secretsrotation

package
v1.74.1
Published: Jun 30, 2023 License: Apache-2.0, BSD-2-Clause, MIT, + 1 more Imports: 19 Imported by: 0

Documentation

Constants

const (
	// AnnotationKeyNewEncryptionKeyPopulated is an annotation indicating that the new ETCD encryption key was populated
	AnnotationKeyNewEncryptionKeyPopulated = "credentials.gardener.cloud/new-encryption-key-populated"

	// AnnotationKeyEtcdSnapshotted is an annotation indicating that ETCD snapshot was completed
	AnnotationKeyEtcdSnapshotted = "credentials.gardener.cloud/etcd-snapshotted"
)

Variables

This section is empty.

Functions

func CreateNewServiceAccountSecrets

func CreateNewServiceAccountSecrets(ctx context.Context, log logr.Logger, c client.Client, secretsManager secretsmanager.Interface) error

CreateNewServiceAccountSecrets creates new secrets for all service accounts in the target cluster. This should only be executed in the 'Preparing' phase of the service account signing key rotation operation.

func DeleteOldServiceAccountSecrets

func DeleteOldServiceAccountSecrets(ctx context.Context, log logr.Logger, c client.Client, serviceAccountLastInitiationFinishedTime time.Time) error

DeleteOldServiceAccountSecrets deletes old secrets for all service accounts in the target cluster. This should only be executed in the 'Completing' phase of the service account signing key rotation operation.

func PatchKubeAPIServerDeploymentMeta

func PatchKubeAPIServerDeploymentMeta(ctx context.Context, c client.Client, namespace, namePrefix string, mutate func(deployment *metav1.PartialObjectMetadata)) error

PatchKubeAPIServerDeploymentMeta patches metadata of a Kubernetes API-Server deployment

func RewriteEncryptedDataAddLabel added in v1.73.0

func RewriteEncryptedDataAddLabel(
	ctx context.Context,
	log logr.Logger,
	c client.Client,
	secretsManager secretsmanager.Interface,
	gvks ...schema.GroupVersionKind,
) error

RewriteEncryptedDataAddLabel patches all encrypted data in all namespaces of the target cluster and adds a label whose value is the name of the current ETCD encryption key secret. This function is useful for the ETCD encryption key secret rotation, which requires all encrypted data to be rewritten to ETCD so that it becomes encrypted with the new key. After the rewrite is done, it snapshots ETCD so that a backup can be restored in case the cluster is lost before the next incremental snapshot has been taken.

func RewriteEncryptedDataRemoveLabel added in v1.73.0

func RewriteEncryptedDataRemoveLabel(
	ctx context.Context,
	log logr.Logger,
	runtimeClient client.Client,
	targetClient client.Client,
	kubeAPIServerNamespace string,
	namePrefix string,
	gvks ...schema.GroupVersionKind,
) error

RewriteEncryptedDataRemoveLabel patches all encrypted data in all namespaces of the target cluster and removes the label whose value is the name of the current ETCD encryption key secret. This function is useful for the ETCD encryption key secret rotation, which requires all encrypted data to be rewritten to ETCD so that it becomes encrypted with the new key.

func SnapshotETCDAfterRewritingEncryptedData added in v1.73.0

func SnapshotETCDAfterRewritingEncryptedData(
	ctx context.Context,
	runtimeClient client.Client,
	snapshotEtcd func(ctx context.Context) error,
	kubeAPIServerNamespace string,
	namePrefix string,
) error

SnapshotETCDAfterRewritingEncryptedData performs a full snapshot of ETCD after the encrypted data (such as secrets) has been rewritten as part of the ETCD encryption key secret rotation. Once the snapshot has succeeded, it adds an annotation to the kube-apiserver deployment so that later runs do not take another snapshot.
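The sequence that RewriteEncryptedDataAddLabel and SnapshotETCDAfterRewritingEncryptedData describe (write every encrypted object back so the API server re-encrypts it under the current key, then snapshot ETCD exactly once), as an added example that is not gardener's code: it models the API server with an in-memory store instead of a controller-runtime client, and the label key `labelEncryptionKey` is a hypothetical stand-in because the real label name is not shown on this page.

```go
package main

import "fmt"

const AnnotationKeyEtcdSnapshotted = "credentials.gardener.cloud/etcd-snapshotted" // copied from the package
const labelEncryptionKey = "example.invalid/etcd-encryption-key"                     // hypothetical stand-in
// Object is a constructed stand-in for an encrypted resource such as a Secret.
type Object struct {
	Namespace, Name string
	Labels          map[string]string // assumed non-nil in this simplified model
	EncryptedWith   string            // key secret name etcd currently holds it under
}

// Store simulates the kube-apiserver: any write re-encrypts with CurrentKey; Annotations stands in for the kube-apiserver deployment metadata.
type Store struct {
	CurrentKey  string
	Objects     []*Object
	Annotations map[string]string
}

// rewriteEncryptedData writes back every object, labelled with the current key name, so a retried run skips objects already rewritten.
func rewriteEncryptedData(s *Store) int {
	rewritten := 0
	for _, o := range s.Objects {
		if o.Labels[labelEncryptionKey] == s.CurrentKey {
			continue // already rewritten under this key
		}
		o.Labels[labelEncryptionKey] = s.CurrentKey
		o.EncryptedWith = s.CurrentKey // the write itself re-encrypts the data
		rewritten++
	}
	return rewritten
}

// snapshotAfterRewrite refuses to snapshot while anything still carries the old key and, via the annotation, runs the snapshot at most once.
func snapshotAfterRewrite(s *Store, snapshot func() error) error {
	if s.Annotations[AnnotationKeyEtcdSnapshotted] == "true" {
		return nil // already snapshotted after an earlier successful run
	}
	for _, o := range s.Objects {
		if o.EncryptedWith != s.CurrentKey {
			return fmt.Errorf("%s/%s still encrypted with %q", o.Namespace, o.Name, o.EncryptedWith)
		}
	}
	if err := snapshot(); err != nil {
		return err // annotation stays unset, so the next run retries
	}
	s.Annotations[AnnotationKeyEtcdSnapshotted] = "true"
	return nil
}
```

The label makes the rewrite resumable after an interruption, and the annotation is only written after a successful snapshot, so a failed snapshot is retried rather than silently skipped.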

Types

This section is empty.
