delete secret

Signed-off-by: Dominique Vernier <[email protected]>

Author: itdove

cmd/clusteradm.go

@@ -18,6 +18,7 @@ import (
 	"open-cluster-management.io/clusteradm/pkg/cmd/version"
 
 	acceptclusters "open-cluster-management.io/clusteradm/pkg/cmd/accept"
+	deletecmd "open-cluster-management.io/clusteradm/pkg/cmd/delete"
 	"open-cluster-management.io/clusteradm/pkg/cmd/get"
 	inithub "open-cluster-management.io/clusteradm/pkg/cmd/init"
 	joinhub "open-cluster-management.io/clusteradm/pkg/cmd/join"
@@ -65,6 +66,7 @@ func main() {
 			Message: "Registration commands:",
 			Commands: []*cobra.Command{
 				get.NewCmd(clusteradmFlags, streams),
+				deletecmd.NewCmd(clusteradmFlags, streams),
 				inithub.NewCmd(clusteradmFlags, streams),
 				joinhub.NewCmd(clusteradmFlags, streams),
 				acceptclusters.NewCmd(clusteradmFlags, streams),

pkg/cmd/delete/cmd.go

@@ -0,0 +1,21 @@
+// Copyright Contributors to the Open Cluster Management project
+package get
+
+import (
+	"github.com/spf13/cobra"
+	"k8s.io/cli-runtime/pkg/genericclioptions"
+	"open-cluster-management.io/clusteradm/pkg/cmd/delete/token"
+	genericclioptionsclusteradm "open-cluster-management.io/clusteradm/pkg/genericclioptions"
+)
+
+// NewCmd provides a cobra command wrapping NewCmdImportCluster
+func NewCmd(clusteradmFlags *genericclioptionsclusteradm.ClusteradmFlags, streams genericclioptions.IOStreams) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "delete",
+		Short: "delete a resource",
+	}
+
+	cmd.AddCommand(token.NewCmd(clusteradmFlags, streams))
+
+	return cmd
+}

pkg/cmd/delete/token/cmd.go

@@ -0,0 +1,47 @@
+// Copyright Contributors to the Open Cluster Management project
+package token
+
+import (
+	"fmt"
+
+	"open-cluster-management.io/clusteradm/pkg/helpers"
+
+	"github.com/spf13/cobra"
+	"k8s.io/cli-runtime/pkg/genericclioptions"
+	genericclioptionsclusteradm "open-cluster-management.io/clusteradm/pkg/genericclioptions"
+)
+
+var example = `
+# Get the bootstrap token
+%[1]s get token
+`
+
+// NewCmd ...
+func NewCmd(clusteradmFlags *genericclioptionsclusteradm.ClusteradmFlags, streams genericclioptions.IOStreams) *cobra.Command {
+	o := newOptions(clusteradmFlags, streams)
+
+	cmd := &cobra.Command{
+		Use:          "token",
+		Short:        "get the bootsrap token",
+		Example:      fmt.Sprintf(example, helpers.GetExampleHeader()),
+		SilenceUsage: true,
+		PreRun: func(c *cobra.Command, args []string) {
+			helpers.DryRunMessage(o.ClusteradmFlags.DryRun)
+		},
+		RunE: func(c *cobra.Command, args []string) error {
+			if err := o.complete(c, args); err != nil {
+				return err
+			}
+			if err := o.validate(); err != nil {
+				return err
+			}
+			if err := o.run(); err != nil {
+				return err
+			}
+
+			return nil
+		},
+	}
+
+	return cmd
+}

pkg/cmd/delete/token/exec.go

@@ -0,0 +1,92 @@
+// Copyright Contributors to the Open Cluster Management project
+package token
+
+import (
+	"context"
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"open-cluster-management.io/clusteradm/pkg/config"
+	"open-cluster-management.io/clusteradm/pkg/helpers"
+
+	"github.com/spf13/cobra"
+
+	apiextensionsclient "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
+	"k8s.io/client-go/kubernetes"
+)
+
+func (o *Options) complete(cmd *cobra.Command, args []string) (err error) {
+	return nil
+}
+
+func (o *Options) validate() error {
+	restConfig, err := o.ClusteradmFlags.KubectlFactory.ToRESTConfig()
+	if err != nil {
+		return err
+	}
+
+	apiExtensionsClient, err := apiextensionsclient.NewForConfig(restConfig)
+	if err != nil {
+		return err
+	}
+	installed, err := helpers.IsClusterManagerInstalled(apiExtensionsClient)
+	if err != nil {
+		return err
+	}
+	if !installed {
+		return fmt.Errorf("this is not a hub")
+	}
+	return err
+}
+
+func (o *Options) run() error {
+
+	kubeClient, err := o.ClusteradmFlags.KubectlFactory.KubernetesClientSet()
+	if err != nil {
+		return err
+	}
+
+	if o.ClusteradmFlags.DryRun {
+		return nil
+	}
+
+	return o.deleteToken(kubeClient)
+}
+
+func (o *Options) deleteToken(kubeClient *kubernetes.Clientset) error {
+	//Delete bootstrap token bindings
+	err := kubeClient.RbacV1().ClusterRoleBindings().Delete(context.TODO(), config.BootstrapClusterRoleBindingName, metav1.DeleteOptions{})
+	if err != nil && !errors.IsNotFound(err) {
+		return err
+	}
+	err = kubeClient.RbacV1().ClusterRoleBindings().Delete(context.TODO(), config.BootstrapClusterRoleBindingSAName, metav1.DeleteOptions{})
+	if err != nil && !errors.IsNotFound(err) {
+		return err
+	}
+
+	//Delete Roles
+	err = kubeClient.RbacV1().ClusterRoles().Delete(context.TODO(), config.BootstrapClusterRoleName, metav1.DeleteOptions{})
+	if err != nil && !errors.IsNotFound(err) {
+		return err
+	}
+
+	//Detele bootstrap token secret
+	secret, err := helpers.GetBootstrapSecret(kubeClient)
+	if err != nil && !errors.IsNotFound(err) {
+		return err
+	}
+	err = kubeClient.CoreV1().Secrets(secret.Namespace).Delete(context.TODO(), secret.Name, metav1.DeleteOptions{})
+	if err != nil && !errors.IsNotFound(err) {
+		return err
+	}
+	//Delete service account
+	err = kubeClient.CoreV1().ServiceAccounts(config.OpenClusterManagementNamespace).Delete(context.TODO(), config.BootstrapSAName, metav1.DeleteOptions{})
+	if err != nil && !errors.IsNotFound(err) {
+		return err
+	}
+	//No need to delete the secret containing the token
+	//as it will be automatically deleted because the SA is deleted
+	return nil
+}

pkg/cmd/delete/token/options.go

@@ -0,0 +1,19 @@
+// Copyright Contributors to the Open Cluster Management project
+package token
+
+import (
+	"k8s.io/cli-runtime/pkg/genericclioptions"
+	genericclioptionsclusteradm "open-cluster-management.io/clusteradm/pkg/genericclioptions"
+)
+
+//Options: The structure holding all the command-line options
+type Options struct {
+	//ClusteradmFlags: The generic optiosn from the clusteradm cli-runtime.
+	ClusteradmFlags *genericclioptionsclusteradm.ClusteradmFlags
+}
+
+func newOptions(clusteradmFlags *genericclioptionsclusteradm.ClusteradmFlags, streams genericclioptions.IOStreams) *Options {
+	return &Options{
+		ClusteradmFlags: clusteradmFlags,
+	}
+}

pkg/cmd/init/scenario/init/bootstrap_sa_cluster_role_binding.yaml

@@ -2,7 +2,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: cluster-bootstrap
+  name: cluster-bootstrap-sa
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

pkg/config/env.go

@@ -3,9 +3,12 @@
 package config
 
 const (
-	OpenClusterManagementNamespace = "open-cluster-management"
-	BootstrapSAName                = "cluster-bootstrap"
-	ClusterManagerName             = "cluster-manager"
-	LabelApp                       = "app"
-	BootstrapSecretPrefix          = "bootstrap-token-"
+	OpenClusterManagementNamespace    = "open-cluster-management"
+	BootstrapSAName                   = "cluster-bootstrap"
+	BootstrapClusterRoleBindingName   = "cluster-bootstrap"
+	BootstrapClusterRoleBindingSAName = "cluster-bootstrap-sa"
+	BootstrapClusterRoleName          = "system:open-cluster-management:bootstrap"
+	ClusterManagerName                = "cluster-manager"
+	LabelApp                          = "app"
+	BootstrapSecretPrefix             = "bootstrap-token-"
 )

pkg/helpers/client.go

@@ -115,37 +115,46 @@ func GetToken(kubeClient kubernetes.Interface) (string, TokenType, error) {
 	return token, ServiceAccountToken, nil
 }
 
-//GetBootstrapToken returns the service-account token in kube-system
-func GetBootstrapToken(kubeClient kubernetes.Interface) (string, error) {
+//GetBootstrapSecret returns the secret in kube-system
+func GetBootstrapSecret(kubeClient kubernetes.Interface) (*corev1.Secret, error) {
 	var bootstrapSecret *corev1.Secret
 	l, err := kubeClient.CoreV1().
 		Secrets("kube-system").
 		List(context.TODO(), metav1.ListOptions{LabelSelector: fmt.Sprintf("%v = %v", config.LabelApp, config.ClusterManagerName)})
 	if err != nil {
-		return "", err
+		return nil, err
 	}
 	for _, s := range l.Items {
 		if strings.HasPrefix(s.Name, config.BootstrapSecretPrefix) {
 			bootstrapSecret = &s
 		}
 	}
-	if bootstrapSecret != nil {
-		return fmt.Sprintf("%s.%s", string(bootstrapSecret.Data["token-id"]), string(bootstrapSecret.Data["token-secret"])), nil
+	if bootstrapSecret == nil {
+		return nil, errors.NewNotFound(schema.GroupResource{
+			Group:    corev1.GroupName,
+			Resource: "secrets"},
+			fmt.Sprintf("%s*", config.BootstrapSecretPrefix))
+
 	}
-	return "", errors.NewNotFound(schema.GroupResource{
-		Group:    corev1.GroupName,
-		Resource: "secrets"},
-		fmt.Sprintf("%s*", config.BootstrapSecretPrefix))
+	return bootstrapSecret, err
 }
 
-//GetBootstrapSecretFromSA retrieves the service-account token secret
-func GetBootstrapTokenFromSA(
-	kubeClient kubernetes.Interface) (string, error) {
+//GetBootstrapToken returns the token in kube-system
+func GetBootstrapToken(kubeClient kubernetes.Interface) (string, error) {
+	bootstrapSecret, err := GetBootstrapSecret(kubeClient)
+	if err != nil {
+		return "", err
+	}
+	return fmt.Sprintf("%s.%s", string(bootstrapSecret.Data["token-id"]), string(bootstrapSecret.Data["token-secret"])), nil
+}
+
+func GetBootstrapSecretFromSA(
+	kubeClient kubernetes.Interface) (*corev1.Secret, error) {
 	sa, err := kubeClient.CoreV1().
 		ServiceAccounts(config.OpenClusterManagementNamespace).
 		Get(context.TODO(), config.BootstrapSAName, metav1.GetOptions{})
 	if err != nil {
-		return "", err
+		return nil, err
 	}
 	var secret *corev1.Secret
 	for _, objectRef := range sa.Secrets {
@@ -169,12 +178,22 @@ func GetBootstrapTokenFromSA(
 		}
 	}
 	if secret == nil {
-		return "", fmt.Errorf("secret with prefix %s and type %s not found in service account %s/%s",
+		return nil, fmt.Errorf("secret with prefix %s and type %s not found in service account %s/%s",
 			config.BootstrapSAName,
 			corev1.SecretTypeServiceAccountToken,
 			config.OpenClusterManagementNamespace,
 			config.BootstrapSAName)
 	}
+	return secret, nil
+}
+
+//GetBootstrapSecretFromSA retrieves the service-account token secret
+func GetBootstrapTokenFromSA(
+	kubeClient kubernetes.Interface) (string, error) {
+	secret, err := GetBootstrapSecretFromSA(kubeClient)
+	if err != nil {
+		return "", err
+	}
 	return string(secret.Data["token"]), nil
 }