From e8dcd9cb1054bdb3b109466ecf107ef6f867620e Mon Sep 17 00:00:00 2001 From: Justin Santa Barbara Date: Mon, 1 Oct 2018 15:21:15 -0700 Subject: [PATCH] Mirror secrets using API This is much cleaner than doing a file-tree copy, for example if extra files happened to be in the tree (though that's not really possible here) --- upup/pkg/fi/secrets/vfs_secretstore.go | 39 +++++++++++++++++++++++--- upup/pkg/fi/vfs_castore.go | 1 + 2 files changed, 36 insertions(+), 4 deletions(-) diff --git a/upup/pkg/fi/secrets/vfs_secretstore.go b/upup/pkg/fi/secrets/vfs_secretstore.go index 224be980b9..f2c7b02cd8 100644 --- a/upup/pkg/fi/secrets/vfs_secretstore.go +++ b/upup/pkg/fi/secrets/vfs_secretstore.go @@ -50,11 +50,42 @@ func (c *VFSSecretStore) VFSPath() vfs.Path { func (c *VFSSecretStore) MirrorTo(basedir vfs.Path) error { if basedir.Path() == c.basedir.Path() { + glog.V(2).Infof("Skipping mirror of secret store from %q to %q (same path)", c.basedir, basedir) return nil } glog.V(2).Infof("Mirroring secret store from %q to %q", c.basedir, basedir) - return vfs.CopyTree(c.basedir, basedir, func(p vfs.Path) (vfs.ACL, error) { return acls.GetACL(p, c.cluster) }) + secrets, err := c.ListSecrets() + if err != nil { + return fmt.Errorf("error listing secrets for mirror: %v", err) + } + + for _, name := range secrets { + secret, err := c.FindSecret(name) + if err != nil { + return fmt.Errorf("error reading secret %q for mirror: %v", name, err) + } + + if secret == nil { + return fmt.Errorf("unable to find secret %q for mirror", name) + } + + p := BuildVfsSecretPath(basedir, name) + + acl, err := acls.GetACL(p, c.cluster) + if err != nil { + return fmt.Errorf("error building acl for secret %q for mirror: %v", name, err) + } + + glog.Infof("mirroring secret %s -> %s", name, p) + + err = createSecret(secret, p, acl, true) + if err != nil { + return fmt.Errorf("error writing secret %q for mirror: %v", name, err) + } + } + + return nil } func BuildVfsSecretPath(basedir vfs.Path, name string) vfs.Path { @@ -122,7 +153,7 @@ func (c *VFSSecretStore) GetOrCreateSecret(id string, secret *fi.Secret) (*fi.Se return nil, false, err } - err = c.createSecret(secret, p, acl, false) + err = createSecret(secret, p, acl, false) if err != nil { if os.IsExist(err) && i == 0 { glog.Infof("Got already-exists error when writing secret; likely due to concurrent creation. Will retry") @@ -154,7 +185,7 @@ func (c *VFSSecretStore) ReplaceSecret(id string, secret *fi.Secret) (*fi.Secret return nil, err } - err = c.createSecret(secret, p, acl, true) + err = createSecret(secret, p, acl, true) if err != nil { return nil, fmt.Errorf("unable to write secret: %v", err) } @@ -183,7 +214,7 @@ func (c *VFSSecretStore) loadSecret(p vfs.Path) (*fi.Secret, error) { } // createSecret will create the Secret, overwriting an existing secret if replace is true -func (c *VFSSecretStore) createSecret(s *fi.Secret, p vfs.Path, acl vfs.ACL, replace bool) error { +func createSecret(s *fi.Secret, p vfs.Path, acl vfs.ACL, replace bool) error { data, err := json.Marshal(s) if err != nil { return fmt.Errorf("error serializing secret: %v", err) diff --git a/upup/pkg/fi/vfs_castore.go b/upup/pkg/fi/vfs_castore.go index 0fee50fddf..c216d3b4de 100644 --- a/upup/pkg/fi/vfs_castore.go +++ b/upup/pkg/fi/vfs_castore.go @@ -631,6 +631,7 @@ func (c *VFSCAStore) ListSSHCredentials() ([]*kops.SSHCredential, error) { // MirrorTo will copy keys to a vfs.Path, which is often easier for a machine to read func (c *VFSCAStore) MirrorTo(basedir vfs.Path) error { if basedir.Path() == c.basedir.Path() { + glog.V(2).Infof("Skipping key store mirror from %q to %q (same paths)", c.basedir, basedir) return nil } glog.V(2).Infof("Mirroring key store from %q to %q", c.basedir, basedir)