smolnar82 commented on code in PR #1282:
URL: https://github.com/apache/knox/pull/1282#discussion_r3489926346


##########
gateway-docker/src/main/resources/docker/gateway-entrypoint.sh:
##########
@@ -92,6 +94,49 @@ saveAlias() {
   fi
 }
 
+## Helper function to load Knox aliases from labeled Kubernetes Secrets.
+loadAliasesFromK8sSecrets() {
+  local sa_token_file="/var/run/secrets/kubernetes.io/serviceaccount/token"
+  local sa_ca_file="/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+  local sa_ns_file="/var/run/secrets/kubernetes.io/serviceaccount/namespace"
+  local label="${KNOX_ALIAS_LABEL:-knox.apache.org/alias=true}"
+
+  if [[ ! -r ${sa_token_file} || ! -r ${sa_ca_file} || ! -r ${sa_ns_file} ]]; 
then
+    echo "ServiceAccount token not mounted; skipping k8s-sourced Knox aliases"
+    return 0
+  fi
+
+  echo "Loading Knox aliases from labeled k8s Secrets (label: ${label}) ..."
+  local namespace token resp_file http_code secret_names
+  namespace=$(/bin/cat "${sa_ns_file}")
+  token=$(/bin/cat "${sa_token_file}")
+  resp_file=$(mktemp)
+
+  http_code=$(curl -sS \
+    --cacert "${sa_ca_file}" \
+    -H "Authorization: Bearer ${token}" \
+    -o "${resp_file}" -w "%{http_code}" \
+    
"https://kubernetes.default.svc/api/v1/namespaces/${namespace}/secrets?labelSelector=${label}";)
 || http_code="000"
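
Review bot: the ServiceAccount bearer token is passed on the curl command line (`-H "Authorization: Bearer ${token}"`), so for the lifetime of the call it is readable by any other process in the container through `ps` or `/proc/<pid>/cmdline`, and it would be echoed in full if the entrypoint is ever traced with `set -x`. Consider writing the header to a `mktemp` file with restrictive permissions and passing it with `-H @"${hdr_file}"` (supported since curl 7.55), or use `--config`. In the same call, `${label}` is interpolated unencoded into the query string; `-G --data-urlencode "labelSelector=${label}"` would handle a custom `KNOX_ALIAS_LABEL` containing reserved characters without breaking the request.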

Review Comment:
   nit: there's no explicit timeout on the curl call. If the k8s API is slow or 
unreachable, this could stall container startup. Adding `--max-time 10` or 
similar would make the failure path faster.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
