feat: node key secret to configmap #466
Draft
+493
−476
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ry, using pre-existing node key value if present
…s to take into account the new node key config value
…onfigmaps, pass node keys to both
…id non-deterministic json marshall if key found in existing config
…r collection and configmap builder. Add test helper for creating mock node keys for a crd, update configmap builder test to pass proper nodekeys.
|
This is looking great, I believe all that's missing is removing the secrets from the CRD RBAC perms. As we discussed, we'll want to document the migration strategy so that operators have a way to retain their node keys if desired. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR completely removes the usage of Secrets for Node Keys, instead storing them in ConfigMaps prior to mounting into the fullnode.
The changes follow this pattern:
NodeKeyCollectortype that replaces the secret builder. It gets the node keys from a previous config map or generates new node keys, associating them with theObjectKeyfor a replicaNodeKeysare then passed to:PeerCollector, replacing the Get for Secrets when collecting peersConfigMapControl, for reconciling the node keys during config map buildingNote: In order to prevent
NodeKeysfrom causing unnecessary updates when marshalled to JSON (non-deterministic) and injected into the config map, theNodeKeyCollectorstores the marshalled JSON alongside the NodeKey type. This value will contain the unchanged JSON from the previous configmap, ensuring that non-deterministic JSON marshalling doesn't cause changes to the configmap between reconciles.