Switch to service account after logging into OpenShift Sandbox

datho7561 · datho7561 · commit a1b219d7b8f5 · 2024-01-25T15:34:03.000-05:00
The service account will remain authenticated for longer than 15 minutes. To try this out: 1. Log into an OpenShift Sandbox cluster using the Login workflow 2. Run `oc whoami`. You should see a reference to `pipeline`, which is the serviceaccount that's being used 3. The Application Explorer should display you as logged in and work as expected Closes redhat-developer#3838 Signed-off-by: David Thompson <davthomp@redhat.com>
diff --git a/src/openshift/cluster.ts b/src/openshift/cluster.ts
@@ -4,6 +4,11 @@
  *-----------------------------------------------------------------------------------------------*/
 
 import { KubernetesObject } from '@kubernetes/client-node';
+import { Cluster as KcuCluster, Context as KcuContext } from '@kubernetes/client-node/dist/config_types';
+import * as fs from 'fs/promises';
+import * as YAML from 'js-yaml';
+import { homedir } from 'os';
+import * as path from 'path';
 import { ExtensionContext, QuickInputButtons, QuickPickItem, QuickPickItemButtonEvent, ThemeIcon, Uri, commands, env, window, workspace } from 'vscode';
 import { CommandText } from '../base/command';
 import { CliChannel } from '../cli';
@@ -23,7 +28,6 @@ import { VsCommandError, vsCommand } from '../vscommand';
 import { OpenShiftTerminalManager } from '../webview/openshift-terminal/openShiftTerminal';
 import OpenShiftItem, { clusterRequired } from './openshiftItem';
 import fetch = require('make-fetch-happen');
-import { Cluster as KcuCluster, Context as KcuContext } from '@kubernetes/client-node/dist/config_types';
 
 export interface QuickPickItemExt extends QuickPickItem {
     name: string,
@@ -837,20 +841,22 @@ export class Cluster extends OpenShiftItem {
         } else {
             ocToken = userToken;
         }
-        return Progress.execFunctionWithProgress(`Login to the cluster: ${clusterURL}`, () =>
-            Oc.Instance.loginWithToken(clusterURL, ocToken)
-                .then(() => Cluster.loginMessage(clusterURL))
-                .catch((error) =>
-                    Promise.reject(
-                        new VsCommandError(
-                            `Failed to login to cluster '${clusterURL}' with '${Filters.filterToken(
-                                error.message,
-                            )}'!`,
-                            'Failed to login to cluster',
-                        ),
-                    ),
-                ),
-        );
+        return Progress.execFunctionWithProgress(`Login to the cluster: ${clusterURL}`, async () => {
+            try {
+                await Oc.Instance.loginWithToken(clusterURL, ocToken);
+                if (Cluster.isOpenShiftSandbox(clusterURL)) {
+                    await Cluster.installPipelineUserContext();
+                }
+                return Cluster.loginMessage(clusterURL);
+            } catch (error) {
+                throw new VsCommandError(
+                    `Failed to login to cluster '${clusterURL}' with '${Filters.filterToken(
+                        error.message,
+                    )}'!`,
+                    'Failed to login to cluster',
+                );
+            }
+        });
     }
 
     static validateLoginToken(token: string): boolean {
@@ -877,6 +883,53 @@ export class Cluster extends OpenShiftItem {
         return Cluster.tokenLogin(apiEndpointUrl, true, clipboard);
     }
 
+    static async installPipelineUserContext(): Promise<void> {
+        const SANDBOX_PIPELINE_USER_CTX = 'sandbox-pipeline-user';
+        const SANDBOX_PIPELINE_USERNAME = 'pipeline';
+        const kcu = new KubeConfigUtils();
+        const kcPath = path.join(homedir(), '.kube', 'config');
+        const kcActual = YAML.load((await fs.readFile(kcPath)).toString('utf-8')) as {
+            users: { name: string, user: { token: string } }[];
+            contexts: object[];
+            'current-context': string;
+            clusters: object[];
+        };
+
+        const secrets = await Oc.Instance.getKubernetesObjects('Secret')
+        const pipelineTokenSecret = secrets.find((secret) => secret.metadata.name.startsWith('pipeline-token')) as any;
+        const pipelineToken = Buffer.from(pipelineTokenSecret.data.token, 'base64').toString()
+
+        if (!kcu.contexts.find(ctx => ctx.name === SANDBOX_PIPELINE_USER_CTX)) {
+            const currentCtx = kcu.getCurrentContext();
+            const currentCtxObj = kcu.contexts.find(ctx => ctx.name === currentCtx);
+
+            const newContextEntry = {
+                context: {
+                    user: SANDBOX_PIPELINE_USERNAME,
+                    cluster: currentCtxObj.cluster,
+                    namespace: currentCtxObj.namespace
+                },
+                name: SANDBOX_PIPELINE_USER_CTX,
+            };
+
+            const newUserEntry = {
+                user: {
+                    token: pipelineToken
+                },
+                name: SANDBOX_PIPELINE_USERNAME,
+            };
+
+            kcActual.users.push(newUserEntry);
+            kcActual.contexts.push(newContextEntry);
+        } else {
+            const pipelineUser = kcActual.users.find(user => user.name === SANDBOX_PIPELINE_USERNAME);
+            pipelineUser.user.token = pipelineToken;
+        }
+
+        kcActual['current-context'] = SANDBOX_PIPELINE_USER_CTX;
+        await fs.writeFile(kcPath, YAML.dump(kcActual));
+    }
+
     static async loginUsingClipboardInfo(dashboardUrl: string): Promise<string | null> {
         const clipboard = await Cluster.readFromClipboard();
         if (!NameValidator.ocLoginCommandMatches(clipboard)) {
@@ -898,4 +951,9 @@ export class Cluster extends OpenShiftItem {
         await commands.executeCommand('setContext', 'isLoggedIn', true);
         return `Successfully logged in to '${clusterURL}'`;
     }
+
+    static isOpenShiftSandbox(url :string): boolean {
+        const asUrl = new URL(url);
+        return asUrl.hostname.endsWith('openshiftapps.com');
+    }
 }
