73 lines
1.8 KiB
Ruby
73 lines
1.8 KiB
Ruby
##
|
|
# TODO:
|
|
# Almost components in this class were copied from app/models/project_services/kubernetes_service.rb
|
|
# We should dry up those classes not to repeat the same code.
|
|
# Maybe we should have a special facility (e.g. lib/kubernetes_api) to maintain all Kubernetes API caller.
|
|
module Ci
|
|
class FetchKubernetesTokenService
|
|
attr_reader :api_url, :ca_pem, :username, :password
|
|
|
|
def initialize(api_url, ca_pem, username, password)
|
|
@api_url = api_url
|
|
@ca_pem = ca_pem
|
|
@username = username
|
|
@password = password
|
|
end
|
|
|
|
def execute
|
|
read_secrets.each do |secret|
|
|
name = secret.dig('metadata', 'name')
|
|
if /default-token/ =~ name
|
|
token_base64 = secret.dig('data', 'token')
|
|
return Base64.decode64(token_base64) if token_base64
|
|
end
|
|
end
|
|
|
|
nil
|
|
end
|
|
|
|
private
|
|
|
|
def read_secrets
|
|
kubeclient = build_kubeclient!
|
|
|
|
kubeclient.get_secrets.as_json
|
|
rescue KubeException => err
|
|
raise err unless err.error_code == 404
|
|
|
|
[]
|
|
end
|
|
|
|
def build_kubeclient!(api_path: 'api', api_version: 'v1')
|
|
raise "Incomplete settings" unless api_url && username && password
|
|
|
|
::Kubeclient::Client.new(
|
|
join_api_url(api_path),
|
|
api_version,
|
|
auth_options: { username: username, password: password },
|
|
ssl_options: kubeclient_ssl_options,
|
|
http_proxy_uri: ENV['http_proxy']
|
|
)
|
|
end
|
|
|
|
def join_api_url(api_path)
|
|
url = URI.parse(api_url)
|
|
prefix = url.path.sub(%r{/+\z}, '')
|
|
|
|
url.path = [prefix, api_path].join("/")
|
|
|
|
url.to_s
|
|
end
|
|
|
|
def kubeclient_ssl_options
|
|
opts = { verify_ssl: OpenSSL::SSL::VERIFY_PEER }
|
|
|
|
if ca_pem.present?
|
|
opts[:cert_store] = OpenSSL::X509::Store.new
|
|
opts[:cert_store].add_cert(OpenSSL::X509::Certificate.new(ca_pem))
|
|
end
|
|
|
|
opts
|
|
end
|
|
end
|
|
end
|