1
0
Fork 0
mirror of https://github.com/arangodb/kube-arangodb.git synced 2024-12-14 11:57:37 +00:00
kube-arangodb/pkg/deployment/reconcile/action_bootstrap_set_password.go

161 lines
4.6 KiB
Go

//
// DISCLAIMER
//
// Copyright 2016-2022 ArangoDB GmbH, Cologne, Germany
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
// Copyright holder is ArangoDB GmbH, Cologne, Germany
//
package reconcile
import (
"context"
"crypto/rand"
"encoding/hex"
"github.com/arangodb/go-driver"
api "github.com/arangodb/kube-arangodb/pkg/apis/deployment/v1"
"github.com/arangodb/kube-arangodb/pkg/util"
"github.com/arangodb/kube-arangodb/pkg/util/errors"
"github.com/arangodb/kube-arangodb/pkg/util/globals"
"github.com/arangodb/kube-arangodb/pkg/util/k8sutil"
)
func init() {
registerAction(api.ActionTypeBootstrapSetPassword, newBootstrapSetPasswordAction, defaultTimeout)
}
func newBootstrapSetPasswordAction(action api.Action, actionCtx ActionContext) Action {
a := &actionBootstrapSetPassword{}
a.actionImpl = newActionImplDefRef(action, actionCtx)
return a
}
type actionBootstrapSetPassword struct {
// actionImpl implement timeout and member id functions
actionImpl
actionEmptyCheckProgress
}
func (a actionBootstrapSetPassword) Start(ctx context.Context) (bool, error) {
spec := a.actionCtx.GetSpec()
if user, ok := a.action.GetParam("user"); !ok {
a.log.Warn("User param is not set in action")
return true, nil
} else {
if secret, ok := spec.Bootstrap.PasswordSecretNames[user]; !ok {
a.log.Warn("User does not exist in password hashes")
return true, nil
} else {
ctxChild, cancel := globals.GetGlobals().Timeouts().ArangoD().WithTimeout(ctx)
defer cancel()
if password, err := a.setUserPassword(ctxChild, user, secret.Get()); err != nil {
return false, err
} else {
passwordSha := util.SHA256FromString(password)
if err := a.actionCtx.WithStatusUpdate(ctx, func(s *api.DeploymentStatus) bool {
if s.SecretHashes == nil {
s.SecretHashes = &api.SecretHashes{}
}
if s.SecretHashes.Users == nil {
s.SecretHashes.Users = map[string]string{}
}
if u, ok := s.SecretHashes.Users[user]; !ok || u != passwordSha {
s.SecretHashes.Users[user] = passwordSha
return true
}
return false
}); err != nil {
return false, err
}
}
}
}
return true, nil
}
func (a actionBootstrapSetPassword) setUserPassword(ctx context.Context, user, secret string) (string, error) {
a.log.Debug("Bootstrapping user %s, secret %s", user, secret)
ctxChild, cancel := globals.GetGlobalTimeouts().ArangoD().WithTimeout(ctx)
defer cancel()
client, err := a.actionCtx.GetDatabaseClient(ctxChild)
if err != nil {
return "", errors.WithStack(err)
}
password, err := a.ensureUserPasswordSecret(ctx, user, secret)
if err != nil {
return "", errors.WithStack(err)
}
// Obtain the user
ctxChild, cancel = globals.GetGlobalTimeouts().ArangoD().WithTimeout(ctx)
defer cancel()
if u, err := client.User(ctxChild, user); err != nil {
if !driver.IsNotFound(err) {
return "", err
}
err = globals.GetGlobalTimeouts().ArangoD().RunWithTimeout(ctx, func(ctxChild context.Context) error {
_, err := client.CreateUser(ctxChild, user, &driver.UserOptions{Password: password})
return err
})
return password, errors.WithStack(err)
} else {
err = globals.GetGlobalTimeouts().ArangoD().RunWithTimeout(ctx, func(ctxChild context.Context) error {
return u.Update(ctxChild, driver.UserOptions{
Password: password,
})
})
return password, errors.WithStack(err)
}
}
func (a actionBootstrapSetPassword) ensureUserPasswordSecret(ctx context.Context, user, secret string) (string, error) {
if auth, ok := a.actionCtx.ACS().CurrentClusterCache().Secret().V1().GetSimple(secret); !ok {
// Create new one
tokenData := make([]byte, 32)
if _, err := rand.Read(tokenData); err != nil {
return "", err
}
token := hex.EncodeToString(tokenData)
owner := a.actionCtx.GetAPIObject().AsOwner()
err := k8sutil.CreateBasicAuthSecret(ctx, a.actionCtx.ACS().CurrentClusterCache().SecretsModInterface().V1(), secret, user, token, &owner)
if err != nil {
return "", err
}
return token, nil
} else {
_, pass, err := k8sutil.GetSecretAuthCredentials(auth)
if err == nil {
return pass, nil
}
return "", errors.Newf("invalid secret format in secret %s", secret)
}
}