mirror of
https://github.com/tailscale/tailscale.git
synced 2024-11-26 19:45:35 +00:00
c919ff540f
We would call Update on the secret, but that was racey and would occasionaly fail. Instead use patch whenever we can. Fixes errors like ``` boot: 2023/08/29 01:03:53 failed to set serve config: sending serve config: updating config: writing ServeConfig to StateStore: Operation cannot be fulfilled on secrets "ts-webdav-kfrzv-0": the object has been modified; please apply your changes to the latest version and try again {"level":"error","ts":"2023-08-29T01:03:48Z","msg":"Reconciler error","controller":"ingress","controllerGroup":"networking.k8s.io","controllerKind":"Ingress","Ingress":{"name":"webdav","namespace":"default"},"namespace":"default","name":"webdav","reconcileID":"96f5cfed-7782-4834-9b75-b0950fd563ed","error":"failed to provision: failed to create or get API key secret: Operation cannot be fulfilled on secrets \"ts-webdav-kfrzv-0\": the object has been modified; please apply your changes to the latest version and try again","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\tsigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/controller/controller.go:324\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\tsigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/controller/controller.go:265\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\tsigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/controller/controller.go:226"} ``` Updates #502 Updates #7895 Signed-off-by: Maisem Ali <maisem@tailscale.com>
121 lines
2.8 KiB
Go
121 lines
2.8 KiB
Go
// Copyright (c) Tailscale Inc & AUTHORS
|
|
// SPDX-License-Identifier: BSD-3-Clause
|
|
|
|
// Package kubestore contains an ipn.StateStore implementation using Kubernetes Secrets.
|
|
|
|
package kubestore
|
|
|
|
import (
|
|
"context"
|
|
"net"
|
|
"strings"
|
|
"time"
|
|
|
|
"tailscale.com/ipn"
|
|
"tailscale.com/kube"
|
|
"tailscale.com/types/logger"
|
|
)
|
|
|
|
// Store is an ipn.StateStore that uses a Kubernetes Secret for persistence.
|
|
type Store struct {
|
|
client *kube.Client
|
|
canPatch bool
|
|
secretName string
|
|
}
|
|
|
|
// New returns a new Store that persists to the named secret.
|
|
func New(_ logger.Logf, secretName string) (*Store, error) {
|
|
c, err := kube.New()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
canPatch, err := c.CheckSecretPermissions(context.Background(), secretName)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &Store{
|
|
client: c,
|
|
canPatch: canPatch,
|
|
secretName: secretName,
|
|
}, nil
|
|
}
|
|
|
|
func (s *Store) SetDialer(d func(ctx context.Context, network, address string) (net.Conn, error)) {
|
|
s.client.SetDialer(d)
|
|
}
|
|
|
|
func (s *Store) String() string { return "kube.Store" }
|
|
|
|
// ReadState implements the StateStore interface.
|
|
func (s *Store) ReadState(id ipn.StateKey) ([]byte, error) {
|
|
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
|
|
defer cancel()
|
|
|
|
secret, err := s.client.GetSecret(ctx, s.secretName)
|
|
if err != nil {
|
|
if st, ok := err.(*kube.Status); ok && st.Code == 404 {
|
|
return nil, ipn.ErrStateNotExist
|
|
}
|
|
return nil, err
|
|
}
|
|
b, ok := secret.Data[sanitizeKey(id)]
|
|
if !ok {
|
|
return nil, ipn.ErrStateNotExist
|
|
}
|
|
return b, nil
|
|
}
|
|
|
|
func sanitizeKey(k ipn.StateKey) string {
|
|
// The only valid characters in a Kubernetes secret key are alphanumeric, -,
|
|
// _, and .
|
|
return strings.Map(func(r rune) rune {
|
|
if r >= 'a' && r <= 'z' || r >= 'A' && r <= 'Z' || r >= '0' && r <= '9' || r == '-' || r == '_' || r == '.' {
|
|
return r
|
|
}
|
|
return '_'
|
|
}, string(k))
|
|
}
|
|
|
|
// WriteState implements the StateStore interface.
|
|
func (s *Store) WriteState(id ipn.StateKey, bs []byte) error {
|
|
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
|
|
defer cancel()
|
|
|
|
secret, err := s.client.GetSecret(ctx, s.secretName)
|
|
if err != nil {
|
|
if st, ok := err.(*kube.Status); ok && st.Code == 404 {
|
|
return s.client.CreateSecret(ctx, &kube.Secret{
|
|
TypeMeta: kube.TypeMeta{
|
|
APIVersion: "v1",
|
|
Kind: "Secret",
|
|
},
|
|
ObjectMeta: kube.ObjectMeta{
|
|
Name: s.secretName,
|
|
},
|
|
Data: map[string][]byte{
|
|
sanitizeKey(id): bs,
|
|
},
|
|
})
|
|
}
|
|
return err
|
|
}
|
|
if s.canPatch {
|
|
m := []kube.JSONPatch{
|
|
{
|
|
Op: "add",
|
|
Path: "/data/" + sanitizeKey(id),
|
|
Value: bs,
|
|
},
|
|
}
|
|
if err := s.client.JSONPatchSecret(ctx, s.secretName, m); err != nil {
|
|
return err
|
|
}
|
|
return nil
|
|
}
|
|
secret.Data[sanitizeKey(id)] = bs
|
|
if err := s.client.UpdateSecret(ctx, secret); err != nil {
|
|
return err
|
|
}
|
|
return err
|
|
}
|