From 58090a8442e3529b9d67d3dbbddffcb546a9f489 Mon Sep 17 00:00:00 2001
From: Echoz
Date: Tue, 28 May 2024 14:43:30 +0200
Subject: [PATCH] Fix token generator error handling and permissions and improve logging (#29)

* fix: improve error handling and logging for token generator

* fix: grant token generator permissions to patch secrets
---
 scripts/token-generator.py          | 5 ++++-
 templates/token-generator/role.yaml | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/scripts/token-generator.py b/scripts/token-generator.py
index 476d31c..7c80ca9 100644
--- a/scripts/token-generator.py
+++ b/scripts/token-generator.py
@@ -50,7 +50,7 @@ def getSecret(fullname):
     return None
 
 def updateSecret(secret):
-    proc = subprocess.run(
+    subprocess.run(
         [
             "kubectl",
             "apply",
@@ -58,6 +58,7 @@ def updateSecret(secret):
             "-",
         ],
         input=json.dumps(secret).encode(),
+        check=True,
     )
 
 def generateTokenSet(service, globalHashSecret):
@@ -103,6 +104,7 @@ def __main__():
     try:
         globalHashSecret = b64decode(secret["data"].get("globalHashSecret"))
     except:
+        log("No global hash secret found, generating one...")
         globalHashSecret = secrets.token_urlsafe(SECRET_LENGTH)
 
     secret["data"]["globalHashSecret"] = b64encode(globalHashSecret)
@@ -114,6 +116,7 @@ def __main__():
                 b64decode(secret["data"].get(f"{service}AuthTokens")),
                 globalHashSecret
             )
+            log(f"Token for {service} is valid.")
         except:
             log(f"Generating token for {service}...")
             secret["data"].update(generateTokenSet(service, globalHashSecret))
diff --git a/templates/token-generator/role.yaml b/templates/token-generator/role.yaml
index c5354ac..58fed43 100644
--- a/templates/token-generator/role.yaml
+++ b/templates/token-generator/role.yaml
@@ -8,7 +8,7 @@ metadata:
 rules:
 - apiGroups: [""]
   resources: ["secrets"]
-  verbs: ["create"]
+  verbs: ["create", "patch"]
 - apiGroups: [""]
   resources: ["secrets"]
   verbs: ["get"]
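Review bot: The added `check=True` in the second hunk of updateSecret makes a failed `kubectl apply` surface as an uncaught `subprocess.CalledProcessError`, but nothing in the function documents that callers now have to expect it, and the raised error carries only the exit status and argv (the secret body travels on stdin, so it does not end up in the exception text). Add a docstring such as `"""Apply *secret* with kubectl; raises subprocess.CalledProcessError when kubectl exits non-zero."""`, and consider passing `timeout=` as well so an unresponsive API server cannot leave the job hanging. The first hunk drops the unused `proc` binding, which is consistent with the result no longer being inspected; the rest of the kubectl argument list lies between the two hunks and is not visible here.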
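Review bot: The new log line in the first `__main__` hunk reports "No global hash secret found" for every failure caught by the bare `except:` above it, but that handler also fires when a value is present and merely fails to decode (and on `KeyboardInterrupt`/`SystemExit`), in which case a fresh hash secret is generated and every existing service token will be rewritten on the next loop. Narrow the handler and make the message truthful, e.g. `except (TypeError, ValueError) as exc:` followed by `log(f"Global hash secret missing or undecodable ({exc!r}), generating a new one...")`. The same applies to the bare `except:` in the following hunk, where any exception raised by the validation call, not only an invalid token, causes a new token set to be written; logging the caught exception there would make unexpected rotations diagnosable. Both `try` blocks begin outside their hunks.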
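Review bot: Adding `patch` next to `create` lets the token generator modify every Secret in the namespace rather than only the one it manages; Kubernetes RBAC can scope `get` and `patch` with `resourceNames`, whereas `create` cannot be name-scoped and should stay in its own rule. Consider moving `patch` into the existing `get` rule as `verbs: ["get", "patch"]` with `resourceNames: ["<token-secret-name>"]` so a compromised job can only touch its own secret. The managed secret's name is not visible in this diff, so the value above is a placeholder to be filled from the chart.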