feat(k8s): set secret immutable by default for 1.21

Fixes #1090 Signed-off-by: Furkan <furkan.turkal@trendyol.com> Co-authored-by: Batuhan <batuhan.apaydin@trendyol.com> Co-authored-by: Erkan <erkan.zileli@trendyol.com> Signed-off-by: Furkan <furkan.turkal@trendyol.com>
sigstore · Nov 22, 2021 · ad93a8d · ad93a8d
1 parent aff2e37
commit ad93a8d
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 10 deletions.
diff --git a/pkg/cosign/kubernetes/client.go b/pkg/cosign/kubernetes/client.go
@@ -19,6 +19,7 @@ import (
 
 	"k8s.io/client-go/kubernetes"
 
+	utilversion "k8s.io/apimachinery/pkg/util/version"
 	// Initialize all known client auth plugins
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 	"k8s.io/client-go/rest"
@@ -57,3 +58,16 @@ func Client() (kubernetes.Interface, error) {
 	}
 	return kubernetes.NewForConfig(config)
 }
+
+func CheckImmutableSecretSupported(client kubernetes.Interface) (bool, error) {
+	k8sVer, err := client.Discovery().ServerVersion()
+	if err != nil {
+		return false, err
+	}
+	semVer, err := utilversion.ParseSemantic(k8sVer.String())
+	if err != nil {
+		return false, err
+	}
+	// https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable
+	return semVer.Major() >= 1 && semVer.Minor() >= 21, nil
+}
diff --git a/pkg/cosign/kubernetes/secret.go b/pkg/cosign/kubernetes/secret.go
@@ -20,6 +20,8 @@ import (
 	"os"
 	"strings"
 
+	"k8s.io/utils/pointer"
+
 	"github.com/pkg/errors"
 	v1 "k8s.io/api/core/v1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
@@ -67,18 +69,22 @@ func KeyPairSecret(ctx context.Context, k8sRef string, pf cosign.PassFunc) error
 	if err != nil {
 		return errors.Wrap(err, "new for config")
 	}
+	immutable, err := CheckImmutableSecretSupported(client)
+	if err != nil {
+		return errors.Wrap(err, "check immutable")
+	}
 	var s *v1.Secret
 	if s, err = client.CoreV1().Secrets(namespace).Get(ctx, name, metav1.GetOptions{}); err != nil {
 		if k8serrors.IsNotFound(err) {
-			s, err = client.CoreV1().Secrets(namespace).Create(ctx, secret(keys, namespace, name, nil), metav1.CreateOptions{})
+			s, err = client.CoreV1().Secrets(namespace).Create(ctx, secret(keys, namespace, name, nil, immutable), metav1.CreateOptions{})
 			if err != nil {
 				return errors.Wrapf(err, "creating secret %s in ns %s", name, namespace)
 			}
 		} else {
 			return errors.Wrap(err, "checking if secret exists")
 		}
 	} else { // Update the existing secret
-		s, err = client.CoreV1().Secrets(namespace).Update(ctx, secret(keys, namespace, name, s.Data), metav1.UpdateOptions{})
+		s, err = client.CoreV1().Secrets(namespace).Update(ctx, secret(keys, namespace, name, s.Data, immutable), metav1.UpdateOptions{})
 		if err != nil {
 			return errors.Wrapf(err, "updating secret %s in ns %s", name, namespace)
 		}
@@ -96,20 +102,31 @@ func KeyPairSecret(ctx context.Context, k8sRef string, pf cosign.PassFunc) error
 // * cosign.key
 // * cosign.pub
 // * cosign.password
-func secret(keys *cosign.Keys, namespace, name string, data map[string][]byte) *v1.Secret {
+func secret(keys *cosign.Keys, namespace, name string, data map[string][]byte, immutable bool) *v1.Secret {
 	if data == nil {
 		data = map[string][]byte{}
 	}
 	data["cosign.key"] = keys.PrivateBytes
 	data["cosign.pub"] = keys.PublicBytes
 	data["cosign.password"] = keys.Password()
 
+	obj := metav1.ObjectMeta{
+		Name:      name,
+		Namespace: namespace,
+	}
+
+	// For Kubernetes >= 1.21, set Immutable by default
+	if immutable {
+		return &v1.Secret{
+			ObjectMeta: obj,
+			Data:       data,
+			Immutable:  pointer.Bool(true),
+		}
+	}
+
 	return &v1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      name,
-			Namespace: namespace,
-		},
-		Data: data,
+		ObjectMeta: obj,
+		Data:       data,
 	}
 }
 

diff --git a/pkg/cosign/kubernetes/secret_test.go b/pkg/cosign/kubernetes/secret_test.go
@@ -18,6 +18,8 @@ import (
 	"reflect"
 	"testing"
 
+	"k8s.io/utils/pointer"
+
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
@@ -41,8 +43,9 @@ func TestSecret(t *testing.T) {
 			"cosign.pub":      []byte("public"),
 			"cosign.password": nil,
 		},
+		Immutable: pointer.Bool(true),
 	}
-	actual := secret(keys, namespace, name, nil)
+	actual := secret(keys, namespace, name, nil, true)
 	if !reflect.DeepEqual(actual, expect) {
 		t.Errorf("secret: %v, want %v", expect, actual)
 	}
@@ -73,7 +76,7 @@ func TestSecretUpdate(t *testing.T) {
 			"cosign.password": nil,
 		},
 	}
-	actual := secret(keys, namespace, name, existing)
+	actual := secret(keys, namespace, name, existing, false)
 	if !reflect.DeepEqual(actual, expect) {
 		t.Errorf("secret: %v, want %v", expect, actual)
 	}