CLOUDP-186806: Move encryption at rest credentials to secrets (#1045)

Move encryption at rest credentials to secrets

Author: igor-karpukhin

pkg/api/v1/encryption_at_rest.go

@@ -4,6 +4,8 @@ import (
 	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/util/compat"
 
 	"go.mongodb.org/atlas/mongodbatlas"
+
+	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/api/v1/common"
 )
 
 // EncryptionAtRest allows to specify the Encryption at Rest for AWS, Azure and GCP providers
@@ -22,6 +24,9 @@ type AwsKms struct {
 	Region              string `json:"region,omitempty"`              // The AWS region in which the AWS customer master key exists: CA_CENTRAL_1, US_EAST_1, US_EAST_2, US_WEST_1, US_WEST_2, SA_EAST_1
 	RoleID              string `json:"roleId,omitempty"`              // ID of an AWS IAM role authorized to manage an AWS customer master key.
 	Valid               *bool  `json:"valid,omitempty"`               // Specifies whether the encryption key set for the provider is valid and may be used to encrypt and decrypt data.
+	// A reference to as Secret containing the AccessKeyID, SecretAccessKey, CustomerMasterKey and RoleID fields
+	// +optional
+	SecretRef common.ResourceRefNamespaced `json:"secretRef,omitempty"`
 }
 
 // AzureKeyVault specifies Azure Key Vault configuration details and whether Encryption at Rest is enabled for an Atlas project.
@@ -35,19 +40,59 @@ type AzureKeyVault struct {
 	KeyIdentifier     string `json:"keyIdentifier,omitempty"`     // The unique identifier of a key in an Azure Key Vault.
 	Secret            string `json:"secret,omitempty"`            // The secret associated with the Azure Key Vault specified by azureKeyVault.tenantID.
 	TenantID          string `json:"tenantID,omitempty"`          // The unique identifier for an Azure AD tenant within an Azure subscription.
+	// A reference to as Secret containing the SubscriptionID, KeyVaultName, KeyIdentifier, Secret fields
+	// +optional
+	SecretRef common.ResourceRefNamespaced `json:"secretRef,omitempty"`
 }
 
 // GoogleCloudKms specifies GCP KMS configuration details and whether Encryption at Rest is enabled for an Atlas project.
 type GoogleCloudKms struct {
 	Enabled              *bool  `json:"enabled,omitempty"`              // Specifies whether Encryption at Rest is enabled for an Atlas project. To disable Encryption at Rest, pass only this parameter with a value of false. When you disable Encryption at Rest, Atlas also removes the configuration details.
 	ServiceAccountKey    string `json:"serviceAccountKey,omitempty"`    // String-formatted JSON object containing GCP KMS credentials from your GCP account.
 	KeyVersionResourceID string `json:"keyVersionResourceID,omitempty"` // 	The Key Version Resource ID from your GCP account.
+	// A reference to as Secret containing the ServiceAccountKey, KeyVersionResourceID fields
+	// +optional
+	SecretRef common.ResourceRefNamespaced `json:"secretRef,omitempty"`
 }
 
 func (e EncryptionAtRest) ToAtlas(projectID string) (*mongodbatlas.EncryptionAtRest, error) {
 	result := &mongodbatlas.EncryptionAtRest{
 		GroupID: projectID,
 	}
+
 	err := compat.JSONCopy(result, e)
 	return result, err
 }
+
+func (a AwsKms) ToAtlas() mongodbatlas.AwsKms {
+	return mongodbatlas.AwsKms{
+		Enabled:             a.Enabled,
+		AccessKeyID:         a.AccessKeyID,
+		SecretAccessKey:     a.SecretAccessKey,
+		RoleID:              a.RoleID,
+		CustomerMasterKeyID: a.CustomerMasterKeyID,
+		Region:              a.Region,
+		Valid:               a.Valid,
+	}
+}
+
+func (g GoogleCloudKms) ToAtlas() mongodbatlas.GoogleCloudKms {
+	return mongodbatlas.GoogleCloudKms{
+		Enabled:              g.Enabled,
+		ServiceAccountKey:    g.ServiceAccountKey,
+		KeyVersionResourceID: g.KeyVersionResourceID,
+	}
+}
+
+func (az AzureKeyVault) ToAtlas() mongodbatlas.AzureKeyVault {
+	return mongodbatlas.AzureKeyVault{
+		Enabled:           az.Enabled,
+		ClientID:          az.ClientID,
+		AzureEnvironment:  az.AzureEnvironment,
+		SubscriptionID:    az.SubscriptionID,
+		ResourceGroupName: az.ResourceGroupName,
+		KeyVaultName:      az.KeyVaultName,
+		KeyIdentifier:     az.KeyIdentifier,
+		TenantID:          az.TenantID,
+	}
+}

pkg/api/v1/zz_generated.deepcopy.go

@@ -264,7 +264,7 @@ func (r *AtlasProjectReconciler) ensureProjectResources(ctx *workflow.Context, p
 	}
 	results = append(results, result)
 
-	if result = ensureEncryptionAtRest(ctx, projectID, project); result.IsOk() {
+	if result = r.ensureEncryptionAtRest(ctx, projectID, project); result.IsOk() {
 		r.EventRecorder.Event(project, "Normal", string(status.EncryptionAtRestReadyType), "")
 	}
 	results = append(results, result)

pkg/controller/atlasproject/atlasproject_controller.go

@@ -5,9 +5,15 @@ import (
 	"fmt"
 	"reflect"
 	"regexp"
+	"strings"
+
+	v1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	mdbv1 "github.com/mongodb/mongodb-atlas-kubernetes/pkg/api/v1"
+	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/api/v1/common"
 	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/api/v1/status"
+	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/controller/watch"
 	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/controller/workflow"
 	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/util/toptr"
 
@@ -18,7 +24,12 @@ const (
 	ObjectIDRegex = "^([a-f0-9]{24})$"
 )
 
-func ensureEncryptionAtRest(ctx *workflow.Context, projectID string, project *mdbv1.AtlasProject) workflow.Result {
+func (r *AtlasProjectReconciler) ensureEncryptionAtRest(ctx *workflow.Context, projectID string, project *mdbv1.AtlasProject) workflow.Result {
+	if err := readEncryptionAtRestSecrets(r.Client, ctx, project.Spec.EncryptionAtRest, project.Namespace); err != nil {
+		ctx.UnsetCondition(status.EncryptionAtRestReadyType)
+		return workflow.Terminate(workflow.ProjectEncryptionAtRestReady, err.Error())
+	}
+
 	result := createOrDeleteEncryptionAtRests(ctx, projectID, project)
 	if !result.IsOk() {
 		ctx.SetConditionFromResult(status.EncryptionAtRestReadyType, result)
@@ -34,6 +45,114 @@ func ensureEncryptionAtRest(ctx *workflow.Context, projectID string, project *md
 	return workflow.OK()
 }
 
+func readEncryptionAtRestSecrets(kubeClient client.Client, service *workflow.Context, encRest *mdbv1.EncryptionAtRest, parentNs string) error {
+	if encRest == nil {
+		return nil
+	}
+
+	if encRest.AwsKms.Enabled != nil && *encRest.AwsKms.Enabled && encRest.AwsKms.SecretRef.Name != "" {
+		watchObj, err := readAndFillAWSSecret(kubeClient, parentNs, &encRest.AwsKms)
+		service.AddResourcesToWatch(*watchObj)
+		if err != nil {
+			return err
+		}
+	}
+
+	if encRest.GoogleCloudKms.Enabled != nil && *encRest.GoogleCloudKms.Enabled && encRest.GoogleCloudKms.SecretRef.Name != "" {
+		watchObj, err := readAndFillGoogleSecret(kubeClient, parentNs, &encRest.GoogleCloudKms)
+		service.AddResourcesToWatch(*watchObj)
+		if err != nil {
+			return err
+		}
+	}
+
+	if encRest.AzureKeyVault.Enabled != nil && *encRest.AzureKeyVault.Enabled && encRest.AzureKeyVault.SecretRef.Name != "" {
+		watchObj, err := readAndFillAzureSecret(kubeClient, parentNs, &encRest.AzureKeyVault)
+		service.AddResourcesToWatch(*watchObj)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func readAndFillAWSSecret(kubeClient client.Client, parentNs string, awsKms *mdbv1.AwsKms) (*watch.WatchedObject, error) {
+	fieldData, watchObj, err := readSecretData(kubeClient, awsKms.SecretRef, parentNs, "CustomerMasterKeyID", "Region", "RoleID")
+	if err != nil {
+		return watchObj, err
+	}
+
+	awsKms.CustomerMasterKeyID = fieldData["CustomerMasterKeyID"]
+	awsKms.Region = fieldData["Region"]
+	awsKms.RoleID = fieldData["RoleID"]
+
+	return watchObj, nil
+}
+
+func readAndFillGoogleSecret(kubeClient client.Client, parentNs string, gkms *mdbv1.GoogleCloudKms) (*watch.WatchedObject, error) {
+	fieldData, watchObj, err := readSecretData(kubeClient, gkms.SecretRef, parentNs, "ServiceAccountKey", "KeyVersionResourceID")
+	if err != nil {
+		return watchObj, err
+	}
+
+	gkms.ServiceAccountKey = fieldData["ServiceAccountKey"]
+	gkms.KeyVersionResourceID = fieldData["KeyVersionResourceID"]
+
+	return watchObj, nil
+}
+
+func readAndFillAzureSecret(kubeClient client.Client, parentNs string, azureVault *mdbv1.AzureKeyVault) (*watch.WatchedObject, error) {
+	fieldData, watchObj, err := readSecretData(kubeClient, azureVault.SecretRef, parentNs, "ClientID", "AzureEnvironment", "SubscriptionID", "ResourceGroupName", "KeyVaultName", "KeyIdentifier")
+	if err != nil {
+		return watchObj, err
+	}
+
+	azureVault.ClientID = fieldData["ClientID"]
+	azureVault.AzureEnvironment = fieldData["AzureEnvironment"]
+	azureVault.SubscriptionID = fieldData["SubscriptionID"]
+	azureVault.ResourceGroupName = fieldData["ResourceGroupName"]
+	azureVault.KeyVaultName = fieldData["KeyVaultName"]
+	azureVault.KeyIdentifier = fieldData["KeyIdentifier"]
+
+	return watchObj, nil
+}
+
+// Return all requested field from a secret
+func readSecretData(kubeClient client.Client, res common.ResourceRefNamespaced, parentNamespace string, fieldNames ...string) (map[string]string, *watch.WatchedObject, error) {
+	secret := &v1.Secret{}
+	var ns string
+	if res.Namespace == "" {
+		ns = parentNamespace
+	} else {
+		ns = res.Namespace
+	}
+
+	result := map[string]string{}
+
+	secretObj := client.ObjectKey{Name: res.Name, Namespace: ns}
+	obj := &watch.WatchedObject{ResourceKind: "Secret", Resource: secretObj}
+
+	if err := kubeClient.Get(context.Background(), secretObj, secret); err != nil {
+		return result, obj, err
+	}
+
+	missingFields := []string{}
+	for i := range fieldNames {
+		val, exists := secret.Data[fieldNames[i]]
+		if !exists || len(val) == 0 {
+			missingFields = append(missingFields, fieldNames[i])
+		}
+		result[fieldNames[i]] = string(val)
+	}
+
+	if len(missingFields) != 0 {
+		return result, obj, fmt.Errorf("the following fields are either missing or their values are empty: %s", strings.Join(missingFields, ", "))
+	}
+
+	return result, obj, nil
+}
+
 func createOrDeleteEncryptionAtRests(ctx *workflow.Context, projectID string, project *mdbv1.AtlasProject) workflow.Result {
 	encryptionAtRestsInAtlas, err := fetchEncryptionAtRests(ctx, projectID)
 	if err != nil {
@@ -202,7 +321,7 @@ func getAwsKMS(project *mdbv1.AtlasProject) (result mongodbatlas.AwsKms) {
 		return
 	}
 
-	result = mongodbatlas.AwsKms(project.Spec.EncryptionAtRest.AwsKms)
+	result = project.Spec.EncryptionAtRest.AwsKms.ToAtlas()
 
 	if (result == mongodbatlas.AwsKms{}) {
 		result.Enabled = toptr.MakePtr(false)
@@ -223,7 +342,7 @@ func getAzureKeyVault(project *mdbv1.AtlasProject) (result mongodbatlas.AzureKey
 		return
 	}
 
-	result = mongodbatlas.AzureKeyVault(project.Spec.EncryptionAtRest.AzureKeyVault)
+	result = project.Spec.EncryptionAtRest.AzureKeyVault.ToAtlas()
 
 	if (result == mongodbatlas.AzureKeyVault{}) {
 		result.Enabled = toptr.MakePtr(false)
@@ -237,7 +356,7 @@ func getGoogleCloudKms(project *mdbv1.AtlasProject) (result mongodbatlas.GoogleC
 		return
 	}
 
-	result = mongodbatlas.GoogleCloudKms(project.Spec.EncryptionAtRest.GoogleCloudKms)
+	result = project.Spec.EncryptionAtRest.GoogleCloudKms.ToAtlas()
 
 	if (result == mongodbatlas.GoogleCloudKms{}) {
 		result.Enabled = toptr.MakePtr(false)