fix file non-existent error when kmesh start with --enable-ipsec=true#1473
fix file non-existent error when kmesh start with --enable-ipsec=true#1473kmesh-bot merged 4 commits intokmesh-net:mainfrom
Conversation
…psec=true, so resolve no such file error Signed-off-by: aicee <hhbin2000@foxmail.com>
There was a problem hiding this comment.
Summary of Changes
Hello @zrggw, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
This pull request addresses a critical initialization error in Kmesh when IPsec is enabled. Previously, the IPsec controller would fail to start because it attempted to read the IPsec key secret before it was created. My changes introduce a mechanism to automatically generate and persist a default IPsec key as a Kubernetes Secret if one is not found, ensuring the controller can always initialize successfully. This involves updates to the IPsec handler, controller logic, Kubernetes deployment configurations (DaemonSet and RBAC), and includes new unit tests to validate the key generation and secret management.
Highlights
- Automatic IPsec Key Generation: I've introduced a new
initConfigfunction within the IPsec handler that automatically generates a default IPsec key and stores it as a Kubernetes Secret if one doesn't already exist. This ensures that the IPsec controller has a key available from the start. - Improved IPsec Controller Initialization: The IPsec controller's initialization flow has been updated to call this new
initConfigfunction. This resolves an issue where the controller would fail if it tried to read the IPsec key secret before it was created. - Kubernetes Deployment Configuration Updates: I've updated the Kmesh Helm chart's
daemonset.yamlto include a volume mount for the IPsec key file and to define thekmesh-ipsecsecret volume, making the key accessible to the Kmesh pods. - Enhanced RBAC Permissions: The necessary RBAC permissions have been added to
kmesh-rbac.yamlandclusterrole.yaml, allowing Kmesh toget,create,update,delete,list, andwatchKubernetessecretsresources, which is essential for managing the IPsec key. - New Unit Tests for Key Management: Comprehensive unit tests have been added for the
initConfigfunction, verifying its behavior in scenarios where the secret already exists (ensuring it's not overwritten) and confirming the randomness of generated keys.
Using Gemini Code Assist
The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.
Invoking Gemini
You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.
| Feature | Command | Description |
|---|---|---|
| Code Review | /gemini review |
Performs a code review for the current pull request in its current state. |
| Pull Request Summary | /gemini summary |
Provides a summary of the current pull request in its current state. |
| Comment | @gemini-code-assist | Responds in comments when explicitly tagged, both in issue comments and review comments. |
| Help | /gemini help |
Displays a list of available commands. |
Customization
To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.
Limitations & Feedback
Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments or fill out our survey to provide feedback.
You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.
A secret key, unseen, Generated, strong, and keen. If not found, then made anew, For secure paths, fresh and true.
Footnotes
-
Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩
There was a problem hiding this comment.
Pull Request Overview
This PR addresses a bug where Kmesh fails to initialize when IPsec is enabled due to a missing IPsec key secret. The solution generates a default IPsec key during controller initialization to prevent startup failures.
- Adds an
initConfigfunction that creates a default IPsec key secret if none exists - Updates error handling to log warnings instead of failing initialization when key files are missing
- Adds RBAC permissions for secret management and volume mounts for IPsec configuration
Reviewed Changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| pkg/controller/encryption/ipsec/ipsec_handler.go | Implements initConfig function to generate default IPsec keys and updates constants |
| pkg/controller/encryption/ipsec/ipsec_controller.go | Calls initConfig during initialization and changes file loading errors to warnings |
| pkg/controller/encryption/ipsec/ipsec_handler_test.go | Adds comprehensive unit tests for the new initConfig functionality |
| deploy/yaml/clusterrole.yaml | Grants secrets management permissions to the cluster role |
| deploy/charts/kmesh-helm/templates/kmesh-rbac.yaml | Grants secrets management permissions in Helm chart RBAC |
| deploy/charts/kmesh-helm/templates/daemonset.yaml | Adds optional secret volume mount for IPsec configuration |
Comments suppressed due to low confidence (1)
pkg/controller/encryption/ipsec/ipsec_handler_test.go:673
- [nitpick] This test only runs 5 iterations to check key uniqueness. With a 32-byte key, the probability of collision is extremely low, but the test could be strengthened by verifying that keys are not all zeros or have reasonable entropy characteristics.
assert.False(t, aeadKeySet[string(key.AeadKey)], "Key should be unique for each initConfig call")
|
cc @hzxuzhonghu |
There was a problem hiding this comment.
Code Review
This pull request addresses a startup issue with the IPsec controller by ensuring the IPsec key secret is created before being used. The changes are logically sound, but there are a few critical issues to address. Specifically, a potential security vulnerability due to an unchecked error in random key generation, and error handling that could lead to silent failures of the IPsec functionality. I've provided detailed comments and suggestions to improve the robustness and security of the implementation.
|
In my opinion, We shoudld add a |
I am not sure why not waiting until the secret mounted rather than generating an useless key |
To avoid an error (#1289) during IPSec controller initialization, the |
|
I understand, so is there no need to add IPsec configuration when enabling --enable-ipsec=true during kmesh startup? And only let |
Signed-off-by: aicee <hhbin2000@foxmail.com>
Signed-off-by: aicee <hhbin2000@foxmail.com>
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request correctly addresses a startup error when IPsec is enabled without the necessary secret by making the secret volume mount optional and checking for the key file's existence before use. The changes are logical and well-implemented. My review includes one suggestion to improve the robustness of the file existence check in ipsec_controller.go to ensure that potential configuration or permission errors are logged, rather than being silently ignored, which is important for a security-related feature.
Codecov Report❌ Patch coverage is
Continue to review full report in Codecov by Sentry.
🚀 New features to boost your workflow:
|
|
I was thinking maybe we can optimize the secret part of kmeshctl related to IPsec and design the command as
Currently, all these operations are performed by default on the kmesh-ipsec secret. |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: hzxuzhonghu The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What type of PR is this?
/kind bug
/kind enhancement
What this PR does / why we need it:
When kmesh starts, if you set
--enable-ipsec=true, it will report errors during initialization of the ipsec controller because it reads non-existent file. Add a check for whether the file exists before reading the file.Which issue(s) this PR fixes:
Fixes #1289
Special notes for your reviewer:
Does this PR introduce a user-facing change?: