From 6a56e87f6d3a294ce0e8a28906cbd57df140c3b7 Mon Sep 17 00:00:00 2001 From: mrudraia Date: Tue, 23 Jul 2024 11:19:21 +0530 Subject: [PATCH] Read secrets for onboarding-token validation Signed-off-by: mrudraia Signed-off-by: mrudraia Signed-off-by: mrudraia Signed-off-by: mrudraia Signed-off-by: mrudraia Signed-off-by: mrudraia Signed-off-by: mrudraia Signed-off-by: mrudraia Signed-off-by: mrudraia Signed-off-by: mrudraia Signed-off-by: mrudraia Signed-off-by: mrudraia Signed-off-by: mrudraia Signed-off-by: mrudraia Signed-off-by: mrudraia Signed-off-by: mrudraia Signed-off-by: mrudraia Signed-off-by: mrudraia Signed-off-by: mrudraia Signed-off-by: mrudraia Signed-off-by: mrudraia Signed-off-by: mrudraia Signed-off-by: mrudraia Signed-off-by: mrudraia Signed-off-by: mrudraia --- controllers/storagecluster/storageclient.go | 14 +++++-- .../storagecluster_controller.go | 2 +- controllers/util/onboardings_secrets.go | 41 +++++++++++++++++++ controllers/util/provider.go | 25 +---------- controllers/util/util.go | 2 + .../ocs-operator.clusterserviceversion.yaml | 6 --- .../handlers/onboardingtokens/handler.go | 22 ++++++---- services/ux-backend/main.go | 39 ++++++++++++++++-- tools/csv-merger/csv-merger.go | 21 ++++------ 9 files changed, 113 insertions(+), 59 deletions(-) create mode 100644 controllers/util/onboardings_secrets.go diff --git a/controllers/storagecluster/storageclient.go b/controllers/storagecluster/storageclient.go index 19254da491..86b4acf9f0 100644 --- a/controllers/storagecluster/storageclient.go +++ b/controllers/storagecluster/storageclient.go @@ -12,8 +12,8 @@ import ( ) const ( - tokenLifetimeInHours = 48 - onboardingPrivateKeyFilePath = "/etc/private-key/key" + tokenLifetimeInHours = 48 + onboardingValidationPrivateKeySecretName = "onboarding-private-key" ) type storageClient struct{} @@ -27,11 +27,17 @@ func (s *storageClient) ensureCreated(r *StorageClusterReconciler, storagecluste return s.ensureDeleted(r, storagecluster) } + privateKey, err := util.ReadPrivateKey(r.Client) + if err != nil { + r.Log.Info("Unable to get privatekey:") + return reconcile.Result{}, nil + } + storageClient := &ocsclientv1a1.StorageClient{} storageClient.Name = storagecluster.Name - _, err := controllerutil.CreateOrUpdate(r.ctx, r.Client, storageClient, func() error { + _, err = controllerutil.CreateOrUpdate(r.ctx, r.Client, storageClient, func() error { if storageClient.Status.ConsumerID == "" { - token, err := util.GenerateOnboardingToken(tokenLifetimeInHours, onboardingPrivateKeyFilePath, nil) + token, err := util.GenerateOnboardingToken(tokenLifetimeInHours, privateKey, nil) if err != nil { return fmt.Errorf("unable to generate onboarding token: %v", err) } diff --git a/controllers/storagecluster/storagecluster_controller.go b/controllers/storagecluster/storagecluster_controller.go index 11c6564969..1ed86d5d4f 100644 --- a/controllers/storagecluster/storagecluster_controller.go +++ b/controllers/storagecluster/storagecluster_controller.go @@ -225,7 +225,7 @@ func (r *StorageClusterReconciler) SetupWithManager(mgr ctrl.Manager) error { Owns(&appsv1.Deployment{}, builder.WithPredicates(predicate.GenerationChangedPredicate{})). Owns(&corev1.Service{}, builder.WithPredicates(predicate.GenerationChangedPredicate{})). Owns(&corev1.ConfigMap{}, builder.MatchEveryOwner, builder.WithPredicates(predicate.GenerationChangedPredicate{})). - Owns(&corev1.Secret{}, builder.WithPredicates(predicate.GenerationChangedPredicate{})). + Owns(&corev1.Secret{}, builder.MatchEveryOwner, builder.WithPredicates(predicate.GenerationChangedPredicate{})). Owns(&routev1.Route{}). Owns(&templatev1.Template{}). Watches(&storagev1.StorageClass{}, enqueueStorageClusterRequest). diff --git a/controllers/util/onboardings_secrets.go b/controllers/util/onboardings_secrets.go new file mode 100644 index 0000000000..595be00831 --- /dev/null +++ b/controllers/util/onboardings_secrets.go @@ -0,0 +1,41 @@ +package util + +import ( + "context" + "crypto/rsa" + "crypto/x509" + "encoding/pem" + "fmt" + + corev1 "k8s.io/api/core/v1" + "k8s.io/klog/v2" + "sigs.k8s.io/controller-runtime/pkg/client" +) + +func ReadPrivateKey(cl client.Client) (*rsa.PrivateKey, error) { + klog.Info("Getting the Pem key") + ctx := context.Background() + + operatorNamespace, err := GetOperatorNamespace() + if err != nil { + return nil, fmt.Errorf("unable to get operator namespace: %v", err) + } + + privateSecret := &corev1.Secret{} + privateSecret.Name = onboardingValidationPrivateKeySecretName + privateSecret.Namespace = operatorNamespace + + err = cl.Get(ctx, client.ObjectKeyFromObject(privateSecret), privateSecret) + if err != nil { + return nil, fmt.Errorf("failed to get private secret: %v", err) + } + + Block, _ := pem.Decode(privateSecret.Data["key"]) + privateKey, err := x509.ParsePKCS1PrivateKey(Block.Bytes) + + if err != nil { + return nil, fmt.Errorf("failed to parse private key: %v", err) + } + + return privateKey, nil +} diff --git a/controllers/util/provider.go b/controllers/util/provider.go index 35db1f49a2..539bc4ac78 100644 --- a/controllers/util/provider.go +++ b/controllers/util/provider.go @@ -5,12 +5,9 @@ import ( "crypto/rand" "crypto/rsa" "crypto/sha256" - "crypto/x509" "encoding/base64" "encoding/json" - "encoding/pem" "fmt" - "os" "time" "github.com/google/uuid" @@ -18,9 +15,8 @@ import ( ) // GenerateOnboardingToken generates a token valid for a duration of "tokenLifetimeInHours". -// The token content is predefined and signed by the private key which'll be read from supplied "privateKeyPath". // The storageQuotaInGiB is optional, and it is used to limit the storage of PVC in the application cluster. -func GenerateOnboardingToken(tokenLifetimeInHours int, privateKeyPath string, storageQuotaInGiB *uint) (string, error) { +func GenerateOnboardingToken(tokenLifetimeInHours int, privateKey *rsa.PrivateKey, storageQuotaInGiB *uint) (string, error) { tokenExpirationDate := time.Now(). Add(time.Duration(tokenLifetimeInHours) * time.Hour). Unix() @@ -46,11 +42,6 @@ func GenerateOnboardingToken(tokenLifetimeInHours int, privateKeyPath string, st return "", fmt.Errorf("failed to hash onboarding token payload: %v", err) } - privateKey, err := readAndDecodePrivateKey(privateKeyPath) - if err != nil { - return "", fmt.Errorf("failed to read and decode private key: %v", err) - } - msgHashSum := msgHash.Sum(nil) // In order to generate the signature, we provide a random number generator, // our private key, the hashing algorithm that we used, and the hash sum @@ -63,17 +54,3 @@ func GenerateOnboardingToken(tokenLifetimeInHours int, privateKeyPath string, st encodedSignature := base64.StdEncoding.EncodeToString(signature) return fmt.Sprintf("%s.%s", encodedPayload, encodedSignature), nil } - -func readAndDecodePrivateKey(privateKeyPath string) (*rsa.PrivateKey, error) { - pemString, err := os.ReadFile(privateKeyPath) - if err != nil { - return nil, fmt.Errorf("failed to read private key: %v", err) - } - - Block, _ := pem.Decode(pemString) - privateKey, err := x509.ParsePKCS1PrivateKey(Block.Bytes) - if err != nil { - return nil, fmt.Errorf("failed to parse private key: %v", err) - } - return privateKey, nil -} diff --git a/controllers/util/util.go b/controllers/util/util.go index 8e12772056..2750ed7c3c 100644 --- a/controllers/util/util.go +++ b/controllers/util/util.go @@ -5,6 +5,8 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) +const onboardingValidationPrivateKeySecretName = "onboarding-private-key" + func RemoveDuplicatesFromStringSlice(slice []string) []string { keys := make(map[string]bool) list := []string{} diff --git a/deploy/ocs-operator/manifests/ocs-operator.clusterserviceversion.yaml b/deploy/ocs-operator/manifests/ocs-operator.clusterserviceversion.yaml index 3e0765bb70..54c7313dcf 100644 --- a/deploy/ocs-operator/manifests/ocs-operator.clusterserviceversion.yaml +++ b/deploy/ocs-operator/manifests/ocs-operator.clusterserviceversion.yaml @@ -717,8 +717,6 @@ spec: readOnlyRootFilesystem: true runAsNonRoot: true volumeMounts: - - mountPath: /etc/private-key - name: onboarding-private-key - mountPath: /etc/tls/private name: ux-cert-secret - args: @@ -754,10 +752,6 @@ spec: operator: Equal value: "true" volumes: - - name: onboarding-private-key - secret: - optional: true - secretName: onboarding-private-key - name: ux-proxy-secret secret: secretName: ux-backend-proxy diff --git a/services/ux-backend/handlers/onboardingtokens/handler.go b/services/ux-backend/handlers/onboardingtokens/handler.go index e8f4e55b41..c603f8f839 100644 --- a/services/ux-backend/handlers/onboardingtokens/handler.go +++ b/services/ux-backend/handlers/onboardingtokens/handler.go @@ -10,10 +10,7 @@ import ( "github.com/red-hat-storage/ocs-operator/v4/services/ux-backend/handlers" "k8s.io/klog/v2" "k8s.io/utils/ptr" -) - -const ( - onboardingPrivateKeyFilePath = "/etc/private-key/key" + "sigs.k8s.io/controller-runtime/pkg/client" ) var unitToGib = map[string]uint{ @@ -22,20 +19,28 @@ var unitToGib = map[string]uint{ "Pi": 1024 * 1024, } -func HandleMessage(w http.ResponseWriter, r *http.Request, tokenLifetimeInHours int) { +const onboardingValidationPrivateKeySecretName = "onboarding-private-key" + +func HandleMessage(w http.ResponseWriter, r *http.Request, tokenLifetimeInHours int, cl client.Client) { switch r.Method { case "POST": - handlePost(w, r, tokenLifetimeInHours) + handlePost(w, r, tokenLifetimeInHours, cl) default: handleUnsupportedMethod(w, r) } } -func handlePost(w http.ResponseWriter, r *http.Request, tokenLifetimeInHours int) { +func handlePost(w http.ResponseWriter, r *http.Request, tokenLifetimeInHours int, cl client.Client) { var storageQuotaInGiB *uint // When ContentLength is 0 that means request body is empty and // storage quota is unlimited var err error + + privateKey, err := util.ReadPrivateKey(cl) + if err != nil { + fmt.Println("Failed to get private key", err) + } + if r.ContentLength != 0 { var quota = struct { Value uint `json:"value"` @@ -57,7 +62,8 @@ func handlePost(w http.ResponseWriter, r *http.Request, tokenLifetimeInHours int } storageQuotaInGiB = ptr.To(unitAsGiB * quota.Value) } - if onboardingToken, err := util.GenerateOnboardingToken(tokenLifetimeInHours, onboardingPrivateKeyFilePath, storageQuotaInGiB); err != nil { + + if onboardingToken, err := util.GenerateOnboardingToken(tokenLifetimeInHours, privateKey, storageQuotaInGiB); err != nil { klog.Errorf("failed to get onboardig token: %v", err) w.WriteHeader(http.StatusInternalServerError) w.Header().Set("Content-Type", handlers.ContentTypeTextPlain) diff --git a/services/ux-backend/main.go b/services/ux-backend/main.go index 5651379225..13f7532d15 100644 --- a/services/ux-backend/main.go +++ b/services/ux-backend/main.go @@ -7,12 +7,17 @@ import ( "os" "strconv" - "k8s.io/klog/v2" - + v1 "github.com/red-hat-storage/ocs-operator/api/v4/v1" "github.com/red-hat-storage/ocs-operator/v4/services/ux-backend/handlers/onboardingtokens" + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/klog/v2" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/client/config" ) type serverConfig struct { + client.Client listenPort int tokenLifetimeInHours int tlsEnabled bool @@ -61,8 +66,14 @@ func main() { klog.Info("shutting down!") os.Exit(-1) } + + cl, err := newClient() + if err != nil { + klog.Exitf("failed to create client: %v", err) + } + http.HandleFunc("/onboarding-tokens", func(w http.ResponseWriter, r *http.Request) { - onboardingtokens.HandleMessage(w, r, config.tokenLifetimeInHours) + onboardingtokens.HandleMessage(w, r, config.tokenLifetimeInHours, cl) }) klog.Info("ux backend server listening on port ", config.listenPort) @@ -82,3 +93,25 @@ func main() { log.Fatal(err) } + +func newClient() (client.Client, error) { + klog.Info("Setting up k8s client") + scheme := runtime.NewScheme() + if err := v1.AddToScheme(scheme); err != nil { + return nil, err + } + if err := corev1.AddToScheme(scheme); err != nil { + return nil, err + } + + config, err := config.GetConfig() + if err != nil { + return nil, err + } + k8sClient, err := client.New(config, client.Options{Scheme: scheme}) + if err != nil { + return nil, err + } + + return k8sClient, nil +} diff --git a/tools/csv-merger/csv-merger.go b/tools/csv-merger/csv-merger.go index a39e88894c..f87b75fdad 100644 --- a/tools/csv-merger/csv-merger.go +++ b/tools/csv-merger/csv-merger.go @@ -644,10 +644,6 @@ func getUXBackendServerDeployment() appsv1.DeploymentSpec { { Name: "ux-backend-server", VolumeMounts: []corev1.VolumeMount{ - { - Name: "onboarding-private-key", - MountPath: "/etc/private-key", - }, { Name: "ux-cert-secret", MountPath: "/etc/tls/private", @@ -674,6 +670,14 @@ func getUXBackendServerDeployment() appsv1.DeploymentSpec { Name: "TLS_ENABLED", Value: os.Getenv("TLS_ENABLED"), }, + { + Name: util.OperatorNamespaceEnvVar, + ValueFrom: &corev1.EnvVarSource{ + FieldRef: &corev1.ObjectFieldSelector{ + FieldPath: "metadata.namespace", + }, + }, + }, }, SecurityContext: &corev1.SecurityContext{ RunAsNonRoot: ptr.To(true), @@ -716,15 +720,6 @@ func getUXBackendServerDeployment() appsv1.DeploymentSpec { }, }, Volumes: []corev1.Volume{ - { - Name: "onboarding-private-key", - VolumeSource: corev1.VolumeSource{ - Secret: &corev1.SecretVolumeSource{ - SecretName: "onboarding-private-key", - Optional: ptr.To(true), - }, - }, - }, { Name: "ux-proxy-secret", VolumeSource: corev1.VolumeSource{