Read secrets for onboarding-token validation

Signed-off-by: mrudraia <[email protected]> Signed-off-by: mrudraia <[email protected]>
red-hat-storage · Jul 29, 2024 · 30e2f00 · 30e2f00
1 parent 7ecef44
commit 30e2f00
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 19 deletions.
diff --git a/controllers/util/provider.go b/controllers/util/provider.go
@@ -1,6 +1,7 @@
 package util
 
 import (
+	"context"
 	"crypto"
 	"crypto/rand"
 	"crypto/rsa"
@@ -10,11 +11,25 @@ import (
 	"encoding/json"
 	"encoding/pem"
 	"fmt"
-	"os"
 	"time"
 
 	"github.com/google/uuid"
 	"github.com/red-hat-storage/ocs-operator/v4/services"
+	v1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	kerrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/klog"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/config"
+)
+
+const (
+	// Name of existing public key which is used ocs-operator
+	onboardingValidationPublicKeySecretName  = "onboarding-ticket-key"
+	onboardingValidationPrivateKeySecretName = "onboarding-private-key"
+	storageClusterName                       = "ocs-storagecluster"
 )
 
 // GenerateOnboardingToken generates a token valid for a duration of "tokenLifetimeInHours".
@@ -46,7 +61,7 @@ func GenerateOnboardingToken(tokenLifetimeInHours int, privateKeyPath string, st
 		return "", fmt.Errorf("failed to hash onboarding token payload: %v", err)
 	}
 
-	privateKey, err := readAndDecodePrivateKey(privateKeyPath)
+	privateKey, err := readAndDecodePrivateKey()
 	if err != nil {
 		return "", fmt.Errorf("failed to read and decode private key: %v", err)
 	}
@@ -64,16 +79,52 @@ func GenerateOnboardingToken(tokenLifetimeInHours int, privateKeyPath string, st
 	return fmt.Sprintf("%s.%s", encodedPayload, encodedSignature), nil
 }
 
-func readAndDecodePrivateKey(privateKeyPath string) (*rsa.PrivateKey, error) {
-	pemString, err := os.ReadFile(privateKeyPath)
+func readAndDecodePrivateKey() (*rsa.PrivateKey, error) {
+	cl, err := newClient()
+	if err != nil {
+		klog.Exitf("failed to create client: %v", err)
+	}
+	ctx := context.Background()
+	operatorNamespace, err := GetOperatorNamespace()
 	if err != nil {
-		return nil, fmt.Errorf("failed to read private key: %v", err)
+		klog.Exitf("unable to get operator namespace: %v", err)
 	}
 
-	Block, _ := pem.Decode(pemString)
+	privateSecret := &corev1.Secret{}
+	privateSecret.Name = onboardingValidationPrivateKeySecretName
+	privateSecret.Namespace = operatorNamespace
+	err = cl.Get(ctx, types.NamespacedName{Name: storageClusterName, Namespace: operatorNamespace}, privateSecret)
+	if err != nil && !kerrors.IsNotFound(err) {
+		klog.Exitf("failed to get private secret: %v", err)
+	}
+
+	pubKeyBytes := privateSecret.Data["key"]
+
+	Block, _ := pem.Decode(pubKeyBytes)
 	privateKey, err := x509.ParsePKCS1PrivateKey(Block.Bytes)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse private key: %v", err)
 	}
 	return privateKey, nil
 }
+
+func newClient() (client.Client, error) {
+	klog.Info("Setting up k8s client")
+	scheme := runtime.NewScheme()
+	if err := v1.AddToScheme(scheme); err != nil {
+		return nil, err
+	}
+	if err := corev1.AddToScheme(scheme); err != nil {
+		return nil, err
+	}
+	config, err := config.GetConfig()
+	if err != nil {
+		return nil, err
+	}
+	k8sClient, err := client.New(config, client.Options{Scheme: scheme})
+	if err != nil {
+		return nil, err
+	}
+
+	return k8sClient, nil
+}
diff --git a/tools/csv-merger/csv-merger.go b/tools/csv-merger/csv-merger.go
@@ -644,10 +644,6 @@ func getUXBackendServerDeployment() appsv1.DeploymentSpec {
 					{
 						Name: "ux-backend-server",
 						VolumeMounts: []corev1.VolumeMount{
-							{
-								Name:      "onboarding-private-key",
-								MountPath: "/etc/private-key",
-							},
 							{
 								Name:      "ux-cert-secret",
 								MountPath: "/etc/tls/private",
@@ -716,15 +712,6 @@ func getUXBackendServerDeployment() appsv1.DeploymentSpec {
 					},
 				},
 				Volumes: []corev1.Volume{
-					{
-						Name: "onboarding-private-key",
-						VolumeSource: corev1.VolumeSource{
-							Secret: &corev1.SecretVolumeSource{
-								SecretName: "onboarding-private-key",
-								Optional:   ptr.To(true),
-							},
-						},
-					},
 					{
 						Name: "ux-proxy-secret",
 						VolumeSource: corev1.VolumeSource{