package client
import (
"context"
"fmt"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"github.com/skupperproject/skupper/api/types"
"github.com/skupperproject/skupper/pkg/kube"
"github.com/skupperproject/skupper/pkg/kube/resolver"
)
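// appendRouterIngressHost appends the router ingress host taken from the site
// configuration to cred.Hosts and reports whether a host was added.
//
// The lookup is best-effort: false is returned both when the site
// configuration cannot be read and when no router ingress host is set, so a
// caller cannot tell the two apart. Callers that build certificate
// credentials from cred should treat false as "host not covered" rather than
// as proof that no ingress host exists.
//
// NOTE(review): the lookup uses context.TODO() because the signature carries
// no context; it therefore cannot be cancelled by the caller.
func (cli *VanClient) appendRouterIngressHost(cred *types.Credential) bool {
	config, err := cli.SiteConfigInspect(context.TODO(), nil)
	if err != nil || config == nil {
		// regenerateSiteSecret in this file handles a nil site config
		// returned together with a nil error; guard the same case here
		// instead of dereferencing a nil pointer.
		return false
	}
	host := config.Spec.GetRouterIngressHost()
	if host == "" {
		return false
	}
	cred.Hosts = append(cred.Hosts, host)
	return true
}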
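// appendControllerIngressHost appends the controller ingress host taken from
// the site configuration to cred.Hosts and reports whether a host was added.
//
// The lookup is best-effort: false is returned both when the site
// configuration cannot be read and when no controller ingress host is set, so
// a caller cannot tell the two apart. Callers that build certificate
// credentials from cred should treat false as "host not covered" rather than
// as proof that no ingress host exists.
//
// NOTE(review): the lookup uses context.TODO() because the signature carries
// no context; it therefore cannot be cancelled by the caller.
func (cli *VanClient) appendControllerIngressHost(cred *types.Credential) bool {
	config, err := cli.SiteConfigInspect(context.TODO(), nil)
	if err != nil || config == nil {
		// regenerateSiteSecret in this file handles a nil site config
		// returned together with a nil error; guard the same case here
		// instead of dereferencing a nil pointer.
		return false
	}
	host := config.Spec.GetControllerIngressHost()
	if host == "" {
		return false
	}
	cred.Hosts = append(cred.Hosts, host)
	return true
}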
// regenerateSiteSecret regenerates the site server credential
// (types.SiteServerSecret) in namespace from the supplied CA secret and then
// restarts the router.
//
// The credential's host list starts with the transport service name
// qualified by namespace, followed by every host the resolver reports for the
// site. An error is returned when the site configuration cannot be read, when
// no site exists in namespace, or when any later step fails.
//
// The steps are not transactional: if the credential is regenerated but the
// router restart fails, the new secret stays in place and the error from the
// restart is returned.
func (cli *VanClient) regenerateSiteSecret(ctx context.Context, ca *corev1.Secret, namespace string) error {
	siteconfig, err := cli.SiteConfigInspectInNamespace(ctx, nil, namespace)
	switch {
	case err != nil:
		return err
	case siteconfig == nil:
		return fmt.Errorf("No site found in %s", namespace)
	}

	hostResolver, err := resolver.NewResolver(cli, namespace, &siteconfig.Spec)
	if err != nil {
		return err
	}
	resolved, err := hostResolver.GetAllHosts()
	if err != nil {
		return err
	}

	// The in-cluster service name always comes first; resolved hosts follow.
	cred := types.Credential{
		Name:    types.SiteServerSecret,
		Subject: types.TransportServiceName,
		Hosts:   append([]string{types.TransportServiceName + "." + namespace}, resolved...),
	}
	if _, err := kube.RegenerateCredentials(cred, namespace, ca, cli.KubeClient); err != nil {
		return err
	}

	// The router is restarted after the secret changes; presumably this is
	// what makes it load the regenerated credential (confirm in restartRouter).
	return cli.restartRouter(namespace)
}
// RevokeAccess revokes access previously granted to this site. It runs three
// steps in order and stops at the first error:
//
//  1. delete every secret in the client's namespace labelled
//     skupper.io/type=token-claim-record;
//  2. regenerate the site certificate authority (types.SiteCaSecret);
//  3. regenerate the site server credential from the new CA and restart the
//     router (see regenerateSiteSecret).
//
// The sequence is not atomic. If a claim record cannot be deleted, the
// function returns before the CA is regenerated, so a non-nil error means
// revocation may be only partly applied; operators should verify the state of
// the claim records and the CA secret, then re-run, before assuming access
// has been cut off.
func (cli *VanClient) RevokeAccess(ctx context.Context) error {
	secrets := cli.KubeClient.CoreV1().Secrets(cli.Namespace)

	claimRecords, err := secrets.List(ctx, metav1.ListOptions{LabelSelector: "skupper.io/type=token-claim-record"})
	if err != nil {
		return err
	}
	for i := range claimRecords.Items {
		name := claimRecords.Items[i].Name
		if err := secrets.Delete(ctx, name, metav1.DeleteOptions{}); err != nil {
			return err
		}
	}

	// Replace the site CA only after the claim records are gone, then rebuild
	// the server credential from the new CA.
	ca, err := kube.RegenerateCertAuthority(types.SiteCaSecret, cli.Namespace, cli.KubeClient)
	if err != nil {
		return err
	}
	return cli.regenerateSiteSecret(ctx, ca, cli.Namespace)
}