/**
 * Returns the first secret in {@code secrets} whose metadata name equals {@code sname}.
 *
 * @param secrets secrets to search, in iteration order
 * @param sname   exact name to look for
 * @return the first matching secret, or {@code null} when none matches
 */
public static Secret findSecretWithName(List<Secret> secrets, String sname) {
  for (Secret candidate : secrets) {
    if (candidate.getMetadata().getName().equals(sname)) {
      return candidate;
    }
  }
  return null;
}
/**
 * Reads the service-account id recorded on the secret under the
 * {@code STYX_WORKFLOW_SA_ID_ANNOTATION} annotation.
 *
 * @param secret secret whose metadata annotations are read
 * @return the annotation value, or {@code null} when the annotation is not set
 */
private String serviceAccount(Secret secret) {
  final Map<String, String> annotations = secret.getMetadata().getAnnotations();
  return annotations.get(STYX_WORKFLOW_SA_ID_ANNOTATION);
}
/**
 * Reads the service-account epoch recorded on the secret under the
 * {@code STYX_WORKFLOW_SA_EPOCH_ANNOTATION} annotation.
 *
 * @param secret secret whose metadata annotations are read
 * @return the annotation value, or {@code null} when the annotation is not set
 */
private String secretEpoch(Secret secret) {
  final Map<String, String> annotations = secret.getMetadata().getAnnotations();
  return annotations.get(STYX_WORKFLOW_SA_EPOCH_ANNOTATION);
}
/**
 * Decodes the base64 value stored under {@code key} in the secret's data as an X.509 certificate.
 *
 * @param secret source secret; may be {@code null}
 * @param key    data key holding the base64-encoded certificate
 * @return the parsed certificate, or {@code null} if the secret, its data map, or the entry is absent
 * @throws RuntimeException         wrapping the {@link CertificateException} when the bytes do not parse;
 *                                  the message names the data key and the secret
 * @throws IllegalArgumentException from the base64 decoder when the entry is not valid base64
 */
static X509Certificate cert(Secret secret, String key) {
  if (secret == null || secret.getData() == null) {
    return null;
  }
  final String encoded = secret.getData().get(key);
  if (encoded == null) {
    return null;
  }
  final byte[] der = Base64.getDecoder().decode(encoded);
  try {
    return x509Certificate(der);
  } catch (CertificateException e) {
    // Dots in the key are escaped so the message reads as a JSON-path-like locator (data.ca\.crt).
    throw new RuntimeException("Certificate in data." + key.replace(".", "\\.") + " of Secret " + secret.getMetadata().getName(), e);
  }
}
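/**
 * Returns the decoded bearer token of the service account {@code name} in {@code namespace}.
 * <p>
 * The token is read from the first secret whose name starts with {@code name + "-token-"}, the
 * naming scheme of the token secret generated for that service account. A plain substring match
 * would also accept the token secret of a different account whose name merely contains
 * {@code name}, i.e. it could hand out another identity's credential.
 * The returned value is a credential; callers should not log it.
 *
 * @param name      service-account name
 * @param namespace namespace to search
 * @return the token as a UTF-8 string
 * @throws IllegalStateException when no token secret exists for the account, or the secret has no
 *                               {@code token} entry
 */
public String getServiceaccountToken(String name, String namespace) {
  final String tokenSecretPrefix = name + "-token-";
  final Secret tokenSecret = client.secrets().inNamespace(namespace).list().getItems().stream()
      .filter(secret -> secret.getMetadata().getName().startsWith(tokenSecretPrefix))
      .findFirst()
      .orElseThrow(() -> new IllegalStateException(
          "No token secret found for service account " + name + " in namespace " + namespace));
  // An explicit check instead of letting decode(null) fail with an opaque NullPointerException.
  final String encoded = tokenSecret.getData() == null ? null : tokenSecret.getData().get("token");
  if (encoded == null) {
    throw new IllegalStateException("Secret " + tokenSecret.getMetadata().getName() + " has no token entry");
  }
  return new String(Base64.getDecoder().decode(encoded), StandardCharsets.UTF_8);
}
}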
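/**
 * Deletes the given service-account secret, logging the action for audit.
 * <p>
 * A 404 from the API server means the secret is already gone and is treated as success; any other
 * client error is logged with its cause and rethrown.
 *
 * @param secret the secret to delete
 * @throws KubernetesClientException for any API failure other than 404
 */
private void deleteSecret(Secret secret) {
  final String secretName = secret.getMetadata().getName();
  LOG.info("[AUDIT] Deleting service account {} secret {}", serviceAccount(secret), secretName);
  try {
    client.secrets().delete(secret);
  } catch (KubernetesClientException e) {
    if (e.getCode() == 404) {
      // The desired end state (no secret) already holds, so this is not an error.
      LOG.debug("Couldn't find secret to delete {}", secretName);
    } else {
      // Passing the exception as the trailing argument keeps the status code and stack in the audit entry.
      LOG.warn("[AUDIT] Failed to delete secret {}", secretName, e);
      throw e;
    }
  }
}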
/**
 * Remembers the CA-related secrets of this cluster.
 * <p>
 * Each secret is matched by name against the secret names derived from {@code clusterName} and
 * stored in the corresponding field; secrets with any other name are ignored. If the list holds
 * several secrets with the same name, the last one wins.
 *
 * @param secrets candidate secrets, typically a namespace listing
 */
public void initCaSecrets(List<Secret> secrets) {
  for (Secret candidate : secrets) {
    final String name = candidate.getMetadata().getName();
    if (KafkaCluster.brokersSecretName(clusterName).equals(name)) {
      brokersSecret = candidate;
      continue;
    }
    if (EntityOperator.secretName(clusterName).equals(name)) {
      entityOperatorSecret = candidate;
      continue;
    }
    if (TopicOperator.secretName(clusterName).equals(name)) {
      topicOperatorSecret = candidate;
      continue;
    }
    if (ZookeeperCluster.nodesSecretName(clusterName).equals(name)) {
      zkNodesSecret = candidate;
      continue;
    }
    if (ClusterOperator.secretName(clusterName).equals(name)) {
      clusterOperatorSecret = candidate;
    }
  }
}
reason = "CA certificate secret " + caCertSecretName + " is missing or lacking data." + CA_CRT.replace(".", "\\."); renewalType = RenewalType.RENEW_CERT; } else if (this.caCertSecret.getMetadata() != null && Annotations.booleanAnnotation(this.caCertSecret, ANNO_STRIMZI_IO_FORCE_RENEW, false)) { reason = "CA certificate secret " + caCertSecretName + " is annotated with " + ANNO_STRIMZI_IO_FORCE_RENEW; renewalType = RenewalType.RENEW_CERT; } else if (this.caKeySecret.getMetadata() != null && Annotations.booleanAnnotation(this.caKeySecret, ANNO_STRIMZI_IO_FORCE_REPLACE, false)) { reason = "CA key secret " + caKeySecretName + " is annotated with " + ANNO_STRIMZI_IO_FORCE_REPLACE;
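/**
 * Allocates an unused username from the pool secret and records it as consumed.
 * <p>
 * Reads the pool ({@code username-pool}) and the consumed list ({@code consumed-usernames}) from
 * their secrets, updates {@code userPoolAvailable} with the percentage of the pool still free,
 * takes the first unconsumed entry, and writes the consumed list back to its secret.
 *
 * @param deployment the deployment the user is allocated for; not used by this method
 * @return the allocated username (key) and its pool value
 * @throws IllegalStateException if either secret is missing, the pool is empty, or every pooled
 *                               name is already consumed
 */
private Map.Entry<String, String> allocateUser(HasMetadata deployment) {
  final Secret usernamePoolSecret = kubeClient().secrets().withName(usernamePoolSecretName).get();
  final Secret consumedUsersSecret = kubeClient().secrets().withName(consumedUsersSecretName).get();
  if (usernamePoolSecret == null || consumedUsersSecret == null) {
    throw new IllegalStateException("Username pool Secrets " + usernamePoolSecretName + " and " + consumedUsersSecretName + " must both exist");
  }
  final Map<String, String> usernamePool = decodeMap(usernamePoolSecret.getData().get("username-pool"));
  final Collection<String> consumedUsernames = decodeList(consumedUsersSecret.getData().get("consumed-usernames"));
  final String exhausted = "Username pool is exhausted. Please check Secret " + usernamePoolSecretName + " and " + consumedUsersSecretName;
  final int poolSize = usernamePool.size();
  if (poolSize == 0) {
    // Checked before the percentage is computed so an empty pool reports exhaustion rather than dividing by zero.
    throw new IllegalStateException(exhausted);
  }
  // Remove all consumed usernames, then measure what is left. This equals (pool - consumed) / pool
  // whenever every consumed name is in the pool, and stays within 0..100 when the consumed list
  // carries stale names that are not.
  consumedUsernames.forEach(usernamePool::remove);
  userPoolAvailable = (usernamePool.size() * 100) / poolSize;
  if (usernamePool.isEmpty()) {
    throw new IllegalStateException(exhausted);
  }
  // Take first element
  final Map.Entry<String, String> pair = usernamePool.entrySet().iterator().next();
  consumedUsernames.add(pair.getKey());
  final Secret updatedSecret = new SecretBuilder()
      .withNewMetadata()
        .withAnnotations(consumedUsersSecret.getMetadata().getAnnotations())
        .withLabels(consumedUsersSecret.getMetadata().getLabels())
        .withName(consumedUsersSecret.getMetadata().getName())
      .endMetadata()
      .withData(null)
      .withStringData(Collections.singletonMap("consumed-usernames", String.join("\n", consumedUsernames)))
      .build();
  // NOTE(review): this read-modify-write of the consumed-users secret is not atomic; two callers
  // running concurrently could be handed the same name — confirm callers serialize allocation.
  // TODO handle failure case
  kubeClient().secrets().createOrReplace(updatedSecret);
  return pair;
}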
/**
 * Creates the patcher used to bring an existing Secret in line with a desired one.
 * <p>
 * If the two objects are configuration-equal nothing is written and the existing object is
 * returned as is. Otherwise the live secret is opened for editing and only the parts that differ
 * (metadata, data, stringData) are replaced before {@code done()} persists the edit.
 * NOTE(review): the secret's {@code type} is neither compared nor patched here — confirm that is intended.
 *
 * @return a patcher over {@link Secret}
 */
private static EntityPatcher<Secret> secretPatcher() {
  return (KubernetesClient client, String namespace, Secret desired, Secret existing) -> {
    if (UserConfigurationCompare.configEqual(desired, existing)) {
      return existing;
    }
    final DoneableSecret edit = client.secrets()
        .inNamespace(namespace)
        .withName(existing.getMetadata().getName())
        .edit();
    if (!UserConfigurationCompare.configEqual(desired.getMetadata(), existing.getMetadata())) {
      edit.withMetadata(desired.getMetadata());
    }
    if (!UserConfigurationCompare.configEqual(desired.getData(), existing.getData())) {
      edit.withData(desired.getData());
    }
    if (!UserConfigurationCompare.configEqual(desired.getStringData(), existing.getStringData())) {
      edit.withStringData(desired.getStringData());
    }
    return edit.done();
  };
}
/**
 * Ensures a secret named {@code secretName} holding live keys for {@code serviceAccount} exists.
 * <p>
 * The service account must be known to the key manager. If the secret already exists and both
 * key names recorded in its annotations still resolve to existing keys, nothing is changed.
 * Otherwise any lingering keys and the secret are deleted and fresh keys plus a new secret are created.
 *
 * @param workflowId     workflow on whose behalf the secret is created (used in audit logs)
 * @param serviceAccount service account whose keys the secret holds
 * @param epoch          epoch passed through to key and secret creation
 * @param secretName     name of the secret to look up or create
 * @return {@code secretName}
 * @throws InvalidExecutionException if the service account does not exist
 * @throws IOException               propagated from key management
 */
private String getOrCreateSecret(String workflowId, String serviceAccount, long epoch, String secretName) throws IOException {
  if (!keyManager.serviceAccountExists(serviceAccount)) {
    LOG.warn("[AUDIT] Workflow {} refers to non-existent service account {}", workflowId, serviceAccount);
    throw new InvalidExecutionException("Referenced service account " + serviceAccount + " was not found");
  }
  final Secret current = client.secrets().withName(secretName).get();
  if (current == null) {
    createKeysAndSecret(workflowId, serviceAccount, epoch, secretName);
    return secretName;
  }
  // NOTE(review): a secret carrying no annotations map would fail here with a NullPointerException —
  // confirm every secret under this name is created with these annotations.
  final Map<String, String> annotations = current.getMetadata().getAnnotations();
  final String jsonKeyName = annotations.get(STYX_WORKFLOW_SA_JSON_KEY_NAME_ANNOTATION);
  final String p12KeyName = annotations.get(STYX_WORKFLOW_SA_P12_KEY_NAME_ANNOTATION);
  if (keyExists(jsonKeyName) && keyExists(p12KeyName)) {
    return secretName;
  }
  LOG.info("[AUDIT] Service account keys have been deleted for {}, recreating", serviceAccount);
  // Remove whatever key still lingers, then the secret, so a fresh pair can be issued.
  keyManager.deleteKey(jsonKeyName);
  keyManager.deleteKey(p12KeyName);
  deleteSecret(current);
  createKeysAndSecret(workflowId, serviceAccount, epoch, secretName);
  return secretName;
}
/**
 * Overwrites the live secret named like {@code current} in this resource's namespace with
 * {@code current}'s metadata, data, stringData and type, and returns the persisted object.
 *
 * @param original the previously applied secret; not used by this implementation
 * @param current  the desired state
 * @return the secret as returned by the edit's {@code done()}
 */
@Override
Secret applyResource(Secret original, Secret current) {
  final String name = current.getMetadata().getName();
  return client.secrets()
      .inNamespace(getNamespace())
      .withName(name)
      .edit()
      .withMetadata(current.getMetadata())
      .withData(current.getData())
      .withStringData(current.getStringData())
      .withType(current.getType())
      .done();
}
log.info("Creating cert secret {} with certBundle input", secret.getMetadata().getName()); client.secrets().inNamespace(namespace).createOrReplace(secret); } else if (!data.equals(existing.getData())) { log.info("Replacing cert secret {} with certBundle input", secret.getMetadata().getName()); client.secrets().inNamespace(namespace).withName(endpointInfo.getCertSpec().getSecretName()).patch(secret);
/**
 * Creates a builder backed by an externally supplied fluent and seeds that fluent with every
 * top-level field of {@code instance} (apiVersion, data, kind, metadata, type).
 *
 * @param fluent   fluent that receives the copied fields and backs this builder
 * @param instance secret whose fields are copied
 */
public SecretBuilder(SecretFluent<?> fluent, Secret instance) {
  final SecretFluent<?> target = fluent;
  this.fluent = target;
  target.withApiVersion(instance.getApiVersion());
  target.withData(instance.getData());
  target.withKind(instance.getKind());
  target.withMetadata(instance.getMetadata());
  target.withType(instance.getType());
}
public SecretBuilder( Secret instance ){
/**
 * Creates a self-backed builder (the builder is its own fluent) seeded with every top-level
 * field of {@code instance} (apiVersion, data, kind, metadata, type).
 *
 * @param instance secret whose fields are copied
 */
public SecretBuilder(Secret instance) {
  this.fluent = this;
  withApiVersion(instance.getApiVersion());
  withData(instance.getData());
  withKind(instance.getKind());
  withMetadata(instance.getMetadata());
  withType(instance.getType());
}
/**
 * Creates a builder backed by an externally supplied fluent and seeds that fluent with every
 * top-level field of {@code instance} (apiVersion, data, kind, metadata, type).
 *
 * @param fluent   fluent that receives the copied fields and backs this builder
 * @param instance secret whose fields are copied
 */
public SecretBuilder(SecretFluent<?> fluent, Secret instance) {
  final SecretFluent<?> target = fluent;
  this.fluent = target;
  target.withApiVersion(instance.getApiVersion());
  target.withData(instance.getData());
  target.withKind(instance.getKind());
  target.withMetadata(instance.getMetadata());
  target.withType(instance.getType());
}
public SecretBuilder( Secret instance ){
/**
 * Creates a self-backed builder (the builder is its own fluent) seeded with every top-level
 * field of {@code instance} (apiVersion, data, kind, metadata, type).
 *
 * @param instance secret whose fields are copied
 */
public SecretBuilder(Secret instance) {
  this.fluent = this;
  withApiVersion(instance.getApiVersion());
  withData(instance.getData());
  withKind(instance.getKind());
  withMetadata(instance.getMetadata());
  withType(instance.getType());
}
/**
 * Creates a builder backed by an externally supplied fluent, seeds that fluent with every
 * top-level field of {@code instance} (apiVersion, data, kind, metadata, stringData, type) and
 * records whether validation is enabled.
 *
 * @param fluent            fluent that receives the copied fields and backs this builder
 * @param instance          secret whose fields are copied
 * @param validationEnabled stored as-is in {@code validationEnabled}
 */
public SecretBuilder(SecretFluent<?> fluent, Secret instance, Boolean validationEnabled) {
  final SecretFluent<?> target = fluent;
  this.fluent = target;
  target.withApiVersion(instance.getApiVersion());
  target.withData(instance.getData());
  target.withKind(instance.getKind());
  target.withMetadata(instance.getMetadata());
  target.withStringData(instance.getStringData());
  target.withType(instance.getType());
  this.validationEnabled = validationEnabled;
}
public SecretBuilder(Secret instance){
/**
 * Creates a self-backed builder (the builder is its own fluent) seeded with every top-level
 * field of {@code instance} (apiVersion, data, kind, metadata, stringData, type) and records
 * whether validation is enabled.
 *
 * @param instance          secret whose fields are copied
 * @param validationEnabled stored as-is in {@code validationEnabled}
 */
public SecretBuilder(Secret instance, Boolean validationEnabled) {
  this.fluent = this;
  withApiVersion(instance.getApiVersion());
  withData(instance.getData());
  withKind(instance.getKind());
  withMetadata(instance.getMetadata());
  withStringData(instance.getStringData());
  withType(instance.getType());
  this.validationEnabled = validationEnabled;
}
/**
 * Seeds this fluent with every top-level field of {@code instance}
 * (apiVersion, data, kind, metadata, stringData, type).
 *
 * @param instance secret whose fields are copied
 */
public SecretFluentImpl(Secret instance) {
  withApiVersion(instance.getApiVersion());
  withData(instance.getData());
  withKind(instance.getKind());
  withMetadata(instance.getMetadata());
  withStringData(instance.getStringData());
  withType(instance.getType());
}