Fix WICD updated kubeconfig usage

Author: mansikulkarni96

controllers/controllers.go

@@ -23,6 +23,7 @@ import (
 	"github.com/openshift/windows-machine-config-operator/pkg/metadata"
 	"github.com/openshift/windows-machine-config-operator/pkg/nodeconfig"
 	"github.com/openshift/windows-machine-config-operator/pkg/secrets"
+	"github.com/openshift/windows-machine-config-operator/pkg/signer"
 	"github.com/openshift/windows-machine-config-operator/version"
 )
 
@@ -107,12 +108,28 @@ func (r *instanceReconciler) instanceFromNode(ctx context.Context, node *core.No
 		return nil, err
 	}
 
-	// Decrypt username annotation to plain text using private key
+	// Get private key for decryption
 	privateKeyBytes, err := secrets.GetPrivateKey(ctx, kubeTypes.NamespacedName{Namespace: r.watchNamespace,
 		Name: secrets.PrivateKeySecret}, r.client)
 	if err != nil {
 		return nil, err
 	}
+
+	// Check if the username annotation is encrypted with the current private key by comparing public key hash
+	signer, err := signer.Create(ctx, kubeTypes.NamespacedName{Namespace: r.watchNamespace,
+		Name: secrets.PrivateKeySecret}, r.client)
+	if err != nil {
+		return nil, fmt.Errorf("unable to create signer for public key hash verification: %w", err)
+	}
+	expectedPubKeyHash := nodeconfig.CreatePubKeyHashAnnotation(signer.PublicKey())
+	currentPubKeyHash := node.Annotations[nodeconfig.PubKeyHashAnnotation]
+
+	if currentPubKeyHash != expectedPubKeyHash {
+		// The username annotation is encrypted with an old private key and hasn't been updated yet
+		// This can happen during private key rotation. Return a specific error that can be retried.
+		return nil, fmt.Errorf("node %s username annotation is encrypted with an outdated private key, waiting for secret controller to update it", node.Name)
+	}
+
 	username, err := crypto.DecryptFromJSONString(usernameAnnotation, privateKeyBytes)
 	if err != nil {
 		return nil, fmt.Errorf("unable to decrypt username annotation for node %s: %w", node.Name, err)

pkg/nodeconfig/nodeconfig.go

@@ -184,7 +184,8 @@ func (nc *nodeConfig) Configure(ctx context.Context) error {
 		return fmt.Errorf("bootstrapping the Windows instance failed: %w", err)
 	}
 
-	var wicdNodeKC string
+	// Track which kubeconfig WICD is currently using for cleanup purposes
+	wicdActiveKubeconfig := wicdKC
 
 	// Perform rest of the configuration with the kubelet running
 	err = func() error {
@@ -227,6 +228,9 @@ func (nc *nodeConfig) Configure(ctx context.Context) error {
 		if err := nc.Windows.ConfigureWICD(nc.wmcoNamespace, wicdNodeKC); err != nil {
 			return fmt.Errorf("configuring WICD failed: %w", err)
 		}
+		// Update the active kubeconfig tracker since WICD was successfully reconfigured
+		wicdActiveKubeconfig = wicdNodeKC
+
 		// Set the desired version annotation, communicating to WICD which Windows services configmap to use
 		if err := metadata.ApplyDesiredVersionAnnotation(ctx, nc.client, *nc.node, wmcoVersion); err != nil {
 			return fmt.Errorf("error updating desired version annotation on node %s: %w", nc.node.GetName(), err)
@@ -261,7 +265,7 @@ func (nc *nodeConfig) Configure(ctx context.Context) error {
 	// Stop the kubelet so that the node is marked NotReady in case of an error in configuration. We are stopping all
 	// the required services as they are interdependent and is safer to do so given the node is going to be NotReady.
 	if err != nil {
-		if cleanupErr := nc.Windows.RunWICDCleanup(nc.wmcoNamespace, wicdNodeKC); cleanupErr != nil {
+		if cleanupErr := nc.Windows.RunWICDCleanup(nc.wmcoNamespace, wicdActiveKubeconfig); cleanupErr != nil {
 			nc.log.Info("Unable to mark node as NotReady", "error", cleanupErr)
 		}
 	}

pkg/windows/windows.go

@@ -558,6 +558,19 @@ func (vm *windows) Bootstrap(ctx context.Context, desiredVer, watchNamespace, wi
 
 // ConfigureWICD starts the Windows Instance Config Daemon service
 func (vm *windows) ConfigureWICD(watchNamespace, wicdKubeconfigContents string) error {
+	// Check if service is already running before updating files
+	serviceExists, err := vm.serviceExists(WicdServiceName)
+	if err != nil {
+		return fmt.Errorf("error checking if %s Windows service exists: %w", WicdServiceName, err)
+	}
+	serviceRunning := false
+	if serviceExists {
+		serviceRunning, err = vm.isRunning(WicdServiceName)
+		if err != nil {
+			return fmt.Errorf("error checking if %s Windows service is running: %w", WicdServiceName, err)
+		}
+	}
+
 	if err := vm.ensureWICDFilesExist(wicdKubeconfigContents); err != nil {
 		return err
 	}
@@ -590,6 +603,16 @@ func (vm *windows) ConfigureWICD(watchNamespace, wicdKubeconfigContents string)
 	if err != nil {
 		return fmt.Errorf("error creating %s service object: %w", WicdServiceName, err)
 	}
+
+	// If service was already running, stop it first so it picks up the new kubeconfig
+	// This ensures WICD always uses the latest configuration when ConfigureWICD is called
+	if serviceRunning {
+		vm.log.Info("stopping WICD service to reload configuration", "service", WicdServiceName)
+		if err := vm.stopService(wicdService); err != nil {
+			return fmt.Errorf("error stopping %s Windows service for reconfiguration: %w", WicdServiceName, err)
+		}
+	}
+
 	if err := vm.ensureServiceIsRunning(wicdService); err != nil {
 		return fmt.Errorf("error ensuring %s Windows service has started running: %w", WicdServiceName, err)
 	}