@@ -31,11 +31,9 @@ use kube::{
3131use log:: { info, warn} ;
3232use operator:: {
3333 ControllerError , RvContextData , controller_error_policy, controller_info,
34- create_or_info_if_exists,
34+ create_or_info_if_exists, read_certificate , TLS_DIR
3535} ;
3636
37- use log:: info;
38- use operator:: { RvContextData , TLS_DIR , create_or_info_if_exists, read_certificate} ;
3937use serde:: { Serialize , Serializer } ;
4038use serde_json:: { Value :: String as JsonString , json} ;
4139use std:: collections:: BTreeMap ;
@@ -161,30 +159,53 @@ async fn get_auth_key(client: &Client) -> Result<String> {
161159 . context ( "Auth private key is not valid UTF-8" ) ?;
162160 Ok ( auth_key)
163161}
162+ async fn get_kbs_connection ( client : & Client ) -> Result < ( String , Vec < String > ) > {
163+ let tec = trusted_cluster_operator_lib:: get_trusted_execution_cluster ( client. clone ( ) ) . await ?;
164+ let secret_api: Api < Secret > = Api :: default_namespaced ( client. clone ( ) ) ;
165+
166+ if let Some ( secret_name) = & tec. spec . trustee_secret {
167+ if let Ok ( secret) = secret_api. get ( secret_name) . await {
168+ if let Some ( ca_crt) = secret. data . as_ref ( ) . and_then ( |d| d. get ( "ca.crt" ) ) {
169+ let ca_pem = String :: from_utf8 ( ca_crt. 0 . clone ( ) )
170+ . context ( "CA certificate is not valid UTF-8" ) ?;
171+ return Ok ( (
172+ format ! ( "https://{TRUSTEE_SERVICE}:{TRUSTEE_PORT}" ) ,
173+ vec ! [ ca_pem] ,
174+ ) ) ;
175+ }
176+ }
177+ }
178+
179+ Ok ( (
180+ format ! ( "http://{TRUSTEE_SERVICE}:{TRUSTEE_PORT}" ) ,
181+ vec ! [ ] ,
182+ ) )
183+ }
184+
164185pub async fn send_secret ( client : Client , id : & str ) -> Result < ( ) > {
165186 let secret_api: Api < Secret > = Api :: default_namespaced ( client. clone ( ) ) ;
166187 let auth_key = get_auth_key ( & client) . await ?;
188+ let ( url, certs) = get_kbs_connection ( & client) . await ?;
167189 let secret = secret_api. get ( id) . await ?;
168190 let secret_data = secret. data . context ( "Secret has no data" ) ?;
169191 let resource_bytes = secret_data
170192 . get ( "root" )
171193 . context ( "Secret missing root key" ) ?
172194 . 0
173195 . clone ( ) ;
174- let url = format ! ( "http://{TRUSTEE_SERVICE}:{TRUSTEE_PORT}" ) ;
175196 let path = format ! ( "default/{id}/root" ) ;
176197 info ! ( "Sending secret {id} to KBS API..." ) ;
177- kbs_client:: set_resource ( & url, auth_key, resource_bytes, & path, vec ! [ ] ) . await ?;
198+ kbs_client:: set_resource ( & url, auth_key, resource_bytes, & path, certs ) . await ?;
178199 info ! ( "Secret {id} sent successfully" ) ;
179200 Ok ( ( ) )
180201}
181202
182203pub async fn delete_secret ( client : Client , id : & str ) -> Result < ( ) > {
183204 let auth_key = get_auth_key ( & client) . await ?;
184- let url = format ! ( "http://{TRUSTEE_SERVICE}:{TRUSTEE_PORT}" ) ;
205+ let ( url, certs ) = get_kbs_connection ( & client ) . await ? ;
185206 let path = format ! ( "default/{id}/root" ) ;
186207 info ! ( "Deleting secret {id} to KBS API..." ) ;
187- kbs_client:: delete_resource ( & url, auth_key, & path, vec ! [ ] ) . await ?;
208+ kbs_client:: delete_resource ( & url, auth_key, & path, certs ) . await ?;
188209 info ! ( "Secret {id} deleted successfully" ) ;
189210 Ok ( ( ) )
190211}
@@ -244,7 +265,7 @@ async fn trustee_deployment_reconcile(
244265pub async fn launch_trustee_sync_controller ( client : Client ) {
245266 let deployments: Api < Deployment > = Api :: default_namespaced ( client. clone ( ) ) ;
246267 let watcher_config = watcher:: Config {
247- label_selector : Some ( format ! ( "app={KBS_LABEL_SELECTOR }" ) ) ,
268+ label_selector : Some ( format ! ( "app={TRUSTEE_APP_LABEL }" ) ) ,
248269 ..Default :: default ( )
249270 } ;
250271 tokio:: spawn (
0 commit comments