diff --git a/CHANGELOG.md b/CHANGELOG.md
index 353ec2014..e929b6993 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,6 +22,7 @@
 - (Bugfix) Do not tolerate False Bootstrap condition in UpToDate evaluation
 - (Improvement) Don't serialize and deprecate two DeploymentReplicationStatus fields
 - (Improvement) Improve error message when replication can't be configured
+- (Bugfix) Fix License handling in case of broken license secret
 ## [1.2.20](https://github.com/arangodb/kube-arangodb/tree/1.2.20) (2022-10-25)
 - (Feature) Add action progress
diff --git a/pkg/deployment/deployment_inspector.go b/pkg/deployment/deployment_inspector.go
index 48a64545d..f3ef8ee18 100644
--- a/pkg/deployment/deployment_inspector.go
+++ b/pkg/deployment/deployment_inspector.go
@@ -273,11 +273,6 @@ func (d *Deployment) inspectDeploymentWithError(ctx context.Context, lastInterva
 return minInspectionInterval, errors.Wrapf(err, "Secret hash validation failed")
 }
- // Check for LicenseKeySecret
- if err := d.resources.ValidateLicenseKeySecret(d.GetCachedStatus()); err != nil {
- return minInspectionInterval, errors.Wrapf(err, "License Key Secret invalid")
- }
-
 // Is the deployment in a good state?
 if status.Conditions.IsTrue(api.ConditionTypeSecretsChanged) {
 return minInspectionInterval, errors.Newf("Secrets changed")
diff --git a/pkg/deployment/reconcile/action_set_license.go b/pkg/deployment/reconcile/action_set_license.go
index 761b489e2..84495e7d2 100644
--- a/pkg/deployment/reconcile/action_set_license.go
+++ b/pkg/deployment/reconcile/action_set_license.go
@@ -52,10 +52,9 @@ func (a *actionLicenseSet) Start(ctx context.Context) (bool, error) {
 return true, nil
 }
- l, ok := k8sutil.GetLicenseFromSecret(a.actionCtx.ACS().CurrentClusterCache(), spec.License.GetSecretName())
-
- if !ok {
- return true, nil
+ l, err := k8sutil.GetLicenseFromSecret(a.actionCtx.ACS().CurrentClusterCache(), spec.License.GetSecretName())
+ if err != nil {
+ return true, err
 }
 if !l.V2.IsV2Set() {
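Review bot: In action_set_license.go the new `return true, err` reports the action as finished and returns an error in the same statement, and nothing in the hunk says why. How the plan executor treats a finished action that also carries an error is not visible here, so the intent should be written down next to the return. A one-line comment would do, for example `// Finish the action: a missing or malformed license secret is not fixed by retrying Start`, if that is indeed the intent. Start's body begins and ends outside the hunk.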
diff --git a/pkg/deployment/reconcile/plan_builder_license.go b/pkg/deployment/reconcile/plan_builder_license.go
index 96a9f885c..4e3f8bba6 100644
--- a/pkg/deployment/reconcile/plan_builder_license.go
+++ b/pkg/deployment/reconcile/plan_builder_license.go
@@ -38,14 +38,14 @@ func (r *Reconciler) updateClusterLicense(ctx context.Context, apiObject k8sutil
 return nil
 }
- l, ok := k8sutil.GetLicenseFromSecret(context.ACS().CurrentClusterCache(), spec.License.GetSecretName())
- if !ok {
- r.log.Str("secret", spec.Authentication.GetJWTSecretName()).Trace("Unable to find license secret key")
+ l, err := k8sutil.GetLicenseFromSecret(context.ACS().CurrentClusterCache(), spec.License.GetSecretName())
+ if err != nil {
+ r.log.Err(err).Error("License secret error")
 return nil
 }
 if !l.V2.IsV2Set() {
- r.log.Str("secret", spec.Authentication.GetJWTSecretName()).Trace("V2 License key is not set")
+ r.log.Str("secret", spec.License.GetSecretName()).Error("V2 License key is not set")
 return nil
 }
diff --git a/pkg/deployment/resources/license.go b/pkg/deployment/resources/license.go
deleted file mode 100644
index 2fc91aca1..000000000
--- a/pkg/deployment/resources/license.go
+++ /dev/null
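Review bot: In updateClusterLicense (plan_builder_license.go) the new `r.log.Err(err).Error("License secret error")` drops the structured `secret` field, while the V2 branch a few lines below now logs `Str("secret", spec.License.GetSecretName())`. Keeping the field on both lets an operator filter the two events the same way: `r.log.Err(err).Str("secret", spec.License.GetSecretName()).Error("License secret error")`, assuming the logger chains in that order. Both messages also moved from Trace to Error while the function still returns nil, so if this builder runs on every reconcile pass a broken secret would repeat the line each time; worth confirming that volume is acceptable. The function continues outside the hunk.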
@@ -1,58 +0,0 @@
-//
-// DISCLAIMER
-//
-// Copyright 2016-2022 ArangoDB GmbH, Cologne, Germany
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-//
-// Copyright holder is ArangoDB GmbH, Cologne, Germany
-//
-
-package resources
-
-import (
- "github.com/arangodb/kube-arangodb/pkg/util/constants"
- "github.com/arangodb/kube-arangodb/pkg/util/errors"
- inspectorInterface "github.com/arangodb/kube-arangodb/pkg/util/k8sutil/inspector"
-)
-
-// ValidateLicenseKeySecret checks if the licens key secret exists and is valid
-func (r *Resources) ValidateLicenseKeySecret(cachedStatus inspectorInterface.Inspector) error {
- spec := r.context.GetSpec().License
-
- if spec.HasSecretName() {
- secretName := spec.GetSecretName()
-
- s, exists := cachedStatus.Secret().V1().GetSimple(secretName)
-
- if !exists {
- return errors.Newf("License secret %s does not exist", s)
- }
-
- if _, ok := s.Data[constants.SecretKeyToken]; ok {
- return nil
- }
-
- if _, ok := s.Data[constants.SecretKeyV2Token]; ok {
- return nil
- }
-
- if _, ok := s.Data[constants.SecretKeyV2License]; ok {
- return nil
- }
-
- return errors.Newf("Invalid secret format")
- }
-
- return nil
-}
diff --git a/pkg/util/k8sutil/license.go b/pkg/util/k8sutil/license.go
index 423c8c11a..8c05b1a93 100644
--- a/pkg/util/k8sutil/license.go
+++ b/pkg/util/k8sutil/license.go
@@ -26,6 +26,7 @@ import (
 "github.com/arangodb/kube-arangodb/pkg/util"
 "github.com/arangodb/kube-arangodb/pkg/util/constants"
+ "github.com/arangodb/kube-arangodb/pkg/util/errors"
 "github.com/arangodb/kube-arangodb/pkg/util/k8sutil/inspector/secret"
 )
@@ -44,10 +45,10 @@ type LicenseSecret struct {
 V2 License
 }
-func GetLicenseFromSecret(secret secret.Inspector, name string) (LicenseSecret, bool) {
+func GetLicenseFromSecret(secret secret.Inspector, name string) (LicenseSecret, error) {
 s, ok := secret.Secret().V1().GetSimple(name)
 if !ok {
- return LicenseSecret{}, false
+ return LicenseSecret{}, errors.Newf("Secret %s not found", name)
 }
 var l LicenseSecret
@@ -70,9 +71,12 @@ func GetLicenseFromSecret(secret secret.Inspector, name string) (LicenseSecret,
 } else {
 l.V2 = License(v2)
 }
+ } else {
+ return LicenseSecret{}, errors.Newf("Key (%s, %s or %s) is missing in the license secret (%s)",
+ constants.SecretKeyToken, constants.SecretKeyV2License, constants.SecretKeyV2Token, name)
 }
- return l, true
+ return l, nil
 }
 func isJSONBytes(s []byte) bool {
diff --git a/pkg/util/k8sutil/license_test.go b/pkg/util/k8sutil/license_test.go
index 7c49ad926..843ad3d52 100644
--- a/pkg/util/k8sutil/license_test.go
+++ b/pkg/util/k8sutil/license_test.go
@@ -98,8 +98,8 @@ func getLicenseFromSecret(t *testing.T, raw, encoded string) {
 require.NoError(t, i.Refresh(context.Background()))
- license, ok := GetLicenseFromSecret(i, n)
- require.True(t, ok)
+ license, err := GetLicenseFromSecret(i, n)
+ require.NoError(t, err)
 require.Empty(t, license.V1)
 require.NotEmpty(t, license.V2)
@@ -111,8 +111,8 @@ func getLicenseFromSecret(t *testing.T, raw, encoded string) {
 require.NoError(t, i.Refresh(context.Background()))
- license, ok := GetLicenseFromSecret(i, n)
- require.True(t, ok)
+ license, err := GetLicenseFromSecret(i, n)
+ require.NoError(t, err)
 require.Empty(t, license.V1)
 require.NotEmpty(t, license.V2)
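Review bot: GetLicenseFromSecret in pkg/util/k8sutil/license.go is exported and its second result changed from bool to error, but the hunk at -44 adds no doc comment saying when it fails. I would add `// GetLicenseFromSecret reads the license from the named secret and returns an error when the secret is not found or contains none of the expected license keys.` above the signature. The same comment covers the new `else` branch in the hunk at -70: both failures are built with `errors.Newf`, so callers can only tell them apart by message text, which is worth stating. The middle of the function lies between the two hunks and is not shown.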
@@ -126,8 +126,8 @@ func getLicenseFromSecret(t *testing.T, raw, encoded string) {
 require.NoError(t, i.Refresh(context.Background()))
- license, ok := GetLicenseFromSecret(i, n)
- require.True(t, ok)
+ license, err := GetLicenseFromSecret(i, n)
+ require.NoError(t, err)
 require.Empty(t, license.V1)
 require.NotEmpty(t, license.V2)
@@ -139,12 +139,27 @@ func getLicenseFromSecret(t *testing.T, raw, encoded string) {
 require.NoError(t, i.Refresh(context.Background()))
- license, ok := GetLicenseFromSecret(i, n)
- require.True(t, ok)
+ license, err := GetLicenseFromSecret(i, n)
+ require.NoError(t, err)
 require.Empty(t, license.V1)
 require.NotEmpty(t, license.V2)
 require.EqualValues(t, encoded, license.V2)
 })
+
+ t.Run("Non existing Secret license", func(t *testing.T) {
+ require.NoError(t, i.Refresh(context.Background()))
+
+ _, err := GetLicenseFromSecret(i, "non-existing-secret")
+ require.Error(t, err)
+ })
+ t.Run("Non existing license secret key", func(t *testing.T) {
+ n := createLicenseSecret(t, c, "wrong-key", raw)
+
+ require.NoError(t, i.Refresh(context.Background()))
+
+ _, err := GetLicenseFromSecret(i, n)
+ require.Error(t, err)
+ })
 })
 }
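Review bot: The two subtests added in the last hunk of license_test.go assert only `require.Error(t, err)`, so they do not pin which failure occurred. The "wrong-key" case would also pass if the secret were simply not found after the refresh. Checking the message ties each test to its branch: `require.ErrorContains(t, err, "is missing in the license secret")` for the wrong-key case and `require.ErrorContains(t, err, "not found")` for the missing secret, provided the vendored testify version has ErrorContains. getLicenseFromSecret starts outside the hunk.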