add ingress basic-auth secret generator (#26)

* add ingress basic-auth secret generator

* add docs for basic-auth generator

* fix ci

* fix copy-and-paste

Author: hensur

.github/workflows/workflow.yml

@@ -11,18 +11,18 @@ on:
 
 env:
   KUBECONFIG: /tmp/kubeconfig
-  OPERATOR_SDK_VERSION: v0.16.0
+  OPERATOR_SDK_VERSION: v0.18.2
   IMAGE_NAME: quay.io/mittwald/kubernetes-secret-generator
 
 jobs:
   test:
     name: Test
     runs-on: ubuntu-latest
     steps:
-      - name: Set up Go 1.13
+      - name: Set up Go 1.15
         uses: actions/setup-go@v1
         with:
-          go-version: 1.13
+          go-version: 1.15
         id: go
 
       - name: Check out code into the Go module directory
@@ -59,10 +59,10 @@ jobs:
     name: Build Image
     runs-on: ubuntu-latest
     steps:
-      - name: Set up Go 1.13
+      - name: Set up Go 1.15
         uses: actions/setup-go@v1
         with:
-          go-version: 1.13
+          go-version: 1.15
         id: go
 
       - name: Check out code into the Go module directory
@@ -80,10 +80,10 @@ jobs:
     needs: ['test', 'build']
     if: github.ref == 'refs/heads/master'
     steps:
-      - name: Set up Go 1.13
+      - name: Set up Go 1.15
         uses: actions/setup-go@v1
         with:
-          go-version: 1.13
+          go-version: 1.15
         id: go
 
       - name: Registry Login
@@ -107,10 +107,10 @@ jobs:
     needs: ['test', 'build']
     if: startsWith(github.ref, 'refs/tags/v')
     steps:
-      - name: Set up Go 1.13
+      - name: Set up Go 1.15
         uses: actions/setup-go@v1
         with:
-          go-version: 1.13
+          go-version: 1.15
         id: go
 
       - name: Registry Login

Makefile

@@ -34,7 +34,7 @@ fmt:
 .PHONY: kind
 kind: ## Create a kind cluster to test against
 	kind create cluster --name kind-k8s-secret-generator
-	kind get kubeconfig --internal --name kind-k8s-secret-generator | tee ${KUBECONFIG}
+	kind get kubeconfig --name kind-k8s-secret-generator | tee ${KUBECONFIG}
 
 .PHONY: build
 build:

README.md

@@ -129,6 +129,41 @@ data:
   ssh-privatekey: LS0tLS1CRUdJTi...
 ```
 
+### Ingress Basic Auth
+
+To generate Ingress Basic Auth credentials, the `secret-generator.v1.mittwald.de/type` annotation **has** to be present on the kubernetes secret object.
+
+The operator will then add three keys to the secret object.
+The ingress will interpret the `auth` key as a htpasswd entry. This entry contains the username, and the hashed generated password for the user.
+The operator also stores the username and cleartext password in the `username` and `password` keys.
+
+If a username other than `admin` is desired, it can be specified using the `secret-generator.v1.mittwald.de/basic-auth-username` annotation.
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    secret-generator.v1.mittwald.de/type: basic-auth
+data: {}
+```
+
+after reconciliation:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    secret-generator.v1.mittwald.de/type: basic-auth
+    secret-generator.v1.mittwald.de/autogenerate-generated-at: "2020-04-03T14:07:47+02:00"
+type: Opaque
+data:
+  username: admin
+  password: test123
+  auth: "admin:PASSWORD_HASH"
+```
+
 ## Operational tasks
 
 -   Regenerate all automatically generated secrets:

pkg/controller/secret/secret_basic_auth.go

@@ -0,0 +1,58 @@
+package secret
+
+import (
+	"github.com/go-logr/logr"
+	corev1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"time"
+
+	"golang.org/x/crypto/bcrypt"
+)
+
+// Ingress basic auth secret field
+const SecretFieldBasicAuthIngress = "auth"
+const SecretFieldBasicAuthUsername = "username"
+const SecretFieldBasicAuthPassword = "password"
+
+type BasicAuthGenerator struct {
+	log logr.Logger
+}
+
+func (bg BasicAuthGenerator) generateData(instance *corev1.Secret) (reconcile.Result, error) {
+	existingAuth := string(instance.Data[SecretFieldBasicAuthIngress])
+
+	regenerate := instance.Annotations[AnnotationSecretRegenerate] != ""
+
+	if len(existingAuth) > 0 && !regenerate {
+		return reconcile.Result{}, nil
+	}
+	delete(instance.Annotations, AnnotationSecretRegenerate)
+
+	// if no username is given, fall back to "admin"
+	username := instance.Annotations[AnnotationBasicAuthUsername]
+	if username == "" {
+		username = "admin"
+	}
+
+	length, err := secretLengthFromAnnotation(secretLength(), instance.Annotations)
+	if err != nil {
+		return reconcile.Result{}, err
+	}
+
+	password, err := generateRandomString(length)
+	if err != nil {
+		bg.log.Error(err, "could not generate new random string")
+		return reconcile.Result{RequeueAfter: time.Second * 30}, err
+	}
+
+	passwordHash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+	if err != nil {
+		bg.log.Error(err, "could not hash random string")
+		return reconcile.Result{RequeueAfter: time.Second * 30}, err
+	}
+
+	instance.Data[SecretFieldBasicAuthIngress] = append([]byte(username+":"), passwordHash...)
+	instance.Data[SecretFieldBasicAuthUsername] = []byte(username)
+	instance.Data[SecretFieldBasicAuthPassword] = []byte(password)
+	return reconcile.Result{}, nil
+}

pkg/controller/secret/secret_basic_auth_test.go

@@ -0,0 +1,174 @@
+package secret
+
+import (
+	"context"
+	"github.com/imdario/mergo"
+	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"strings"
+	"testing"
+)
+
+func newBasicAuthTestSecret(extraAnnotations map[string]string) *corev1.Secret {
+	annotations := map[string]string{
+		AnnotationSecretType: string(SecretTypeBasicAuth),
+	}
+
+	if extraAnnotations != nil {
+		if err := mergo.Merge(&annotations, extraAnnotations, mergo.WithOverride); err != nil {
+			panic(err)
+		}
+	}
+
+	s := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      getSecretName(),
+			Namespace: "default",
+			Labels: map[string]string{
+				labelSecretGeneratorTest: "yes",
+			},
+			Annotations: annotations,
+		},
+		Type: corev1.SecretTypeOpaque,
+		Data: map[string][]byte{},
+	}
+
+	return s
+}
+
+// verify basic fields of the secret are present
+func verifyBasicAuthSecret(t *testing.T, in, out *corev1.Secret) {
+	if out.Annotations[AnnotationSecretType] != string(SecretTypeBasicAuth) {
+		t.Errorf("generated secret has wrong type %s on  %s annotation", out.Annotations[AnnotationSecretType], AnnotationSecretType)
+	}
+
+	_, wasGenerated := in.Annotations[AnnotationSecretAutoGeneratedAt]
+
+	auth := out.Data[SecretFieldBasicAuthIngress]
+	password := out.Data[SecretFieldBasicAuthPassword]
+
+	// check if password has been saved in clear text
+	// and has correct length (if the secret has actually been generated)
+	if !wasGenerated && (len(password) == 0 || len(password) != desiredLength(in)) {
+		t.Errorf("generated field has wrong length of %d", len(password))
+	}
+
+	// check if auth field has been generated (with separator)
+	if len(auth) == 0 || !strings.Contains(string(auth), ":") {
+		t.Errorf("auth field has wrong or no values %s", string(auth))
+	}
+
+	if _, ok := out.Annotations[AnnotationSecretAutoGeneratedAt]; !ok {
+		t.Errorf("secret has no %s annotation", AnnotationSecretAutoGeneratedAt)
+	}
+}
+
+func TestGenerateBasicAuthWithoutUsername(t *testing.T) {
+	in := newBasicAuthTestSecret(map[string]string{})
+	require.NoError(t, mgr.GetClient().Create(context.TODO(), in))
+
+	doReconcile(t, in, false)
+
+	out := &corev1.Secret{}
+	require.NoError(t, mgr.GetClient().Get(context.TODO(), client.ObjectKey{
+		Name:      in.Name,
+		Namespace: in.Namespace}, out))
+
+	verifyBasicAuthSecret(t, in, out)
+	require.Equal(t, "admin", string(out.Data[SecretFieldBasicAuthUsername]))
+}
+
+func TestGenerateBasicAuthWithUsername(t *testing.T) {
+	in := newBasicAuthTestSecret(map[string]string{
+		AnnotationBasicAuthUsername: "test123",
+	})
+	require.NoError(t, mgr.GetClient().Create(context.TODO(), in))
+
+	doReconcile(t, in, false)
+
+	out := &corev1.Secret{}
+	require.NoError(t, mgr.GetClient().Get(context.TODO(), client.ObjectKey{
+		Name:      in.Name,
+		Namespace: in.Namespace}, out))
+
+	verifyBasicAuthSecret(t, in, out)
+	require.Equal(t, "test123", string(out.Data[SecretFieldBasicAuthUsername]))
+}
+
+func TestGenerateBasicAuthRegenerate(t *testing.T) {
+	in := newBasicAuthTestSecret(map[string]string{
+		AnnotationBasicAuthUsername: "test123",
+	})
+	require.NoError(t, mgr.GetClient().Create(context.TODO(), in))
+
+	doReconcile(t, in, false)
+
+	out := &corev1.Secret{}
+	require.NoError(t, mgr.GetClient().Get(context.TODO(), client.ObjectKey{
+		Name:      in.Name,
+		Namespace: in.Namespace}, out))
+
+	verifyBasicAuthSecret(t, in, out)
+	require.Equal(t, "test123", string(out.Data[SecretFieldBasicAuthUsername]))
+	oldPassword := string(out.Data[SecretFieldBasicAuthPassword])
+	oldAuth := string(out.Data[SecretFieldBasicAuthIngress])
+
+	// force regenerate
+	out.Annotations[AnnotationSecretRegenerate] = "yes"
+	require.NoError(t, mgr.GetClient().Update(context.TODO(), out))
+
+	doReconcile(t, out, false)
+
+	outNew := &corev1.Secret{}
+	require.NoError(t, mgr.GetClient().Get(context.TODO(), client.ObjectKey{
+		Name:      in.Name,
+		Namespace: in.Namespace}, outNew))
+	newPassword := string(outNew.Data[SecretFieldBasicAuthPassword])
+	newAuth := string(outNew.Data[SecretFieldBasicAuthIngress])
+
+	if oldPassword == newPassword {
+		t.Errorf("secret has not been updated")
+	}
+
+	if oldAuth == newAuth {
+		t.Errorf("secret has not been updated")
+	}
+}
+
+func TestGenerateBasicAuthNoRegenerate(t *testing.T) {
+	in := newBasicAuthTestSecret(map[string]string{
+		AnnotationBasicAuthUsername: "test123",
+	})
+	require.NoError(t, mgr.GetClient().Create(context.TODO(), in))
+
+	doReconcile(t, in, false)
+
+	out := &corev1.Secret{}
+	require.NoError(t, mgr.GetClient().Get(context.TODO(), client.ObjectKey{
+		Name:      in.Name,
+		Namespace: in.Namespace}, out))
+
+	verifyBasicAuthSecret(t, in, out)
+	require.Equal(t, "test123", string(out.Data[SecretFieldBasicAuthUsername]))
+	oldPassword := string(out.Data[SecretFieldBasicAuthPassword])
+	oldAuth := string(out.Data[SecretFieldBasicAuthIngress])
+
+	doReconcile(t, in, false)
+
+	outNew := &corev1.Secret{}
+	require.NoError(t, mgr.GetClient().Get(context.TODO(), client.ObjectKey{
+		Name:      in.Name,
+		Namespace: in.Namespace}, outNew))
+	newPassword := string(out.Data[SecretFieldBasicAuthPassword])
+	newAuth := string(out.Data[SecretFieldBasicAuthIngress])
+
+	if oldPassword != newPassword {
+		t.Errorf("secret has been updated")
+	}
+
+	if oldAuth != newAuth {
+		t.Errorf("secret has been updated")
+	}
+}

pkg/controller/secret/secret_controller.go

@@ -125,6 +125,10 @@ func (r *ReconcileSecret) Reconcile(request reconcile.Request) (reconcile.Result
 		generator = StringGenerator{
 			log: reqLogger.WithValues("type", SecretTypeString),
 		}
+	case SecretTypeBasicAuth:
+		generator = BasicAuthGenerator{
+			log: reqLogger.WithValues("type", SecretTypeBasicAuth),
+		}
 	}
 
 	res, err := generator.generateData(desired)

pkg/controller/secret/secret_string.go

@@ -16,7 +16,7 @@ type StringGenerator struct {
 }
 
 func (pg StringGenerator) generateData(instance *corev1.Secret) (reconcile.Result, error) {
-	toGenerate := instance.Annotations[AnnotationSecretAutoGenerate] // won't generate anything if annotation is not set
+	toGenerate := instance.Annotations[AnnotationSecretAutoGenerate]
 
 	genKeys := strings.Split(toGenerate, ",")
 
@@ -55,7 +55,7 @@ func (pg StringGenerator) generateData(instance *corev1.Secret) (reconcile.Resul
 
 		value, err := generateRandomString(length)
 		if err != nil {
-			pg.log.Error(err, "could not generate new instance")
+			pg.log.Error(err, "could not generate new random string")
 			return reconcile.Result{RequeueAfter: time.Second * 30}, err
 		}
 

pkg/controller/secret/types.go

@@ -13,19 +13,22 @@ const (
 	AnnotationSecretSecure          = "secret-generator.v1.mittwald.de/secure"
 	AnnotationSecretType            = "secret-generator.v1.mittwald.de/type"
 	AnnotationSecretLength          = "secret-generator.v1.mittwald.de/length"
+	AnnotationBasicAuthUsername     = "secret-generator.v1.mittwald.de/basic-auth-username"
 )
 
 type SecretType string
 
 const (
 	SecretTypeString     SecretType = "string"
 	SecretTypeSSHKeypair SecretType = "ssh-keypair"
+	SecretTypeBasicAuth  SecretType = "basic-auth"
 )
 
 func (st SecretType) Validate() error {
 	switch st {
 	case SecretTypeString,
-		SecretTypeSSHKeypair:
+		SecretTypeSSHKeypair,
+		SecretTypeBasicAuth:
 		return nil
 	}
 	return fmt.Errorf("%s is not a valid secret type", st)