Merge pull request #372 from kube-tarian/nats-vault-token

adding nats vault token external secrets for business cluster
kube-tarian · Jan 14, 2024 · 6c95197 · 6c95197
2 parents 40e5917 + 6b5b210
commit 6c95197
Show file tree

Hide file tree

Showing 23 changed files with 20,819 additions and 10,376 deletions.
diff --git a/Makefile b/Makefile
@@ -12,6 +12,7 @@ gen-protoc:
  mkdir -p server/pkg/pb/agentpb
  mkdir -p server/pkg/pb/captenpluginspb
  mkdir -p capten/agent/internal/pb/captensdkpb
+ mkdir -p capten/common-pkg/vault-cred/vaultcredpb
 
  cd proto && protoc --go_out=../server/pkg/pb/serverpb/ --go_opt=paths=source_relative \
  --go-grpc_out=../server/pkg/pb/serverpb --go-grpc_opt=paths=source_relative \
@@ -37,6 +38,10 @@ gen-protoc:
  --go-grpc_out=../capten/agent/internal/pb/captensdkpb --go-grpc_opt=paths=source_relative \
  ./capten_sdk.proto
 
+ cd proto && protoc --go_out=../capten/common-pkg/vault-cred/vaultcredpb --go_opt=paths=source_relative \
+ --go-grpc_out=../capten/common-pkg/vault-cred/vaultcredpb --go-grpc_opt=paths=source_relative \
+ ./vault_cred.proto
+
 docker-build-server:
  # The prefix for server to changed either as server or intelops-kad-server
  docker build --platform=linux/amd64 -f dockerfiles/server/Dockerfile -t ${PREFIX}-${SERVER_APP_NAME}:${BUILD} .

diff --git a/capten/agent/internal/crossplane/cluster_claims.go b/capten/agent/internal/crossplane/cluster_claims.go
@@ -7,22 +7,21 @@ import (
  "strings"
 
  "github.com/google/uuid"
- "github.com/intelops/go-common/credentials"
  "github.com/intelops/go-common/logging"
  captenstore "github.com/kube-tarian/kad/capten/agent/internal/capten-store"
  "github.com/kube-tarian/kad/capten/agent/internal/temporalclient"
  "github.com/kube-tarian/kad/capten/agent/internal/workers"
 
  "github.com/kube-tarian/kad/capten/agent/internal/pb/captenpluginspb"
 
- "github.com/kube-tarian/kad/capten/common-pkg/credential"
  "github.com/kube-tarian/kad/capten/common-pkg/k8s"
+ managedcluster "github.com/kube-tarian/kad/capten/common-pkg/managed-cluster"
  "github.com/kube-tarian/kad/capten/model"
  "k8s.io/apimachinery/pkg/runtime/schema"
  "k8s.io/client-go/dynamic"
 )
 
-var (
+const (
  readyStatusType = "ready"
 
  clusterNotReadyStatus = "NotReady"
@@ -31,11 +30,6 @@ var (
  clusterFailedToDeleteStatus = "FailedToDelete"
  readyStatusValue = "True"
  NorReadyStatusValue = "False"
- clusterSecretName = "%s-cluster"
- kubeConfig = "kubeconfig"
- k8sEndpoint = "endpoint"
- k8sClusterCA = "clusterCA"
- managedClusterEntityName = "managedcluster"
 )
 
 var (
@@ -173,11 +167,6 @@ func (h *ClusterClaimSyncHandler) Sync() error {
 }
 
 func (h *ClusterClaimSyncHandler) updateManagedClusters(clusterCliams []model.ClusterClaim) error {
- k8sclient, err := k8s.NewK8SClient(h.log)
- if err != nil {
- return fmt.Errorf("failed to get k8s client, %v", err)
- }
-
  clusters, err := h.getManagedClusters()
  if err != nil {
  return fmt.Errorf("failed to get managed clusters from DB, %v", err)
@@ -213,23 +202,9 @@ func (h *ClusterClaimSyncHandler) updateManagedClusters(clusterCliams []model.Cl
  managedCluster.ClusterDeployStatus = clusterNotReadyStatus
  }
 
- secretName := fmt.Sprintf(clusterSecretName, clusterCliam.Spec.Id)
- resp, err := k8sclient.GetSecretData(clusterCliam.Metadata.Namespace, secretName)
- if err != nil {
- h.log.Errorf("failed to get secret %s/%s, %v", clusterCliam.Metadata.Namespace, secretName, err)
- continue
- }
-
- clusterEndpoint := resp.Data[k8sEndpoint]
- managedCluster.ClusterEndpoint = clusterEndpoint
- cred := map[string]string{}
- cred[kubeConfig] = resp.Data[kubeConfig]
- cred[k8sClusterCA] = resp.Data[k8sClusterCA]
- cred[k8sEndpoint] = clusterEndpoint
-
- err = credential.PutGenericCredential(context.TODO(), managedClusterEntityName, managedCluster.Id, cred)
+ err = managedcluster.StoreClusterAccessData(context.Background(), clusterCliam.Metadata.Namespace, managedCluster.Id)
  if err != nil {
- h.log.Errorf("failed to store credential for %s, %v", managedCluster.Id, err)
+ h.log.Errorf("failed to store cluster access data for %s, %v", managedCluster.Id, err)
  continue
  }
 
@@ -372,7 +347,7 @@ func (h *ClusterClaimSyncHandler) monitorCrossplaneWorkflow(managedCluster *capt
  }
  h.log.Infof("Successfuly deleted managed cluster record for %s. cluster Id - %s", managedCluster.ClusterName, managedCluster.Id)
 
- if err = h.deleteManagedClusterCredential(context.TODO(), managedCluster.Id); err != nil {
+ if err = managedcluster.DeleteClusterAccessData(context.Background(), managedCluster.Id); err != nil {
  h.log.Errorf("failed to delete credential for %s, %v", managedCluster.Id, err)
  return
  }
@@ -381,26 +356,6 @@ func (h *ClusterClaimSyncHandler) monitorCrossplaneWorkflow(managedCluster *capt
  h.log.Infof("Crossplane project delete %s config workflow %s completed", managedCluster.ClusterEndpoint, wkfId)
 }
 
-func (h *ClusterClaimSyncHandler) deleteManagedClusterCredential(ctx context.Context, id string) error {
- credPath := fmt.Sprintf("%s/%s/%s", credentials.GenericCredentialType, managedClusterEntityName, id)
- credAdmin, err := credentials.NewCredentialAdmin(ctx)
- if err != nil {
- h.log.Audit("security", "storecred", "failed", "system", "failed to intialize credentials client for %s", credPath)
- h.log.Errorf("failed to delete credential for %s, %v", credPath, err)
- return err
- }
-
- err = credAdmin.DeleteCredential(ctx, credentials.GenericCredentialType, managedClusterEntityName, id)
- if err != nil {
- h.log.Audit("security", "storecred", "failed", "system", "failed to store crendential for %s", credPath)
- h.log.Errorf("failed to delete credential for %s, %v", credPath, err)
- return err
- }
- h.log.Audit("security", "storecred", "success", "system", "credential stored for %s", credPath)
- h.log.Infof("deleted credential for entity %s", credPath)
- return nil
-}
-
 func (h *ClusterClaimSyncHandler) syncClusterClaimsWithDB(clusterClaims []model.ClusterClaim) error {
 
  clusters, err := h.getManagedClusters()