SAP
diff --git a/‎.github/workflows/publish-deployment-manager.yaml‎
Lines changed: 47 additions & 0 deletions b/‎.github/workflows/publish-deployment-manager.yaml‎
Lines changed: 47 additions & 0 deletions
diff --git a/‎assets/controlpanel-select-app.png‎
54.8 KB b/‎assets/controlpanel-select-app.png‎
54.8 KB
diff --git a/‎assets/controlpanel-upload-kubeconfig.png‎
55.1 KB b/‎assets/controlpanel-upload-kubeconfig.png‎
55.1 KB
diff --git a/‎controlpanel/api/.env‎
Lines changed: 6 additions & 4 deletions b/‎controlpanel/api/.env‎
Lines changed: 6 additions & 4 deletions
diff --git a/‎controlpanel/api/middleware/configmanager-authentication.js‎
Lines changed: 18 additions & 0 deletions b/‎controlpanel/api/middleware/configmanager-authentication.js‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎controlpanel/api/middleware/deployment-manager.js‎
Lines changed: 9 additions & 0 deletions b/‎controlpanel/api/middleware/deployment-manager.js‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎controlpanel/api/middleware/fluentbit-authentication.js‎
Lines changed: 18 additions & 0 deletions b/‎controlpanel/api/middleware/fluentbit-authentication.js‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎controlpanel/api/models/Api-key.js‎
Lines changed: 33 additions & 0 deletions b/‎controlpanel/api/models/Api-key.js‎
Lines changed: 33 additions & 0 deletions
diff --git a/‎controlpanel/api/models/Customer.js‎
Lines changed: 40 additions & 0 deletions b/‎controlpanel/api/models/Customer.js‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎controlpanel/api/models/ProtectedApp.js‎
Lines changed: 9 additions & 0 deletions b/‎controlpanel/api/models/ProtectedApp.js‎
Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,47 @@
+name: Create and publish Docker image for Deployment manager to ghcr.io
+
+on:
+  release:
+    types: ['published']
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: SAP/deployment-manager
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+
+    environment: ghcr:cloud-active-defense
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3.2.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+          
+      - name: Extract metadata of deployment manager
+        id: meta
+        uses: docker/metadata-action@v5.5.1
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Build and push Docker image of cdeployment manager
+        id: push
+        uses: docker/build-push-action@v5.3.0
+        with:
+          context: ./deployment-manager
+          push: true
+          file: ./deployment-manager/Dockerfile
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }} 
@@ -3,8 +3,10 @@ POSTGRES_USER=postgres
 DB_HOST=controlpanel-db
 DB_PORT=5432
 
-# Number of minutes
-CRON_CONFIGMANAGER=60
-
 CONTROLPANEL_FRONTEND_URL=http://localhost:4200
-CONFIGMANAGER_URL=http://configmanager:3000
+DEPLOYMENT_MANAGER_URL=
+
+***REMOVED***
+
+***REMOVED***
+***REMOVED***
@@ -0,0 +1,18 @@
+const ApiKey = require('../models/Api-key');
+
+const authenticate = async (req, res, next) => {
+    const key = req.headers['authorization'];
+    if (!key) {
+        return res.status(401).json({ type: 'error', code: 401, message: "You must use an API key to access this" });
+    }
+    const apiKey = await ApiKey.findOne({ where: { key }})
+    if (!apiKey) {
+        return res.status(403).json({ type: 'error', code: 403, message: "Invalid API key" });
+    }
+    if (!apiKey.permissions.includes('configmanager') && !apiKey.permissions.includes('admin')) {
+        return res.status(403).json({ type: 'error', code: 403, message: "You don't have the required permissions to access this" });
+    }
+    next();
+};
+
+module.exports = authenticate;
@@ -0,0 +1,9 @@
+const { isUrl } = require('../util/index')
+const checkDeploymentManagerURL = (req, res, next) => {
+    if (!process.env.DEPLOYMENT_MANAGER_URL || !isUrl(process.env.DEPLOYMENT_MANAGER_URL)) {
+        return res.status(500).json({ type: 'error', code: 500, message: "Deployment manager URL is not configured or badly formatted, you are probably not running Cloud Active Defense in Kyma" });
+    }
+    next();
+}
+
+module.exports = checkDeploymentManagerURL;
@@ -0,0 +1,18 @@
+const ApiKey = require('../models/Api-key');
+
+const authenticate = async (req, res, next) => {
+    const key = req.headers['authorization'];
+    if (!key) {
+        return res.status(401).json({ type: 'error', code: 401, message: "You must use an API key to access this" });
+    }
+    const apiKey = await ApiKey.findOne({ where: { key }})
+    if (!apiKey) {
+        return res.status(403).json({ type: 'error', code: 403, message: "Invalid API key" });
+    }
+    if (!apiKey.permissions.includes('fluentbit') && !apiKey.permissions.includes('admin')) {
+        return res.status(403).json({ type: 'error', code: 403, message: "You don't have the required permissions to access this" });
+    }
+    next();
+};
+
+module.exports = authenticate;
@@ -0,0 +1,33 @@
+const { DataTypes } = require("sequelize")
+const sequelize = require("../config/db.config");
+const ProtectedApp = require("./ProtectedApp");
+
+const ApiKey = sequelize.define("apiKey", {
+    id: {
+        type: DataTypes.UUID,
+        defaultValue: DataTypes.UUIDV4,
+        primaryKey: true
+    },
+    key: {
+        type: DataTypes.STRING,
+        allowNull: false
+    },
+    permissions: {
+        type: DataTypes.ARRAY(DataTypes.STRING),
+        allowNull: false
+    },
+    pa_id: {
+        type: DataTypes.UUID,
+        allowNull: false,
+        references: {
+            model: ProtectedApp,
+            key: 'id'
+        },
+    },
+    expirationDate: {
+        type: DataTypes.DATE,
+        allowNull: false,
+        defaultValue: new Date(new Date().setFullYear(new Date().getFullYear() + 1))
+    }
+});
+module.exports = ApiKey;
@@ -0,0 +1,40 @@
+const { DataTypes } = require("sequelize")
+const sequelize = require("../config/db.config");
+const Sequelize = require("sequelize");
+
+const Customer = sequelize.define("customer", {
+    id: {
+        type: DataTypes.UUID,
+        defaultValue: DataTypes.UUIDV4,
+        primaryKey: true
+    },
+    name: {
+        type: DataTypes.STRING,
+        allowNull: false
+    },
+    kubeconfig: {
+        type: DataTypes.TEXT,
+        allowNull: true
+    },
+});
+
+Customer.getCustomersWithExpiredApiKeys = async () => {
+    return await Customer.findAll({
+        include: [{
+            model: sequelize.models.protectedApp,
+            as: 'protectedApps',
+            include: [{
+                model: sequelize.models.apiKey,
+                as: 'apiKeys',
+                where: {
+                    expirationDate: {
+                        [Sequelize.Op.lte]: new Date()
+                    }
+                },
+                required: true
+            }]
+        }]
+    });
+};
+
+module.exports = Customer;
@@ -1,5 +1,6 @@
 const { DataTypes } = require("sequelize")
 const sequelize = require("../config/db.config");
+const Customer = require("./Customer");
 
 const ProtectedApp = sequelize.define("protectedApp", {
     id: {
@@ -15,5 +16,13 @@ const ProtectedApp = sequelize.define("protectedApp", {
         type: DataTypes.STRING,
         allowNull: false
     },
+    cu_id: {
+        type: DataTypes.UUID,
+        allowNull: false,
+        references: {
+            model: Customer,
+            key: 'id'
+        },
+    },
 });
 module.exports = ProtectedApp;