Merge pull request #123 from rundeck-plugins/Bugfix/RUN-543-k8s-plugi…

…n-resource-model-shows-token-in-plaintext Bugfix RUN-543 Resource Model plugin Shows API Token in Plaintext
rundeck-plugins · Jan 25, 2022 · 8f0ed44 · 8f0ed44
2 parents 88ca604 + 634b4c4
commit 8f0ed44
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 32 deletions.
diff --git a/.gitignore b/.gitignore
@@ -21,4 +21,5 @@ gradle-app.setting
 # # Work around https://youtrack.jetbrains.com/issue/IDEA-116898
 # gradle/wrapper/gradle-wrapper.properties
 
-# End of https://www.gitignore.io/api/java,gradle
+# End of https://www.gitignore.io/api/java,gradle
+
diff --git a/contents/common.py b/contents/common.py
@@ -40,29 +40,13 @@ def connect():
     elif os.environ.get('RD_NODE_KUBERNETES_CONFIG_FILE'):
         config_file = os.environ.get('RD_NODE_KUBERNETES_CONFIG_FILE')
 
-    url = None
-    if os.environ.get('RD_CONFIG_URL'):
-        url = os.environ.get('RD_CONFIG_URL')
-    elif os.environ.get('RD_NODE_KUBERNETES_CLUSTER_URL'):
-        url = os.environ.get('RD_NODE_KUBERNETES_CLUSTER_URL')
-
-    verify_ssl = None
-    if os.environ.get('RD_CONFIG_VERIFY_SSL'):
-        verify_ssl = os.environ.get('RD_CONFIG_VERIFY_SSL')
-    elif os.environ.get('RD_NODE_KUBERNETES_VERIFY_SSL'):
-        verify_ssl = os.environ.get('RD_NODE_KUBERNETES_VERIFY_SSL')
-
-    ssl_ca_cert = None
-    if os.environ.get('RD_CONFIG_SSL_CA_CERT'):
-        ssl_ca_cert = os.environ.get('RD_CONFIG_SSL_CA_CERT')
-    elif os.environ.get('RD_NODE_KUBERNETES_SSL_CA_CERT'):
-        ssl_ca_cert = os.environ.get('RD_NODE_KUBERNETES_SSL_CA_CERT')
-
-    token = None
-    if os.environ.get('RD_CONFIG_TOKEN'):
-        token = os.environ.get('RD_CONFIG_TOKEN')
-    elif os.environ.get('RD_NODE_KUBERNETES_API_TOKEN'):
-        token = os.environ.get('RD_NODE_KUBERNETES_API_TOKEN')
+    verify_ssl = os.environ.get('RD_CONFIG_VERIFY_SSL')
+    ssl_ca_cert = os.environ.get('RD_CONFIG_SSL_CA_CERT')
+    url = os.environ.get('RD_CONFIG_URL')
+
+    token = os.environ.get('RD_CONFIG_TOKEN')
+    if not token:
+        token = os.environ.get('RD_CONFIG_TOKEN_STORAGE_PATH')
 
     log.debug("config file")
     log.debug(config_file)
@@ -72,8 +56,7 @@ def connect():
         log.debug("getting settings from file %s", config_file)
         config.load_kube_config(config_file=config_file)
     else:
-
-        if url:
+        if url and token:
             log.debug("getting settings from plugin configuration")
 
             configuration = Configuration()
@@ -93,7 +76,7 @@ def connect():
 
             client.Configuration.set_default(configuration)
         else:
-            log.debug("getting settings from default config file")
+            log.debug("Either URL or Token is not defined. Fall back to getting settings from default config file [$home/.kube/config]")
             config.load_kube_config()
 
 

diff --git a/contents/pods-resource-model.py b/contents/pods-resource-model.py
@@ -5,6 +5,7 @@
 import common
 import json
 import shlex
+import pprint
 
 from kubernetes import client
 
@@ -85,11 +86,9 @@ def nodeCollectData(pod, container, defaults, taglist, mappingList, boEmoticon):
             labels.append(keys + ":" + values)
 
     default_settings = {
+        # kubernetes:config_file attribute are kept to avoid breaking existing k8s jobs depend on this configuration-override hack
+        # This is just a temporary walkaround solultion and should be replaced by a layered configuration-override mechanism.  
         'kubernetes:config_file': os.environ.get('RD_CONFIG_CONFIG_FILE'),
-        'kubernetes:cluster_url': os.environ.get('RD_CONFIG_URL'),
-        'kubernetes:api_token':   os.environ.get('RD_CONFIG_TOKEN'),
-        'kubernetes:verify_ssl':  os.environ.get('RD_CONFIG_VERIFY_SSL'),
-        'kubernetes:ssl_ca_cert': os.environ.get('RD_CONFIG_SSL_CA_CERT'),
         'default:pod_id': pod.status.pod_ip,
         'default:host_id': pod.status.host_ip,
         'default:started_at': startedAt,

diff --git a/plugin.yaml b/plugin.yaml
@@ -79,11 +79,21 @@ providers:
         required: false
         renderingOptions:
           groupName: Authentication
+      - name: token_storage_path
+        type: String
+        title: "Token Storage Path"
+        required: false
+        description: "Select Kubernetes API Token From Storage Path"
+        renderingOptions:
+          groupName: Authentication
+          selectionAccessor: "STORAGE_PATH"
+          valueConversion: "STORAGE_PATH_AUTOMATIC_READ"
+          storage-path-root: "keys"
       - name: token
         type: String
         title: "Token"
         required: false
-        description: "Kubernetes API Token"
+        description: "Kubernetes API Token. Token set here will override the token from the storage path."
         renderingOptions:
           groupName: Authentication
           displayType: PASSWORD