def get_es_conn_attrs(self,
k8s_connection: client.CoreV1Api,
debug: bool = False):
if debug:
self.es_params = {'host': 'localhost', 'port': '9200'}
else:
# Password
sec = str(
k8s_connection.read_namespaced_secret(
name="quickstart-es-elastic-user",
namespace="default").data)
password = base64.b64decode(sec.strip().split()[1]).decode("utf-8")
# Certificate
sec = k8s_connection.read_namespaced_secret(
name="quickstart-es-http-certs-public",
namespace="default").data
cert = base64.b64decode(sec["tls.crt"]).decode("utf-8")
context = create_default_context(cadata=cert)
self.es_params = {
'host': 'quickstart-es-http',
'port': '9200',
'http_auth': ('elastic', password),
'scheme': 'https',
'ssl_context': context
}
def is_secret_present(v1: CoreV1Api, name, namespace) -> bool:
"""
Check if a namespace has a secret.
:param v1: CoreV1Api
:param name:
:param namespace:
:return: bool
"""
try:
v1.read_namespaced_secret(name, namespace)
except ApiException as ex:
if ex.status == 404:
print(f"No secret '{name}' found.")
return False
return True
def is_secret_present(v1: CoreV1Api, name, namespace) -> bool:
"""
Check if a namespace has a secret.
:param v1: CoreV1Api
:param name:
:param namespace:
:return: bool
"""
try:
v1.read_namespaced_secret(name, namespace)
except ApiException as ex:
if ex.status == 404:
print(f"No secret '{name}' found.")
return False
return True
def _wait_for_token_secret(
core_api: CoreV1Api,
token_name: str,
token_namespace: str,
retries: int = 3,
interval: int = 5,
) -> typing.Union[V1Secret, None]:
new_access_token = core_api.read_namespaced_secret(
name=token_name,
namespace=token_namespace,
)
if not new_access_token.data:
logger.info(
'Access token was not yet populated with required information.')
if retries > 0:
logger.info(
f'Will sleep for {interval} seconds and try again {retries} more times.'
)
time.sleep(interval)
return _wait_for_token_secret(
core_api=core_api,
token_name=token_name,
token_namespace=token_namespace,
retries=retries - 1,
interval=interval,
)
else:
return None
return new_access_token
def ensure_node_key(hostname, node_type, kubernetes_api: client.CoreV1Api):
private_key_name = f"{hostname}-node-key"
try:
secret = kubernetes_api.read_namespaced_secret(name=private_key_name,
namespace="default")
except client.rest.ApiException as api_exception:
if api_exception.status != 404:
raise
secret = create_node_key(private_key_name, node_type, kubernetes_api)
node_key_bytes = bytearray.fromhex(
base64.b64decode(secret.data['node_key_file']).decode('utf-8'))
public_key = base64.b64decode(secret.data['public_key']).decode('utf-8')
return (node_key_bytes, public_key)
def register_admin_key(api: client.CoreV1Api):
"""
Register the admin key from the administrator secret.
:api (client.CoreV1Api) The api client to use to execute the request.
"""
namespace = utils.envvar('RATING_NAMESPACE')
secret_name = f'{namespace}-admin'
try:
secret_encoded_bytes = api.read_namespaced_secret(secret_name, namespace).data
except ApiException as exc:
raise exc
rating_admin_api_key = list(secret_encoded_bytes.keys())[0]
os.environ[rating_admin_api_key] = b64decode(
secret_encoded_bytes[rating_admin_api_key]).decode('utf-8')
def find_bearer_token(api: client.CoreV1Api,
svc_acc: str,
namespace: str = 'default') -> str:
"""Get the bearer token. Used when odin is running locally on a cluster with RBAC.
:param api: The k8s api client
:param svc_acc: The name of the service account
:param namespace: The namespace of the service account
:returns: The bearer token. Returns an empty string if not found.
"""
try:
sa = api.read_namespaced_service_account(svc_acc, namespace=namespace)
secret = api.read_namespaced_secret(sa.secrets[0].name,
namespace=namespace)
token = b64decode(secret.data['token']).decode('utf-8')
return f"bearer {token}"
except client.rest.ApiException:
return ""
def get_username_password(ref: SecretRef, api: CoreV1Api):
secret = api.read_namespaced_secret(namespace=ref.namespace,
name=ref.name,
exact=True,
export=True)
raw = None
if ref.password_ref is not None:
raw = secret.data[ref.password_ref]
elif "mongodb-root-password" in secret.data:
raw = secret.data["mongodb-root-password"]
elif "mongodb-password" in secret.data:
raw = secret.data["mongodb-password"]
elif "password" in secret.data:
raw = secret.data["passsword"]
if raw is None:
raise RuntimeError(
"Invalid secret, must have key mongodb-root-password, mongodb-password or passsword"
)
password = b64decode(raw).decode("utf-8")
raw = None
if ref.user_ref is not None:
raw = secret.data[ref.user_ref]
if "mongodb-root-user" in secret.data:
raw = secret.data["mongodb-root-user"]
elif "mongodb-user" in secret.data:
raw = secret.data["mongodb-user"]
elif "user" in secret.data:
raw = secret.data["user"]
if raw is None:
return (None, password)
# raise RuntimeError("Invalid secret, must have key mongodb-root-user, mongodb-user or user")
user = b64decode(raw).decode("utf-8")
return (user, password)
