// generateTokenIfNeeded populates the token data for the given Secret if not already set
func (e *TokensController) generateTokenIfNeeded(serviceAccount *api.ServiceAccount, secret *api.Secret) error {
if secret.Annotations == nil {
secret.Annotations = map[string]string{}
}
if secret.Data == nil {
secret.Data = map[string][]byte{}
}
caData := secret.Data[api.ServiceAccountRootCAKey]
needsCA := len(e.rootCA) > 0 && bytes.Compare(caData, e.rootCA) != 0
needsNamespace := len(secret.Data[api.ServiceAccountNamespaceKey]) == 0
tokenData := secret.Data[api.ServiceAccountTokenKey]
needsToken := len(tokenData) == 0
if !needsCA && !needsToken && !needsNamespace {
return nil
}
// Set the CA
if needsCA {
secret.Data[api.ServiceAccountRootCAKey] = e.rootCA
}
// Set the namespace
if needsNamespace {
secret.Data[api.ServiceAccountNamespaceKey] = []byte(secret.Namespace)
}
// Generate the token
if needsToken {
token, err := e.token.GenerateToken(*serviceAccount, *secret)
if err != nil {
return err
}
secret.Data[api.ServiceAccountTokenKey] = []byte(token)
}
// Set annotations
secret.Annotations[api.ServiceAccountNameKey] = serviceAccount.Name
secret.Annotations[api.ServiceAccountUIDKey] = string(serviceAccount.UID)
// Save the secret
if _, err := e.client.Core().Secrets(secret.Namespace).Update(secret); err != nil {
return err
}
return nil
}
func createAppEnvConfigSecret(secretsClient client.SecretsInterface, secretName string, env map[string]interface{}) error {
newSecret := new(api.Secret)
newSecret.Name = secretName
newSecret.Type = api.SecretTypeOpaque
newSecret.Data = make(map[string][]byte)
for k, v := range env {
newSecret.Data[k] = []byte(fmt.Sprintf("%v", v))
}
if _, err := secretsClient.Create(newSecret); err != nil {
if apierrors.IsAlreadyExists(err) {
if _, err = secretsClient.Update(newSecret); err != nil {
return err
}
return nil
}
return err
}
return nil
}
func writeSecretData(r *schema.ResourceData, s *api.Secret) {
s.Data = map[string][]byte{}
if set, _ := r.Get("data").(*schema.Set); set != nil {
for _, p := range set.List() {
m := p.(map[string]interface{})
k := m["name"].(string)
x := m["value"].(string)
s.Data[k] = []byte(x)
}
}
}
// Get is the ClusterID interface implementation
func (c clusterIDFromPersistentStorage) Get() (string, error) {
c.rwm.Lock()
defer c.rwm.Unlock()
secret, err := c.secretGetterCreator.Get(wfmSecretName)
//If we don't have the secret we shouldn't be returning error and instead a create a new one
if err != nil && !apierrors.IsNotFound(err) {
return "", err
}
// if we don't have secret data for the cluster ID we assume a new cluster
// and create a new secret
if secret.Data[clusterIDSecretKey] == nil {
newSecret := new(api.Secret)
newSecret.Name = wfmSecretName
newSecret.Data = make(map[string][]byte)
newSecret.Data[clusterIDSecretKey] = []byte(uuid.NewV4().String())
fromAPI, err := c.secretGetterCreator.Create(newSecret)
if err != nil {
return "", err
}
secret = fromAPI
}
return string(secret.Data[clusterIDSecretKey]), nil
}
func Convert_v1_Secret_To_api_Secret(in *Secret, out *api.Secret, s conversion.Scope) error {
if err := autoConvert_v1_Secret_To_api_Secret(in, out, s); err != nil {
return err
}
// StringData overwrites Data
if len(in.StringData) > 0 {
if out.Data == nil {
out.Data = map[string][]byte{}
}
for k, v := range in.StringData {
out.Data[k] = []byte(v)
}
}
return nil
}
// createSecret creates a secret containing TLS certificates for the given Ingress.
// If a secret with the same name already exists in the namespace of the
// Ingress, it's updated.
func createSecret(kubeClient clientset.Interface, ing *extensions.Ingress) (host string, rootCA, privKey []byte, err error) {
var k, c bytes.Buffer
tls := ing.Spec.TLS[0]
host = strings.Join(tls.Hosts, ",")
framework.Logf("Generating RSA cert for host %v", host)
if err = generateRSACerts(host, true, &k, &c); err != nil {
return
}
cert := c.Bytes()
key := k.Bytes()
secret := &api.Secret{
ObjectMeta: api.ObjectMeta{
Name: tls.SecretName,
},
Data: map[string][]byte{
api.TLSCertKey: cert,
api.TLSPrivateKeyKey: key,
},
}
var s *api.Secret
if s, err = kubeClient.Core().Secrets(ing.Namespace).Get(tls.SecretName); err == nil {
// TODO: Retry the update. We don't really expect anything to conflict though.
framework.Logf("Updating secret %v in ns %v with hosts %v for ingress %v", secret.Name, secret.Namespace, host, ing.Name)
s.Data = secret.Data
_, err = kubeClient.Core().Secrets(ing.Namespace).Update(s)
} else {
framework.Logf("Creating secret %v in ns %v with hosts %v for ingress %v", secret.Name, secret.Namespace, host, ing.Name)
_, err = kubeClient.Core().Secrets(ing.Namespace).Create(secret)
}
return host, cert, key, err
}
