Merge pull request #1545 from LiZhenCheng9527/refactor-kmeshctl-secret

kmesh-bot · web-flow · commit 0a2807bf1b31 · 2025-12-01T16:52:27.000+08:00
refactor kmeshctl secret command
diff --git a/ctl/secret/secret.go b/ctl/secret/secret.go
@@ -30,7 +30,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	"kmesh.net/kmesh/ctl/utils"
-	"kmesh.net/kmesh/pkg/controller/encryption/ipsec"
+	"kmesh.net/kmesh/pkg/controller/encryption"
 	"kmesh.net/kmesh/pkg/kube"
 	"kmesh.net/kmesh/pkg/logger"
 )
@@ -118,7 +118,7 @@ func createKubeClientOrExit() kube.CLIClient {
 }
 
 func CreateOrUpdateSecret(cmd *cobra.Command, args []string) {
-	var ipSecKey, ipSecKeyOld ipsec.IpSecKey
+	var ipSecKey, ipSecKeyOld encryption.IpSecKey
 	var err error
 
 	ipSecKey.AeadKeyName = AeadAlgoName
@@ -215,7 +215,7 @@ func GetSecret() {
 	}
 
 	// Parse the IPsec data
-	var ipSecKey ipsec.IpSecKey
+	var ipSecKey encryption.IpSecKey
 	if err := json.Unmarshal(secret.Data["ipSec"], &ipSecKey); err != nil {
 		log.Errorf("failed to unmarshal secret data: %v", err)
 		os.Exit(1)
diff --git a/pkg/controller/encryption/common.go b/pkg/controller/encryption/common.go
@@ -0,0 +1,24 @@
+/*
+ * Copyright The Kmesh Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package encryption
+
+type IpSecKey struct {
+	Spi         int    `json:"spi"`
+	AeadKeyName string `json:"aeadKeyName"`
+	AeadKey     []byte `json:"aeadKey"`
+	Length      int    `json:"length"`
+}
diff --git a/pkg/controller/encryption/ipsec/ipsec_handler.go b/pkg/controller/encryption/ipsec/ipsec_handler.go
@@ -32,30 +32,24 @@ import (
 	"istio.io/istio/pkg/filewatcher"
 
 	"kmesh.net/kmesh/pkg/constants"
+	"kmesh.net/kmesh/pkg/controller/encryption"
 	"kmesh.net/kmesh/pkg/kube/apis/kmeshnodeinfo/v1alpha1"
 )
 
 const (
 	IpSecKeyFile = "./kmesh-ipsec/ipSec"
 )
 
-type IpSecKey struct {
-	Spi         int    `json:"spi"`
-	AeadKeyName string `json:"aeadKeyName"`
-	AeadKey     []byte `json:"aeadKey"`
-	Length      int    `json:"length"`
-}
-
 type IpSecHandler struct {
 	Spi             int
 	mutex           sync.RWMutex
 	watcher         filewatcher.FileWatcher
-	historyIpSecKey map[int]IpSecKey
+	historyIpSecKey map[int]encryption.IpSecKey
 }
 
 func NewIpSecHandler() *IpSecHandler {
 	return &IpSecHandler{
-		historyIpSecKey: make(map[int]IpSecKey),
+		historyIpSecKey: make(map[int]encryption.IpSecKey),
 	}
 }
 
@@ -76,7 +70,7 @@ func (is *IpSecHandler) LoadIPSecKeyFromFile(filePath string) error {
 func (is *IpSecHandler) loadIPSecKeyFromIO(file *os.File) error {
 	reader := bufio.NewReader(file)
 	decoder := json.NewDecoder(reader)
-	var key IpSecKey
+	var key encryption.IpSecKey
 	if err := decoder.Decode(&key); err != nil {
 		return fmt.Errorf("ipsec config file decoder error, %v, please use Kmesh tool generate ipsec secret key", err)
 	}
@@ -231,7 +225,7 @@ func (is *IpSecHandler) createXfrmRuleIngress(rawRemoteIP, rawLocalNicIP, remote
  * ip xfrm state  add src {localNicIP} dst {remoteNicIP} proto esp spi {remoteSpi} mode tunnel reqid 1 {aead-algo} {aead-key} {aead-key-length}
  * ip xfrm policy add src 0.0.0.0/0    dst {remoteCIDR}  dir out tmpl src {localNicIP} dst {remoteNicIP} proto esp spi {remoteSpi} reqid 1 mode tunnel mark 0x{remoteNodeID}00e0
  */
-func (is *IpSecHandler) createXfrmRuleEgress(rawLocalNicIP, rawRemoteIP, localBootID, remoteBootID string, ipsecKey IpSecKey, podCIDRs []string) error {
+func (is *IpSecHandler) createXfrmRuleEgress(rawLocalNicIP, rawRemoteIP, localBootID, remoteBootID string, ipsecKey encryption.IpSecKey, podCIDRs []string) error {
 	src := net.ParseIP(rawLocalNicIP)
 	if src == nil {
 		return fmt.Errorf("failed to parser ip in inserting xfrm rule, input: %v", rawLocalNicIP)
@@ -267,7 +261,7 @@ func (is *IpSecHandler) createXfrmRuleEgress(rawLocalNicIP, rawRemoteIP, localBo
 	return nil
 }
 
-func (is *IpSecHandler) createStateRule(src net.IP, dst net.IP, key []byte, ipsecKey IpSecKey, ingress bool) error {
+func (is *IpSecHandler) createStateRule(src net.IP, dst net.IP, key []byte, ipsecKey encryption.IpSecKey, ingress bool) error {
 	state := &netlink.XfrmState{
 		Src:   src,
 		Dst:   dst,
