kyma-project · kyma-bot · Sep 2, 2024 · Aug 14, 2024 · Aug 19, 2024 · Aug 19, 2024
@@ -28,7 +28,6 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o ma
 FROM gcr.io/distroless/static:nonroot
 WORKDIR /
 COPY --from=builder /project_workspace/manager .
-COPY  converter_config.json .
 USER 65532:65532
 
 ENTRYPOINT ["/manager"]
@@ -94,6 +94,9 @@ const (
 	ConditionReasonKubernetesAPIErr     = RuntimeConditionReason("KubernetesErr")
 	ConditionReasonSerializationError   = RuntimeConditionReason("SerializationErr")
 	ConditionReasonDeleted              = RuntimeConditionReason("Deleted")
+
+	ConditionReasonAdministratorsConfigured = RuntimeConditionReason("AdministratorsConfigured")
+	ConditionReasonAuditLogConfigured       = RuntimeConditionReason("AuditLogConfigured")
 )
 
 //+kubebuilder:object:root=true

@@ -236,6 +236,5 @@ func initGardenerClients(kubeconfigPath string, namespace string) (client.Client
 	if err != nil {
 		return nil, nil, nil, errors.Wrap(err, "failed to register Gardener schema")
 	}
-
 	return gardenerClient, shootClient, dynamicKubeconfigAPI, nil
 }
@@ -0,0 +1,305 @@
+package auditlogging
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"github.com/go-logr/logr"
+	"os"
+
+	gardener "github.com/gardener/gardener/pkg/apis/core/v1beta1"
+	"github.com/pkg/errors"
+	v12 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+const (
+	auditlogSecretReference = "auditlog-credentials"
+	auditlogExtensionType   = "shoot-auditlog-service"
+)
+
+//go:generate mockery --name=AuditLogging
+type AuditLogging interface {
+	Enable(ctx context.Context, shoot *gardener.Shoot) (bool, error)
+}
+
+//go:generate mockery --name=auditLogConfigurator
+type auditLogConfigurator interface {
+	canEnableAuditLogsForShoot(seedName string) bool
+	getTenantConfigPath() string
+	getPolicyConfigMapName() string
+	getSeedObj(ctx context.Context, seedKey types.NamespacedName) (gardener.Seed, error)
+	getLogInstance() logr.Logger
+	updateShoot(ctx context.Context, shoot *gardener.Shoot) error
+	getConfigFromFile() (data map[string]map[string]AuditLogData, err error)
+}
+
+type AuditLog struct {
+	auditLogConfigurator
+}
+
+type auditLogConfig struct {
+	tenantConfigPath    string
+	policyConfigMapName string
+	client              client.Client
+	log                 logr.Logger
+}
+
+type AuditLogData struct {
+	TenantID   string `json:"tenantID"`
+	ServiceURL string `json:"serviceURL"`
+	SecretName string `json:"secretName"`
+}
+
+type AuditlogExtensionConfig struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// Type is the type of auditlog service provider.
+	Type string `json:"type"`
+	// TenantID is the id of the tenant.
+	TenantID string `json:"tenantID"`
+	// ServiceURL is the URL of the auditlog service.
+	ServiceURL string `json:"serviceURL"`
+	// SecretReferenceName is the name of the reference for the secret containing the auditlog service credentials.
+	SecretReferenceName string `json:"secretReferenceName"`
+}
+
+func NewAuditLogging(auditLogTenantConfigPath, auditLogPolicyConfigMapName string, k8s client.Client, log logr.Logger) AuditLogging {
+	return &AuditLog{
+		auditLogConfigurator: newAuditLogConfigurator(auditLogTenantConfigPath, auditLogPolicyConfigMapName, k8s, log),
+	}
+}
+
+func newAuditLogConfigurator(auditLogTenantConfigPath, auditLogPolicyConfigMapName string, k8s client.Client, log logr.Logger) auditLogConfigurator {
+	return &auditLogConfig{
+		tenantConfigPath:    auditLogTenantConfigPath,
+		policyConfigMapName: auditLogPolicyConfigMapName,
+		client:              k8s,
+		log:                 log,
+	}
+}
+
+func (a *auditLogConfig) canEnableAuditLogsForShoot(seedName string) bool {
+	return seedName != "" && a.tenantConfigPath != ""
+}
+
+func (a *auditLogConfig) getTenantConfigPath() string {
+	return a.tenantConfigPath
+}
+
+func (a *auditLogConfig) getPolicyConfigMapName() string {
+	return a.policyConfigMapName
+}
+
+func (a *auditLogConfig) getSeedObj(ctx context.Context, seedKey types.NamespacedName) (gardener.Seed, error) {
+	var seed gardener.Seed
+	if err := a.client.Get(ctx, seedKey, &seed); err != nil {
+		return gardener.Seed{}, err
+	}
+	return seed, nil
+}
+
+func (al *AuditLog) Enable(ctx context.Context, shoot *gardener.Shoot) (bool, error) {
+	log := al.getLogInstance()
+	seedName := getSeedName(*shoot)
+
+	if !al.canEnableAuditLogsForShoot(seedName) {
+		log.Info("Seed name or Tenant config path is empty while configuring Audit Logs on shoot: " + shoot.Name)
+		return false, nil
+	}
+
+	auditConfigFromFile, err := al.getConfigFromFile()
+	if err != nil {
+		return false, errors.Wrap(err, "Cannot get Audit Log config from file")
+	}
+
+	configureAuditPolicy(shoot, al.getPolicyConfigMapName())
+
+	seedKey := types.NamespacedName{Name: seedName, Namespace: ""}
+	seed, err := al.getSeedObj(ctx, seedKey)
+	if err != nil {
+		return false, errors.Wrap(err, "Cannot get Gardener Seed object")
+	}
+
+	annotated, err := enableAuditLogs(shoot, auditConfigFromFile, seed.Spec.Provider.Type)
+
+	if err != nil {
+		return false, errors.Wrap(err, "Error during enabling Audit Logs on shoot: "+shoot.Name)
+	}
+
+	if annotated {
+		if err = al.updateShoot(ctx, shoot); err != nil {
+			return false, errors.Wrap(err, "Cannot update shoot")
+		}
+	}
+
+	return true, nil
+}
+
+func enableAuditLogs(shoot *gardener.Shoot, auditConfigFromFile map[string]map[string]AuditLogData, providerType string) (bool, error) {
+	providerConfig := auditConfigFromFile[providerType]
+	if providerConfig == nil {
+		return false, fmt.Errorf("cannot find config for provider %s", providerType)
+	}
+
+	auditID := shoot.Spec.Region
+	if auditID == "" {
+		return false, errors.New("shoot has no region set")
+	}
+
+	tenant, ok := providerConfig[auditID]
+	if !ok {
+		return false, fmt.Errorf("auditlog config for region %s, provider %s is empty", auditID, providerType)
+	}
+
+	changedExt, err := configureExtension(shoot, tenant)
+	changedSec := configureSecret(shoot, tenant)
+
+	return changedExt || changedSec, err
+}
+
+func configureExtension(shoot *gardener.Shoot, config AuditLogData) (changed bool, err error) {
+	changed = false
+	const (
+		extensionKind    = "AuditlogConfig"
+		extensionVersion = "service.auditlog.extensions.gardener.cloud/v1alpha1"
+		extensionType    = "standard"
+	)
+
+	ext := findExtension(shoot)
+	if ext != nil {
+		cfg := AuditlogExtensionConfig{}
+		err = json.Unmarshal(ext.ProviderConfig.Raw, &cfg)
+		if err != nil {
+			return
+		}
+
+		if cfg.Kind == extensionKind &&
+			cfg.Type == extensionType &&
+			cfg.TenantID == config.TenantID &&
+			cfg.ServiceURL == config.ServiceURL &&
+			cfg.SecretReferenceName == auditlogSecretReference {
+			return false, nil
+		}
+	} else {
+		shoot.Spec.Extensions = append(shoot.Spec.Extensions, gardener.Extension{
+			Type: auditlogExtensionType,
+		})
+		ext = &shoot.Spec.Extensions[len(shoot.Spec.Extensions)-1]
+	}
+
+	changed = true
+
+	cfg := AuditlogExtensionConfig{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       extensionKind,
+			APIVersion: extensionVersion,
+		},
+		Type:                extensionType,
+		TenantID:            config.TenantID,
+		ServiceURL:          config.ServiceURL,
+		SecretReferenceName: auditlogSecretReference,
+	}
+
+	ext.ProviderConfig = &runtime.RawExtension{}
+	ext.ProviderConfig.Raw, err = json.Marshal(cfg)
+
+	return
+}
+
+func findExtension(shoot *gardener.Shoot) *gardener.Extension {
+	for i, e := range shoot.Spec.Extensions {
+		if e.Type == auditlogExtensionType {
+			return &shoot.Spec.Extensions[i]
+		}
+	}
+
+	return nil
+}
+
+func findSecret(shoot *gardener.Shoot) *gardener.NamedResourceReference {
+	for i, e := range shoot.Spec.Resources {
+		if e.Name == auditlogSecretReference {
+			return &shoot.Spec.Resources[i]
+		}
+	}
+
+	return nil
+}
+
+func configureSecret(shoot *gardener.Shoot, config AuditLogData) (changed bool) {
+	changed = false
+
+	sec := findSecret(shoot)
+	if sec != nil {
+		if sec.Name == auditlogSecretReference &&
+			sec.ResourceRef.APIVersion == "v1" &&
+			sec.ResourceRef.Kind == "Secret" &&
+			sec.ResourceRef.Name == config.SecretName {
+			return
+		}
+	} else {
+		shoot.Spec.Resources = append(shoot.Spec.Resources, gardener.NamedResourceReference{})
+		sec = &shoot.Spec.Resources[len(shoot.Spec.Resources)-1]
+	}
+
+	changed = true
+
+	sec.Name = auditlogSecretReference
+	sec.ResourceRef.APIVersion = "v1"
+	sec.ResourceRef.Kind = "Secret"
+	sec.ResourceRef.Name = config.SecretName
+
+	return
+}
+
+func (a *auditLogConfig) getConfigFromFile() (data map[string]map[string]AuditLogData, err error) {
+	file, err := os.Open(a.tenantConfigPath)
+
+	if err != nil {
+		return nil, err
+	}
+
+	defer func(file *os.File) {
+		_ = file.Close()
+	}(file)
+
+	if err := json.NewDecoder(file).Decode(&data); err != nil {
+		return nil, err
+	}
+	return data, nil
+}
+
+func getSeedName(shoot gardener.Shoot) string {
+	if shoot.Spec.SeedName != nil {
+		return *shoot.Spec.SeedName
+	}
+	return ""
+}
+
+func configureAuditPolicy(shoot *gardener.Shoot, policyConfigMapName string) {
+	if shoot.Spec.Kubernetes.KubeAPIServer == nil {
+		shoot.Spec.Kubernetes.KubeAPIServer = &gardener.KubeAPIServerConfig{}
+	}
+
+	shoot.Spec.Kubernetes.KubeAPIServer.AuditConfig = newAuditPolicyConfig(policyConfigMapName)
+}
+
+func newAuditPolicyConfig(policyConfigMapName string) *gardener.AuditConfig {
+	return &gardener.AuditConfig{
+		AuditPolicy: &gardener.AuditPolicy{
+			ConfigMapRef: &v12.ObjectReference{Name: policyConfigMapName},
+		},
+	}
+}
+
+func (a *auditLogConfig) updateShoot(ctx context.Context, shoot *gardener.Shoot) error {
+	return a.client.Update(ctx, shoot)
+}
+
+func (a *auditLogConfig) getLogInstance() logr.Logger {
+	return a.log
+}
diff --git a/internal/auditlogging/auditlogging_test.go b/internal/auditlogging/auditlogging_test.go
@@ -0,0 +1 @@
+package auditlogging
@@ -10,6 +10,7 @@ import (
 
 	"github.com/go-logr/logr"
 	imv1 "github.com/kyma-project/infrastructure-manager/api/v1"
+	"github.com/kyma-project/infrastructure-manager/internal/auditlogging"
 	"github.com/kyma-project/infrastructure-manager/internal/gardener/shoot"
 	"k8s.io/client-go/tools/record"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -62,6 +63,7 @@ type fsm struct {
 	log            logr.Logger
 	K8s
 	RCCfg
+	auditlogging.AuditLogging
 }
 
 func (m *fsm) Run(ctx context.Context, v imv1.Runtime) (ctrl.Result, error) {
@@ -105,5 +107,6 @@ func NewFsm(log logr.Logger, cfg RCCfg, k8s K8s) Fsm {
 		RCCfg:          cfg,
 		log:            log,
 		K8s:            k8s,
+		AuditLogging:   auditlogging.NewAuditLogging(cfg.AuditLog.TenantConfigPath, cfg.AuditLog.PolicyConfigMapName, k8s.ShootClient, log),
 	}
 }
@@ -51,12 +51,7 @@ func sFnApplyClusterRoleBindings(ctx context.Context, m *fsm, s *systemState) (s
 		}
 	}
 
-	s.instance.UpdateStateReady(
-		imv1.ConditionTypeRuntimeConfigured,
-		imv1.ConditionReasonConfigurationCompleted,
-		"kubeconfig admin access updated",
-	)
-	return updateStatusAndStop()
+	return switchState(sFnConfigureAuditLog)
 }
 
 //nolint:gochecknoglobals