From 44f06562ab664b3ca71a54570b4bd326241d60ad Mon Sep 17 00:00:00 2001
From: Anjan Nath
Date: Wed, 15 Jan 2025 12:51:06 +0530
Subject: [PATCH] Copy dependencies of systemd units

copy pull secret file into the VM this removes code adding the pull-secret to the cluster using `oc`, instead it copies the pull secret file to /opt/crc/crc-pullsecret which is then used by a systemd service in the bundle to add the pull secret to the cluster for both the openshift and microshift presets
Update cluster user passwords via systemd this copies the generated kubeadmin and developer user passwords to `/opt/crc/` which is then used by a systemd service and modifies the needed ocp resources
Use systemd to add the root CA for API server access this removes the code patching the configmap admin-kubeconfig-client-ca to use the custom CA, instead it copies the generated CA to '/opt/crc/' which is then used by a systemd service to created the required secret and updates the configmap
---
 pkg/crc/cluster/cluster.go | 44 ++-------------------------
 pkg/crc/cluster/kubeadmin_password.go | 33 +++-----------------
 pkg/crc/machine/start.go | 22 +++++++++-----
 3 files changed, 21 insertions(+), 78 deletions(-)

diff --git a/pkg/crc/cluster/cluster.go b/pkg/crc/cluster/cluster.go
index da963715c9..a2668dcda4 100644
--- a/pkg/crc/cluster/cluster.go
+++ b/pkg/crc/cluster/cluster.go
@@ -3,7 +3,6 @@ package cluster
 import (
 	"context"
 	"crypto/x509"
-	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"math"
@@ -179,40 +178,6 @@ func EnsureSSHKeyPresentInTheCluster(ctx context.Context, ocConfig oc.Config, ss
 	return nil
 }
 
-func EnsurePullSecretPresentInTheCluster(ctx context.Context, ocConfig oc.Config, pullSec PullSecretLoader) error {
-	if err := WaitForOpenshiftResource(ctx, ocConfig, "secret"); err != nil {
-		return err
-	}
-
-	stdout, stderr, err := ocConfig.RunOcCommandPrivate("get", "secret", "pull-secret", "-n", "openshift-config", "-o", `jsonpath="{['data']['\.dockerconfigjson']}"`)
-	if err != nil {
-		return fmt.Errorf("Failed to get pull secret %v: %s", err, stderr)
-	}
-	decoded, err := base64.StdEncoding.DecodeString(stdout)
-	if err != nil {
-		return err
-	}
-	if err := validation.ImagePullSecret(string(decoded)); err == nil {
-		return nil
-	}
-
-	logging.Info("Adding user's pull secret to the cluster...")
-	content, err := pullSec.Value()
-	if err != nil {
-		return err
-	}
-	base64OfPullSec := base64.StdEncoding.EncodeToString([]byte(content))
-	cmdArgs := []string{"patch", "secret", "pull-secret", "-p",
-		fmt.Sprintf(`'{"data":{".dockerconfigjson":"%s"}}'`, base64OfPullSec),
-		"-n", "openshift-config", "--type", "merge"}
-
-	_, stderr, err = ocConfig.RunOcCommandPrivate(cmdArgs...)
-	if err != nil {
-		return fmt.Errorf("Failed to add Pull secret %v: %s", err, stderr)
-	}
-	return nil
-}
-
 func EnsureGeneratedClientCAPresentInTheCluster(ctx context.Context, ocConfig oc.Config, sshRunner *ssh.Runner, selfSignedCACert *x509.Certificate, adminCert string) error {
 	selfSignedCAPem := crctls.CertToPem(selfSignedCACert)
 	if err := WaitForOpenshiftResource(ctx, ocConfig, "configmaps"); err != nil {
@@ -232,13 +197,10 @@ func EnsureGeneratedClientCAPresentInTheCluster(ctx context.Context, ocConfig oc
 	}
 
 	logging.Info("Updating root CA cert to admin-kubeconfig-client-ca configmap...")
-	jsonPath := fmt.Sprintf(`'{"data": {"ca-bundle.crt": %q}}'`, selfSignedCAPem)
-	cmdArgs := []string{"patch", "configmap", "admin-kubeconfig-client-ca",
-		"-n", "openshift-config", "--patch", jsonPath}
-	_, stderr, err = ocConfig.RunOcCommand(cmdArgs...)
-	if err != nil {
-		return fmt.Errorf("Failed to patch admin-kubeconfig-client-ca config map with new CA` %v: %s", err, stderr)
+	if err := sshRunner.CopyDataPrivileged(selfSignedCAPem, "/opt/crc/custom-ca.crt", 0644); err != nil {
+		return fmt.Errorf("Failed to copy generated CA file to VM: %v", err)
 	}
+
 	if err := sshRunner.CopyFile(constants.KubeconfigFilePath, ocConfig.KubeconfigPath, 0644); err != nil {
 		return fmt.Errorf("Failed to copy generated kubeconfig file to VM: %v", err)
 	}
diff --git a/pkg/crc/cluster/kubeadmin_password.go b/pkg/crc/cluster/kubeadmin_password.go
index f8beb9fb13..1fcf5f79ba 100644
--- a/pkg/crc/cluster/kubeadmin_password.go
+++ b/pkg/crc/cluster/kubeadmin_password.go
@@ -13,7 +13,7 @@ import (
 
 	"github.com/crc-org/crc/v2/pkg/crc/constants"
 	"github.com/crc-org/crc/v2/pkg/crc/logging"
-	"github.com/crc-org/crc/v2/pkg/crc/oc"
+	"github.com/crc-org/crc/v2/pkg/crc/ssh"
 	"golang.org/x/crypto/bcrypt"
 )
 
@@ -29,7 +29,7 @@ func GenerateKubeAdminUserPassword() error {
 }
 
 // UpdateKubeAdminUserPassword updates the htpasswd secret
-func UpdateKubeAdminUserPassword(ctx context.Context, ocConfig oc.Config, newPassword string) error {
+func UpdateKubeAdminUserPassword(ctx context.Context, sshRunner *ssh.Runner, newPassword string) error {
 	if newPassword != "" {
 		logging.Infof("Overriding password for kubeadmin user")
 		if err := os.WriteFile(constants.GetKubeAdminPasswordPath(), []byte(strings.TrimSpace(newPassword)), 0600); err != nil {
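Review bot: Once `sshRunner.CopyDataPrivileged(selfSignedCAPem, "/opt/crc/custom-ca.crt", 0644)` succeeds the function returns as though the configmap were already updated, but per the commit description that update is now done later by a unit inside the VM, so a failure there is no longer reported on this code path and callers that previously could rely on the CA being in place on return may no longer be able to. The retained log line `Updating root CA cert to admin-kubeconfig-client-ca configmap...` describes the direct patch this function no longer performs; `logging.Info("Copying generated root CA to the instance for the admin-kubeconfig-client-ca update...")` would say what now happens. Mode 0644 is appropriate here since the file is a CA certificate with no private material. EnsureGeneratedClientCAPresentInTheCluster starts outside this hunk.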
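Review bot: The doc comment kept as context above the new signature, `// UpdateKubeAdminUserPassword updates the htpasswd secret`, no longer describes the function, which now only delivers the password files to the VM for a systemd unit to apply. Suggest `// UpdateKubeAdminUserPassword writes the kubeadmin and developer passwords under /opt/crc in the VM, where a systemd unit applies them to the htpasswd secret.` The `ctx` parameter is retained but, judging by the body in the next hunk, no longer used, which unparam-style linters will flag; keep it only if the signature is deliberately held stable for callers. The function body continues in the following hunk.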
@@ -41,39 +41,14 @@ func UpdateKubeAdminUserPassword(ctx context.Context, ocConfig oc.Config, newPas
 	if err != nil {
 		return fmt.Errorf("Cannot read the kubeadmin user password from file: %w", err)
 	}
 
-	credentials := map[string]string{
-		"developer": "developer",
-		"kubeadmin": kubeAdminPassword,
-	}
-	if err := WaitForOpenshiftResource(ctx, ocConfig, "secret"); err != nil {
+	if err := sshRunner.CopyDataPrivileged([]byte(kubeAdminPassword), "/opt/crc/pass_kubeadmin", 0600); err != nil {
 		return err
 	}
 
-	given, stderr, err := ocConfig.RunOcCommandPrivate("get", "secret", "htpass-secret", "-n", "openshift-config", "-o", `jsonpath="{.data.htpasswd}"`)
-	if err != nil {
-		return fmt.Errorf("%s:%v", stderr, err)
-	}
-	ok, externals, err := compareHtpasswd(given, credentials)
-	if err != nil {
+	if err := sshRunner.CopyDataPrivileged([]byte("developer"), "/opt/crc/pass_developer", 0600); err != nil {
 		return err
 	}
-	if ok {
-		return nil
-	}
-
-	logging.Infof("Changing the password for the kubeadmin user")
-	expected, err := getHtpasswd(credentials, externals)
-	if err != nil {
-		return err
-	}
-	cmdArgs := []string{"patch", "secret", "htpass-secret", "-p",
-		fmt.Sprintf(`'{"data":{"htpasswd":"%s"}}'`, expected),
-		"-n", "openshift-config", "--type", "merge"}
-	_, stderr, err = ocConfig.RunOcCommandPrivate(cmdArgs...)
-	if err != nil {
-		return fmt.Errorf("Failed to update kubeadmin password %v: %s", err, stderr)
-	}
 	return nil
 }
 
diff --git a/pkg/crc/machine/start.go b/pkg/crc/machine/start.go
index 9fad1815a7..6173472879 100644
--- a/pkg/crc/machine/start.go
+++ b/pkg/crc/machine/start.go
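Review bot: The two CopyDataPrivileged calls replace a read-compare-patch sequence that returned an error when the htpasswd secret could not be updated; now the function returns nil as soon as the files are written, so a failure applying them inside the VM is not surfaced to the user from this path. A comment on the first CopyDataPrivileged line should state that contract, e.g. `// consumed by a systemd unit in the bundle; success here means only that the files were delivered, not that the secret was updated`. Both files hold cleartext credentials, so the comment should also say whether the unit removes them after use or whether they are expected to persist at 0600. The bare `return err` on each copy loses which file failed; `return fmt.Errorf("Failed to copy kubeadmin password to VM: %w", err)` (and the developer equivalent) would match the wrapping used earlier in the function.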
@@ -424,6 +424,15 @@ func (client *client) Start(ctx context.Context, startConfig types.StartConfig)
 		}
 	}
 
+	// copy the pull secret into /opt/crc/pull-secret in the instance
+	pullSecret, err := startConfig.PullSecret.Value()
+	if err != nil {
+		return nil, err
+	}
+	if err := sshRunner.CopyDataPrivileged([]byte(pullSecret), "/opt/crc/pull-secret", 0600); err != nil {
+		return nil, errors.Wrap(err, "Unable to send pull-secret to instance")
+	}
+
 	// Add nameserver to VM if provided by User
 	if startConfig.NameServer != "" {
 		if err = addNameServerToInstance(sshRunner, startConfig.NameServer); err != nil {
@@ -509,6 +518,11 @@ func (client *client) Start(ctx context.Context, startConfig types.StartConfig)
 		}, nil
 	}
 
+	// Send the kubeadmin and developer new passwords to the VM
+	if err := cluster.UpdateKubeAdminUserPassword(ctx, sshRunner, startConfig.KubeAdminPassword); err != nil {
+		return nil, errors.Wrap(err, "Failed to update kubeadmin user password")
+	}
+
 	// Check the certs validity inside the vm
 	logging.Info("Verifying validity of the kubelet certificates...")
 	certsExpired, err := cluster.CheckCertsValidity(sshRunner)
@@ -541,10 +555,6 @@ func (client *client) Start(ctx context.Context, startConfig types.StartConfig)
 		return nil, err
 	}
 
-	if err := cluster.EnsurePullSecretPresentInTheCluster(ctx, ocConfig, startConfig.PullSecret); err != nil {
-		return nil, errors.Wrap(err, "Failed to update cluster pull secret")
-	}
-
 	if err := cluster.EnsureSSHKeyPresentInTheCluster(ctx, ocConfig, constants.GetPublicKeyPath()); err != nil {
 		return nil, errors.Wrap(err, "Failed to update ssh public key to machine config")
 	}
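Review bot: The file written here is `/opt/crc/pull-secret`, while the commit description says the unit in the bundle reads `/opt/crc/crc-pullsecret`; one of the two is wrong, and because the consuming unit lives in the bundle rather than in this patch the path deserves a shared constant or at least a comment naming the consumer, e.g. `// consumed by the pull-secret systemd unit shipped in the bundle; the path must match the unit`. `pullSecret, err := startConfig.PullSecret.Value()` also returns the error unwrapped, unlike the other added return, so `return nil, errors.Wrap(err, "Unable to load pull-secret")` would keep the messages consistent. Note that a later step in Start (its failure reads `Failed to update pull secret on the disk`, visible in this patch's last hunk) still writes the pull secret into the VM as well, so the secret now lands in two places on every start; if both are needed, the comment on the first added line should say why. Start continues outside this hunk.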
@@ -553,10 +563,6 @@ func (client *client) Start(ctx context.Context, startConfig types.StartConfig)
 		return nil, errors.Wrap(err, "Failed to update pull secret on the disk")
 	}
 
-	if err := cluster.UpdateKubeAdminUserPassword(ctx, ocConfig, startConfig.KubeAdminPassword); err != nil {
-		return nil, errors.Wrap(err, "Failed to update kubeadmin user password")
-	}
-
 	if client.monitoringEnabled() {
 		logging.Info("Enabling cluster monitoring operator...")
 		if err := cluster.StartMonitoring(ocConfig); err != nil {