feat: ensure robot secret has correct name

linode · Nov 6, 2024 · d12a67c · d12a67c
1 parent b6b435e
commit d12a67c
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 2 deletions.
diff --git a/src/k8s.ts b/src/k8s.ts
@@ -48,6 +48,20 @@ export async function createSecret(name: string, namespace: string, data: Record
   console.info(`New secret ${name} has been created in the namespace ${namespace}`)
 }
 
+export async function replaceSecret(name: string, namespace: string, data: Record<string, any>): Promise<void> {
+  const b64enc = (val): string => Buffer.from(`${val}`).toString('base64')
+  const secret: V1Secret = {
+    ...new V1Secret(),
+    metadata: { ...new V1ObjectMeta(), name },
+    data: mapValues(data, b64enc) as {
+      [key: string]: string
+    },
+  }
+
+  await k8s.core().replaceNamespacedSecret(name, namespace, secret)
+  console.info(`Secret ${name} has been patched in the namespace ${namespace}`)
+}
+
 export type SecretPromise = Promise<{
   response: IncomingMessage
   body: V1Secret

diff --git a/src/operator/harbor.ts b/src/operator/harbor.ts
@@ -16,7 +16,7 @@ import {
   // eslint-disable-next-line no-unused-vars
   RobotCreated,
 } from '@linode/harbor-client-node'
-import { createBuildsK8sSecret, createK8sSecret, createSecret, getSecret } from '../k8s'
+import { createBuildsK8sSecret, createK8sSecret, createSecret, getSecret, replaceSecret } from '../k8s'
 import { doApiCall, handleErrors, waitTillAvailable } from '../utils'
 import {
   HARBOR_BASE_URL,
@@ -286,6 +286,14 @@ async function setupHarbor() {
   }
 }
 
+async function ensureSecretHasCorrectName(robotSecret: RobotSecret) {
+  const preferredRobotName = `${robotPrefix}${systemRobot.name}`
+  if (robotSecret.name !== preferredRobotName) {
+    const updatedRobotSecret = { ...robotSecret, name: preferredRobotName }
+    await replaceSecret(systemSecretName, systemNamespace, updatedRobotSecret)
+  }
+}
+
 /**
  * Get token by reading access token from kubernetes secret.
  * If the secret does not exists then create Harbor robot account and populate credentials to kubernetes secret.
@@ -298,6 +306,7 @@ async function getBearerToken(): Promise<HttpBearerAuth> {
     // not existing yet, create robot account and keep creds in secret
     robotSecret = await createSystemRobotSecret()
   } else {
+    await ensureSecretHasCorrectName(robotSecret)
     // test if secret still works
     try {
       bearerAuth.accessToken = robotSecret.secret
@@ -309,7 +318,7 @@ async function getBearerToken(): Promise<HttpBearerAuth> {
       // unauthenticated, so remove and recreate secret
       await k8sApi.deleteNamespacedSecret(systemSecretName, systemNamespace)
       // now, the next call might throw IF:
-      // - authMode oidc was already turned on and an platform admin accidentally removed the secret
+      // - authMode oidc was already turned on and a platform admin accidentally removed the secret
       // but that is very unlikely, an unresolvable problem and needs a manual db fix
       robotSecret = await createSystemRobotSecret()
     }