
Commit 1aa53ec

committed
fix: wggateway enforce labels on referenced secret
1 parent 19725db commit 1aa53ec


3 files changed

+35
-12
lines changed


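--- a/pkg/liqo-controller-manager/networking/external-network/wireguard/utils.go
+++ b/pkg/liqo-controller-manager/networking/external-network/wireguard/utils.go
@@ -23,6 +23,7 @@ import (
 	rbacv1 "k8s.io/api/rbac/v1"
 	kerrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/types"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/klog/v2"
@@ -170,22 +171,44 @@ func ensureKeysSecret(ctx context.Context, cl client.Client, wgObj metav1.Object
 		}
 	}
 
-func checkExistingKeysSecret(ctx context.Context, cl client.Client, secretName, namespace string) error {
+func checkExistingKeysSecret(ctx context.Context, cl client.Client, secretName, namespace string, wgObj metav1.Object) error {
 	var s corev1.Secret
 	if err := cl.Get(ctx, types.NamespacedName{Name: secretName, Namespace: namespace}, &s); err != nil {
 		return err
 	}
 
-	// check labels
-	if s.Labels == nil {
-		return fmt.Errorf("mandatory labels %q: \"true\" and %q are missing in secret %q", consts.GatewayResourceLabel, consts.RemoteClusterID, secretName)
+	// Check needed data fields are present
+	if s.Data == nil {
+		return fmt.Errorf("mandatory data %q and %q are missing in secret %q", consts.PrivateKeyField, consts.PublicKeyField, secretName)
+	}
+	if _, ok := s.Data[consts.PrivateKeyField]; !ok {
+		return fmt.Errorf("missing %q data in secret %q", consts.PrivateKeyField, secretName)
+	}
+	if _, ok := s.Data[consts.PublicKeyField]; !ok {
+		return fmt.Errorf("missing %q data in secret %q", consts.PublicKeyField, secretName)
 	}
 
-	if s.Labels[consts.GatewayResourceLabel] != consts.GatewayResourceLabelValue {
-		return fmt.Errorf("missing %q: \"true\" label in secret %q", consts.GatewayResourceLabel, secretName)
+	// Check remote cluster ID label match the parent wireguard object
+	remoteClusterID, exists := wgObj.GetLabels()[consts.RemoteClusterID]
+	if !exists || remoteClusterID == "" {
+		return fmt.Errorf("missing %q label in WireGuard gateway %q", consts.RemoteClusterID, wgObj.GetName())
 	}
-	if v, ok := s.Labels[consts.RemoteClusterID]; !ok || v == "" {
-		return fmt.Errorf("missing %q label in secret %q", consts.RemoteClusterID, secretName)
+	if s.Labels != nil {
+		if v, ok := s.Labels[consts.RemoteClusterID]; ok && v != remoteClusterID {
+			return fmt.Errorf("label %q in secret %q does not match the one in WireGuard gateway %q", consts.RemoteClusterID, secretName, wgObj.GetName())
+		}
+	}
+
+	// Enforce correct labels on the secret if not present
+	if s.Labels == nil || s.Labels[consts.RemoteClusterID] == "" || s.Labels[consts.GatewayResourceLabel] != consts.GatewayResourceLabelValue {
+		s.SetLabels(labels.Merge(s.GetLabels(), map[string]string{
+			consts.RemoteClusterID:      remoteClusterID,
+			consts.GatewayResourceLabel: consts.GatewayResourceLabelValue,
+		}))
+		if err := cl.Update(ctx, &s); err != nil {
+			return fmt.Errorf("unable to update labels in secret %q: %w", secretName, err)
+		}
+		klog.Infof("Enforced correct gateway labels in secret %q", secretName)
 	}
 
 	return nil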
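Review bot: The data checks at the top of the second hunk only test key presence, so a secret whose private or public key entry is an empty byte slice passes and the gateway proceeds with unusable key material; change them to `if v, ok := s.Data[consts.PrivateKeyField]; !ok || len(v) == 0 {` and likewise for `consts.PublicKeyField` (this also makes the preceding `s.Data == nil` guard unnecessary, since indexing a nil map yields the zero value, as does the `s.Labels == nil ||` term in the enforcement condition further down). Separately, the function now writes to the referenced secret instead of only validating it, which presumably makes that secret visible to anything elsewhere in the project that selects on `consts.GatewayResourceLabel`; a doc comment such as `// checkExistingKeysSecret verifies that the referenced secret holds both WireGuard keys and adopts it by setting the gateway labels when they are missing; it fails if the secret is already labeled for a different remote cluster.` would make the mutation explicit to callers. The closing brace of checkExistingKeysSecret lies outside the hunk.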

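--- a/pkg/liqo-controller-manager/networking/external-network/wireguard/wggatewayclient_controller.go
+++ b/pkg/liqo-controller-manager/networking/external-network/wireguard/wggatewayclient_controller.go
@@ -171,8 +171,8 @@ func (r *WgGatewayClientReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 		}
 		r.eventRecorder.Event(wgClient, corev1.EventTypeNormal, "KeysSecretEnforced", "Enforced keys secret")
 	} else {
-		// Check that the secret exists and is correctly labeled
-		if err = checkExistingKeysSecret(ctx, r.Client, wgClient.Spec.SecretRef.Name, wgClient.Namespace); err != nil {
+		// Check that the secret exists and ensure is correctly labeled
+		if err = checkExistingKeysSecret(ctx, r.Client, wgClient.Spec.SecretRef.Name, wgClient.Namespace, wgClient.GetObjectMeta()); err != nil {
 			r.eventRecorder.Event(wgClient, corev1.EventTypeWarning, "KeysSecretCheckFailed", fmt.Sprintf("Failed to check keys secret: %s", err))
 			return ctrl.Result{}, err
 		}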
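Review bot: The warning event on the line after the changed call still reads `Failed to check keys secret`, but checkExistingKeysSecret now also updates the secret's labels, so a failed `Update` is reported under `KeysSecretCheckFailed` with a message that hides that a write was attempted; consider `fmt.Sprintf("Failed to check or enforce keys secret labels: %s", err)`. The new comment reads better as `// Check that the secret exists and ensure it is correctly labeled`. The same two points apply to the server reconciler hunk in wggatewayserver_controller.go; Reconcile starts and ends outside both hunks.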

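--- a/pkg/liqo-controller-manager/networking/external-network/wireguard/wggatewayserver_controller.go
+++ b/pkg/liqo-controller-manager/networking/external-network/wireguard/wggatewayserver_controller.go
@@ -180,8 +180,8 @@ func (r *WgGatewayServerReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 		}
 		r.eventRecorder.Event(wgServer, corev1.EventTypeNormal, "KeysSecretEnforced", "Enforced keys secret")
 	} else {
-		// Check that the secret exists and is correctly labeled
-		if err = checkExistingKeysSecret(ctx, r.Client, wgServer.Spec.SecretRef.Name, wgServer.Namespace); err != nil {
+		// Check that the secret exists and ensure is correctly labeled
+		if err = checkExistingKeysSecret(ctx, r.Client, wgServer.Spec.SecretRef.Name, wgServer.Namespace, wgServer.GetObjectMeta()); err != nil {
 			r.eventRecorder.Event(wgServer, corev1.EventTypeWarning, "KeysSecretCheckFailed", fmt.Sprintf("Failed to check keys secret: %s", err))
 			return ctrl.Result{}, err
 		}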
