Create the oauthConfig session secrets

bindata/v3.11.0/kube-apiserver/defaultconfig.yaml

@@ -76,7 +76,7 @@ oauthConfig:
   sessionConfig:
     sessionMaxAgeSeconds: 300
     sessionName: ssn
-    sessionSecretsFile: ""
+    sessionSecretsFile: /var/run/secrets/session-secret/secrets
   templates: null
   tokenConfig:
     accessTokenMaxAgeSeconds: 86400

bindata/v3.11.0/kube-apiserver/pod.yaml

@@ -21,6 +21,8 @@ spec:
     volumeMounts:
     - mountPath: /etc/kubernetes/static-pod-resources
       name: resource-dir
+    - mountPath: /var/run/secrets/session-secret
+      name: session-secret
     livenessProbe:
       httpGet:
         scheme: HTTPS
@@ -40,3 +42,6 @@ spec:
   - hostPath:
       path: /etc/kubernetes/static-pod-resources/kube-apiserver-pod-REVISION
     name: resource-dir
+  - secret:
+      secretName: session-secret
+    name: session-secret

bindata/v3.11.0/kube-apiserver/session-secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  namespace: openshift-kube-apiserver
+  name: session-secret
+type: Opaque
+data:
+  secrets:

pkg/operator/crypto/keybits.go

@@ -0,0 +1,33 @@
+package crypto
+
+import (
+	"crypto/rand"
+	"crypto/sha256"
+)
+
+const (
+	sha256KeyLenBits = sha256.BlockSize * 8 // max key size with HMAC SHA256
+	aes256KeyLenBits = 256                  // max key size with AES (AES-256)
+)
+
+func RandomAuthKeyBits() []byte {
+	return randomBits(sha256KeyLenBits)
+}
+
+func RandomEncKeyBits() []byte {
+	return randomBits(aes256KeyLenBits)
+}
+
+// randomBits returns a random byte slice with at least the requested bits of entropy.
+// Callers should avoid using a value less than 256 unless they have a very good reason.
+func randomBits(bits int) []byte {
+	size := bits / 8
+	if bits%8 != 0 {
+		size++
+	}
+	b := make([]byte, size)
+	if _, err := rand.Read(b); err != nil {
+		panic(err) // rand should never fail
+	}
+	return b
+}

pkg/operator/target_config_reconciler_v311_00.go

@@ -7,17 +7,33 @@ import (
 	"github.com/openshift/cluster-kube-apiserver-operator/pkg/version"
 
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/serializer"
 	coreclientv1 "k8s.io/client-go/kubernetes/typed/core/v1"
 
+	legacyv1 "github.com/openshift/api/legacyconfig/v1"
 	operatorv1 "github.com/openshift/api/operator/v1"
 	"github.com/openshift/cluster-kube-apiserver-operator/pkg/apis/kubeapiserver/v1alpha1"
+	cryptohelpers "github.com/openshift/cluster-kube-apiserver-operator/pkg/operator/crypto"
 	"github.com/openshift/cluster-kube-apiserver-operator/pkg/operator/v311_00_assets"
 	"github.com/openshift/library-go/pkg/operator/resource/resourceapply"
 	"github.com/openshift/library-go/pkg/operator/resource/resourcemerge"
 	"github.com/openshift/library-go/pkg/operator/resource/resourceread"
 	v1helpers "github.com/openshift/library-go/pkg/operator/v1helpers"
 )
 
+var (
+	Scheme              = runtime.NewScheme()
+	Codecs              = serializer.NewCodecFactory(Scheme)
+	legacySchemeBuilder = runtime.NewSchemeBuilder(legacyv1.InstallLegacy)
+)
+
+func init() {
+	legacySchemeBuilder.AddToScheme(Scheme)
+}
+
 // createTargetConfigReconciler_v311_00_to_latest takes care of creation of valid resources in a fixed name.  These are inputs to other control loops.
 // returns whether or not requeue and if an error happened when updating status.  Normally it updates status itself.
 func createTargetConfigReconciler_v311_00_to_latest(c TargetConfigReconciler, operatorConfig *v1alpha1.KubeAPIServerOperatorConfig) (bool, error) {
@@ -44,6 +60,11 @@ func createTargetConfigReconciler_v311_00_to_latest(c TargetConfigReconciler, op
 	if err != nil {
 		errors = append(errors, fmt.Errorf("%q: %v", "configmap/deployment-kube-apiserver-config", err))
 	}
+	_, _, err = manageSessionSecret_v311_00_to_latest(c.kubeClient.CoreV1())
+	if err != nil {
+		errors = append(errors, fmt.Errorf("%q: %v", "secret/session-secret", err))
+	}
+
 	_, _, err = managePod_v311_00_to_latest(c.kubeClient.CoreV1(), operatorConfig, c.targetImagePullSpec)
 	if err != nil {
 		errors = append(errors, fmt.Errorf("%q: %v", "configmap/kube-apiserver-pod", err))
@@ -106,6 +127,33 @@ func manageKubeApiserverConfigMap_v311_00_to_latest(client coreclientv1.ConfigMa
 	return resourceapply.ApplyConfigMap(client, requiredConfigMap)
 }
 
+func manageSessionSecret_v311_00_to_latest(client coreclientv1.SecretsGetter) (*corev1.Secret, bool, error) {
+	secret := resourceread.ReadSecretV1OrDie(v311_00_assets.MustAsset("v3.11.0/kube-apiserver/session-secret.yaml"))
+	actualSecret, err := client.Secrets(secret.Namespace).Get(secret.Name, v1.GetOptions{})
+	if err == nil {
+		return actualSecret, false, nil
+	}
+
+	if err != nil && !errors.IsNotFound(err) {
+		return nil, false, err
+	}
+
+	// No session secret exists, generate it
+	sessionSecretsYaml := runtime.EncodeOrDie(Codecs.LegacyCodec(legacyv1.LegacySchemeGroupVersion), &legacyv1.SessionSecrets{
+		Secrets: []legacyv1.SessionSecret{
+			{
+				Authentication: string(cryptohelpers.RandomAuthKeyBits()),
+				Encryption:     string(cryptohelpers.RandomEncKeyBits()),
+			},
+		},
+	})
+
+	secret.Data = map[string][]byte{}
+	secret.Data["secrets"] = []byte(sessionSecretsYaml)
+
+	return resourceapply.ApplySecret(client, secret)
+}
+
 func managePod_v311_00_to_latest(client coreclientv1.ConfigMapsGetter, operatorConfig *v1alpha1.KubeAPIServerOperatorConfig, imagePullSpec string) (*corev1.ConfigMap, bool, error) {
 	required := resourceread.ReadPodV1OrDie(v311_00_assets.MustAsset("v3.11.0/kube-apiserver/pod.yaml"))
 	required.Spec.Containers[0].ImagePullPolicy = corev1.PullAlways