mirror of https://github.com/k3s-io/k3s
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
133 lines
3.6 KiB
133 lines
3.6 KiB
package nodepassword |
|
|
|
import ( |
|
"fmt" |
|
"os" |
|
"strings" |
|
"time" |
|
|
|
"github.com/k3s-io/k3s/pkg/authenticator/hash" |
|
"github.com/k3s-io/k3s/pkg/passwd" |
|
"github.com/k3s-io/k3s/pkg/version" |
|
"github.com/pkg/errors" |
|
coreclient "github.com/rancher/wrangler/pkg/generated/controllers/core/v1" |
|
"github.com/sirupsen/logrus" |
|
v1 "k8s.io/api/core/v1" |
|
apierrors "k8s.io/apimachinery/pkg/api/errors" |
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" |
|
"k8s.io/utils/pointer" |
|
) |
|
|
|
var ( |
|
// Hasher provides the algorithm for generating and verifying hashes |
|
Hasher = hash.NewSCrypt() |
|
ErrVerifyFailed = errVerifyFailed() |
|
) |
|
|
|
type passwordError struct { |
|
node string |
|
err error |
|
} |
|
|
|
func (e *passwordError) Error() string { |
|
return fmt.Sprintf("unable to verify password for node %s: %v", e.node, e.err) |
|
} |
|
|
|
func (e *passwordError) Is(target error) bool { |
|
switch target { |
|
case ErrVerifyFailed: |
|
return true |
|
} |
|
return false |
|
} |
|
|
|
func (e *passwordError) Unwrap() error { |
|
return e.err |
|
} |
|
|
|
func errVerifyFailed() error { return &passwordError{} } |
|
|
|
func getSecretName(nodeName string) string { |
|
return strings.ToLower(nodeName + ".node-password." + version.Program) |
|
} |
|
|
|
func verifyHash(secretClient coreclient.SecretController, nodeName, pass string) error { |
|
name := getSecretName(nodeName) |
|
secret, err := secretClient.Cache().Get(metav1.NamespaceSystem, name) |
|
if err != nil { |
|
return &passwordError{node: nodeName, err: err} |
|
} |
|
if hash, ok := secret.Data["hash"]; ok { |
|
if err := Hasher.VerifyHash(string(hash), pass); err != nil { |
|
return &passwordError{node: nodeName, err: err} |
|
} |
|
return nil |
|
} |
|
return &passwordError{node: nodeName, err: errors.New("password hash not found in node secret")} |
|
} |
|
|
|
// Ensure will verify a node-password secret if it exists, otherwise it will create one |
|
func Ensure(secretClient coreclient.SecretController, nodeName, pass string) error { |
|
err := verifyHash(secretClient, nodeName, pass) |
|
if apierrors.IsNotFound(err) { |
|
var hash string |
|
hash, err = Hasher.CreateHash(pass) |
|
if err != nil { |
|
return &passwordError{node: nodeName, err: err} |
|
} |
|
_, err = secretClient.Create(&v1.Secret{ |
|
ObjectMeta: metav1.ObjectMeta{ |
|
Name: getSecretName(nodeName), |
|
Namespace: metav1.NamespaceSystem, |
|
}, |
|
Immutable: pointer.Bool(true), |
|
Data: map[string][]byte{"hash": []byte(hash)}, |
|
}) |
|
} |
|
return err |
|
} |
|
|
|
// Delete will remove a node-password secret |
|
func Delete(secretClient coreclient.SecretController, nodeName string) error { |
|
return secretClient.Delete(metav1.NamespaceSystem, getSecretName(nodeName), &metav1.DeleteOptions{}) |
|
} |
|
|
|
// MigrateFile moves password file entries to secrets |
|
func MigrateFile(secretClient coreclient.SecretController, nodeClient coreclient.NodeController, passwordFile string) error { |
|
_, err := os.Stat(passwordFile) |
|
if os.IsNotExist(err) { |
|
return nil |
|
} |
|
if err != nil { |
|
return err |
|
} |
|
|
|
passwd, err := passwd.Read(passwordFile) |
|
if err != nil { |
|
return err |
|
} |
|
|
|
nodeNames := []string{} |
|
nodeList, _ := nodeClient.Cache().List(nil) |
|
for _, node := range nodeList { |
|
nodeNames = append(nodeNames, node.Name) |
|
} |
|
if len(nodeNames) == 0 { |
|
nodeNames = append(nodeNames, passwd.Users()...) |
|
} |
|
|
|
logrus.Infof("Migrating node password entries from '%s'", passwordFile) |
|
ensured := int64(0) |
|
start := time.Now() |
|
for _, nodeName := range nodeNames { |
|
if pass, ok := passwd.Pass(nodeName); ok { |
|
if err := Ensure(secretClient, nodeName, pass); err != nil { |
|
logrus.Warn(errors.Wrapf(err, "error migrating node password entry for node '%s'", nodeName)) |
|
} else { |
|
ensured++ |
|
} |
|
} |
|
} |
|
logrus.Infof("Migrated %d node password entries in %s", ensured, time.Since(start)) |
|
return os.Remove(passwordFile) |
|
}
|
|
|