Use patch helper for secrets-encryption labels and annotations

Signed-off-by: Brad Davidson <[email protected]>

Author: brandond

pkg/secretsencrypt/config.go

@@ -221,31 +221,35 @@ func getEncryptionHashFile(runtime *config.ControlRuntime) (string, error) {
 	return string(curEncryptionByte), nil
 }
 
-func BootstrapEncryptionHashAnnotation(node *corev1.Node, runtime *config.ControlRuntime) error {
+func BootstrapEncryptionHashAnnotation(ctx context.Context, runtime *config.ControlRuntime, nodeName string) error {
 	existingAnn, err := getEncryptionHashFile(runtime)
 	if err != nil {
 		return err
 	}
-	node.Annotations[EncryptionHashAnnotation] = existingAnn
-	return nil
+	patch := util.NewPatchList()
+	patcher := util.NewPatcher[*corev1.Node](runtime.Core.Core().V1().Node())
+	patch.Add(existingAnn, "metadata", "annotations", EncryptionHashAnnotation)
+
+	_, err = patcher.Patch(ctx, patch, nodeName)
+	return err
 }
 
 // WriteEncryptionHashAnnotation writes the encryption hash to the node annotation and optionally to a file.
 // The file is used to track the last stage of the reencryption process.
-func WriteEncryptionHashAnnotation(runtime *config.ControlRuntime, node *corev1.Node, skipFile bool, stage string) error {
+func WriteEncryptionHashAnnotation(ctx context.Context, runtime *config.ControlRuntime, nodeName string, skipFile bool, stage string) error {
 	encryptionConfigHash, err := GenEncryptionConfigHash(runtime)
 	if err != nil {
 		return err
 	}
-	if node.Annotations == nil {
-		return fmt.Errorf("node annotations do not exist for %s", node.ObjectMeta.Name)
-	}
 	ann := stage + "-" + encryptionConfigHash
-	node.Annotations[EncryptionHashAnnotation] = ann
-	if _, err = runtime.Core.Core().V1().Node().Update(node); err != nil {
+
+	patch := util.NewPatchList()
+	patcher := util.NewPatcher[*corev1.Node](runtime.Core.Core().V1().Node())
+	patch.Add(ann, "metadata", "annotations", EncryptionHashAnnotation)
+	if _, err = patcher.Patch(ctx, patch, nodeName); err != nil {
 		return err
 	}
-	logrus.Debugf("encryption hash annotation set successfully on node: %s\n", node.ObjectMeta.Name)
+	logrus.Debugf("encryption hash annotation set successfully on node: %s\n", nodeName)
 	if skipFile {
 		return nil
 	}

pkg/server/handlers/secrets-encrypt.go

@@ -28,7 +28,6 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	apiserverconfigv1 "k8s.io/apiserver/pkg/apis/apiserver/v1"
 	"k8s.io/client-go/tools/pager"
-	"k8s.io/client-go/util/retry"
 	"k8s.io/utils/ptr"
 )
 
@@ -252,17 +251,12 @@ func encryptionPrepare(ctx context.Context, control *config.Control, force bool)
 	if err := secretsencrypt.WriteEncryptionConfig(control.Runtime, curKeys, control.EncryptProvider, true); err != nil {
 		return err
 	}
+
 	nodeName := os.Getenv("NODE_NAME")
-	err = retry.RetryOnConflict(retry.DefaultRetry, func() error {
-		node, err := control.Runtime.Core.Core().V1().Node().Get(nodeName, metav1.GetOptions{})
-		if err != nil {
-			return err
-		}
-		return secretsencrypt.WriteEncryptionHashAnnotation(control.Runtime, node, false, secretsencrypt.EncryptionPrepare)
-	})
-	if err != nil {
+	if err := secretsencrypt.WriteEncryptionHashAnnotation(ctx, control.Runtime, nodeName, false, secretsencrypt.EncryptionPrepare); err != nil {
 		return err
 	}
+
 	return cluster.Save(ctx, control, true)
 }
 
@@ -289,21 +283,16 @@ func encryptionRotate(ctx context.Context, control *config.Control, force bool)
 		curKeys.SBKeys = rotatedKeys
 	}
 
-	if err = secretsencrypt.WriteEncryptionConfig(control.Runtime, curKeys, control.EncryptProvider, true); err != nil {
+	if err := secretsencrypt.WriteEncryptionConfig(control.Runtime, curKeys, control.EncryptProvider, true); err != nil {
 		return err
 	}
 	logrus.Infof("Encryption %s keys right rotated\n", control.EncryptProvider)
+
 	nodeName := os.Getenv("NODE_NAME")
-	err = retry.RetryOnConflict(retry.DefaultRetry, func() error {
-		node, err := control.Runtime.Core.Core().V1().Node().Get(nodeName, metav1.GetOptions{})
-		if err != nil {
-			return err
-		}
-		return secretsencrypt.WriteEncryptionHashAnnotation(control.Runtime, node, false, secretsencrypt.EncryptionRotate)
-	})
-	if err != nil {
+	if err := secretsencrypt.WriteEncryptionHashAnnotation(ctx, control.Runtime, nodeName, false, secretsencrypt.EncryptionRotate); err != nil {
 		return err
 	}
+
 	return cluster.Save(ctx, control, true)
 }
 
@@ -318,13 +307,7 @@ func encryptionReencrypt(ctx context.Context, control *config.Control, force boo
 	// Set the reencrypt-active annotation so other nodes know we are in the process of reencrypting.
 	// As this stage is not persisted, we do not write the annotation to file
 	nodeName := os.Getenv("NODE_NAME")
-	if err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
-		node, err := control.Runtime.Core.Core().V1().Node().Get(nodeName, metav1.GetOptions{})
-		if err != nil {
-			return err
-		}
-		return secretsencrypt.WriteEncryptionHashAnnotation(control.Runtime, node, true, secretsencrypt.EncryptionReencryptActive)
-	}); err != nil {
+	if err := secretsencrypt.WriteEncryptionHashAnnotation(ctx, control.Runtime, nodeName, true, secretsencrypt.EncryptionReencryptActive); err != nil {
 		return err
 	}
 
@@ -380,13 +363,7 @@ func encryptionRotateKeys(ctx context.Context, control *config.Control) error {
 	// Set the reencrypt-active annotation so other nodes know we are in the process of reencrypting.
 	// As this stage is not persisted, we do not write the annotation to file
 	nodeName := os.Getenv("NODE_NAME")
-	if err = retry.RetryOnConflict(retry.DefaultRetry, func() error {
-		node, err := control.Runtime.Core.Core().V1().Node().Get(nodeName, metav1.GetOptions{})
-		if err != nil {
-			return err
-		}
-		return secretsencrypt.WriteEncryptionHashAnnotation(control.Runtime, node, true, secretsencrypt.EncryptionReencryptActive)
-	}); err != nil {
+	if err := secretsencrypt.WriteEncryptionHashAnnotation(ctx, control.Runtime, nodeName, true, secretsencrypt.EncryptionReencryptActive); err != nil {
 		return err
 	}
 
@@ -408,16 +385,7 @@ func reencryptAndRemoveKey(ctx context.Context, control *config.Control, skip bo
 
 	// If skipping, revert back to the previous stage and do not remove the key
 	if skip {
-		err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
-			node, err := control.Runtime.Core.Core().V1().Node().Get(nodeName, metav1.GetOptions{})
-			if err != nil {
-				return err
-			}
-			secretsencrypt.BootstrapEncryptionHashAnnotation(node, control.Runtime)
-			_, err = control.Runtime.Core.Core().V1().Node().Update(node)
-			return err
-		})
-		return err
+		return secretsencrypt.BootstrapEncryptionHashAnnotation(ctx, control.Runtime, nodeName)
 	}
 
 	// Remove old key. If there is only one of that key type, the cluster just
@@ -446,17 +414,11 @@ func reencryptAndRemoveKey(ctx context.Context, control *config.Control, skip bo
 		}
 	}
 
-	if err = secretsencrypt.WriteEncryptionConfig(control.Runtime, curKeys, control.EncryptProvider, true); err != nil {
+	if err := secretsencrypt.WriteEncryptionConfig(control.Runtime, curKeys, control.EncryptProvider, true); err != nil {
 		return err
 	}
 
-	if err = retry.RetryOnConflict(retry.DefaultRetry, func() error {
-		node, err := control.Runtime.Core.Core().V1().Node().Get(nodeName, metav1.GetOptions{})
-		if err != nil {
-			return err
-		}
-		return secretsencrypt.WriteEncryptionHashAnnotation(control.Runtime, node, false, secretsencrypt.EncryptionReencryptFinished)
-	}); err != nil {
+	if err := secretsencrypt.WriteEncryptionHashAnnotation(ctx, control.Runtime, nodeName, false, secretsencrypt.EncryptionReencryptFinished); err != nil {
 		return err
 	}
 

pkg/server/server.go

@@ -37,6 +37,7 @@ import (
 	"github.com/sirupsen/logrus"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/wait"
 	clientset "k8s.io/client-go/kubernetes"
 )
 
@@ -549,46 +550,30 @@ func setNodeLabelsAndAnnotations(ctx context.Context, nodes v1.NodeClient, confi
 	if config.DisableAgent || config.ControlConfig.DisableAPIServer {
 		return nil
 	}
-	for {
+
+	patcher := util.NewPatcher[*corev1.Node](nodes)
+	return wait.PollUntilContextCancel(ctx, time.Second, true, func(ctx context.Context) (bool, error) {
 		nodeName := os.Getenv("NODE_NAME")
 		if nodeName == "" {
 			logrus.Info("Waiting for control-plane node agent startup")
-			time.Sleep(1 * time.Second)
-			continue
-		}
-		node, err := nodes.Get(nodeName, metav1.GetOptions{})
-		if err != nil {
-			logrus.Infof("Waiting for control-plane node %s startup: %v", nodeName, err)
-			time.Sleep(1 * time.Second)
-			continue
-		}
-		if node.Labels == nil {
-			node.Labels = make(map[string]string)
+			return false, nil
 		}
-		v, ok := node.Labels[util.ControlPlaneRoleLabelKey]
-		if !ok || v != "true" {
-			node.Labels[util.ControlPlaneRoleLabelKey] = "true"
+
+		patch := util.NewPatchList().Add("true", "metadata", "labels", util.ControlPlaneRoleLabelKey)
+		if _, err := patcher.Patch(ctx, patch, nodeName); err != nil {
+			logrus.Infof("Unable to set control-plane role label: %v", err)
+			return false, nil
 		}
 
 		if config.ControlConfig.EncryptSecrets {
-			if err = secretsencrypt.BootstrapEncryptionHashAnnotation(node, config.ControlConfig.Runtime); err != nil {
-				logrus.Infof("Unable to set encryption hash annotation %s", err.Error())
-				break
+			if err := secretsencrypt.BootstrapEncryptionHashAnnotation(ctx, config.ControlConfig.Runtime, nodeName); err != nil {
+				logrus.Infof("Unable to set encryption hash annotation %v", err)
+				return false, nil
 			}
 		}
-
-		_, err = nodes.Update(node)
-		if err == nil {
-			logrus.Infof("Labels and annotations have been set successfully on node: %s", nodeName)
-			break
-		}
-		select {
-		case <-ctx.Done():
-			return ctx.Err()
-		case <-time.After(time.Second):
-		}
-	}
-	return nil
+		logrus.Infof("Labels and annotations have been set successfully on node: %s", nodeName)
+		return true, nil
+	})
 }
 
 func setClusterDNSConfig(ctx context.Context, config *Config, configMap v1.ConfigMapClient) error {