Skip to content

Documentation: fix key rotation command in encryption guide #15365

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Mar 17, 2021
Merged

Documentation: fix key rotation command in encryption guide #15365

merged 1 commit into from
Mar 17, 2021

Conversation

mauriciovasquezbernal
Copy link
Contributor

"kubectl get secret -n kube-system cilium-ipsec-keys" outputs two lines
with "keys:", one is the real key data and other is a "managedField":

$ kubectl get secret -n kube-system cilium-ipsec-keys -o yaml | grep keys:
keys: MyByZmM0MTA2KGdjbShhZXMpKSA3ZTE1YmZlNmQyZjczNGUzZmQ0YTEzM2FlZDU2MGQwMjEzZjBjNmRmIDEyOA==
f:keys: {}

It makes the whole command to get the key id to fail:

$ KEYID=$(kubectl get secret -n kube-system cilium-ipsec-keys -o yaml|grep keys: | awk '{print $2}' | base64 -d | awk '{print $1}')
base64: invalid input

This will be fixed in next Kubernetes release
(kubernetes/kubernetes#96878), in the meanwhile
we can just use "-m 1" for grep to make it only return the first result.

Fixes: 4ea52ae ("cilium: encryption, docs key updates")

Signed-off-by: Mauricio Vásquez mauricio@accuknox.com
Signed-off-by: Mauricio Vásquez mauricio@kinvolk.io

@mauriciovasquezbernal mauriciovasquezbernal requested a review from a team as a code owner March 16, 2021 15:03
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Mar 16, 2021
qmonnet
qmonnet requested changes Mar 16, 2021
View reviewed changes
Copy link
Member

@qmonnet qmonnet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks a lot!
Looks good, but please find a suggestion below.

@qmonnet qmonnet added area/documentation Impacts the documentation, including textual changes, sphinx, or other doc generation code. release-note/misc This PR makes changes that have no direct user impact. labels Mar 16, 2021
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Mar 16, 2021
@maintainer-s-little-helper
Copy link

Commit b6b767b8465bfbd1729550270ed5b954001874ae does not contain "Signed-off-by".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-sign-off The author needs to add signoff to their commits before merge. label Mar 16, 2021
@mauriciovasquezbernal
Documentation: fix key rotation command in encryption guide
537bf79 
"kubectl get secret -n kube-system cilium-ipsec-keys" outputs two lines
with "keys:", one is the real key data and other is a "managedField":

$ kubectl get secret -n kube-system cilium-ipsec-keys -o yaml | grep keys:
  keys: MyByZmM0MTA2KGdjbShhZXMpKSA3ZTE1YmZlNmQyZjczNGUzZmQ0YTEzM2FlZDU2MGQwMjEzZjBjNmRmIDEyOA==
        f:keys: {}

It makes the whole command to get the key id to fail:

$ KEYID=$(kubectl get secret -n kube-system cilium-ipsec-keys -o yaml|grep keys: | awk '{print $2}' | base64 -d | awk '{print $1}')
base64: invalid input

This will be fixed in next Kubernetes release
(kubernetes/kubernetes#96878), in the meanwhile
just use a regular expression in awk to match "keys:" at the begining.

Fixes: 4ea52ae ("cilium: encryption, docs key updates")

Signed-off-by: Mauricio Vásquez <mauricio@accuknox.com>
Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
@mauriciovasquezbernal mauriciovasquezbernal force-pushed the mauricio/fix-encryption-key-rotation-command branch from b6b767b to 537bf79 Compare March 16, 2021 16:18
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-sign-off The author needs to add signoff to their commits before merge. label Mar 16, 2021
qmonnet
qmonnet approved these changes Mar 16, 2021
View reviewed changes
Copy link
Member

@qmonnet qmonnet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks a lot!

@qmonnet qmonnet added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Mar 16, 2021
@joestringer joestringer merged commit 458c623 into cilium:master Mar 17, 2021
@mauriciovasquezbernal mauriciovasquezbernal deleted the mauricio/fix-encryption-key-rotation-command branch March 17, 2021 01:06
@jrajahalme jrajahalme mentioned this pull request Mar 19, 2021
Merged
This was referenced Mar 19, 2021
Merged
Merged
@pchaigno pchaigno mentioned this pull request Mar 26, 2021
Merged
This was referenced Apr 20, 2021
Merged
Merged
Merged
This was referenced Apr 28, 2021
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@qmonnet qmonnet qmonnet approved these changes

Assignees

@qmonnet qmonnet

Labels
area/documentation Impacts the documentation, including textual changes, sphinx, or other doc generation code. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/misc This PR makes changes that have no direct user impact.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@mauriciovasquezbernal @qmonnet @joestringer @jrajahalme