Merge pull request #466 from kube-tarian/business-secret-store

create app role token and cluster secret store for business cluster

Author: vramk23

capten/common-pkg/k8s/external_secret.go

@@ -57,8 +57,9 @@ type SecretStoreSpec struct {
 }
 
 type SecretKeySelector struct {
-	Name string `yaml:"name,omitempty"`
-	Key  string `yaml:"key,omitempty"`
+	Namespace string `yaml:"namespace,omitempty"`
+	Name      string `yaml:"name,omitempty"`
+	Key       string `yaml:"key,omitempty"`
 }
 
 type VaultAuth struct {
@@ -88,10 +89,9 @@ func (k *K8SClient) CreateOrUpdateSecretStore(ctx context.Context, secretStoreNa
 	tokenSecretName, tokenSecretKey string) (err error) {
 	secretStore := SecretStore{
 		APIVersion: "external-secrets.io/v1beta1",
-		Kind:       "SecretStore",
+		Kind:       "ClusterSecretStore",
 		Metadata: ObjectMeta{
-			Name:      secretStoreName,
-			Namespace: namespace,
+			Name: secretStoreName,
 		},
 		Spec: SecretStoreSpec{
 			RefreshInterval: 10,
@@ -102,8 +102,9 @@ func (k *K8SClient) CreateOrUpdateSecretStore(ctx context.Context, secretStoreNa
 					Version: "v2",
 					Auth: VaultAuth{
 						TokenSecretRef: &SecretKeySelector{
-							Key:  tokenSecretKey,
-							Name: tokenSecretName,
+							Key:       tokenSecretKey,
+							Name:      tokenSecretName,
+							Namespace: namespace,
 						},
 					},
 				},
@@ -152,7 +153,7 @@ func (k *K8SClient) CreateOrUpdateExternalSecret(ctx context.Context, externalSe
 				Template: ExternalSecretTargetTemplate{Type: secretType}},
 			SecretStoreRef: SecretStoreRef{
 				Name: secretStoreRefName,
-				Kind: "SecretStore",
+				Kind: "ClusterSecretStore",
 			},
 			Data: secretKeysData,
 		},

capten/config-worker/internal/crossplane/config_cluster_secrets.go

@@ -13,21 +13,15 @@ var (
 	vaultAppRoleTokenSecret = "approle-vault-token"
 	vaultAddress            = "http://vault.%s"
 	cluserAppRoleName       = "capten-approle-%s"
-	secretStoreName         = "approle-vault-store"
+	secretStoreName         = "capten-vault-store"
 )
 
 func (cp *CrossPlaneApp) configureExternalSecretsOnCluster(ctx context.Context,
-	clusterName, clusterID string, extSecrets []clusterExternalSecret) error {
+	clusterName, clusterID string, appRoleTokenPaths []string, extSecrets []clusterExternalSecret) error {
 	logger.Infof("configure external secrets for cluster %s/%s", clusterName, clusterID)
 
-	credentialPaths, namespaces := getUniqueSecretPathsAndNamespaces(extSecrets)
-	if len(namespaces) == 0 {
-		logger.Infof("no external secrets defined for cluster %s/%s", clusterName, clusterID)
-		return nil
-	}
-
 	cluserAppRoleNameStr := fmt.Sprintf(cluserAppRoleName, clusterName)
-	token, err := vaultcred.GetAppRoleToken(cluserAppRoleNameStr, credentialPaths)
+	token, err := vaultcred.GetAppRoleToken(cluserAppRoleNameStr, appRoleTokenPaths)
 	if err != nil {
 		return err
 	}
@@ -38,24 +32,27 @@ func (cp *CrossPlaneApp) configureExternalSecretsOnCluster(ctx context.Context,
 		return fmt.Errorf("failed to initalize k8s client, %v", err)
 	}
 
+	namespace := "capten"
 	vaultAddressStr := fmt.Sprintf(vaultAddress, cp.cfg.DomainName)
+	err = k8sclient.CreateNamespace(ctx, namespace)
+	if err != nil {
+		logger.Infof("failed to create namespace %s, %v", namespace, err)
+	}
 
-	for _, namespace := range namespaces {
-		cred := map[string][]byte{"token": []byte(token)}
-		err = k8sclient.CreateOrUpdateSecret(ctx, namespace, vaultAppRoleTokenSecret, v1.SecretTypeOpaque, cred, nil)
-		if err != nil {
-			logger.Infof("failed to create cluter vault token secret %s/%s, %v", namespace, vaultAppRoleTokenSecret, err)
-			continue
-		}
+	cred := map[string][]byte{"token": []byte(token)}
+	err = k8sclient.CreateOrUpdateSecret(ctx, namespace, vaultAppRoleTokenSecret, v1.SecretTypeOpaque, cred, nil)
+	if err != nil {
+		logger.Infof("failed to create cluter vault token secret %s/%s, %v", namespace, vaultAppRoleTokenSecret, err)
+	}
 
-		err := k8sclient.CreateOrUpdateSecretStore(ctx, secretStoreName, namespace,
-			vaultAddressStr, vaultAppRoleTokenSecret, "token")
-		if err != nil {
-			return fmt.Errorf("failed to create cluter vault token secret, %v", err)
-		}
-		logger.Infof("created %s/%s on cluster cluster %s", namespace, secretStoreName, clusterName)
+	err = k8sclient.CreateOrUpdateSecretStore(ctx, secretStoreName, namespace,
+		vaultAddressStr, vaultAppRoleTokenSecret, "token")
+	if err != nil {
+		return fmt.Errorf("failed to create cluter vault token secret, %v", err)
 	}
 
+	logger.Infof("created %s on cluster cluster %s", secretStoreName, secretStoreName, clusterName)
+
 	for _, extSecret := range extSecrets {
 		externalSecretName := "external-" + extSecret.SecretName
 		vaultSecretData := map[string]string{}
@@ -72,25 +69,3 @@ func (cp *CrossPlaneApp) configureExternalSecretsOnCluster(ctx context.Context,
 	}
 	return nil
 }
-
-func getUniqueSecretPathsAndNamespaces(extSecrets []clusterExternalSecret) ([]string, []string) {
-	credentialPaths := map[string]bool{}
-	namspaces := map[string]bool{}
-	for _, extSecret := range extSecrets {
-		for _, secretData := range extSecret.VaultSecrets {
-			credentialPaths[secretData.SecretPath] = true
-		}
-		namspaces[extSecret.Namespace] = true
-	}
-	return getKeysFromBoolMap(credentialPaths), getKeysFromBoolMap(namspaces)
-}
-
-func getKeysFromBoolMap(inputMap map[string]bool) []string {
-	var keys []string
-
-	for key := range inputMap {
-		keys = append(keys, key)
-	}
-
-	return keys
-}

capten/config-worker/internal/crossplane/config_cluster_updates.go

@@ -123,6 +123,7 @@ func (cp *CrossPlaneApp) configureClusterUpdate(ctx context.Context, req *model.
 	}
 
 	err = cp.configureExternalSecretsOnCluster(ctx, req.ManagedClusterName, req.ManagedClusterId,
+		cp.pluginConfig.ClusterEndpointUpdates.AppRoleTokenVaultPaths,
 		cp.pluginConfig.ClusterEndpointUpdates.ExternalSecrets)
 	if err != nil {
 		logger.Errorf("%v", errors.WithMessage(err, "failed to create cluster secrets"))

capten/config-worker/internal/crossplane/types.go

@@ -12,6 +12,7 @@ type clusterUpdateConfig struct {
 	DefaultAppListFile          string                  `json:"defaultAppListFile"`
 	DefaultAppValuesPath        string                  `json:"defaultAppValuesPath"`
 	ClusterDefaultAppValuesPath string                  `json:"clusterDefaultAppValuesPath"`
+	AppRoleTokenVaultPaths      []string                `json:"appRoleTokenVaultPaths"`
 	ExternalSecrets             []clusterExternalSecret `json:"externalSecrets"`
 }
 

charts/kad/Chart.yaml

@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.20
+version: 0.2.21
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.28.2"
+appVersion: "1.28.3"

charts/kad/crossplane_plugin_config.json

@@ -13,6 +13,11 @@
     "defaultAppListFile": "default-apps-templates/app_list.yaml",
     "defaultAppValuesPath": "default-apps-templates/values",
     "clusterDefaultAppValuesPath": "infra/clusters/app-configs",
+    "appRoleTokenVaultPaths":[
+      "generic/cosign/signer",
+      "generic/nats/auth-token",
+      "generic/container-registry/*"
+    ],
     "externalSecrets": [
       {
       "namespace": "observability",
@@ -33,8 +38,7 @@
           "secretPath": "generic/cosign/signer"
       }
       ]
-      },
-      
+      },      
       {
       "namespace": "ml-server",
       "secretName": "regcred-ghcr",