From fbbf117f9bc003ff85461455e55905cb4fd87c36 Mon Sep 17 00:00:00 2001
From: Venkatreddy KP
Date: Sat, 27 Apr 2024 10:55:39 +0530
Subject: [PATCH] create app role token and cluster secret store for business cluster

---
 capten/common-pkg/k8s/external_secret.go | 17 ++---
 .../crossplane/config_cluster_secrets.go | 63 ++++++-------------
 .../crossplane/config_cluster_updates.go | 1 +
 .../internal/crossplane/types.go | 1 +
 charts/kad/Chart.yaml | 4 +-
 charts/kad/crossplane_plugin_config.json | 8 ++-
 6 files changed, 38 insertions(+), 56 deletions(-)

diff --git a/capten/common-pkg/k8s/external_secret.go b/capten/common-pkg/k8s/external_secret.go
index 9e17b0cf..dbc50827 100644
--- a/capten/common-pkg/k8s/external_secret.go
+++ b/capten/common-pkg/k8s/external_secret.go
@@ -57,8 +57,9 @@ type SecretStoreSpec struct {
 }
 
 type SecretKeySelector struct {
-	Name string `yaml:"name,omitempty"`
-	Key string `yaml:"key,omitempty"`
+	Namespace string `yaml:"namespace,omitempty"`
+	Name string `yaml:"name,omitempty"`
+	Key string `yaml:"key,omitempty"`
 }
 
 type VaultAuth struct {
@@ -88,10 +89,9 @@ func (k *K8SClient) CreateOrUpdateSecretStore(ctx context.Context, secretStoreNa
 	tokenSecretName, tokenSecretKey string) (err error) {
 	secretStore := SecretStore{
 		APIVersion: "external-secrets.io/v1beta1",
-		Kind: "SecretStore",
+		Kind: "ClusterSecretStore",
 		Metadata: ObjectMeta{
-			Name: secretStoreName,
-			Namespace: namespace,
+			Name: secretStoreName,
 		},
 		Spec: SecretStoreSpec{
 			RefreshInterval: 10,
@@ -102,8 +102,9 @@ func (k *K8SClient) CreateOrUpdateSecretStore(ctx context.Context, secretStoreNa
 					Version: "v2",
 					Auth: VaultAuth{
 						TokenSecretRef: &SecretKeySelector{
-							Key: tokenSecretKey,
-							Name: tokenSecretName,
+							Key: tokenSecretKey,
+							Name: tokenSecretName,
+							Namespace: namespace,
 						},
 					},
 				},
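Review bot: The store built in CreateOrUpdateSecretStore is now a cluster-scoped ClusterSecretStore, so an ExternalSecret in any namespace of the business cluster can reference it and read whatever the approle token's Vault policy permits, whereas the namespaced SecretStore it replaces was only usable from the namespace it lived in. If only the namespaces listed in the cluster's externalSecrets config are meant to consume this token, the store should be restricted with ESO's `spec.conditions` (`namespaces` / `namespaceSelector`), which would need a matching field in SecretStoreSpec outside this hunk; otherwise the trust decision should at least be recorded next to the Kind. The `namespace` parameter keeps its name but now only populates `TokenSecretRef.Namespace`, so a doc comment such as `// namespace is where tokenSecretName lives; the ClusterSecretStore itself is cluster-scoped` would stop callers passing the old meaning. The function signature starts outside the hunk, and the same Kind switch is mirrored in CreateOrUpdateExternalSecret's SecretStoreRef in the next hunk.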
@@ -152,7 +153,7 @@ func (k *K8SClient) CreateOrUpdateExternalSecret(ctx context.Context, externalSe
 				Template: ExternalSecretTargetTemplate{Type: secretType}},
 			SecretStoreRef: SecretStoreRef{
 				Name: secretStoreRefName,
-				Kind: "SecretStore",
+				Kind: "ClusterSecretStore",
 			},
 			Data: secretKeysData,
 		},
diff --git a/capten/config-worker/internal/crossplane/config_cluster_secrets.go b/capten/config-worker/internal/crossplane/config_cluster_secrets.go
index f41b3372..e9f1c5ff 100644
--- a/capten/config-worker/internal/crossplane/config_cluster_secrets.go
+++ b/capten/config-worker/internal/crossplane/config_cluster_secrets.go
@@ -13,21 +13,15 @@ var (
 	vaultAppRoleTokenSecret = "approle-vault-token"
 	vaultAddress = "http://vault.%s"
 	cluserAppRoleName = "capten-approle-%s"
-	secretStoreName = "approle-vault-store"
+	secretStoreName = "capten-vault-store"
 )
 
 func (cp *CrossPlaneApp) configureExternalSecretsOnCluster(ctx context.Context,
-	clusterName, clusterID string, extSecrets []clusterExternalSecret) error {
+	clusterName, clusterID string, appRoleTokenPaths []string, extSecrets []clusterExternalSecret) error {
 	logger.Infof("configure external secrets for cluster %s/%s", clusterName, clusterID)
 
-	credentialPaths, namespaces := getUniqueSecretPathsAndNamespaces(extSecrets)
-	if len(namespaces) == 0 {
-		logger.Infof("no external secrets defined for cluster %s/%s", clusterName, clusterID)
-		return nil
-	}
-
 	cluserAppRoleNameStr := fmt.Sprintf(cluserAppRoleName, clusterName)
-	token, err := vaultcred.GetAppRoleToken(cluserAppRoleNameStr, credentialPaths)
+	token, err := vaultcred.GetAppRoleToken(cluserAppRoleNameStr, appRoleTokenPaths)
 	if err != nil {
 		return err
 	}
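Review bot: The approle token minted in configureExternalSecretsOnCluster is no longer scoped to the Vault paths the cluster's external secrets actually reference: `credentialPaths` used to be derived from extSecrets, while the replacement `appRoleTokenPaths` is a static list from plugin config that, in charts/kad/crossplane_plugin_config.json later in this patch, includes the wildcard `generic/container-registry/*`. Every business cluster therefore receives a token with the same read rights regardless of what it consumes, and because the early return on an empty secret list was dropped, a token is issued even when `extSecrets` is empty (what `vaultcred.GetAppRoleToken` does with an empty path list is not visible here). If per-cluster least privilege is the intent, intersect the configured list with the paths collected from extSecrets, or at minimum reject an empty `appRoleTokenPaths` before calling Vault. A comment on the new parameter, e.g. `// appRoleTokenPaths lists the Vault paths the cluster's approle token may read; keep it to what extSecrets needs`, would record that decision. The function body continues in the next hunk.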
@@ -38,24 +32,27 @@ func (cp *CrossPlaneApp) configureExternalSecretsOnCluster(ctx context.Context, return fmt.Errorf("failed to initalize k8s client, %v", err) } + namespace := "capten" vaultAddressStr := fmt.Sprintf(vaultAddress, cp.cfg.DomainName) + err = k8sclient.CreateNamespace(ctx, namespace) + if err != nil { + logger.Infof("failed to create namespace %s, %v", namespace, err) + } - for _, namespace := range namespaces { - cred := map[string][]byte{"token": []byte(token)} - err = k8sclient.CreateOrUpdateSecret(ctx, namespace, vaultAppRoleTokenSecret, v1.SecretTypeOpaque, cred, nil) - if err != nil { - logger.Infof("failed to create cluter vault token secret %s/%s, %v", namespace, vaultAppRoleTokenSecret, err) - continue - } + cred := map[string][]byte{"token": []byte(token)} + err = k8sclient.CreateOrUpdateSecret(ctx, namespace, vaultAppRoleTokenSecret, v1.SecretTypeOpaque, cred, nil) + if err != nil { + logger.Infof("failed to create cluter vault token secret %s/%s, %v", namespace, vaultAppRoleTokenSecret, err) + } - err := k8sclient.CreateOrUpdateSecretStore(ctx, secretStoreName, namespace, - vaultAddressStr, vaultAppRoleTokenSecret, "token") - if err != nil { - return fmt.Errorf("failed to create cluter vault token secret, %v", err) - } - logger.Infof("created %s/%s on cluster cluster %s", namespace, secretStoreName, clusterName) + err = k8sclient.CreateOrUpdateSecretStore(ctx, secretStoreName, namespace, + vaultAddressStr, vaultAppRoleTokenSecret, "token") + if err != nil { + return fmt.Errorf("failed to create cluter vault token secret, %v", err) } + logger.Infof("created %s on cluster cluster %s", secretStoreName, secretStoreName, clusterName) + for _, extSecret := range extSecrets { externalSecretName := "external-" + extSecret.SecretName vaultSecretData := map[string]string{} 
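Review bot: The new success log `logger.Infof("created %s on cluster cluster %s", secretStoreName, secretStoreName, clusterName)` passes three arguments to two `%s` verbs, so `go vet` flags it and the message ends in an `%!(EXTRA string=...)` tail; it should be `logger.Infof("created %s on cluster %s", secretStoreName, clusterName)`. More importantly, the `continue` that used to follow a failed CreateOrUpdateSecret is gone and the failure is only logged at Info, so the code proceeds to create a ClusterSecretStore whose TokenSecretRef points at a secret that may not exist; return there instead, e.g. `return fmt.Errorf("failed to create vault token secret %s/%s, %w", namespace, vaultAppRoleTokenSecret, err)`, and give the CreateOrUpdateSecretStore failure its own message rather than the copied "failed to create cluter vault token secret". The CreateNamespace error is likewise swallowed at Info; if the helper does not already treat an existing namespace as success, a genuine failure should stop here for the same reason, and a one-line comment stating which case is being tolerated would make that explicit. configureExternalSecretsOnCluster starts in the previous hunk and ends in the next.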
@@ -72,25 +69,3 @@ func (cp *CrossPlaneApp) configureExternalSecretsOnCluster(ctx context.Context,
 	}
 	return nil
 }
-
-func getUniqueSecretPathsAndNamespaces(extSecrets []clusterExternalSecret) ([]string, []string) {
-	credentialPaths := map[string]bool{}
-	namspaces := map[string]bool{}
-	for _, extSecret := range extSecrets {
-		for _, secretData := range extSecret.VaultSecrets {
-			credentialPaths[secretData.SecretPath] = true
-		}
-		namspaces[extSecret.Namespace] = true
-	}
-	return getKeysFromBoolMap(credentialPaths), getKeysFromBoolMap(namspaces)
-}
-
-func getKeysFromBoolMap(inputMap map[string]bool) []string {
-	var keys []string
-
-	for key := range inputMap {
-		keys = append(keys, key)
-	}
-
-	return keys
-}
diff --git a/capten/config-worker/internal/crossplane/config_cluster_updates.go b/capten/config-worker/internal/crossplane/config_cluster_updates.go
index e9a3b999..9496ed0c 100644
--- a/capten/config-worker/internal/crossplane/config_cluster_updates.go
+++ b/capten/config-worker/internal/crossplane/config_cluster_updates.go
@@ -123,6 +123,7 @@ func (cp *CrossPlaneApp) configureClusterUpdate(ctx context.Context, req *model.
 	}
 
 	err = cp.configureExternalSecretsOnCluster(ctx, req.ManagedClusterName, req.ManagedClusterId,
+		cp.pluginConfig.ClusterEndpointUpdates.AppRoleTokenVaultPaths,
 		cp.pluginConfig.ClusterEndpointUpdates.ExternalSecrets)
 	if err != nil {
 		logger.Errorf("%v", errors.WithMessage(err, "failed to create cluster secrets"))
diff --git a/capten/config-worker/internal/crossplane/types.go b/capten/config-worker/internal/crossplane/types.go
index 3a569906..d50b21ab 100644
--- a/capten/config-worker/internal/crossplane/types.go
+++ b/capten/config-worker/internal/crossplane/types.go
@@ -12,6 +12,7 @@ type clusterUpdateConfig struct {
 	DefaultAppListFile string `json:"defaultAppListFile"`
 	DefaultAppValuesPath string `json:"defaultAppValuesPath"`
 	ClusterDefaultAppValuesPath string `json:"clusterDefaultAppValuesPath"`
+	AppRoleTokenVaultPaths []string `json:"appRoleTokenVaultPaths"`
 	ExternalSecrets []clusterExternalSecret `json:"externalSecrets"`
 }
 
diff --git a/charts/kad/Chart.yaml b/charts/kad/Chart.yaml
index 952dd47c..ed40bd6b 100644
--- a/charts/kad/Chart.yaml
+++ b/charts/kad/Chart.yaml
@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.20
+version: 0.2.21
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.28.2"
+appVersion: "1.28.3"
diff --git a/charts/kad/crossplane_plugin_config.json b/charts/kad/crossplane_plugin_config.json
index d0c4df92..279e5878 100644
--- a/charts/kad/crossplane_plugin_config.json
+++ b/charts/kad/crossplane_plugin_config.json
@@ -13,6 +13,11 @@
   "defaultAppListFile": "default-apps-templates/app_list.yaml",
   "defaultAppValuesPath": "default-apps-templates/values",
   "clusterDefaultAppValuesPath": "infra/clusters/app-configs",
+  "appRoleTokenVaultPaths":[
+    "generic/cosign/signer",
+    "generic/nats/auth-token",
+    "generic/container-registry/*"
+  ],
   "externalSecrets": [
     {
       "namespace": "observability",
@@ -33,8 +38,7 @@
           "secretPath": "generic/cosign/signer"
         }
       ]
-    },
-
+    },
     {
       "namespace": "ml-server",
       "secretName": "regcred-ghcr",