Skip to content

Commit

Permalink
Generate and rotate keys
Browse files Browse the repository at this point in the history
After configuration change, keys need to be
added/removed and rotated in the proper order
to ensure that the sessions don't expire
prematurely.
  • Loading branch information
xek committed Oct 17, 2024
1 parent 01272cf commit 9444571
Showing 1 changed file with 95 additions and 27 deletions.
122 changes: 95 additions & 27 deletions controllers/keystoneapi_controller.go
Original file line number Diff line number Diff line change
Expand Up @@ -1382,42 +1382,110 @@ func (r *KeystoneAPIReconciler) ensureFernetKeys(

if err != nil && !k8s_errors.IsNotFound(err) {
return err
} else if k8s_errors.IsNotFound(err) {
fernetKeys := map[string]string{
"CredentialKeys0": keystone.GenerateFernetKey(),
"CredentialKeys1": keystone.GenerateFernetKey(),
}
var numberKeys int
fmt.Sscan(instance.Spec.FernetMaxActiveKeys, &numberKeys)
for i := 0; i < numberKeys; i++ {
fernetKeys[fmt.Sprintf("FernetKeys%d", i)] = keystone.GenerateFernetKey()
}

tmpl := []util.Template{
{
Name: secretName,
Namespace: instance.Namespace,
Type: util.TemplateTypeNone,
CustomData: fernetKeys,
Labels: labels,
},
}
err := oko_secret.EnsureSecrets(ctx, helper, instance, tmpl, envVars)
if err != nil {
return err
}
} else {
// add hash to envVars
(*envVars)[secret.Name] = env.SetValue(hash)
}

fernetKeys := map[string]string{
"CredentialKeys0": keystone.GenerateFernetKey(),
"CredentialKeys1": keystone.GenerateFernetKey(),
}
var numberKeys int
fmt.Sscan(instance.Spec.FernetMaxActiveKeys, &numberKeys)

var numberKeys int
fmt.Sscan(instance.Spec.FernetMaxActiveKeys, &numberKeys)
changed_keys := false

for i := 0; i < numberKeys; i++ {
key := fmt.Sprintf("FernetKeys%d", i)
v, exists := secret.Data[key]
if exists {
fernetKeys[key] = string(v[:])
} else {
fernetKeys[key] = keystone.GenerateFernetKey()
//
// Remove extra keys when FernetMaxActiveKeys changes
//
extra_key := fmt.Sprintf("FernetKeys%d", numberKeys)
for {
_, exists := secret.Data[extra_key]
if !exists {
break
}
changed_keys = true
i := 1
for {
key := fmt.Sprintf("FernetKeys%d", i)
i += 1
next_key := fmt.Sprintf("FernetKeys%d", i)
_, exists = secret.Data[next_key]
if !exists {
break
}
secret.Data[key] = secret.Data[next_key]
delete(secret.Data, next_key)
}
}
}

tmpl := []util.Template{
{
Name: secretName,
Namespace: instance.Namespace,
Type: util.TemplateTypeNone,
CustomData: fernetKeys,
Labels: labels,
},
}
//
// Add extra keys when FernetMaxActiveKeys changes
//
last_key := fmt.Sprintf("FernetKeys%d", numberKeys-1)
for {
_, exists := secret.Data[last_key]
if exists {
break
}
changed_keys = true
i := 1
next_key_value := []byte(keystone.GenerateFernetKey())
for {
key := fmt.Sprintf("FernetKeys%d", i)
i += 1
key_value, exists := secret.Data[key]
secret.Data[key] = next_key_value
next_key_value = key_value
if !exists {
break
}
}
}

err = oko_secret.EnsureSecrets(ctx, helper, instance, tmpl, envVars)
if err != nil {
return err
if !changed_keys {
return nil
}

fernetKeys := make(map[string]string, len(secret.Data))
for k, v := range secret.Data {
fernetKeys[k] = string(v[:])
}

tmpl := []util.Template{
{
Name: secretName,
Namespace: instance.Namespace,
Type: util.TemplateTypeNone,
CustomData: fernetKeys,
Labels: labels,
},
}

err = oko_secret.EnsureSecrets(ctx, helper, instance, tmpl, envVars)
if err != nil {
return err
}
}

return nil
Expand Down

0 comments on commit 9444571

Please sign in to comment.