Merge pull request #712 from l1b0k/feat/secret

deprecated direct get secret
AliyunContainerService · Nov 1, 2024 · 16402ec · 16402ec
2 parents 2db47a6 + 1cb024c
commit 16402ec
Show file tree

Hide file tree

Showing 6 changed files with 27 additions and 74 deletions.
diff --git a/cmd/terway-controlplane/terway-controlplane.go b/cmd/terway-controlplane/terway-controlplane.go
@@ -151,7 +151,7 @@ func main() {
 	if string(cfg.Credential.AccessKey) != "" && string(cfg.Credential.AccessSecret) != "" {
 		providers = append(providers, credential.NewAKPairProvider(string(cfg.Credential.AccessKey), string(cfg.Credential.AccessSecret)))
 	}
-	providers = append(providers, credential.NewEncryptedCredentialProvider(cfg.CredentialPath, cfg.SecretNamespace, cfg.SecretName))
+	providers = append(providers, credential.NewEncryptedCredentialProvider(cfg.CredentialPath))
 	providers = append(providers, credential.NewMetadataProvider())
 
 	clientSet, err := credential.NewClientMgr(cfg.RegionID, providers...)

diff --git a/daemon/builder.go b/daemon/builder.go
@@ -155,7 +155,7 @@ func (b *NetworkServiceBuilder) setupAliyunClient() error {
 	if string(b.config.AccessID) != "" && string(b.config.AccessSecret) != "" {
 		providers = append(providers, credential.NewAKPairProvider(string(b.config.AccessID), string(b.config.AccessSecret)))
 	}
-	providers = append(providers, credential.NewEncryptedCredentialProvider(utils.NormalizePath(b.config.CredentialPath), "", ""))
+	providers = append(providers, credential.NewEncryptedCredentialProvider(utils.NormalizePath(b.config.CredentialPath)))
 	providers = append(providers, credential.NewMetadataProvider())
 
 	clientSet, err := credential.NewClientMgr(meta.RegionID, providers...)

diff --git a/examples/maxpods/maxpods.go b/examples/maxpods/maxpods.go
@@ -36,7 +36,7 @@ func main() {
 
 	providers := []credential.Interface{
 		credential.NewAKPairProvider(accessKeyID, accessKeySecret),
-		credential.NewEncryptedCredentialProvider(credentialPath, "", ""),
+		credential.NewEncryptedCredentialProvider(credentialPath),
 		credential.NewMetadataProvider(),
 	}
 

diff --git a/pkg/aliyun/credential/sts.go b/pkg/aliyun/credential/sts.go
@@ -1,7 +1,6 @@
 package credential
 
 import (
-	"context"
 	"crypto/aes"
 	"crypto/cipher"
 	"encoding/base64"
@@ -11,14 +10,8 @@ import (
 	"time"
 
 	"github.com/aliyun/alibaba-cloud-sdk-go/sdk/auth/credentials"
-	corev1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/api/errors"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/client-go/util/retry"
 
-	"github.com/AliyunContainerService/terway/pkg/backoff"
 	"github.com/AliyunContainerService/terway/pkg/utils"
-	"github.com/AliyunContainerService/terway/pkg/utils/k8sclient"
 )
 
 type EncryptedCredentialInfo struct {
@@ -30,65 +23,37 @@ type EncryptedCredentialInfo struct {
 }
 
 type EncryptedCredentialProvider struct {
-	credentialPath  string
-	secretNamespace string
-	secretName      string
+	credentialPath string
 }
 
-// NewEncryptedCredentialProvider get token from file or secret. default filepath /var/addon/token-config
-func NewEncryptedCredentialProvider(credentialPath, secretNamespace, secretName string) *EncryptedCredentialProvider {
-	return &EncryptedCredentialProvider{credentialPath: credentialPath, secretNamespace: secretNamespace, secretName: secretName}
+// NewEncryptedCredentialProvider get token from file. default filepath /var/addon/token-config
+func NewEncryptedCredentialProvider(credentialPath string) *EncryptedCredentialProvider {
+	return &EncryptedCredentialProvider{credentialPath: credentialPath}
 }
 
 func (e *EncryptedCredentialProvider) Resolve() (*Credential, error) {
-	if e.credentialPath == "" && e.secretNamespace == "" && e.secretName == "" {
+	if e.credentialPath == "" {
 		return nil, nil
 	}
 	var encodeTokenCfg []byte
 	var err error
 	var akInfo EncryptedCredentialInfo
 
-	if e.credentialPath != "" {
-		log.Info("resolve encrypted credential", "path", e.credentialPath)
-		if utils.IsWindowsOS() {
-			// NB(thxCode): since os.Stat has not worked as expected,
-			// we use os.Lstat instead of os.Stat here,
-			// ref to https://github.com/microsoft/Windows-Containers/issues/97#issuecomment-887713195.
-			_, err = os.Lstat(e.credentialPath)
-		} else {
-			_, err = os.Stat(e.credentialPath)
-		}
-		if err != nil {
-			return nil, fmt.Errorf("failed to read config %s, err: %w", e.credentialPath, err)
-		}
-		encodeTokenCfg, err = os.ReadFile(e.credentialPath)
-		if err != nil {
-			return nil, fmt.Errorf("failed to read token config, err: %w", err)
-		}
+	log.Info("resolve encrypted credential", "path", e.credentialPath)
+	if utils.IsWindowsOS() {
+		// NB(thxCode): since os.Stat has not worked as expected,
+		// we use os.Lstat instead of os.Stat here,
+		// ref to https://github.com/microsoft/Windows-Containers/issues/97#issuecomment-887713195.
+		_, err = os.Lstat(e.credentialPath)
 	} else {
-		log.Info(fmt.Sprintf("resolve secret %s/%s", e.secretNamespace, e.secretName))
-
-		var secret *corev1.Secret
-		err = retry.OnError(backoff.Backoff(backoff.WaitStsTokenReady), func(err error) bool {
-			if errors.IsNotFound(err) || errors.IsTooManyRequests(err) {
-				return true
-			}
-			return false
-		}, func() error {
-			secret, err = k8sclient.K8sClient.CoreV1().Secrets(e.secretNamespace).Get(context.Background(), e.secretName, metav1.GetOptions{})
-			if err != nil {
-				return err
-			}
-			return nil
-		})
-		if err != nil {
-			return nil, err
-		}
-		var ok bool
-		encodeTokenCfg, ok = secret.Data["addon.token.config"]
-		if !ok {
-			return nil, fmt.Errorf("token is not found in addon.network.token")
-		}
+		_, err = os.Stat(e.credentialPath)
+	}
+	if err != nil {
+		return nil, fmt.Errorf("failed to read config %s, err: %w", e.credentialPath, err)
+	}
+	encodeTokenCfg, err = os.ReadFile(e.credentialPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read token config, err: %w", err)
 	}
 
 	err = json.Unmarshal(encodeTokenCfg, &akInfo)

diff --git a/types/controlplane/config_default.go b/types/controlplane/config_default.go
@@ -78,13 +78,11 @@ type Config struct {
 }
 
 type Credential struct {
-	AccessKey       secret.Secret `json:"accessKey" validate:"required_with=AccessSecret"`
-	AccessSecret    secret.Secret `json:"accessSecret" validate:"required_with=AccessKey"`
-	CredentialPath  string        `json:"credentialPath"`
-	SecretNamespace string        `json:"secretNamespace" validate:"required_with=SecretName"`
-	SecretName      string        `json:"secretName" validate:"required_with=SecretNamespace"`
-	OtelEndpoint    string        `json:"otelEndpoint"`
-	OtelToken       secret.Secret `json:"otelToken"`
+	AccessKey      secret.Secret `json:"accessKey" validate:"required_with=AccessSecret"`
+	AccessSecret   secret.Secret `json:"accessSecret" validate:"required_with=AccessKey"`
+	CredentialPath string        `json:"credentialPath"`
+	OtelEndpoint   string        `json:"otelEndpoint"`
+	OtelToken      secret.Secret `json:"otelToken"`
 }
 
 type MultiIPController struct {

diff --git a/types/controlplane/config_test.go b/types/controlplane/config_test.go
@@ -63,16 +63,6 @@ func TestParseAndValidateCredential(t *testing.T) {
 				CredentialPath: "foo",
 			},
 			wantErr: true,
-		}, {
-			name: "use secret",
-			credential: Credential{
-				AccessKey:       "",
-				AccessSecret:    "",
-				CredentialPath:  "",
-				SecretNamespace: "foo",
-				SecretName:      "foo",
-			},
-			wantErr: false,
 		},
 		{
 			name: "miss all",