From faaee27f151009dcad6fa45663d0d96c664127a2 Mon Sep 17 00:00:00 2001
From: Stephen Kitt
Date: Mon, 6 Dec 2021 18:36:31 +0100
Subject: [PATCH] Read broker token and CA from a mounted secret

Signed-off-by: Stephen Kitt
---
 pkg/resource/rest.go        | 46 +++++++++++++++++++++++++++++++++----
 pkg/syncer/broker/config.go |  5 ++++
 pkg/syncer/broker/syncer.go | 11 +++++++--
 3 files changed, 56 insertions(+), 6 deletions(-)

diff --git a/pkg/resource/rest.go b/pkg/resource/rest.go
index aeb39c8d..665e9785 100644
--- a/pkg/resource/rest.go
+++ b/pkg/resource/rest.go
@@ -32,10 +32,10 @@ import (
 	"k8s.io/client-go/rest"
 )
 
-func GetAuthorizedRestConfig(apiServer, apiServerToken, caData string, tls *rest.TLSClientConfig,
+func GetAuthorizedRestConfigFromData(apiServer, apiServerToken, caData string, tls *rest.TLSClientConfig,
 	gvr schema.GroupVersionResource, namespace string) (restConfig *rest.Config, authorized bool, err error) {
 	// First try a REST config without the CA trust chain
-	restConfig, err = BuildRestConfig(apiServer, apiServerToken, "", tls)
+	restConfig, err = BuildRestConfigFromData(apiServer, apiServerToken, "", tls)
 	if err != nil {
 		return
 	}
@@ -43,7 +43,7 @@ func GetAuthorizedRestConfig(apiServer, apiServerToken, caData string, tls *rest
 	authorized, err = IsAuthorizedFor(restConfig, gvr, namespace)
 	if !authorized {
 		// Now try with the trust chain
-		restConfig, err = BuildRestConfig(apiServer, apiServerToken, caData, tls)
+		restConfig, err = BuildRestConfigFromData(apiServer, apiServerToken, caData, tls)
 		if err != nil {
 			return
 		}
@@ -54,7 +54,29 @@ func GetAuthorizedRestConfig(apiServer, apiServerToken, caData string, tls *rest
 	return
 }
 
-func BuildRestConfig(apiServer, apiServerToken, caData string, tls *rest.TLSClientConfig) (*rest.Config, error) {
+func GetAuthorizedRestConfigFromFiles(apiServer, apiServerTokenFile, caFile string, tls *rest.TLSClientConfig,
+	gvr schema.GroupVersionResource, namespace string) (restConfig *rest.Config, authorized bool, err error) {
+	// First try a REST config without the CA trust chain
+	restConfig, err = BuildRestConfigFromFiles(apiServer, apiServerTokenFile, "", tls)
+	if err != nil {
+		return
+	}
+
+	authorized, err = IsAuthorizedFor(restConfig, gvr, namespace)
+	if !authorized {
+		// Now try with the trust chain
+		restConfig, err = BuildRestConfigFromFiles(apiServer, apiServerTokenFile, caFile, tls)
+		if err != nil {
+			return
+		}
+
+		authorized, err = IsAuthorizedFor(restConfig, gvr, namespace)
+	}
+
+	return
+}
+
+func BuildRestConfigFromData(apiServer, apiServerToken, caData string, tls *rest.TLSClientConfig) (*rest.Config, error) {
 	if tls == nil {
 		tls = &rest.TLSClientConfig{}
 	}
@@ -75,6 +97,22 @@ func BuildRestConfig(apiServer, apiServerToken, caData string, tls *rest.TLSClie
 	}, nil
 }
 
+func BuildRestConfigFromFiles(apiServer, apiServerTokenFile, caFile string, tls *rest.TLSClientConfig) (*rest.Config, error) {
+	if tls == nil {
+		tls = &rest.TLSClientConfig{}
+	}
+
+	if !tls.Insecure && caFile != "" {
+		tls.CAFile = caFile
+	}
+
+	return &rest.Config{
+		Host:            fmt.Sprintf("https://%s", apiServer),
+		TLSClientConfig: *tls,
+		BearerTokenFile: apiServerTokenFile,
+	}, nil
+}
+
 func IsAuthorizedFor(restConfig *rest.Config, gvr schema.GroupVersionResource, namespace string) (bool, error) {
 	client, err := dynamic.NewForConfig(restConfig)
 	if err != nil {
diff --git a/pkg/syncer/broker/config.go b/pkg/syncer/broker/config.go
index 6a9a0c51..158908c3 100644
--- a/pkg/syncer/broker/config.go
+++ b/pkg/syncer/broker/config.go
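Review bot: GetAuthorizedRestConfigFromFiles repeats the body of GetAuthorizedRestConfigFromData line for line, differing only in which builder it calls, so the try-without-CA-then-retry policy now lives in two places and any later change (for example returning the IsAuthorizedFor error instead of retrying on it, which both copies currently do because only `authorized` is checked) has to be made twice. A private helper that takes the builder as a closure keeps the policy in one place; a sketch follows. The exported functions added in this hunk and the next (GetAuthorizedRestConfigFromFiles, BuildRestConfigFromData, BuildRestConfigFromFiles) also have no doc comments; at minimum `// GetAuthorizedRestConfigFromFiles builds a REST config for apiServer from a bearer-token file and a CA file, retrying with the CA only when the first attempt is not authorized.` should be present.
```go
// authorizedRestConfig applies the shared policy: try without the CA trust
// chain first, then retry with it if the first config is not authorized.
// build receives the CA argument to use ("" on the first attempt).
func authorizedRestConfig(build func(ca string) (*rest.Config, error), ca string,
	gvr schema.GroupVersionResource, namespace string) (restConfig *rest.Config, authorized bool, err error) {
	// First try a REST config without the CA trust chain
	restConfig, err = build("")
	if err != nil {
		return
	}

	authorized, err = IsAuthorizedFor(restConfig, gvr, namespace)
	if !authorized {
		// Now try with the trust chain
		restConfig, err = build(ca)
		if err != nil {
			return
		}

		authorized, err = IsAuthorizedFor(restConfig, gvr, namespace)
	}

	return
}

// GetAuthorizedRestConfigFromFiles is the file-backed variant of
// GetAuthorizedRestConfigFromData; both delegate to authorizedRestConfig.
func GetAuthorizedRestConfigFromFiles(apiServer, apiServerTokenFile, caFile string, tls *rest.TLSClientConfig,
	gvr schema.GroupVersionResource, namespace string) (*rest.Config, bool, error) {
	return authorizedRestConfig(func(ca string) (*rest.Config, error) {
		return BuildRestConfigFromFiles(apiServer, apiServerTokenFile, ca, tls)
	}, caFile, gvr, namespace)
}

// … unchanged: BuildRestConfigFromData …
```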
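Review bot: BuildRestConfigFromFiles assigns `tls.CAFile = caFile` through the pointer the caller passed, so the caller's TLSClientConfig is modified as a side effect, and GetAuthorizedRestConfigFromFiles depends on that shared pointer across its two attempts, which means the "first try without the CA" step only works if the caller did not already set CAFile. Copying the struct before touching it removes the aliasing: `cfg := *tls` followed by `if !cfg.Insecure && caFile != "" { cfg.CAFile = caFile }` and `TLSClientConfig: cfg` in the returned config. Setting BearerTokenFile rather than reading the token into memory looks like the right choice for a mounted secret; as far as I recall client-go re-reads a BearerTokenFile periodically so a rotated token is picked up without a restart, which is worth confirming and recording in the function's doc comment.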
@@ -33,6 +33,7 @@ type brokerSpecification struct {
 	RemoteNamespace string
 	Insecure        bool `default:"false"`
 	Ca              string
+	Secret          string
 }
 
 const brokerConfigPrefix = "broker_k8s"
@@ -61,3 +62,7 @@ func EnvironmentVariable(setting string) string {
 
 	panic(fmt.Sprintf("unknown Broker setting %s", setting))
 }
+
+func SecretPath(secretName string) string {
+	return fmt.Sprintf("/run/secrets/submariner.io/%s", secretName)
+}
diff --git a/pkg/syncer/broker/syncer.go b/pkg/syncer/broker/syncer.go
index c2fcdee5..8c8dea58 100644
--- a/pkg/syncer/broker/syncer.go
+++ b/pkg/syncer/broker/syncer.go
@@ -20,6 +20,7 @@ package broker
 
 import (
 	"fmt"
+	"path/filepath"
 	"reflect"
 	"time"
 
@@ -268,8 +269,14 @@ func createBrokerClient(config *SyncerConfig) error {
 
 	config.BrokerNamespace = spec.RemoteNamespace
 
-	config.BrokerRestConfig, authorized, err = resource.GetAuthorizedRestConfig(spec.APIServer, spec.APIServerToken, spec.Ca,
-		&rest.TLSClientConfig{Insecure: spec.Insecure}, *gvr, spec.RemoteNamespace)
+	if spec.Secret != "" {
+		config.BrokerRestConfig, authorized, err = resource.GetAuthorizedRestConfigFromFiles(spec.APIServer,
+			filepath.Join(SecretPath(spec.Secret), "token"), filepath.Join(SecretPath(spec.Secret), "ca.crt"),
+			&rest.TLSClientConfig{Insecure: spec.Insecure}, *gvr, spec.RemoteNamespace)
+	} else {
+		config.BrokerRestConfig, authorized, err = resource.GetAuthorizedRestConfigFromData(spec.APIServer, spec.APIServerToken, spec.Ca,
+			&rest.TLSClientConfig{Insecure: spec.Insecure}, *gvr, spec.RemoteNamespace)
+	}
 	}
 
 	if !authorized {
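Review bot: SecretPath interpolates secretName straight into the path with fmt.Sprintf, so a value containing a path separator or `..` would resolve to a directory outside /run/secrets/submariner.io; the name appears to come from the broker configuration handled elsewhere in this file, which is outside the hunk. Kubernetes Secret names cannot contain `/`, so the practical exposure is small, but `return filepath.Join("/run/secrets/submariner.io", secretName)` (with the path/filepath import added to config.go) is the conventional form and matches how the caller in syncer.go already joins the file names. The exported function also needs a doc comment, for example `// SecretPath returns the directory under which the broker Secret named secretName is expected to be mounted.`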
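Review bot: When spec.Secret is non-empty, spec.APIServerToken and spec.Ca are ignored without any indication, so a deployment that sets both the secret and the inline values gets the file-based credentials and nothing in the log says which source was chosen; logging the selected source, or returning an error when both are configured, would make the selection visible to the operator. `SecretPath(spec.Secret)` is also evaluated twice on adjacent lines and reads better hoisted as `secretDir := SecretPath(spec.Secret)`. Passing "ca.crt" unconditionally is fine because BuildRestConfigFromFiles skips CAFile when Insecure is set. createBrokerClient begins before this hunk and continues after it.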