-
Notifications
You must be signed in to change notification settings - Fork 2.7k
/
store.go
150 lines (131 loc) · 5.32 KB
/
store.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
/*
Copyright 2019 The Rook Authors. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Package keyring provides methods for accessing keyrings for Ceph daemons stored securely in
// Kubernetes secrets. It also provides methods for creating keyrings with desired permissions which
// are stored persistently and a special subset of methods for the Ceph admin keyring.
package keyring
import (
"github.com/coreos/pkg/capnslog"
"github.com/pkg/errors"
"github.com/rook/rook/pkg/clusterd"
"github.com/rook/rook/pkg/daemon/ceph/client"
"github.com/rook/rook/pkg/operator/k8sutil"
apps "k8s.io/api/apps/v1"
v1 "k8s.io/api/core/v1"
kerrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
var logger = capnslog.NewPackageLogger("github.com/rook/rook", "op-cfg-keyring")
const (
keyKeyName = "key"
keyringFileName = "keyring"
)
// SecretStore is a helper to store Ceph daemon keyrings as Kubernetes secrets.
type SecretStore struct {
context *clusterd.Context
namespace string
ownerRef *metav1.OwnerReference
}
// GetSecretStore returns a new SecretStore struct.
func GetSecretStore(context *clusterd.Context, namespace string, ownerRef *metav1.OwnerReference) *SecretStore {
return &SecretStore{
context: context,
namespace: namespace,
ownerRef: ownerRef,
}
}
// GetSecretStoreForDeployment returns a new SecretStore struct owned by the provided Deployment.
func GetSecretStoreForDeployment(context *clusterd.Context, d *apps.Deployment) *SecretStore {
ownerRef := &metav1.OwnerReference{
UID: d.UID,
APIVersion: "v1",
Kind: "deployment",
Name: d.GetName(),
}
return &SecretStore{
context: context,
namespace: d.GetNamespace(),
ownerRef: ownerRef,
}
}
func keySecretName(resourceName string) string {
return resourceName + "-key" // all keys named by suffixing key to the resource name
}
func keyringSecretName(resourceName string) string {
return resourceName + "-keyring" // all keyrings named by suffixing keyring to the resource name
}
// GenerateKey generates a key for a Ceph user with the given access permissions. It returns the key
// generated on success. Ceph will always return the most up-to-date key for a daemon, and the key
// usually does not change.
func (k *SecretStore) GenerateKey(user string, access []string) (string, error) {
// get-or-create-key for the user account
key, err := client.AuthGetOrCreateKey(k.context, k.namespace, user, access)
if err != nil {
logger.Infof("Error getting or creating key for %q. "+
"Attempting to update capabilities in case the user already exists. %v", user, err)
uErr := client.AuthUpdateCaps(k.context, k.namespace, user, access)
if uErr != nil {
return "", errors.Wrapf(err, "failed to get, create, or update auth key for %s", user)
}
key, uErr = client.AuthGetKey(k.context, k.namespace, user)
if uErr != nil {
return "", errors.Wrapf(err, "failed to get key after updating existing auth capabilities for %s", user)
}
}
return key, nil
}
// CreateOrUpdate creates or updates the keyring secret for the resource with the keyring specified.
// WARNING: Do not use "rook-ceph-admin" as the resource name; conflicts with the AdminStore.
func (k *SecretStore) CreateOrUpdate(resourceName string, keyring string) error {
secret := &v1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: keyringSecretName(resourceName),
Namespace: k.namespace,
},
StringData: map[string]string{
keyringFileName: keyring,
},
Type: k8sutil.RookType,
}
k8sutil.SetOwnerRef(&secret.ObjectMeta, k.ownerRef)
return k.CreateSecret(secret)
}
// Delete deletes the keyring secret for the resource.
func (k *SecretStore) Delete(resourceName string) error {
secretName := keyringSecretName(resourceName)
err := k.context.Clientset.CoreV1().Secrets(k.namespace).Delete(secretName, &metav1.DeleteOptions{})
if err != nil && !kerrors.IsNotFound(err) {
logger.Warningf("failed to delete keyring secret for %q. user may need to delete the resource manually. %v", secretName, err)
}
return nil
}
// CreateSecret creates or update a kubernetes secret
func (k *SecretStore) CreateSecret(secret *v1.Secret) error {
secretName := secret.ObjectMeta.Name
_, err := k.context.Clientset.CoreV1().Secrets(k.namespace).Get(secretName, metav1.GetOptions{})
if err != nil {
if kerrors.IsNotFound(err) {
logger.Debugf("creating secret for %s", secretName)
if _, err := k.context.Clientset.CoreV1().Secrets(k.namespace).Create(secret); err != nil {
return errors.Wrapf(err, "failed to create secret for %s", secretName)
}
return nil
}
return errors.Wrapf(err, "failed to get secret for %s", secretName)
}
logger.Debugf("updating secret for %s", secretName)
if _, err := k.context.Clientset.CoreV1().Secrets(k.namespace).Update(secret); err != nil {
return errors.Wrapf(err, "failed to update secret for %s", secretName)
}
return nil
}