Read secrets for client-onboarding-token-validation

[mrudraia1]

This PR reads the secrets instead of reading the secrets from the volume mounts.
whenever the new onboarding secrets are created, it takes more time to read the secrets from the volume mounts,
The user clicks the rotate onboarding keys, the kubernetes still uses the old public, private keys , the new keys are mounted later, So this PR will read the secrets directly from the kubernetes secrets.

[leelavg]

a suggestion, we are seeing this PR for third time, second time it's fine that you weren't able to recover GH (remember you can't create new a/c every-time though) but last time it's better if you can focus on rebasing properly.

yes, GH doesn't have any issue w/ closing & opening a new PR but for reviewers it's kinda hard to relook from the start.

[mrudraia1]

I have tested this PR, with the latest 4.18 build. I could see the keys getting exchanged when the rotate signing key is clicked in storageclient page.

[leelavg]

I have tested this PR, with the latest 4.18 build. I could see the keys getting exchanged when the rotate signing key is clicked in storageclient page.

• ack, only minor comments now. @nb-ohad possible for a final review?

[nb-ohad]

Why do we need a MatchEveryOwner here? Isn't StorageCluster the controller owner of the secret we want to watch?

[mrudraia1]

controller owner reference set to secrets, ack

[nb-ohad]

This comment was not addressed as tall! You are matching by controller ownership, it does not make sense to match every owner

[mrudraia1]

Owner reference were set during creation of secrets in on-boarding job, when the rotate signing key is clicked the re-consiliation is not happening, The onboarding-token needs to be created which is failing.

Any suggestion for this issue.

[nb-ohad]

If there is a controller owner ref on the secret and then someone deletes that secret then a delete event will be sent here. And because the item had an owner ref (with controller set) then a reconcile request will be queued. Now if that is not happening there can be a bug in a couple of places:

• The predicate might be the one the drops the event (should not, but might be)
• The reconcile is initiated but the reconcile code might not re-create the secret (might happen because of stale cache)
• Are we sure we are adding a controller reference on the secret? if not and we are only adding an owner ref then that is your bug

@mrudraia1 You need to identify the issue, and only after you fully understand what is going on you can suggest a fix.

[leelavg]

Owner reference were set during creation of secrets in on-boarding job, when the rotate signing key is clicked the re-consiliation is not happening, The onboarding-token needs to be created which is failing.
[...]
Are we sure we are adding a controller reference on the secret? if not and we are only adding an owner ref then that is your bug

• ouch, so the issue all along is storagecluster not getting a reconcile event when rotate keys is invoked (ie, deletion of secrets) but not the delay b/n rotation and kubelet updating the secret as diagnosed in https://bugzilla.redhat.com/show_bug.cgi?id=2311012#c5?

@rchikatw was there a discussion w/ @mrudraia1 along these lines when he started to work on this? @mrudraia1 did you observe the same behavior from when the work started on this PR, end of July and in latest revision I don't see this change which basically means we are just refactoring the code w/o any observable behavior and not fixing the issue.

[mrudraia1]

@leelavg earlier secret keys are read from the volume mounts , which is now changed to read directly by reading the secrets.

OwnerReference of the secrets changed to ControllerReference.

[leelavg]

secrets are read from volumemounts is correct but the bug was when the rotation was clicked new secrets aren't realized which is a 2 step process.

1. storagecluster controller gets an event and onboarding job will be rerun creating new secrets
2. presence of new secrets are known by kubelet and get updated in ux-backend

the description in BZ mentioned that the problem was in (2) but the observation in this comment says the root cause probably is (1), ie, storagecluster controller isn't getting an event

[mrudraia1]

yes, know with this PR build I tested, I can observe the

1. creation of new on-boarding_token immediately after the clicking of Rotate signing key.
2. earlier I was using MatchEveryOwner to watch the secrets, Know the ControllerOwner is set to watch the resources.

[rchikatw]

I am not aware of any discussions about changing the predicate, and I'm not sure why we are changing from OwnerRef to ControllerRef: Here. Because of this change, you might be experiencing issues with job creation not occurring when keys are rotated—this is just a guess. To my knowledge, a job is typically created when keys are rotated, and the QE team has tested this. You can also verify this in your cluster without implementing your change to see if the job is triggered when keys are rotated.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mrudraia1
Once this PR has been reviewed and has the lgtm label, please ask for approval from nb-ohad. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[deepsm007]

infra issue
/test images

[nb-ohad]

This comment was not addressed as tall! You are matching by controller ownership, it does not make sense to match every owner

[nb-ohad]

We should not ignore decode errors. What if the key is corrupted?

[mrudraia1]

Ack

[leelavg]

lower case Block and as per pem.Decode func signature the second return value isn't err but a slice of bytes which should be empty.

Suggested change

	Block, err1 := pem.Decode(privateSecretKey)
	if err1 != nil {
	return nil, fmt.Errorf("Failed to decode private key: %v", err1)
	block, rest := pem.Decode(privateSecretKey)
	if len(rest) > 0 {
	return nil, fmt.Errorf("PEM block not found in private key: %s", rest)

[mrudraia1]

pem.Decode returns byte, changed as suggested by Leela

[leelavg]

I also mentioned to lowercase Block as it doesn't have any extra significance.

[mrudraia1]

ack

[leelavg]

Suggested change

	http.Error(w, fmt.Sprintf("Failed loading onboarding validation private: %v", err), http.StatusBadRequest)
	http.Error(w, fmt.Sprintf("Failed loading onboarding validation private key: %v", err), http.StatusBadRequest)

[mrudraia1]

Ack

[leelavg]

Suggested change

	http.Error(w, fmt.Sprintf("Failed loading onboarding validation private: %v", err), http.StatusBadRequest)
	http.Error(w, fmt.Sprintf("Failed loading onboarding validation private key: %v", err), http.StatusBadRequest)

[mrudraia1]

Ack

[leelavg]

pls run make deps-update to update vendor.

[rewantsoni]

You would need additional permissions inorder to add a ControllerReference, please make sure that you add the required permissions

[mrudraia1]

Added the permissions for ControllerReference

[rchikatw]

I believe Rewant mentioned adding additional permissions, not removing existing ones, which suggests Owner and Controller are needed. @rewantsoni am I right here?

[leelavg]

Proposed rbac will provide update access to storagecluster which isn't good, use a new section for only update on finalizers and the job doesn't has controller and watch isn't required.

[mrudraia1]

Ack