cli: declare mastersecret as immutable and print attestationCfg diff in warning (#2167)

2025-12-15 16:09:39 -05:00 · 2023-08-08 13:03:23 +02:00 · 2023-08-08 13:03:23 +02:00 · 70861ee8ad
commit 70861ee8ad
parent e97b2afc14
19 changed files with 219 additions and 105 deletions
--- a/cli/internal/kubernetes/kubernetes.go
+++ b/cli/internal/kubernetes/kubernetes.go
@ -10,3 +10,72 @@ Package kubernetes provides functions to interact with a live cluster to the CLI
 Currently it is used to implement the status and upgrade commands.
 */
 package kubernetes
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/edgelesssys/constellation/v2/internal/constants"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/tools/clientcmd"
+)
+
+func newClient(kubeconfigPath string) (kubernetes.Interface, error) {
+	kubeConfig, err := clientcmd.BuildConfigFromFlags("", kubeconfigPath)
+	if err != nil {
+		return nil, fmt.Errorf("building kubernetes config: %w", err)
+	}
+
+	kubeClient, err := kubernetes.NewForConfig(kubeConfig)
+	if err != nil {
+		return nil, fmt.Errorf("setting up kubernetes client: %w", err)
+	}
+	return kubeClient, nil
+}
+
+// StableInterface is an interface to interact with stable resources.
+type StableInterface interface {
+	GetCurrentConfigMap(ctx context.Context, name string) (*corev1.ConfigMap, error)
+	UpdateConfigMap(ctx context.Context, configMap *corev1.ConfigMap) (*corev1.ConfigMap, error)
+	CreateConfigMap(ctx context.Context, configMap *corev1.ConfigMap) (*corev1.ConfigMap, error)
+	KubernetesVersion() (string, error)
+}
+
+// NewStableClient returns a new StableClient.
+func NewStableClient(kubeconfigPath string) (StableInterface, error) {
+	client, err := newClient(kubeconfigPath)
+	if err != nil {
+		return nil, err
+	}
+	return &stableClient{client}, nil
+}
+
+type stableClient struct {
+	client kubernetes.Interface
+}
+
+// GetCurrentConfigMap returns a ConfigMap given it's name.
+func (u *stableClient) GetCurrentConfigMap(ctx context.Context, name string) (*corev1.ConfigMap, error) {
+	return u.client.CoreV1().ConfigMaps(constants.ConstellationNamespace).Get(ctx, name, metav1.GetOptions{})
+}
+
+// UpdateConfigMap updates the given ConfigMap.
+func (u *stableClient) UpdateConfigMap(ctx context.Context, configMap *corev1.ConfigMap) (*corev1.ConfigMap, error) {
+	return u.client.CoreV1().ConfigMaps(constants.ConstellationNamespace).Update(ctx, configMap, metav1.UpdateOptions{})
+}
+
+// CreateConfigMap creates the given ConfigMap.
+func (u *stableClient) CreateConfigMap(ctx context.Context, configMap *corev1.ConfigMap) (*corev1.ConfigMap, error) {
+	return u.client.CoreV1().ConfigMaps(constants.ConstellationNamespace).Create(ctx, configMap, metav1.CreateOptions{})
+}
+
+// KubernetesVersion returns the Kubernetes version of the cluster.
+func (u *stableClient) KubernetesVersion() (string, error) {
+	serverVersion, err := u.client.Discovery().ServerVersion()
+	if err != nil {
+		return "", err
+	}
+	return serverVersion.GitVersion, nil
+}
--- a/cli/internal/kubernetes/upgrade.go
+++ b/cli/internal/kubernetes/upgrade.go
@ -42,7 +42,6 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/client-go/dynamic"
-	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/clientcmd"
 	"k8s.io/client-go/util/retry"
 	kubeadmv1beta3 "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3"
@ -121,18 +120,17 @@ func NewUpgrader(
 		upgradeID:    upgradeID,
 	}

-	kubeConfig, err := clientcmd.BuildConfigFromFlags("", kubeConfigPath)
+	kubeClient, err := newClient(kubeConfigPath)
 	if err != nil {
-		return nil, fmt.Errorf("building kubernetes config: %w", err)
-	}
-
-	kubeClient, err := kubernetes.NewForConfig(kubeConfig)
-	if err != nil {
-		return nil, fmt.Errorf("setting up kubernetes client: %w", err)
+		return nil, err
 	}
 	u.stableInterface = &stableClient{client: kubeClient}

 	// use unstructured client to avoid importing the operator packages
+	kubeConfig, err := clientcmd.BuildConfigFromFlags("", kubeConfigPath)
+	if err != nil {
+		return nil, fmt.Errorf("building kubernetes config: %w", err)
+	}
 	unstructuredClient, err := dynamic.NewForConfig(kubeConfig)
 	if err != nil {
 		return nil, fmt.Errorf("setting up custom resource client: %w", err)
@ -554,47 +552,6 @@ func upgradeInProgress(nodeVersion updatev1alpha1.NodeVersion) bool {
 	return false
 }

-// StableInterface is an interface to interact with stable resources.
-type StableInterface interface {
-	GetCurrentConfigMap(ctx context.Context, name string) (*corev1.ConfigMap, error)
-	UpdateConfigMap(ctx context.Context, configMap *corev1.ConfigMap) (*corev1.ConfigMap, error)
-	CreateConfigMap(ctx context.Context, configMap *corev1.ConfigMap) (*corev1.ConfigMap, error)
-	KubernetesVersion() (string, error)
-}
-
-// NewStableClient returns a new StableInterface.
-func NewStableClient(client kubernetes.Interface) StableInterface {
-	return &stableClient{client: client}
-}
-
-type stableClient struct {
-	client kubernetes.Interface
-}
-
-// GetCurrentConfigMap returns a ConfigMap given it's name.
-func (u *stableClient) GetCurrentConfigMap(ctx context.Context, name string) (*corev1.ConfigMap, error) {
-	return u.client.CoreV1().ConfigMaps(constants.ConstellationNamespace).Get(ctx, name, metav1.GetOptions{})
-}
-
-// UpdateConfigMap updates the given ConfigMap.
-func (u *stableClient) UpdateConfigMap(ctx context.Context, configMap *corev1.ConfigMap) (*corev1.ConfigMap, error) {
-	return u.client.CoreV1().ConfigMaps(constants.ConstellationNamespace).Update(ctx, configMap, metav1.UpdateOptions{})
-}
-
-// CreateConfigMap creates the given ConfigMap.
-func (u *stableClient) CreateConfigMap(ctx context.Context, configMap *corev1.ConfigMap) (*corev1.ConfigMap, error) {
-	return u.client.CoreV1().ConfigMaps(constants.ConstellationNamespace).Create(ctx, configMap, metav1.CreateOptions{})
-}
-
-// KubernetesVersion returns the Kubernetes version of the cluster.
-func (u *stableClient) KubernetesVersion() (string, error) {
-	serverVersion, err := u.client.Discovery().ServerVersion()
-	if err != nil {
-		return "", err
-	}
-	return serverVersion.GitVersion, nil
-}
-
 type helmInterface interface {
 	Upgrade(ctx context.Context, config *config.Config, idFile clusterid.File, timeout time.Duration, allowDestructive, force bool, upgradeID string) error
 }
--- a/cli/internal/kubernetes/upgrade_test.go
+++ b/cli/internal/kubernetes/upgrade_test.go
@ -38,7 +38,7 @@ import (
 func TestUpgradeNodeVersion(t *testing.T) {
 	someErr := errors.New("some error")
 	testCases := map[string]struct {
-		stable                *stubStableClient
+		stable                *fakeStableClient
 		conditions            []metav1.Condition
 		currentImageVersion   string
 		newImageReference     string
@ -61,7 +61,7 @@ func TestUpgradeNodeVersion(t *testing.T) {
 			}(),
 			currentImageVersion:   "v1.2.2",
 			currentClusterVersion: versions.SupportedK8sVersions()[0],
-			stable: &stubStableClient{
+			stable: &fakeStableClient{
 				configMaps: map[string]*corev1.ConfigMap{
 					constants.JoinConfigMap: newJoinConfigMap(`{"0":{"expected":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA","warnOnly":false}}`),
 				},
@ -77,7 +77,7 @@ func TestUpgradeNodeVersion(t *testing.T) {
 			}(),
 			currentImageVersion:   "v1.2.2",
 			currentClusterVersion: versions.SupportedK8sVersions()[0],
-			stable: &stubStableClient{
+			stable: &fakeStableClient{
 				configMaps: map[string]*corev1.ConfigMap{
 					constants.JoinConfigMap: newJoinConfigMap(`{"0":{"expected":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA","warnOnly":false}}`),
 				},
@ -98,7 +98,7 @@ func TestUpgradeNodeVersion(t *testing.T) {
 			}(),
 			currentImageVersion:   "v1.2.2",
 			currentClusterVersion: versions.SupportedK8sVersions()[0],
-			stable: &stubStableClient{
+			stable: &fakeStableClient{
 				configMaps: map[string]*corev1.ConfigMap{
 					constants.JoinConfigMap: newJoinConfigMap(`{"0":{"expected":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA","warnOnly":false}}`),
 				},
@ -119,7 +119,7 @@ func TestUpgradeNodeVersion(t *testing.T) {
 			}(),
 			currentImageVersion:   "v1.2.2",
 			currentClusterVersion: versions.SupportedK8sVersions()[0],
-			stable:                &stubStableClient{},
+			stable:                &fakeStableClient{},
 			wantErr:               true,
 			assertCorrectError: func(t *testing.T, err error) bool {
 				var upgradeErr *compatibility.InvalidUpgradeError
@ -139,7 +139,7 @@ func TestUpgradeNodeVersion(t *testing.T) {
 			}},
 			currentImageVersion:   "v1.2.2",
 			currentClusterVersion: versions.SupportedK8sVersions()[0],
-			stable:                &stubStableClient{},
+			stable:                &fakeStableClient{},
 			wantErr:               true,
 			assertCorrectError: func(t *testing.T, err error) bool {
 				return assert.ErrorIs(t, err, ErrInProgress)
@ -158,7 +158,7 @@ func TestUpgradeNodeVersion(t *testing.T) {
 			}},
 			currentImageVersion:   "v1.2.2",
 			currentClusterVersion: versions.SupportedK8sVersions()[0],
-			stable:                &stubStableClient{},
+			stable:                &fakeStableClient{},
 			force:                 true,
 			wantUpdate:            true,
 		},
@ -184,7 +184,7 @@ func TestUpgradeNodeVersion(t *testing.T) {
 			newImageReference:     "path/to/image:v1.4.2",
 			currentImageVersion:   "v1.2.2",
 			currentClusterVersion: versions.SupportedK8sVersions()[0],
-			stable: &stubStableClient{
+			stable: &fakeStableClient{
 				configMaps: map[string]*corev1.ConfigMap{
 					constants.JoinConfigMap: newJoinConfigMap(`{"0":{"expected":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA","warnOnly":false}}`),
 				},
@ -206,7 +206,7 @@ func TestUpgradeNodeVersion(t *testing.T) {
 			newImageReference:     "path/to/image:v1.4.2",
 			currentImageVersion:   "v1.2.2",
 			currentClusterVersion: versions.SupportedK8sVersions()[0],
-			stable: &stubStableClient{
+			stable: &fakeStableClient{
 				configMaps: map[string]*corev1.ConfigMap{
 					constants.JoinConfigMap: newJoinConfigMap(`{"0":{"expected":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA","warnOnly":false}}`),
 				},
@ -224,7 +224,7 @@ func TestUpgradeNodeVersion(t *testing.T) {
 			currentImageVersion:   "v1.2.2",
 			currentClusterVersion: versions.SupportedK8sVersions()[0],
 			badImageVersion:       "v3.2.1",
-			stable: &stubStableClient{
+			stable: &fakeStableClient{
 				configMaps: map[string]*corev1.ConfigMap{
 					constants.JoinConfigMap: newJoinConfigMap(`{"0":{"expected":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA","warnOnly":false}}`),
 				},
@ -245,7 +245,7 @@ func TestUpgradeNodeVersion(t *testing.T) {
 			}(),
 			currentImageVersion:   "v1.2.2",
 			currentClusterVersion: versions.SupportedK8sVersions()[0],
-			stable: &stubStableClient{
+			stable: &fakeStableClient{
 				configMaps: map[string]*corev1.ConfigMap{
 					constants.JoinConfigMap: newJoinConfigMap(`{"0":{"expected":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA","warnOnly":false}}`),
 				},
@ -266,7 +266,7 @@ func TestUpgradeNodeVersion(t *testing.T) {
 			}(),
 			currentImageVersion:   "v1.2.2",
 			currentClusterVersion: versions.SupportedK8sVersions()[0],
-			stable: &stubStableClient{
+			stable: &fakeStableClient{
 				configMaps: map[string]*corev1.ConfigMap{
 					constants.JoinConfigMap: newJoinConfigMap(`{"0":{"expected":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA","warnOnly":false}}`),
 				},
@ -340,13 +340,13 @@ func TestUpgradeNodeVersion(t *testing.T) {
 func TestUpdateMeasurements(t *testing.T) {
 	someErr := errors.New("error")
 	testCases := map[string]struct {
-		updater    *stubStableClient
+		updater    *fakeStableClient
 		newConfig  config.AttestationCfg
 		wantUpdate bool
 		wantErr    bool
 	}{
 		"success": {
-			updater: &stubStableClient{
+			updater: &fakeStableClient{
 				configMaps: map[string]*corev1.ConfigMap{
 					constants.JoinConfigMap: newJoinConfigMap(`{"measurements":{"0":{"expected":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA","warnOnly":false}}}`),
 				},
@ -359,7 +359,7 @@ func TestUpdateMeasurements(t *testing.T) {
 			wantUpdate: true,
 		},
 		"measurements are the same": {
-			updater: &stubStableClient{
+			updater: &fakeStableClient{
 				configMaps: map[string]*corev1.ConfigMap{
 					constants.JoinConfigMap: newJoinConfigMap(`{"measurements":{"0":{"expected":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA","warnOnly":false}}}`),
 				},
@ -371,7 +371,7 @@ func TestUpdateMeasurements(t *testing.T) {
 			},
 		},
 		"setting warnOnly to true is allowed": {
-			updater: &stubStableClient{
+			updater: &fakeStableClient{
 				configMaps: map[string]*corev1.ConfigMap{
 					constants.JoinConfigMap: newJoinConfigMap(`{"measurements":{"0":{"expected":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA","warnOnly":false}}}`),
 				},
@ -384,7 +384,7 @@ func TestUpdateMeasurements(t *testing.T) {
 			wantUpdate: true,
 		},
 		"setting warnOnly to false is allowed": {
-			updater: &stubStableClient{
+			updater: &fakeStableClient{
 				configMaps: map[string]*corev1.ConfigMap{
 					constants.JoinConfigMap: newJoinConfigMap(`{"measurements":{"0":{"expected":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA","warnOnly":true}}}`),
 				},
@ -397,7 +397,7 @@ func TestUpdateMeasurements(t *testing.T) {
 			wantUpdate: true,
 		},
 		"getCurrent error": {
-			updater: &stubStableClient{getErr: someErr},
+			updater: &fakeStableClient{getErr: someErr},
 			newConfig: &config.GCPSEVES{
 				Measurements: measurements.M{
 					0: measurements.WithAllBytes(0xBB, measurements.Enforce, measurements.PCRMeasurementLength),
@ -406,7 +406,7 @@ func TestUpdateMeasurements(t *testing.T) {
 			wantErr: true,
 		},
 		"update error": {
-			updater: &stubStableClient{
+			updater: &fakeStableClient{
 				configMaps: map[string]*corev1.ConfigMap{
 					constants.JoinConfigMap: newJoinConfigMap(`{"measurements":{"0":{"expected":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA","warnOnly":false}}}`),
 				},
@ -616,7 +616,7 @@ func (u *stubDynamicClient) Update(_ context.Context, updatedObject *unstructure
 	return u.updatedObject, u.updateErr
 }

-type stubStableClient struct {
+type fakeStableClient struct {
 	configMaps        map[string]*corev1.ConfigMap
 	updatedConfigMaps map[string]*corev1.ConfigMap
 	k8sVersion        string
@ -626,11 +626,11 @@ type stubStableClient struct {
 	k8sErr            error
 }

-func (s *stubStableClient) GetCurrentConfigMap(_ context.Context, name string) (*corev1.ConfigMap, error) {
+func (s *fakeStableClient) GetCurrentConfigMap(_ context.Context, name string) (*corev1.ConfigMap, error) {
 	return s.configMaps[name], s.getErr
 }

-func (s *stubStableClient) UpdateConfigMap(_ context.Context, configMap *corev1.ConfigMap) (*corev1.ConfigMap, error) {
+func (s *fakeStableClient) UpdateConfigMap(_ context.Context, configMap *corev1.ConfigMap) (*corev1.ConfigMap, error) {
 	if s.updatedConfigMaps == nil {
 		s.updatedConfigMaps = map[string]*corev1.ConfigMap{}
 	}
@ -638,7 +638,7 @@ func (s *stubStableClient) UpdateConfigMap(_ context.Context, configMap *corev1.
 	return s.updatedConfigMaps[configMap.ObjectMeta.Name], s.updateErr
 }

-func (s *stubStableClient) CreateConfigMap(_ context.Context, configMap *corev1.ConfigMap) (*corev1.ConfigMap, error) {
+func (s *fakeStableClient) CreateConfigMap(_ context.Context, configMap *corev1.ConfigMap) (*corev1.ConfigMap, error) {
 	if s.configMaps == nil {
 		s.configMaps = map[string]*corev1.ConfigMap{}
 	}
@ -646,7 +646,7 @@ func (s *stubStableClient) CreateConfigMap(_ context.Context, configMap *corev1.
 	return s.configMaps[configMap.ObjectMeta.Name], s.createErr
 }

-func (s *stubStableClient) KubernetesVersion() (string, error) {
+func (s *fakeStableClient) KubernetesVersion() (string, error) {
 	return s.k8sVersion, s.k8sErr
 }