Pass secret path instead of web_identity_token_file

openshift · Jul 24, 2023 · 52739c6 · 52739c6
1 parent adf11bd
commit 52739c6
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 31 deletions.
diff --git a/velero-plugins/clients/mock/mock.go b/velero-plugins/clients/mock/mock.go
diff --git a/velero-plugins/imagestream/registry.go b/velero-plugins/imagestream/registry.go
@@ -2,8 +2,7 @@ package imagestream
 
 import (
 	"errors"
-	"regexp"
-	"strings"
+	"fmt"
 
 	"github.com/openshift/oadp-operator/pkg/credentials"
 
@@ -61,6 +60,12 @@ const (
 	webIdentityTokenFile = "web_identity_token_file"
 )
 
+// velero constants
+const (
+	// https://github.com/vmware-tanzu/velero/blob/5afe837f76aea4dd59b1bf2792e7802d4966f0a7/pkg/cmd/server/server.go#L110
+	defaultCredentialsDirectory = "/tmp/credentials"
+)
+
 // TODO: remove this map and just define them in each function
 // creating skeleton for provider based env var map
 var cloudProviderEnvVarMap = map[string][]corev1.EnvVar{
@@ -181,27 +186,9 @@ func getAWSRegistryEnvVars(bsl *velerov1.BackupStorageLocation) ([]corev1.EnvVar
 	}
 	// if credential is sts, then add sts specific env vars
 	if bsl.Spec.Config[enableSharedConfig] == "true" {
-		secretData, err := getSecretKeyRefData(bsl.Spec.Credential, bsl.Namespace)
-		if err != nil {
-			return nil, errors.Join(err, errors.New("error getting secret data from bsl for sts cred"))
-		}
-		// get web_identity_token_file from secret data
-		splitString := strings.Split(string(secretData), "\n")
-		RegExWebIdentity, err := regexp.Compile(webIdentityTokenFile)
-		if err != nil {
-			return nil, errors.Join(err, errors.New("error compiling regex for web_identity_token_file"))
-		}
-		tokenFilePath := "/init"
-		for _, line := range splitString {
-			if lineIsTokenFile := RegExWebIdentity.MatchString(line); lineIsTokenFile {
-				// split line by "="
-				tokenFilePath = strings.TrimSpace(strings.Split(line, "=")[1])
-				break
-			}
-		}
 		awsEnvs = append(awsEnvs, corev1.EnvVar{
 			Name:  RegistryStorageS3CredentialsConfigPathEnvVarKey,
-			Value: tokenFilePath,
+			Value: getBslSecretPath(bsl),
 		})
 	} else {
 		awsEnvs = append(awsEnvs,
@@ -227,6 +214,15 @@ func getAWSRegistryEnvVars(bsl *velerov1.BackupStorageLocation) ([]corev1.EnvVar
 	return awsEnvs, nil
 }
 
+// return path to cloud credentials secret file as defined by 
+// https://github.com/vmware-tanzu/velero/blob/5afe837f76aea4dd59b1bf2792e7802d4966f0a7/pkg/cmd/server/server.go#L334
+// https://github.com/vmware-tanzu/velero/blob/5afe837f76aea4dd59b1bf2792e7802d4966f0a7/internal/credentials/file_store.go#L50
+// https://github.com/vmware-tanzu/velero/blob/5afe837f76aea4dd59b1bf2792e7802d4966f0a7/internal/credentials/file_store.go#L72
+// This file is written by velero server on startup
+func getBslSecretPath(bsl *velerov1.BackupStorageLocation) string {
+	return fmt.Sprintf("%s/%s/%s-%s", defaultCredentialsDirectory, bsl.Namespace, bsl.Spec.Credential.LocalObjectReference.Name, bsl.Spec.Credential.Key)
+}
+
 func getAzureRegistryEnvVars(bsl *velerov1.BackupStorageLocation, azureEnvVars []corev1.EnvVar) ([]corev1.EnvVar, error) {
 
 	for i := range azureEnvVars {

diff --git a/velero-plugins/imagestream/registry_test.go b/velero-plugins/imagestream/registry_test.go
@@ -24,7 +24,6 @@ const (
 	testBslAccessKey            = "bslAccessKey"
 	testBslSecretAccessKey      = "bslSecretAccessKey"
 	testBslRoleArn              = "bslRoleArn"
-	testBslWebIdentityTokenFile = "/var/run/secrets/openshift/serviceaccount/token"
 	testSubscriptionID          = "someSubscriptionID"
 	testTenantID                = "someTenantID"
 	testClientID                = "someClientID"
@@ -116,7 +115,7 @@ var (
 	}
 	awsStsRegistrySecretData = map[string][]byte{
 		"cloud": []byte(`role_arn=testBslRoleArn
-web_identity_token_file=`+testBslWebIdentityTokenFile+`
+web_identity_token_file=/var/run/secrets/some/path
 `),
 	}
 	azureRegistrySecretData = map[string][]byte{
@@ -245,7 +244,7 @@ func Test_getAWSRegistryEnvVars(t *testing.T) {
 					Name: RegistryStorageS3SkipverifyEnvVarKey,
 				},
 				{
-					Name: RegistryStorageS3CredentialsConfigPathEnvVarKey, Value: testBslWebIdentityTokenFile,
+					Name: RegistryStorageS3CredentialsConfigPathEnvVarKey, Value: "/tmp/credentials/test-ns/cloud-credentials-sts-cloud",
 				},
 			},