feat: use nats keys

ZEISS · Dec 13, 2024 · 3da0aee · 3da0aee
1 parent eabbb7b
commit 3da0aee
Show file tree

Hide file tree

Showing 32 changed files with 359 additions and 1,040 deletions.
diff --git a/.gitignore b/.gitignore
@@ -16,6 +16,7 @@
 *.out
 dist
 tmp
+*.creds
 
 # Dependency directories (remove the comment below to include it)
 # vendor/
@@ -195,4 +196,4 @@ fabric.properties
 # CodeStream plugin
 # https://plugins.jetbrains.com/plugin/12206-codestream
 
-# End of https://www.toptal.com/developers/gitignore/api/go,webstorm,intellij
+# End of https://www.toptal.com/developers/gitignore/api/go,webstorm,intellij
diff --git a/api/v1alpha1/common_types.go b/api/v1alpha1/common_types.go
@@ -22,9 +22,8 @@ const (
 )
 
 const (
-	SecretPrivateKeyName      = "natz.zeiss.com/nats-private-key"
+	SecretNameKey             = "natz.zeiss.com/nats-key"
 	SecretUserCredentialsName = "natz.zeiss.com/nats-user-credentials"
-	SecretSigningKeyName      = "natz.zeiss.com/nats-signing-key"
 )
 
 // SecretValueFromSource represents the source of a secret value

diff --git a/api/v1alpha1/nats_account_types.go b/api/v1alpha1/nats_account_types.go
@@ -63,12 +63,14 @@ type OperatorLimits struct {
 
 // NatsAccountSpec defines the desired state of NatsAccount
 type NatsAccountSpec struct {
+	// SignerKeyRef is the reference to the secret that contains the signing key
+	SignerKeyRef NatsKeyReference `json:"signerKeyRef,omitempty"`
 	// PrivateKey is a reference to a secret that contains the private key
-	PrivateKey NatsPrivateKeyReference `json:"privateKey,omitempty"`
+	PrivateKey NatsKeyReference `json:"privateKey,omitempty"`
 	// SigningKeys is a list of references to secrets that contain the signing keys
-	SigningKeys []NatsSigningKeyReference `json:"signingKeys,omitempty"`
+	SigningKeys []NatsKeyReference `json:"signingKeys,omitempty"`
 	// OperatorSigningKey is the reference to the operator signing key
-	OperatorSigningKey NatsSigningKeyReference `json:"operatorSigningKey,omitempty"`
+	OperatorSigningKey NatsKeyReference `json:"operatorSigningKey,omitempty"`
 	// Namespaces that are allowed for user creation.
 	// If a NatsUser is referencing this account outside of these namespaces, the operator will create an event for it saying that it's not allowed.
 	AllowUserNamespaces []string `json:"allowedUserNamespaces,omitempty"`

diff --git a/api/v1alpha1/nats_key_types.go b/api/v1alpha1/nats_key_types.go
@@ -0,0 +1,99 @@
+package v1alpha1
+
+import (
+	"github.com/nats-io/nkeys"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type NatsKeyReference struct {
+	Name      string `json:"name"`
+	Namespace string `json:"namespace,omitempty"`
+}
+
+type KeyPhase string
+
+const (
+	KeyPhaseNone         KeyPhase = ""
+	KeyPhasePending      KeyPhase = "Pending"
+	KeyPhaseCreating     KeyPhase = "Creating"
+	KeyPhaseSynchronized KeyPhase = "Synchronized"
+	KeyPhaseFailed       KeyPhase = "Failed"
+)
+
+// KeyType is a type that represents the type of the N.
+//
+// +enum
+// +kubebuilder:validation:Enum={Operator,Account,User}
+type KeyType string
+
+// NatsReference is a reference to a .
+type NatsReference struct {
+	// Name is the name of the
+	Name string `json:"name"`
+	// Namespace is the namespace of the private
+	Namespace string `json:"namespace,omitempty"`
+}
+
+// NatsPrivateSpec defines the desired state of private
+type NatsPrivateSpec struct {
+	// Type is the type of the N.
+	Type KeyType `json:"type"`
+	// PreventDeletion is a flag that indicates if the  should be locked to prevent deletion.
+	PreventDeletion bool `json:"prevent_deletion,omitempty"`
+}
+
+// NatsPrivateStatus defines the observed state of private
+type NatsPrivateStatus struct {
+	// Conditions is an array of conditions that the private  is currently in.
+	Conditions []metav1.Condition `json:"conditions,omitempty" optional:"true"`
+	// Phase is the current phase of the private .
+	//
+	// +kubebuilder:validation:Enum={None,Pending,Creating,Synchronized,Failed}
+	Phase KeyPhase `json:"phase"`
+	// ControlPaused is a flag that indicates if the operator is paused.
+	ControlPaused bool `json:"controlPaused,omitempty" optional:"true"`
+	// LastUpdate is the timestamp of the last update.
+	LastUpdate metav1.Time `json:"lastUpdate,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+
+// NatsKey is the Schema for the key.
+type NatsKey struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   NatsPrivateSpec   `json:"spec,omitempty"`
+	Status NatsPrivateStatus `json:"status,omitempty"`
+}
+
+// Keys returns a pair of keys based on the type of the N.
+func (pk *NatsKey) Keys() (nkeys.KeyPair, error) {
+	var s nkeys.KeyPair
+	var err error
+
+	switch pk.Spec.Type {
+	case "Operator":
+		s, err = nkeys.CreateOperator()
+	case "Account":
+		s, err = nkeys.CreateAccount()
+	case "User":
+		s, err = nkeys.CreateUser()
+	}
+
+	return s, err
+}
+
+//+kubebuilder:object:root=true
+
+// NatsKeyList contains a list of key.
+type NatsKeyList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []NatsKey `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&NatsKey{}, &NatsKeyList{})
+}
diff --git a/api/v1alpha1/nats_operator_types.go b/api/v1alpha1/nats_operator_types.go
@@ -27,9 +27,11 @@ type NatsOperatorReference struct {
 }
 type NatsOperatorSpec struct {
 	// PrivateKey is a reference to a secret that contains the private key
-	PrivateKey NatsPrivateKeyReference `json:"privateKey,omitempty"`
+	PrivateKey NatsKeyReference `json:"privateKey,omitempty"`
+	// EnableSystemAccount is a flag that indicates if the system account should be created.
+	EnableSystemAccount bool `json:"enableSystemAccount,omitempty"`
 	// SigningKeys is a list of references to secrets that contain the signing keys
-	SigningKeys []NatsSigningKeyReference `json:"signingKeys,omitempty"`
+	SigningKeys []NatsKeyReference `json:"signingKeys,omitempty"`
 }
 
 type NatsOperatorStatus struct {

diff --git a/api/v1alpha1/nats_private_key_types.go b/api/v1alpha1/nats_private_key_types.go
diff --git a/api/v1alpha1/nats_signing_key_types.go b/api/v1alpha1/nats_signing_key_types.go
diff --git a/api/v1alpha1/nats_user_types.go b/api/v1alpha1/nats_user_types.go
@@ -44,9 +44,9 @@ func (p *Permission) toNats() jwt.Permission {
 // NatsUserSpec defines the desired state of NatsUser
 type NatsUserSpec struct {
 	// PrivateKey is a reference to a secret that contains the private key
-	PrivateKey NatsPrivateKeyReference `json:"privateKey,omitempty"`
-	// AccountSigningKey is a reference to a secret that contains the account signing key
-	AccountSigningKey NatsSigningKeyReference `json:"accountSigningKey,omitempty"`
+	PrivateKey NatsKeyReference `json:"privateKey,omitempty"`
+	// SignerKeyRef is a reference to a secret that contains the account signing key
+	SignerKeyRef NatsKeyReference `json:"signerKeyRef,omitempty"`
 	// Permissions define the permissions for the user
 	Permissions Permissions `json:"permissions,omitempty"`
 	// Limits define the limits for the user