Test kubeconfig cert rotation

Signed-off-by: Andrea Mazzotti <[email protected]>

Author: anmazzotti

controlplane/internal/controllers/rke2controlplane_controller.go

@@ -845,6 +845,7 @@ func (r *RKE2ControlPlaneReconciler) reconcileKubeconfig(
 
 	switch {
 	case apierrors.IsNotFound(err):
+		logger.Info("Kubeconfig Secret not found, creating a new one")
 		createErr := kubeconfig.CreateSecretWithOwner(
 			ctx,
 			r.Client,
@@ -853,6 +854,7 @@ func (r *RKE2ControlPlaneReconciler) reconcileKubeconfig(
 			controllerOwnerRef,
 		)
 		if errors.Is(createErr, kubeconfig.ErrDependentCertificateNotFound) {
+			logger.Info("Could not find Secret CA to create Kubeconfig Secret, requeuing...")
 			return ctrl.Result{RequeueAfter: dependentCertRequeueAfter}, nil
 		}
 		// always return if we have just created in order to skip rotation checks
@@ -864,6 +866,7 @@ func (r *RKE2ControlPlaneReconciler) reconcileKubeconfig(
 
 	// only do rotation on owned secrets
 	if !util.IsControlledBy(configSecret, rcp) {
+		logger.Info("Kubeconfig Secret not controlled by RKE2ControlPlane, nothing to do")
 		return ctrl.Result{}, nil
 	}
 
@@ -874,8 +877,7 @@ func (r *RKE2ControlPlaneReconciler) reconcileKubeconfig(
 
 	if needsRotation {
 		logger.Info("Rotating kubeconfig secret")
-
-		if err := kubeconfig.CreateSecretWithOwner(ctx, r.Client, clusterName, endpoint.String(), controllerOwnerRef); err != nil {
+		if err := kubeconfig.UpdateSecret(ctx, r.Client, clusterName, endpoint.String(), configSecret); err != nil {
 			return ctrl.Result{}, errors.Wrap(err, "failed to regenerate kubeconfig")
 		}
 	}

controlplane/internal/controllers/rke2controlplane_controller_test.go

@@ -16,8 +16,10 @@ import (
 	bootstrapv1 "github.com/rancher/cluster-api-provider-rke2/bootstrap/api/v1beta1"
 	controlplanev1 "github.com/rancher/cluster-api-provider-rke2/controlplane/api/v1beta1"
 	"github.com/rancher/cluster-api-provider-rke2/pkg/rke2"
+	"github.com/rancher/cluster-api-provider-rke2/pkg/secret"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 	"sigs.k8s.io/cluster-api/util/certs"
 	"sigs.k8s.io/cluster-api/util/collections"
@@ -212,6 +214,15 @@ var _ = Describe("Reconcile control plane conditions", func() {
 		Expect(testEnv.Client.Create(ctx, cluster)).To(Succeed())
 
 		rcp = &controlplanev1.RKE2ControlPlane{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "test",
+				Namespace: ns.Name,
+				UID:       "foobar",
+			},
+			TypeMeta: metav1.TypeMeta{
+				APIVersion: controlplanev1.GroupVersion.String(),
+				Kind:       rke2ControlPlaneKind,
+			},
 			Status: controlplanev1.RKE2ControlPlaneStatus{
 				Initialized: true,
 			},
@@ -220,16 +231,34 @@ var _ = Describe("Reconcile control plane conditions", func() {
 		cp, err = rke2.NewControlPlane(ctx, testEnv.GetClient(), cluster, rcp, collections.FromMachineList(&ml))
 		Expect(err).ToNot(HaveOccurred())
 
-		ref := metav1.OwnerReference{
-			APIVersion: clusterv1.GroupVersion.String(),
-			Kind:       clusterv1.ClusterKind,
-			UID:        cp.Cluster.GetUID(),
-			Name:       cp.Cluster.GetName(),
+		// Generate new Secret Cluster CA
+		certPEM, _, err := generateCertAndKey(time.Now().Add(3650 * 24 * time.Hour)) // 10 years from now
+		Expect(err).ShouldNot(HaveOccurred())
+		caSecret := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      secret.Name(cluster.Name, secret.ClusterCA),
+				Namespace: ns.Name,
+			},
+			StringData: map[string]string{
+				secret.TLSCrtDataName: string(certPEM),
+			},
 		}
-		Expect(testEnv.Client.Create(ctx, kubeconfig.GenerateSecretWithOwner(
-			client.ObjectKeyFromObject(cp.Cluster),
-			kubeconfig.FromEnvTestConfig(testEnv.Config, cp.Cluster),
-			ref))).To(Succeed())
+		Expect(testEnv.Client.Create(ctx, caSecret)).Should(Succeed())
+
+		// Generate new Secret Client Cluster CA
+		certPEM, keyPEM, err := generateCertAndKey(time.Now().Add(3650 * 24 * time.Hour)) // 10 years from now
+		Expect(err).ShouldNot(HaveOccurred())
+		ccaSecret := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      secret.Name(cluster.Name, secret.ClientClusterCA),
+				Namespace: ns.Name,
+			},
+			StringData: map[string]string{
+				secret.TLSCrtDataName: string(certPEM),
+				secret.TLSKeyDataName: string(keyPEM),
+			},
+		}
+		Expect(testEnv.Client.Create(ctx, ccaSecret)).Should(Succeed())
 	})
 
 	AfterEach(func() {
@@ -244,6 +273,18 @@ var _ = Describe("Reconcile control plane conditions", func() {
 			managementCluster:         &rke2.Management{Client: testEnv.GetClient(), SecretCachingClient: testEnv.GetClient()},
 			managementClusterUncached: &rke2.Management{Client: testEnv.GetClient()},
 		}
+		// Create a new Kubeconfig Secret
+		ref := metav1.OwnerReference{
+			APIVersion: clusterv1.GroupVersion.String(),
+			Kind:       clusterv1.ClusterKind,
+			UID:        cp.Cluster.GetUID(),
+			Name:       cp.Cluster.GetName(),
+		}
+		Expect(testEnv.Client.Create(ctx, kubeconfig.GenerateSecretWithOwner(
+			client.ObjectKeyFromObject(cp.Cluster),
+			kubeconfig.FromEnvTestConfig(testEnv.Config, cp.Cluster),
+			ref))).To(Succeed())
+
 		_, err := r.reconcileControlPlaneConditions(ctx, cp)
 		Expect(err).ToNot(HaveOccurred())
 		Expect(testEnv.Get(ctx, client.ObjectKeyFromObject(machine), machine)).To(Succeed())
@@ -269,22 +310,34 @@ var _ = Describe("Reconcile control plane conditions", func() {
 		clusterName := client.ObjectKey{Namespace: ns.Name, Name: "test"}
 		endpoint := clusterv1.APIEndpoint{Host: "1.2.3.4", Port: 6443}
 
-		// Create kubeconfig secret with short expiry
-		shortExpiryDate := time.Now().Add(24 * time.Hour) // 1 day from now
-		secret, err := createKubeconfigSecret(ns.Name, shortExpiryDate)
+		// Trigger first reconcile to generate a new Kubeconfig Secret
+		_, err = r.reconcileKubeconfig(ctx, clusterName, endpoint, rcp)
 		Expect(err).ToNot(HaveOccurred())
-		Expect(testEnv.Create(ctx, secret)).To(Succeed())
+
+		// Fetch the original Kubeconfig Secret
+		kubeconfigSecret := &corev1.Secret{}
+		Expect(testEnv.Get(ctx, types.NamespacedName{
+			Namespace: ns.Name,
+			Name:      secret.Name(clusterName.Name, secret.Kubeconfig),
+		}, kubeconfigSecret)).Should(Succeed())
+		originalSecret := kubeconfigSecret.DeepCopy()
+
+		// Override the kubeconfig secret with short expiry
+		shortExpiryDate := time.Now().Add(24 * time.Hour) // 1 day from now
+		Expect(updateKubeconfigSecret(kubeconfigSecret, shortExpiryDate)).Should(Succeed())
+		Expect(testEnv.Update(ctx, kubeconfigSecret)).To(Succeed())
 
 		// Check that rotation is needed
-		needsRotation, err := kubeconfig.NeedsClientCertRotation(secret, certs.ClientCertificateRenewalDuration)
+		needsRotation, err := kubeconfig.NeedsClientCertRotation(kubeconfigSecret, certs.ClientCertificateRenewalDuration)
 		Expect(err).ToNot(HaveOccurred())
 		Expect(needsRotation).To(BeTrue())
 
 		// Rotate kubeconfig secret
 		_, err = r.reconcileKubeconfig(ctx, clusterName, endpoint, rcp)
 		Expect(err).ToNot(HaveOccurred())
 
-		Expect(testEnv.Get(ctx, client.ObjectKey{Namespace: ns.Name, Name: secret.Name}, secret)).To(Succeed())
+		Expect(testEnv.Get(ctx, client.ObjectKey{Namespace: ns.Name, Name: kubeconfigSecret.Name}, kubeconfigSecret)).To(Succeed())
+		Expect(kubeconfigSecret.StringData[secret.KubeconfigDataName]).Should(Equal(originalSecret.StringData[secret.KubeconfigDataName]), "Kubeconfig data must have been updated")
 	})
 
 	It("should not rotate kubeconfig secret if not needed", func() {
@@ -297,22 +350,38 @@ var _ = Describe("Reconcile control plane conditions", func() {
 		clusterName := client.ObjectKey{Namespace: ns.Name, Name: "test"}
 		endpoint := clusterv1.APIEndpoint{Host: "1.2.3.4", Port: 6443}
 
-		// Create kubeconfig secret with long expiry
-		longExpiryDate := time.Now().Add(365 * 24 * time.Hour) // 1 year from now
-		secret, err := createKubeconfigSecret(ns.Name, longExpiryDate)
+		// Trigger first reconcile to generate a new Kubeconfig Secret
+		_, err = r.reconcileKubeconfig(ctx, clusterName, endpoint, rcp)
 		Expect(err).ToNot(HaveOccurred())
-		Expect(testEnv.Create(ctx, secret)).To(Succeed())
+		kubeconfigSecret := &corev1.Secret{}
+		Expect(testEnv.Get(ctx, types.NamespacedName{
+			Namespace: ns.Name,
+			Name:      secret.Name(clusterName.Name, secret.Kubeconfig),
+		}, kubeconfigSecret)).Should(Succeed())
+
+		// Override the kubeconfig secret with a long expiry
+		longExpiryDate := time.Now().Add(365 * 24 * time.Hour) // 1 year from now
+		Expect(updateKubeconfigSecret(kubeconfigSecret, longExpiryDate)).Should(Succeed())
+		Expect(testEnv.Update(ctx, kubeconfigSecret)).To(Succeed())
 
 		// Check that no rotation is needed
-		needsRotation, err := kubeconfig.NeedsClientCertRotation(secret, certs.ClientCertificateRenewalDuration)
+		needsRotation, err := kubeconfig.NeedsClientCertRotation(kubeconfigSecret, certs.ClientCertificateRenewalDuration)
 		Expect(err).ToNot(HaveOccurred())
 		Expect(needsRotation).To(BeFalse())
 
+		// Fetch the overridden kubeconfigSecret
+		Expect(testEnv.Get(ctx, types.NamespacedName{
+			Namespace: ns.Name,
+			Name:      secret.Name(clusterName.Name, secret.Kubeconfig),
+		}, kubeconfigSecret)).Should(Succeed())
+		updatedSecret := kubeconfigSecret.DeepCopy()
+
 		// Ensure no rotation occurs
 		_, err = r.reconcileKubeconfig(ctx, clusterName, endpoint, rcp)
 		Expect(err).ToNot(HaveOccurred())
 
-		Expect(testEnv.Get(ctx, client.ObjectKey{Namespace: ns.Name, Name: secret.Name}, secret)).To(Succeed())
+		Expect(testEnv.Get(ctx, client.ObjectKey{Namespace: ns.Name, Name: kubeconfigSecret.Name}, kubeconfigSecret)).To(Succeed())
+		Expect(kubeconfigSecret.StringData[secret.KubeconfigDataName]).Should(Equal(updatedSecret.StringData[secret.KubeconfigDataName]), "Kubeconfig data must stay the same")
 	})
 })
 
@@ -347,20 +416,14 @@ func generateCertAndKey(expiryDate time.Time) ([]byte, []byte, error) {
 	return certPEM, keyPEM, nil
 }
 
-// createKubeconfigSecret creates a Kubernetes secret with a kubeconfig containing a client certificate and key.
-func createKubeconfigSecret(namespace string, expiryDate time.Time) (*corev1.Secret, error) {
+// updateKubeconfigSecret updates a Kubernetes secret with a kubeconfig containing a client certificate and key.
+func updateKubeconfigSecret(configSecret *corev1.Secret, expiryDate time.Time) error {
 	certPEM, keyPEM, err := generateCertAndKey(expiryDate)
 	if err != nil {
-		return nil, err
+		return fmt.Errorf("Generating Cert and Key: %w", err)
 	}
 
-	secret := &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "test-kubeconfig-secret",
-			Namespace: namespace,
-		},
-		Data: map[string][]byte{
-			"value": []byte(fmt.Sprintf(`
+	configSecret.Data[secret.KubeconfigDataName] = []byte(fmt.Sprintf(`
 apiVersion: v1
 kind: Config
 clusters:
@@ -378,9 +441,7 @@ users:
   user:
     client-certificate-data: %s
     client-key-data: %s
-`, base64.StdEncoding.EncodeToString(certPEM), base64.StdEncoding.EncodeToString(keyPEM))),
-		},
-	}
+`, base64.StdEncoding.EncodeToString(certPEM), base64.StdEncoding.EncodeToString(keyPEM)))
 
-	return secret, nil
+	return nil
 }

pkg/kubeconfig/kubeconfig.go

@@ -45,7 +45,7 @@ func generateKubeconfig(ctx context.Context, c client.Client, clusterName client
 	clusterCA, err := secret.GetFromNamespacedName(ctx, c, clusterName, secret.ClusterCA)
 	if err != nil {
 		if apierrors.IsNotFound(errors.Cause(err)) {
-			return nil, ErrDependentCertificateNotFound
+			return nil, fmt.Errorf("getting Cluster CA: %w", ErrDependentCertificateNotFound)
 		}
 
 		return nil, err
@@ -54,7 +54,7 @@ func generateKubeconfig(ctx context.Context, c client.Client, clusterName client
 	clientClusterCA, err := secret.GetFromNamespacedName(ctx, c, clusterName, secret.ClientClusterCA)
 	if err != nil {
 		if apierrors.IsNotFound(errors.Cause(err)) {
-			return nil, ErrDependentCertificateNotFound
+			return nil, fmt.Errorf("getting Client Cluster CA: %w", ErrDependentCertificateNotFound)
 		}
 
 		return nil, err
@@ -166,6 +166,19 @@ func CreateSecretWithOwner(ctx context.Context, c client.Client, clusterName cli
 	return c.Create(ctx, GenerateSecretWithOwner(clusterName, out, owner))
 }
 
+// UpdateSecretWithOwner updates the Kubeconfig secret for the given cluster name, namespace, endpoint, and owner reference.
+func UpdateSecret(ctx context.Context, c client.Client, clusterName client.ObjectKey, endpoint string, configSecret *corev1.Secret) error {
+	server := "https://" + endpoint
+
+	out, err := generateKubeconfig(ctx, c, clusterName, server)
+	if err != nil {
+		return err
+	}
+	configSecret.Data[secret.KubeconfigDataName] = out
+
+	return c.Update(ctx, configSecret)
+}
+
 // GenerateSecret returns a Kubernetes secret for the given Cluster and kubeconfig data.
 func GenerateSecret(cluster *clusterv1.Cluster, data []byte) *corev1.Secret {
 	name := util.ObjectKey(cluster)