mirror of
https://github.com/arangodb/kube-arangodb.git
synced 2024-12-14 11:57:37 +00:00
161 lines
4.6 KiB
Go
161 lines
4.6 KiB
Go
//
|
|
// DISCLAIMER
|
|
//
|
|
// Copyright 2016-2022 ArangoDB GmbH, Cologne, Germany
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
//
|
|
// Copyright holder is ArangoDB GmbH, Cologne, Germany
|
|
//
|
|
|
|
package reconcile
|
|
|
|
import (
|
|
"context"
|
|
"crypto/rand"
|
|
"encoding/hex"
|
|
|
|
"github.com/arangodb/go-driver"
|
|
|
|
api "github.com/arangodb/kube-arangodb/pkg/apis/deployment/v1"
|
|
"github.com/arangodb/kube-arangodb/pkg/util"
|
|
"github.com/arangodb/kube-arangodb/pkg/util/errors"
|
|
"github.com/arangodb/kube-arangodb/pkg/util/globals"
|
|
"github.com/arangodb/kube-arangodb/pkg/util/k8sutil"
|
|
)
|
|
|
|
func init() {
|
|
registerAction(api.ActionTypeBootstrapSetPassword, newBootstrapSetPasswordAction, defaultTimeout)
|
|
}
|
|
|
|
func newBootstrapSetPasswordAction(action api.Action, actionCtx ActionContext) Action {
|
|
a := &actionBootstrapSetPassword{}
|
|
|
|
a.actionImpl = newActionImplDefRef(action, actionCtx)
|
|
|
|
return a
|
|
}
|
|
|
|
type actionBootstrapSetPassword struct {
|
|
// actionImpl implement timeout and member id functions
|
|
actionImpl
|
|
|
|
actionEmptyCheckProgress
|
|
}
|
|
|
|
func (a actionBootstrapSetPassword) Start(ctx context.Context) (bool, error) {
|
|
spec := a.actionCtx.GetSpec()
|
|
|
|
if user, ok := a.action.GetParam("user"); !ok {
|
|
a.log.Warn("User param is not set in action")
|
|
return true, nil
|
|
} else {
|
|
if secret, ok := spec.Bootstrap.PasswordSecretNames[user]; !ok {
|
|
a.log.Warn("User does not exist in password hashes")
|
|
return true, nil
|
|
} else {
|
|
ctxChild, cancel := globals.GetGlobals().Timeouts().ArangoD().WithTimeout(ctx)
|
|
defer cancel()
|
|
|
|
if password, err := a.setUserPassword(ctxChild, user, secret.Get()); err != nil {
|
|
return false, err
|
|
} else {
|
|
passwordSha := util.SHA256FromString(password)
|
|
|
|
if err := a.actionCtx.WithStatusUpdate(ctx, func(s *api.DeploymentStatus) bool {
|
|
if s.SecretHashes == nil {
|
|
s.SecretHashes = &api.SecretHashes{}
|
|
}
|
|
|
|
if s.SecretHashes.Users == nil {
|
|
s.SecretHashes.Users = map[string]string{}
|
|
}
|
|
|
|
if u, ok := s.SecretHashes.Users[user]; !ok || u != passwordSha {
|
|
s.SecretHashes.Users[user] = passwordSha
|
|
return true
|
|
}
|
|
return false
|
|
}); err != nil {
|
|
return false, err
|
|
}
|
|
}
|
|
}
|
|
}
|
|
return true, nil
|
|
}
|
|
|
|
func (a actionBootstrapSetPassword) setUserPassword(ctx context.Context, user, secret string) (string, error) {
|
|
a.log.Debug("Bootstrapping user %s, secret %s", user, secret)
|
|
|
|
ctxChild, cancel := globals.GetGlobalTimeouts().ArangoD().WithTimeout(ctx)
|
|
defer cancel()
|
|
client, err := a.actionCtx.GetDatabaseClient(ctxChild)
|
|
if err != nil {
|
|
return "", errors.WithStack(err)
|
|
}
|
|
|
|
password, err := a.ensureUserPasswordSecret(ctx, user, secret)
|
|
if err != nil {
|
|
return "", errors.WithStack(err)
|
|
}
|
|
|
|
// Obtain the user
|
|
ctxChild, cancel = globals.GetGlobalTimeouts().ArangoD().WithTimeout(ctx)
|
|
defer cancel()
|
|
if u, err := client.User(ctxChild, user); err != nil {
|
|
if !driver.IsNotFound(err) {
|
|
return "", err
|
|
}
|
|
|
|
err = globals.GetGlobalTimeouts().ArangoD().RunWithTimeout(ctx, func(ctxChild context.Context) error {
|
|
_, err := client.CreateUser(ctxChild, user, &driver.UserOptions{Password: password})
|
|
return err
|
|
})
|
|
|
|
return password, errors.WithStack(err)
|
|
} else {
|
|
err = globals.GetGlobalTimeouts().ArangoD().RunWithTimeout(ctx, func(ctxChild context.Context) error {
|
|
return u.Update(ctxChild, driver.UserOptions{
|
|
Password: password,
|
|
})
|
|
})
|
|
|
|
return password, errors.WithStack(err)
|
|
}
|
|
}
|
|
|
|
func (a actionBootstrapSetPassword) ensureUserPasswordSecret(ctx context.Context, user, secret string) (string, error) {
|
|
if auth, ok := a.actionCtx.ACS().CurrentClusterCache().Secret().V1().GetSimple(secret); !ok {
|
|
// Create new one
|
|
tokenData := make([]byte, 32)
|
|
if _, err := rand.Read(tokenData); err != nil {
|
|
return "", err
|
|
}
|
|
token := hex.EncodeToString(tokenData)
|
|
owner := a.actionCtx.GetAPIObject().AsOwner()
|
|
|
|
err := k8sutil.CreateBasicAuthSecret(ctx, a.actionCtx.ACS().CurrentClusterCache().SecretsModInterface().V1(), secret, user, token, &owner)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
return token, nil
|
|
} else {
|
|
_, pass, err := k8sutil.GetSecretAuthCredentials(auth)
|
|
if err == nil {
|
|
return pass, nil
|
|
}
|
|
return "", errors.Newf("invalid secret format in secret %s", secret)
|
|
}
|
|
}
|