Moved trigger and blacklister to ssadmin

This commit moves the in-container admin functions to a new admin executable. In particular, trigger and blacklisting functionality has been moved into a single ssadmin command in the controller image. All necessary changes to dockerfile, Makefile and gitignore are included.
adevhammer · Feb 19, 2019 · f173ef9 · f173ef9
1 parent 2bf46c5
commit f173ef9
Show file tree

Hide file tree

Showing 11 changed files with 56 additions and 67 deletions.
diff --git a/.gitignore b/.gitignore
@@ -14,11 +14,13 @@
 .glide/
 
 /controller
+/ssadmin
 /kubeseal
 /controller.image
 /*-static
 /controller.yaml
 /sealedsecret-crd.yaml
 /docker/controller
+/docker/ssadmin
 *.iml
 .idea
diff --git a/Makefile b/Makefile
@@ -31,19 +31,16 @@ endif
 
 GO_LD_FLAGS = -X main.VERSION=$(VERSION)
 
-all: controller trigger kubeseal
+all: controller ssadmin kubeseal
 
 generate: $(GO_FILES)
 	$(GO) generate $(GO_PACKAGES)
 
 controller: $(GO_FILES)
 	$(GO) build -o $@ $(GO_FLAGS) -ldflags "$(GO_LD_FLAGS)" ./cmd/controller
 
-trigger: $(GO_FILES)
-	$(GO) build -o $@ $(GO_FLAGS) -ldflags "$(GO_LD_FLAGS)" ./cmd/trigger
-
-blacklist: $(GO_FILES)
-	$(GO) build -o $@ $(GO_FLAGS) -ldflags "$(GO_LD_FLAGS)" ./cmd/blacklist
+ssadmin: $(GO_FILES)
+	$(GO) build -o $@ $(GO_FLAGS) -ldflags "$(GO_LD_FLAGS)" ./cmd/ssadmin
 
 kubeseal: $(GO_FILES)
 	$(GO) build -o $@ $(GO_FLAGS) -ldflags "$(GO_LD_FLAGS)" ./cmd/kubeseal
@@ -54,13 +51,10 @@ kubeseal: $(GO_FILES)
 docker/controller: controller-static
 	cp $< $@
 
-docker/trigger: trigger-static
-	cp $< $@
-
-docker/blacklist: blacklist-static
+docker/ssadmin: ssadmin-static
 	cp $< $@
 
-controller.image: docker/Dockerfile docker/controller docker/trigger docker/blacklist
+controller.image: docker/Dockerfile docker/controller docker/ssadmin
 	$(DOCKER) build -t $(CONTROLLER_IMAGE) docker/
 	echo $(CONTROLLER_IMAGE) >$@.tmp
 	mv $@.tmp $@

diff --git a/cmd/blacklist/main.go b/cmd/blacklist/main.go
diff --git a/cmd/controller/funcs.go b/cmd/controller/funcs.go
@@ -123,7 +123,7 @@ func writeKeyToKube(client kubernetes.Interface, key *rsa.PrivateKey, cert *x509
 	return err
 }
 
-func createBlacklist(client kubernetes.Interface, r io.Reader, namespace, blacklistName string, keyRegistry *KeyRegistry, trigger func()) (func(string) error, error) {
+func createBlacklist(client kubernetes.Interface, r io.Reader, namespace, blacklistName string, keyRegistry *KeyRegistry, trigger func()) (func(string) (bool, error), error) {
 	privkey, cert, err := newKey(r)
 	if err != nil {
 		return nil, err
@@ -142,21 +142,22 @@ func createBlacklist(client kubernetes.Interface, r io.Reader, namespace, blackl
 	if _, err := client.Core().Secrets(namespace).Create(blacklist); err != nil {
 		return nil, err
 	}
-	return func(keyName string) error {
+	return func(keyName string) (bool, error) {
 		blacklist, err := client.Core().Secrets(namespace).Get(blacklistName, metav1.GetOptions{})
 		if err != nil {
-			return err
+			return false, err
 		}
 		blacklist.Data[keyName] = []byte{}
 		if _, err = client.Core().Secrets(namespace).Update(blacklist); err != nil {
-			return err
+			return false, err
 		}
 		keyRegistry.blacklistKey(keyName)
 		// If the latest key is being blacklisted, generate a new key
 		if keyName == keyRegistry.CurrentKeyName() {
 			trigger()
+			return true, nil
 		}
-		return nil
+		return false, nil
 	}, nil
 }
 

diff --git a/cmd/controller/main.go b/cmd/controller/main.go
@@ -294,7 +294,7 @@ func main2() error {
 	cnp := func() (string, error) {
 		return keyRegistry.CurrentKeyName(), nil
 	}
-	close, err := triggerserver(blacklister, keyGenTrigger)
+	close, err := adminserver(blacklister, keyGenTrigger)
 	if err != nil {
 		return err
 	}

diff --git a/cmd/controller/server.go b/cmd/controller/server.go
@@ -30,19 +30,21 @@ type secretChecker func([]byte) (bool, error)
 type secretRotator func([]byte) ([]byte, error)
 
 // local server functions
-type blacklistFunc func(string) error
+type blacklistFunc func(string) (bool, error)
 type keyGenTrigger func()
 
-func (b blacklistFunc) Blacklist(keyname string, blank *struct{}) error {
-	return b(keyname)
+func (b blacklistFunc) Blacklist(keyname string, generated *bool) error {
+	gen, err := b(keyname)
+	*generated = gen
+	return err
 }
 
 func (t keyGenTrigger) Trigger(struct{}, *struct{}) error {
 	t()
 	return nil
 }
 
-func triggerserver(bl blacklistFunc, kg keyGenTrigger) (func() error, error) {
+func adminserver(bl blacklistFunc, kg keyGenTrigger) (func() error, error) {
 	lis, err := net.Listen("tcp", *localAddr)
 	if err != nil {
 		return nil, err

diff --git a/cmd/ssadmin/main.go b/cmd/ssadmin/main.go
@@ -0,0 +1,35 @@
+package main
+
+import (
+	"flag"
+	"net"
+	"net/rpc"
+)
+
+var t = false
+
+var (
+	generateKey      = flag.Bool("key-gen", false, "Force controller to generate a new key immediately")
+	blacklistKeyname = flag.String("blacklist", "", "Give a keyname to blacklist")
+
+	generated = &t
+)
+
+func main() {
+	flag.Parse()
+	conn, err := net.Dial("tcp", ":8081")
+	if err != nil {
+		panic(err)
+	}
+	client := rpc.NewClient(conn)
+	if *blacklistKeyname != "" {
+		if err = client.Call("blacklister.Blacklist", *blacklistKeyname, generated); err != nil {
+			panic(err)
+		}
+	}
+	if *generateKey && !*generated {
+		if err = client.Call("trigger.Trigger", struct{}{}, &struct{}{}); err != nil {
+			panic(err)
+		}
+	}
+}
diff --git a/cmd/trigger/main.go b/cmd/trigger/main.go
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -1,8 +1,7 @@
 FROM alpine
 MAINTAINER Angus Lees <gus@inodes.org>
 COPY controller /usr/local/bin/
-COPY trigger /usr/local/bin/
-COPY blacklist /usr/local/bin
+COPY ssadmin /usr/local/bin/
 
 EXPOSE 8080
 EXPOSE 8081

diff --git a/docker/blacklist b/docker/blacklist
diff --git a/docker/trigger b/docker/trigger