Skip to content

Commit

Permalink
Read secrets for onboarding-token validation
Browse files Browse the repository at this point in the history
Signed-off-by: mrudraia <[email protected]>

Signed-off-by: mrudraia <[email protected]>

Signed-off-by: mrudraia <[email protected]>

Signed-off-by: mrudraia <[email protected]>

Signed-off-by: mrudraia <[email protected]>

Signed-off-by: mrudraia <[email protected]>

Signed-off-by: mrudraia <[email protected]>

Signed-off-by: mrudraia <[email protected]>
  • Loading branch information
mrudraia1 committed Aug 2, 2024
1 parent 7ecef44 commit a98859f
Show file tree
Hide file tree
Showing 5 changed files with 58 additions and 34 deletions.
5 changes: 2 additions & 3 deletions controllers/storagecluster/storageclient.go
Original file line number Diff line number Diff line change
Expand Up @@ -12,8 +12,7 @@ import (
)

const (
tokenLifetimeInHours = 48
onboardingPrivateKeyFilePath = "/etc/private-key/key"
tokenLifetimeInHours = 48
)

type storageClient struct{}
Expand All @@ -31,7 +30,7 @@ func (s *storageClient) ensureCreated(r *StorageClusterReconciler, storagecluste
storageClient.Name = storagecluster.Name
_, err := controllerutil.CreateOrUpdate(r.ctx, r.Client, storageClient, func() error {
if storageClient.Status.ConsumerID == "" {
token, err := util.GenerateOnboardingToken(tokenLifetimeInHours, onboardingPrivateKeyFilePath, nil)
token, err := util.GenerateOnboardingToken(tokenLifetimeInHours, nil)
if err != nil {
return fmt.Errorf("unable to generate onboarding token: %v", err)
}
Expand Down
62 changes: 55 additions & 7 deletions controllers/util/provider.go
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
package util

import (
"context"
"crypto"
"crypto/rand"
"crypto/rsa"
Expand All @@ -10,17 +11,28 @@ import (
"encoding/json"
"encoding/pem"
"fmt"
"os"
"time"

"github.com/google/uuid"
"github.com/red-hat-storage/ocs-operator/v4/services"
v1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/types"
"k8s.io/klog/v2"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/client/config"
)

const (
// Name of existing private key which is used ocs-operator
onboardingValidationPrivateKeySecretName = "onboarding-private-key"
)

// GenerateOnboardingToken generates a token valid for a duration of "tokenLifetimeInHours".
// The token content is predefined and signed by the private key which'll be read from supplied "privateKeyPath".
// The storageQuotaInGiB is optional, and it is used to limit the storage of PVC in the application cluster.
func GenerateOnboardingToken(tokenLifetimeInHours int, privateKeyPath string, storageQuotaInGiB *uint) (string, error) {
func GenerateOnboardingToken(tokenLifetimeInHours int, storageQuotaInGiB *uint) (string, error) {
tokenExpirationDate := time.Now().
Add(time.Duration(tokenLifetimeInHours) * time.Hour).
Unix()
Expand All @@ -46,7 +58,7 @@ func GenerateOnboardingToken(tokenLifetimeInHours int, privateKeyPath string, st
return "", fmt.Errorf("failed to hash onboarding token payload: %v", err)
}

privateKey, err := readAndDecodePrivateKey(privateKeyPath)
privateKey, err := readAndDecodePrivateKey()
if err != nil {
return "", fmt.Errorf("failed to read and decode private key: %v", err)
}
Expand All @@ -64,16 +76,52 @@ func GenerateOnboardingToken(tokenLifetimeInHours int, privateKeyPath string, st
return fmt.Sprintf("%s.%s", encodedPayload, encodedSignature), nil
}

func readAndDecodePrivateKey(privateKeyPath string) (*rsa.PrivateKey, error) {
pemString, err := os.ReadFile(privateKeyPath)
func readAndDecodePrivateKey() (*rsa.PrivateKey, error) {
cl, err := newClient()
if err != nil {
return nil, fmt.Errorf("failed to read private key: %v", err)
klog.Exitf("failed to create client: %v", err)
}
ctx := context.Background()
operatorNamespace, err := GetOperatorNamespace()
if err != nil {
klog.Exitf("unable to get operator namespace: %v", err)
}

Block, _ := pem.Decode(pemString)
privateSecret := &corev1.Secret{}
privateSecret.Name = onboardingValidationPrivateKeySecretName
privateSecret.Namespace = operatorNamespace
err1 := cl.Get(ctx, types.NamespacedName{Name: onboardingValidationPrivateKeySecretName, Namespace: operatorNamespace}, privateSecret)
if err1 != nil {
return nil, fmt.Errorf("failed to get private secret: %v", err1)
}

Block, _ := pem.Decode(privateSecret.Data["key"])
privateKey, err := x509.ParsePKCS1PrivateKey(Block.Bytes)
if err != nil {
return nil, fmt.Errorf("failed to parse private key: %v", err)
}

return privateKey, nil
}

func newClient() (client.Client, error) {
klog.Info("Setting up k8s client")
scheme := runtime.NewScheme()
if err := v1.AddToScheme(scheme); err != nil {
return nil, err
}
if err := corev1.AddToScheme(scheme); err != nil {
return nil, err
}
config, err := config.GetConfig()
if err != nil {
return nil, err
}

k8sClient, err := client.New(config, client.Options{Scheme: scheme})
if err != nil {
return nil, err
}

return k8sClient, nil
}
Original file line number Diff line number Diff line change
Expand Up @@ -686,8 +686,6 @@ spec:
readOnlyRootFilesystem: true
runAsNonRoot: true
volumeMounts:
- mountPath: /etc/private-key
name: onboarding-private-key
- mountPath: /etc/tls/private
name: ux-cert-secret
- args:
Expand Down Expand Up @@ -723,10 +721,6 @@ spec:
operator: Equal
value: "true"
volumes:
- name: onboarding-private-key
secret:
optional: true
secretName: onboarding-private-key
- name: ux-proxy-secret
secret:
secretName: ux-backend-proxy
Expand Down
6 changes: 1 addition & 5 deletions services/ux-backend/handlers/onboardingtokens/handler.go
Original file line number Diff line number Diff line change
Expand Up @@ -12,10 +12,6 @@ import (
"k8s.io/utils/ptr"
)

const (
onboardingPrivateKeyFilePath = "/etc/private-key/key"
)

var unitToGib = map[string]uint{
"Gi": 1,
"Ti": 1024,
Expand Down Expand Up @@ -57,7 +53,7 @@ func handlePost(w http.ResponseWriter, r *http.Request, tokenLifetimeInHours int
}
storageQuotaInGiB = ptr.To(unitAsGiB * quota.Value)
}
if onboardingToken, err := util.GenerateOnboardingToken(tokenLifetimeInHours, onboardingPrivateKeyFilePath, storageQuotaInGiB); err != nil {
if onboardingToken, err := util.GenerateOnboardingToken(tokenLifetimeInHours, storageQuotaInGiB); err != nil {
klog.Errorf("failed to get onboardig token: %v", err)
w.WriteHeader(http.StatusInternalServerError)
w.Header().Set("Content-Type", handlers.ContentTypeTextPlain)
Expand Down
13 changes: 0 additions & 13 deletions tools/csv-merger/csv-merger.go
Original file line number Diff line number Diff line change
Expand Up @@ -644,10 +644,6 @@ func getUXBackendServerDeployment() appsv1.DeploymentSpec {
{
Name: "ux-backend-server",
VolumeMounts: []corev1.VolumeMount{
{
Name: "onboarding-private-key",
MountPath: "/etc/private-key",
},
{
Name: "ux-cert-secret",
MountPath: "/etc/tls/private",
Expand Down Expand Up @@ -716,15 +712,6 @@ func getUXBackendServerDeployment() appsv1.DeploymentSpec {
},
},
Volumes: []corev1.Volume{
{
Name: "onboarding-private-key",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: "onboarding-private-key",
Optional: ptr.To(true),
},
},
},
{
Name: "ux-proxy-secret",
VolumeSource: corev1.VolumeSource{
Expand Down

0 comments on commit a98859f

Please sign in to comment.