refactor

spotify · May 2, 2017 · 379e3d8 · 379e3d8
1 parent b7aa94a
commit 379e3d8
Showing 1 changed file with 57 additions and 8 deletions.
diff --git a/styx-scheduler-service/src/main/java/com/spotify/styx/docker/KubernetesDockerRunner.java b/styx-scheduler-service/src/main/java/com/spotify/styx/docker/KubernetesDockerRunner.java
@@ -178,17 +178,66 @@ private void ensureServiceAccountKeySecret(WorkflowInstance workflowInstance, Ru
       LOG.info("[AUDIT] Workflow {} refers to secret {} of {}", workflowInstance.workflowId(),
           secretName, serviceAccount);
 
-      final Secret secret = client.secrets().withName(secretName).get();
-
-      if (secret != null && isValidServiceAccountKeySecret(workflowInstance, serviceAccount, secretName, secret)) {
-        return;
+      // Create service account keys and secret if necessary
+      if (!validServiceAccountKeySecretExists(workflowInstance, serviceAccount, secretName)) {
+        createServiceAccountKeySecret(serviceAccount, secretName);
+        LOG.info("[AUDIT] Secret {} created for {} referred to by workflow {}",
+            secretName, serviceAccount, workflowInstance.workflowId());
       }
+    });
+  }
 
-      createServiceAccountKeySecret(serviceAccount, secretName);
+  private boolean validServiceAccountKeySecretExists(WorkflowInstance workflowInstance, String serviceAccount,
+      String secretName) {
 
-      LOG.info("[AUDIT] Secret {} created for {} referred to by workflow {}",
-          secretName, serviceAccount, workflowInstance.workflowId());
-    });
+    final Secret secret = client.secrets().withName(secretName).get();
+
+    if (secret == null) {
+      return false;
+    }
+
+    final Map<String, String> annotations = secret.getMetadata().getAnnotations();
+    final Map<String, String> data = secret.getData();
+    final String storedServiceAccount = annotations.get(STYX_WORKFLOW_SA_SECRET_ANNOTATION);
+    if (!storedServiceAccount.equals(serviceAccount)) {
+      LOG.error("[AUDIT] Workflow service account secret name annotation mismatch for workflow {} "
+              + "on secret {}, expected {} got {}",
+          workflowInstance.workflowId(), secretName, serviceAccount, storedServiceAccount);
+      throw new RuntimeException("Service account key name annotation mismatch");
+    }
+
+    final String jsonKeyJson = data.get(STYX_WORKFLOW_SA_JSON_KEY);
+    final String p12KeyJson = data.get(STYX_WORKFLOW_SA_P12_KEY);
+    if (jsonKeyJson == null || p12KeyJson == null) {
+      return false;
+    }
+
+    final ServiceAccountKey jsonKey;
+    final ServiceAccountKey p12Key;
+    try {
+      jsonKey = Json.OBJECT_MAPPER.readValue(jsonKeyJson, ServiceAccountKey.class);
+      p12Key = Json.OBJECT_MAPPER.readValue(jsonKeyJson, ServiceAccountKey.class);
+    } catch (IOException e) {
+      LOG.error("[AUDIT] Failed to deserialize service account keys for workflow {}",
+          workflowInstance.workflowId(), e);
+      return false;
+    }
+
+    final boolean keysExist;
+    try {
+      keysExist = serviceAccountKeyManager.keyExists(serviceAccount, jsonKey.getName())
+          && serviceAccountKeyManager.keyExists(serviceAccount, p12Key.getName());
+    } catch (IOException e) {
+      throw new RuntimeException(e);
+    }
+
+    if (!keysExist) {
+      LOG.warn("[AUDIT] One or more service account keys have been deleted for {}",
+          serviceAccount);
+      return false;
+    }
+
+    return true;
   }
 
   private void createServiceAccountKeySecret(String serviceAccount, String secretName) {