Merge pull request #69 from RobotSail/secret-update

Create Unique Identities for IPFS Containers

Author: RobotSail

controllers/ipfs_controller.go

@@ -143,9 +143,10 @@ func (r *IpfsReconciler) createTrackedObjects(
 
 	mutsa := r.serviceAccount(instance, &sa)
 	mutsvc, svcName := r.serviceCluster(instance, &svc)
+
 	mutCmScripts, cmScriptName := r.ConfigMapScripts(ctx, instance, &cmScripts)
+	mutSecConfig, secConfigName := r.secretConfig(ctx, instance, &secConfig, []byte(clusterSecret), []byte(privateString))
 	mutCmConfig, cmConfigName := r.configMapConfig(instance, &cmConfig, peerID.String())
-	mutSecConfig, secConfigName := r.secretConfig(instance, &secConfig, []byte(clusterSecret), []byte(privateString))
 	mutSts := r.statefulSet(instance, &sts, svcName, secConfigName, cmConfigName, cmScriptName)
 
 	trackedObjects := map[client.Object]controllerutil.MutateFn{

controllers/scripts/config.go

@@ -5,12 +5,10 @@ import (
 	"encoding/json"
 	"fmt"
 	"math"
-	"os"
 	"strconv"
 	"text/template"
 
 	"github.com/alecthomas/units"
-	"github.com/ipfs/interface-go-ipfs-core/options"
 	"github.com/ipfs/kubo/config"
 	"github.com/libp2p/go-libp2p-core/peer"
 )
@@ -28,6 +26,11 @@ user=ipfs
 # This is a custom entrypoint for k8s designed to run ipfs nodes in an appropriate
 # setup for production scenarios.
 
+INDEX="${HOSTNAME##*-}"
+
+PRIVATE_KEY=$(cat "/node-data/privateKey-${INDEX}")
+PEER_ID=$(cat "/node-data/peerID-${INDEX}")
+
 if [[ -f /data/ipfs/config ]]; then
 	if [[ -f /data/ipfs/repo.lock ]]; then
 		rm /data/ipfs/repo.lock
@@ -36,6 +39,9 @@ if [[ -f /data/ipfs/config ]]; then
 fi
 
 echo '{{ .FlattenedConfig }}' > config.json
+sed -i s,_peer-id_,"${PEER_ID}",g config.json
+sed -i s,_private-key_,"${PRIVATE_KEY}",g config.json
+
 ipfs init -- config.json
 
 chown -R ipfs: /data/ipfs
@@ -182,7 +188,7 @@ func applyFlatfsServer(conf *config.Config) error {
 
 // setFlatfsShardFunc Attempts to update the given flatfs configuration to use a shardFunc
 // with the given `n`. If unsuccessful, false will be returned.
-func setFlatfsShardFunc(conf *config.Config, n uint8) error {
+func setFlatfsShardFunc(conf *config.Config, n int8) error {
 	// we want to use next-to-last/3 as the sharding function
 	// as per this issue:
 	// https://github.com/redhat-et/ipfs-operator/issues/32
@@ -210,7 +216,7 @@ func setFlatfsShardFunc(conf *config.Config, n uint8) error {
 			continue
 		}
 		if dsType == "flatfs" {
-			child["shardFunc"] = "/repo/flatfs/shard/v1/next-to-last/" + strconv.FormatUint(uint64(n), 10)
+			child["shardFunc"] = "/repo/flatfs/shard/v1/next-to-last/" + strconv.FormatInt(int64(n), 10)
 			break
 		}
 	}
@@ -241,17 +247,10 @@ func createTemplateConfig(
 	rc config.RelayClient,
 ) (conf config.Config, err error) {
 	// attempt to generate an identity
-	var identity config.Identity
 
-	// try to generate an elliptic curve key first
-	identity, err = config.CreateIdentity(os.Stdout, []options.KeyGenerateOption{
-		options.Key.Type(options.Ed25519Key),
-	})
-	if err != nil {
-		return
-	}
 	// set keys + defaults
-	conf.Identity = identity
+	conf.Identity.PeerID = "_peer-id_"
+	conf.Identity.PrivKey = "_private-key_"
 
 	// apply the server + flatfs profiles
 	if err = applyFlatfsServer(&conf); err != nil {

controllers/secret.go

@@ -1,37 +1,115 @@
 package controllers
 
 import (
+	"context"
+	"strconv"
+	"strings"
+
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
 	clusterv1alpha1 "github.com/redhat-et/ipfs-operator/api/v1alpha1"
 )
 
+const (
+	peerIDPrefix     = "peerID-"
+	privateKeyPrefix = "privateKey-"
+)
+
+// errorFunc Returns a function which returns the provided
+// error when it is called.
+func errorFunc(err error) controllerutil.MutateFn {
+	return func() error {
+		return err
+	}
+}
+
 func (r *IpfsReconciler) secretConfig(
+	ctx context.Context,
 	m *clusterv1alpha1.Ipfs,
 	sec *corev1.Secret,
 	clusterSecret,
 	bootstrapPrivateKey []byte,
 ) (controllerutil.MutateFn, string) {
 	secName := "ipfs-cluster-" + m.Name
-	expected := &corev1.Secret{
+
+	expectedSecret := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      secName,
 			Namespace: m.Namespace,
 		},
-		Data: map[string][]byte{
-			"CLUSTER_SECRET":          clusterSecret,
-			"BOOTSTRAP_PEER_PRIV_KEY": bootstrapPrivateKey,
-		},
 	}
-	expected.DeepCopyInto(sec)
+	// find secret
+	err := r.Get(ctx, client.ObjectKeyFromObject(expectedSecret), expectedSecret)
+	if err != nil && !errors.IsNotFound(err) {
+		return errorFunc(err), ""
+	}
+	// initialize the secret, if needed
+	if err != nil && errors.IsNotFound(err) {
+		expectedSecret.Data = make(map[string][]byte, 0)
+		expectedSecret.StringData = make(map[string]string, 0)
+		// secret doesn't exist
+		err = generateNewIdentities(expectedSecret, 0, m.Spec.Replicas)
+		if err != nil {
+			return errorFunc(err), ""
+		}
+		expectedSecret.Data["CLUSTER_SECRET"] = clusterSecret
+		expectedSecret.Data["BOOTSTRAP_PEER_PRIV_KEY"] = bootstrapPrivateKey
+	}
+
+	// secret does exist
+	numIdentities := countIdentities(expectedSecret)
+	if numIdentities != m.Spec.Replicas {
+		// create more identities if needed, otherwise they will be reused
+		// when scaling down and then up again
+		if numIdentities < m.Spec.Replicas {
+			// create more
+			err = generateNewIdentities(expectedSecret, numIdentities, m.Spec.Replicas)
+			if err != nil {
+				return errorFunc(err), ""
+			}
+		}
+	}
+
+	expectedSecret.DeepCopyInto(sec)
 	// FIXME: catch this error before we run the function being returned
-	if err := ctrl.SetControllerReference(m, sec, r.Scheme); err != nil {
-		return func() error { return err }, ""
+	if err = ctrl.SetControllerReference(m, sec, r.Scheme); err != nil {
+		return errorFunc(err), ""
 	}
 	return func() error {
+		sec.Data = expectedSecret.Data
 		return nil
 	}, secName
 }
+
+// countIdentities Counts the amount of unique peer identities present in the secret.
+func countIdentities(secret *corev1.Secret) int32 {
+	var count int32
+	for key := range secret.Data {
+		if strings.Contains(key, peerIDPrefix) {
+			count++
+		}
+	}
+	return count
+}
+
+// generateNewIdentities Populates the secret data with new Peer IDs
+// and private keys which are mapped based on the replica number.
+func generateNewIdentities(secret *corev1.Secret, start, n int32) error {
+	for i := start; i < n; i++ {
+		// generate new private key & peer id
+		peerID, privKey, err := generateIdentity()
+		if err != nil {
+			return err
+		}
+		peerIDKey := peerIDPrefix + strconv.Itoa(int(i))
+		secret.StringData[peerIDKey] = peerID.String()
+		secretKey := privateKeyPrefix + strconv.Itoa(int(i))
+		secret.StringData[secretKey] = privKey
+	}
+	return nil
+}

controllers/statefulset.go

@@ -101,6 +101,10 @@ func (r *IpfsReconciler) statefulSet(m *clusterv1alpha1.Ipfs,
 									Name:      "configure-script",
 									MountPath: "custom",
 								},
+								{
+									Name:      "ipfs-node-data",
+									MountPath: "/node-data",
+								},
 							},
 						},
 					},
@@ -265,6 +269,14 @@ func (r *IpfsReconciler) statefulSet(m *clusterv1alpha1.Ipfs,
 								},
 							},
 						},
+						{
+							Name: "ipfs-node-data",
+							VolumeSource: corev1.VolumeSource{
+								Secret: &corev1.SecretVolumeSource{
+									SecretName: secretName,
+								},
+							},
+						},
 					},
 				},
 			},