diff --git a/audit-ci.json b/audit-ci.json
index 876a2e1..90748fe 100644
--- a/audit-ci.json
+++ b/audit-ci.json
@@ -23,6 +23,7 @@
"notes": "The Request package (see above) requires tough-cookie at a vulnerable version.",
"expiry": "2024-02-30"
}
- } ],
+ }
+ ],
"skip-dev": true
}
diff --git a/kubernetes/ClusterSubscription/resource.yaml b/kubernetes/ClusterSubscription/resource.yaml
index 582ee4f..55eaaa5 100644
--- a/kubernetes/ClusterSubscription/resource.yaml
+++ b/kubernetes/ClusterSubscription/resource.yaml
@@ -59,16 +59,9 @@ spec:
volumeMounts:
- name: razee-identity-config
mountPath: /home/node/envs/razee-identity-config
- - name: razee-identity-secret
- mountPath: /home/node/envs/razee-identity-secret
volumes:
- name: razee-identity-config
configMap:
name: razee-identity
defaultMode: 0400
optional: true
- - name: razee-identity-secret
- secret:
- secretName: razee-identity
- defaultMode: 0400
- optional: true
diff --git a/src/Config.js b/src/Config.js
index 3cafc4d..e925300 100644
--- a/src/Config.js
+++ b/src/Config.js
@@ -19,11 +19,9 @@ const chokidar = require('chokidar');
module.exports = class Config {
static razeeApiPath = 'envs/razee-identity-config/RAZEE_API';
- static orgKeyPath = 'envs/razee-identity-secret/RAZEE_ORG_KEY';
static clusterIdPath = 'envs/razee-identity-config/CLUSTER_ID';
static razeeApi = process.env.RAZEE_API;
- static orgKey = process.env.RAZEE_ORG_KEY;
static clusterId = process.env.CLUSTER_ID;
static watcher;
@@ -34,12 +32,6 @@ module.exports = class Config {
}
}
- static async readOrgKey() {
- if (await fs.pathExists(this.orgKeyPath)) {
- this.orgKey = ((await fs.readFile(this.orgKeyPath, 'utf8')).trim() || this.orgKey);
- }
- }
-
static async readClusterId() {
if (await fs.pathExists(this.clusterIdPath)) {
this.clusterId = ((await fs.readFile(this.clusterIdPath, 'utf8')).trim() || this.clusterId);
@@ -48,7 +40,6 @@ module.exports = class Config {
static async init() {
await this.readRazeeApi();
- await this.readOrgKey();
await this.readClusterId();
}
@@ -59,10 +50,6 @@ module.exports = class Config {
this.readRazeeApi();
}
- if (path === this.orgKeyPath) {
- this.readOrgKey();
- }
-
if (path === this.clusterIdPath) {
this.readClusterId();
}
diff --git a/src/index.js b/src/index.js
index 94e015b..c87ef05 100644
--- a/src/index.js
+++ b/src/index.js
@@ -5,6 +5,22 @@ const { getSubscriptionsByCluster } = require('../lib/queries');
const touch = require('touch');
const Config = require('./Config');
+const objectPath = require('object-path');
+const { KubeClass } = require('@razee/kubernetes-util');
+const kc = new KubeClass();
+
+// Read from razee-identity secret dynamically (rather than mounting as a volume and reading from a file) to satisfy scenarios where this operator is run on a separate cluster
+const getOrgKey = async () => {
+ const krm = await kc.getKubeResourceMeta('v1', 'Secret', 'get');
+ const res = await krm.request({ uri: '/api/v1/namespaces/razeedeploy/secrets/razee-identity', json: true });
+ let base64KeyData = objectPath.get(res, ['data', 'RAZEE_ORG_KEY']);
+ if (base64KeyData === undefined) {
+ throw new Error('razeedeploy/razee-identity secret does not contain RAZEE_ORG_KEY');
+ }
+ let secret = Buffer.from(base64KeyData, 'base64');
+ return secret.toString();
+};
+
const razeeListener = async (razeeApi, clusterId) => {
webSocketClient(razeeApi).subscribe((event) => {
log.info('Received an event from razeedash-api', event);
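Review bot: `getOrgKey` now reads the secret through the API at a hard-coded path (`/api/v1/namespaces/razeedeploy/secrets/razee-identity`), but the commit only removes the volume mount and adds no RBAC, so the operator's ServiceAccount must be granted `get` on Secrets in `razeedeploy`; that rule should be scoped with `resourceNames: ["razee-identity"]` rather than a namespace- or cluster-wide secrets read, and the manifest change belongs in this commit. The decoded value is returned untrimmed, whereas the removed `readOrgKey` applied `.trim()` to the file contents, so a secret created from a file with a trailing newline would now send a key with `\n` appended to razeedash-api; `return Buffer.from(base64KeyData, 'base64').toString('utf8').trim();` keeps the old behaviour. It is not visible here whether `krm.request` throws or resolves with a Status body on 403/404 — if it resolves, `objectPath.get(res, ['data', 'RAZEE_ORG_KEY'])` is `undefined` and the error reports a missing key rather than an unreadable secret, so consider checking `res.kind === 'Status'` (or the status code) before that lookup. Since the removed `volumes` entry was the only place the namespace and secret name were previously bound, parameterising them via env vars with these values as defaults would keep the "separate cluster" scenario from the comment configurable.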
@@ -19,12 +35,23 @@ const razeeListener = async (razeeApi, clusterId) => {
};
const callRazee = async (razeeApi, clusterId) => {
+ let orgKey;
+ try {
+ orgKey = await getOrgKey();
+ }
+ catch(e) {
+ log.info(`RAZEE_ORG_KEY could not be read from the razeedeploy/razee-identity secret (falling back to env var): ${e.message}`);
+ orgKey = process.env.RAZEE_ORG_KEY;
+ }
+ if (!orgKey) {
+ throw 'RAZEE_ORG_KEY is missing';
+ }
// rr's on this cluster with the 'deploy.razee.io/clustersubscription' annotation
const clusterResources = await getRemoteResources(clusterId);
// list of razee subscriptions for this cluster
- const res = await getSubscriptionsByCluster(razeeApi, Config.orgKey, clusterId).catch(() => false);
+ const res = await getSubscriptionsByCluster(razeeApi, orgKey, clusterId).catch(() => false);
const subscriptions = (res && res.data && res.data.subscriptionsByClusterId) ? res.data.subscriptionsByClusterId : false;
log.debug('razee subscriptions', { subscriptions });
@@ -32,7 +59,7 @@ const callRazee = async (razeeApi, clusterId) => {
// Create remote resources
//
if (subscriptions && subscriptions.length > 0) {
- await createRemoteResources(razeeApi, Config.orgKey, subscriptions, clusterId);
+ await createRemoteResources(razeeApi, orgKey, subscriptions, clusterId);
log.info('finished creating remote resources');
}
@@ -59,13 +86,9 @@ const callRazee = async (razeeApi, clusterId) => {
async function main() {
await Config.init();
- const apiKey = Config.orgKey;
const razeeApi = Config.razeeApi;
const clusterId = Config.clusterId;
- if (!apiKey) {
- throw 'RAZEE_ORG_KEY is missing';
- }
if (!razeeApi) {
throw 'RAZEE_API is missing';
}
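Review bot: The new guard in `callRazee` throws a bare string (`throw 'RAZEE_ORG_KEY is missing';`), which carries no stack trace and is not an `Error` for any caller that inspects `err.message`; use `throw new Error('RAZEE_ORG_KEY is missing');`. The `catch` block logs at `info` and then silently falls back to the env var, so an RBAC or network failure reading the secret is masked whenever `RAZEE_ORG_KEY` is also set in the environment — `log.warn` is the appropriate level, and if `callRazee` is invoked periodically the secret fetch and this message will repeat on every cycle. The re-emitted `getSubscriptionsByCluster(razeeApi, orgKey, clusterId).catch(() => false)` line still discards the rejection, so an invalid or rotated-but-stale key is indistinguishable from "no subscriptions"; logging the error in that `.catch` would make key problems visible. Note also that the startup check removed from `main` in the last hunk means a missing key now surfaces only when `callRazee` first runs rather than failing fast at boot; a one-line comment here stating that this is intentional would help the next reader. `callRazee`'s body continues outside this hunk.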