def get_fake_ssh_path(config_dir: str, username: str) -> str: k8s_secret_name = 'git-secret' hash_of_address = compute_hash_of_k8s_env_address() fake_ssh_path = os.path.join(config_dir, f'ssh-{username}-{hash_of_address}') # If private key is already saved in config, return it if not os.path.isfile(fake_ssh_path): # If not, get key from k8s secret, save it and create fake ssh with a gathered key key_path = os.path.join(config_dir, f'.ssh-key-{username}-{hash_of_address}') private_key_secret = get_secret(namespace=username, secret_name=k8s_secret_name) private_key = bytes(private_key_secret.data['private_key'], encoding=_encoding) private_key = base64.decodebytes(private_key).decode(_encoding) with open(key_path, mode='w', encoding=_encoding) as private_key_file: private_key_file.write(private_key) os.chmod(key_path, 0o600) fake_ssh_content = f'ssh -i {key_path} -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no $*' with open(fake_ssh_path, mode='w', encoding=_encoding) as fake_ssh_file: fake_ssh_file.write(fake_ssh_content) os.chmod(fake_ssh_path, 0o500) return fake_ssh_path
def get_authorization_header(service_account_name: str, namespace: str): service_account = get_service_account( service_account_name=service_account_name, namespace=namespace) secret_name = service_account.secrets[0].name authorization_token = get_secret(secret_name=secret_name, namespace=namespace).data['token'] authorization_token = base64.b64decode(authorization_token).decode('utf-8') return f'Authorization: Bearer {authorization_token}'
def __init__(self, host: str, use_ssl=True, verify_certs=True, with_admin_privledges=False, headers: Dict[str, str] = None, **kwargs): hosts = host if with_admin_privledges: secret = get_secret( K8sElasticSearchClient.ES_PROXY_SECRET_NAME, "nauta") admin_token = secret.data["token"] headers = headers or {} headers["ES-Authorization"] = f"Basic ${admin_token}" super().__init__(hosts=hosts, use_ssl=use_ssl, verify_certs=verify_certs, headers=headers, **kwargs)
def _get_admin_token(self, admin_secret_name: str = ADMIN_SECRET_NAME) -> str: git_repo_manager_admin_secret = get_secret( namespace=self.namespace, secret_name=admin_secret_name) admin_token = git_repo_manager_admin_secret.data.get('token') if not admin_token: admin_token = self._create_admin_token( admin_secret=git_repo_manager_admin_secret) self._save_admin_token(admin_secret=git_repo_manager_admin_secret, token=admin_token, user_namespace=self.namespace) return f'token {admin_token}'
def get_git_private_key_path(config_dir: str, username: str) -> str: k8s_secret_name = 'git-secret' key_path = os.path.join( config_dir, f'.ssh-key-{username}-{compute_hash_of_k8s_env_address()}') # If private key is already saved in config, return it if not os.path.isfile(key_path): # If not, get key from k8s secret, save it with proper permissions private_key_secret = get_secret(namespace=username, secret_name=k8s_secret_name) private_key = bytes(private_key_secret.data['private_key'], encoding=_encoding) private_key = base64.decodebytes(private_key).decode(_encoding) with open(key_path, mode='w', encoding=_encoding) as private_key_file: private_key_file.write(private_key) os.chmod(key_path, 0o600) return key_path
def __init__(self, host: str, port: int, use_ssl=True, verify_certs=True, with_admin_privledges=False, **kwargs): hosts = [{'host': host, 'port': port}] headers: Dict[str, str] = {} if with_admin_privledges: secret = get_secret(K8sElasticSearchClient.ES_PROXY_SECRET_NAME, "nauta") admin_token = secret.data["token"] headers = {"Authorization": f"Basic ${admin_token}"} super().__init__(hosts=hosts, use_ssl=use_ssl, verify_certs=verify_certs, headers=headers, **kwargs)