Read secrets for client-onboarding-token-validation

[mrudraia1]

This PR reads the secrets instead of reading the secrets from the volume mounts.
whenever the new onboarding secrets are created, it takes more time to read the secrets from the volume mounts,
The user clicks the rotate onboarding keys, the kubernetes still uses the old public, private keys , the new keys are mounted later, So this PR will read the secrets directly from the kubernetes secrets.

[leelavg]

a suggestion, we are seeing this PR for third time, second time it's fine that you weren't able to recover GH (remember you can't create new a/c every-time though) but last time it's better if you can focus on rebasing properly.

yes, GH doesn't have any issue w/ closing & opening a new PR but for reviewers it's kinda hard to relook from the start.

[mrudraia1]

I have tested this PR, with the latest 4.18 build. I could see the keys getting exchanged when the rotate signing key is clicked in storageclient page.

[leelavg]

I have tested this PR, with the latest 4.18 build. I could see the keys getting exchanged when the rotate signing key is clicked in storageclient page.

• ack, only minor comments now. @nb-ohad possible for a final review?

[nb-ohad]

Why do we need a MatchEveryOwner here? Isn't StorageCluster the controller owner of the secret we want to watch?

[mrudraia1]

controller owner reference set to secrets, ack

[nb-ohad]

This comment was not addressed as tall! You are matching by controller ownership, it does not make sense to match every owner

[mrudraia1]

Owner reference were set during creation of secrets in on-boarding job, when the rotate signing key is clicked the re-consiliation is not happening, The onboarding-token needs to be created which is failing.

Any suggestion for this issue.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mrudraia1
Once this PR has been reviewed and has the lgtm label, please ask for approval from nb-ohad. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[deepsm007]

infra issue
/test images

[nb-ohad]

This comment was not addressed as tall! You are matching by controller ownership, it does not make sense to match every owner

[nb-ohad]

You don't need this check: Maps in golang, even when not initialized, support the key access operator.

Suggested change

if privateSecret.Data != nil {

[nb-ohad]

I would prefer, from code readability and extensibility concerns, if we first handle error conditions and only at the end have the return that is not erroneous. This way you don't need nested returns and extending the function in the future with more checks become easier

Suggested change

	if privateSecretKey, ok := privateSecret.Data["key"]; ok {
	Block, _ := pem.Decode(privateSecretKey)
	privateKey, err := x509.ParsePKCS1PrivateKey(Block.Bytes)
	if err != nil {
	return nil, fmt.Errorf("failed to parse private key: %v", err)
	}
	return privateKey, nil
	}
	}
	return privateKey, nil
	return nil, fmt.Errorf("No data found in secret")
	privateSecretKey, ok := privateSecret.Data["key"];
	if !ok {
	return nil, fmt.Errorf("No data found in secret")
	}
	Block, _ := pem.Decode(privateSecretKey)
	privateKey, err := x509.ParsePKCS1PrivateKey(Block.Bytes)
	if err != nil {
	return nil, fmt.Errorf("failed to parse private key: %v", err)
	}
	return privateKey, nil

[nb-ohad]

This line is too long, please split over multi-lines

Suggested change

	if onboardingToken, err := util.GenerateClientOnboardingToken(tokenLifetimeInHours, privateKey, storageQuotaInGiB, storageCluster.UID); err != nil {
	if onboardingToken, err := util.GenerateClientOnboardingToken(
	tokenLifetimeInHours,
	privateKey,
	storageQuotaInGiB,
	storageCluster.UID,
	); err != nil {

[nb-ohad]

Line too long, see last comment for breaking into multi lines

[nb-ohad]

1. You should not use a TODO context but a background context
2. If there is a need to create a context for handling a request it should be created at the topmost level of the request handling and passed down

[nb-ohad]

You should not use the same context for main and for specific request handling. Each request should initialize its own background context that will be used during the entire request.

[nb-ohad]

Same as last comment