From 52d15b8aed6cefbd94b1ff4e25865225f8f8f6aa Mon Sep 17 00:00:00 2001 From: mrudraia Date: Tue, 23 Jul 2024 11:19:21 +0530 Subject: [PATCH] Read secrets for onboarding-token validation Signed-off-by: mrudraia Signed-off-by: mrudraia Signed-off-by: mrudraia Signed-off-by: mrudraia Signed-off-by: mrudraia Signed-off-by: mrudraia Signed-off-by: mrudraia Signed-off-by: mrudraia Signed-off-by: mrudraia Signed-off-by: mrudraia Signed-off-by: mrudraia Signed-off-by: mrudraia Signed-off-by: mrudraia Signed-off-by: mrudraia Signed-off-by: mrudraia Signed-off-by: mrudraia --- controllers/storagecluster/storageclient.go | 5 +- controllers/util/provider.go | 58 ++++++++++++++++--- .../ocs-operator.clusterserviceversion.yaml | 6 -- .../handlers/onboardingtokens/handler.go | 7 +-- tools/csv-merger/csv-merger.go | 13 ----- 5 files changed, 54 insertions(+), 35 deletions(-) diff --git a/controllers/storagecluster/storageclient.go b/controllers/storagecluster/storageclient.go index 19254da491..33ea945dbf 100644 --- a/controllers/storagecluster/storageclient.go +++ b/controllers/storagecluster/storageclient.go @@ -12,8 +12,7 @@ import ( ) const ( - tokenLifetimeInHours = 48 - onboardingPrivateKeyFilePath = "/etc/private-key/key" + tokenLifetimeInHours = 48 ) type storageClient struct{} @@ -31,7 +30,7 @@ func (s *storageClient) ensureCreated(r *StorageClusterReconciler, storagecluste storageClient.Name = storagecluster.Name _, err := controllerutil.CreateOrUpdate(r.ctx, r.Client, storageClient, func() error { if storageClient.Status.ConsumerID == "" { - token, err := util.GenerateOnboardingToken(tokenLifetimeInHours, onboardingPrivateKeyFilePath, nil) + token, err := util.GenerateOnboardingToken(tokenLifetimeInHours, nil) if err != nil { return fmt.Errorf("unable to generate onboarding token: %v", err) } diff --git a/controllers/util/provider.go b/controllers/util/provider.go index 35db1f49a2..8e17977065 100644 --- a/controllers/util/provider.go +++ b/controllers/util/provider.go @@ -1,6 +1,7 @@ package util import ( + "context" "crypto" "crypto/rand" "crypto/rsa" @@ -10,17 +11,29 @@ import ( "encoding/json" "encoding/pem" "fmt" - "os" "time" "github.com/google/uuid" "github.com/red-hat-storage/ocs-operator/v4/services" + v1 "k8s.io/api/apps/v1" + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/types" + "k8s.io/klog/v2" + + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/client/config" +) + +const ( + // Name of existing private key which is used ocs-operator + onboardingValidationPrivateKeySecretName = "onboarding-private-key" ) // GenerateOnboardingToken generates a token valid for a duration of "tokenLifetimeInHours". // The token content is predefined and signed by the private key which'll be read from supplied "privateKeyPath". // The storageQuotaInGiB is optional, and it is used to limit the storage of PVC in the application cluster. -func GenerateOnboardingToken(tokenLifetimeInHours int, privateKeyPath string, storageQuotaInGiB *uint) (string, error) { +func GenerateOnboardingToken(tokenLifetimeInHours int, storageQuotaInGiB *uint) (string, error) { tokenExpirationDate := time.Now(). Add(time.Duration(tokenLifetimeInHours) * time.Hour). Unix() @@ -46,9 +59,9 @@ func GenerateOnboardingToken(tokenLifetimeInHours int, privateKeyPath string, st return "", fmt.Errorf("failed to hash onboarding token payload: %v", err) } - privateKey, err := readAndDecodePrivateKey(privateKeyPath) + privateKey, err := DecodePemKey() if err != nil { - return "", fmt.Errorf("failed to read and decode private key: %v", err) + return "", fmt.Errorf("failed to decode the private key: %v", err) } msgHashSum := msgHash.Sum(nil) @@ -64,16 +77,45 @@ func GenerateOnboardingToken(tokenLifetimeInHours int, privateKeyPath string, st return fmt.Sprintf("%s.%s", encodedPayload, encodedSignature), nil } -func readAndDecodePrivateKey(privateKeyPath string) (*rsa.PrivateKey, error) { - pemString, err := os.ReadFile(privateKeyPath) +func DecodePemKey() (*rsa.PrivateKey, error) { + klog.Info("Decoding the Pem key") + ctx := context.Background() + operatorNamespace, err := GetOperatorNamespace() + if err != nil { + return nil, fmt.Errorf("unable to get operator namespace: %v", err) + } + + privateSecret := &corev1.Secret{} + privateSecret.Name = onboardingValidationPrivateKeySecretName + privateSecret.Namespace = operatorNamespace + + cfg, err := config.GetConfig() + if err != nil { + return nil, fmt.Errorf("failed to get client config %v", err) + } + scheme := runtime.NewScheme() + if err := v1.AddToScheme(scheme); err != nil { + return nil, fmt.Errorf("failed to add scheme %v", err) + } + if err := corev1.AddToScheme(scheme); err != nil { + return nil, fmt.Errorf("ailed to add scheme %v", err) + } + + k8s, err := client.New(cfg, client.Options{Scheme: scheme}) if err != nil { - return nil, fmt.Errorf("failed to read private key: %v", err) + return nil, fmt.Errorf("failed to create client %v", err) } - Block, _ := pem.Decode(pemString) + err = k8s.Get(ctx, types.NamespacedName{Name: onboardingValidationPrivateKeySecretName, Namespace: operatorNamespace}, privateSecret) + if err != nil { + return nil, fmt.Errorf("failed to get private secret: %v", err) + } + + Block, _ := pem.Decode(privateSecret.Data["key"]) privateKey, err := x509.ParsePKCS1PrivateKey(Block.Bytes) if err != nil { return nil, fmt.Errorf("failed to parse private key: %v", err) } + return privateKey, nil } diff --git a/deploy/ocs-operator/manifests/ocs-operator.clusterserviceversion.yaml b/deploy/ocs-operator/manifests/ocs-operator.clusterserviceversion.yaml index 3e0765bb70..54c7313dcf 100644 --- a/deploy/ocs-operator/manifests/ocs-operator.clusterserviceversion.yaml +++ b/deploy/ocs-operator/manifests/ocs-operator.clusterserviceversion.yaml @@ -717,8 +717,6 @@ spec: readOnlyRootFilesystem: true runAsNonRoot: true volumeMounts: - - mountPath: /etc/private-key - name: onboarding-private-key - mountPath: /etc/tls/private name: ux-cert-secret - args: @@ -754,10 +752,6 @@ spec: operator: Equal value: "true" volumes: - - name: onboarding-private-key - secret: - optional: true - secretName: onboarding-private-key - name: ux-proxy-secret secret: secretName: ux-backend-proxy diff --git a/services/ux-backend/handlers/onboardingtokens/handler.go b/services/ux-backend/handlers/onboardingtokens/handler.go index e8f4e55b41..3cf581ef58 100644 --- a/services/ux-backend/handlers/onboardingtokens/handler.go +++ b/services/ux-backend/handlers/onboardingtokens/handler.go @@ -12,10 +12,6 @@ import ( "k8s.io/utils/ptr" ) -const ( - onboardingPrivateKeyFilePath = "/etc/private-key/key" -) - var unitToGib = map[string]uint{ "Gi": 1, "Ti": 1024, @@ -36,6 +32,7 @@ func handlePost(w http.ResponseWriter, r *http.Request, tokenLifetimeInHours int // When ContentLength is 0 that means request body is empty and // storage quota is unlimited var err error + if r.ContentLength != 0 { var quota = struct { Value uint `json:"value"` @@ -57,7 +54,7 @@ func handlePost(w http.ResponseWriter, r *http.Request, tokenLifetimeInHours int } storageQuotaInGiB = ptr.To(unitAsGiB * quota.Value) } - if onboardingToken, err := util.GenerateOnboardingToken(tokenLifetimeInHours, onboardingPrivateKeyFilePath, storageQuotaInGiB); err != nil { + if onboardingToken, err := util.GenerateOnboardingToken(tokenLifetimeInHours, storageQuotaInGiB); err != nil { klog.Errorf("failed to get onboardig token: %v", err) w.WriteHeader(http.StatusInternalServerError) w.Header().Set("Content-Type", handlers.ContentTypeTextPlain) diff --git a/tools/csv-merger/csv-merger.go b/tools/csv-merger/csv-merger.go index a39e88894c..8af905c7d7 100644 --- a/tools/csv-merger/csv-merger.go +++ b/tools/csv-merger/csv-merger.go @@ -644,10 +644,6 @@ func getUXBackendServerDeployment() appsv1.DeploymentSpec { { Name: "ux-backend-server", VolumeMounts: []corev1.VolumeMount{ - { - Name: "onboarding-private-key", - MountPath: "/etc/private-key", - }, { Name: "ux-cert-secret", MountPath: "/etc/tls/private", @@ -716,15 +712,6 @@ func getUXBackendServerDeployment() appsv1.DeploymentSpec { }, }, Volumes: []corev1.Volume{ - { - Name: "onboarding-private-key", - VolumeSource: corev1.VolumeSource{ - Secret: &corev1.SecretVolumeSource{ - SecretName: "onboarding-private-key", - Optional: ptr.To(true), - }, - }, - }, { Name: "ux-proxy-secret", VolumeSource: corev1.VolumeSource{