Merge pull request #5011 from fluxcd/remove-deprecated-tls-flags

Remove TLS deprecated flags from `flux create secret`
fluxcd · Sep 27, 2024 · cf26cf2 · cf26cf2
2 parents 3e4524b + a3dbf31
commit cf26cf2
Show file tree

Hide file tree

Showing 16 changed files with 29 additions and 200 deletions.
diff --git a/cmd/flux/bootstrap_bitbucket_server.go b/cmd/flux/bootstrap_bitbucket_server.go
@@ -226,7 +226,7 @@ func bootstrapBServerCmdRun(cmd *cobra.Command, args []string) error {
 			secretOpts.Username = bServerArgs.username
 		}
 		secretOpts.Password = bitbucketToken
-		secretOpts.CAFile = caBundle
+		secretOpts.CACrt = caBundle
 	} else {
 		keypair, err := sourcesecret.LoadKeyPairFromPath(bootstrapArgs.privateKeyFile, gitArgs.password)
 		if err != nil {

diff --git a/cmd/flux/bootstrap_git.go b/cmd/flux/bootstrap_git.go
@@ -243,7 +243,7 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 			secretOpts.Password = gitArgs.password
 		}
 
-		secretOpts.CAFile = caBundle
+		secretOpts.CACrt = caBundle
 
 		// Remove port of the given host when not syncing over HTTP/S to not assume port for protocol
 		// This _might_ be overwritten later on by e.g. --ssh-hostname

diff --git a/cmd/flux/bootstrap_gitea.go b/cmd/flux/bootstrap_gitea.go
@@ -210,7 +210,7 @@ func bootstrapGiteaCmdRun(cmd *cobra.Command, args []string) error {
 	if bootstrapArgs.tokenAuth {
 		secretOpts.Username = "git"
 		secretOpts.Password = gtToken
-		secretOpts.CAFile = caBundle
+		secretOpts.CACrt = caBundle
 	} else {
 		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
 		secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)

diff --git a/cmd/flux/bootstrap_github.go b/cmd/flux/bootstrap_github.go
@@ -217,7 +217,7 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 	if bootstrapArgs.tokenAuth {
 		secretOpts.Username = "git"
 		secretOpts.Password = ghToken
-		secretOpts.CAFile = caBundle
+		secretOpts.CACrt = caBundle
 	} else {
 		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
 		secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)

diff --git a/cmd/flux/bootstrap_gitlab.go b/cmd/flux/bootstrap_gitlab.go
@@ -257,10 +257,10 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 	if bootstrapArgs.tokenAuth {
 		secretOpts.Username = "git"
 		secretOpts.Password = glToken
-		secretOpts.CAFile = caBundle
+		secretOpts.CACrt = caBundle
 	} else if gitlabArgs.deployTokenAuth {
 		// the actual deploy token will be reconciled later
-		secretOpts.CAFile = caBundle
+		secretOpts.CACrt = caBundle
 	} else {
 		keypair, err := sourcesecret.LoadKeyPairFromPath(bootstrapArgs.privateKeyFile, gitArgs.password)
 		if err != nil {

diff --git a/cmd/flux/create_secret_git.go b/cmd/flux/create_secret_git.go
@@ -87,7 +87,6 @@ type secretGitFlags struct {
 	keyAlgorithm   flags.PublicKeyAlgorithm
 	rsaBits        flags.RSAKeyBits
 	ecdsaCurve     flags.ECDSACurve
-	caFile         string
 	caCrtFile      string
 	privateKeyFile string
 	bearerToken    string
@@ -102,8 +101,7 @@ func init() {
 	createSecretGitCmd.Flags().Var(&secretGitArgs.keyAlgorithm, "ssh-key-algorithm", secretGitArgs.keyAlgorithm.Description())
 	createSecretGitCmd.Flags().Var(&secretGitArgs.rsaBits, "ssh-rsa-bits", secretGitArgs.rsaBits.Description())
 	createSecretGitCmd.Flags().Var(&secretGitArgs.ecdsaCurve, "ssh-ecdsa-curve", secretGitArgs.ecdsaCurve.Description())
-	createSecretGitCmd.Flags().StringVar(&secretGitArgs.caFile, "ca-file", "", "path to TLS CA file used for validating self-signed certificates")
-	createSecretGitCmd.Flags().StringVar(&secretGitArgs.caCrtFile, "ca-crt-file", "", "path to TLS CA certificate file used for validating self-signed certificates; takes precedence over --ca-file")
+	createSecretGitCmd.Flags().StringVar(&secretGitArgs.caCrtFile, "ca-crt-file", "", "path to TLS CA certificate file used for validating self-signed certificates")
 	createSecretGitCmd.Flags().StringVar(&secretGitArgs.privateKeyFile, "private-key-file", "", "path to a passwordless private key file used for authenticating to the Git SSH server")
 	createSecretGitCmd.Flags().StringVar(&secretGitArgs.bearerToken, "bearer-token", "", "bearer authentication token")
 
@@ -169,11 +167,6 @@ func createSecretGitCmdRun(cmd *cobra.Command, args []string) error {
 			if err != nil {
 				return fmt.Errorf("unable to read TLS CA file: %w", err)
 			}
-		} else if secretGitArgs.caFile != "" {
-			opts.CAFile, err = os.ReadFile(secretGitArgs.caFile)
-			if err != nil {
-				return fmt.Errorf("unable to read TLS CA file: %w", err)
-			}
 		}
 	default:
 		return fmt.Errorf("git URL scheme '%s' not supported, can be: ssh, http and https", u.Scheme)

diff --git a/cmd/flux/create_secret_helm.go b/cmd/flux/create_secret_helm.go
@@ -58,12 +58,9 @@ func init() {
 	flags := createSecretHelmCmd.Flags()
 	flags.StringVarP(&secretHelmArgs.username, "username", "u", "", "basic authentication username")
 	flags.StringVarP(&secretHelmArgs.password, "password", "p", "", "basic authentication password")
-
-	initSecretDeprecatedTLSFlags(flags, &secretHelmArgs.secretTLSFlags)
-	deprecationMsg := "please use the command `flux create secret tls` to generate TLS secrets"
-	flags.MarkDeprecated("cert-file", deprecationMsg)
-	flags.MarkDeprecated("key-file", deprecationMsg)
-	flags.MarkDeprecated("ca-file", deprecationMsg)
+	flags.StringVar(&secretHelmArgs.tlsCrtFile, "tls-crt-file", "", "TLS authentication cert file path")
+	flags.StringVar(&secretHelmArgs.tlsKeyFile, "tls-key-file", "", "TLS authentication key file path")
+	flags.StringVar(&secretHelmArgs.caCrtFile, "ca-crt-file", "", "TLS authentication CA file path")
 
 	createSecretCmd.AddCommand(createSecretHelmCmd)
 }
@@ -77,20 +74,20 @@ func createSecretHelmCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	caBundle := []byte{}
-	if secretHelmArgs.caFile != "" {
+	if secretHelmArgs.caCrtFile != "" {
 		var err error
-		caBundle, err = os.ReadFile(secretHelmArgs.caFile)
+		caBundle, err = os.ReadFile(secretHelmArgs.caCrtFile)
 		if err != nil {
 			return fmt.Errorf("unable to read TLS CA file: %w", err)
 		}
 	}
 
 	var certFile, keyFile []byte
-	if secretHelmArgs.certFile != "" && secretHelmArgs.keyFile != "" {
-		if certFile, err = os.ReadFile(secretHelmArgs.certFile); err != nil {
+	if secretHelmArgs.tlsCrtFile != "" && secretHelmArgs.tlsKeyFile != "" {
+		if certFile, err = os.ReadFile(secretHelmArgs.tlsCrtFile); err != nil {
 			return fmt.Errorf("failed to read cert file: %w", err)
 		}
-		if keyFile, err = os.ReadFile(secretHelmArgs.keyFile); err != nil {
+		if keyFile, err = os.ReadFile(secretHelmArgs.tlsKeyFile); err != nil {
 			return fmt.Errorf("failed to read key file: %w", err)
 		}
 	}
@@ -101,9 +98,9 @@ func createSecretHelmCmdRun(cmd *cobra.Command, args []string) error {
 		Labels:    labels,
 		Username:  secretHelmArgs.username,
 		Password:  secretHelmArgs.password,
-		CAFile:    caBundle,
-		CertFile:  certFile,
-		KeyFile:   keyFile,
+		CACrt:     caBundle,
+		TLSCrt:    certFile,
+		TLSKey:    keyFile,
 	}
 	secret, err := sourcesecret.Generate(opts)
 	if err != nil {

diff --git a/cmd/flux/create_secret_tls.go b/cmd/flux/create_secret_tls.go
@@ -22,7 +22,6 @@ import (
 	"os"
 
 	"github.com/spf13/cobra"
-	"github.com/spf13/pflag"
 	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/yaml"
 
@@ -33,8 +32,8 @@ import (
 var createSecretTLSCmd = &cobra.Command{
 	Use:   "tls [name]",
 	Short: "Create or update a Kubernetes secret with TLS certificates",
-	Long:  withPreviewNote(`The create secret tls command generates a Kubernetes secret with certificates for use with TLS.`),
-	Example: ` # Create a TLS secret on disk and encrypt it with Mozilla SOPS.
+	Long:  `The create secret tls command generates a Kubernetes secret with certificates for use with TLS.`,
+	Example: ` # Create a TLS secret on disk and encrypt it with SOPS.
   # Files are expected to be PEM-encoded.
   flux create secret tls certs \
     --namespace=my-namespace \
@@ -49,36 +48,17 @@ var createSecretTLSCmd = &cobra.Command{
 }
 
 type secretTLSFlags struct {
-	certFile   string
-	keyFile    string
-	caFile     string
 	caCrtFile  string
 	tlsKeyFile string
 	tlsCrtFile string
 }
 
 var secretTLSArgs secretTLSFlags
 
-func initSecretDeprecatedTLSFlags(flags *pflag.FlagSet, args *secretTLSFlags) {
-	flags.StringVar(&args.certFile, "cert-file", "", "TLS authentication cert file path")
-	flags.StringVar(&args.keyFile, "key-file", "", "TLS authentication key file path")
-	flags.StringVar(&args.caFile, "ca-file", "", "TLS authentication CA file path")
-}
-
-func initSecretTLSFlags(flags *pflag.FlagSet, args *secretTLSFlags) {
-	flags.StringVar(&args.tlsCrtFile, "tls-crt-file", "", "TLS authentication cert file path")
-	flags.StringVar(&args.tlsKeyFile, "tls-key-file", "", "TLS authentication key file path")
-	flags.StringVar(&args.caCrtFile, "ca-crt-file", "", "TLS authentication CA file path")
-}
-
 func init() {
-	flags := createSecretTLSCmd.Flags()
-	initSecretDeprecatedTLSFlags(flags, &secretTLSArgs)
-	initSecretTLSFlags(flags, &secretTLSArgs)
-
-	flags.MarkDeprecated("cert-file", "please use --tls-crt-file instead")
-	flags.MarkDeprecated("key-file", "please use --tls-key-file instead")
-	flags.MarkDeprecated("ca-file", "please use --ca-crt-file instead")
+	createSecretTLSCmd.Flags().StringVar(&secretTLSArgs.tlsCrtFile, "tls-crt-file", "", "TLS authentication cert file path")
+	createSecretTLSCmd.Flags().StringVar(&secretTLSArgs.tlsKeyFile, "tls-key-file", "", "TLS authentication key file path")
+	createSecretTLSCmd.Flags().StringVar(&secretTLSArgs.caCrtFile, "ca-crt-file", "", "TLS authentication CA file path")
 
 	createSecretCmd.AddCommand(createSecretTLSCmd)
 }
@@ -102,11 +82,6 @@ func createSecretTLSCmdRun(cmd *cobra.Command, args []string) error {
 		if err != nil {
 			return fmt.Errorf("unable to read TLS CA file: %w", err)
 		}
-	} else if secretTLSArgs.caFile != "" {
-		opts.CAFile, err = os.ReadFile(secretTLSArgs.caFile)
-		if err != nil {
-			return fmt.Errorf("unable to read TLS CA file: %w", err)
-		}
 	}
 
 	if secretTLSArgs.tlsCrtFile != "" && secretTLSArgs.tlsKeyFile != "" {
@@ -116,13 +91,6 @@ func createSecretTLSCmdRun(cmd *cobra.Command, args []string) error {
 		if opts.TLSKey, err = os.ReadFile(secretTLSArgs.tlsKeyFile); err != nil {
 			return fmt.Errorf("failed to read key file: %w", err)
 		}
-	} else if secretTLSArgs.certFile != "" && secretTLSArgs.keyFile != "" {
-		if opts.CertFile, err = os.ReadFile(secretTLSArgs.certFile); err != nil {
-			return fmt.Errorf("failed to read cert file: %w", err)
-		}
-		if opts.KeyFile, err = os.ReadFile(secretTLSArgs.keyFile); err != nil {
-			return fmt.Errorf("failed to read key file: %w", err)
-		}
 	}
 
 	secret, err := sourcesecret.Generate(opts)

diff --git a/cmd/flux/create_secret_tls_test.go b/cmd/flux/create_secret_tls_test.go
@@ -18,10 +18,6 @@ func TestCreateTlsSecret(t *testing.T) {
 			args:   "create secret tls certs --namespace=my-namespace --tls-crt-file=./testdata/create_secret/tls/test-cert.pem --tls-key-file=./testdata/create_secret/tls/test-key.pem --ca-crt-file=./testdata/create_secret/tls/test-ca.pem --export",
 			assert: assertGoldenFile("testdata/create_secret/tls/secret-tls.yaml"),
 		},
-		{
-			args:   "create secret tls certs --namespace=my-namespace --cert-file=./testdata/create_secret/tls/test-cert.pem --key-file=./testdata/create_secret/tls/test-key.pem --ca-file=./testdata/create_secret/tls/test-ca.pem --export",
-			assert: assertGoldenFile("testdata/create_secret/tls/deprecated-secret-tls.yaml"),
-		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

diff --git a/cmd/flux/create_source_git.go b/cmd/flux/create_source_git.go
@@ -293,7 +293,7 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 				if err != nil {
 					return fmt.Errorf("unable to read TLS CA file: %w", err)
 				}
-				secretOpts.CAFile = caBundle
+				secretOpts.CACrt = caBundle
 			}
 			secretOpts.Username = sourceGitArgs.username
 			secretOpts.Password = sourceGitArgs.password

diff --git a/cmd/flux/create_source_helm.go b/cmd/flux/create_source_helm.go
@@ -197,9 +197,9 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 			Namespace:    *kubeconfigArgs.Namespace,
 			Username:     sourceHelmArgs.username,
 			Password:     sourceHelmArgs.password,
-			CAFile:       caBundle,
-			CertFile:     certFile,
-			KeyFile:      keyFile,
+			CACrt:        caBundle,
+			TLSCrt:       certFile,
+			TLSKey:       keyFile,
 			ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 		}
 		secret, err := sourcesecret.Generate(secretOpts)

diff --git a/cmd/flux/testdata/create_secret/tls/deprecated-secret-tls.yaml b/cmd/flux/testdata/create_secret/tls/deprecated-secret-tls.yaml
diff --git a/go.mod b/go.mod
@@ -47,7 +47,6 @@ require (
 	github.com/onsi/gomega v1.34.1
 	github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5
 	github.com/spf13/cobra v1.8.1
-	github.com/spf13/pflag v1.0.5
 	github.com/theckman/yacspin v0.13.12
 	golang.org/x/crypto v0.27.0
 	golang.org/x/term v0.24.0
@@ -203,6 +202,7 @@ require (
 	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/skeema/knownhosts v1.3.0 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/texttheater/golang-levenshtein v1.0.1 // indirect
 	github.com/vbatts/tar-split v0.11.3 // indirect
 	github.com/virtuald/go-ordered-json v0.0.0-20170621173500-b18e6e673d74 // indirect

diff --git a/pkg/bootstrap/bootstrap_plain_git.go b/pkg/bootstrap/bootstrap_plain_git.go
@@ -229,7 +229,7 @@ func (b *PlainGitBootstrapper) ReconcileSourceSecret(ctx context.Context, option
 	}
 
 	// Return early if exists and no custom config is passed
-	if ok && options.Keypair == nil && len(options.CAFile) == 0 && len(options.Username+options.Password) == 0 {
+	if ok && options.Keypair == nil && len(options.CACrt) == 0 && len(options.Username+options.Password) == 0 {
 		b.logger.Successf("source secret up to date")
 		return nil
 	}