Read secrets for client-onboarding-token-validation

controllers/storagecluster/storageclient.go

@@ -17,8 +17,7 @@ import (
 )
 
 const (
-	tokenLifetimeInHours         = 48
-	onboardingPrivateKeyFilePath = "/etc/private-key/key"
+	tokenLifetimeInHours = 48
 
 	ocsClientConfigMapName = "ocs-client-operator-config"
 	manageNoobaaSubKey     = "manageNoobaaSubscription"
@@ -47,7 +46,11 @@ func (s *storageClient) ensureCreated(r *StorageClusterReconciler, storagecluste
 	storageClient.Name = storagecluster.Name
 	_, err := controllerutil.CreateOrUpdate(r.ctx, r.Client, storageClient, func() error {
 		if storageClient.Status.ConsumerID == "" {
-			token, err := util.GenerateClientOnboardingToken(tokenLifetimeInHours, onboardingPrivateKeyFilePath, nil, storagecluster.UID)
+			privateKey, err := util.LoadOnboardingValidationPrivateKey(r.ctx, r.Client, r.OperatorNamespace)
+			if err != nil {
+				return fmt.Errorf("unable to get Parsed Private Key: %v", err)
+			}
+			token, err := util.GenerateClientOnboardingToken(tokenLifetimeInHours, privateKey, nil, storagecluster.UID)
 			if err != nil {
 				return fmt.Errorf("unable to generate onboarding token: %v", err)
 			}

controllers/util/provider.go

@@ -1,6 +1,7 @@
 package util
 
 import (
+	"context"
 	"crypto"
 	"crypto/rand"
 	"crypto/rsa"
@@ -10,19 +11,22 @@ import (
 	"encoding/json"
 	"encoding/pem"
 	"fmt"
-	"os"
 	"time"
 
 	"github.com/red-hat-storage/ocs-operator/v4/services"
 
 	"github.com/google/uuid"
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
+const onboardingValidationPrivateKeySecretName = "onboarding-private-key"
+
 // GenerateClientOnboardingToken generates a ocs-client token valid for a duration of "tokenLifetimeInHours".
 // The token content is predefined and signed by the private key which'll be read from supplied "privateKeyPath".
 // The storageQuotaInGiB is optional, and it is used to limit the storage of PVC in the application cluster.
-func GenerateClientOnboardingToken(tokenLifetimeInHours int, privateKeyPath string, storageQuotainGib *uint, storageClusterUID types.UID) (string, error) {
+func GenerateClientOnboardingToken(tokenLifetimeInHours int, privateKey *rsa.PrivateKey, storageQuotainGib *uint, storageClusterUID types.UID) (string, error) {
 	tokenExpirationDate := time.Now().
 		Add(time.Duration(tokenLifetimeInHours) * time.Hour).
 		Unix()
@@ -35,7 +39,7 @@ func GenerateClientOnboardingToken(tokenLifetimeInHours int, privateKeyPath stri
 		StorageCluster:    storageClusterUID,
 	}
 
-	token, err := encodeAndSignOnboardingToken(privateKeyPath, ticket)
+	token, err := encodeAndSignOnboardingToken(privateKey, ticket)
 	if err != nil {
 		return "", err
 	}
@@ -44,7 +48,7 @@ func GenerateClientOnboardingToken(tokenLifetimeInHours int, privateKeyPath stri
 
 // GeneratePeerOnboardingToken generates a ocs-peer token valid for a duration of "tokenLifetimeInHours".
 // The token content is predefined and signed by the private key which'll be read from supplied "privateKeyPath".
-func GeneratePeerOnboardingToken(tokenLifetimeInHours int, privateKeyPath string, storageClusterUID types.UID) (string, error) {
+func GeneratePeerOnboardingToken(tokenLifetimeInHours int, privateKey *rsa.PrivateKey, storageClusterUID types.UID) (string, error) {
 	tokenExpirationDate := time.Now().
 		Add(time.Duration(tokenLifetimeInHours) * time.Hour).
 		Unix()
@@ -55,7 +59,7 @@ func GeneratePeerOnboardingToken(tokenLifetimeInHours int, privateKeyPath string
 		SubjectRole:    services.PeerRole,
 		StorageCluster: storageClusterUID,
 	}
-	token, err := encodeAndSignOnboardingToken(privateKeyPath, ticket)
+	token, err := encodeAndSignOnboardingToken(privateKey, ticket)
 	if err != nil {
 		return "", err
 	}
@@ -64,7 +68,7 @@ func GeneratePeerOnboardingToken(tokenLifetimeInHours int, privateKeyPath string
 
 // encodeAndSignOnboardingToken generates a token from the ticket.
 // The token content is predefined and signed by the private key which'll be read from supplied "privateKeyPath".
-func encodeAndSignOnboardingToken(privateKeyPath string, ticket services.OnboardingTicket) (string, error) {
+func encodeAndSignOnboardingToken(privateKey *rsa.PrivateKey, ticket services.OnboardingTicket) (string, error) {
 	payload, err := json.Marshal(ticket)
 	if err != nil {
 		return "", fmt.Errorf("failed to marshal the payload: %v", err)
@@ -79,11 +83,6 @@ func encodeAndSignOnboardingToken(privateKeyPath string, ticket services.Onboard
 		return "", fmt.Errorf("failed to hash onboarding token payload: %v", err)
 	}
 
-	privateKey, err := readAndDecodePrivateKey(privateKeyPath)
-	if err != nil {
-		return "", fmt.Errorf("failed to read and decode private key: %v", err)
-	}
-
 	msgHashSum := msgHash.Sum(nil)
 	// In order to generate the signature, we provide a random number generator,
 	// our private key, the hashing algorithm that we used, and the hash sum
@@ -97,16 +96,30 @@ func encodeAndSignOnboardingToken(privateKeyPath string, ticket services.Onboard
 	return fmt.Sprintf("%s.%s", encodedPayload, encodedSignature), nil
 }
 
-func readAndDecodePrivateKey(privateKeyPath string) (*rsa.PrivateKey, error) {
-	pemString, err := os.ReadFile(privateKeyPath)
+func LoadOnboardingValidationPrivateKey(ctx context.Context, cl client.Client, namespace string) (*rsa.PrivateKey, error) {
+	privateSecret := &corev1.Secret{}
+	privateSecret.Name = onboardingValidationPrivateKeySecretName
+	privateSecret.Namespace = namespace
+
+	err := cl.Get(ctx, client.ObjectKeyFromObject(privateSecret), privateSecret)
 	if err != nil {
-		return nil, fmt.Errorf("failed to read private key: %v", err)
+		return nil, fmt.Errorf("failed to get private secret: %v", err)
 	}
 
-	Block, _ := pem.Decode(pemString)
-	privateKey, err := x509.ParsePKCS1PrivateKey(Block.Bytes)
+	privateSecretKey := privateSecret.Data["key"]
+	if len(privateSecretKey) == 0 {
+		return nil, fmt.Errorf("No data found in secret")
+	}
+
+	block, rest := pem.Decode(privateSecretKey)
+	if len(rest) > 0 {
+		return nil, fmt.Errorf("PEM block not found in private key: %s", rest)
+	}
+
+	privateKey, err := x509.ParsePKCS1PrivateKey(block.Bytes)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse private key: %v", err)
 	}
+
 	return privateKey, nil
 }

deploy/ocs-operator/manifests/ocs-operator.clusterserviceversion.yaml

@@ -647,8 +647,6 @@ spec:
                   readOnlyRootFilesystem: true
                   runAsNonRoot: true
                 volumeMounts:
-                - mountPath: /etc/private-key
-                  name: onboarding-private-key
                 - mountPath: /etc/tls/private
                   name: ux-cert-secret
               - args:
@@ -684,10 +682,6 @@ spec:
                 operator: Equal
                 value: "true"
               volumes:
-              - name: onboarding-private-key
-                secret:
-                  optional: true
-                  secretName: onboarding-private-key
               - name: ux-proxy-secret
                 secret:
                   secretName: ux-backend-proxy

deploy/ocs-operator/manifests/onboarding-validation-keys-generator-role.yaml

@@ -19,3 +19,10 @@ rules:
     verbs:
       - get
       - list
+  - apiGroups:
+      - ocs.openshift.io
+    resources:
+      - storageclusters/finalizers
+    verbs:
+      - update
+

onboarding-validation-keys-generator/main.go

@@ -81,7 +81,7 @@ func main() {
 		klog.Exitf("failed to delete public secret: %v", err)
 	}
 
-	err = controllerutil.SetOwnerReference(storageCluster, privateSecret, cl.Scheme())
+	err = controllerutil.SetControllerReference(storageCluster, privateSecret, cl.Scheme())
 	if err != nil {
 		klog.Exitf("failed to set owner reference for private secret: %v", err)
 	}
@@ -95,7 +95,7 @@ func main() {
 		klog.Exitf("failed to create private secret: %v", err)
 	}
 
-	err = controllerutil.SetOwnerReference(storageCluster, publicSecret, cl.Scheme())
+	err = controllerutil.SetControllerReference(storageCluster, publicSecret, cl.Scheme())
 	if err != nil {
 		klog.Exitf("failed to set owner reference for public secret: %v", err)
 	}

rbac/onboarding-validation-keys-generator-role.yaml

@@ -19,3 +19,10 @@ rules:
     verbs:
       - get
       - list
+  - apiGroups:
+      - ocs.openshift.io
+    resources:
+      - storageclusters/finalizers
+    verbs:
+      - update
+

services/ux-backend/handlers/onboarding/clienttokens/handler.go

@@ -14,10 +14,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
-const (
-	onboardingPrivateKeyFilePath = "/etc/private-key/key"
-)
-
 var unitToGib = map[string]uint{
 	"Gi": 1,
 	"Ti": 1024,
@@ -37,13 +33,13 @@ func handlePost(w http.ResponseWriter, r *http.Request, tokenLifetimeInHours int
 	var storageQuotaInGiB *uint
 	// When ContentLength is 0 that means request body is empty and
 	// storage quota is unlimited
-	var err error
+
 	if r.ContentLength != 0 {
 		var quota = struct {
 			Value uint   `json:"value"`
 			Unit  string `json:"unit"`
 		}{}
-		if err = json.NewDecoder(r.Body).Decode(&quota); err != nil {
+		if err := json.NewDecoder(r.Body).Decode(&quota); err != nil {
 			http.Error(w, err.Error(), http.StatusBadRequest)
 			return
 		}
@@ -66,7 +62,19 @@ func handlePost(w http.ResponseWriter, r *http.Request, tokenLifetimeInHours int
 		return
 	}
 
-	if onboardingToken, err := util.GenerateClientOnboardingToken(tokenLifetimeInHours, onboardingPrivateKeyFilePath, storageQuotaInGiB, storageCluster.UID); err != nil {
+	klog.Info("Loading onboarding validation private Key")
+	privateKey, err := util.LoadOnboardingValidationPrivateKey(r.Context(), cl, namespace)
+	if err != nil {
+		http.Error(w, fmt.Sprintf("Failed loading onboarding validation private key: %v", err), http.StatusBadRequest)
+		return
+	}
+
+	if onboardingToken, err := util.GenerateClientOnboardingToken(
+		tokenLifetimeInHours,
+		privateKey,
+		storageQuotaInGiB,
+		storageCluster.UID,
+	); err != nil {
 		klog.Errorf("failed to get onboarding token: %v", err)
 		w.WriteHeader(http.StatusInternalServerError)
 		w.Header().Set("Content-Type", handlers.ContentTypeTextPlain)