertRotationController) Sync(ctx context.Context, syncCtx factory.SyncCo
 }
 func (c CertRotationController) SyncWorker(ctx context.Context) error {
- signingCertKeyPair, _, err := c.RotatedSigningCASecret.EnsureSigningCertKeyPair(ctx)
+ signingCertKeyPair, err := c.RotatedSigningCASecret.EnsureSigningCertKeyPair(ctx)
 if err != nil {
 return err
 }
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/signer.go b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/signer.go
index 4cf805bb7b..f0c8ece09c 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/signer.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/signer.go
@@ -53,19 +53,17 @@ type RotatedSigningCASecret struct {
 Client corev1client.SecretsGetter
 EventRecorder events.Recorder
- // Deprecated: DO NOT enable, it is intended as a short term hack for a very specific use case,
+ // Deprecated: DO NOT eanble, it is intended as a short term hack for a very specific use case,
 // and it works in tandem with a particular carry patch applied to the openshift kube-apiserver.
 // we will remove this when we migrate all of the affected secret
 // objects to their intended type: https://issues.redhat.com/browse/API-1800
 UseSecretUpdateOnly bool
 }
-// EnsureSigningCertKeyPair manages the entire lifecycle of a signer cert as a secret, from creation to continued rotation.
-// It always returns the currently used CA pair, a bool indicating whether it was created/updated within this function call and an error.
-func (c RotatedSigningCASecret) EnsureSigningCertKeyPair(ctx context.Context) (*crypto.CA, bool, error) {
+func (c RotatedSigningCASecret) EnsureSigningCertKeyPair(ctx context.Context) (*crypto.CA, error) {
 originalSigningCertKeyPairSecret, err := c.Lister.Secrets(c.Namespace).Get(c.Name)
 if err != nil && !apierrors.IsNotFound(err) {
- return nil, false, err
+ return nil, err
 }
 signingCertKeyPairSecret := originalSigningCertKeyPairSecret.DeepCopy()
 if apierrors.IsNotFound(err) {
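Review bot: The hunk deletes the doc comment on the exported EnsureSigningCertKeyPair instead of updating it for the new two-value signature, and its only other edit to the struct rewrites an unrelated comment line to introduce the typo `eanble`. I would leave `// Deprecated: DO NOT enable, it is intended as a short term hack for a very specific use case,` untouched and restore the function comment as `// EnsureSigningCertKeyPair manages the entire lifecycle of a signer cert as a secret, from creation to continued rotation.` followed by `// It returns the currently used CA pair, or an error.`. Dropping the bool result is a breaking change to an exported API: this patch adapts the one caller in client_cert_rotation_controller.go, and any other consumer of the vendored package would presumably need the same adaptation. The function body continues past the end of the hunk.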
@@ -90,34 +88,32 @@ func (c RotatedSigningCASecret) EnsureSigningCertKeyPair(ctx context.Context) (*
 if ensureMetadataUpdate(signingCertKeyPairSecret, c.Owner, c.AdditionalAnnotations) && ensureSecretTLSTypeSet(signingCertKeyPairSecret) {
 actualSigningCertKeyPairSecret, _, err := applyFn(ctx, c.Client, c.EventRecorder, signingCertKeyPairSecret)
 if err != nil {
- return nil, false, err
+ return nil, err
 }
 signingCertKeyPairSecret = actualSigningCertKeyPairSecret
 }
- signerUpdated := false
- if needed, reason := needNewSigningCertKeyPair(signingCertKeyPairSecret.Annotations, c.Refresh, c.RefreshOnlyWhenExpired); needed {
+ if needed, reason := needNewSigningCertKeyPair(signingCertKeyPairSecret, c.Refresh, c.RefreshOnlyWhenExpired); needed {
 c.EventRecorder.Eventf("SignerUpdateRequired", "%q in %q requires a new signing cert/key pair: %v", c.Name, c.Namespace, reason)
 if err := setSigningCertKeyPairSecret(signingCertKeyPairSecret, c.Validity); err != nil {
- return nil, false, err
+ return nil, err
 }
 LabelAsManagedSecret(signingCertKeyPairSecret, CertificateTypeSigner)
 actualSigningCertKeyPairSecret, _, err := applyFn(ctx, c.Client, c.EventRecorder, signingCertKeyPairSecret)
 if err != nil {
- return nil, false, err
+ return nil, err
 }
 signingCertKeyPairSecret = actualSigningCertKeyPairSecret
- signerUpdated = true
 }
 // at this point, the secret has the correct signer, so we should read that signer to be able to sign
 signingCertKeyPair, err := crypto.GetCAFromBytes(signingCertKeyPairSecret.Data["tls.crt"], signingCertKeyPairSecret.Data["tls.key"])
 if err != nil {
- return nil, signerUpdated, err
+ return nil, err
 }
- return signingCertKeyPair, signerUpdated, nil
+ return signingCertKeyPair, nil
 }
 // ensureOwnerReference adds the owner to the list of owner references in meta, if necessary
@@ -136,7 +132,12 @@ func ensureOwnerReference(meta *metav1.ObjectMeta, owner *metav1.OwnerReference)
 return false
 }
-func needNewSigningCertKeyPair(annotations map[string]string, refresh time.Duration, refreshOnlyWhenExpired bool) (bool, string) {
+func needNewSigningCertKeyPair(secret *corev1.Secret, refresh time.Duration, refreshOnlyWhenExpired bool) (bool, string) {
+ if secret.ResourceVersion == "" {
+ return true, "secret doesn't exist"
+ }
+
+ annotations := secret.Annotations
 notBefore, notAfter, reason := getValidityFromAnnotations(annotations)
 if len(reason) > 0 {
 return true, reason
@@ -153,7 +154,7 @@ func needNewSigningCertKeyPair(annotations map[string]string, refresh time.Durat
 validity := notAfter.Sub(notBefore)
 at80Percent := notAfter.Add(-validity / 5)
 if time.Now().After(at80Percent) {
- return true, fmt.Sprintf("past its latest possible time %v", at80Percent)
+ return true, fmt.Sprintf("past refresh time (80%% of validity): %v", at80Percent)
 }
 developerSpecifiedRefresh := notBefore.Add(refresh)
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go
index 413665d351..0839a5031a 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go
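Review bot: The new existence check at the top of needNewSigningCertKeyPair dereferences `secret` unconditionally and treats an empty ResourceVersion as "the secret does not exist", which presumably relies on the caller building a local placeholder secret when the lister returns NotFound (that branch lies outside these hunks) and on never passing nil; neither invariant is stated. I would make the guard defensive and document it: `if secret == nil || secret.ResourceVersion == "" {` with a comment such as `// An empty ResourceVersion means the secret was built locally after a NotFound from the lister and has never been written; always issue a new pair.`. A secret handed in from elsewhere with its ResourceVersion cleared would also be treated as missing and trigger a fresh signer, so the comment should spell out that the RV is the only existence signal used. The rest of needNewSigningCertKeyPair lies between and after the two hunks.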
@@ -146,7 +146,12 @@ func (c RotatedSelfSignedCertKeySecret) EnsureTargetCertKeyPair(ctx context.Cont
 return targetCertKeyPairSecret, nil
 }
-func needNewTargetCertKeyPair(annotations map[string]string, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration, refreshOnlyWhenExpired bool) string {
+func needNewTargetCertKeyPair(secret *corev1.Secret, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration, refreshOnlyWhenExpired bool) string {
+ if secret.ResourceVersion == "" {
+ return "secret doesn't exist"
+ }
+
+ annotations := secret.Annotations
 if reason := needNewTargetCertKeyPairForTime(annotations, signer, refresh, refreshOnlyWhenExpired); len(reason) > 0 {
 return reason
 }
@@ -203,7 +208,7 @@ func needNewTargetCertKeyPairForTime(annotations map[string]string, signer *cryp
 validity := notAfter.Sub(notBefore)
 at80Percent := notAfter.Add(-validity / 5)
 if time.Now().After(at80Percent) {
- return fmt.Sprintf("past its latest possible time %v", at80Percent)
+ return fmt.Sprintf("past refresh time (80%% of validity): %v", at80Percent)
 }
 // If Certificate is past its refresh time, we may have action to take. We only do this if the signer is old enough.
@@ -264,7 +269,7 @@ func (r *ClientRotation) NewCertificate(signer *crypto.CA, validity time.Duratio
 }
 func (r *ClientRotation) NeedNewTargetCertKeyPair(currentCertSecret *corev1.Secret, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration, refreshOnlyWhenExpired bool) string {
- return needNewTargetCertKeyPair(currentCertSecret.Annotations, signer, caBundleCerts, refresh, refreshOnlyWhenExpired)
+ return needNewTargetCertKeyPair(currentCertSecret, signer, caBundleCerts, refresh, refreshOnlyWhenExpired)
 }
 func (r *ClientRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string {
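Review bot: The `secret.ResourceVersion == ""` existence check added to needNewTargetCertKeyPair in the first hunk duplicates the one added to needNewSigningCertKeyPair in signer.go, with a different return shape, so the two definitions of "the secret does not exist" can drift apart. A one-line helper in the package, `func secretExists(secret *corev1.Secret) bool { return secret != nil && secret.ResourceVersion != "" }`, used as `if !secretExists(secret) { return "secret doesn't exist" }`, would keep them in step and also absorb the nil case, since the exported NeedNewTargetCertKeyPair in the third hunk forwards the caller's pointer unchecked (as it did before through `.Annotations`). needNewTargetCertKeyPair continues past the first hunk, and needNewTargetCertKeyPairForTime starts before the second.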
@@ -289,7 +294,7 @@ func (r *ServingRotation) RecheckChannel() <-chan struct{} {
 }
 func (r *ServingRotation) NeedNewTargetCertKeyPair(currentCertSecret *corev1.Secret, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration, refreshOnlyWhenExpired bool) string {
- reason := needNewTargetCertKeyPair(currentCertSecret.Annotations, signer, caBundleCerts, refresh, refreshOnlyWhenExpired)
+ reason := needNewTargetCertKeyPair(currentCertSecret, signer, caBundleCerts, refresh, refreshOnlyWhenExpired)
 if len(reason) > 0 {
 return reason
 }
@@ -335,7 +340,7 @@ func (r *SignerRotation) NewCertificate(signer *crypto.CA, validity time.Duratio
 }
 func (r *SignerRotation) NeedNewTargetCertKeyPair(currentCertSecret *corev1.Secret, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration, refreshOnlyWhenExpired bool) string {
- return needNewTargetCertKeyPair(currentCertSecret.Annotations, signer, caBundleCerts, refresh, refreshOnlyWhenExpired)
+ return needNewTargetCertKeyPair(currentCertSecret, signer, caBundleCerts, refresh, refreshOnlyWhenExpired)
 }
 func (r *SignerRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string {
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/core.go b/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/core.go
index a154809bad..d25f14d857 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/core.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/core.go
@@ -16,6 +16,7 @@ import (
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/runtime/schema"
 "k8s.io/apimachinery/pkg/util/sets"
+ coreapplyv1 "k8s.io/client-go/applyconfigurations/core/v1"
 coreclientv1 "k8s.io/client-go/kubernetes/typed/core/v1"
 "k8s.io/klog/v2"
 )
@@ -454,7 +455,9 @@ func applySecretImproved(ctx context.Context, client coreclientv1.SecretsGetter,
 }
 if existingCopy.Type == existing.Type {
- actual, err = client.Secrets(required.Namespace).Update(ctx, existingCopy, metav1.UpdateOptions{})
+ existingCopyConfiguration, err := coreapplyv1.ExtractSecret(existingCopy, "library-go")
+ reportUpdateEvent(recorder, existingCopy, err)
+ actual, err = client.Secrets(required.Namespace).Apply(ctx, existingCopyConfiguration, metav1.ApplyOptions{})
 reportUpdateEvent(recorder, existingCopy, err)
 if err == nil {
@@ -466,7 +469,7 @@ func applySecretImproved(ctx context.Context, client coreclientv1.SecretsGetter,
 }
 // if the field was immutable on a secret, we're going to be stuck until we delete it. Try to delete and then create
- deleteErr := client.Secrets(required.Namespace).Delete(ctx, existingCopy.Name, metav1.DeleteOptions{})
+ deleteErr := client.Secrets(required.Namespace).Delete(ctx, existingCopy.Name, metav1.DeleteOptions{Preconditions: &metav1.Preconditions{ResourceVersion: &existing.ResourceVersion}})
 reportDeleteEvent(recorder, existingCopy, deleteErr)
 // clear the RV and track the original actual and error for the return like our create value.
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 9d35cce3b9..44893ec6a7 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
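Review bot: The new Apply path in the first hunk sends whatever `coreapplyv1.ExtractSecret(existingCopy, "library-go")` returns, but client-go documents ExtractSecret as returning only the fields that the named manager already owns in managedFields (just name, namespace and kind when it owns none), and a secret last written through the old `Update` call was recorded under a different manager, so the merged data in existingCopy would likely never reach the server while the call still reports success; the apply configuration should describe the desired state built from existingCopy, not be extracted from it. The error from ExtractSecret is never checked (the `:=` shadows `err`, and the extra `reportUpdateEvent` emits an update event before any update has happened), and `metav1.ApplyOptions{}` carries no FieldManager, which as far as I recall the apiserver rejects for apply patches and which in any case has to match the manager name passed to ExtractSecret. The minimal repair of the first hunk is below, assuming the (secret, modified, error) return shape that the surrounding `actual, err` handling implies; applySecretImproved starts and ends outside the hunk.
```go
	if existingCopy.Type == existing.Type {
		existingCopyConfiguration, extractErr := coreapplyv1.ExtractSecret(existingCopy, "library-go")
		if extractErr != nil {
			return nil, false, extractErr
		}
		// TODO(review): ExtractSecret yields only fields already owned by "library-go"; confirm the desired type/data are actually sent.
		actual, err = client.Secrets(required.Namespace).Apply(ctx, existingCopyConfiguration, metav1.ApplyOptions{FieldManager: "library-go", Force: true})
		reportUpdateEvent(recorder, existingCopy, err)
		// … unchanged: nil-error return and immutable-field fall-through …
```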
@@ -324,7 +324,7 @@ github.com/openshift/client-go/operator/informers/externalversions/operator/v1
 github.com/openshift/client-go/operator/informers/externalversions/operator/v1alpha1
 github.com/openshift/client-go/operator/listers/operator/v1
 github.com/openshift/client-go/operator/listers/operator/v1alpha1
-# github.com/openshift/library-go v0.0.0-20240404133914-6b235e9156fa
+# github.com/openshift/library-go v0.0.0-20240404133914-6b235e9156fa => github.com/vrutkovs/library-go v0.0.0-20240410150628-bb03acf01a85
 ## explicit; go 1.21
 github.com/openshift/library-go/pkg/assets
 github.com/openshift/library-go/pkg/authorization/hardcodedauthorizer
@@ -1523,4 +1523,5 @@ sigs.k8s.io/structured-merge-diff/v4/value
 ## explicit; go 1.12
 sigs.k8s.io/yaml
 # github.com/gogo/protobuf => github.com/gogo/protobuf v1.3.2
+# github.com/openshift/library-go => github.com/vrutkovs/library-go v0.0.0-20240410150628-bb03acf01a85
 # vbom.ml/util => github.com/fvbommel/util v0.0.0-20180919145318-efcd4e0f9787