Extend the key repo with teh configuration logic.

Author: ensonic

src/go/cmd/token-vendor/app/tokenvendor.go

@@ -63,15 +63,8 @@ func (tv *TokenVendor) ReadPublicKey(ctx context.Context, deviceID string) (stri
 
 func (tv *TokenVendor) ConfigurePublicKey(ctx context.Context, deviceID string, opts repository.KeyOptions) error {
 	slog.Debug("Configuring public key", slog.String("DeviceID", deviceID))
-	// Extend repository with ConfigureKey method and use that instead
-	// return tv.repo.ConfigureKey(ctx, deviceID, opts)
-	key, err := tv.repo.LookupKey(ctx, deviceID)
-	if key != nil {
-		// TODO: update config from opts
-		slog.Info("Apply new opts:", "opts", opts)
-		return nil
-	}
-	return err
+	// Shall we sanity check the opts?
+	return tv.repo.ConfigureKey(ctx, deviceID, opts)
 }
 
 var (

src/go/cmd/token-vendor/repository/k8s/k8s.go

@@ -158,6 +158,35 @@ func (k *K8sRepository) PublishKey(ctx context.Context, deviceID, publicKey stri
 	return nil
 }
 
+func (k *K8sRepository) ConfigureKey(ctx context.Context, deviceID string, opts repository.KeyOptions) error {
+	obj, exists, err := k.cmInformer.GetStore().GetByKey(k.ns + "/" + deviceID)
+	if err != nil {
+		return errors.Wrapf(err, "failed to retrieve configmap %q/%q from cache", k.ns, deviceID)
+	}
+	if !exists {
+		return errors.Wrapf(repository.ErrNotFound, "failed to retrieve configmap %q/%q", k.ns, deviceID)
+	}
+	cm, ok := obj.(*corev1.ConfigMap)
+	if !ok {
+		return fmt.Errorf("unexpected object type: %T", obj)
+	}
+	if cm.ObjectMeta.Annotations == nil {
+		cm.ObjectMeta.Annotations = make(map[string]string)
+	}
+	cm.ObjectMeta.Annotations[serviceAccountAnnotation] = opts.ServiceAccount
+	cm.ObjectMeta.Annotations[serviceAccountDelegateAnnotation] = opts.ServiceAccountDelegate
+	// We do not want to override any other keys besides the public key here.
+	// createPubKeyDeviceConfig only creates a minimum configmap so updating is safe here.
+	if _, err := k.kcl.CoreV1().ConfigMaps(k.ns).Update(ctx, cm, metav1.UpdateOptions{}); err != nil {
+		return errors.Wrapf(err, "failed to update configmap %q/%q", k.ns, deviceID)
+	}
+	// Update the informer store so that LookupKey can be used immediately.
+	if err := k.cmInformer.GetStore().Update(cm); err != nil {
+		slog.Warn("failed to update informer store", slog.String("DeviceID", deviceID), ilog.Err(err))
+	}
+	return nil
+}
+
 // createPubKeyDeviceConfig creates a configmap with only the public key in it.
 //
 // This is used also during update of existing devices. Make sure no default values

src/go/cmd/token-vendor/repository/k8s/k8s_test.go

@@ -26,20 +26,21 @@ import (
 
 // Publish a key, retrieve it again and check listing of all keys.
 func TestPublishListLookup(t *testing.T) {
+	ctx := context.Background()
 	cs := fake.NewSimpleClientset()
-	kcl, err := NewK8sRepository(context.TODO(), cs, "default")
+	kcl, err := NewK8sRepository(ctx, cs, "default")
 	if err != nil {
 		t.Fatal(err)
 	}
 	const id = "testdevice"
 	const key = "testkey"
-	if err = kcl.PublishKey(context.TODO(), id, key); err != nil {
+	if err = kcl.PublishKey(ctx, id, key); err != nil {
 		t.Fatal(err)
 	}
-	if _, err = kcl.LookupKey(context.TODO(), id); err != nil {
+	if _, err = kcl.LookupKey(ctx, id); err != nil {
 		t.Fatal(err)
 	}
-	devices, err := kcl.ListAllDeviceIDs(context.TODO())
+	devices, err := kcl.ListAllDeviceIDs(ctx)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -50,20 +51,21 @@ func TestPublishListLookup(t *testing.T) {
 
 // Publish a key and override it with another one.
 func TestPublishKeyUpdate(t *testing.T) {
+	ctx := context.Background()
 	cs := fake.NewSimpleClientset()
-	kcl, err := NewK8sRepository(context.TODO(), cs, "default")
+	kcl, err := NewK8sRepository(ctx, cs, "default")
 	if err != nil {
 		t.Fatal(err)
 	}
 	const id = "testdevice"
 	const key2 = "testkey2"
-	if err = kcl.PublishKey(context.TODO(), id, "testkey"); err != nil {
+	if err = kcl.PublishKey(ctx, id, "testkey"); err != nil {
 		t.Fatal(err)
 	}
-	if err = kcl.PublishKey(context.TODO(), id, key2); err != nil {
+	if err = kcl.PublishKey(ctx, id, key2); err != nil {
 		t.Fatal(err)
 	}
-	k, err := kcl.LookupKey(context.TODO(), id)
+	k, err := kcl.LookupKey(ctx, id)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -72,18 +74,43 @@ func TestPublishKeyUpdate(t *testing.T) {
 	}
 }
 
-// Test if Lookup returns an empty key string in case the configmap is not found.
 func TestLookupDoesNotExist(t *testing.T) {
+	ctx := context.Background()
 	cs := fake.NewSimpleClientset()
-	kcl, err := NewK8sRepository(context.TODO(), cs, "default")
+	kcl, err := NewK8sRepository(ctx, cs, "default")
 	if err != nil {
 		t.Fatal(err)
 	}
-	k, err := kcl.LookupKey(context.TODO(), "testdevice")
+	k, err := kcl.LookupKey(ctx, "testdevice")
 	if !errors.Is(err, repository.ErrNotFound) {
 		t.Fatalf("LookupKey produced wrong error: got %v, want %v", err, repository.ErrNotFound)
 	}
 	if k != nil {
 		t.Fatalf("LookupKey(..) = %q, want nil", k)
 	}
 }
+
+func TestConfigure(t *testing.T) {
+	ctx := context.Background()
+	cs := fake.NewSimpleClientset()
+	kcl, err := NewK8sRepository(ctx, cs, "default")
+	if err != nil {
+		t.Fatal(err)
+	}
+	const id = "testdevice"
+	const key = "testkey"
+	if err = kcl.PublishKey(ctx, id, key); err != nil {
+		t.Fatal(err)
+	}
+	opts := repository.KeyOptions{"svc@example.com", ""}
+	if err := kcl.ConfigureKey(ctx, id, opts); err != nil {
+		t.Fatal(err)
+	}
+	k, err := kcl.LookupKey(ctx, id)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if k.SAName != "svc@example.com" {
+		t.Fatalf("LookupKey: got %q, expected %q", k.SAName, "svc@example.com")
+	}
+}

src/go/cmd/token-vendor/repository/memory/memory.go

@@ -25,10 +25,14 @@ import (
 // Used only for integration tests.
 type MemoryRepository struct {
 	keys map[string]string
+	opts map[string]repository.KeyOptions
 }
 
 func NewMemoryRepository(ctx context.Context) (*MemoryRepository, error) {
-	return &MemoryRepository{keys: map[string]string{}}, nil
+	return &MemoryRepository{
+		keys: map[string]string{},
+		opts: map[string]repository.KeyOptions{},
+	}, nil
 }
 
 func (m *MemoryRepository) PublishKey(ctx context.Context, deviceID, publicKey string) error {
@@ -44,5 +48,14 @@ func (m *MemoryRepository) LookupKey(ctx context.Context, deviceID string) (*rep
 	if !found {
 		return nil, repository.ErrNotFound
 	}
-	return &repository.Key{k, "", ""}, nil
+	opts, found := m.opts[deviceID]
+	if !found {
+		opts = repository.KeyOptions{}
+	}
+	return &repository.Key{k, opts.ServiceAccount, opts.ServiceAccountDelegate}, nil
+}
+
+func (m *MemoryRepository) ConfigureKey(ctx context.Context, deviceID string, opts repository.KeyOptions) error {
+	m.opts[deviceID] = opts
+	return nil
 }

src/go/cmd/token-vendor/repository/memory/memory_test.go

@@ -23,7 +23,7 @@ import (
 )
 
 // Test publish and lookup key
-func TestMemoryBackend(t *testing.T) {
+func TestMemoryPublishAndLookup(t *testing.T) {
 	m, err := NewMemoryRepository(context.TODO())
 	if err != nil {
 		t.Fatal(err)
@@ -63,3 +63,26 @@ func TestMemoryNotFound(t *testing.T) {
 		t.Fatalf("LookupKey: got %q, expected empty response", k)
 	}
 }
+
+// Test publish and lookup key
+func TestMemoryConfigure(t *testing.T) {
+	ctx := context.Background()
+	m, err := NewMemoryRepository(ctx)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := m.PublishKey(ctx, "a", "akey"); err != nil {
+		t.Fatal(err)
+	}
+	opts := repository.KeyOptions{"svc@example.com", ""}
+	if err := m.ConfigureKey(ctx, "a", opts); err != nil {
+		t.Fatal(err)
+	}
+	k, err := m.LookupKey(ctx, "a")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if k.SAName != "svc@example.com" {
+		t.Fatalf("LookupKey: got %q, expected %q", k.SAName, "svc@example.com")
+	}
+}

src/go/cmd/token-vendor/repository/repository.go

@@ -48,4 +48,6 @@ type PubKeyRepository interface {
 	// that the device is blocked.
 	LookupKey(ctx context.Context, deviceID string) (*Key, error)
 	PublishKey(ctx context.Context, deviceID, publicKey string) error
+	// ConfigureKey applies the given opts to the key store.
+	ConfigureKey(ctx context.Context, deviceID string, opts KeyOptions) error
 }