github.com/openshift/installer@v1.4.17/pkg/asset/agent/manifests/agentpullsecret.go

package manifests

import (
	"context"
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"

	"github.com/pkg/errors"
	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/util/validation/field"
	"sigs.k8s.io/yaml"

	"github.com/openshift/installer/pkg/asset"
	"github.com/openshift/installer/pkg/asset/agent"
	"github.com/openshift/installer/pkg/asset/agent/joiner"
	"github.com/openshift/installer/pkg/asset/agent/workflow"
	"github.com/openshift/installer/pkg/validate"
)

const (
	pullSecretKey       = ".dockerconfigjson" //nolint:gosec // not a secret despite the word
	agentPullSecretName = "pull-secret"
)

var agentPullSecretFilename = filepath.Join(clusterManifestDir, fmt.Sprintf("%s.yaml", agentPullSecretName))

// AgentPullSecret generates the pull-secret file used by the agent installer.
type AgentPullSecret struct {
	File   *asset.File
	Config *corev1.Secret
}

var _ asset.WritableAsset = (*AgentPullSecret)(nil)

// Name returns a human friendly name for the asset.
func (*AgentPullSecret) Name() string {
	return "Agent PullSecret"
}

// Dependencies returns all of the dependencies directly needed to generate
// the asset.
func (*AgentPullSecret) Dependencies() []asset.Asset {
	return []asset.Asset{
		&workflow.AgentWorkflow{},
		&joiner.ClusterInfo{},
		&agent.OptionalInstallConfig{},
	}
}

// Generate generates the AgentPullSecret manifest.
func (a *AgentPullSecret) Generate(_ context.Context, dependencies asset.Parents) error {
	agentWorkflow := &workflow.AgentWorkflow{}
	installConfig := &agent.OptionalInstallConfig{}
	clusterInfo := &joiner.ClusterInfo{}
	dependencies.Get(agentWorkflow, installConfig, clusterInfo)

	switch agentWorkflow.Workflow {
	case workflow.AgentWorkflowTypeInstall:
		if installConfig.Config != nil {
			a.generateSecret(installConfig.ClusterName(), installConfig.ClusterNamespace(), installConfig.Config.PullSecret)
		}

	case workflow.AgentWorkflowTypeAddNodes:
		a.generateSecret(clusterInfo.ClusterName, clusterInfo.Namespace, clusterInfo.PullSecret)

	default:
		return fmt.Errorf("AgentWorkflowType value not supported: %s", agentWorkflow.Workflow)
	}

	return a.finish()
}

func (a *AgentPullSecret) generateSecret(name, namespace, pullSecret string) {
	secret := &corev1.Secret{
		TypeMeta: metav1.TypeMeta{
			APIVersion: "v1",
			Kind:       "Secret",
		},
		ObjectMeta: metav1.ObjectMeta{
			Name:      getPullSecretName(name),
			Namespace: namespace,
		},
		StringData: map[string]string{
			pullSecretKey: pullSecret,
		},
	}
	a.Config = secret
}

// Files returns the files generated by the asset.
func (a *AgentPullSecret) Files() []*asset.File {
	if a.File != nil {
		return []*asset.File{a.File}
	}
	return []*asset.File{}
}

// Load returns the asset from disk.
func (a *AgentPullSecret) Load(f asset.FileFetcher) (bool, error) {
	file, err := f.FetchByName(agentPullSecretFilename)
	if err != nil {
		if os.IsNotExist(err) {
			return false, nil
		}
		return false, errors.Wrap(err, fmt.Sprintf("failed to load %s file", agentPullSecretFilename))
	}

	config := &corev1.Secret{}
	if err := yaml.UnmarshalStrict(file.Data, config); err != nil {
		return false, errors.Wrapf(err, "failed to unmarshal %s", agentPullSecretFilename)
	}

	a.Config = config
	if err = a.finish(); err != nil {
		return false, err
	}

	return true, nil
}

func (a *AgentPullSecret) finish() error {
	if a.Config == nil {
		return errors.New("missing configuration or manifest file")
	}

	if err := a.validatePullSecret().ToAggregate(); err != nil {
		return errors.Wrapf(err, "invalid PullSecret configuration")
	}

	// Normalise the JSON formatting so that we can redact the file reliably
	normal, err := normalizeDockerConfig(a.Config.StringData[pullSecretKey])
	if err != nil {
		return err
	}
	a.Config.StringData[pullSecretKey] = normal

	secretData, err := yaml.Marshal(a.Config)
	if err != nil {
		return errors.Wrap(err, "failed to marshal agent secret")
	}
	a.File = &asset.File{
		Filename: agentPullSecretFilename,
		Data:     secretData,
	}
	return nil
}

func normalizeDockerConfig(stringData string) (string, error) {
	var data map[string]interface{}
	if err := json.Unmarshal([]byte(stringData), &data); err != nil {
		return stringData, err
	}
	normal, err := json.MarshalIndent(data, "", "  ")
	if err == nil {
		stringData = string(normal)
	}
	return stringData, err
}

func (a *AgentPullSecret) validatePullSecret() field.ErrorList {
	if err := a.validateSecretIsNotEmpty(); err != nil {
		return err
	}

	fieldPath := field.NewPath("StringData")
	dockerConfig := a.Config.StringData[pullSecretKey]
	if err := validate.ImagePullSecret(dockerConfig); err != nil {
		return field.ErrorList{field.Invalid(fieldPath, dockerConfig, err.Error())}
	}

	return field.ErrorList{}
}

func (a *AgentPullSecret) validateSecretIsNotEmpty() field.ErrorList {
	var allErrs field.ErrorList

	fieldPath := field.NewPath("StringData")

	if len(a.Config.StringData) == 0 {
		allErrs = append(allErrs, field.Required(fieldPath, "the pull secret is empty"))
		return allErrs
	}

	pullSecret, ok := a.Config.StringData[pullSecretKey]
	if !ok {
		allErrs = append(allErrs, field.Required(fieldPath, "the pull secret key '.dockerconfigjson' is not defined"))
		return allErrs
	}

	if pullSecret == "" {
		allErrs = append(allErrs, field.Required(fieldPath, "the pull secret does not contain any data"))
		return allErrs
	}

	return allErrs
}

// GetPullSecretData returns the content of the pull secret.
func (a *AgentPullSecret) GetPullSecretData() string {
	return a.Config.StringData[".dockerconfigjson"]
}