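// Run prints the token of the first valid service-account token secret
// referenced by the service account named o.SAName to o.Out.
//
// Secrets that cannot be fetched are skipped (best effort); an error is
// returned only if the service account itself cannot be read, a matching
// secret lacks token data, or no valid token secret is found at all.
func (o *GetServiceAccountTokenOptions) Run() error {
	serviceAccount, err := o.SAClient.Get(o.SAName)
	if err != nil {
		return err
	}

	for _, reference := range serviceAccount.Secrets {
		secret, err := o.SecretsClient.Get(reference.Name)
		if err != nil {
			// A secret we cannot read may simply not be the token; keep looking.
			continue
		}
		if !serviceaccounts.IsValidServiceAccountToken(serviceAccount, secret) {
			continue
		}

		token, exists := secret.Data[kapi.ServiceAccountTokenKey]
		if !exists {
			return fmt.Errorf("service account token %q for service account %q did not contain token data", secret.Name, serviceAccount.Name)
		}

		// Fprint, not Fprintf: the token is data, never a format string. Passing it
		// as the format would let any '%' in the token be parsed as a verb and
		// corrupt the printed credential (go vet flags this as well).
		fmt.Fprint(o.Out, string(token))
		if util.IsTerminalWriter(o.Out) {
			// pretty-print for a TTY
			fmt.Fprintln(o.Out)
		}
		return nil
	}

	return fmt.Errorf("could not find a service account token for service account %q", serviceAccount.Name)
}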
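// Run creates a new token secret, waits for the service account token controller
// to fulfill it, then adds the token to the service account.
//
// The secret is created with a generated name derived from the service account,
// in the service account's namespace, carrying o.Labels and the
// ServiceAccountNameKey annotation. After the controller populates it (bounded by
// o.Timeout) the token bytes are written to o.Out.
func (o *NewServiceAccountTokenOptions) Run() error {
	serviceAccount, err := o.SAClient.Get(o.SAName)
	if err != nil {
		return err
	}

	tokenSecret := &api.Secret{
		ObjectMeta: api.ObjectMeta{
			GenerateName: osautil.GetTokenSecretNamePrefix(serviceAccount),
			Namespace:    serviceAccount.Namespace,
			Labels:       o.Labels,
			Annotations: map[string]string{
				api.ServiceAccountNameKey: serviceAccount.Name,
			},
		},
		Type: api.SecretTypeServiceAccountToken,
		// Data is intentionally empty: the token controller fills it in.
		Data: map[string][]byte{},
	}

	persistedToken, err := o.SecretsClient.Create(tokenSecret)
	if err != nil {
		return err
	}

	// we need to wait for the service account token controller to make the new token valid
	tokenSecret, err = waitForToken(persistedToken, serviceAccount, o.Timeout, o.SecretsClient)
	if err != nil {
		return err
	}

	token, exists := tokenSecret.Data[api.ServiceAccountTokenKey]
	if !exists {
		return fmt.Errorf("service account token %q did not contain token data", tokenSecret.Name)
	}

	// Fprint, not Fprintf: the token is data, never a format string. Passing it
	// as the format would let any '%' in the token be parsed as a verb and
	// corrupt the printed credential (go vet flags this as well).
	fmt.Fprint(o.Out, string(token))
	if util.IsTerminalWriter(o.Out) {
		// pretty-print for a TTY
		fmt.Fprintln(o.Out)
	}
	return nil
}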
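// Decrypt reads an encrypted PEM block, decrypts it with the password stored in
// the key PEM block in o.KeyFile, and writes the plaintext out.
//
// Input is taken, in order of precedence, from o.EncryptedFile, o.EncryptedData,
// or o.EncryptedReader (the reader is skipped when util.IsTerminalReader reports
// it as a terminal). Output goes to o.DecryptedFile (created with mode 0600) or,
// failing that, to o.DecryptedWriter; if neither is set the plaintext is
// discarded silently, so callers should validate the options beforehand.
//
// Errors are returned for unreadable input, a missing or malformed PEM block of
// the expected type in either input or key file, an empty key, a decryption
// failure, or a failed write of the decrypted file.
func (o *DecryptOptions) Decrypt() error {
	// Get PEM data block
	var data []byte
	switch {
	case len(o.EncryptedFile) > 0:
		d, err := ioutil.ReadFile(o.EncryptedFile)
		if err != nil {
			return err
		}
		data = d
	case len(o.EncryptedData) > 0:
		data = o.EncryptedData
	case o.EncryptedReader != nil && !util.IsTerminalReader(o.EncryptedReader):
		d, err := ioutil.ReadAll(o.EncryptedReader)
		if err != nil {
			return err
		}
		data = d
	}
	if len(data) == 0 {
		return fmt.Errorf("no input data specified")
	}
	dataBlock, ok := pemutil.BlockFromBytes(data, configapi.StringSourceEncryptedBlockType)
	if !ok {
		return fmt.Errorf("input does not contain a valid PEM block of type %q", configapi.StringSourceEncryptedBlockType)
	}

	// Get password
	keyBlock, ok, err := pemutil.BlockFromFile(o.KeyFile, configapi.StringSourceKeyBlockType)
	if err != nil {
		return err
	}
	if !ok {
		return fmt.Errorf("%s does not contain a valid PEM block of type %q", o.KeyFile, configapi.StringSourceKeyBlockType)
	}
	if len(keyBlock.Bytes) == 0 {
		return fmt.Errorf("%s does not contain a key", o.KeyFile)
	}
	password := keyBlock.Bytes

	// Decrypt
	// NOTE: x509.DecryptPEMBlock implements legacy RFC 1423 PEM encryption, which
	// Go deprecates because the ciphertext is unauthenticated. It is kept here for
	// compatibility with the existing encrypted-block format; the key file and the
	// encrypted input should be treated as equally sensitive.
	plaintext, err := x509.DecryptPEMBlock(dataBlock, password)
	if err != nil {
		return err
	}

	// Write decrypted data
	switch {
	case len(o.DecryptedFile) > 0:
		// 0600 so the plaintext secret is not readable by other users on the host.
		if err := ioutil.WriteFile(o.DecryptedFile, plaintext, os.FileMode(0600)); err != nil {
			return err
		}
	case o.DecryptedWriter != nil:
		fmt.Fprint(o.DecryptedWriter, string(plaintext))
		if util.IsTerminalWriter(o.DecryptedWriter) {
			// pretty-print for a TTY
			fmt.Fprintln(o.DecryptedWriter)
		}
	}
	return nil
}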