Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: 019c95b173
Branches Tags
helm-externa...
/
pkg
/
generator
/
quay
/
quay.go

quay.go 4.4 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163 
  1. /*
    2. 

  2. Copyright © 2025 ESO Maintainer Team
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     https://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. // Package quay provides functionality for generating authentication tokens for Quay container registry.
    18. 

  18. package quay
    19. 

  19. 

  20. import (
    21. 

  21. 	"context"
    22. 

  22. 	b64 "encoding/base64"
    23. 

  23. 	"encoding/json"
    24. 

  24. 	"errors"
    25. 

  25. 	"fmt"
    26. 

  26. 	"io"
    27. 

  27. 	"net/http"
    28. 

  28. 	"strings"
    29. 

  29. 	"time"
    30. 

  30. 

  31. 	apiextensions "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
    32. 

  32. 	"sigs.k8s.io/controller-runtime/pkg/client"
    33. 

  33. 	"sigs.k8s.io/yaml"
    34. 

  34. 

  35. 	genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
    36. 

  36. 	"github.com/external-secrets/external-secrets/pkg/esutils"
    37. 

  37. )
    38. 

  38. 

  39. // Generator implements token generation for Quay.io container registry.
    40. 

  40. type Generator struct {
    41. 

  41. 	httpClient *http.Client
    42. 

  42. }
    43. 

  43. 

  44. const (
    45. 

  45. 	defaultQuayURL = "quay.io"
    46. 

  46. 

  47. 	errNoSpec    = "no config spec provided"
    48. 

  48. 	errParseSpec = "unable to parse spec: %w"
    49. 

  49. 	errGetToken  = "unable to get authorization token: %w"
    50. 

  50. 

  51. 	httpClientTimeout = 5 * time.Second
    52. 

  52. )
    53. 

  53. 

  54. // Generate creates an authentication token for Quay container registry.
    55. 

  55. func (g *Generator) Generate(ctx context.Context, jsonSpec *apiextensions.JSON, kube client.Client, namespace string) (map[string][]byte, genv1alpha1.GeneratorProviderState, error) {
    56. 

  56. 	return g.generate(
    57. 

  57. 		ctx,
    58. 

  58. 		jsonSpec,
    59. 

  59. 		kube,
    60. 

  60. 		namespace,
    61. 

  61. 	)
    62. 

  62. }
    63. 

  63. 

  64. // Cleanup performs any necessary cleanup after token generation.
    65. 

  65. func (g *Generator) Cleanup(_ context.Context, _ *apiextensions.JSON, _ genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
    66. 

  66. 	return nil
    67. 

  67. }
    68. 

  68. 

  69. func (g *Generator) generate(
    70. 

  70. 	ctx context.Context,
    71. 

  71. 	jsonSpec *apiextensions.JSON,
    72. 

  72. 	_ client.Client,
    73. 

  73. 	namespace string) (map[string][]byte, genv1alpha1.GeneratorProviderState, error) {
    74. 

  74. 	if jsonSpec == nil {
    75. 

  75. 		return nil, nil, errors.New(errNoSpec)
    76. 

  76. 	}
    77. 

  77. 	res, err := parseSpec(jsonSpec.Raw)
    78. 

  78. 	if err != nil {
    79. 

  79. 		return nil, nil, fmt.Errorf(errParseSpec, err)
    80. 

  80. 	}
    81. 

  81. 

  82. 	// Fetch the service account token
    83. 

  83. 	token, err := esutils.FetchServiceAccountToken(ctx, res.Spec.ServiceAccountRef, namespace)
    84. 

  84. 	if err != nil {
    85. 

  85. 		return nil, nil, fmt.Errorf("failed to fetch service account token: %w", err)
    86. 

  86. 	}
    87. 

  87. 	url := res.Spec.URL
    88. 

  88. 	if url == "" {
    89. 

  89. 		url = defaultQuayURL
    90. 

  90. 	}
    91. 

  91. 	url = strings.TrimPrefix(url, "https://")
    92. 

  92. 

  93. 	accessToken, err := getQuayRobotToken(ctx, token, res.Spec.RobotAccount, url, g.httpClient)
    94. 

  94. 	if err != nil {
    95. 

  95. 		return nil, nil, err
    96. 

  96. 	}
    97. 

  97. 	exp, err := esutils.ExtractJWTExpiration(accessToken)
    98. 

  98. 	if err != nil {
    99. 

  99. 		return nil, nil, err
    100. 

  100. 	}
    101. 

  101. 	return map[string][]byte{
    102. 

  102. 		"registry": []byte(url),
    103. 

  103. 		"auth":     []byte(b64.StdEncoding.EncodeToString([]byte(res.Spec.RobotAccount + ":" + accessToken))),
    104. 

  104. 		"expiry":   []byte(exp),
    105. 

  105. 	}, nil, nil
    106. 

  106. }
    107. 

  107. 

  108. // https://docs.projectquay.io/manage_quay.html#exchanging-oauth2-robot-account-token
    109. 

  109. func getQuayRobotToken(ctx context.Context, fedToken, robotAccount, url string, hc *http.Client) (string, error) {
    110. 

  110. 	if hc == nil {
    111. 

  111. 		hc = &http.Client{
    112. 

  112. 			Timeout: httpClientTimeout,
    113. 

  113. 		}
    114. 

  114. 	}
    115. 

  115. 

  116. 	req, err := http.NewRequestWithContext(ctx, "GET", "https://"+url+"/oauth2/federation/robot/token", http.NoBody)
    117. 

  117. 	if err != nil {
    118. 

  118. 		return "", err
    119. 

  119. 	}
    120. 

  120. 	req.SetBasicAuth(robotAccount, fedToken)
    121. 

  121. 	resp, err := hc.Do(req)
    122. 

  122. 	if err != nil {
    123. 

  123. 		return "", err
    124. 

  124. 	}
    125. 

  125. 	defer func() {
    126. 

  126. 		_ = resp.Body.Close()
    127. 

  127. 	}()
    128. 

  128. 

  129. 	if resp.StatusCode != 200 {
    130. 

  130. 		return "", fmt.Errorf("request failed do to unexpected status: %s", resp.Status)
    131. 

  131. 	}
    132. 

  132. 

  133. 	body, err := io.ReadAll(resp.Body)
    134. 

  134. 	if err != nil {
    135. 

  135. 		return "", err
    136. 

  136. 	}
    137. 

  137. 

  138. 	var result map[string]interface{}
    139. 

  139. 

  140. 	err = json.Unmarshal(body, &result)
    141. 

  141. 	if err != nil {
    142. 

  142. 		return "", err
    143. 

  143. 	}
    144. 

  144. 	token, ok := result["token"]
    145. 

  145. 	if !ok {
    146. 

  146. 		return "", fmt.Errorf("token not found in response")
    147. 

  147. 	}
    148. 

  148. 	tokenString, ok := token.(string)
    149. 

  149. 	if !ok {
    150. 

  150. 		return "", fmt.Errorf("error when typecasting token to string")
    151. 

  151. 	}
    152. 

  152. 	return tokenString, nil
    153. 

  153. }
    154. 

  154. 

  155. func parseSpec(data []byte) (*genv1alpha1.QuayAccessToken, error) {
    156. 

  156. 	var spec genv1alpha1.QuayAccessToken
    157. 

  157. 	err := yaml.Unmarshal(data, &spec)
    158. 

  158. 	return &spec, err
    159. 

  159. }
    160. 

  160. 

  161. func init() {
    162. 

  162. 	genv1alpha1.Register(genv1alpha1.QuayAccessTokenKind, &Generator{})
    163. 

  163. }
    164.