## # TODO: # Almost components in this class were copied from app/models/project_services/kubernetes_service.rb # We should dry up those classes not to repeat the same code. # Maybe we should have a special facility (e.g. lib/kubernetes_api) to maintain all Kubernetes API caller. module Ci class FetchKubernetesTokenService attr_reader :api_url, :ca_pem, :username, :password def initialize(api_url, ca_pem, username, password) @api_url = api_url @ca_pem = ca_pem @username = username @password = password end def execute read_secrets.each do |secret| name = secret.dig('metadata', 'name') if /default-token/ =~ name token_base64 = secret.dig('data', 'token') return Base64.decode64(token_base64) if token_base64 end end end private def read_secrets kubeclient = build_kubeclient! kubeclient.get_secrets.as_json rescue KubeException => err raise err unless err.error_code == 404 [] end def build_kubeclient!(api_path: 'api', api_version: 'v1') raise "Incomplete settings" unless api_url && username && password ::Kubeclient::Client.new( join_api_url(api_path), api_version, auth_options: { username: username, password: password }, ssl_options: kubeclient_ssl_options, http_proxy_uri: ENV['http_proxy'] ) end def join_api_url(api_path) url = URI.parse(api_url) prefix = url.path.sub(%r{/+\z}, '') url.path = [prefix, api_path].join("/") url.to_s end def kubeclient_ssl_options opts = { verify_ssl: OpenSSL::SSL::VERIFY_PEER } if ca_pem.present? opts[:cert_store] = OpenSSL::X509::Store.new opts[:cert_store].add_cert(OpenSSL::X509::Certificate.new(ca_pem)) end opts end end end