func getServiceAccountPullSecret(client *kclient.Client, ns, name string) (string, error) {
secrets, err := client.Secrets(ns).List(labels.Everything(), fields.Everything())
if err != nil {
return "", err
}
for _, secret := range secrets.Items {
if secret.Type == api.SecretTypeDockercfg && secret.Annotations[api.ServiceAccountNameKey] == name {
return string(secret.Data[api.DockerConfigKey]), nil
}
}
return "", nil
}
func getReferencedServiceAccountToken(c *client.Client, ns string, name string, shouldWait bool) (string, string, error) {
tokenName := ""
token := ""
findToken := func() (bool, error) {
user, err := c.ServiceAccounts(ns).Get(name)
if errors.IsNotFound(err) {
return false, nil
}
if err != nil {
return false, err
}
for _, ref := range user.Secrets {
secret, err := c.Secrets(ns).Get(ref.Name)
if errors.IsNotFound(err) {
continue
}
if err != nil {
return false, err
}
if secret.Type != api.SecretTypeServiceAccountToken {
continue
}
name := secret.Annotations[api.ServiceAccountNameKey]
uid := secret.Annotations[api.ServiceAccountUIDKey]
tokenData := secret.Data[api.ServiceAccountTokenKey]
if name == user.Name && uid == string(user.UID) && len(tokenData) > 0 {
tokenName = secret.Name
token = string(tokenData)
return true, nil
}
}
return false, nil
}
if shouldWait {
err := wait.Poll(time.Second, 10*time.Second, findToken)
if err != nil {
return "", "", err
}
} else {
ok, err := findToken()
if err != nil {
return "", "", err
}
if !ok {
return "", "", fmt.Errorf("No token found for %s/%s", ns, name)
}
}
return tokenName, token, nil
}
func createSecret(c *k8sclient.Client, f *cmdutil.Factory, flags *flag.FlagSet, secretDataIdentifiers string, secretType string, keysNames []string) (Result, error) {
var secret = secret(secretDataIdentifiers, secretType, keysNames, flags)
ns, _, err := f.DefaultNamespace()
if err != nil {
return Failure, err
}
rs, err := c.Secrets(ns).Create(&secret)
if rs != nil {
return Success, err
}
return Failure, err
}
func getServiceAccountToken(client *kclient.Client, ns, name string) (string, error) {
secrets, err := client.Secrets(ns).List(labels.Everything(), fields.Everything())
if err != nil {
return "", err
}
for _, secret := range secrets.Items {
if secret.Type == api.SecretTypeServiceAccountToken && secret.Annotations[api.ServiceAccountNameKey] == name {
sa, err := client.ServiceAccounts(ns).Get(name)
if err != nil {
return "", err
}
for _, ref := range sa.Secrets {
if ref.Name == secret.Name {
return string(secret.Data[api.ServiceAccountTokenKey]), nil
}
}
}
}
return "", nil
}
// serviceAccountSecretsExist checks whether the given service account has at least a token and a dockercfg
// secret associated with it.
func serviceAccountSecretsExist(client *kclient.Client, namespace string, sa *kapi.ServiceAccount) bool {
foundTokenSecret := false
foundDockercfgSecret := false
for _, secret := range sa.Secrets {
ns := namespace
if len(secret.Namespace) > 0 {
ns = secret.Namespace
}
secret, err := client.Secrets(ns).Get(secret.Name)
if err == nil {
switch secret.Type {
case kapi.SecretTypeServiceAccountToken:
foundTokenSecret = true
case kapi.SecretTypeDockercfg:
foundDockercfgSecret = true
}
}
}
return foundTokenSecret && foundDockercfgSecret
}
func doServiceAccountAPIRequests(t *testing.T, c *client.Client, ns string, authenticated bool, canRead bool, canWrite bool) {
testSecret := &api.Secret{
ObjectMeta: api.ObjectMeta{Name: "testSecret"},
Data: map[string][]byte{"test": []byte("data")},
}
readOps := []testOperation{
func() error { _, err := c.Secrets(ns).List(labels.Everything(), fields.Everything()); return err },
func() error { _, err := c.Pods(ns).List(labels.Everything(), fields.Everything()); return err },
}
writeOps := []testOperation{
func() error { _, err := c.Secrets(ns).Create(testSecret); return err },
func() error { return c.Secrets(ns).Delete(testSecret.Name) },
}
for _, op := range readOps {
err := op()
unauthorizedError := errors.IsUnauthorized(err)
forbiddenError := errors.IsForbidden(err)
switch {
case !authenticated && !unauthorizedError:
t.Fatalf("expected unauthorized error, got %v", err)
case authenticated && unauthorizedError:
t.Fatalf("unexpected unauthorized error: %v", err)
case authenticated && canRead && forbiddenError:
t.Fatalf("unexpected forbidden error: %v", err)
case authenticated && !canRead && !forbiddenError:
t.Fatalf("expected forbidden error, got: %v", err)
}
}
for _, op := range writeOps {
err := op()
unauthorizedError := errors.IsUnauthorized(err)
forbiddenError := errors.IsForbidden(err)
switch {
case !authenticated && !unauthorizedError:
t.Fatalf("expected unauthorized error, got %v", err)
case authenticated && unauthorizedError:
t.Fatalf("unexpected unauthorized error: %v", err)
case authenticated && canWrite && forbiddenError:
t.Fatalf("unexpected forbidden error: %v", err)
case authenticated && !canWrite && !forbiddenError:
t.Fatalf("expected forbidden error, got: %v", err)
}
}
}
// create secrets for the server
secret := api.Secret{
TypeMeta: api.TypeMeta{
Kind: "Secret",
APIVersion: "v1",
},
ObjectMeta: api.ObjectMeta{
Name: config.prefix + "-secret",
},
Data: map[string][]byte{
// from contrib/for-tests/volumes-tester/rbd/keyring
"key": []byte("AQDRrKNVbEevChAAEmRC+pW/KBVHxa0w/POILA=="),
},
}
secClient := c.Secrets(config.namespace)
defer func() {
if clean {
secClient.Delete(config.prefix + "-secret")
}
}()
if _, err := secClient.Create(&secret); err != nil {
Failf("Failed to create secrets for Ceph RBD: %v", err)
}
volume := api.VolumeSource{
RBD: &api.RBDVolumeSource{
CephMonitors: []string{serverIP},
RBDPool: "rbd",
// DoTestSecrets test secrets for one api version.
func DoTestSecrets(t *testing.T, client *client.Client, apiVersion string) {
// Make a secret object.
ns := "ns"
s := api.Secret{
ObjectMeta: api.ObjectMeta{
Name: "secret",
Namespace: ns,
},
Data: map[string][]byte{
"data": []byte("value1\n"),
},
}
if _, err := client.Secrets(s.Namespace).Create(&s); err != nil {
t.Errorf("unable to create test secret: %v", err)
}
defer deleteSecretOrErrorf(t, client, s.Namespace, s.Name)
// Template for pods that use a secret.
pod := &api.Pod{
ObjectMeta: api.ObjectMeta{
Name: "XXX",
},
Spec: api.PodSpec{
Volumes: []api.Volume{
{
Name: "secvol",
VolumeSource: api.VolumeSource{
Secret: &api.SecretVolumeSource{
SecretName: "secret",
},
},
},
},
Containers: []api.Container{
{
Name: "fake-name",
Image: "fakeimage",
VolumeMounts: []api.VolumeMount{
{
Name: "secvol",
MountPath: "/fake/path",
ReadOnly: true,
},
},
},
},
},
}
// Create a pod to consume secret.
pod.ObjectMeta.Name = "uses-secret"
if _, err := client.Pods(ns).Create(pod); err != nil {
t.Errorf("Failed to create pod: %v", err)
}
defer deletePodOrErrorf(t, client, ns, pod.Name)
// Create a pod that consumes non-existent secret.
pod.ObjectMeta.Name = "uses-non-existent-secret"
if _, err := client.Pods(ns).Create(pod); err != nil {
t.Errorf("Failed to create pod: %v", err)
}
defer deletePodOrErrorf(t, client, ns, pod.Name)
// This pod may fail to run, but we don't currently prevent this, and this
// test can't check whether the kubelet actually pulls the secret.
// Verifying contents of the volumes is out of scope for a
// apiserver<->kubelet integration test. It is covered by an e2e test.
}
func deleteSecretOrErrorf(t *testing.T, c *client.Client, ns, name string) {
if err := c.Secrets(ns).Delete(name); err != nil {
t.Errorf("unable to delete secret %v: %v", name, err)
}
}