Features/improved secrets loading (#92)

* New code functionality complete for Issue #60

* checkpoint

* reconciler tests complete

* Checkpoint with testfixture

* Checkpoint for major test cleanup

* first pass refactor of unit tests completed

* All unit tests are functioning as inteded.

* Well, sort of... fixed now.

* final cleanup

* Added necessary mods to support new metrics changes

* updated controller-gen stuff to support build

* Removed malfunctioning test

* Updated Docker base image to go v1.23

* Minor updates per feedback

Author: quisitive-crogers

.devcontainer/devcontainer.json

@@ -1,6 +1,6 @@
 {
   "name": "BW k8s Operator",
-  "image": "mcr.microsoft.com/devcontainers/go:1.21",
+  "image": "mcr.microsoft.com/devcontainers/go:1.23",
   "runArgs": ["--network=host"], // needed for kind
   "postCreateCommand": "sudo .devcontainer/postCreateCommand.sh",
   "customizations": {
@@ -22,7 +22,7 @@
     "ghcr.io/meaningful-ooo/devcontainer-features/fish:1": {
       "fisher": true
     },
-    "ghcr.io/devcontainers-contrib/features/kind:1": {}
+    "ghcr.io/devcontainers-extra/features/kind:1": {}
   },
   "secrets": {
   },
@@ -33,7 +33,8 @@
     "BWS_ACCESS_TOKEN": "${localEnv:BWS_ACCESS_TOKEN}",
     "BW_API_URL": "${localEnv:BW_API_URL}",
     "BW_IDENTITY_API_URL": "${localEnv:BW_IDENTITY_API_URL}",
-    "BW_SECRETS_MANAGER_REFRESH_INTERVAL": "${localEnv:BW_SECRETS_MANAGER_REFRESH_INTERVAL}"
+    "BW_SECRETS_MANAGER_REFRESH_INTERVAL": "${localEnv:BW_SECRETS_MANAGER_REFRESH_INTERVAL}",
+    "GOFLAGS": "-ldflags=-extldflags=-lm"
   },
   "remoteUser": "root" // needed for kind: https://github.com/kubernetes-sigs/kind/issues/3196#issuecomment-1537260166
 }

.devcontainer/postCreateCommand.sh

@@ -2,6 +2,7 @@
 apt-get update
 apt-get install -y kubernetes-client musl-tools # kubectl
 kind delete cluster --name sm-operator && kind create cluster --name sm-operator --config .devcontainer/kind-config.yaml
+go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo@latest
 
 PATH="$PATH:/usr/local/go/bin" make setup
 PATH="$PATH:/usr/local/go/bin" make install

.vscode/launch.json

@@ -11,7 +11,7 @@
             "mode": "debug",
             "program": "${workspaceFolder}/cmd/main.go",
             "cwd": "${workspaceFolder}",
-            "buildFlags": ["-ldflags='-linkmode external -extldflags \"-static -Wl,-unresolved-symbols=ignore-all\"'"],
+            "buildFlags": ["-ldflags=-linkmode external -extldflags \"-static -Wl,-unresolved-symbols=ignore-all\""],
             "envFile": "${workspaceFolder}/.env",
             "env": {
                 "CC": "musl-gcc"
@@ -24,7 +24,7 @@
             "mode": "test",
             "program": "${relativeFileDirname}",
             "cwd": "${relativeFileDirname}",
-            "buildFlags": ["-ldflags='-linkmode external -extldflags \"-static -Wl,-unresolved-symbols=ignore-all\"'"],
+            "buildFlags": ["-ldflags=-linkmode external -extldflags '-static -Wl,-unresolved-symbols=ignore-all'"],
             "env": {
                 "CC": "musl-gcc"
             }

.vscode/settings.json

@@ -0,0 +1,3 @@
+{
+    "remote.autoForwardPortsFallback": 0
+}

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.21 as builder
+FROM golang:1.23 as builder
 ARG TARGETOS
 ARG TARGETARCH
 

Makefile

@@ -122,7 +122,7 @@ vet: ## Run go vet against code.
 
 .PHONY: test
 test: manifests generate fmt vet envtest ## Run tests.
-	CC=musl-gcc KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test -ldflags '-linkmode external -extldflags "-static -Wl,-unresolved-symbols=ignore-all"' ./... -coverprofile cover.out
+	CC=musl-gcc KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test -ldflags '-linkmode external -extldflags "-static -Wl,-unresolved-symbols=ignore-all"' ./... -coverprofile cover.out -coverpkg=./...
 
 ##@ Build
 
@@ -210,8 +210,8 @@ CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen
 ENVTEST ?= $(LOCALBIN)/setup-envtest
 
 ## Tool Versions
-KUSTOMIZE_VERSION ?= v5.0.1
-CONTROLLER_TOOLS_VERSION ?= v0.12.0
+KUSTOMIZE_VERSION ?= v5.2.1
+CONTROLLER_TOOLS_VERSION ?= v0.14.0
 
 .PHONY: kustomize
 kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary. If wrong version is installed, it will be removed before downloading.

README.md

@@ -164,4 +164,21 @@ Unit tests are currently found in the following files:
 
 -   cmd/suite_test.go
 
-To run the unit tests, run `make test` from the root directory of this workspace. To debug the unit tests, click on the file you would like to debug. In the `Run and Debug` tab in Visual Studio Code, change the launch configuration from "Debug" to "Test current file", and then press F5. **NOTE: Using the Visual Studio Code "Testing" tab does not currently work due to VS Code not linking the static binaries correctly.**
+To run the unit tests, run `make test` from the root directory of this workspace. To debug the unit tests, click on the file you would like to debug. In the `Run and Debug` tab in Visual Studio Code, change the launch configuration from "Debug" to "Test current file", and then press F5. 
+
+**NOTE: Using the Visual Studio Code "Testing" tab may not work OOB due to VS Code not linking the static binaries correctly.  The solution is to perform the following tasks***
+
+Update VSCode Settings for Tests:
+
+* Open VSCode settings (Ctrl+, or Cmd+,).
+* Search for go.testFlags.
+* Add the following to the go.testFlags array:
+
+```json
+
+["-ldflags=-extldflags=-lm"]
+
+```
+
+This tells the Go test runner to include the linker flag for all test commands.
+

api/v1/bitwardensecret_types.go

@@ -45,6 +45,12 @@ type BitwardenSecretSpec struct {
 	// The secret key reference for the authorization token used to connect to Secrets Manager
 	// +kubebuilder:Required
 	AuthToken AuthToken `json:"authToken"`
+	// OnlyMappedSecrets, when true, restricts the Kubernetes Secret to only include secrets specified in SecretMap.
+	// When false or unset, all secrets accessible by the machine account are included, with SecretMap applied for renaming.
+	// Defaults to true.
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default=true
+	OnlyMappedSecrets bool `json:"onlyMappedSecrets"`
 }
 
 type AuthToken struct {

api/v1/zz_generated.deepcopy.go

@@ -22,6 +22,7 @@ Trademark Guidelines
 package main
 
 import (
+	"crypto/tls"
 	"flag"
 	"fmt"
 	"net/url"
@@ -40,6 +41,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+	"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
 	"sigs.k8s.io/controller-runtime/pkg/metrics/server"
 
 	operatorsv1 "github.com/bitwarden/sm-kubernetes/api/v1"
@@ -63,6 +65,8 @@ func main() {
 	var metricsAddr string
 	var enableLeaderElection bool
 	var probeAddr string
+	var enableHTTP2 bool
+	var tlsOpts []func(*tls.Config)
 
 	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
@@ -77,6 +81,28 @@ func main() {
 
 	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
 
+	// if the enable-http2 flag is false (the default), http/2 should be disabled
+	// due to its vulnerabilities. More specifically, disabling http/2 will
+	// prevent from being vulnerable to the HTTP/2 Stream Cancellation and
+	// Rapid Reset CVEs. For more information see:
+	// - https://github.com/advisories/GHSA-qppj-fm5r-hxr3
+	// - https://github.com/advisories/GHSA-4374-p667-p6c8
+	disableHTTP2 := func(c *tls.Config) {
+		setupLog.Info("disabling http/2")
+		c.NextProtos = []string{"http/1.1"}
+	}
+
+	if !enableHTTP2 {
+		tlsOpts = append(tlsOpts, disableHTTP2)
+	}
+
+	metricsServerOptions := server.Options{
+		BindAddress:    metricsAddr,
+		SecureServing:  true,
+		TLSOpts:        tlsOpts,
+		FilterProvider: filters.WithAuthenticationAndAuthorization,
+	}
+
 	bwApiUrl, identApiUrl, statePath, refreshIntervalSeconds, err := GetSettings()
 
 	if err != nil {
@@ -86,10 +112,8 @@ func main() {
 	bwClientFactory := controller.NewBitwardenClientFactory(*bwApiUrl, *identApiUrl)
 
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
-		Scheme: scheme,
-		Metrics: server.Options{
-			BindAddress: metricsAddr,
-		},
+		Scheme:                 scheme,
+		Metrics:                metricsServerOptions,
 		HealthProbeBindAddress: probeAddr,
 		LeaderElection:         enableLeaderElection,
 		LeaderElectionID:       "479cde60.bitwarden.com",