From 52326451055ff07ecc4738fa062b756bf5c3e27c Mon Sep 17 00:00:00 2001
From: Shifna12Zarnaz
Date: Wed, 19 Jul 2023 21:45:16 +0530
Subject: [PATCH 1/6] Added Generic creds
---
 config/config.go | 2 +-
 examples/cred-sync-secert.yaml | 9 +++++----
 internal/job/vault-cred-sync.go | 19 ++++++++-----------
 3 files changed, 14 insertions(+), 16 deletions(-)
diff --git a/config/config.go b/config/config.go
index 0c4d2fe9..db1ed67b 100644
--- a/config/config.go
+++ b/config/config.go
@@ -25,7 +25,7 @@ type VaultEnv struct {
 VaultSecretTokenKeyName string `envconfig:"VAULT_SECRET_TOKEN_KEY_NAME" default:"root-token"`
 VaultSecretUnSealKeyPrefix string `envconfig:"VAULT_SECRET_UNSEAL_KEY_PREFIX" default:"unsealkey"`
 VaultToken string `envconfig:"VAULT_TOKEN"`
- VaultCredSyncSecretName string `envconfig:"VAULT_CRED_SYNC_SECRET_NAME" default:"vault-cred-sync-data1"`
+ VaultCredSyncSecretName string `envconfig:"VAULT_CRED_SYNC_SECRET_NAME" default:"vault-cred-sync-data"`
 }
 func FetchConfiguration() (Configuration, error) {
diff --git a/examples/cred-sync-secert.yaml b/examples/cred-sync-secert.yaml
index 14a19501..cea89ab3 100644
--- a/examples/cred-sync-secert.yaml
+++ b/examples/cred-sync-secert.yaml
@@ -4,12 +4,13 @@ data: SERVICE-CRED-1: e2VudGl0eU5hbWU6ZGIsIHVzZXJOYW1lOnRlc3R1c2VyLHBhc3N3b3JkOnRlc3Rwd2R9Cg== # CERTS-: `echo '{"entityName":"customer-client", "certIndetifier":"capten1","caCert":"LS0tLS1CRUdJTiB", "cert": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JS", "key":"LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBL"}' | base64 -w 0` CERTS-1: eyJlbnRpdHlOYW1lIjoiY3VzdG9tZXItY2xpZW50IiwgImNlcnRJbmRldGlmaWVyIjoiY2FwdGVuMSIsImNhQ2VydCI6IkxTMHRMUzFDUlVkSlRpQiIsICJjZXJ0IjogIkxTMHRMUzFDUlVkSlRpQkRSVkpVU1VaSlEwRlVSUzB0TFMwdENrMUpTIiwgImtleSI6IkxTMHRMUzFDUlVkSlRpQlNVMEVnVUZKSlZrRlVSU0JMIn0K - #GENERIC-: `echo '{"credentialType":"cluster","entityName":"astra", "credIndetifier":"authToken", "clusterId": "b7f1640e-5488-4fc4-9230-10f58e195e1a", "token":"AstraCS:dQOUGyLDrxBsLJUPbdRqzwDs:ce353d87f144c46d740b4889caa840c0325aa0f8bb20eef891c9eefba055132b"}' | base64 -w 0` - #GENERIC-1: eyJjcmVkZW50aWFsVHlwZSI6ImNsdXN0ZXIiLCJlbnRpdHlOYW1lIjoiYXN0cmEiLCAiY2VydEluZGV0aWZpZXIiOiJhdXRoVG9rZW4iLCAiY2x1c3RlcklkIjogImI3ZjE2NDBlLTU0ODgtNGZjNC05MjMwLTEwZjU4ZTE5NWUxYSIsICJ0b2tlbiI6IkFzdHJhQ1M6ZFFPVUd5TERyeEJzTEpVUGJkUnF6d0RzOmNlMzUzZDg3ZjE0NGM0NmQ3NDBiNDg4OWNhYTg0MGMwMzI1YWEwZjhiYjIwZWVmODkxYzllZWZiYTA1NTEzMmIifQo= - GENERIC-1: eyJjcmVkZW50aWFsVHlwZSI6ImNsdXN0ZXIiLCJlbnRpdHlOYW1lIjoiYXN0cmEiLCAiY3JlZEluZGV0aWZpZXIiOiJhdXRoVG9rZW4iLCAiY3JlZGVudGlhbCI6eyJjbHVzdGVySWQiOiAiYjdmMTY0MGUtNTQ4OC00ZmM0LTkyMzAtMTBmNThlMTk1ZTFhIiwgInRva2VuIjoiQXN0cmFDUzpkUU9VR3lMRHJ4QnNMSlVQYmRScXp3RHM6Y2UzNTNkODdmMTQ0YzQ2ZDc0MGI0ODg5Y2FhODQwYzAzMjVhYTBmOGJiMjBlZWY4OTFjOWVlZmJhMDU1MTMyYiJ9fQo= + + #GENERIC-1: `echo '{"credentialType":"cluster","entityName":"astra", "credIndetifier":"authToken", "credential":{"clusterId": "b7f1640e-5488-4fc4-9230-10f58e195e1a","token":"AstraCS:dQOUGyLDrxBsLJUPbdRqzwDs:ce353d87f144c46d740b4889caa840c0325aa0f8bb20eef891c9eefba055132b"}}' | base64 -w 0` + GENERIC-1: 
eyJjcmVkZW50aWFsVHlwZSI6ImNsdXN0ZXIiLCJlbnRpdHlOYW1lIjoiYXN0cmEiLCAiY3JlZEluZGV0aWZpZXIiOiJhdXRoVG9rZW4iLCAiY3JlZGVudGlhbCI6eyJjbHVzdGVySWQiOiAiYjdmMTY0MGUtNTQ4OC00ZmM0LTkyMzAtMTBmNThlMTk1ZTFhIiwidG9rZW4iOiJBc3RyYUNTOmRRT1VHeUxEcnhCc0xKVVBiZFJxendEczpjZTM1M2Q4N2YxNDRjNDZkNzQwYjQ4ODljYWE4NDBjMDMyNWFhMGY4YmIyMGVlZjg5MWM5ZWVmYmEwNTUxMzJiIn19Cg== + kind: Secret metadata: - name: vault-cred-sync-data1 + name: vault-cred-sync-data namespace: "ml-server" type: Opaque # \ No newline at end of file diff --git a/internal/job/vault-cred-sync.go b/internal/job/vault-cred-sync.go index 763b746e..92098c38 100644 --- a/internal/job/vault-cred-sync.go +++ b/internal/job/vault-cred-sync.go @@ -40,12 +40,10 @@ type ServiceCredentail struct { AdditionalData map[string]string `json:"additionalData"` } type GenericCredential struct { - CredentialType string `json:"credentialType"` - EntityName string `json:"entityName"` - CredIndentifier string `json:"credIndetifier"` - // ClusterId string `json:"clusterId"` - // Token string `json:"token"` - Credential map[string]string `json:"credential"` + CredentialType string `json:"credentialType"` + EntityName string `json:"entityName"` + CredIndentifier string `json:"credIndetifier"` + Credential map[string]string `json:"credential"` } type VaultCredSync struct { log logging.Logger @@ -84,7 +82,7 @@ func (v *VaultCredSync) Run() { v.log.Debugf("failed to read sync secret, %s", err) return } - v.log.Debugf("found %d secret values to synch", len(secretValues)) + v.log.Debugf("found %d secret values to sync", len(secretValues)) vc, err := client.NewVaultClientForVaultToken(v.log, v.conf) if err != nil { @@ -111,9 +109,10 @@ func (v *VaultCredSync) Run() { v.log.Errorf("%s", err) continue } + } else { + v.log.Infof("credentail type %s not supported", key) } - // add one more else if for generic credential... } v.log.Debug("vault credential sync job completed") } 
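Review bot: The retained struct tag `json:"credIndetifier"` on CredIndentifier is misspelled, and the example secret in this same patch encodes the same misspelling, so the typo is now part of the sync-secret wire format. Either fix the tag and the example together or mark it deliberately with `// json key intentionally spelled "credIndetifier": existing sync secrets use it`. Credential is a free-form map and nothing in this hunk constrains which keys it may carry before they are written to Vault; a comment stating the expected keys (clusterId, token, per the example) would help the next reader. The GenericCredential definition is complete within the hunk.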
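Review bot: The new else branch logs `credentail type %s not supported` with `key`, which appears to be the secret data key being iterated rather than a credential type, and the message misspells credential; `v.log.Infof("unsupported sync secret key %s, skipping", key)` states what was actually skipped. A skipped entry in the sync secret is something an operator should notice, so Warnf is the more appropriate level than Infof here. The enclosing loop and Run() both start outside the hunk.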
@@ -179,8 +178,7 @@ func (v *VaultCredSync) storeGenericCredential(ctx context.Context, vc *client.V
 return errors.WithMessagef(err, "credential attributes are emty for %s secret data", secretIdentifier)
 }
 cred := map[string]string{}
- // cred := map[string]string{genericCredentialClusterIdKey: genericCredData.ClusterId,
- // genericCredentialTokenKey: genericCredentialTokenKey}
+
 for key, val := range genericCredData.Credential {
 cred[key] = val
 }
@@ -193,5 +191,4 @@ func (v *VaultCredSync) storeGenericCredential(ctx context.Context, vc *client.V
 v.log.Infof("stored sync credential for %s:%s", genericCredData.EntityName, genericCredData.CredIndentifier)
 return nil
- //return nil
 }
From d6207d6f48ebe821066d386294b6047711dd0824 Mon Sep 17 00:00:00 2001
From: Shifna12Zarnaz
Date: Thu, 20 Jul 2023 21:42:39 +0530
Subject: [PATCH 2/6] Added clusterread and write policy
---
 charts/vault-cred/values.yaml | 4 ++--
 internal/job/vault-cred-sync.go | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/charts/vault-cred/values.yaml b/charts/vault-cred/values.yaml
index a816e0e5..adc54c0a 100644
--- a/charts/vault-cred/values.yaml
+++ b/charts/vault-cred/values.yaml
@@ -100,7 +100,7 @@ vaultPolicies:
 data:
 policyName: vault-policy-cluster-admin
 policyData: |
- path "secret/data/cluster/*" {
+ path "secret/data/generic/*" {
 capabilities = ["create","read","update","delete","list"]
 }
 path "auth/kubernetes/login" {
@@ -111,7 +111,7 @@ vaultPolicies:
 data:
 policyName: vault-policy-cluster-read
 policyData: |
- path "secret/data/cluster/*" {
+ path "secret/data/generic/*" {
 capabilities = ["read"]
 }
 path "auth/kubernetes/login" {
diff --git a/internal/job/vault-cred-sync.go b/internal/job/vault-cred-sync.go
index 92098c38..4733248e 100644
--- a/internal/job/vault-cred-sync.go
+++ b/internal/job/vault-cred-sync.go
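Review bot: The key-by-key loop into `cred` is now a verbatim copy of genericCredData.Credential; the removed comment shows it used to assemble two fixed keys, but with the map copied as-is, `cred := maps.Clone(genericCredData.Credential)` (if the module's Go version provides the maps package) or passing the map straight through states the intent and drops the loop. The `+` line that replaces the removed comment is an empty line left over from the deletion rather than intended spacing. The remainder of storeGenericCredential, including the Vault write this map feeds, is outside the hunk.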
@@ -19,8 +19,8 @@ const (
 caDataKey = "ca.pem"
 certDataKey = "cert.crt"
 keyDataKey = "key.key"
- genericCredentialClusterIdKey = "clusterId"
- genericCredentialTokenKey = "token"
+// genericCredentialClusterIdKey = "clusterId"
+// genericCredentialTokenKey = "token"
 serviceCredentialUserNameKey = "userName"
 serviceCredentialPasswordKey = "password"
 )
From 596bbc8fb8c80613d3a81f520ba8723c7def2559 Mon Sep 17 00:00:00 2001
From: Shifna12Zarnaz
Date: Fri, 21 Jul 2023 10:59:41 +0530
Subject: [PATCH 3/6] Changed generic to cluster-cred
---
 charts/vault-cred/values.yaml | 4 ++--
 examples/cred-sync-secert.yaml | 4 ++--
 internal/job/vault-cred-sync.go | 20 ++++++++++----------
 3 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/charts/vault-cred/values.yaml b/charts/vault-cred/values.yaml
index adc54c0a..d1c3953d 100644
--- a/charts/vault-cred/values.yaml
+++ b/charts/vault-cred/values.yaml
@@ -100,7 +100,7 @@ vaultPolicies:
 data:
 policyName: vault-policy-cluster-admin
 policyData: |
- path "secret/data/generic/*" {
+ path "secret/data/cluster-cred/*" {
 capabilities = ["create","read","update","delete","list"]
 }
 path "auth/kubernetes/login" {
@@ -111,7 +111,7 @@ vaultPolicies:
 data:
 policyName: vault-policy-cluster-read
 policyData: |
- path "secret/data/generic/*" {
+ path "secret/data/cluster-cred/*" {
 capabilities = ["read"]
 }
 path "auth/kubernetes/login" {
diff --git a/examples/cred-sync-secert.yaml b/examples/cred-sync-secert.yaml
index cea89ab3..8c5c944f 100644
--- a/examples/cred-sync-secert.yaml
+++ b/examples/cred-sync-secert.yaml
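Review bot: The two constants are commented out at column 0 inside the const block rather than deleted, which leaves dead text that gofmt will re-indent (the const hunk in PATCH 3/6 does exactly that) while git history already preserves the old values. Dropping `// genericCredentialClusterIdKey = "clusterId"` and `// genericCredentialTokenKey = "token"` keeps the block clean. The same leftover lines reappear in the PATCH 3/6 const hunk.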
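Review bot: The admin policy grants create/read/update/delete/list on `secret/data/cluster-cred/*`, but on a KV v2 mount listing is served from the metadata path, so `list` on a `data/` path grants nothing; if listing is intended it needs a separate `path "secret/metadata/cluster-cred/*" { capabilities = ["list"] }`, and if it is not, dropping `list` keeps the policy minimal. This prefix also has to match the Vault path the Go store code writes under, which the series changes by secret-key name only (GENERIC to CLUSTER-CRED) without showing the Vault path, so that is worth confirming. The same path change is made in the cluster-read hunk of this patch and was first made in PATCH 2/6 (generic/*), which this supersedes.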
@@ -4,9 +4,9 @@ data: SERVICE-CRED-1: e2VudGl0eU5hbWU6ZGIsIHVzZXJOYW1lOnRlc3R1c2VyLHBhc3N3b3JkOnRlc3Rwd2R9Cg== # CERTS-: `echo '{"entityName":"customer-client", "certIndetifier":"capten1","caCert":"LS0tLS1CRUdJTiB", "cert": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JS", "key":"LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBL"}' | base64 -w 0` CERTS-1: eyJlbnRpdHlOYW1lIjoiY3VzdG9tZXItY2xpZW50IiwgImNlcnRJbmRldGlmaWVyIjoiY2FwdGVuMSIsImNhQ2VydCI6IkxTMHRMUzFDUlVkSlRpQiIsICJjZXJ0IjogIkxTMHRMUzFDUlVkSlRpQkRSVkpVU1VaSlEwRlVSUzB0TFMwdENrMUpTIiwgImtleSI6IkxTMHRMUzFDUlVkSlRpQlNVMEVnVUZKSlZrRlVSU0JMIn0K + CLUSTER-CRED-1: eyJjcmVkZW50aWFsVHlwZSI6ImNsdXN0ZXItY3JlZCIsImVudGl0eU5hbWUiOiJhc3RyYSIsICJjcmVkSW5kZXRpZmllciI6ImF1dGhUb2tlbiIsICJjcmVkZW50aWFsIjp7ImNsdXN0ZXJJZCI6ICJiN2YxNjQwZS01NDg4LTRmYzQtOTIzMC0xMGY1OGUxOTVlMWEiLCJ0b2tlbiI6IkFzdHJhQ1M6ZFFPVUd5TERyeEJzTEpVUGJkUnF6d0RzOmNlMzUzZDg3ZjE0NGM0NmQ3NDBiNDg4OWNhYTg0MGMwMzI1YWEwZjhiYjIwZWVmODkxYzllZWZiYTA1NTEzMmIifX0K + #GENERIC-1: `echo '{"credentialType":"cluster-cred","entityName":"astra", "credIndetifier":"authToken", "credential":{"clusterId": "b7f1640e-5488-4fc4-9230-10f58e195e1a","token":"AstraCS:dQOUGyLDrxBsLJUPbdRqzwDs:ce353d87f144c46d740b4889caa840c0325aa0f8bb20eef891c9eefba055132b"}}' | base64 -w 0` - #GENERIC-1: `echo '{"credentialType":"cluster","entityName":"astra", "credIndetifier":"authToken", "credential":{"clusterId": "b7f1640e-5488-4fc4-9230-10f58e195e1a","token":"AstraCS:dQOUGyLDrxBsLJUPbdRqzwDs:ce353d87f144c46d740b4889caa840c0325aa0f8bb20eef891c9eefba055132b"}}' | base64 -w 0` - GENERIC-1: eyJjcmVkZW50aWFsVHlwZSI6ImNsdXN0ZXIiLCJlbnRpdHlOYW1lIjoiYXN0cmEiLCAiY3JlZEluZGV0aWZpZXIiOiJhdXRoVG9rZW4iLCAiY3JlZGVudGlhbCI6eyJjbHVzdGVySWQiOiAiYjdmMTY0MGUtNTQ4OC00ZmM0LTkyMzAtMTBmNThlMTk1ZTFhIiwidG9rZW4iOiJBc3RyYUNTOmRRT1VHeUxEcnhCc0xKVVBiZFJxendEczpjZTM1M2Q4N2YxNDRjNDZkNzQwYjQ4ODljYWE4NDBjMDMyNWFhMGY4YmIyMGVlZjg5MWM5ZWVmYmEwNTUxMzJiIn19Cg== kind: Secret metadata: 
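Review bot: The commented helper line is still labelled `#GENERIC-1:` while the key it documents is now `CLUSTER-CRED-1:`, so the comment and the key disagree; rename it to `#CLUSTER-CRED-1:` and place it above the value it explains, as the CERTS entry does. The encoded value and the helper command carry a realistic-looking AstraCS token and cluster id; example files get copied verbatim, so an obviously fake placeholder such as `"token":"<replace-me>"` avoids the value being mistaken for, or left in place as, a live credential, and if that value was ever real it should be rotated.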
diff --git a/internal/job/vault-cred-sync.go b/internal/job/vault-cred-sync.go
index 4733248e..37f13525 100644
--- a/internal/job/vault-cred-sync.go
+++ b/internal/job/vault-cred-sync.go
@@ -13,16 +13,16 @@ import (
 )
 const (
- serviceCredSecretKeyPrefix = "SERVICE-CRED"
- certSecretKeyPrefix = "CERTS"
- genericSecretKeyPrefix = "GENERIC"
- caDataKey = "ca.pem"
- certDataKey = "cert.crt"
- keyDataKey = "key.key"
-// genericCredentialClusterIdKey = "clusterId"
-// genericCredentialTokenKey = "token"
- serviceCredentialUserNameKey = "userName"
- serviceCredentialPasswordKey = "password"
+ serviceCredSecretKeyPrefix = "SERVICE-CRED"
+ certSecretKeyPrefix = "CERTS"
+ genericSecretKeyPrefix = "CLUSTER-CRED"
+ caDataKey = "ca.pem"
+ certDataKey = "cert.crt"
+ keyDataKey = "key.key"
+ // genericCredentialClusterIdKey = "clusterId"
+ // genericCredentialTokenKey = "token"
+ serviceCredentialUserNameKey = "userName"
+ serviceCredentialPasswordKey = "password"
 )
 type CertificateData struct {
From cbf7f27f64d624c06b0b73c936fdf9bf159a2474 Mon Sep 17 00:00:00 2001
From: Shifna12Zarnaz
Date: Thu, 3 Aug 2023 17:04:29 +0530
Subject: [PATCH 4/6] Added informer pkg
---
 internal/client/inform-change.go | 32 ++++++++++++++++++++
 internal/client/k8s.go | 5 +++-
 server/server.go | 51 +++++++++++++++++++++++++++++++-
 3 files changed, 86 insertions(+), 2 deletions(-)
 create mode 100644 internal/client/inform-change.go
diff --git a/internal/client/inform-change.go b/internal/client/inform-change.go
new file mode 100644
index 00000000..b3abf9ef
--- /dev/null
+++ b/internal/client/inform-change.go
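Review bot: `genericSecretKeyPrefix` now holds "CLUSTER-CRED", so the identifier and its value disagree and every use site still reads as generic. Renaming it to `clusterCredSecretKeyPrefix = "CLUSTER-CRED"` (its uses in Run are outside this hunk) or adding `// CLUSTER-CRED entries are decoded as GenericCredential` keeps the two from drifting further. The re-indented commented-out constants below it are still dead text and can simply be deleted.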
@@ -0,0 +1,32 @@
+package client
+
+import (
+ "time"
+
+ "k8s.io/client-go/informers"
+ "k8s.io/client-go/tools/cache"
+)
+
+type AddObjectFunc func(obj interface{})
+type UpdateObjectFunc func(oldObj, newObj interface{})
+type DeleteObjectFunc func(obj interface{})
+
+func (k *K8SClient) RegisterConfigMapChangeHandler(addFunc AddObjectFunc,
+ updateFn UpdateObjectFunc, deleteFunc DeleteObjectFunc) {
+ informerFactory := informers.NewSharedInformerFactory(k.client, time.Second*30)
+ configMapInformer := informerFactory.Core().V1().ConfigMaps().Informer()
+ configMapInformer.AddEventHandler(cache.ResourceEventHandlerFuncs{
+ AddFunc: addFunc,
+ UpdateFunc: updateFn,
+ DeleteFunc: deleteFunc,
+ })
+ k.configMapInformer = configMapInformer
+}
+
+func (k *K8SClient) StartObjectChangeInformer() {
+ stopCh := make(chan struct{})
+ defer close(stopCh)
+ go k.informerFactory.Start(stopCh)
+ k.informerFactory.WaitForCacheSync(stopCh)
+ <-stopCh
+}
diff --git a/internal/client/k8s.go b/internal/client/k8s.go
index ecf4764d..255b1336 100644
--- a/internal/client/k8s.go
+++ b/internal/client/k8s.go
@@ -4,7 +4,7 @@ import (
 "context"
 "strings"
 "time"
-
+ "k8s.io/client-go/tools/cache"
 "github.com/intelops/go-common/logging"
 "github.com/pkg/errors"
 corev1 "k8s.io/api/core/v1"
@@ -12,11 +12,14 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/client-go/kubernetes"
 "k8s.io/client-go/rest"
+ "k8s.io/client-go/informers"
 )
 type K8SClient struct {
 client *kubernetes.Clientset
 log logging.Logger
+ configMapInformer cache.SharedIndexInformer
+ informerFactory informers.SharedInformerFactory
 }
 type ConfigMapData struct {
diff --git a/server/server.go b/server/server.go
index 685f4cec..836da17d 100644
--- a/server/server.go
+++ b/server/server.go
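Review bot: RegisterConfigMapChangeHandler stores the informer but never assigns `k.informerFactory`, so StartObjectChangeInformer calls Start and WaitForCacheSync on a nil interface and panics; add `k.informerFactory = informerFactory`. StartObjectChangeInformer also never returns: stopCh is closed only by the deferred close, which cannot run while the function blocks on `<-stopCh`, so the informer has no stop path and shutdown cannot reach it; taking a context and using ctx.Done() as the stop channel fixes both (needs the context import). The unscoped factory lists and watches ConfigMaps in every namespace, which requires cluster-wide list/watch on configmaps for the service account; if only one namespace matters, `informers.WithNamespace` narrows both the watch and the RBAC needed. Depending on the client-go version, AddEventHandler also returns an error that is dropped here. Both functions are complete within the hunk.
```go
	// … unchanged: factory and informer construction, AddEventHandler …
	k.configMapInformer = configMapInformer
	k.informerFactory = informerFactory // Start/WaitForCacheSync read this field
}

// StartObjectChangeInformer runs the informer until ctx is cancelled.
func (k *K8SClient) StartObjectChangeInformer(ctx context.Context) {
	k.informerFactory.Start(ctx.Done())
	if !cache.WaitForCacheSync(ctx.Done(), k.configMapInformer.HasSynced) {
		return // cancelled before the cache synced
	}
	<-ctx.Done()
}
```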
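Review bot: The `k8s.io/client-go/tools/cache` import replaces the blank line that separated the standard-library group from the third-party imports, and `k8s.io/client-go/informers` is appended after `rest` out of sorted order, so the file is no longer goimports-clean; restoring the blank line and letting goimports place both new imports in the k8s group fixes it. Of the two new K8SClient fields, `informerFactory` is not assigned anywhere in this patch, and nothing documents that it must be populated before StartObjectChangeInformer is called; a field comment `// set by RegisterConfigMapChangeHandler; required before StartObjectChangeInformer` would make the dependency explicit. Both import hunks are complete; the K8SClient struct is complete within the second hunk.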
@@ -7,7 +7,12 @@ import (
 "os/signal"
 "syscall"
+ v1 "k8s.io/api/core/v1"
+ "k8s.io/client-go/util/workqueue"
+
+ "github.com/intelops/vault-cred/internal/client"
 "github.com/intelops/vault-cred/internal/job"
+
 "github.com/intelops/go-common/logging"
 "github.com/intelops/vault-cred/config"
@@ -52,10 +57,11 @@ func Start() {
 s := initScheduler(log, cfg)
 s.Start()
-
+ startConfigMapChangeHandler(log)
 signals := make(chan os.Signal, 1)
 signal.Notify(signals, syscall.SIGINT, syscall.SIGTERM)
 <-signals
+
 s.Stop()
 grpcServer.Stop()
@@ -100,3 +106,46 @@ func initScheduler(log logging.Logger, cfg config.Configuration) (s *job.Schedul
 }
 return
 }
+func startConfigMapChangeHandler(log logging.Logger) {
+ k8sClient,_:=client.NewK8SClient(log)
+ //k8sClient, _ := k8s.NewK8SClient(log)
+ workQueue := workqueue.NewRateLimitingQueue(workqueue.DefaultControllerRateLimiter())
+
+ addFunc := func(obj interface{}) {
+ configMap := obj.(*v1.ConfigMap)
+ fmt.Printf("ConfigMap added: %s\n", configMap.Name)
+ workQueue.Add(configMap.Name)
+ }
+
+ updateFunc := func(oldObj, newObj interface{}) {
+ newConfigMap := newObj.(*v1.ConfigMap)
+ fmt.Printf("ConfigMap updated: %s\n", newConfigMap.Name)
+ workQueue.Add(newConfigMap.Name)
+ }
+
+ deleteFunc := func(obj interface{}) {
+ configMap := obj.(*v1.ConfigMap)
+ fmt.Printf("ConfigMap deleted: %s\n", configMap.Name)
+ workQueue.Add(configMap.Name)
+ }
+
+ k8sClient.RegisterConfigMapChangeHandler(addFunc, updateFunc, deleteFunc)
+ go k8sClient.StartObjectChangeInformer()
+ go processEvents(workQueue)
+}
+func processEvents(workQueue workqueue.RateLimitingInterface) {
+ for {
+ // Retrieve an item from the work queue
+ item, shutdown := workQueue.Get()
+ if shutdown {
+ return
+ }
+
+ // Handle the item (perform your desired actions here)
+ configMapName := item.(string)
+ fmt.Printf("Processing event for ConfigMap: %s\n", configMapName)
+
+ // Mark the item as processed
+ workQueue.Done(item)
+ }
+}
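Review bot: The three handlers assert `obj.(*v1.ConfigMap)` without the ok form; the delete handler in particular can receive a `cache.DeletedFinalStateUnknown` tombstone instead of a ConfigMap, and any mismatch panics inside the informer goroutine and takes the whole server down. The rewrite below checks the type, unwraps the tombstone, logs through the `log` parameter instead of fmt.Printf, and queues `namespace/name` because the informer is not namespace-scoped, so bare names can collide across namespaces (the `cache` package would need importing). The error from client.NewK8SClient is discarded on the first line, so a nil client reaches `k8sClient.RegisterConfigMapChangeHandler`, which PATCH 6/6 only partly addresses. processEvents only prints the item and nothing ever calls `workQueue.ShutDown()`, and neither goroutine started here is stopped when Start() receives SIGINT/SIGTERM in the preceding hunk, so both outlive the shutdown. startConfigMapChangeHandler and processEvents are complete within the hunk.
```go
	addFunc := func(obj interface{}) {
		configMap, ok := obj.(*v1.ConfigMap)
		if !ok {
			log.Errorf("unexpected object %T in add event", obj)
			return
		}
		log.Debugf("ConfigMap added: %s/%s", configMap.Namespace, configMap.Name)
		workQueue.Add(configMap.Namespace + "/" + configMap.Name)
	}
	// … unchanged: updateFunc, with the same ok-check applied to newObj …
	deleteFunc := func(obj interface{}) {
		configMap, ok := obj.(*v1.ConfigMap)
		if !ok {
			// A delete may arrive as a tombstone holding the last known state.
			tombstone, isTombstone := obj.(cache.DeletedFinalStateUnknown)
			if !isTombstone {
				log.Errorf("unexpected object %T in delete event", obj)
				return
			}
			if configMap, ok = tombstone.Obj.(*v1.ConfigMap); !ok {
				log.Errorf("unexpected tombstone content %T", tombstone.Obj)
				return
			}
		}
		log.Debugf("ConfigMap deleted: %s/%s", configMap.Namespace, configMap.Name)
		workQueue.Add(configMap.Namespace + "/" + configMap.Name)
	}
```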
From 97f325b5a7cdd512ce2665b6a7d405c6e492cf47 Mon Sep 17 00:00:00 2001
From: Shifna12Zarnaz
Date: Thu, 3 Aug 2023 20:22:16 +0530
Subject: [PATCH 5/6] Added informer pkg
---
 server/server.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/server/server.go b/server/server.go
index 836da17d..24e62716 100644
--- a/server/server.go
+++ b/server/server.go
@@ -55,15 +55,15 @@ func Start() {
 }
 }()
- s := initScheduler(log, cfg)
- s.Start()
+ //s := initScheduler(log, cfg)
+ //s.Start()
 startConfigMapChangeHandler(log)
 signals := make(chan os.Signal, 1)
 signal.Notify(signals, syscall.SIGINT, syscall.SIGTERM)
 <-signals
- s.Stop()
+ //s.Stop()
 grpcServer.Stop()
 log.Debug("exiting vault-cred server")
 }
From 08ead904e079f1c386cac51938d28a5e79dca672 Mon Sep 17 00:00:00 2001
From: Shifna12Zarnaz
Date: Fri, 4 Aug 2023 11:34:07 +0530
Subject: [PATCH 6/6] Added informer pkg
---
 server/server.go | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/server/server.go b/server/server.go
index 24e62716..439062ce 100644
--- a/server/server.go
+++ b/server/server.go
@@ -12,7 +12,6 @@ import (
 "github.com/intelops/vault-cred/internal/client"
 "github.com/intelops/vault-cred/internal/job"
-
 "github.com/intelops/go-common/logging"
 "github.com/intelops/vault-cred/config"
@@ -57,11 +56,10 @@ func Start() {
 //s := initScheduler(log, cfg)
 //s.Start()
- startConfigMapChangeHandler(log)
+ startConfigMapChangeHandler(log)
 signals := make(chan os.Signal, 1)
 signal.Notify(signals, syscall.SIGINT, syscall.SIGTERM)
 <-signals
- //s.Stop()
 grpcServer.Stop()
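Review bot: Commenting out `s := initScheduler(log, cfg)`, `s.Start()` and `s.Stop()` disables the scheduled vault credential sync job in Start(), so from this commit on the server runs only the ConfigMap informer; if that is a temporary debugging step it should not be merged, and if the job is meant to run alongside the informer the three lines should be restored rather than kept as comments. Removed code is preserved by git history, so commented-out lines only leave the reader unsure whether the job is intentionally off. The PATCH 6/6 hunks on the same function tidy whitespace and drop `//s.Stop()` but do not revisit this. Start() begins and ends outside the hunk.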
@@ -107,7 +105,14 @@ func initScheduler(log logging.Logger, cfg config.Configuration) (s *job.Schedul
 return
 }
 func startConfigMapChangeHandler(log logging.Logger) {
- k8sClient,_:=client.NewK8SClient(log)
+ k8sClient, err := client.NewK8SClient(log)
+ if k8sClient == nil {
+ log.Errorf("K8sClient", k8sClient)
+ }
+
+ if err != nil {
+ log.Errorf("Error while connecting to k8s", k8sClient)
+ }
 //k8sClient, _ := k8s.NewK8SClient(log)
 workQueue := workqueue.NewRateLimitingQueue(workqueue.DefaultControllerRateLimiter())
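Review bot: Both new checks log and then fall through, so when NewK8SClient fails the function continues and dereferences a nil k8sClient at the `k8sClient.RegisterConfigMapChangeHandler` call further down; each branch needs a `return`. `log.Errorf("K8sClient", k8sClient)` and `log.Errorf("Error while connecting to k8s", k8sClient)` pass an argument with no format verb and log the client rather than the error, which go vet flags; `if err != nil { log.Errorf("connecting to k8s: %v", err); return }` covers both cases if NewK8SClient returns a nil client only together with a non-nil error (its contract is not visible here), otherwise keep the nil check with its own return. The commented-out `//k8sClient, _ := k8s.NewK8SClient(log)` line below is stale and can go. The body of startConfigMapChangeHandler continues past the hunk.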