def get_fake_ssh_path(config_dir: str, username: str) -> str:
k8s_secret_name = 'git-secret'
hash_of_address = compute_hash_of_k8s_env_address()
fake_ssh_path = os.path.join(config_dir,
f'ssh-{username}-{hash_of_address}')
# If private key is already saved in config, return it
if not os.path.isfile(fake_ssh_path):
# If not, get key from k8s secret, save it and create fake ssh with a gathered key
key_path = os.path.join(config_dir,
f'.ssh-key-{username}-{hash_of_address}')
private_key_secret = get_secret(namespace=username,
secret_name=k8s_secret_name)
private_key = bytes(private_key_secret.data['private_key'],
encoding=_encoding)
private_key = base64.decodebytes(private_key).decode(_encoding)
with open(key_path, mode='w', encoding=_encoding) as private_key_file:
private_key_file.write(private_key)
os.chmod(key_path, 0o600)
fake_ssh_content = f'ssh -i {key_path} -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no $*'
with open(fake_ssh_path, mode='w',
encoding=_encoding) as fake_ssh_file:
fake_ssh_file.write(fake_ssh_content)
os.chmod(fake_ssh_path, 0o500)
return fake_ssh_path
def get_authorization_header(service_account_name: str, namespace: str):
service_account = get_service_account(
service_account_name=service_account_name, namespace=namespace)
secret_name = service_account.secrets[0].name
authorization_token = get_secret(secret_name=secret_name,
namespace=namespace).data['token']
authorization_token = base64.b64decode(authorization_token).decode('utf-8')
return f'Authorization: Bearer {authorization_token}'
def __init__(self, host: str, use_ssl=True, verify_certs=True,
with_admin_privledges=False, headers: Dict[str, str] = None,
**kwargs):
hosts = host
if with_admin_privledges:
secret = get_secret(
K8sElasticSearchClient.ES_PROXY_SECRET_NAME, "nauta")
admin_token = secret.data["token"]
headers = headers or {}
headers["ES-Authorization"] = f"Basic ${admin_token}"
super().__init__(hosts=hosts, use_ssl=use_ssl, verify_certs=verify_certs, headers=headers, **kwargs)
def _get_admin_token(self,
admin_secret_name: str = ADMIN_SECRET_NAME) -> str:
git_repo_manager_admin_secret = get_secret(
namespace=self.namespace, secret_name=admin_secret_name)
admin_token = git_repo_manager_admin_secret.data.get('token')
if not admin_token:
admin_token = self._create_admin_token(
admin_secret=git_repo_manager_admin_secret)
self._save_admin_token(admin_secret=git_repo_manager_admin_secret,
token=admin_token,
user_namespace=self.namespace)
return f'token {admin_token}'
def get_git_private_key_path(config_dir: str, username: str) -> str:
k8s_secret_name = 'git-secret'
key_path = os.path.join(
config_dir, f'.ssh-key-{username}-{compute_hash_of_k8s_env_address()}')
# If private key is already saved in config, return it
if not os.path.isfile(key_path):
# If not, get key from k8s secret, save it with proper permissions
private_key_secret = get_secret(namespace=username,
secret_name=k8s_secret_name)
private_key = bytes(private_key_secret.data['private_key'],
encoding=_encoding)
private_key = base64.decodebytes(private_key).decode(_encoding)
with open(key_path, mode='w', encoding=_encoding) as private_key_file:
private_key_file.write(private_key)
os.chmod(key_path, 0o600)
return key_path
def __init__(self,
host: str,
port: int,
use_ssl=True,
verify_certs=True,
with_admin_privledges=False,
**kwargs):
hosts = [{'host': host, 'port': port}]
headers: Dict[str, str] = {}
if with_admin_privledges:
secret = get_secret(K8sElasticSearchClient.ES_PROXY_SECRET_NAME,
"nauta")
admin_token = secret.data["token"]
headers = {"Authorization": f"Basic ${admin_token}"}
super().__init__(hosts=hosts,
use_ssl=use_ssl,
verify_certs=verify_certs,
headers=headers,
**kwargs)