Skip to content

Commit

Permalink
Merge pull request #466 from kube-tarian/business-secret-store
Browse files Browse the repository at this point in the history
create app role token and cluster secret store for business cluster
  • Loading branch information
vramk23 authored Apr 27, 2024
2 parents 6d9b0ee + fbbf117 commit 81ce4e9
Show file tree
Hide file tree
Showing 6 changed files with 38 additions and 56 deletions.
17 changes: 9 additions & 8 deletions capten/common-pkg/k8s/external_secret.go
Original file line number Diff line number Diff line change
Expand Up @@ -57,8 +57,9 @@ type SecretStoreSpec struct {
}

type SecretKeySelector struct {
Name string `yaml:"name,omitempty"`
Key string `yaml:"key,omitempty"`
Namespace string `yaml:"namespace,omitempty"`
Name string `yaml:"name,omitempty"`
Key string `yaml:"key,omitempty"`
}

type VaultAuth struct {
Expand Down Expand Up @@ -88,10 +89,9 @@ func (k *K8SClient) CreateOrUpdateSecretStore(ctx context.Context, secretStoreNa
tokenSecretName, tokenSecretKey string) (err error) {
secretStore := SecretStore{
APIVersion: "external-secrets.io/v1beta1",
Kind: "SecretStore",
Kind: "ClusterSecretStore",
Metadata: ObjectMeta{
Name: secretStoreName,
Namespace: namespace,
Name: secretStoreName,
},
Spec: SecretStoreSpec{
RefreshInterval: 10,
Expand All @@ -102,8 +102,9 @@ func (k *K8SClient) CreateOrUpdateSecretStore(ctx context.Context, secretStoreNa
Version: "v2",
Auth: VaultAuth{
TokenSecretRef: &SecretKeySelector{
Key: tokenSecretKey,
Name: tokenSecretName,
Key: tokenSecretKey,
Name: tokenSecretName,
Namespace: namespace,
},
},
},
Expand Down Expand Up @@ -152,7 +153,7 @@ func (k *K8SClient) CreateOrUpdateExternalSecret(ctx context.Context, externalSe
Template: ExternalSecretTargetTemplate{Type: secretType}},
SecretStoreRef: SecretStoreRef{
Name: secretStoreRefName,
Kind: "SecretStore",
Kind: "ClusterSecretStore",
},
Data: secretKeysData,
},
Expand Down
63 changes: 19 additions & 44 deletions capten/config-worker/internal/crossplane/config_cluster_secrets.go
Original file line number Diff line number Diff line change
Expand Up @@ -13,21 +13,15 @@ var (
vaultAppRoleTokenSecret = "approle-vault-token"
vaultAddress = "http://vault.%s"
cluserAppRoleName = "capten-approle-%s"
secretStoreName = "approle-vault-store"
secretStoreName = "capten-vault-store"
)

func (cp *CrossPlaneApp) configureExternalSecretsOnCluster(ctx context.Context,
clusterName, clusterID string, extSecrets []clusterExternalSecret) error {
clusterName, clusterID string, appRoleTokenPaths []string, extSecrets []clusterExternalSecret) error {
logger.Infof("configure external secrets for cluster %s/%s", clusterName, clusterID)

credentialPaths, namespaces := getUniqueSecretPathsAndNamespaces(extSecrets)
if len(namespaces) == 0 {
logger.Infof("no external secrets defined for cluster %s/%s", clusterName, clusterID)
return nil
}

cluserAppRoleNameStr := fmt.Sprintf(cluserAppRoleName, clusterName)
token, err := vaultcred.GetAppRoleToken(cluserAppRoleNameStr, credentialPaths)
token, err := vaultcred.GetAppRoleToken(cluserAppRoleNameStr, appRoleTokenPaths)
if err != nil {
return err
}
Expand All @@ -38,24 +32,27 @@ func (cp *CrossPlaneApp) configureExternalSecretsOnCluster(ctx context.Context,
return fmt.Errorf("failed to initalize k8s client, %v", err)
}

namespace := "capten"
vaultAddressStr := fmt.Sprintf(vaultAddress, cp.cfg.DomainName)
err = k8sclient.CreateNamespace(ctx, namespace)
if err != nil {
logger.Infof("failed to create namespace %s, %v", namespace, err)
}

for _, namespace := range namespaces {
cred := map[string][]byte{"token": []byte(token)}
err = k8sclient.CreateOrUpdateSecret(ctx, namespace, vaultAppRoleTokenSecret, v1.SecretTypeOpaque, cred, nil)
if err != nil {
logger.Infof("failed to create cluter vault token secret %s/%s, %v", namespace, vaultAppRoleTokenSecret, err)
continue
}
cred := map[string][]byte{"token": []byte(token)}
err = k8sclient.CreateOrUpdateSecret(ctx, namespace, vaultAppRoleTokenSecret, v1.SecretTypeOpaque, cred, nil)
if err != nil {
logger.Infof("failed to create cluter vault token secret %s/%s, %v", namespace, vaultAppRoleTokenSecret, err)
}

err := k8sclient.CreateOrUpdateSecretStore(ctx, secretStoreName, namespace,
vaultAddressStr, vaultAppRoleTokenSecret, "token")
if err != nil {
return fmt.Errorf("failed to create cluter vault token secret, %v", err)
}
logger.Infof("created %s/%s on cluster cluster %s", namespace, secretStoreName, clusterName)
err = k8sclient.CreateOrUpdateSecretStore(ctx, secretStoreName, namespace,
vaultAddressStr, vaultAppRoleTokenSecret, "token")
if err != nil {
return fmt.Errorf("failed to create cluter vault token secret, %v", err)
}

logger.Infof("created %s on cluster cluster %s", secretStoreName, secretStoreName, clusterName)

for _, extSecret := range extSecrets {
externalSecretName := "external-" + extSecret.SecretName
vaultSecretData := map[string]string{}
Expand All @@ -72,25 +69,3 @@ func (cp *CrossPlaneApp) configureExternalSecretsOnCluster(ctx context.Context,
}
return nil
}

func getUniqueSecretPathsAndNamespaces(extSecrets []clusterExternalSecret) ([]string, []string) {
credentialPaths := map[string]bool{}
namspaces := map[string]bool{}
for _, extSecret := range extSecrets {
for _, secretData := range extSecret.VaultSecrets {
credentialPaths[secretData.SecretPath] = true
}
namspaces[extSecret.Namespace] = true
}
return getKeysFromBoolMap(credentialPaths), getKeysFromBoolMap(namspaces)
}

func getKeysFromBoolMap(inputMap map[string]bool) []string {
var keys []string

for key := range inputMap {
keys = append(keys, key)
}

return keys
}
Original file line number Diff line number Diff line change
Expand Up @@ -123,6 +123,7 @@ func (cp *CrossPlaneApp) configureClusterUpdate(ctx context.Context, req *model.
}

err = cp.configureExternalSecretsOnCluster(ctx, req.ManagedClusterName, req.ManagedClusterId,
cp.pluginConfig.ClusterEndpointUpdates.AppRoleTokenVaultPaths,
cp.pluginConfig.ClusterEndpointUpdates.ExternalSecrets)
if err != nil {
logger.Errorf("%v", errors.WithMessage(err, "failed to create cluster secrets"))
Expand Down
1 change: 1 addition & 0 deletions capten/config-worker/internal/crossplane/types.go
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ type clusterUpdateConfig struct {
DefaultAppListFile string `json:"defaultAppListFile"`
DefaultAppValuesPath string `json:"defaultAppValuesPath"`
ClusterDefaultAppValuesPath string `json:"clusterDefaultAppValuesPath"`
AppRoleTokenVaultPaths []string `json:"appRoleTokenVaultPaths"`
ExternalSecrets []clusterExternalSecret `json:"externalSecrets"`
}

Expand Down
4 changes: 2 additions & 2 deletions charts/kad/Chart.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -15,10 +15,10 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.2.20
version: 0.2.21

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "1.28.2"
appVersion: "1.28.3"
8 changes: 6 additions & 2 deletions charts/kad/crossplane_plugin_config.json
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,11 @@
"defaultAppListFile": "default-apps-templates/app_list.yaml",
"defaultAppValuesPath": "default-apps-templates/values",
"clusterDefaultAppValuesPath": "infra/clusters/app-configs",
"appRoleTokenVaultPaths":[
"generic/cosign/signer",
"generic/nats/auth-token",
"generic/container-registry/*"
],
"externalSecrets": [
{
"namespace": "observability",
Expand All @@ -33,8 +38,7 @@
"secretPath": "generic/cosign/signer"
}
]
},

},
{
"namespace": "ml-server",
"secretName": "regcred-ghcr",
Expand Down

0 comments on commit 81ce4e9

Please sign in to comment.