istio.io/istio@v0.0.0-20240520182934-d79c90f27776/security/pkg/k8s/controller/casecret.go (about)

     1  // Copyright Istio Authors
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package controller
    16  
import (
	"context"
	"errors"
	"time"

	v1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	corev1 "k8s.io/client-go/kubernetes/typed/core/v1"

	"istio.io/istio/pkg/log"
)
    27  
var (
	// k8sControllerLog is the logging scope ("secretcontroller") shared by
	// the CA secret load/update helpers in this file.
	k8sControllerLog = log.RegisterScope("secretcontroller", "Citadel kubernetes controller log")
)
    29  
// CaSecretController manages the self-signed signing CA secret.
type CaSecretController struct {
	// client is the CoreV1 API surface through which the CA secret is
	// read (Get) and written back (Update).
	client corev1.CoreV1Interface
}
    34  
// NewCaSecretController wraps core in a CaSecretController that reads and
// updates the CA secret through it.
func NewCaSecretController(core corev1.CoreV1Interface) *CaSecretController {
	return &CaSecretController{client: core}
}
    42  
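// LoadCASecretWithRetry reads the secret secretName from namespace, retrying
// a failed Get every retryInterval until more than timeout has elapsed since
// the first attempt. On success it returns the secret and a nil error; once
// the deadline passes it returns a nil secret and the last Get error.
//
// The Get runs under context.TODO() and the retry sleep is unconditional, so
// a caller cannot cancel the loop early; the signature is kept as is for
// compatibility with existing callers.
func (csc *CaSecretController) LoadCASecretWithRetry(secretName, namespace string,
	retryInterval, timeout time.Duration,
) (*v1.Secret, error) {
	start := time.Now()
	for {
		caSecret, err := csc.client.Secrets(namespace).Get(context.TODO(), secretName, metav1.GetOptions{})
		if err == nil {
			return caSecret, nil
		}
		// Log the API error itself: without it an operator cannot tell an
		// RBAC denial from a missing secret or an unreachable API server.
		k8sControllerLog.Errorf("Failed on loading CA secret %s:%s: %v",
			namespace, secretName, err)

		if time.Since(start) > timeout {
			k8sControllerLog.Errorf("Timeout on loading CA secret %s:%s: %v",
				namespace, secretName, err)
			// Do not hand back whatever the failed Get left in caSecret;
			// a non-nil error means the result is meaningless.
			return nil, err
		}
		time.Sleep(retryInterval)
	}
}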
    66  
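// UpdateCASecretWithRetry writes caSecret back to the API server, retrying a
// failed Update every retryInterval until more than timeout has elapsed since
// the first attempt. It returns nil on success and the last Update error once
// the deadline passes. A nil caSecret is rejected with an error instead of
// panicking on the Namespace dereference.
//
// NOTE(review): the same object is resubmitted on every attempt, so an Update
// rejected for a stale resourceVersion keeps failing until timeout — confirm
// callers re-read the secret before calling this.
func (csc *CaSecretController) UpdateCASecretWithRetry(caSecret *v1.Secret,
	retryInterval, timeout time.Duration,
) error {
	if caSecret == nil {
		return errors.New("cannot update a nil CA secret")
	}
	start := time.Now()
	for {
		_, err := csc.client.Secrets(caSecret.Namespace).Update(context.TODO(), caSecret, metav1.UpdateOptions{})
		if err == nil {
			return nil
		}
		// Log the API error itself so the cause (conflict, forbidden,
		// unavailable) is visible without reproducing the failure.
		k8sControllerLog.Errorf("Failed on updating CA secret %s:%s: %v",
			caSecret.Namespace, caSecret.Name, err)

		if time.Since(start) > timeout {
			k8sControllerLog.Errorf("Timeout on updating CA secret %s:%s: %v",
				caSecret.Namespace, caSecret.Name, err)
			return err
		}
		time.Sleep(retryInterval)
	}
}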