mirror of https://github.com/rancher/rke.git synced 2025-08-19 15:27:35 +00:00

Restart api/rewrite secrets on config change

Alena Prokharchyk 2019-11-04 11:34:49 -08:00
parent 5eaf28372b
commit 6bc2e1e8f8


@ -41,7 +41,6 @@ type keyList struct {
} }
func ReconcileEncryptionProviderConfig(ctx context.Context, kubeCluster, currentCluster *Cluster) error { func ReconcileEncryptionProviderConfig(ctx context.Context, kubeCluster, currentCluster *Cluster) error {
log.Infof(ctx, "[%s] Reconciling cluster's encryption provider configuration..", services.ControlRole)
if len(kubeCluster.ControlPlaneHosts) == 0 { if len(kubeCluster.ControlPlaneHosts) == 0 {
return nil return nil
} }
@ -49,16 +48,31 @@ func ReconcileEncryptionProviderConfig(ctx context.Context, kubeCluster, current
if (currentCluster == nil || !currentCluster.IsEncryptionEnabled()) && if (currentCluster == nil || !currentCluster.IsEncryptionEnabled()) &&
kubeCluster.IsEncryptionEnabled() { kubeCluster.IsEncryptionEnabled() {
kubeCluster.EncryptionConfig.RewriteSecrets = true kubeCluster.EncryptionConfig.RewriteSecrets = true
logrus.Debugf("Encryption is enabled in the new spec; have to rewrite secrets")
return nil return nil
} }
// encryption is disabled // encryption is disabled
if !kubeCluster.IsEncryptionEnabled() && !currentCluster.IsEncryptionEnabled() { if !kubeCluster.IsEncryptionEnabled() && !currentCluster.IsEncryptionEnabled() {
logrus.Debugf("Encryption is disabled in both current and new spec; no action is required")
return nil return nil
} }
// disable encryption // disable encryption
if !kubeCluster.IsEncryptionEnabled() && currentCluster.IsEncryptionEnabled() { if !kubeCluster.IsEncryptionEnabled() && currentCluster.IsEncryptionEnabled() {
logrus.Debugf("Encryption is enabled in the current spec and disabled in the new spec")
return kubeCluster.DisableSecretsEncryption(ctx, currentCluster, currentCluster.IsEncryptionCustomConfig()) return kubeCluster.DisableSecretsEncryption(ctx, currentCluster, currentCluster.IsEncryptionCustomConfig())
} }
// encryption configuration updated
if kubeCluster.IsEncryptionEnabled() && currentCluster.IsEncryptionEnabled() &&
kubeCluster.EncryptionConfig.EncryptionProviderFile != currentCluster.EncryptionConfig.EncryptionProviderFile {
kubeCluster.EncryptionConfig.RewriteSecrets = true
log.Infof(ctx, "[%s] Encryption provider config has changed;"+
" reconciling cluster's encryption provider configuration", services.ControlRole)
return services.RestartKubeAPIWithHealthcheck(ctx, kubeCluster.ControlPlaneHosts,
kubeCluster.LocalConnDialerFactory, kubeCluster.Certificates)
}
return nil return nil
} }
@ -95,7 +109,7 @@ func (c *Cluster) DisableSecretsEncryption(ctx context.Context, currentCluster *
if err := c.DeployEncryptionProviderFile(ctx); err != nil { if err := c.DeployEncryptionProviderFile(ctx); err != nil {
return err return err
} }
log.Infof(ctx, "[%s] Secrets Encryption disabled successfully", services.ControlRole) log.Infof(ctx, "[%s] Secrets Encryption is disabled successfully", services.ControlRole)
return nil return nil
} }
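Review bot: The added `// encryption configuration updated` branch in ReconcileEncryptionProviderConfig treats any byte difference between the two `EncryptionProviderFile` strings as a key change, and nothing visible in this section checks that the new provider list can still read secrets written under the current one. If the new file drops the old key instead of keeping it as a secondary entry, the kube-apiserver restart would presumably leave existing secrets undecryptable before the rewrite requested by `RewriteSecrets = true` can run, so a validation step, or at least a comment stating that requirement, belongs here. Unlike DisableSecretsEncryption, this branch shows no `DeployEncryptionProviderFile` call before `RestartKubeAPIWithHealthcheck`; if the file is written by a step outside this diff, say so, e.g. `// new provider file is already on the control plane hosts (deployed by <step name>); the restart only makes kube-apiserver reload it`. The three new `logrus.Debugf` calls also bypass the `log.Infof(ctx, ...)` wrapper used on the neighbouring lines and do not receive `ctx`.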