Read secrets for onboarding-token validation

Signed-off-by: mrudraia <mrudraia@redhat.com> Signed-off-by: mrudraia <mrudraia@redhat.com> Signed-off-by: mrudraia <mrudraia@redhat.com> Signed-off-by: mrudraia <mrudraia@redhat.com> Signed-off-by: mrudraia <mrudraia@redhat.com> Signed-off-by: mrudraia <mrudraia@redhat.com> Signed-off-by: mrudraia <mrudraia@redhat.com> Signed-off-by: mrudraia <mrudraia@redhat.com> Signed-off-by: mrudraia <mrudraia@redhat.com> Signed-off-by: mrudraia <mrudraia@redhat.com> Signed-off-by: mrudraia <mrudraia@redhat.com> Signed-off-by: mrudraia <mrudraia@redhat.com> Signed-off-by: mrudraia <mrudraia@redhat.com> Signed-off-by: mrudraia <mrudraia@redhat.com> Signed-off-by: mrudraia <mrudraia@redhat.com> Signed-off-by: mrudraia <mrudraia@redhat.com> Signed-off-by: mrudraia <mrudraia@redhat.com>
red-hat-storage · Aug 7, 2024 · c72f700 · c72f700
1 parent 138508b
commit c72f700
Show file tree

Hide file tree

Showing 5 changed files with 36 additions and 35 deletions.
diff --git a/controllers/storagecluster/storageclient.go b/controllers/storagecluster/storageclient.go
@@ -12,8 +12,7 @@ import (
 )
 
 const (
-	tokenLifetimeInHours         = 48
-	onboardingPrivateKeyFilePath = "/etc/private-key/key"
+	tokenLifetimeInHours = 48
 )
 
 type storageClient struct{}
@@ -31,7 +30,7 @@ func (s *storageClient) ensureCreated(r *StorageClusterReconciler, storagecluste
 	storageClient.Name = storagecluster.Name
 	_, err := controllerutil.CreateOrUpdate(r.ctx, r.Client, storageClient, func() error {
 		if storageClient.Status.ConsumerID == "" {
-			token, err := util.GenerateOnboardingToken(tokenLifetimeInHours, onboardingPrivateKeyFilePath, nil)
+			token, err := util.GenerateOnboardingToken(tokenLifetimeInHours, r.Client, nil)
 			if err != nil {
 				return fmt.Errorf("unable to generate onboarding token: %v", err)
 			}

diff --git a/controllers/util/provider.go b/controllers/util/provider.go
@@ -1,6 +1,7 @@
 package util
 
 import (
+	"context"
 	"crypto"
 	"crypto/rand"
 	"crypto/rsa"
@@ -10,17 +11,26 @@ import (
 	"encoding/json"
 	"encoding/pem"
 	"fmt"
-	"os"
 	"time"
 
 	"github.com/google/uuid"
 	"github.com/red-hat-storage/ocs-operator/v4/services"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/klog/v2"
+
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+const (
+	// Name of existing private key which is used ocs-operator
+	onboardingValidationPrivateKeySecretName = "onboarding-private-key"
 )
 
 // GenerateOnboardingToken generates a token valid for a duration of "tokenLifetimeInHours".
 // The token content is predefined and signed by the private key which'll be read from supplied "privateKeyPath".
 // The storageQuotaInGiB is optional, and it is used to limit the storage of PVC in the application cluster.
-func GenerateOnboardingToken(tokenLifetimeInHours int, privateKeyPath string, storageQuotaInGiB *uint) (string, error) {
+func GenerateOnboardingToken(tokenLifetimeInHours int, cl client.Client, storageQuotaInGiB *uint) (string, error) {
 	tokenExpirationDate := time.Now().
 		Add(time.Duration(tokenLifetimeInHours) * time.Hour).
 		Unix()
@@ -46,9 +56,9 @@ func GenerateOnboardingToken(tokenLifetimeInHours int, privateKeyPath string, st
 		return "", fmt.Errorf("failed to hash onboarding token payload: %v", err)
 	}
 
-	privateKey, err := readAndDecodePrivateKey(privateKeyPath)
+	privateKey, err := DecodePemKey(cl)
 	if err != nil {
-		return "", fmt.Errorf("failed to read and decode private key: %v", err)
+		return "", fmt.Errorf("failed to decode the private key: %v", err)
 	}
 
 	msgHashSum := msgHash.Sum(nil)
@@ -64,16 +74,28 @@ func GenerateOnboardingToken(tokenLifetimeInHours int, privateKeyPath string, st
 	return fmt.Sprintf("%s.%s", encodedPayload, encodedSignature), nil
 }
 
-func readAndDecodePrivateKey(privateKeyPath string) (*rsa.PrivateKey, error) {
-	pemString, err := os.ReadFile(privateKeyPath)
+func DecodePemKey(cl client.Client) (*rsa.PrivateKey, error) {
+	klog.Info("Decoding the Pem key")
+	ctx := context.Background()
+	operatorNamespace, err := GetOperatorNamespace()
+	if err != nil {
+		return nil, fmt.Errorf("unable to get operator namespace: %v", err)
+	}
+
+	privateSecret := &corev1.Secret{}
+	privateSecret.Name = onboardingValidationPrivateKeySecretName
+	privateSecret.Namespace = operatorNamespace
+
+	err = cl.Get(ctx, types.NamespacedName{Name: onboardingValidationPrivateKeySecretName, Namespace: operatorNamespace}, privateSecret)
 	if err != nil {
-		return nil, fmt.Errorf("failed to read private key: %v", err)
+		return nil, fmt.Errorf("failed to get private secret: %v", err)
 	}
 
-	Block, _ := pem.Decode(pemString)
+	Block, _ := pem.Decode(privateSecret.Data["key"])
 	privateKey, err := x509.ParsePKCS1PrivateKey(Block.Bytes)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse private key: %v", err)
 	}
+
 	return privateKey, nil
 }
diff --git a/deploy/ocs-operator/manifests/ocs-operator.clusterserviceversion.yaml b/deploy/ocs-operator/manifests/ocs-operator.clusterserviceversion.yaml
@@ -717,8 +717,6 @@ spec:
                   readOnlyRootFilesystem: true
                   runAsNonRoot: true
                 volumeMounts:
-                - mountPath: /etc/private-key
-                  name: onboarding-private-key
                 - mountPath: /etc/tls/private
                   name: ux-cert-secret
               - args:
@@ -754,10 +752,6 @@ spec:
                 operator: Equal
                 value: "true"
               volumes:
-              - name: onboarding-private-key
-                secret:
-                  optional: true
-                  secretName: onboarding-private-key
               - name: ux-proxy-secret
                 secret:
                   secretName: ux-backend-proxy

diff --git a/services/ux-backend/handlers/onboardingtokens/handler.go b/services/ux-backend/handlers/onboardingtokens/handler.go
@@ -10,10 +10,7 @@ import (
 	"github.com/red-hat-storage/ocs-operator/v4/services/ux-backend/handlers"
 	"k8s.io/klog/v2"
 	"k8s.io/utils/ptr"
-)
-
-const (
-	onboardingPrivateKeyFilePath = "/etc/private-key/key"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
 var unitToGib = map[string]uint{
@@ -36,6 +33,8 @@ func handlePost(w http.ResponseWriter, r *http.Request, tokenLifetimeInHours int
 	// When ContentLength is 0 that means request body is empty and
 	// storage quota is unlimited
 	var err error
+	var cl client.Client
+
 	if r.ContentLength != 0 {
 		var quota = struct {
 			Value uint   `json:"value"`
@@ -57,7 +56,7 @@ func handlePost(w http.ResponseWriter, r *http.Request, tokenLifetimeInHours int
 		}
 		storageQuotaInGiB = ptr.To(unitAsGiB * quota.Value)
 	}
-	if onboardingToken, err := util.GenerateOnboardingToken(tokenLifetimeInHours, onboardingPrivateKeyFilePath, storageQuotaInGiB); err != nil {
+	if onboardingToken, err := util.GenerateOnboardingToken(tokenLifetimeInHours, cl, storageQuotaInGiB); err != nil {
 		klog.Errorf("failed to get onboardig token: %v", err)
 		w.WriteHeader(http.StatusInternalServerError)
 		w.Header().Set("Content-Type", handlers.ContentTypeTextPlain)

diff --git a/tools/csv-merger/csv-merger.go b/tools/csv-merger/csv-merger.go
@@ -644,10 +644,6 @@ func getUXBackendServerDeployment() appsv1.DeploymentSpec {
 					{
 						Name: "ux-backend-server",
 						VolumeMounts: []corev1.VolumeMount{
-							{
-								Name:      "onboarding-private-key",
-								MountPath: "/etc/private-key",
-							},
 							{
 								Name:      "ux-cert-secret",
 								MountPath: "/etc/tls/private",
@@ -716,15 +712,6 @@ func getUXBackendServerDeployment() appsv1.DeploymentSpec {
 					},
 				},
 				Volumes: []corev1.Volume{
-					{
-						Name: "onboarding-private-key",
-						VolumeSource: corev1.VolumeSource{
-							Secret: &corev1.SecretVolumeSource{
-								SecretName: "onboarding-private-key",
-								Optional:   ptr.To(true),
-							},
-						},
-					},
 					{
 						Name: "ux-proxy-secret",
 						VolumeSource: corev1.VolumeSource{