cmd/containerboot: simplify k8s setup logic (#13627)

Rearrange conditionals to reduce indentation and make it a bit easier to read
the logic. Also makes some error message updates for better consistency
with the recent decision around capitalising resource names and the
upcoming addition of config secrets.

Updates #cleanup

Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
pull/13729/head
Tom Proctor 1 month ago committed by GitHub
parent 866714a894
commit cba2e76568
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

@ -130,44 +130,51 @@ func (cfg *settings) setupKube(ctx context.Context) error {
} }
canPatch, canCreate, err := kc.CheckSecretPermissions(ctx, cfg.KubeSecret) canPatch, canCreate, err := kc.CheckSecretPermissions(ctx, cfg.KubeSecret)
if err != nil { if err != nil {
return fmt.Errorf("Some Kubernetes permissions are missing, please check your RBAC configuration: %v", err) return fmt.Errorf("some Kubernetes permissions are missing, please check your RBAC configuration: %v", err)
} }
cfg.KubernetesCanPatch = canPatch cfg.KubernetesCanPatch = canPatch
s, err := kc.GetSecret(ctx, cfg.KubeSecret) s, err := kc.GetSecret(ctx, cfg.KubeSecret)
if err != nil && kubeclient.IsNotFoundErr(err) && !canCreate { if err != nil {
return fmt.Errorf("Tailscale state Secret %s does not exist and we don't have permissions to create it. "+ if !kubeclient.IsNotFoundErr(err) {
"If you intend to store tailscale state elsewhere than a Kubernetes Secret, "+ return fmt.Errorf("getting Tailscale state Secret %s: %v", cfg.KubeSecret, err)
"you can explicitly set TS_KUBE_SECRET env var to an empty string. "+ }
"Else ensure that RBAC is set up that allows the service account associated with this installation to create Secrets.", cfg.KubeSecret)
} else if err != nil && !kubeclient.IsNotFoundErr(err) {
return fmt.Errorf("Getting Tailscale state Secret %s: %v", cfg.KubeSecret, err)
}
if cfg.AuthKey == "" && !isOneStepConfig(cfg) { if !canCreate {
if s == nil { return fmt.Errorf("tailscale state Secret %s does not exist and we don't have permissions to create it. "+
log.Print("TS_AUTHKEY not provided and kube secret does not exist, login will be interactive if needed.") "If you intend to store tailscale state elsewhere than a Kubernetes Secret, "+
return nil "you can explicitly set TS_KUBE_SECRET env var to an empty string. "+
"Else ensure that RBAC is set up that allows the service account associated with this installation to create Secrets.", cfg.KubeSecret)
} }
keyBytes, _ := s.Data["authkey"] }
key := string(keyBytes)
// Return early if we already have an auth key.
if cfg.AuthKey != "" || isOneStepConfig(cfg) {
return nil
}
if key != "" { if s == nil {
// This behavior of pulling authkeys from kube secrets was added log.Print("TS_AUTHKEY not provided and state Secret does not exist, login will be interactive if needed.")
// at the same time as the patch permission, so we can enforce return nil
// that we must be able to patch out the authkey after }
// authenticating if you want to use this feature. This avoids
// us having to deal with the case where we might leave behind keyBytes, _ := s.Data["authkey"]
// an unnecessary reusable authkey in a secret, like a rake in key := string(keyBytes)
// the grass.
if !cfg.KubernetesCanPatch { if key != "" {
return errors.New("authkey found in TS_KUBE_SECRET, but the pod doesn't have patch permissions on the secret to manage the authkey.") // Enforce that we must be able to patch out the authkey after
} // authenticating if you want to use this feature. This avoids
cfg.AuthKey = key // us having to deal with the case where we might leave behind
} else { // an unnecessary reusable authkey in a secret, like a rake in
log.Print("No authkey found in kube secret and TS_AUTHKEY not provided, login will be interactive if needed.") // the grass.
if !cfg.KubernetesCanPatch {
return errors.New("authkey found in TS_KUBE_SECRET, but the pod doesn't have patch permissions on the Secret to manage the authkey.")
} }
cfg.AuthKey = key
} }
log.Print("No authkey found in state Secret and TS_AUTHKEY not provided, login will be interactive if needed.")
return nil return nil
} }

Loading…
Cancel
Save