/
secret.go
159 lines (142 loc) · 4.38 KB
/
secret.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
// Copyright (c) 2021 Terminus, Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package k8s
import (
"encoding/base64"
"encoding/json"
"fmt"
"strings"
apiv1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"github.com/erda-project/erda/apistructs"
"github.com/erda-project/erda/pkg/strutil"
)
// NewImageSecret create new image pull secret
// 1, create imagePullSecret of this namespace
// 2, put this secret into serviceaccount of the namespace
func (k *Kubernetes) NewImageSecret(namespace string) error {
// When the cluster is initialized, a secret to pull the mirror will be created in the default namespace
s, err := k.secret.Get("default", AliyunRegistry)
if err != nil {
return err
}
mysecret := &apiv1.Secret{
TypeMeta: metav1.TypeMeta{
APIVersion: "v1",
Kind: "Secret",
},
ObjectMeta: metav1.ObjectMeta{
Name: s.Name,
Namespace: namespace,
},
Data: s.Data,
StringData: s.StringData,
Type: s.Type,
}
if err := k.secret.Create(mysecret); err != nil {
return err
}
return k.updateDefaultServiceAccountForImageSecret(namespace, s.Name)
}
// NewImageSecret create mew image pull secret
// 1, create imagePullSecret of this namespace
// 2, Add the secret of the image that needs to be authenticated to the secret of the namespace
// 3, put this secret into serviceaccount of the namespace
func (k *Kubernetes) NewRuntimeImageSecret(namespace string, sg *apistructs.ServiceGroup) error {
// When the cluster is initialized, a secret to pull the mirror will be created in the default namespace
s, err := k.secret.Get("default", AliyunRegistry)
if err != nil {
return err
}
var dockerConfigJson apistructs.RegistryAuthJson
if err := json.Unmarshal(s.Data[".dockerconfigjson"], &dockerConfigJson); err != nil {
return err
}
//Append the runtime secret with the username and password to the secret
for _, service := range sg.Services {
if service.ImageUsername != "" {
u := strings.Split(service.Image, "/")[0]
authString := base64.StdEncoding.EncodeToString([]byte(service.ImageUsername + ":" + service.ImagePassword))
dockerConfigJson.Auths[u] = apistructs.RegistryUserInfo{Auth: authString}
}
}
var sData []byte
if sData, err = json.Marshal(dockerConfigJson); err != nil {
return err
}
mysecret := &apiv1.Secret{
TypeMeta: metav1.TypeMeta{
APIVersion: "v1",
Kind: "Secret",
},
ObjectMeta: metav1.ObjectMeta{
Name: s.Name,
Namespace: namespace,
},
Data: map[string][]byte{".dockerconfigjson": sData},
Type: s.Type,
}
if err := k.secret.Create(mysecret); err != nil {
return err
}
return k.updateDefaultServiceAccountForImageSecret(namespace, s.Name)
}
// CopyErdaSecrets Copy the secret under orignns namespace to dstns
func (k *Kubernetes) CopyErdaSecrets(originns, dstns string) ([]apiv1.Secret, error) {
secrets, err := k.secret.List(originns)
if err != nil {
return nil, err
}
result := []apiv1.Secret{}
for _, secret := range secrets.Items {
// ignore default token
if !strutil.HasPrefixes(secret.Name, "dice-") {
continue
}
dstsecret := &apiv1.Secret{
TypeMeta: metav1.TypeMeta{
APIVersion: "v1",
Kind: "Secret",
},
ObjectMeta: metav1.ObjectMeta{
Name: secret.Name,
Namespace: dstns,
},
Data: secret.Data,
StringData: secret.StringData,
Type: secret.Type,
}
if err := k.secret.CreateIfNotExist(dstsecret); err != nil {
return nil, err
}
result = append(result, secret)
}
return result, nil
}
// SecretVolume
func (k *Kubernetes) SecretVolume(secret *apiv1.Secret) (apiv1.Volume, apiv1.VolumeMount) {
return apiv1.Volume{
Name: secret.Name,
VolumeSource: apiv1.VolumeSource{
Secret: &apiv1.SecretVolumeSource{
SecretName: secret.Name,
},
},
},
apiv1.VolumeMount{
Name: secret.Name,
MountPath: fmt.Sprintf("/%s", secret.Name),
ReadOnly: true,
}
}