Read secrets for client-onboarding-token-validation #2827
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: mrudraia1 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
| @@ -44,7 +44,11 @@ func (s *storageClient) ensureCreated(r *StorageClusterReconciler, storagecluste | |||
| storageClient.Name = storagecluster.Name | |||
| _, err := controllerutil.CreateOrUpdate(r.ctx, r.Client, storageClient, func() error { | |||
| if storageClient.Status.ConsumerID == "" { | |||
| token, err := util.GenerateClientOnboardingToken(tokenLifetimeInHours, onboardingPrivateKeyFilePath, nil) | |||
| privateKey, err := util.GetParsedPrivateKey(r.Client, r.OperatorNamespace) | |||
There was a problem hiding this comment.
instead of OperatorNamespace we should be using storageCluster Namespace as private key pair is generated per storageCluster and it is created in the same namespace as the storageCluster
There was a problem hiding this comment.
I don't think so, could you pls expand more?
There was a problem hiding this comment.
Onboarding job is created in the same namespace as the storageCluster. The job generates the private/pub key pair in the same namespace as the storageCluster is created. If the storageCluster is created in a different namespace from operator namespace, it will fail at this condition. So it is better if we use storageCluster namespace instead of Operator namespace
There was a problem hiding this comment.
ack, changed to storagecluster namespace
| @@ -44,7 +44,11 @@ func (s *storageClient) ensureCreated(r *StorageClusterReconciler, storagecluste | |||
| storageClient.Name = storagecluster.Name | |||
| _, err := controllerutil.CreateOrUpdate(r.ctx, r.Client, storageClient, func() error { | |||
| if storageClient.Status.ConsumerID == "" { | |||
| token, err := util.GenerateClientOnboardingToken(tokenLifetimeInHours, onboardingPrivateKeyFilePath, nil) | |||
There was a problem hiding this comment.
let's remove onboardingPrivateKeyFilePath if it is not used anymore
| const onboardingValidationPrivateKeySecretName = "onboarding-private-key" | ||
|
|
There was a problem hiding this comment.
I think this is also defined in onboarding-ticket-generator, could we make sure that we are not defining at only one place
There was a problem hiding this comment.
onboardingValidationPrivateKeySecretName is used at two places >
- provider.go
- onboarding-validation-keys-generator
controllers/util/provider.go
Outdated
| pemString, err := os.ReadFile(privateKeyPath) | ||
| func GetParsedPrivateKey(cl client.Client, ns string) (*rsa.PrivateKey, error) { | ||
| klog.Info("Getting the Pem key") | ||
| ctx := context.Background() |
There was a problem hiding this comment.
Let's pass the context from outside
controllers/util/provider.go
Outdated
| func readAndDecodePrivateKey(privateKeyPath string) (*rsa.PrivateKey, error) { | ||
| pemString, err := os.ReadFile(privateKeyPath) | ||
| func GetParsedPrivateKey(cl client.Client, ns string) (*rsa.PrivateKey, error) { | ||
| klog.Info("Getting the Pem key") |
|
|
||
| var namespace string | ||
|
|
||
| // returns namespace found in pod | ||
| func GetPodNamespace() string { | ||
| if namespace != "" { | ||
| return namespace | ||
| } | ||
| if ns := os.Getenv("OPERATOR_NAMESPACE"); ns != "" { | ||
| namespace = ns | ||
| return namespace | ||
| } | ||
| panic("Value for env var 'POD_NAMESPACE' is empty") | ||
| } |
There was a problem hiding this comment.
This function is already defined in utils let's use that
There was a problem hiding this comment.
removed the dublicate code, used fro utils
| var storageQuotaInGiB *uint | ||
| // When ContentLength is 0 that means request body is empty and | ||
| // storage quota is unlimited | ||
| var err error | ||
|
|
||
| ns := handlers.GetPodNamespace() |
There was a problem hiding this comment.
Let's pass the podNamespace from outside along with the client
| func handlePost(w http.ResponseWriter, _ *http.Request, tokenLifetimeInHours int, cl client.Client) { | ||
| var err error | ||
|
|
||
| ns := handlers.GetPodNamespace() |
There was a problem hiding this comment.
Let's pass the podNamespace from outside along with the client
services/ux-backend/main.go
Outdated
| if err := ocsv1.AddToScheme(scheme); err != nil { | ||
| return nil, err | ||
| } |
There was a problem hiding this comment.
are we fetching any resources created by ocsv1? do we need to add it to the scheme?
There was a problem hiding this comment.
client gets failed, if i did not added the ocsv1 schema, the same is followed in onboarding-validation-key-generator main.go
There was a problem hiding this comment.
the onboarding-validation-key-generator requires us to access the storageCluster hence the ocsv1 scheme is added to the client we create there. The ux-backend for now only fetches the secret. I don't think we need the ocsv1 scheme here
tools/csv-merger/csv-merger.go
Outdated
| @@ -674,6 +670,14 @@ func getUXBackendServerDeployment() appsv1.DeploymentSpec { | |||
| Name: "TLS_ENABLED", | |||
| Value: os.Getenv("TLS_ENABLED"), | |||
| }, | |||
| { | |||
| Name: util.OperatorNamespaceEnvVar, | |||
There was a problem hiding this comment.
Use PodNamespaceEnvVar instead of OperatorNamespaceEnvVar
|
a suggestion, we are seeing this PR for third time, second time it's fine that you weren't able to recover GH (remember you can't create new a/c every-time though) but last time it's better if you can focus on rebasing properly. yes, GH doesn't have any issue w/ closing & opening a new PR but for reviewers it's kinda hard to relook from the start. |
mrudraia1
force-pushed
the
onboarding
branch
2 times, most recently
from
5d4bcff
to
674b54c
Compare
Signed-off-by: Mrudraia1 <[email protected]>
This PR reads the secrets instead of reading the secrets from the volume mounts.
whenever the new onboarding secrets are created, it takes more time to read the secrets from the volume mounts,
The user clicks the rotate onboarding keys, the kubernetes still uses the old public, private keys , the new keys are mounted later, So this PR will read the secrets directly from the kubernetes secrets.