Source file src/k8s.io/cluster-bootstrap/util/secrets/secrets.go


     1  /*
     2  Copyright 2019 The Kubernetes Authors.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8      http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package secrets
    18  
    19  import (
    20  	"regexp"
    21  	"strings"
    22  	"time"
    23  
    24  	v1 "k8s.io/api/core/v1"
    25  	"k8s.io/apimachinery/pkg/util/sets"
    26  	"k8s.io/cluster-bootstrap/token/api"
    27  	legacyutil "k8s.io/cluster-bootstrap/token/util"
    28  	"k8s.io/klog/v2"
    29  )
    30  
// secretNameRe matches the name of a bootstrap token Secret: the fixed
// api.BootstrapTokenSecretPrefix followed by a six-character token ID drawn
// from [a-z0-9]. The ID is captured in submatch 1 and read by ParseName.
var secretNameRe = regexp.MustCompile(
	`^` + regexp.QuoteMeta(api.BootstrapTokenSecretPrefix) + `([a-z0-9]{6})$`,
)
    34  
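// GetData returns the string value stored under key in the given Secret's
// Data map. It returns an empty string when the Secret is nil, has no Data,
// or does not contain key, so callers cannot distinguish "absent" from an
// empty value; every caller in this file treats "" as "not set".
func GetData(secret *v1.Secret, key string) string {
	// A nil Secret is treated like one with no data rather than panicking.
	if secret == nil {
		return ""
	}
	// Indexing a nil map is safe and yields ok == false, so no separate
	// secret.Data == nil check is needed.
	val, ok := secret.Data[key]
	if !ok {
		return ""
	}
	return string(val)
}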
    46  
// HasExpired reports whether the Secret's bootstrap token is expired at
// currentTime. It is a convenience wrapper over GetExpiration that discards
// the remaining duration: a Secret with no expiration key is not expired,
// while one whose expiration timestamp cannot be parsed is.
func HasExpired(secret *v1.Secret, currentTime time.Time) bool {
	_, isExpired := GetExpiration(secret, currentTime)
	return isExpired
}
    53  
// GetExpiration reads the api.BootstrapTokenExpirationKey value from the
// Secret and compares it with currentTime.
//
// It returns (0, false) when the Secret carries no expiration timestamp;
// (0, true) when the timestamp is not valid RFC3339 — an unreadable expiry
// is deliberately treated as expired rather than as never-expiring; and
// (0, true) when the timestamp is at or before currentTime. Otherwise it
// returns the remaining duration and false.
func GetExpiration(secret *v1.Secret, currentTime time.Time) (timeRemaining time.Duration, isExpired bool) {
	raw := GetData(secret, api.BootstrapTokenExpirationKey)
	if raw == "" {
		// No expiration recorded: the token does not expire.
		return 0, false
	}

	expiresAt, err := time.Parse(time.RFC3339, raw)
	if err != nil {
		// Fail closed: a timestamp we cannot read must not keep a token alive.
		klog.V(3).Infof("Unparseable expiration time (%s) in %s/%s Secret: %v. Treating as expired.",
			raw, secret.Namespace, secret.Name, err)
		return 0, true
	}

	remaining := expiresAt.Sub(currentTime)
	if remaining > 0 {
		return remaining, false
	}
	klog.V(3).Infof("Expired bootstrap token in %s/%s Secret: %v",
		secret.Namespace, secret.Name, raw)
	return 0, true
}
    79  
// ParseName extracts the token ID from a bootstrap token Secret name. A valid
// name is api.BootstrapTokenSecretPrefix followed by exactly six characters
// from [a-z0-9]; for any other input ok is false and secretID is empty.
func ParseName(name string) (secretID string, ok bool) {
	match := secretNameRe.FindStringSubmatch(name)
	// FindStringSubmatch yields nil on no match, otherwise the full match
	// plus the single capture group.
	if len(match) < 2 {
		return "", false
	}
	return match[1], true
}
    88  
// GetGroups loads and validates the bootstrapapi.BootstrapTokenExtraGroupsKey
// key from the bootstrap token secret. The result always contains
// api.BootstrapDefaultGroup and is returned deduplicated and sorted. Extra
// groups are comma-separated; if any name fails
// legacyutil.ValidateBootstrapGroupName the whole call fails with that error,
// which is the check that stops a token Secret from naming arbitrary groups.
func GetGroups(secret *v1.Secret) ([]string, error) {
	groups := sets.NewString(api.BootstrapDefaultGroup)

	extra := GetData(secret, api.BootstrapTokenExtraGroupsKey)
	if extra == "" {
		return groups.List(), nil
	}

	// Every extra group must pass validation before any of them is accepted;
	// the partially built set is discarded on the first failure.
	names := strings.Split(extra, ",")
	for _, name := range names {
		if err := legacyutil.ValidateBootstrapGroupName(name); err != nil {
			return nil, err
		}
	}
	groups.Insert(names...)

	return groups.List(), nil
}
   113  
