github
/
portainer
mirror of https://github.com/portainer/portainer
1
0
Fork 0
Code Issues Releases Wiki Activity

fix(k8s/user): remove username part from service account (#4147)

pull/4152/head
Anthony Lapenna 2020-08-04 16:01:15 +12:00 committed by GitHub
parent bd7d7dcef5
commit 909e1ef02c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 14 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
api/http/proxy/factory/kubernetes/token.go
View File

@ -45,7 +45,7 @@ func (manager *tokenManager) getAdminServiceAccountToken() string {
return manager.adminToken return manager.adminToken
} }
func (manager *tokenManager) getUserServiceAccountToken(userID int, username string) (string, error) { func (manager *tokenManager) getUserServiceAccountToken(userID int) (string, error) {
manager.mutex.Lock() manager.mutex.Lock()
defer manager.mutex.Unlock() defer manager.mutex.Unlock()
@ -61,12 +61,12 @@ func (manager *tokenManager) getUserServiceAccountToken(userID int, username str
teamIds = append(teamIds, int(membership.TeamID)) teamIds = append(teamIds, int(membership.TeamID))
} }
err = manager.kubecli.SetupUserServiceAccount(userID, username, teamIds) err = manager.kubecli.SetupUserServiceAccount(userID, teamIds)
if err != nil { if err != nil {
return "", err return "", err
} }
serviceAccountToken, err := manager.kubecli.GetServiceAccountBearerToken(userID, username) serviceAccountToken, err := manager.kubecli.GetServiceAccountBearerToken(userID)
if err != nil { if err != nil {
return "", err return "", err
} }

6
api/http/proxy/factory/kubernetes/transport.go
View File

@ -59,7 +59,7 @@ func (transport *localTransport) RoundTrip(request *http.Request) (*http.Respons
if tokenData.Role == portainer.AdministratorRole { if tokenData.Role == portainer.AdministratorRole {
token = transport.tokenManager.getAdminServiceAccountToken() token = transport.tokenManager.getAdminServiceAccountToken()
} else { } else {
token, err = transport.tokenManager.getUserServiceAccountToken(int(tokenData.ID), tokenData.Username) token, err = transport.tokenManager.getUserServiceAccountToken(int(tokenData.ID))
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -94,7 +94,7 @@ func (transport *agentTransport) RoundTrip(request *http.Request) (*http.Respons
if tokenData.Role == portainer.AdministratorRole { if tokenData.Role == portainer.AdministratorRole {
token = transport.tokenManager.getAdminServiceAccountToken() token = transport.tokenManager.getAdminServiceAccountToken()
} else { } else {
token, err = transport.tokenManager.getUserServiceAccountToken(int(tokenData.ID), tokenData.Username) token, err = transport.tokenManager.getUserServiceAccountToken(int(tokenData.ID))
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -136,7 +136,7 @@ func (transport *edgeTransport) RoundTrip(request *http.Request) (*http.Response
if tokenData.Role == portainer.AdministratorRole { if tokenData.Role == portainer.AdministratorRole {
token = transport.tokenManager.getAdminServiceAccountToken() token = transport.tokenManager.getAdminServiceAccountToken()
} else { } else {
token, err = transport.tokenManager.getUserServiceAccountToken(int(tokenData.ID), tokenData.Username) token, err = transport.tokenManager.getUserServiceAccountToken(int(tokenData.ID))
if err != nil { if err != nil {
return nil, err return nil, err
} }

4
api/kubernetes/cli/naming.go
View File

@ -13,8 +13,8 @@ const (
portainerConfigMapAccessPoliciesKey = "NamespaceAccessPolicies" portainerConfigMapAccessPoliciesKey = "NamespaceAccessPolicies"
) )
func userServiceAccountName(userID int, username string) string { func userServiceAccountName(userID int) string {
return fmt.Sprintf("%s-%d-%s", portainerUserServiceAccountPrefix, userID, username) return fmt.Sprintf("%s-%d", portainerUserServiceAccountPrefix, userID)
} }
func userServiceAccountTokenSecretName(serviceAccountName string) string { func userServiceAccountTokenSecretName(serviceAccountName string) string {

8
api/kubernetes/cli/service_account.go
View File

@ -8,8 +8,8 @@ import (
) )
// GetServiceAccountBearerToken returns the ServiceAccountToken associated to the specified user. // GetServiceAccountBearerToken returns the ServiceAccountToken associated to the specified user.
func (kcl *KubeClient) GetServiceAccountBearerToken(userID int, username string) (string, error) { func (kcl *KubeClient) GetServiceAccountBearerToken(userID int) (string, error) {
serviceAccountName := userServiceAccountName(userID, username) serviceAccountName := userServiceAccountName(userID)
return kcl.getServiceAccountToken(serviceAccountName) return kcl.getServiceAccountToken(serviceAccountName)
} }
@ -17,8 +17,8 @@ func (kcl *KubeClient) GetServiceAccountBearerToken(userID int, username string)
// SetupUserServiceAccount will make sure that all the required resources are created inside the Kubernetes // SetupUserServiceAccount will make sure that all the required resources are created inside the Kubernetes
// cluster before creating a ServiceAccount and a ServiceAccountToken for the specified Portainer user. // cluster before creating a ServiceAccount and a ServiceAccountToken for the specified Portainer user.
//It will also create required default RoleBinding and ClusterRoleBinding rules. //It will also create required default RoleBinding and ClusterRoleBinding rules.
func (kcl *KubeClient) SetupUserServiceAccount(userID int, username string, teamIDs []int) error { func (kcl *KubeClient) SetupUserServiceAccount(userID int, teamIDs []int) error {
serviceAccountName := userServiceAccountName(userID, username) serviceAccountName := userServiceAccountName(userID)
err := kcl.ensureRequiredResourcesExist() err := kcl.ensureRequiredResourcesExist()
if err != nil { if err != nil {

4
api/portainer.go
View File

@ -961,8 +961,8 @@ type (
// KubeClient represents a service used to query a Kubernetes environment // KubeClient represents a service used to query a Kubernetes environment
KubeClient interface { KubeClient interface {
SetupUserServiceAccount(userID int, username string, teamIDs []int) error SetupUserServiceAccount(userID int, teamIDs []int) error
GetServiceAccountBearerToken(userID int, username string) (string, error) GetServiceAccountBearerToken(userID int) (string, error)
StartExecProcess(namespace, podName, containerName string, command []string, stdin io.Reader, stdout io.Writer) error StartExecProcess(namespace, podName, containerName string, command []string, stdin io.Reader, stdout io.Writer) error
} }