2 changes: 1 addition & 1 deletion api/v1alpha1/crds.go
Expand Up @@ -27,7 +27,7 @@ var (

// +kubebuilder:rbac:groups="",resources=configmaps,verbs=get;create;patch;update
// +kubebuilder:rbac:groups="",resources=services,verbs=create
// +kubebuilder:rbac:groups="",resources=secrets,verbs=create
// +kubebuilder:rbac:groups="",resources=secrets,verbs=create;list;delete
// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;create;update
// +kubebuilder:rbac:groups=batch,resources=jobs,verbs=create;delete;list;watch
// +kubebuilder:rbac:groups=trusted-execution-clusters.io,resources=trustedexecutionclusters,verbs=list;watch
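Review bot: The widened marker on the `secrets` line grants the operator `list` and `delete` on every Secret in the role's scope, not only the key secrets it creates; a `list` response carries the full objects including `data`, so this is a real broadening of read access, and RBAC cannot narrow `list` to named resources the way `resourceNames` can for `get`/`delete`. Whether the generated role is a ClusterRole or a namespaced Role is not visible in this hunk. The reason for the new verbs is only visible in the sibling Rust change, so a comment next to the marker would keep the justification with the grant, e.g. `// list/delete on secrets: trustee::update_secrets resyncs and prunes machine key secrets`. If the sweep selects by label, saying so in that comment (and limiting `delete` to `resourceNames` where the names are predictable) would let a later reviewer judge the blast radius. The enclosing `var (` block begins outside the hunk.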
42 changes: 7 additions & 35 deletions operator/src/register_server.rs
Expand Up @@ -3,7 +3,7 @@
//
// SPDX-License-Identifier: MIT

use anyhow::{Result, anyhow};
use anyhow::Result;
use futures_util::StreamExt;
use k8s_openapi::{
api::{
Expand All @@ -17,11 +17,7 @@ use k8s_openapi::{
util::intstr::IntOrString,
},
};
use kube::runtime::{
controller::{Action, Controller},
finalizer,
finalizer::Event,
};
use kube::runtime::controller::{Action, Controller};
use kube::{Api, Client, Resource};
use log::info;
use std::{collections::BTreeMap, sync::Arc};
Expand All @@ -31,8 +27,6 @@ use operator::*;
use trusted_cluster_operator_lib::Machine;

const INTERNAL_REGISTER_SERVER_PORT: i32 = 8000;
/// Finalizer name to discard decryption keys when a machine is deleted
const MACHINE_FINALIZER: &str = "finalizer.machine.trusted-execution-clusters.io";

pub async fn create_register_server_deployment(
client: Client,
Expand Down Expand Up @@ -128,33 +122,11 @@ async fn keygen_reconcile(
machine: Arc<Machine>,
client: Arc<Client>,
) -> Result<Action, ControllerError> {
let machines: Api<Machine> = Api::default_namespaced(Arc::unwrap_or_clone(client.clone()));
finalizer(&machines, MACHINE_FINALIZER, machine, |ev| async move {
match ev {
Event::Apply(machine) => {
let kube_client = Arc::unwrap_or_clone(client);
let id = &machine.spec.id.clone();
async {
let owner_reference = generate_owner_reference(&Arc::unwrap_or_clone(machine))?;
trustee::generate_secret(kube_client.clone(), id, owner_reference).await?;
trustee::mount_secret(kube_client, id).await
}
.await
.map(|_| Action::await_change())
.map_err(|e| finalizer::Error::<ControllerError>::ApplyFailed(e.into()))
}
Event::Cleanup(machine) => {
let kube_client = Arc::unwrap_or_clone(client);
let id = &machine.spec.id;
trustee::unmount_secret(kube_client, id)
.await
.map(|_| Action::await_change())
.map_err(|e| finalizer::Error::<ControllerError>::CleanupFailed(e.into()))
}
}
})
.await
.map_err(|e| anyhow!("failed to reconcile on machine: {e}").into())
let kube_client = Arc::unwrap_or_clone(client);
let id = &machine.spec.id.clone();
trustee::generate_secret(kube_client.clone(), id).await?;
trustee::update_secrets(kube_client).await?;
Ok(Action::await_change())
}

pub async fn launch_keygen_controller(client: Client) {
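Review bot: With both the finalizer (`Event::Cleanup` → `trustee::unmount_secret`) and the owner reference (`generate_owner_reference` passed into `generate_secret`) removed, nothing in the new `keygen_reconcile` body deletes a machine's key secret when that Machine is deleted; cleanup now appears to rest entirely on `trustee::update_secrets` being reached from a later reconcile, and if I recall correctly kube-runtime's controller does not call the reconciler for an object that has already left its store, so a deleted Machine's secret lingers until some other Machine event fires. If that deferred-pruning contract is intended it should be written on the function, e.g. `/// Creates the key secret for `machine` and then resyncs the whole set of key secrets via trustee::update_secrets; secrets of deleted Machines are pruned on the next reconcile of any Machine, not at deletion time.` Separately, `let id = &machine.spec.id.clone();` clones a String only to borrow the temporary; `let id = &machine.spec.id;` is equivalent since `machine` is held for the whole body. The function's signature begins at the hunk header, outside the visible lines.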