[Bugfix] Fix License handling in case of broken license secret (#1180)

2024-12-14 11:57:37 +00:00 · 2022-11-21 23:38:05 +01:00 · 2022-11-21 23:38:05 +01:00 · 8b6fe89a1d
commit 8b6fe89a1d
parent 0d15c83525
7 changed files with 38 additions and 82 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -22,6 +22,7 @@
 - (Bugfix) Do not tolerate False Bootstrap condition in UpToDate evaluation
 - (Improvement) Don't serialize and deprecate two DeploymentReplicationStatus fields
 - (Improvement) Improve error message when replication can't be configured
+- (Bugfix) Fix License handling in case of broken license secret

 ## [1.2.20](https://github.com/arangodb/kube-arangodb/tree/1.2.20) (2022-10-25)
 - (Feature) Add action progress
--- a/pkg/deployment/deployment_inspector.go
+++ b/pkg/deployment/deployment_inspector.go
@ -273,11 +273,6 @@ func (d *Deployment) inspectDeploymentWithError(ctx context.Context, lastInterva
 		return minInspectionInterval, errors.Wrapf(err, "Secret hash validation failed")
 	}

-	// Check for LicenseKeySecret
-	if err := d.resources.ValidateLicenseKeySecret(d.GetCachedStatus()); err != nil {
-		return minInspectionInterval, errors.Wrapf(err, "License Key Secret invalid")
-	}
-
 	// Is the deployment in a good state?
 	if status.Conditions.IsTrue(api.ConditionTypeSecretsChanged) {
 		return minInspectionInterval, errors.Newf("Secrets changed")
--- a/pkg/deployment/reconcile/action_set_license.go
+++ b/pkg/deployment/reconcile/action_set_license.go
@ -52,10 +52,9 @@ func (a *actionLicenseSet) Start(ctx context.Context) (bool, error) {
 		return true, nil
 	}

-	l, ok := k8sutil.GetLicenseFromSecret(a.actionCtx.ACS().CurrentClusterCache(), spec.License.GetSecretName())
-
-	if !ok {
-		return true, nil
+	l, err := k8sutil.GetLicenseFromSecret(a.actionCtx.ACS().CurrentClusterCache(), spec.License.GetSecretName())
+	if err != nil {
+		return true, err
 	}

 	if !l.V2.IsV2Set() {
--- a/pkg/deployment/reconcile/plan_builder_license.go
+++ b/pkg/deployment/reconcile/plan_builder_license.go
@ -38,14 +38,14 @@ func (r *Reconciler) updateClusterLicense(ctx context.Context, apiObject k8sutil
 		return nil
 	}

-	l, ok := k8sutil.GetLicenseFromSecret(context.ACS().CurrentClusterCache(), spec.License.GetSecretName())
-	if !ok {
-		r.log.Str("secret", spec.Authentication.GetJWTSecretName()).Trace("Unable to find license secret key")
+	l, err := k8sutil.GetLicenseFromSecret(context.ACS().CurrentClusterCache(), spec.License.GetSecretName())
+	if err != nil {
+		r.log.Err(err).Error("License secret error")
 		return nil
 	}

 	if !l.V2.IsV2Set() {
-		r.log.Str("secret", spec.Authentication.GetJWTSecretName()).Trace("V2 License key is not set")
+		r.log.Str("secret", spec.License.GetSecretName()).Error("V2 License key is not set")
 		return nil
 	}

--- a/pkg/deployment/resources/license.go
+++ b/pkg/deployment/resources/license.go
@ -1,58 +0,0 @@
-//
-// DISCLAIMER
-//
-// Copyright 2016-2022 ArangoDB GmbH, Cologne, Germany
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-//
-// Copyright holder is ArangoDB GmbH, Cologne, Germany
-//
-
-package resources
-
-import (
-	"github.com/arangodb/kube-arangodb/pkg/util/constants"
-	"github.com/arangodb/kube-arangodb/pkg/util/errors"
-	inspectorInterface "github.com/arangodb/kube-arangodb/pkg/util/k8sutil/inspector"
-)
-
-// ValidateLicenseKeySecret checks if the licens key secret exists and is valid
-func (r *Resources) ValidateLicenseKeySecret(cachedStatus inspectorInterface.Inspector) error {
-	spec := r.context.GetSpec().License
-
-	if spec.HasSecretName() {
-		secretName := spec.GetSecretName()
-
-		s, exists := cachedStatus.Secret().V1().GetSimple(secretName)
-
-		if !exists {
-			return errors.Newf("License secret %s does not exist", s)
-		}
-
-		if _, ok := s.Data[constants.SecretKeyToken]; ok {
-			return nil
-		}
-
-		if _, ok := s.Data[constants.SecretKeyV2Token]; ok {
-			return nil
-		}
-
-		if _, ok := s.Data[constants.SecretKeyV2License]; ok {
-			return nil
-		}
-
-		return errors.Newf("Invalid secret format")
-	}
-
-	return nil
-}
--- a/pkg/util/k8sutil/license.go
+++ b/pkg/util/k8sutil/license.go
@ -26,6 +26,7 @@ import (

 	"github.com/arangodb/kube-arangodb/pkg/util"
 	"github.com/arangodb/kube-arangodb/pkg/util/constants"
+	"github.com/arangodb/kube-arangodb/pkg/util/errors"
 	"github.com/arangodb/kube-arangodb/pkg/util/k8sutil/inspector/secret"
 )

@ -44,10 +45,10 @@ type LicenseSecret struct {
 	V2 License
 }

-func GetLicenseFromSecret(secret secret.Inspector, name string) (LicenseSecret, bool) {
+func GetLicenseFromSecret(secret secret.Inspector, name string) (LicenseSecret, error) {
 	s, ok := secret.Secret().V1().GetSimple(name)
 	if !ok {
-		return LicenseSecret{}, false
+		return LicenseSecret{}, errors.Newf("Secret %s not found", name)
 	}

 	var l LicenseSecret
@ -70,9 +71,12 @@ func GetLicenseFromSecret(secret secret.Inspector, name string) (LicenseSecret,
 		} else {
 			l.V2 = License(v2)
 		}
+	} else {
+		return LicenseSecret{}, errors.Newf("Key (%s, %s or %s) is missing in the license secret (%s)",
+			constants.SecretKeyToken, constants.SecretKeyV2License, constants.SecretKeyV2Token, name)
 	}

-	return l, true
+	return l, nil
 }

 func isJSONBytes(s []byte) bool {
--- a/pkg/util/k8sutil/license_test.go
+++ b/pkg/util/k8sutil/license_test.go
@ -98,8 +98,8 @@ func getLicenseFromSecret(t *testing.T, raw, encoded string) {

 			require.NoError(t, i.Refresh(context.Background()))

-			license, ok := GetLicenseFromSecret(i, n)
-			require.True(t, ok)
+			license, err := GetLicenseFromSecret(i, n)
+			require.NoError(t, err)

 			require.Empty(t, license.V1)
 			require.NotEmpty(t, license.V2)
@ -111,8 +111,8 @@ func getLicenseFromSecret(t *testing.T, raw, encoded string) {

 			require.NoError(t, i.Refresh(context.Background()))

-			license, ok := GetLicenseFromSecret(i, n)
-			require.True(t, ok)
+			license, err := GetLicenseFromSecret(i, n)
+			require.NoError(t, err)

 			require.Empty(t, license.V1)
 			require.NotEmpty(t, license.V2)
@ -126,8 +126,8 @@ func getLicenseFromSecret(t *testing.T, raw, encoded string) {

 			require.NoError(t, i.Refresh(context.Background()))

-			license, ok := GetLicenseFromSecret(i, n)
-			require.True(t, ok)
+			license, err := GetLicenseFromSecret(i, n)
+			require.NoError(t, err)

 			require.Empty(t, license.V1)
 			require.NotEmpty(t, license.V2)
@ -139,12 +139,27 @@ func getLicenseFromSecret(t *testing.T, raw, encoded string) {

 			require.NoError(t, i.Refresh(context.Background()))

-			license, ok := GetLicenseFromSecret(i, n)
-			require.True(t, ok)
+			license, err := GetLicenseFromSecret(i, n)
+			require.NoError(t, err)

 			require.Empty(t, license.V1)
 			require.NotEmpty(t, license.V2)
 			require.EqualValues(t, encoded, license.V2)
 		})
+
+		t.Run("Non existing Secret license", func(t *testing.T) {
+			require.NoError(t, i.Refresh(context.Background()))
+
+			_, err := GetLicenseFromSecret(i, "non-existing-secret")
+			require.Error(t, err)
+		})
+		t.Run("Non existing license secret key", func(t *testing.T) {
+			n := createLicenseSecret(t, c, "wrong-key", raw)
+
+			require.NoError(t, i.Refresh(context.Background()))
+
+			_, err := GetLicenseFromSecret(i, n)
+			require.Error(t, err)
+		})
 	})
 }