|
| 1 | +// |
| 2 | +// DISCLAIMER |
| 3 | +// |
| 4 | +// Copyright 2024 ArangoDB GmbH, Cologne, Germany |
| 5 | +// |
| 6 | +// Licensed under the Apache License, Version 2.0 (the "License"); |
| 7 | +// you may not use this file except in compliance with the License. |
| 8 | +// You may obtain a copy of the License at |
| 9 | +// |
| 10 | +// http://www.apache.org/licenses/LICENSE-2.0 |
| 11 | +// |
| 12 | +// Unless required by applicable law or agreed to in writing, software |
| 13 | +// distributed under the License is distributed on an "AS IS" BASIS, |
| 14 | +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 15 | +// See the License for the specific language governing permissions and |
| 16 | +// limitations under the License. |
| 17 | +// |
| 18 | +// Copyright holder is ArangoDB GmbH, Cologne, Germany |
| 19 | +// |
| 20 | + |
| 21 | +package ml |
| 22 | + |
| 23 | +import ( |
| 24 | + "fmt" |
| 25 | + "strings" |
| 26 | + |
| 27 | + core "k8s.io/api/core/v1" |
| 28 | + |
| 29 | + api "github.com/arangodb/kube-arangodb/pkg/apis/deployment/v1" |
| 30 | + mlApi "github.com/arangodb/kube-arangodb/pkg/apis/ml/v1alpha1" |
| 31 | + sharedApi "github.com/arangodb/kube-arangodb/pkg/apis/shared/v1" |
| 32 | +) |
| 33 | + |
| 34 | +func GetJWTAuthFileTokenPath(prefix string) string { |
| 35 | + base := "/etc/arangodb/jwt" |
| 36 | + if prefix == "" { |
| 37 | + return base |
| 38 | + } |
| 39 | + |
| 40 | + return fmt.Sprintf("%s-%s", base, prefix) |
| 41 | +} |
| 42 | + |
| 43 | +func AddJWTAuthFileToContainers(ext *mlApi.ArangoMLExtension, deployment *api.ArangoDeployment, spec *core.PodTemplateSpec, containers ...*core.Container) { |
| 44 | + authSpec := deployment.GetAcceptedSpec().Authentication |
| 45 | + if !authSpec.IsAuthenticated() { |
| 46 | + return |
| 47 | + } |
| 48 | + |
| 49 | + if ext.GetStatus().ArangoDB == nil { |
| 50 | + // not ready yet, skip for now |
| 51 | + return |
| 52 | + } |
| 53 | + |
| 54 | + mountJWTTokenSecret("", ext.GetStatus().ArangoDB.JWTTokenSecret, spec, containers...) |
| 55 | + mountJWTTokenSecret("METADATA", ext.GetStatus().MetadataService.JWTTokenSecret, spec, containers...) |
| 56 | +} |
| 57 | + |
| 58 | +// mountJWTTokenSecret is assuming that prefix contains only alphanumeric symbols and/or '-' |
| 59 | +func mountJWTTokenSecret(prefix string, secret *sharedApi.Object, spec *core.PodTemplateSpec, containers ...*core.Container) { |
| 60 | + if secret.IsEmpty() { |
| 61 | + return |
| 62 | + } |
| 63 | + |
| 64 | + mountName := "deployment-auth-jwt" |
| 65 | + if prefix != "" { |
| 66 | + mountName = fmt.Sprintf("%s-%s", mountName, strings.ToLower(prefix)) |
| 67 | + } |
| 68 | + spec.Spec.Volumes = append(spec.Spec.Volumes, core.Volume{ |
| 69 | + Name: mountName, |
| 70 | + VolumeSource: core.VolumeSource{ |
| 71 | + Secret: &core.SecretVolumeSource{ |
| 72 | + SecretName: secret.GetName(), |
| 73 | + }, |
| 74 | + }, |
| 75 | + }) |
| 76 | + |
| 77 | + for _, container := range containers { |
| 78 | + container.VolumeMounts = append(container.VolumeMounts, core.VolumeMount{ |
| 79 | + Name: mountName, |
| 80 | + ReadOnly: true, |
| 81 | + MountPath: GetJWTAuthFileTokenPath(prefix), |
| 82 | + }) |
| 83 | + } |
| 84 | +} |
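Review bot: AddJWTAuthFileToContainers guards `ext.GetStatus().ArangoDB` against nil (file line 49) but then reads `ext.GetStatus().MetadataService.JWTTokenSecret` (file line 55) with no equivalent check; if MetadataService is a pointer in the status type (not visible here), an extension whose metadata service is not yet reconciled would panic instead of being skipped like the ArangoDB case. Mirroring the existing guard with `if ext.GetStatus().MetadataService == nil { return }` before the second mountJWTTokenSecret call keeps the same "not ready yet, skip for now" semantics. The prefix assumption stated on file line 58 is only enforced by the two literal callers, yet GetJWTAuthFileTokenPath is exported and splices prefix into a mount path unvalidated, so a doc comment such as `// GetJWTAuthFileTokenPath returns the mount path of the JWT token file for the given prefix; prefix must contain only alphanumerics and '-'.` would make that contract visible to other callers. Neither exported function currently carries a doc comment.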