StatCan · zachomedia · Jun 4, 2020 · May 7, 2020 · May 7, 2020 · May 9, 2020
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,4 @@
 vendor
 kubeflow-controller
 .DS_Store
+/.idea/
diff --git a/controller.go b/controller.go
@@ -22,7 +22,6 @@ import (
 	"reflect"
 	"time"
 
-	vault "github.com/hashicorp/vault/api"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -83,9 +82,7 @@ type Controller struct {
 
 	dockerConfigJSON []byte
 
-	vaultClient        *vault.Client
-	minioInstances     []string
-	kubernetesAuthPath string
+	vaultConfigurer VaultConfigurer
 
 	// workqueue is a rate limited work queue. This is used to queue work to be
 	// processed instead of performing it as soon as a change happens. This
@@ -107,7 +104,7 @@ func NewController(
 	serviceAccountInformer v1informers.ServiceAccountInformer,
 	profileInformer informers.ProfileInformer,
 	dockerConfigJSON []byte,
-	vaultClient *vault.Client, minioInstances []string, kubernetesAuthPath string) *Controller {
+	vaultConfigurer VaultConfigurer) *Controller {
 
 	// Create event broadcaster
 	// Add kubeflow-controller types to the default Kubernetes Scheme so Events can be
@@ -131,9 +128,7 @@ func NewController(
 		profilesLister:       profileInformer.Lister(),
 		profilesSynced:       profileInformer.Informer().HasSynced,
 		dockerConfigJSON:     dockerConfigJSON,
-		vaultClient:          vaultClient,
-		minioInstances:       minioInstances,
-		kubernetesAuthPath:   kubernetesAuthPath,
+		vaultConfigurer:      vaultConfigurer,
 		workqueue:            workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "Profiles"),
 		recorder:             recorder,
 	}
@@ -473,7 +468,8 @@ func (c *Controller) syncHandler(key string) error {
 	}
 
 	// Configure vault
-	err = doVaultConfiguration(c.vaultClient, profile.Name, c.minioInstances, c.kubernetesAuthPath)
+	err = c.vaultConfigurer.ConfigVaultForProfile(profile.Name, profile.Spec.Owner.Name, []string{})
+	//doVaultConfiguration(c.vaultClient, profile.Name, profile.Spec.Owner.Name, c.minioInstances, c.kubernetesAuthPath, c.oidcAuthAccessor)
 
 	// If an error occurs during Update, we'll requeue the item so we can
 	// attempt processing again later. This could have been caused by a

diff --git a/defaults.go b/defaults.go
@@ -2,6 +2,7 @@ package main
 
 import (
 	"fmt"
+	"strings"
 
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -17,6 +18,10 @@ var (
 	PodDefaults = make(map[string]NewPodDefaultFunc)
 )
 
+func cleanName(name string) string {
+	return strings.ReplaceAll(name, "_", "-")
+}
+
 // RegisterPodDefault registers a new PodDefault.
 // NOTE: The object name returned MUST match the registered name.
 func RegisterPodDefault(name string, callback NewPodDefaultFunc) error {

diff --git a/main.go b/main.go
@@ -42,6 +42,7 @@ var (
 	imagePullSecret    string
 	minioInstances     string
 	kubernetesAuthPath string
+	oidcAuthAccessor   string
 )
 
 func main() {
@@ -61,6 +62,10 @@ func main() {
 		kubernetesAuthPath = os.Getenv("KUBERNETES_AUTH_PATH")
 	}
 
+	if len(oidcAuthAccessor) == 0 {
+		oidcAuthAccessor = os.Getenv("OIDC_AUTH_ACCESSOR")
+	}
+
 	// set up signals so we handle the first shutdown signal gracefully
 	stopCh := signals.SetupSignalHandler()
 
@@ -90,13 +95,20 @@ func main() {
 		klog.Fatalf("Error initializing Vault client: %s", err)
 	}
 
-	controller := NewController(kubeClient, kubeflowClient,
+	var vaultConfigurer VaultConfigurer
+	vaultConfigurer = NewVaultConfigurer(vc,
+		kubernetesAuthPath,
+		oidcAuthAccessor,
+		strings.Split(minioInstances, ","))
+
+	controller := NewController(kubeClient,
+		kubeflowClient,
 		kubeflowInformerFactory.Kubeflow().V1alpha1().PodDefaults(),
 		kubeInformerFactory.Core().V1().Secrets(),
 		kubeInformerFactory.Core().V1().ServiceAccounts(),
 		kubeflowInformerFactory.Kubeflow().V1().Profiles(),
 		[]byte(imagePullSecret),
-		vc, strings.Split(minioInstances, ","), kubernetesAuthPath)
+		vaultConfigurer)
 
 	// notice that there is no need to run Start methods in a separate goroutine. (i.e. go kubeInformerFactory.Start(stopCh)
 	// Start method is non-blocking and runs all registered informers in a dedicated goroutine.
@@ -112,6 +124,7 @@ func init() {
 	flag.StringVar(&imagePullSecret, "image-pull-secret", "", "Encoded dockerconfigjson for the image pull secret. Ignored if empty.")
 	flag.StringVar(&minioInstances, "minio-instances", "", "MinIO instances to configure in Vault.")
 	flag.StringVar(&kubernetesAuthPath, "kubernetes-auth-path", "", "Kubernetes auth path the configure in Vault.")
+	flag.StringVar(&oidcAuthAccessor, "oidc-auth-accessor", "", "Mount accessor of the OIDC auth.")
 	flag.StringVar(&kubeconfig, "kubeconfig", "", "Path to a kubeconfig. Only required if out-of-cluster.")
 	flag.StringVar(&masterURL, "master", "", "The address of the Kubernetes API server. Overrides any value in kubeconfig. Only required if out-of-cluster.")
 }
diff --git a/utils.go b/utils.go
@@ -10,3 +10,46 @@ func StringArrayContains(strings []string, str string) bool {
 
 	return false
 }
+
+// Simple (if not efficient) function to determine if
+// two string arrays contain the same data
+func StringArrayEquals(a1, a2 []string) bool {
+	if a1 == nil && a2 == nil {
+		return true
+	}
+
+	if len(a1) != len(a2) {
+		return false
+	}
+
+	for _, s := range a1 {
+		if !StringArrayContains(a2, s) {
+			return false
+		}
+	}
+
+	return true
+}
+
+// returns an array of strings that are missing
+func FindMissingStrings(strings, expectedStrings []string) []string {
+	if strings == nil || len(strings) == 0 {
+		return expectedStrings
+	}
+
+	var missingStrings = make([]string, len(expectedStrings))
+
+	var numStrings = 0
+	for _, s := range expectedStrings {
+		if !StringArrayContains(strings, s) {
+			missingStrings[numStrings] = s
+			numStrings++
+		}
+	}
+
+	if numStrings > 0 {
+		return missingStrings[0:numStrings]
+	} else {
+		return nil
+	}
+}