From 30e2f00bd796af213e6f9d3373df33fd8f496506 Mon Sep 17 00:00:00 2001
From: mrudraia
Date: Tue, 23 Jul 2024 11:19:21 +0530
Subject: [PATCH] Read secrets for onboarding-token validation

Signed-off-by: mrudraia
Signed-off-by: mrudraia
---
 controllers/util/provider.go | 63 ++++++++++++++++++++++++++++++----
 tools/csv-merger/csv-merger.go | 13 -------
 2 files changed, 57 insertions(+), 19 deletions(-)

diff --git a/controllers/util/provider.go b/controllers/util/provider.go
index 35db1f49a2..3a1a05beb3 100644
--- a/controllers/util/provider.go
+++ b/controllers/util/provider.go
@@ -1,6 +1,7 @@
 package util
 
 import (
+ "context"
 "crypto"
 "crypto/rand"
 "crypto/rsa"
@@ -10,11 +11,25 @@ import (
 "encoding/json"
 "encoding/pem"
 "fmt"
- "os"
 "time"
 
 "github.com/google/uuid"
 "github.com/red-hat-storage/ocs-operator/v4/services"
+ v1 "k8s.io/api/apps/v1"
+ corev1 "k8s.io/api/core/v1"
+ kerrors "k8s.io/apimachinery/pkg/api/errors"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/types"
+ "k8s.io/klog"
+ "sigs.k8s.io/controller-runtime/pkg/client"
+ "sigs.k8s.io/controller-runtime/pkg/client/config"
+)
+
+const (
+ // Name of existing public key which is used ocs-operator
+ onboardingValidationPublicKeySecretName = "onboarding-ticket-key"
+ onboardingValidationPrivateKeySecretName = "onboarding-private-key"
+ storageClusterName = "ocs-storagecluster"
 )
 
 // GenerateOnboardingToken generates a token valid for a duration of "tokenLifetimeInHours".
@@ -46,7 +61,7 @@ func GenerateOnboardingToken(tokenLifetimeInHours int, privateKeyPath string, st
 return "", fmt.Errorf("failed to hash onboarding token payload: %v", err)
 }
 
- privateKey, err := readAndDecodePrivateKey(privateKeyPath)
+ privateKey, err := readAndDecodePrivateKey()
 if err != nil {
 return "", fmt.Errorf("failed to read and decode private key: %v", err)
 }
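Review bot: The comment on the new `const` block, `// Name of existing public key which is used ocs-operator`, is ungrammatical and covers only the first constant, and `onboardingValidationPublicKeySecretName` is not read anywhere in this patch. I'd document each constant with what it identifies, e.g. `// onboardingValidationPrivateKeySecretName is the Secret in the operator namespace whose "key" entry holds the PEM-encoded RSA private key used to sign onboarding tokens.` and `// storageClusterName is the StorageCluster resource name, not a Secret name.`, and drop the public-key constant unless a follow-up uses it. The distinction matters because `readAndDecodePrivateKey` later in this patch passes `storageClusterName` as the Secret name to `cl.Get`.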
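Review bot: `GenerateOnboardingToken` still declares `privateKeyPath` in its signature (visible in the hunk header) while the only use shown, `readAndDecodePrivateKey(privateKeyPath)`, is replaced by `readAndDecodePrivateKey()`; unless the rest of the body, which lies outside this hunk, still reads it, the parameter is now dead and callers keep passing a path that is silently ignored. Either remove it from the signature and its callers, or keep the file path as a documented fallback. Because the private key is now read through the API rather than from a mounted file (the csv-merger change in this patch drops the `onboarding-private-key` volume from ux-backend-server), whatever ServiceAccount runs this code needs `get` on Secrets in the operator namespace, and this patch adds no RBAC for that, so it is worth confirming the existing Role already grants it. `GenerateOnboardingToken`'s body starts before and continues after this hunk.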
@@ -64,16 +79,52 @@ func GenerateOnboardingToken(tokenLifetimeInHours int, privateKeyPath string, st return fmt.Sprintf("%s.%s", encodedPayload, encodedSignature), nil } -func readAndDecodePrivateKey(privateKeyPath string) (*rsa.PrivateKey, error) { - pemString, err := os.ReadFile(privateKeyPath) +func readAndDecodePrivateKey() (*rsa.PrivateKey, error) { + cl, err := newClient() + if err != nil { + klog.Exitf("failed to create client: %v", err) + } + ctx := context.Background() + operatorNamespace, err := GetOperatorNamespace() if err != nil { - return nil, fmt.Errorf("failed to read private key: %v", err) + klog.Exitf("unable to get operator namespace: %v", err) } - Block, _ := pem.Decode(pemString) + privateSecret := &corev1.Secret{} + privateSecret.Name = onboardingValidationPrivateKeySecretName + privateSecret.Namespace = operatorNamespace + err = cl.Get(ctx, types.NamespacedName{Name: storageClusterName, Namespace: operatorNamespace}, privateSecret) + if err != nil && !kerrors.IsNotFound(err) { + klog.Exitf("failed to get private secret: %v", err) + } + + pubKeyBytes := privateSecret.Data["key"] + + Block, _ := pem.Decode(pubKeyBytes) privateKey, err := x509.ParsePKCS1PrivateKey(Block.Bytes) if err != nil { return nil, fmt.Errorf("failed to parse private key: %v", err) } return privateKey, nil } + +func newClient() (client.Client, error) { + klog.Info("Setting up k8s client") + scheme := runtime.NewScheme() + if err := v1.AddToScheme(scheme); err != nil { + return nil, err + } + if err := corev1.AddToScheme(scheme); err != nil { + return nil, err + } + config, err := config.GetConfig() + if err != nil { + return nil, err + } + k8sClient, err := client.New(config, client.Options{Scheme: scheme}) + if err != nil { + return nil, err + } + + return k8sClient, nil +}
diff --git a/tools/csv-merger/csv-merger.go b/tools/csv-merger/csv-merger.go
index 65e0da6262..8a400e8cb2 100644
--- a/tools/csv-merger/csv-merger.go
+++ b/tools/csv-merger/csv-merger.go
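Review bot: In `readAndDecodePrivateKey` the `cl.Get` call requests `types.NamespacedName{Name: storageClusterName, ...}` ("ocs-storagecluster"), so the `privateSecret.Name = onboardingValidationPrivateKeySecretName` assignment two lines above is overwritten and the wrong object is fetched; since NotFound is then tolerated, `privateSecret.Data["key"]` is nil, `pem.Decode(nil)` yields a nil block and `Block.Bytes` dereferences a nil pointer on the next line. The function also calls `klog.Exitf` on three paths although it returns `error`, which terminates the whole process instead of letting `GenerateOnboardingToken` report the failure to its caller, and `config, err := config.GetConfig()` in `newClient` shadows the imported `config` package (`cfg, err := config.GetConfig()` and `client.New(cfg, client.Options{Scheme: scheme})` avoid that). I'd look the Secret up by the secret-name constant, treat a missing Secret, a missing `"key"` entry and an undecodable PEM block as returned errors, and rename `pubKeyBytes` to say what it holds (the private key); the `kerrors` import stays in use through the NotFound branch. Building a fresh client from `config.GetConfig()` on every token is also much heavier than the old file read, so consider having the caller pass in an existing `client.Client`.
```go
func readAndDecodePrivateKey() (*rsa.PrivateKey, error) {
	cl, err := newClient()
	if err != nil {
		return nil, fmt.Errorf("failed to create client: %v", err)
	}
	operatorNamespace, err := GetOperatorNamespace()
	if err != nil {
		return nil, fmt.Errorf("unable to get operator namespace: %v", err)
	}
	// Look up the Secret by its own name; the StorageCluster name is a different object.
	secretKey := types.NamespacedName{Name: onboardingValidationPrivateKeySecretName, Namespace: operatorNamespace}
	privateSecret := &corev1.Secret{}
	if err := cl.Get(context.Background(), secretKey, privateSecret); err != nil {
		if kerrors.IsNotFound(err) {
			return nil, fmt.Errorf("private key secret %s not found: %v", secretKey, err)
		}
		return nil, fmt.Errorf("failed to get private key secret %s: %v", secretKey, err)
	}
	privateKeyBytes := privateSecret.Data["key"]
	if len(privateKeyBytes) == 0 {
		return nil, fmt.Errorf("private key secret %s has no \"key\" entry", secretKey)
	}
	block, _ := pem.Decode(privateKeyBytes)
	if block == nil {
		return nil, fmt.Errorf("no PEM block found in private key secret %s", secretKey)
	}
	// … unchanged: x509.ParsePKCS1PrivateKey(block.Bytes) and return …
}
```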
@@ -644,10 +644,6 @@ func getUXBackendServerDeployment() appsv1.DeploymentSpec {
 {
 Name: "ux-backend-server",
 VolumeMounts: []corev1.VolumeMount{
- {
- Name: "onboarding-private-key",
- MountPath: "/etc/private-key",
- },
 {
 Name: "ux-cert-secret",
 MountPath: "/etc/tls/private",
@@ -716,15 +712,6 @@ func getUXBackendServerDeployment() appsv1.DeploymentSpec {
 },
 },
 Volumes: []corev1.Volume{
- {
- Name: "onboarding-private-key",
- VolumeSource: corev1.VolumeSource{
- Secret: &corev1.SecretVolumeSource{
- SecretName: "onboarding-private-key",
- Optional: ptr.To(true),
- },
- },
- },
 {
 Name: "ux-proxy-secret",
 VolumeSource: corev1.VolumeSource{