From 6f968d36d2fae9e7967bb93485da172b3690d671 Mon Sep 17 00:00:00 2001
From: Derek Nola
Date: Fri, 22 Mar 2024 10:38:32 -0700
Subject: [PATCH] Enable apiserver to access updated encryption-config.json (#5604)

* Mount server/cred directory. Allows apiserver to see hot reload for encryption-config.json

* Make double mount a TODO

Signed-off-by: Derek Nola
---
 pkg/podexecutor/staticpod.go | 4 ++++
 pkg/staticpod/staticpod.go | 5 +++++
 2 files changed, 9 insertions(+)

diff --git a/pkg/podexecutor/staticpod.go b/pkg/podexecutor/staticpod.go
index ee3a35d808..ad13755ddf 100644
--- a/pkg/podexecutor/staticpod.go
+++ b/pkg/podexecutor/staticpod.go
@@ -327,6 +327,10 @@ func (s *StaticPodConfig) APIServer(_ context.Context, etcdReady <-chan struct{}
 dirs = append(dirs, filepath.Dir(auditLogFile))
 excludeFiles = append(excludeFiles, auditLogFile)
 }
+ // encryption config is refreshed by the secrets-encryption controller
+ // so we mount the directory to allow the pod to see the updates
+ dirs = append(dirs, filepath.Join(s.DataDir, "server/cred"))
+ excludeFiles = append(excludeFiles, filepath.Join(s.DataDir, "server/cred/encryption-config.json"))
 
 apiServerArgs := staticpod.Args{
 Command: "kube-apiserver",
diff --git a/pkg/staticpod/staticpod.go b/pkg/staticpod/staticpod.go
index 69ca651cc4..ec687f91e5 100644
--- a/pkg/staticpod/staticpod.go
+++ b/pkg/staticpod/staticpod.go
@@ -109,6 +109,8 @@ func Run(dir string, args Args) error {
 return err
 }
 
+ // TODO Check to make sure we aren't double mounting directories and the files in those directories
+
 args.Files = append(args.Files, files...)
 pod, err := pod(args)
 if err != nil {
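Review bot: Mounting the whole `server/cred` directory into the kube-apiserver pod (the `dirs = append(dirs, filepath.Join(s.DataDir, "server/cred"))` line) exposes every file in that directory to the container, not only encryption-config.json, and the added comment records neither that widening nor why a per-file mount is unsuitable. I would extend the comment to `// NOTE: the whole server/cred dir is mounted (not just encryption-config.json), presumably because a file bind-mount pins the original inode and would miss rename-based rewrites by the secrets-encryption controller`, so the next reader sees both the reason and the exposure. The path is also spelled twice; deriving the exclude from one variable, `credDir := filepath.Join(s.DataDir, "server/cred")` followed by `excludeFiles = append(excludeFiles, filepath.Join(credDir, "encryption-config.json"))`, keeps the two in step. Whether the directory lands read-only in the pod is not visible here and is worth confirming. APIServer's body starts and ends outside this hunk.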
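Review bot: The new TODO in Run says only "double mounting" without stating what goes wrong or where the check should live, so it is hard to act on; the hunk does not show how `files` is built, so I assume it comes from a readFiles call on the preceding lines. I would make it `// TODO: drop any entry of files whose parent directory is also mounted as a directory; a separate file mount would shadow the directory's copy and, presumably, pin the old inode so updates written under the directory are not seen`. If the directory list is reachable here, that filter could be applied before `args.Files = append(args.Files, files...)` rather than deferred. Run's body starts and ends outside this hunk.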
@@ -411,6 +413,9 @@ func addExtraEnv(p *v1.Pod, extraEnv []string) {
 }
 }
 
+// readFiles takes in the arguments passed to the static pod and returns a list of all files
+// embedded in those arguments to be included in the pod manifest as volumes.
+// excludeFiles are not included in the returned list.
 func readFiles(args, excludeFiles []string) ([]string, error) {
 files := map[string]bool{}
 excludes := map[string]bool{}
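Review bot: The new doc comment on readFiles does not say how excludeFiles are matched; with `excludes := map[string]bool{}` on the hunk's last line the match appears to be an exact-string map lookup, so a caller that spells a path differently from how it appears in args (relative vs absolute, trailing slash) would silently get that file mounted anyway. I would add a sentence: `// excludeFiles appear to be compared by exact string against the paths found in args, so callers must pass them in the same form.` readFiles's body continues past the end of this hunk, so the matching rule should be confirmed against it.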