Merge pull request #466 from kube-tarian/business-secret-store

create app role token and cluster secret store for business cluster
kube-tarian · Apr 27, 2024 · 81ce4e9 · 81ce4e9
2 parents 6d9b0ee + fbbf117
commit 81ce4e9
Show file tree

Hide file tree

Showing 6 changed files with 38 additions and 56 deletions.
diff --git a/capten/common-pkg/k8s/external_secret.go b/capten/common-pkg/k8s/external_secret.go
@@ -57,8 +57,9 @@ type SecretStoreSpec struct {
 }
 
 type SecretKeySelector struct {
- Name string `yaml:"name,omitempty"`
- Key string `yaml:"key,omitempty"`
+ Namespace string `yaml:"namespace,omitempty"`
+ Name string `yaml:"name,omitempty"`
+ Key string `yaml:"key,omitempty"`
 }
 
 type VaultAuth struct {
@@ -88,10 +89,9 @@ func (k *K8SClient) CreateOrUpdateSecretStore(ctx context.Context, secretStoreNa
  tokenSecretName, tokenSecretKey string) (err error) {
  secretStore := SecretStore{
  APIVersion: "external-secrets.io/v1beta1",
- Kind: "SecretStore",
+ Kind: "ClusterSecretStore",
  Metadata: ObjectMeta{
- Name: secretStoreName,
- Namespace: namespace,
+ Name: secretStoreName,
  },
  Spec: SecretStoreSpec{
  RefreshInterval: 10,
@@ -102,8 +102,9 @@ func (k *K8SClient) CreateOrUpdateSecretStore(ctx context.Context, secretStoreNa
  Version: "v2",
  Auth: VaultAuth{
  TokenSecretRef: &SecretKeySelector{
- Key: tokenSecretKey,
- Name: tokenSecretName,
+ Key: tokenSecretKey,
+ Name: tokenSecretName,
+ Namespace: namespace,
  },
  },
  },
@@ -152,7 +153,7 @@ func (k *K8SClient) CreateOrUpdateExternalSecret(ctx context.Context, externalSe
  Template: ExternalSecretTargetTemplate{Type: secretType}},
  SecretStoreRef: SecretStoreRef{
  Name: secretStoreRefName,
- Kind: "SecretStore",
+ Kind: "ClusterSecretStore",
  },
  Data: secretKeysData,
  },

diff --git a/capten/config-worker/internal/crossplane/config_cluster_secrets.go b/capten/config-worker/internal/crossplane/config_cluster_secrets.go
@@ -13,21 +13,15 @@ var (
  vaultAppRoleTokenSecret = "approle-vault-token"
  vaultAddress = "http://vault.%s"
  cluserAppRoleName = "capten-approle-%s"
- secretStoreName = "approle-vault-store"
+ secretStoreName = "capten-vault-store"
 )
 
 func (cp *CrossPlaneApp) configureExternalSecretsOnCluster(ctx context.Context,
- clusterName, clusterID string, extSecrets []clusterExternalSecret) error {
+ clusterName, clusterID string, appRoleTokenPaths []string, extSecrets []clusterExternalSecret) error {
  logger.Infof("configure external secrets for cluster %s/%s", clusterName, clusterID)
 
- credentialPaths, namespaces := getUniqueSecretPathsAndNamespaces(extSecrets)
- if len(namespaces) == 0 {
- logger.Infof("no external secrets defined for cluster %s/%s", clusterName, clusterID)
- return nil
- }
-
  cluserAppRoleNameStr := fmt.Sprintf(cluserAppRoleName, clusterName)
- token, err := vaultcred.GetAppRoleToken(cluserAppRoleNameStr, credentialPaths)
+ token, err := vaultcred.GetAppRoleToken(cluserAppRoleNameStr, appRoleTokenPaths)
  if err != nil {
  return err
  }
@@ -38,24 +32,27 @@ func (cp *CrossPlaneApp) configureExternalSecretsOnCluster(ctx context.Context,
  return fmt.Errorf("failed to initalize k8s client, %v", err)
  }
 
+ namespace := "capten"
  vaultAddressStr := fmt.Sprintf(vaultAddress, cp.cfg.DomainName)
+ err = k8sclient.CreateNamespace(ctx, namespace)
+ if err != nil {
+ logger.Infof("failed to create namespace %s, %v", namespace, err)
+ }
 
- for _, namespace := range namespaces {
- cred := map[string][]byte{"token": []byte(token)}
- err = k8sclient.CreateOrUpdateSecret(ctx, namespace, vaultAppRoleTokenSecret, v1.SecretTypeOpaque, cred, nil)
- if err != nil {
- logger.Infof("failed to create cluter vault token secret %s/%s, %v", namespace, vaultAppRoleTokenSecret, err)
- continue
- }
+ cred := map[string][]byte{"token": []byte(token)}
+ err = k8sclient.CreateOrUpdateSecret(ctx, namespace, vaultAppRoleTokenSecret, v1.SecretTypeOpaque, cred, nil)
+ if err != nil {
+ logger.Infof("failed to create cluter vault token secret %s/%s, %v", namespace, vaultAppRoleTokenSecret, err)
+ }
 
- err := k8sclient.CreateOrUpdateSecretStore(ctx, secretStoreName, namespace,
- vaultAddressStr, vaultAppRoleTokenSecret, "token")
- if err != nil {
- return fmt.Errorf("failed to create cluter vault token secret, %v", err)
- }
- logger.Infof("created %s/%s on cluster cluster %s", namespace, secretStoreName, clusterName)
+ err = k8sclient.CreateOrUpdateSecretStore(ctx, secretStoreName, namespace,
+ vaultAddressStr, vaultAppRoleTokenSecret, "token")
+ if err != nil {
+ return fmt.Errorf("failed to create cluter vault token secret, %v", err)
  }
 
+ logger.Infof("created %s on cluster cluster %s", secretStoreName, secretStoreName, clusterName)
+
  for _, extSecret := range extSecrets {
  externalSecretName := "external-" + extSecret.SecretName
  vaultSecretData := map[string]string{}
@@ -72,25 +69,3 @@ func (cp *CrossPlaneApp) configureExternalSecretsOnCluster(ctx context.Context,
  }
  return nil
 }
-
-func getUniqueSecretPathsAndNamespaces(extSecrets []clusterExternalSecret) ([]string, []string) {
- credentialPaths := map[string]bool{}
- namspaces := map[string]bool{}
- for _, extSecret := range extSecrets {
- for _, secretData := range extSecret.VaultSecrets {
- credentialPaths[secretData.SecretPath] = true
- }
- namspaces[extSecret.Namespace] = true
- }
- return getKeysFromBoolMap(credentialPaths), getKeysFromBoolMap(namspaces)
-}
-
-func getKeysFromBoolMap(inputMap map[string]bool) []string {
- var keys []string
-
- for key := range inputMap {
- keys = append(keys, key)
- }
-
- return keys
-}
diff --git a/capten/config-worker/internal/crossplane/config_cluster_updates.go b/capten/config-worker/internal/crossplane/config_cluster_updates.go
@@ -123,6 +123,7 @@ func (cp *CrossPlaneApp) configureClusterUpdate(ctx context.Context, req *model.
  }
 
  err = cp.configureExternalSecretsOnCluster(ctx, req.ManagedClusterName, req.ManagedClusterId,
+ cp.pluginConfig.ClusterEndpointUpdates.AppRoleTokenVaultPaths,
  cp.pluginConfig.ClusterEndpointUpdates.ExternalSecrets)
  if err != nil {
  logger.Errorf("%v", errors.WithMessage(err, "failed to create cluster secrets"))

diff --git a/capten/config-worker/internal/crossplane/types.go b/capten/config-worker/internal/crossplane/types.go
@@ -12,6 +12,7 @@ type clusterUpdateConfig struct {
  DefaultAppListFile string `json:"defaultAppListFile"`
  DefaultAppValuesPath string `json:"defaultAppValuesPath"`
  ClusterDefaultAppValuesPath string `json:"clusterDefaultAppValuesPath"`
+ AppRoleTokenVaultPaths []string `json:"appRoleTokenVaultPaths"`
  ExternalSecrets []clusterExternalSecret `json:"externalSecrets"`
 }
 

diff --git a/charts/kad/Chart.yaml b/charts/kad/Chart.yaml
@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.20
+version: 0.2.21
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.28.2"
+appVersion: "1.28.3"
diff --git a/charts/kad/crossplane_plugin_config.json b/charts/kad/crossplane_plugin_config.json
@@ -13,6 +13,11 @@
  "defaultAppListFile": "default-apps-templates/app_list.yaml",
  "defaultAppValuesPath": "default-apps-templates/values",
  "clusterDefaultAppValuesPath": "infra/clusters/app-configs",
+ "appRoleTokenVaultPaths":[
+ "generic/cosign/signer",
+ "generic/nats/auth-token",
+ "generic/container-registry/*"
+ ],
  "externalSecrets": [
  {
  "namespace": "observability",
@@ -33,8 +38,7 @@
  "secretPath": "generic/cosign/signer"
  }
  ]
- },
-
+ }, 
  {
  "namespace": "ml-server",
  "secretName": "regcred-ghcr",