Delete secrets created if it fails on tenant creation (#274)
Also a fix on a parity condition has been fixed.
This commit is contained in:
Cesar N
GitHub
@@ -422,7 +422,7 @@ func getListTenantsResponse(session *models.Principal, params admin_api.ListTena
|
||||
return listT, nil
|
||||
}
|
||||
|
||||
func getTenantCreatedResponse(session *models.Principal, params admin_api.CreateTenantParams) (*models.CreateTenantResponse, *models.Error) {
|
||||
func getTenantCreatedResponse(session *models.Principal, params admin_api.CreateTenantParams) (response *models.CreateTenantResponse, mError *models.Error) {
|
||||
tenantReq := params.Body
|
||||
minioImage := tenantReq.Image
|
||||
ctx := context.Background()
|
||||
@@ -478,11 +478,24 @@ func getTenantCreatedResponse(session *models.Principal, params admin_api.Create
|
||||
if err != nil {
|
||||
return nil, prepareError(err)
|
||||
}
|
||||
// delete secrets created if an error occurred during tenant creation,
|
||||
defer func() {
|
||||
if mError != nil {
|
||||
log.Printf("deleting secrets created for failed tenant: %s if any\n", tenantName)
|
||||
opts := metav1.ListOptions{
|
||||
LabelSelector: fmt.Sprintf("%s=%s", operator.TenantLabel, tenantName),
|
||||
}
|
||||
err = clientSet.CoreV1().Secrets(ns).DeleteCollection(ctx, metav1.DeleteOptions{}, opts)
|
||||
if err != nil {
|
||||
log.Println("error deleting tenant's secrets:", err)
|
||||
}
|
||||
}
|
||||
}()
|
||||
|
||||
var envrionmentVariables []corev1.EnvVar
|
||||
// Check the Erasure Coding Parity for validity and pass it to Tenant
|
||||
if tenantReq.ErasureCodingParity > 0 {
|
||||
if tenantReq.ErasureCodingParity < 2 && tenantReq.ErasureCodingParity > 8 {
|
||||
if tenantReq.ErasureCodingParity < 2 || tenantReq.ErasureCodingParity > 8 {
|
||||
return nil, prepareError(errorInvalidErasureCodingValue)
|
||||
}
|
||||
envrionmentVariables = append(envrionmentVariables, corev1.EnvVar{
|
||||
@@ -713,7 +726,7 @@ func getTenantCreatedResponse(session *models.Principal, params admin_api.Create
|
||||
|
||||
if tenantReq.ImagePullSecret != "" {
|
||||
imagePullSecret = tenantReq.ImagePullSecret
|
||||
} else if imagePullSecret, err = setImageRegistry(ctx, tenantName, tenantReq.ImageRegistry, clientSet.CoreV1(), ns); err != nil {
|
||||
} else if imagePullSecret, err = setImageRegistry(ctx, tenantReq.ImageRegistry, clientSet.CoreV1(), ns, tenantName); err != nil {
|
||||
return nil, prepareError(err)
|
||||
}
|
||||
// pass the image pull secret to the Tenant
|
||||
@@ -752,7 +765,7 @@ func getTenantCreatedResponse(session *models.Principal, params admin_api.Create
|
||||
return nil, prepareError(err)
|
||||
}
|
||||
}
|
||||
response := &models.CreateTenantResponse{
|
||||
response = &models.CreateTenantResponse{
|
||||
AccessKey: accessKey,
|
||||
SecretKey: secretKey,
|
||||
}
|
||||
@@ -768,7 +781,7 @@ func getTenantCreatedResponse(session *models.Principal, params admin_api.Create
|
||||
|
||||
// setImageRegistry creates a secret to store the private registry credentials, if one exist it updates the existing one
|
||||
// returns the name of the secret created/updated
|
||||
func setImageRegistry(ctx context.Context, tenantName string, req *models.ImageRegistry, clientset v1.CoreV1Interface, namespace string) (string, error) {
|
||||
func setImageRegistry(ctx context.Context, req *models.ImageRegistry, clientset v1.CoreV1Interface, namespace, tenantName string) (string, error) {
|
||||
if req == nil || req.Registry == nil || req.Username == nil || req.Password == nil {
|
||||
return "", nil
|
||||
}
|
||||
@@ -839,7 +852,7 @@ func updateTenantAction(ctx context.Context, operatorClient OperatorClientI, cli
|
||||
minInst.Spec.ImagePullSecret.Name = params.Body.ImagePullSecret
|
||||
} else {
|
||||
// update the image pull secret content
|
||||
if _, err := setImageRegistry(ctx, params.Tenant, imageRegistryReq, clientset, namespace); err != nil {
|
||||
if _, err := setImageRegistry(ctx, imageRegistryReq, clientset, namespace, params.Tenant); err != nil {
|
||||
log.Println("error setting image registry secret:", err)
|
||||
return err
|
||||
}
|
||||
|
||||
@@ -183,10 +183,6 @@ func getTenantUpdateEncryptionResponse(session *models.Principal, params admin_a
|
||||
// getKESConfiguration will generate the KES server certificate secrets, the tenant client secrets for mTLS authentication between MinIO and KES and the
|
||||
// kes-configuration.yaml file used by the KES service (how to connect to the external KMS, eg: Vault, AWS, Gemalto, etc)
|
||||
func getKESConfiguration(ctx context.Context, clientSet K8sClientI, ns string, encryptionCfg *models.EncryptionConfiguration, secretName, tenantName string, autoCert bool) (kesConfiguration *operator.KESConfig, err error) {
|
||||
// Secrets used by the MiniO tenant service
|
||||
//
|
||||
// tenantExternalClientCertSecretName is the name of the secret that will store the certificates for mTLS between MinIO and the KES, eg: app.key and app.crt
|
||||
tenantExternalClientCertSecretName := fmt.Sprintf("%s-tenant-external-client-cert", secretName)
|
||||
// Secrets used by the KES service
|
||||
//
|
||||
// kesExternalCertSecretName is the name of the secret that will store the certificates for TLS in the KES server, eg: server.key and server.crt
|
||||
@@ -195,28 +191,7 @@ func getKESConfiguration(ctx context.Context, clientSet K8sClientI, ns string, e
|
||||
kesClientCertSecretName := fmt.Sprintf("%s-kes-client-cert", secretName)
|
||||
// kesConfigurationSecretName is the name of the secret that will store the configuration file, eg: kes-configuration.yaml
|
||||
kesConfigurationSecretName := fmt.Sprintf("%s-kes-configuration", secretName)
|
||||
// if there's an error during this process we delete all KES configuration secrets
|
||||
defer func() {
|
||||
if err != nil {
|
||||
errDelete := clientSet.deleteSecret(ctx, ns, tenantExternalClientCertSecretName, metav1.DeleteOptions{})
|
||||
if errDelete != nil {
|
||||
log.Print(errDelete)
|
||||
}
|
||||
errDelete = clientSet.deleteSecret(ctx, ns, kesExternalCertSecretName, metav1.DeleteOptions{})
|
||||
if errDelete != nil {
|
||||
log.Print(errDelete)
|
||||
}
|
||||
errDelete = clientSet.deleteSecret(ctx, ns, kesClientCertSecretName, metav1.DeleteOptions{})
|
||||
if errDelete != nil {
|
||||
log.Print(errDelete)
|
||||
}
|
||||
errDelete = clientSet.deleteSecret(ctx, ns, kesConfigurationSecretName, metav1.DeleteOptions{})
|
||||
if errDelete != nil {
|
||||
log.Print(errDelete)
|
||||
}
|
||||
return
|
||||
}
|
||||
}()
|
||||
|
||||
kesConfiguration = &operator.KESConfig{
|
||||
Image: "minio/kes:v0.11.0",
|
||||
Replicas: 1,
|
||||
|
||||
Reference in New Issue
Block a user