Cache kubeadm certificate keys to avoid race conditions

Signed-off-by: daniel-weisse <daniel.weisse@gmx.net>

joinservice/internal/kubeadm/keymanager.go

@@ -0,0 +1,58 @@
+package kubeadm
+
+import (
+	"fmt"
+	"sync"
+	"time"
+
+	"k8s.io/kubernetes/cmd/kubeadm/app/phases/copycerts"
+	"k8s.io/utils/clock"
+)
+
+// certificateKeyTTL is the time a certificate key is valid for.
+const certificateKeyTTL = time.Hour
+
+// keyManager handles creation of certificate encryption keys.
+type keyManager struct {
+	mux            sync.Mutex
+	key            string
+	expirationDate time.Time
+	clock          clock.Clock
+}
+
+func newKeyManager() *keyManager {
+	return &keyManager{
+		clock: clock.RealClock{},
+	}
+}
+
+// getCertificatetKey returns the encryption key to use for uploading PKI certificates to Kubernetes.
+// A Key is cached for one hour, but its expiration date is extended by two minutes if a request is made
+// within two minutes of the key expiring to avoid just-expired keys.
+// This is necessary since uploading a certificate with a different key overwrites any others.
+// This means we can no longer decrypt the certificates using an old key.
+func (k *keyManager) getCertificatetKey() (string, error) {
+	k.mux.Lock()
+	defer k.mux.Unlock()
+
+	switch {
+	case k.key == "" || k.expirationDate.Before(k.clock.Now()):
+		// key was not yet generated, or has expired
+		// generate a new key and set TTL
+		key, err := copycerts.CreateCertificateKey()
+		if err != nil {
+			return "", fmt.Errorf("couldn't create control plane certificate key: %w", err)
+		}
+		k.expirationDate = k.clock.Now().Add(certificateKeyTTL)
+		k.key = key
+	case k.expirationDate.After(k.clock.Now()):
+		// key is still valid
+		// if TTL is less than 2 minutes away, increase it by 2 minutes
+		// this is to avoid the key expiring too soon when a node uses it to join the cluster
+		if k.expirationDate.Sub(k.clock.Now()) < 2*time.Minute {
+			k.expirationDate = k.expirationDate.Add(2 * time.Minute)
+		}
+	}
+
+	return k.key, nil
+}

joinservice/internal/kubeadm/keymanager_test.go

@@ -0,0 +1,63 @@
+package kubeadm
+
+import (
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"k8s.io/utils/clock"
+	testclock "k8s.io/utils/clock/testing"
+)
+
+func TestKeyManager(t *testing.T) {
+	testCases := map[string]struct {
+		clock       clock.Clock
+		ttl         time.Time
+		key         string
+		shouldReuse bool
+	}{
+		"no key exists": {
+			clock: testclock.NewFakeClock(time.Time{}),
+		},
+		"key exists and is valid": {
+			clock:       testclock.NewFakeClock(time.Time{}),
+			ttl:         time.Time{}.Add(time.Hour),
+			key:         "key",
+			shouldReuse: true,
+		},
+		"key has expired": {
+			clock: testclock.NewFakeClock(time.Time{}.Add(time.Hour)),
+			ttl:   time.Time{},
+			key:   "key",
+		},
+		"key expires in the next 30 seconds": {
+			clock:       testclock.NewFakeClock(time.Time{}),
+			ttl:         time.Time{}.Add(30 * time.Second),
+			key:         "key",
+			shouldReuse: true,
+		},
+	}
+
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			assert := assert.New(t)
+
+			km := &keyManager{
+				expirationDate: tc.ttl,
+				key:            tc.key,
+				clock:          tc.clock,
+			}
+
+			key, err := km.getCertificatetKey()
+			assert.NoError(err)
+			assert.True(km.expirationDate.After(tc.clock.Now().Add(2 * time.Minute)))
+
+			if tc.shouldReuse {
+				assert.Equal(tc.key, key)
+			} else {
+				assert.Equal(km.key, key)
+				assert.NotEqual(tc.key, key)
+			}
+		})
+	}
+}

joinservice/internal/kubeadm/kubeadm.go

@@ -28,6 +28,7 @@ import (
 type Kubeadm struct {
 	apiServerEndpoint string
 	log               *logger.Logger
+	keyManager        *keyManager
 	client            clientset.Interface
 	file              file.Handler
 }
@@ -47,6 +48,7 @@ func New(apiServerEndpoint string, log *logger.Logger) (*Kubeadm, error) {
 	return &Kubeadm{
 		apiServerEndpoint: apiServerEndpoint,
 		log:               log,
+		keyManager:        newKeyManager(),
 		client:            client,
 		file:              file,
 	}, nil
@@ -112,7 +114,7 @@ func (k *Kubeadm) GetJoinToken(ttl time.Duration) (*kubeadm.BootstrapTokenDiscov
 // The key can be used by new nodes to join the cluster as a control plane node.
 func (k *Kubeadm) GetControlPlaneCertificateKey() (string, error) {
 	k.log.Infof("Creating new random control plane certificate key")
-	key, err := copycerts.CreateCertificateKey()
+	key, err := k.keyManager.getCertificatetKey()
 	if err != nil {
 		return "", fmt.Errorf("couldn't create control plane certificate key: %w", err)
 	}

joinservice/internal/kubeadm/kubeadm_test.go

@@ -18,6 +18,7 @@ import (
 	"k8s.io/client-go/kubernetes/fake"
 	corev1 "k8s.io/client-go/kubernetes/typed/core/v1"
 	fakecorev1 "k8s.io/client-go/kubernetes/typed/core/v1/fake"
+	testclock "k8s.io/utils/clock/testing"
 )
 
 func TestMain(m *testing.M) {
@@ -83,9 +84,10 @@ kind: Config`,
 			require := require.New(t)
 
 			client := &Kubeadm{
-				log:    logger.NewTest(t),
-				file:   file.NewHandler(afero.NewMemMapFs()),
-				client: fake.NewSimpleClientset(),
+				log:        logger.NewTest(t),
+				keyManager: &keyManager{clock: testclock.NewFakeClock(time.Time{})},
+				file:       file.NewHandler(afero.NewMemMapFs()),
+				client:     fake.NewSimpleClientset(),
 			}
 			if tc.adminConf != "" {
 				require.NoError(client.file.Write(constants.CoreOSAdminConfFilename, []byte(tc.adminConf), file.OptNone))
@@ -124,8 +126,9 @@ func TestGetControlPlaneCertificateKey(t *testing.T) {
 			assert := assert.New(t)
 
 			client := &Kubeadm{
-				log:    logger.NewTest(t),
-				client: tc.client,
+				keyManager: &keyManager{clock: testclock.NewFakeClock(time.Time{})},
+				log:        logger.NewTest(t),
+				client:     tc.client,
 			}
 
 			_, err := client.GetControlPlaneCertificateKey()