package kube
import (
"context"
"fmt"
"github.com/aquasecurity/starboard/pkg/docker"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"sigs.k8s.io/controller-runtime/pkg/client"
)
// NewImagePullSecret constructs a new image pull Secret with the specified
// registry server and basic authentication credentials.
//
// The returned Secret has Type corev1.SecretTypeDockerConfigJson and a single
// Data entry under corev1.DockerConfigJsonKey holding the serialized
// docker.Config for server. That payload embeds username and password (and
// their basic-auth encoding from docker.NewBasicAuth), so the Secret carries
// registry credentials in the clear and needs the same protection as any
// other credential. A failure to serialize the Docker config is returned
// unchanged.
func NewImagePullSecret(meta metav1.ObjectMeta, server, username, password string) (*corev1.Secret, error) {
	cfg := docker.Config{
		Auths: map[string]docker.Auth{
			server: {
				Username: username,
				Password: password,
				Auth:     docker.NewBasicAuth(username, password),
			},
		},
	}
	payload, err := cfg.Write()
	if err != nil {
		return nil, err
	}
	data := map[string][]byte{corev1.DockerConfigJsonKey: payload}
	secret := &corev1.Secret{
		ObjectMeta: meta,
		Type:       corev1.SecretTypeDockerConfigJson,
		Data:       data,
	}
	return secret, nil
}
// MapContainerNamesToDockerAuths creates the mapping from a container name to the Docker authentication
// credentials for the specified kube.ContainerImages and image pull Secrets.
//
// The Secrets are first indexed by registry server via
// MapDockerRegistryServersToAuths; each container's image reference is then
// resolved to its registry server with docker.GetServerFromImageRef and looked
// up in that index. Containers whose registry has no matching credentials are
// simply absent from the result, so callers must treat a missing key as
// "no credentials" rather than as an error. Any failure to parse a Secret or
// an image reference aborts the whole mapping and is returned unchanged.
func MapContainerNamesToDockerAuths(images ContainerImages, secrets []corev1.Secret) (map[string]docker.Auth, error) {
	byServer, err := MapDockerRegistryServersToAuths(secrets)
	if err != nil {
		return nil, err
	}
	result := make(map[string]docker.Auth)
	for name, ref := range images {
		registry, refErr := docker.GetServerFromImageRef(ref)
		if refErr != nil {
			return nil, refErr
		}
		auth, found := byServer[registry]
		if !found {
			continue
		}
		result[name] = auth
	}
	return result, nil
}
// MapDockerRegistryServersToAuths creates the mapping from a Docker registry server
// to the Docker authentication credentials for the specified slice of image pull Secrets.
//
// For each Secret the payload stored under corev1.DockerConfigJsonKey is
// parsed as a docker.Config, and every auth key in it is normalized to a
// registry server with docker.GetServerFromDockerAuthKey. Secrets are
// processed in slice order and colliding servers are overwritten, so when two
// Secrets hold credentials for the same registry the later Secret wins. A
// Secret lacking the key hands a nil payload to docker.Config.Read; whether
// that is an error is up to Read. The first parse error aborts the call.
func MapDockerRegistryServersToAuths(imagePullSecrets []corev1.Secret) (map[string]docker.Auth, error) {
	byServer := make(map[string]docker.Auth)
	for i := range imagePullSecrets {
		var cfg docker.Config
		if err := cfg.Read(imagePullSecrets[i].Data[corev1.DockerConfigJsonKey]); err != nil {
			return nil, err
		}
		for key, auth := range cfg.Auths {
			registry, err := docker.GetServerFromDockerAuthKey(key)
			if err != nil {
				return nil, err
			}
			byServer[registry] = auth
		}
	}
	return byServer, nil
}
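// AggregateImagePullSecretsData flattens per-container registry credentials
// into Secret data keyed by container name.
//
// For every container in images that has an entry in credentials (a map
// keyed by container name, as produced by MapContainerNamesToDockerAuths) two
// entries are written: "<container>.username" and "<container>.password",
// holding the respective docker.Auth fields as bytes. Containers without
// credentials are skipped. The result is intended to be stored as Secret
// data; it holds registry passwords in plaintext.
func AggregateImagePullSecretsData(images ContainerImages, credentials map[string]docker.Auth) map[string][]byte {
	// Two entries per matched container; sizing by credentials is an upper bound.
	data := make(map[string][]byte, 2*len(credentials))
	for name := range images {
		auth, ok := credentials[name]
		if !ok {
			continue
		}
		// Plain concatenation yields exactly the keys fmt.Sprintf("%s.username",
		// name) produced, without the formatting overhead.
		data[name+".username"] = []byte(auth.Username)
		data[name+".password"] = []byte(auth.Password)
	}
	return data
}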
const (
	// serviceAccountDefault is the service account name used by
	// ListImagePullSecretsByPodSpec when a PodSpec leaves ServiceAccountName
	// empty; Kubernetes assigns such Pods the namespace's "default" account.
	serviceAccountDefault = "default"
)
// SecretsReader defines methods for reading Secrets.
type SecretsReader interface {
	// ListByLocalObjectReferences returns the Secrets named by refs in
	// namespace ns, one per reference and in the given order.
	ListByLocalObjectReferences(ctx context.Context, refs []corev1.LocalObjectReference, ns string) ([]corev1.Secret, error)
	// ListByServiceAccount returns the image pull Secrets referenced by the
	// named service account in namespace ns.
	ListByServiceAccount(ctx context.Context, name string, ns string) ([]corev1.Secret, error)
	// ListImagePullSecretsByPodSpec returns the image pull Secrets referenced
	// directly by spec followed by those of its service account (or the
	// default service account when spec names none), all in namespace ns.
	ListImagePullSecretsByPodSpec(ctx context.Context, spec corev1.PodSpec, ns string) ([]corev1.Secret, error)
}
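// NewSecretsReader constructs a new SecretsReader which is using the client
// package provided by the controller-runtime libraries for interacting with
// the Kubernetes API server.
//
// Every read the returned reader performs goes through c, so c's identity and
// RBAC permissions (get on Secrets and ServiceAccounts) bound what it can see.
func NewSecretsReader(c client.Client) SecretsReader {
	// The parameter is c rather than client so it does not shadow the imported
	// controller-runtime client package within this function.
	return &secretsReader{client: c}
}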
// secretsReader is the controller-runtime backed implementation of
// SecretsReader; it is constructed by NewSecretsReader.
type secretsReader struct {
	// client performs all Get calls against the Kubernetes API server.
	client client.Client
}
// ListByLocalObjectReferences fetches the Secret behind each reference in refs
// from namespace ns, preserving the order of refs.
//
// The result is never nil (an empty slice for no refs) and holds one Secret
// per reference, duplicates included. The first Get failure — which includes
// a reference to a Secret that does not exist — aborts the whole call and is
// returned wrapped with the namespace and Secret name, so the client's RBAC
// must allow get on Secrets in ns.
func (r *secretsReader) ListByLocalObjectReferences(ctx context.Context, refs []corev1.LocalObjectReference, ns string) ([]corev1.Secret, error) {
	out := make([]corev1.Secret, 0, len(refs))
	for i := range refs {
		key := client.ObjectKey{Name: refs[i].Name, Namespace: ns}
		var s corev1.Secret
		if err := r.client.Get(ctx, key, &s); err != nil {
			return nil, fmt.Errorf("getting secret by name: %s/%s: %w", ns, refs[i].Name, err)
		}
		out = append(out, s)
	}
	return out, nil
}
// ListByServiceAccount fetches the ServiceAccount name in namespace ns and
// returns the Secrets listed in its ImagePullSecrets.
//
// Failure to get the ServiceAccount is returned wrapped with the namespace
// and name; errors from resolving the referenced Secrets come from
// ListByLocalObjectReferences unchanged.
func (r *secretsReader) ListByServiceAccount(ctx context.Context, name string, ns string) ([]corev1.Secret, error) {
	var account corev1.ServiceAccount
	key := client.ObjectKey{Name: name, Namespace: ns}
	if err := r.client.Get(ctx, key, &account); err != nil {
		return nil, fmt.Errorf("getting service account by name: %s/%s: %w", ns, name, err)
	}
	return r.ListByLocalObjectReferences(ctx, account.ImagePullSecrets, ns)
}
// ListImagePullSecretsByPodSpec returns the image pull Secrets a Pod with the
// given spec can use in namespace ns: those named in spec.ImagePullSecrets,
// followed by those of its service account (serviceAccountDefault when
// spec.ServiceAccountName is empty).
//
// No de-duplication is performed, so a Secret referenced by both the Pod and
// the service account appears twice. Because MapDockerRegistryServersToAuths
// overwrites on collision in slice order, service-account credentials for a
// registry take precedence over Pod-level ones when both are present — worth
// keeping in mind if that precedence is not the intended one. A failure to
// read the service account, including the default one, fails the whole call.
func (r *secretsReader) ListImagePullSecretsByPodSpec(ctx context.Context, spec corev1.PodSpec, ns string) ([]corev1.Secret, error) {
	fromPod, err := r.ListByLocalObjectReferences(ctx, spec.ImagePullSecrets, ns)
	if err != nil {
		return nil, err
	}
	saName := serviceAccountDefault
	if spec.ServiceAccountName != "" {
		saName = spec.ServiceAccountName
	}
	fromSA, err := r.ListByServiceAccount(ctx, saName, ns)
	if err != nil {
		return nil, err
	}
	return append(fromPod, fromSA...), nil
}