3 changes: 2 additions & 1 deletion docs/advanced/peering/peering-via-cr.md
Expand Up @@ -121,6 +121,7 @@ kind: Secret
metadata:
labels:
liqo.io/remote-cluster-id: <REMOTE_CLUSTER_ID>
networking.liqo.io/gateway-resource: "true"
name: gw-keys
namespace: <TENANT_NAMESPACE>
type: Opaque
Expand All @@ -146,7 +147,7 @@ spec:
publicKey: <REMOTE_WIREGUARD_PUBLIC_KEY>
```

In order to make things work, make sure that the PublicKey resource has the labels:
In order to make things work, make sure that both the Secret and PublicKey resources have the labels:

```yaml
liqo.io/remote-cluster-id: <HERE_THE_CLUSTER_ID_OF_PEER_CLUSTER>
Expand Up @@ -23,6 +23,7 @@ import (
rbacv1 "k8s.io/api/rbac/v1"
kerrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/apimachinery/pkg/types"
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
"k8s.io/klog/v2"
Expand Down Expand Up @@ -170,22 +171,44 @@ func ensureKeysSecret(ctx context.Context, cl client.Client, wgObj metav1.Object
}
}

func checkExistingKeysSecret(ctx context.Context, cl client.Client, secretName, namespace string) error {
func checkExistingKeysSecret(ctx context.Context, cl client.Client, secretName, namespace string, wgObj metav1.Object) error {
var s corev1.Secret
if err := cl.Get(ctx, types.NamespacedName{Name: secretName, Namespace: namespace}, &s); err != nil {
return err
}

// check labels
if s.Labels == nil {
return fmt.Errorf("mandatory labels %q: \"true\" and %q are missing in secret %q", consts.GatewayResourceLabel, consts.RemoteClusterID, secretName)
// Check needed data fields are present
if s.Data == nil {
return fmt.Errorf("mandatory data %q and %q are missing in secret %q", consts.PrivateKeyField, consts.PublicKeyField, secretName)
}
if _, ok := s.Data[consts.PrivateKeyField]; !ok {
return fmt.Errorf("missing %q data in secret %q", consts.PrivateKeyField, secretName)
}
if _, ok := s.Data[consts.PublicKeyField]; !ok {
return fmt.Errorf("missing %q data in secret %q", consts.PublicKeyField, secretName)
}

if s.Labels[consts.GatewayResourceLabel] != consts.GatewayResourceLabelValue {
return fmt.Errorf("missing %q: \"true\" label in secret %q", consts.GatewayResourceLabel, secretName)
// Check remote cluster ID label match the parent wireguard object
remoteClusterID, exists := wgObj.GetLabels()[consts.RemoteClusterID]
if !exists || remoteClusterID == "" {
return fmt.Errorf("missing %q label in WireGuard gateway %q", consts.RemoteClusterID, wgObj.GetName())
}
if v, ok := s.Labels[consts.RemoteClusterID]; !ok || v == "" {
return fmt.Errorf("missing %q label in secret %q", consts.RemoteClusterID, secretName)
if s.Labels != nil {
if v, ok := s.Labels[consts.RemoteClusterID]; ok && v != remoteClusterID {
return fmt.Errorf("label %q in secret %q does not match the one in WireGuard gateway %q", consts.RemoteClusterID, secretName, wgObj.GetName())
}
}

// Enforce correct labels on the secret if not present
if s.Labels == nil || s.Labels[consts.RemoteClusterID] == "" || s.Labels[consts.GatewayResourceLabel] != consts.GatewayResourceLabelValue {
s.SetLabels(labels.Merge(s.GetLabels(), map[string]string{
consts.RemoteClusterID: remoteClusterID,
consts.GatewayResourceLabel: consts.GatewayResourceLabelValue,
}))
if err := cl.Update(ctx, &s); err != nil {
return fmt.Errorf("unable to update labels in secret %q: %w", secretName, err)
}
klog.Infof("Enforced correct gateway labels in secret %q", secretName)
}

return nil
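Review bot: The key-material checks at `if _, ok := s.Data[consts.PrivateKeyField]; !ok` and the matching public-key line only test that the map key exists, so a Secret whose private- or public-key field is present but empty passes validation and is then presumably handed to the gateway as usable key material; check the value as well, `if v, ok := s.Data[consts.PrivateKeyField]; !ok || len(v) == 0 {` and likewise for `consts.PublicKeyField`. The preceding `s.Data == nil` guard then becomes redundant, because indexing a nil map yields `ok == false` and lands on the same error path. The enforcement branch at the end writes labels back to a user-provided Secret through `cl.Update`, which is a behavioural change for anyone managing that Secret externally; a short comment making the ownership rule explicit would help, e.g. `// The controller owns these two labels on user-provided secrets: missing labels are added, a conflicting remote-cluster-id is rejected above rather than overwritten.`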
Expand Up @@ -155,13 +155,6 @@ func (r *WgGatewayClientReconciler) Reconcile(ctx context.Context, req ctrl.Requ
r.eventRecorder.Event(wgClient, corev1.EventTypeNormal, "Reconciled", "WireGuard gateway client reconciled")
}()

if err := r.handleSecretRefStatus(ctx, wgClient); err != nil {
klog.Errorf("Error while handling secret ref status: %v", err)
r.eventRecorder.Event(wgClient, corev1.EventTypeWarning, "SecretRefStatusFailed",
fmt.Sprintf("Failed to handle secret ref status: %s", err))
return ctrl.Result{}, err
}

if err := r.handleInternalEndpointStatus(ctx, wgClient, deploy); err != nil {
klog.Errorf("Error while handling internal endpoint status: %v", err)
r.eventRecorder.Event(wgClient, corev1.EventTypeWarning, "InternalEndpointStatusFailed",
Expand All @@ -178,11 +171,19 @@ func (r *WgGatewayClientReconciler) Reconcile(ctx context.Context, req ctrl.Requ
}
r.eventRecorder.Event(wgClient, corev1.EventTypeNormal, "KeysSecretEnforced", "Enforced keys secret")
} else {
// Check if the secret exists and has the correct labels
if err = checkExistingKeysSecret(ctx, r.Client, wgClient.Spec.SecretRef.Name, wgClient.Namespace); err != nil {
// Check that the secret exists and ensure is correctly labeled
if err = checkExistingKeysSecret(ctx, r.Client, wgClient.Spec.SecretRef.Name, wgClient.Namespace, wgClient.GetObjectMeta()); err != nil {
r.eventRecorder.Event(wgClient, corev1.EventTypeWarning, "KeysSecretCheckFailed", fmt.Sprintf("Failed to check keys secret: %s", err))
return ctrl.Result{}, err
}
r.eventRecorder.Event(wgClient, corev1.EventTypeNormal, "KeysSecretChecked", "Checked keys secret")
}

if err := r.handleSecretRefStatus(ctx, wgClient); err != nil {
klog.Errorf("Error while handling secret ref status: %v", err)
r.eventRecorder.Event(wgClient, corev1.EventTypeWarning, "SecretRefStatusFailed",
fmt.Sprintf("Failed to handle secret ref status: %s", err))
return ctrl.Result{}, err
}

// Ensure deployment (create or update)
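Review bot: The `checkExistingKeysSecret` failure branch records a warning event but, unlike the neighbouring `handleInternalEndpointStatus` and `handleSecretRefStatus` branches, emits no `klog.Errorf` line, so the controller log shows nothing when a user-supplied secret is rejected for mismatched labels or missing key material; add `klog.Errorf("Error while checking keys secret: %v", err)` before the event. The server reconciler's matching branch in the next file section has the same gap. The new comment `// Check that the secret exists and ensure is correctly labeled` reads better as `ensure it is correctly labeled`. Reconcile begins and ends outside the hunk.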
Expand Up @@ -164,20 +164,14 @@ func (r *WgGatewayServerReconciler) Reconcile(ctx context.Context, req ctrl.Requ
return ctrl.Result{}, err
}

if err := r.handleSecretRefStatus(ctx, wgServer); err != nil {
klog.Errorf("Error while handling secret ref status: %v", err)
r.eventRecorder.Event(wgServer, corev1.EventTypeWarning, "SecretRefStatusFailed",
fmt.Sprintf("Failed to handle secret ref status: %s", err))
return ctrl.Result{}, err
}

if err := r.handleInternalEndpointStatus(ctx, wgServer, svcNsName, deploy); err != nil {
klog.Errorf("Error while handling internal endpoint status: %v", err)
r.eventRecorder.Event(wgServer, corev1.EventTypeWarning, "InternalEndpointStatusFailed",
fmt.Sprintf("Failed to handle internal endpoint status: %s", err))
return ctrl.Result{}, err
}

// If a secret has not been provided in the gateway specification, the controller is in charge of generating a secret with the Wireguard keys.
if wgServer.Spec.SecretRef.Name == "" {
// Ensure WireGuard keys secret (create or update)
if err = ensureKeysSecret(ctx, r.Client, wgServer, gateway.ModeServer); err != nil {
Expand All @@ -186,14 +180,21 @@ func (r *WgGatewayServerReconciler) Reconcile(ctx context.Context, req ctrl.Requ
}
r.eventRecorder.Event(wgServer, corev1.EventTypeNormal, "KeysSecretEnforced", "Enforced keys secret")
} else {
// Check that the secret exists and is correctly labeled
if err = checkExistingKeysSecret(ctx, r.Client, wgServer.Status.SecretRef.Name, wgServer.Namespace); err != nil {
// Check that the secret exists and ensure is correctly labeled
if err = checkExistingKeysSecret(ctx, r.Client, wgServer.Spec.SecretRef.Name, wgServer.Namespace, wgServer.GetObjectMeta()); err != nil {
r.eventRecorder.Event(wgServer, corev1.EventTypeWarning, "KeysSecretCheckFailed", fmt.Sprintf("Failed to check keys secret: %s", err))
return ctrl.Result{}, err
}
r.eventRecorder.Event(wgServer, corev1.EventTypeNormal, "KeysSecretChecked", "Checked keys secret")
}

if err := r.handleSecretRefStatus(ctx, wgServer); err != nil {
klog.Errorf("Error while handling secret ref status: %v", err)
r.eventRecorder.Event(wgServer, corev1.EventTypeWarning, "SecretRefStatusFailed",
fmt.Sprintf("Failed to handle secret ref status: %s", err))
return ctrl.Result{}, err
}

// Ensure deployment (create or update)
_, err = r.ensureDeployment(ctx, wgServer, deployNsName)
if err != nil {