// generateSecretsConfig generates any Secret and Volume objects, such // as SSH private keys, that are necessary for the router container. func generateSecretsConfig(cfg *RouterConfig, kClient *kclient.Client, namespace string) ([]*kapi.Secret, []kapi.Volume, []kapi.VolumeMount, error) { secrets := []*kapi.Secret{} volumes := []kapi.Volume{} mounts := []kapi.VolumeMount{} if len(cfg.ExternalHostPrivateKey) != 0 { privkeyData, err := loadKey(cfg.ExternalHostPrivateKey) if err != nil { return secrets, volumes, mounts, fmt.Errorf("error reading private key"+ " for external host: %v", err) } serviceAccount, err := kClient.ServiceAccounts(namespace).Get(cfg.ServiceAccount) if err != nil { return secrets, volumes, mounts, fmt.Errorf("error looking up"+ " service account %s: %v", cfg.ServiceAccount, err) } privkeySecret := &kapi.Secret{ ObjectMeta: kapi.ObjectMeta{ Name: privkeySecretName, Annotations: map[string]string{ kapi.ServiceAccountNameKey: serviceAccount.Name, kapi.ServiceAccountUIDKey: string(serviceAccount.UID), }, }, Data: map[string][]byte{privkeyName: privkeyData}, } secrets = append(secrets, privkeySecret) } // We need a secrets volume and mount iff we have secrets. if len(secrets) != 0 { secretsVolume := kapi.Volume{ Name: secretsVolumeName, VolumeSource: kapi.VolumeSource{ Secret: &kapi.SecretVolumeSource{ SecretName: privkeySecretName, }, }, } secretsMount := kapi.VolumeMount{ Name: secretsVolumeName, ReadOnly: true, MountPath: secretsPath, } volumes = []kapi.Volume{secretsVolume} mounts = []kapi.VolumeMount{secretsMount} } return secrets, volumes, mounts, nil }
func validateServiceAccount(c *k8sclient.Client, f *cmdutil.Factory) (Result, error) { ns, _, err := f.DefaultNamespace() if err != nil { return Failure, err } sa, err := c.ServiceAccounts(ns).Get("fabric8") if sa != nil { return Success, err } return Failure, err }
func getReferencedServiceAccountToken(c *client.Client, ns string, name string, shouldWait bool) (string, string, error) { tokenName := "" token := "" findToken := func() (bool, error) { user, err := c.ServiceAccounts(ns).Get(name) if errors.IsNotFound(err) { return false, nil } if err != nil { return false, err } for _, ref := range user.Secrets { secret, err := c.Secrets(ns).Get(ref.Name) if errors.IsNotFound(err) { continue } if err != nil { return false, err } if secret.Type != api.SecretTypeServiceAccountToken { continue } name := secret.Annotations[api.ServiceAccountNameKey] uid := secret.Annotations[api.ServiceAccountUIDKey] tokenData := secret.Data[api.ServiceAccountTokenKey] if name == user.Name && uid == string(user.UID) && len(tokenData) > 0 { tokenName = secret.Name token = string(tokenData) return true, nil } } return false, nil } if shouldWait { err := wait.Poll(time.Second, 10*time.Second, findToken) if err != nil { return "", "", err } } else { ok, err := findToken() if err != nil { return "", "", err } if !ok { return "", "", fmt.Errorf("No token found for %s/%s", ns, name) } } return tokenName, token, nil }
func getServiceAccount(c *client.Client, ns string, name string, shouldWait bool) (*api.ServiceAccount, error) { if !shouldWait { return c.ServiceAccounts(ns).Get(name) } var user *api.ServiceAccount var err error err = wait.Poll(time.Second, 10*time.Second, func() (bool, error) { user, err = c.ServiceAccounts(ns).Get(name) if errors.IsNotFound(err) { return false, nil } if err != nil { return false, err } return true, nil }) return user, err }
func WaitForServiceAccounts(client *kclient.Client, namespace string, accounts []string) error { // Ensure the service accounts needed by build pods exist in the namespace // The extra controllers tend to starve the service account controller serviceAccounts := client.ServiceAccounts(namespace) return wait.Poll(time.Second, ServiceAccountWaitTimeout, func() (bool, error) { for _, account := range accounts { if _, err := serviceAccounts.Get(account); err != nil { return false, nil } } return true, nil }) }
func addServiceAccount(c *k8sclient.Client, f *cmdutil.Factory, name string) (Result, error) { ns, _, e := f.DefaultNamespace() if e != nil { util.Fatal("No default namespace") return Failure, e } sas := c.ServiceAccounts(ns) _, err := sas.Get(name) if err != nil { sa := kapi.ServiceAccount{ ObjectMeta: kapi.ObjectMeta{ Name: name, }, } _, err = sas.Create(&sa) } r := Success if err != nil { r = Failure } return r, err }
// WaitForServiceAccounts ensures the service accounts needed by build pods exist in the namespace // The extra controllers tend to starve the service account controller func WaitForServiceAccounts(client *kclient.Client, namespace string, accounts []string) error { serviceAccounts := client.ServiceAccounts(namespace) return wait.Poll(time.Second, ServiceAccountWaitTimeout, func() (bool, error) { for _, account := range accounts { if sa, err := serviceAccounts.Get(account); err != nil { if !serviceAccountSecretsExist(client, namespace, sa) { continue } return false, nil } } return true, nil }) }
func getServiceAccountToken(client *kclient.Client, ns, name string) (string, error) { secrets, err := client.Secrets(ns).List(labels.Everything(), fields.Everything()) if err != nil { return "", err } for _, secret := range secrets.Items { if secret.Type == api.SecretTypeServiceAccountToken && secret.Annotations[api.ServiceAccountNameKey] == name { sa, err := client.ServiceAccounts(ns).Get(name) if err != nil { return "", err } for _, ref := range sa.Secrets { if ref.Name == secret.Name { return string(secret.Data[api.ServiceAccountTokenKey]), nil } } } } return "", nil }