From e1e35d4522c208541871f88a7aa22b493600a0c8 Mon Sep 17 00:00:00 2001 From: Sean McGinnis Date: Thu, 8 Dec 2022 21:02:13 +0000 Subject: [PATCH] migrations: Add migration for kubelet private key path This adds a migration to update the `kubelet-server.key` file location used for Kubernetes PKI. This was moved from the common location with the public key to a separate private location so users would still be able to read the public key if needed. Signed-off-by: Sean McGinnis --- Release.toml | 4 +- sources/Cargo.lock | 8 ++ sources/Cargo.toml | 3 +- .../v1.12.0/k8s-private-pki-path/Cargo.toml | 13 +++ .../v1.12.0/k8s-private-pki-path/src/main.rs | 81 +++++++++++++++++++ 5 files changed, 107 insertions(+), 2 deletions(-) create mode 100644 sources/api/migration/migrations/v1.12.0/k8s-private-pki-path/Cargo.toml create mode 100644 sources/api/migration/migrations/v1.12.0/k8s-private-pki-path/src/main.rs diff --git a/Release.toml b/Release.toml index 53f5f45b4d2..463841b6f75 100644 --- a/Release.toml +++ b/Release.toml @@ -171,4 +171,6 @@ version = "1.12.0" "migrate_v1.11.0_public-control-container-v0-6-4.lz4", ] "(1.11.0, 1.11.1)" = [] -"(1.11.1, 1.12.0)" = [] +"(1.11.1, 1.12.0)" = [ + "migrate_v1.12.0_k8s-private-pki-path.lz4", +] diff --git a/sources/Cargo.lock b/sources/Cargo.lock index 5a3d559718f..db993f6d0cf 100644 --- a/sources/Cargo.lock +++ b/sources/Cargo.lock @@ -1972,6 +1972,14 @@ dependencies = [ "wasm-bindgen", ] +[[package]] +name = "k8s-private-pki-path" +version = "0.1.0" +dependencies = [ + "migration-helpers", + "serde_json", +] + [[package]] name = "language-tags" version = "0.3.2" diff --git a/sources/Cargo.toml b/sources/Cargo.toml index b479dc273ac..c3d70773fc6 100644 --- a/sources/Cargo.toml +++ b/sources/Cargo.toml @@ -25,7 +25,8 @@ members = [ "api/prairiedog", # "api/migration/migrations/vX.Y.Z/..." - # (all migrations currently archived; replace this line with new ones) + # (all previous migrations archived; add new ones after this line) + "api/migration/migrations/v1.12.0/k8s-private-pki-path", "bottlerocket-release", diff --git a/sources/api/migration/migrations/v1.12.0/k8s-private-pki-path/Cargo.toml b/sources/api/migration/migrations/v1.12.0/k8s-private-pki-path/Cargo.toml new file mode 100644 index 00000000000..7148c291242 --- /dev/null +++ b/sources/api/migration/migrations/v1.12.0/k8s-private-pki-path/Cargo.toml @@ -0,0 +1,13 @@ +[package] +name = "k8s-private-pki-path" +version = "0.1.0" +authors = ["Sean McGinnis "] +license = "Apache-2.0 OR MIT" +edition = "2018" +publish = false +# Don't rebuild crate just because of changes to README. +exclude = ["README.md"] + +[dependencies] +migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} +serde_json = "1.0" diff --git a/sources/api/migration/migrations/v1.12.0/k8s-private-pki-path/src/main.rs b/sources/api/migration/migrations/v1.12.0/k8s-private-pki-path/src/main.rs new file mode 100644 index 00000000000..6c9cc80c193 --- /dev/null +++ b/sources/api/migration/migrations/v1.12.0/k8s-private-pki-path/src/main.rs @@ -0,0 +1,81 @@ +#![deny(rust_2018_idioms)] + +use migration_helpers::{migrate, Migration, MigrationData, Result}; +use std::process; + +const SETTING: &'static str = "configuration-files.kubelet-server-key.path"; +const OLD_VALUE: &'static str = "/etc/kubernetes/pki/kubelet-server.key"; +const NEW_VALUE: &'static str = "/etc/kubernetes/pki/private/kubelet-server.key"; + +/// We moved the render output location for the kubelet PKI private key to be in a restricted +/// subdirectory. We need to update this output path in the stored configuration so updated nodes +/// pick up the change. +fn run() -> Result<()> { + migrate(KubeletServerKey {}) +} + +pub struct KubeletServerKey {} + +impl KubeletServerKey { + fn migrate(&mut self, mut input: MigrationData, action: &'static str) -> Result { + let old_value; + let new_value; + if action == "upgrade" { + old_value = OLD_VALUE; + new_value = NEW_VALUE; + } else { + // Downgrade: everything old is new again + old_value = NEW_VALUE; + new_value = OLD_VALUE; + } + + if let Some(data) = input.data.get_mut(SETTING) { + match data { + serde_json::Value::String(current_value) => { + if current_value == old_value { + *data = new_value.into(); + println!( + "Changed '{}' from {:?} to {:?} on {}", + SETTING, old_value, new_value, action + ); + } else { + println!( + "'{}' is already set to {:?}, leaving alone", + SETTING, new_value + ); + } + } + _ => { + println!( + "'{}' is set to non-string value '{}'; KubeletServerKey only handles strings", + SETTING, data + ); + } + } + } else { + println!("Found no setting '{}'", SETTING); + } + + Ok(input) + } +} + +impl Migration for KubeletServerKey { + fn forward(&mut self, input: MigrationData) -> Result { + self.migrate(input, "upgrade") + } + + fn backward(&mut self, input: MigrationData) -> Result { + self.migrate(input, "downgrade") + } +} + +// Returning a Result from main makes it print a Debug representation of the error, but with Snafu +// we have nice Display representations of the error, so we wrap "main" (run) and print any error. +// https://github.com/shepmaster/snafu/issues/110 +fn main() { + if let Err(e) = run() { + eprintln!("{}", e); + process::exit(1); + } +}