Remove secrets encryption controller (k3s-io#10612)

* Remove secrets encryption controller Signed-off-by: Derek Nola <derek.nola@suse.com>
dereknola · Sep 3, 2024 · bf8fa1a · bf8fa1a
1 parent 34be6d9
commit bf8fa1a
Show file tree

Hide file tree

Showing 5 changed files with 136 additions and 297 deletions.
diff --git a/pkg/daemons/config/types.go b/pkg/daemons/config/types.go
@@ -227,8 +227,6 @@ type Control struct {
  ClusterInit bool
  ClusterReset bool
  ClusterResetRestorePath string
- EncryptForce bool
- EncryptSkip bool
  MinTLSVersion string
  CipherSuites []string
  TLSMinVersion uint16 `json:"-"`

diff --git a/pkg/daemons/control/server.go b/pkg/daemons/control/server.go
@@ -14,7 +14,6 @@ import (
  "github.com/k3s-io/k3s/pkg/daemons/config"
  "github.com/k3s-io/k3s/pkg/daemons/control/deps"
  "github.com/k3s-io/k3s/pkg/daemons/executor"
- "github.com/k3s-io/k3s/pkg/secretsencrypt"
  "github.com/k3s-io/k3s/pkg/util"
  "github.com/k3s-io/k3s/pkg/version"
  "github.com/pkg/errors"
@@ -61,18 +60,6 @@ func Server(ctx context.Context, cfg *config.Control) error {
  if err := apiServer(ctx, cfg); err != nil {
  return err
  }
- if cfg.EncryptSecrets {
- controllerName := "reencrypt-secrets"
- cfg.Runtime.ClusterControllerStarts[controllerName] = func(ctx context.Context) {
- // cfg.Runtime.Core is populated before this callback is triggered
- if err := secretsencrypt.Register(ctx,
- controllerName,
- cfg,
- cfg.Runtime.Core.Core().V1().Node()); err != nil {
- logrus.Errorf("Failed to register %s controller: %v", controllerName, err)
- }
- }
- }
  }
 
  // Wait for an apiserver to become available before starting additional controllers,

diff --git a/pkg/secretsencrypt/config.go b/pkg/secretsencrypt/config.go
@@ -27,13 +27,19 @@ import (
 )
 
 const (
- EncryptionStart string = "start"
- EncryptionPrepare string = "prepare"
- EncryptionRotate string = "rotate"
- EncryptionRotateKeys string = "rotate_keys"
- EncryptionReencryptRequest string = "reencrypt_request"
- EncryptionReencryptActive string = "reencrypt_active"
- EncryptionReencryptFinished string = "reencrypt_finished"
+ EncryptionStart string = "start"
+ EncryptionPrepare string = "prepare"
+ EncryptionRotate string = "rotate"
+ EncryptionRotateKeys string = "rotate_keys"
+ EncryptionReencryptRequest string = "reencrypt_request"
+ EncryptionReencryptActive string = "reencrypt_active"
+ EncryptionReencryptFinished string = "reencrypt_finished"
+ SecretListPageSize int64 = 20
+ SecretQPS float32 = 200
+ SecretBurst int = 200
+ SecretsUpdateErrorEvent string = "SecretsUpdateError"
+ SecretsProgressEvent string = "SecretsProgress"
+ SecretsUpdateCompleteEvent string = "SecretsUpdateComplete"
 )
 
 var EncryptionHashAnnotation = version.Program + ".io/encryption-config-hash"
@@ -178,7 +184,9 @@ func BootstrapEncryptionHashAnnotation(node *corev1.Node, runtime *config.Contro
  return nil
 }
 
-func WriteEncryptionHashAnnotation(runtime *config.ControlRuntime, node *corev1.Node, stage string) error {
+// WriteEncryptionHashAnnotation writes the encryption hash to the node annotation and optionally to a file.
+// The file is used to track the last stage of the reencryption process.
+func WriteEncryptionHashAnnotation(runtime *config.ControlRuntime, node *corev1.Node, skipFile bool, stage string) error {
  encryptionConfigHash, err := GenEncryptionConfigHash(runtime)
  if err != nil {
  return err
@@ -192,6 +200,9 @@ func WriteEncryptionHashAnnotation(runtime *config.ControlRuntime, node *corev1.
  return err
  }
  logrus.Debugf("encryption hash annotation set successfully on node: %s\n", node.ObjectMeta.Name)
+ if skipFile {
+ return nil
+ }
  return os.WriteFile(runtime.EncryptionHash, []byte(ann), 0600)
 }
 

diff --git a/pkg/secretsencrypt/controller.go b/pkg/secretsencrypt/controller.go