More OTP work
stuartwdouglas committed Oct 30, 2023
1 parent 272b2ec commit dbb1840
Showing 7 changed files with 73 additions and 32 deletions.
12 changes: 6 additions & 6 deletions cmd/otp/main.go
Expand Up @@ -11,6 +11,7 @@ import (
"log"
"net/http"
"sigs.k8s.io/controller-runtime/pkg/log/zap"
"time"
)

var (
Expand All @@ -22,9 +23,6 @@ const (
KeyFilePath = "/tls/tls.key"
)

func httpRequestHandler(w http.ResponseWriter, req *http.Request) {
w.Write([]byte("Hello,World!\n"))
}
func main() {

klog.InitFlags(flag.CommandLine)
Expand All @@ -51,12 +49,14 @@ func main() {

tlsConfig := &tls.Config{
Certificates: []tls.Certificate{serverTLSCert},
MinVersion: tls.VersionTLS12,
}
logger.Info("starting HTTP server")
server := http.Server{
Addr: ":8443",
Handler: mux,
TLSConfig: tlsConfig,
Addr: ":8443",
Handler: mux,
TLSConfig: tlsConfig,
ReadHeaderTimeout: time.Second * 3,
}
defer server.Close()
log.Fatal(server.ListenAndServeTLS("", ""))
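Review bot: The `ReadHeaderTimeout` added at the end of the hunk bounds only the header read; the storekey handler in cmd/otp/otp.go reads the whole body with `io.ReadAll`, so a client that trickles the body after its headers holds a connection open indefinitely. Set `ReadTimeout` and `IdleTimeout` on the http.Server as well, for example `ReadTimeout: time.Second * 10, IdleTimeout: time.Second * 60,` (example values, tune to the expected key upload). Separately, `defer server.Close()` never runs because `log.Fatal` on the following line exits the process; either drop the defer or return the `ListenAndServeTLS` error to a path that does not call `log.Fatal`. main's body continues outside the hunk.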
12 changes: 8 additions & 4 deletions cmd/otp/otp.go
Expand Up @@ -21,23 +21,25 @@ type storekey struct {
func (s *storekey) ServeHTTP(writer http.ResponseWriter, request *http.Request) {
body, err := io.ReadAll(request.Body)
if err != nil {
s.logger.Error(err, "failed to read request body")
s.logger.Error(err, "failed to read request body", "address", request.RemoteAddr)
writer.WriteHeader(500)
return
}
mutex.Lock()
defer mutex.Unlock()
otp, err := GenerateRandomString(20)
if err != nil {
s.logger.Error(err, "failed to generate OTP password")
s.logger.Error(err, "failed to generate OTP password", "address", request.RemoteAddr)
writer.WriteHeader(500)
return
}
globalMap[otp] = body
_, err = writer.Write([]byte(otp))
if err != nil {
s.logger.Error(err, "failed to write http response")
s.logger.Error(err, "failed to write http response", "address", request.RemoteAddr)
writer.WriteHeader(500)
} else {
s.logger.Info("stored SSH key in OTP map", "address", request.RemoteAddr)
}
}

Expand Down Expand Up @@ -73,8 +75,10 @@ func (s *otp) ServeHTTP(writer http.ResponseWriter, request *http.Request) {
} else {
_, err := writer.Write(res)
if err != nil {
s.logger.Error(err, "failed to write http response")
s.logger.Error(err, "failed to write http response", "address", request.RemoteAddr)
writer.WriteHeader(500)
} else {
s.logger.Info("served one time password", "address", request.RemoteAddr)
}
}
}
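Review bot: The body read at the top of the storekey hunk is unbounded — `io.ReadAll(request.Body)` accepts a body of any size, and every successful request adds an entry to globalMap that nothing in this hunk removes, so a caller on the cluster network (the hunk shows no authentication on this endpoint) can make the process consume memory without limit. Wrap the body as `body, err := io.ReadAll(http.MaxBytesReader(writer, request.Body, 1<<16))` (the limit is an example; an SSH private key is a few KiB), and if the otp handler does not delete the entry on use — its hunk starts mid-function so that cannot be confirmed here — give globalMap entries an expiry or a cap. The `writer.WriteHeader(500)` after a failed `writer.Write` in both hunks has no effect because Write has already committed a 200 status; the added log lines are the useful part of those branches.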
8 changes: 6 additions & 2 deletions cmd/taskgen/main.go
Expand Up @@ -95,13 +95,17 @@ func convertToSsh(task *pipelinev1beta1.Task) {
podmanArgs := ""

ret := `set -o verbose
mkdir -p ~/.ssh
if [ -e "/ssh/error" ]; then
#no server could be provisioned
cat /ssh/error
exit 1
elif [ -e "/ssh/otp" ]; then
curl --cacert /ssh/otp-ca -XPOST -d @/ssh/otp $(cat /ssh/otp-server) >~/.ssh/id_rsa
else
cp /ssh/id_rsa ~/.ssh
fi
mkdir -p ~/.ssh
cp /ssh/id_rsa ~/.ssh
cat ~/.ssh/id_rsa
chmod 0400 ~/.ssh/id_rsa
export SSH_HOST=$(cat /ssh/host)
export BUILD_DIR=$(cat /ssh/user-dir)
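Review bot: The curl in the new `elif` branch has no `--fail`, so an error response from the OTP server (for instance a 500 from the handler, or any reply for an already-consumed OTP) is written into `~/.ssh/id_rsa` as if it were the key, and since the script does not `set -e` it continues into the ssh steps with that content. Use `curl --fail --silent --show-error --cacert /ssh/otp-ca -XPOST -d @/ssh/otp "$(cat /ssh/otp-server)" >~/.ssh/id_rsa || exit 1` so the fetch failure surfaces immediately, and quote the `$(cat /ssh/otp-server)` expansion as shown. The `cat ~/.ssh/id_rsa` after the `fi` still prints the private key into the task log, which undoes the point of retrieving it through a one-time password; it should be removed once debugging is finished. convertToSsh's body continues outside the hunk.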
63 changes: 48 additions & 15 deletions deploy/operator/provision-shared-host.yaml
Expand Up @@ -23,6 +23,9 @@ spec:
- name: provision
image: quay.io/redhat-user-workloads/rhtap-build-tenant/multi-arch-controller/hacktask-image-multi-platform-controller:build-dfd73-1698382902@sha256:d733531a07ede2e73500c500a33cdaf78332db146ffdc23d3c1a71b253a734b6
imagePullPolicy: Always
volumeMounts:
- mountPath: /tls
name: tls
script: |
#!/bin/bash
cd /tmp
Expand Down Expand Up @@ -51,22 +54,52 @@ spec:
ssh -i /tmp/master_key -o StrictHostKeyChecking=no $SSH_HOST rm $USERNAME
chmod 0400 id_rsa
ssh -i id_rsa -o StrictHostKeyChecking=no $USERNAME@$(params.HOST) echo "test"
KEY=$(cat id_rsa | base64 -w 0)
KEY=$(cat id_rsa)
echo $KEY
HOST=$(echo $USERNAME@$(params.HOST) | base64 -w 0)
DIR=$(echo /home/$USERNAME | base64 -w 0)
cat >secret.yaml <<EOF
apiVersion: v1
data:
id_rsa: "$KEY"
host: "$HOST"
user-dir: "$DIR"
kind: Secret
metadata:
name: $(params.SECRET_NAME)
namespace: $(params.NAMESPACE)
labels:
build.appstudio.redhat.com/multi-platform-secret: "true"
type: Opaque
if [ -e "/tls/tls.crt" ]; then
OTP=$(curl --cacert /tls/tls.crt -XPOST -d "$KEY" https://multi-platform-otp-server.multi-platform-controller.svc.cluster.local/store-key | base64 -w 0)
OTP_SERVER="$(echo https://multi-platform-otp-server.multi-platform-controller.svc.cluster.local/otp | base64 -w 0)"
echo $OTP | base64 -d
cat >secret.yaml <<EOF
apiVersion: v1
data:
otp-ca: "$(cat /tls/tls.crt | base64 -w 0)"
otp: "$OTP"
otp-server: "$OTP_SERVER"
host: "$HOST"
user-dir: "$DIR"
kind: Secret
metadata:
name: $(params.SECRET_NAME)
namespace: $(params.NAMESPACE)
labels:
build.appstudio.redhat.com/multi-platform-secret: "true"
type: Opaque
EOF
else
cat >secret.yaml <<EOF
apiVersion: v1
data:
id_rsa: "$(echo $KEY | base64 -w 0)"
host: "$HOST"
user-dir: "$DIR"
kind: Secret
metadata:
name: $(params.SECRET_NAME)
namespace: $(params.NAMESPACE)
labels:
build.appstudio.redhat.com/multi-platform-secret: "true"
type: Opaque
EOF
fi
kubectl create -f secret.yaml
volumes:
- name: tls
secret:
optional: true
secretName: otp-tls-secrets
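Review bot: In the `else` branch of the second hunk, `id_rsa: "$(echo $KEY | base64 -w 0)"` expands `$KEY` unquoted, so word splitting collapses the key's newlines into single spaces before base64 encoding and the fallback secret no longer holds a valid key file; the replaced `KEY=$(cat id_rsa | base64 -w 0)` did not have this problem. Encode the file directly, `id_rsa: "$(base64 -w 0 id_rsa)"`, or quote the expansion as `"$(echo "$KEY" | base64 -w 0)"`. Also, `echo $KEY` and `echo $OTP | base64 -d` write the private key and the one-time password into the TaskRun log, and the OTP can be redeemed for the key from anywhere that reaches the in-cluster service, so both echo lines should be dropped. The step's script starts outside the hunk.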
4 changes: 2 additions & 2 deletions hack/example/pipeline-multiarch.yaml
Expand Up @@ -8,7 +8,7 @@ metadata:
build.appstudio.redhat.com/commit_sha: 1879fa9159b28f63265dad2cd618c3d0ffd03e79
build.appstudio.redhat.com/pipeline_name: docker-build
build.appstudio.redhat.com/target_branch: main
generateName: devfile-sample-
generateName: pipeline-multiarch-
labels:
appstudio.openshift.io/application: my-app
appstudio.openshift.io/component: devfile-sample
Expand Down Expand Up @@ -438,7 +438,7 @@ spec:
- build-container-s390x
taskRef:
kind: Task
name: buildah-multiarch
name: build-image-manifest
when:
- input: $(tasks.init.results.build)
operator: in
2 changes: 1 addition & 1 deletion hack/example/pipeline.yaml
Expand Up @@ -8,7 +8,7 @@ metadata:
build.appstudio.redhat.com/commit_sha: 1879fa9159b28f63265dad2cd618c3d0ffd03e79
build.appstudio.redhat.com/pipeline_name: docker-build
build.appstudio.redhat.com/target_branch: main
generateName: devfile-sample-
generateName: pipeline-
labels:
appstudio.openshift.io/application: my-app
appstudio.openshift.io/component: devfile-sample
4 changes: 2 additions & 2 deletions hack/example/provision-run.yaml
Expand Up @@ -14,9 +14,9 @@ spec:
- name: NAMESPACE
value: test-jvm-namespace
- name: HOST
value: ec2-34-227-115-211.compute-1.amazonaws.com
value: 150.240.147.198
- name: USER
value: ec2-user
value: root
workspaces:
- name: ssh
secret:

