Update licences and fix lint errors

Signed-off-by: Danil Grigorev <[email protected]>

Author: Danil-Grigorev

bootstrap/internal/cloudinit/controlplane_init.go

@@ -35,7 +35,7 @@ runcmd:
   - '/opt/rke2-cis-script.sh'{{ end }}
   - 'systemctl enable rke2-server.service'
   - 'systemctl start rke2-server.service'
-  - 'kubectl create secret tls cluster-etcd -o yaml --dry-run=client -n kube-system --cert=/var/lib/rancher/rke2/server/tls/etcd/server-client.crt --key=/var/lib/rancher/rke2/server/tls/etcd/server-client.key --kubeconfig /var/lib/rancher/rke2/server/cred/api-server.kubeconfig | kubectl apply -f- --kubeconfig /var/lib/rancher/rke2/server/cred/api-server.kubeconfig'
+  - 'kubectl create secret tls cluster-etcd -o yaml --dry-run=client -n kube-system --cert=/var/lib/rancher/rke2/server/tls/etcd/server.crt --key=/var/lib/rancher/rke2/server/tls/etcd/server.key --kubeconfig /var/lib/rancher/rke2/server/cred/api-server.kubeconfig | kubectl apply -f- --kubeconfig /var/lib/rancher/rke2/server/cred/api-server.kubeconfig'
   - 'mkdir /run/cluster-api' 
   - '{{ .SentinelFileCommand }}'
 {{- template "commands" .PostRKE2Commands }}

bootstrap/internal/ignition/ignition.go

@@ -37,7 +37,7 @@ var (
 		"systemctl enable rke2-server.service",
 		"systemctl start rke2-server.service",
 		"kubectl create secret tls cluster-etcd -o yaml --dry-run=client -n kube-system " +
-			"--cert=/var/lib/rancher/rke2/server/tls/etcd/server-client.crt --key=/var/lib/rancher/rke2/server/tls/etcd/server-client.key " +
+			"--cert=/var/lib/rancher/rke2/server/tls/etcd/server.crt --key=/var/lib/rancher/rke2/server/tls/etcd/server.key " +
 			"--kubeconfig /var/lib/rancher/rke2/server/cred/api-server.kubeconfig |" +
 			" kubectl apply -f- --kubeconfig /var/lib/rancher/rke2/server/cred/api-server.kubeconfig",
 		"restorecon /etc/systemd/system/rke2-server.service",

controlplane/internal/controllers/rke2controlplane_controller.go

@@ -573,7 +573,7 @@ func (r *RKE2ControlPlaneReconciler) GetWorkloadCluster(ctx context.Context, con
 func (r *RKE2ControlPlaneReconciler) reconcileEtcdMembers(ctx context.Context, controlPlane *rke2.ControlPlane) error {
 	log := ctrl.LoggerFrom(ctx)
 
-	// If there is no KCP-owned control-plane machines, then control-plane has not been initialized yet.
+	// If there is no RKE-owned control-plane machines, then control-plane has not been initialized yet.
 	if controlPlane.Machines.Len() == 0 {
 		return nil
 	}

pkg/etcd/client_generator.go

@@ -1,5 +1,5 @@
 /*
-Copyright 2020 The Kubernetes Authors.
+Copyright 2024 SUSE.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

pkg/etcd/client_generator_test.go

@@ -1,5 +1,5 @@
 /*
-Copyright 2020 The Kubernetes Authors.
+Copyright 2024 SUSE.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

pkg/etcd/etcd.go

@@ -1,5 +1,5 @@
 /*
-Copyright 2020 The Kubernetes Authors.
+Copyright 2024 SUSE.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

pkg/etcd/etcd_test.go

@@ -1,5 +1,5 @@
 /*
-Copyright 2020 The Kubernetes Authors.
+Copyright 2024 SUSE.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

pkg/etcd/fake/client.go

@@ -1,5 +1,5 @@
 /*
-Copyright 2020 The Kubernetes Authors.
+Copyright 2024 SUSE.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

pkg/etcd/util/util.go

@@ -1,5 +1,5 @@
 /*
-Copyright 2020 The Kubernetes Authors.
+Copyright 2024 SUSE.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

pkg/proxy/addr.go

@@ -1,5 +1,5 @@
 /*
-Copyright 2020 The Kubernetes Authors.
+Copyright 2024 SUSE.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-// Package proxy implements kubeadm proxy functionality.
+// Package proxy implements proxy functionality.
 package proxy
 
 import (

pkg/proxy/conn.go

@@ -1,5 +1,5 @@
 /*
-Copyright 2020 The Kubernetes Authors.
+Copyright 2024 SUSE.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

pkg/proxy/dial.go

@@ -1,5 +1,5 @@
 /*
-Copyright 2020 The Kubernetes Authors.
+Copyright 2024 SUSE.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

pkg/proxy/proxy.go

@@ -1,5 +1,5 @@
 /*
-Copyright 2020 The Kubernetes Authors.
+Copyright 2024 SUSE.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

pkg/rke2/management_cluster.go

@@ -133,25 +133,27 @@ func (m *Management) getEtcdCAKeyPair(ctx context.Context, clusterKey ctrlclient
 	certificates := secret.Certificates{&secret.ManagedCertificate{
 		Purpose: secret.EtcdServerCA,
 	}}
+	secretName := secret.Name(clusterKey.Name, secret.EtcdServerCA)
 
 	// Try to get the certificate via the cached ctrlclient.
-	err := certificates.Lookup(ctx, m.SecretCachingClient, clusterKey)
-	if err != nil {
+	if err := certificates.Lookup(ctx, m.SecretCachingClient, clusterKey); err != nil {
 		// Return error if we got an errors which is not a NotFound error.
-		return nil, errors.Wrapf(err, "failed to get secret CA bungle; etcd CA bundle %s/%s", clusterKey.Namespace, secret.Name(clusterKey.Name, secret.EtcdServerCA))
+		return nil, errors.Wrapf(err, "failed to get secret CA bungle; etcd CA bundle %s/%s", clusterKey.Namespace, secretName)
 	}
 
-	s := certificates[0].AsSecret(clusterKey, metav1.OwnerReference{})
-	if err := m.SecretCachingClient.Get(ctx, ctrlclient.ObjectKeyFromObject(s), s); err != nil {
-		return nil, errors.Wrapf(err, "failed to get secret; etcd CA bundle %s/%s", clusterKey.Namespace, secret.Name(clusterKey.Name, secret.EtcdServerCA))
-	}
+	var keypair *certs.KeyPair
 
-	// External certificate needs to be fetched, to sync the content
-	if s.Labels == nil || s.Labels[secret.ExternalSecretPurposeLabel] != string(secret.EtcdServerCA) {
-		return nil, nil
+	if s, err := certificates[0].Lookup(ctx, m.SecretCachingClient, clusterKey); err != nil {
+		return nil, errors.Wrapf(err, "failed to get secret; etcd CA bundle %s/%s", clusterKey.Namespace, secretName)
+	} else if s == nil {
+		return keypair, nil
+	} else if s.Labels != nil && s.Labels[secret.ExternalPurposeLabel] == string(secret.EtcdServerCA) {
+		keypair = certificates[0].GetKeyPair()
 	}
 
-	return certificates[0].GetKeyPair(), nil
+	// External certificate needs to be fetched otherwise, to sync the content
+
+	return keypair, nil
 }
 
 func (m *Management) getRemoteKeyPair(ctx context.Context, remoteClient ctrlclient.Client, clusterKey ctrlclient.ObjectKey) (*certs.KeyPair, error) {

pkg/rke2/workload_cluster.go

@@ -103,40 +103,40 @@ func (m *Management) NewWorkload(
 	restConfig.Timeout = remoteEtcdTimeout
 
 	// Retrieves the etcd CA key Pair
-	keyPair, err := m.getEtcdCAKeyPair(ctx, clusterKey)
+	etcdKeyPair, err := m.getEtcdCAKeyPair(ctx, clusterKey)
 	if ctrlclient.IgnoreNotFound(err) != nil {
 		return nil, err
-	} else if apierrors.IsNotFound(err) || keyPair == nil {
-		keyPair, err = m.getRemoteKeyPair(ctx, cl, clusterKey)
+	} else if apierrors.IsNotFound(err) || etcdKeyPair == nil {
+		etcdKeyPair, err = m.getRemoteKeyPair(ctx, cl, clusterKey)
 		if ctrlclient.IgnoreNotFound(err) != nil {
 			return nil, err
-		} else if keyPair == nil {
+		} else if etcdKeyPair == nil {
 			log.FromContext(ctx).Info("Cluster does not provide etcd certificates for creating child etcd ctrlclient." +
 				"Please scale up the CP nodes by one to bootstrap the etcd secret content.")
 
 			return workload, nil
 		}
 	}
 
-	clientCert, err := tls.X509KeyPair(keyPair.Cert, keyPair.Key)
+	clientCert, err := tls.X509KeyPair(etcdKeyPair.Cert, etcdKeyPair.Key)
 	if err != nil {
 		return nil, err
 	}
 
-	if _, err := certs.DecodePrivateKeyPEM(keyPair.Key); err == nil {
+	if _, err := certs.DecodePrivateKeyPEM(etcdKeyPair.Key); err == nil {
 		clientKey, err := m.Tracker.GetEtcdClientCertificateKey(ctx, clusterKey)
 		if err != nil {
 			return nil, err
 		}
 
-		clientCert, err = generateClientCert(keyPair.Cert, keyPair.Key, clientKey)
+		clientCert, err = generateClientCert(etcdKeyPair.Cert, etcdKeyPair.Key, clientKey)
 		if err != nil {
 			return nil, err
 		}
 	}
 
 	caPool := x509.NewCertPool()
-	caPool.AppendCertsFromPEM(keyPair.Cert)
+	caPool.AppendCertsFromPEM(etcdKeyPair.Cert)
 	tlsConfig := &tls.Config{
 		RootCAs:      caPool,
 		Certificates: []tls.Certificate{clientCert},

pkg/secret/certificates.go

@@ -83,9 +83,9 @@ const (
 	// TenYears is the duration of one year.
 	TenYears = time.Hour * 24 * 365 * 10
 
-	// ExternalSecretPurposeLabel is a label set on external secrets, uniquely identifying their belonging
-	// to external source and used for a specified purpose
-	ExternalSecretPurposeLabel = "cluster.x-k8s.io/purpose"
+	// ExternalPurposeLabel is a label set on external secrets, uniquely identifying their belonging
+	// to external source and used for a specified purpose.
+	ExternalPurposeLabel = "cluster.x-k8s.io/purpose"
 )
 
 // Purpose is the name to append to the secret generated for a cluster.
@@ -600,7 +600,8 @@ func generateServiceAccountKeys() (*certs.KeyPair, error) {
 
 func asExternalSecret(data map[string][]byte, purpose Purpose, clusterName types.NamespacedName, owner metav1.OwnerReference) *corev1.Secret {
 	secret := asSecret(data, purpose, clusterName, owner)
-	secret.Labels[ExternalSecretPurposeLabel] = string(purpose)
+	secret.Labels[ExternalPurposeLabel] = string(purpose)
+
 	return secret
 }
 

test/e2e/e2e_upgrade_test.go

@@ -2,7 +2,7 @@
 // +build e2e
 
 /*
-Copyright 2023 SUSE.
+Copyright 2024 SUSE.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.