Read broker token and CA from a mounted secret

Fixes: submariner-io#301 Signed-off-by: Stephen Kitt <[email protected]>
skitt · Dec 16, 2021 · 87cbc7f · 87cbc7f
1 parent e7499a8
commit 87cbc7f
Show file tree

Hide file tree

Showing 3 changed files with 56 additions and 6 deletions.
diff --git a/pkg/resource/rest.go b/pkg/resource/rest.go
@@ -32,18 +32,18 @@ import (
 	"k8s.io/client-go/rest"
 )
 
-func GetAuthorizedRestConfig(apiServer, apiServerToken, caData string, tls *rest.TLSClientConfig,
+func GetAuthorizedRestConfigFromData(apiServer, apiServerToken, caData string, tls *rest.TLSClientConfig,
 	gvr schema.GroupVersionResource, namespace string) (restConfig *rest.Config, authorized bool, err error) {
 	// First try a REST config without the CA trust chain
-	restConfig, err = BuildRestConfig(apiServer, apiServerToken, "", tls)
+	restConfig, err = BuildRestConfigFromData(apiServer, apiServerToken, "", tls)
 	if err != nil {
 		return
 	}
 
 	authorized, err = IsAuthorizedFor(restConfig, gvr, namespace)
 	if !authorized {
 		// Now try with the trust chain
-		restConfig, err = BuildRestConfig(apiServer, apiServerToken, caData, tls)
+		restConfig, err = BuildRestConfigFromData(apiServer, apiServerToken, caData, tls)
 		if err != nil {
 			return
 		}
@@ -54,7 +54,29 @@ func GetAuthorizedRestConfig(apiServer, apiServerToken, caData string, tls *rest
 	return
 }
 
-func BuildRestConfig(apiServer, apiServerToken, caData string, tls *rest.TLSClientConfig) (*rest.Config, error) {
+func GetAuthorizedRestConfigFromFiles(apiServer, apiServerTokenFile, caFile string, tls *rest.TLSClientConfig,
+	gvr schema.GroupVersionResource, namespace string) (restConfig *rest.Config, authorized bool, err error) {
+	// First try a REST config without the CA trust chain
+	restConfig, err = BuildRestConfigFromFiles(apiServer, apiServerTokenFile, "", tls)
+	if err != nil {
+		return
+	}
+
+	authorized, err = IsAuthorizedFor(restConfig, gvr, namespace)
+	if !authorized {
+		// Now try with the trust chain
+		restConfig, err = BuildRestConfigFromFiles(apiServer, apiServerTokenFile, caFile, tls)
+		if err != nil {
+			return
+		}
+
+		authorized, err = IsAuthorizedFor(restConfig, gvr, namespace)
+	}
+
+	return
+}
+
+func BuildRestConfigFromData(apiServer, apiServerToken, caData string, tls *rest.TLSClientConfig) (*rest.Config, error) {
 	if tls == nil {
 		tls = &rest.TLSClientConfig{}
 	}
@@ -75,6 +97,22 @@ func BuildRestConfig(apiServer, apiServerToken, caData string, tls *rest.TLSClie
 	}, nil
 }
 
+func BuildRestConfigFromFiles(apiServer, apiServerTokenFile, caFile string, tls *rest.TLSClientConfig) (*rest.Config, error) {
+	if tls == nil {
+		tls = &rest.TLSClientConfig{}
+	}
+
+	if !tls.Insecure && caFile != "" {
+		tls.CAFile = caFile
+	}
+
+	return &rest.Config{
+		Host:            fmt.Sprintf("https://%s", apiServer),
+		TLSClientConfig: *tls,
+		BearerTokenFile: apiServerTokenFile,
+	}, nil
+}
+
 func IsAuthorizedFor(restConfig *rest.Config, gvr schema.GroupVersionResource, namespace string) (bool, error) {
 	client, err := dynamic.NewForConfig(restConfig)
 	if err != nil {

diff --git a/pkg/syncer/broker/config.go b/pkg/syncer/broker/config.go
@@ -33,6 +33,7 @@ type brokerSpecification struct {
 	RemoteNamespace string
 	Insecure        bool `default:"false"`
 	Ca              string
+	Secret          string
 }
 
 const brokerConfigPrefix = "broker_k8s"
@@ -61,3 +62,7 @@ func EnvironmentVariable(setting string) string {
 
 	panic(fmt.Sprintf("unknown Broker setting %s", setting))
 }
+
+func SecretPath(secretName string) string {
+	return fmt.Sprintf("/run/secrets/submariner.io/%s", secretName)
+}
diff --git a/pkg/syncer/broker/syncer.go b/pkg/syncer/broker/syncer.go
@@ -20,6 +20,7 @@ package broker
 
 import (
 	"fmt"
+	"path/filepath"
 	"reflect"
 	"time"
 
@@ -268,8 +269,14 @@ func createBrokerClient(config *SyncerConfig) error {
 
 		config.BrokerNamespace = spec.RemoteNamespace
 
-		config.BrokerRestConfig, authorized, err = resource.GetAuthorizedRestConfig(spec.APIServer, spec.APIServerToken, spec.Ca,
-			&rest.TLSClientConfig{Insecure: spec.Insecure}, *gvr, spec.RemoteNamespace)
+		if spec.Secret != "" {
+			config.BrokerRestConfig, authorized, err = resource.GetAuthorizedRestConfigFromFiles(spec.APIServer,
+				filepath.Join(SecretPath(spec.Secret), "token"), filepath.Join(SecretPath(spec.Secret), "ca.crt"),
+				&rest.TLSClientConfig{Insecure: spec.Insecure}, *gvr, spec.RemoteNamespace)
+		} else {
+			config.BrokerRestConfig, authorized, err = resource.GetAuthorizedRestConfigFromData(spec.APIServer, spec.APIServerToken, spec.Ca,
+				&rest.TLSClientConfig{Insecure: spec.Insecure}, *gvr, spec.RemoteNamespace)
+		}
 	}
 
 	if !authorized {