Fixed encryption at REST aws.roleID (#987)

igor-karpukhin · web-flow · commit b6390a7b671c · 2023-06-19T10:05:34.000+02:00
Fixed encryption at rest aws.roleID. Added missing permissions for DataFederations
diff --git a/Makefile b/Makefile
@@ -107,8 +107,8 @@ e2e-openshift-upgrade:
 
 .PHONY: manager
 manager: generate fmt vet ## Build manager binary
-	@echo "Building operator with version $(VERSION)"
-	 GOOS=$(TARGET_OS) GOARCH=$(TARGET_ARCH) go build -o bin/manager -ldflags="-X github.com/mongodb/mongodb-atlas-kubernetes/pkg/version.Version=$(VERSION)" cmd/manager/main.go
+	@echo "Building operator with version $(VERSION); $(TARGET_OS) - $(TARGET_ARCH)}"
+	CGO_ENABLED=0 GOOS=$(TARGET_OS) GOARCH=$(TARGET_ARCH) go build -o bin/manager -ldflags="-X github.com/mongodb/mongodb-atlas-kubernetes/pkg/version.Version=$(VERSION)" cmd/manager/main.go
 
 .PHONY: run
 run: generate fmt vet manifests ## Run against the configured Kubernetes cluster in ~/.kube/config
diff --git a/PROJECT b/PROJECT
@@ -61,4 +61,13 @@ resources:
   kind: AtlasTeam
   path: github.com/mongodb/mongodb-atlas-kubernetes/api/v1
   version: v1
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: mongodb.com
+  group: atlas
+  kind: AtlasDataFederation
+  path: github.com/mongodb/mongodb-atlas-kubernetes/api/v1
+  version: v1
 version: "3"
diff --git a/config/crd/bases/atlas.mongodb.com_atlasdatafederations.yaml b/config/crd/bases/atlas.mongodb.com_atlasdatafederations.yaml
@@ -15,9 +15,15 @@ spec:
     singular: atlasdatafederation
   scope: Namespaced
   versions:
-  - name: v1
+  - additionalPrinterColumns:
+    - jsonPath: .spec.name
+      name: Name
+      type: string
+    name: v1
     schema:
       openAPIV3Schema:
+        description: AtlasDataFederation is the Schema for the Atlas Data Federation
+          API
         properties:
           apiVersion:
             description: 'APIVersion defines the versioned schema of this representation
diff --git a/config/crd/patches/cainjection_in_atlasdatafederation.yaml b/config/crd/patches/cainjection_in_atlasdatafederation.yaml
@@ -0,0 +1,8 @@
+# The following patch adds a directive for certmanager to inject CA into the CRD
+# CRD conversion requires k8s 1.13 or later.
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+  name: atlasdatafederations.atlas.mongodb.com
diff --git a/config/crd/patches/webhook_in_atlasdatafederations.yaml b/config/crd/patches/webhook_in_atlasdatafederations.yaml
@@ -0,0 +1,17 @@
+# The following patch enables conversion webhook for CRD
+# CRD conversion requires k8s 1.13 or later.
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: atlasdatafederations.atlas.mongodb.com
+spec:
+  conversion:
+    strategy: Webhook
+    webhookClientConfig:
+      # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank,
+      # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager)
+      caBundle: Cg==
+      service:
+        namespace: system
+        name: webhook-service
+        path: /convert
diff --git a/config/samples/atlas_v1_atlasdatafederation.yaml b/config/samples/atlas_v1_atlasdatafederation.yaml
@@ -0,0 +1,27 @@
+apiVersion: atlas.mongodb.com/v1
+kind: AtlasDataFederation
+metadata:
+  name: my-data-federation
+  namespace: mongodb-atlas-system
+spec:
+  projectRef:
+    name: my-project 
+    namespace: mongodb-atlas-system
+  name: my-data-federation
+  privateEndpoints:
+    - endpointId: vpce-03f9eeaa764e32454
+      provider: AWS
+      type: DATA_LAKE
+  storage:
+    stores:
+      - name: http-test
+        provider: http
+    databases:
+      - name: test-db-1
+        collections:
+          - name: test-collection-1
+            dataSources:
+              - storeName: http-test
+                urls:
+                  - https://data.cityofnewyork.us/api/views/vfnx-vebw/rows.csv
+
diff --git a/helm-charts b/helm-charts
@@ -1 +1 @@
-Subproject commit c5797a1eeca33e586d3f9f54ce9686bbe50e67c5
+Subproject commit 50bd0ec1a6a148a63cb98e3f4d7377d111a0f1c8
diff --git a/pkg/api/v1/atlasdatafederation_types.go b/pkg/api/v1/atlasdatafederation_types.go
@@ -1,3 +1,19 @@
+/*
+Copyright 2020 MongoDB.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
 package v1
 
 import (
@@ -115,10 +131,7 @@ func (pe DataFederationPE) Identifier() interface{} {
 // +kubebuilder:subresource:status
 // +groupName:=atlas.mongodb.com
 
-// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +kubebuilder:object:root=true
-// +kubebuilder:subresource:status
-
+// AtlasDataFederation is the Schema for the Atlas Data Federation API
 type AtlasDataFederation struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
diff --git a/pkg/api/v1/atlasdatafederation_types_test.go b/pkg/api/v1/atlasdatafederation_types_test.go
diff --git a/pkg/controller/atlasproject/encryption_at_rest.go b/pkg/controller/atlasproject/encryption_at_rest.go
@@ -2,7 +2,9 @@ package atlasproject
 
 import (
 	"context"
+	"fmt"
 	"reflect"
+	"regexp"
 
 	mdbv1 "github.com/mongodb/mongodb-atlas-kubernetes/pkg/api/v1"
 	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/api/v1/status"
@@ -12,6 +14,10 @@ import (
 	"go.mongodb.org/atlas/mongodbatlas"
 )
 
+const (
+	ObjectIDRegex = "^([a-f0-9]{24})$"
+)
+
 func ensureEncryptionAtRest(ctx *workflow.Context, projectID string, project *mdbv1.AtlasProject) workflow.Result {
 	result := createOrDeleteEncryptionAtRests(ctx, projectID, project)
 	if !result.IsOk() {
@@ -67,13 +73,45 @@ func syncEncryptionAtRestsInAtlas(ctx *workflow.Context, projectID string, proje
 		GoogleCloudKms: getGoogleCloudKms(project),
 	}
 
+	if err := normalizeAwsKms(ctx, projectID, &requestBody.AwsKms); err != nil {
+		return err
+	}
+
 	if _, _, err := ctx.Client.EncryptionsAtRest.Create(context.Background(), &requestBody); err != nil { // Create() sends PATCH request
 		return err
 	}
 
 	return nil
 }
 
+func normalizeAwsKms(ctx *workflow.Context, projectID string, awsKms *mongodbatlas.AwsKms) error {
+	// verify if role ID is set as AtlasObjectID
+	matched, err := regexp.MatchString(ObjectIDRegex, awsKms.RoleID)
+	if err != nil {
+		ctx.Log.Debugf("normalizing aws kms roleID failed: %v", err)
+		return err
+	}
+	if matched {
+		return nil
+	}
+
+	// assume that role ID is set as AWS ARN
+	resp, _, err := ctx.Client.CloudProviderAccess.ListRoles(context.Background(), projectID)
+	if err != nil {
+		return err
+	}
+
+	for _, role := range resp.AWSIAMRoles {
+		if role.IAMAssumedRoleARN == awsKms.RoleID {
+			awsKms.RoleID = role.RoleID
+			return nil
+		}
+	}
+
+	ctx.Log.Debugf("no match for provided AWS RoleID ARN: '%s'. Is the CPA configured for the project?", awsKms.RoleID)
+	return fmt.Errorf("can not use '%s' aws roleID for encryption at rest. AWS ARN not configured as Cloud Provider Access", awsKms.RoleID)
+}
+
 func AtlasInSync(atlas *mongodbatlas.EncryptionAtRest, spec *mdbv1.EncryptionAtRest) (bool, error) {
 	if IsEncryptionAtlasEmpty(atlas) && IsEncryptionSpecEmpty(spec) {
 		return true, nil
diff --git a/scripts/e2e_local.sh b/scripts/e2e_local.sh
@@ -33,6 +33,8 @@ if [[ "${build}" == "true" ]]; then
     docker push "${bundle_image}"
 fi
 
+kubectl apply -f deploy/crds
+
 export MCLI_OPS_MANAGER_URL="https://cloud-qa.mongodb.com/"
 export MCLI_PUBLIC_API_KEY="${public_key}"
 export MCLI_PRIVATE_API_KEY="${private_key}"
diff --git a/test/e2e/encryption_at_rest_test.go b/test/e2e/encryption_at_rest_test.go
@@ -3,8 +3,10 @@ package e2e_test
 import (
 	"time"
 
+	"github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
+	"go.mongodb.org/atlas/mongodbatlas"
 	"k8s.io/apimachinery/pkg/types"
 
 	v1 "github.com/mongodb/mongodb-atlas-kubernetes/pkg/api/v1"
@@ -20,7 +22,7 @@ import (
 	"github.com/mongodb/mongodb-atlas-kubernetes/test/e2e/utils"
 )
 
-var _ = Describe("UserLogin", Label("encryption-at-rest"), func() {
+var _ = Describe("Encryption at REST test", Label("encryption-at-rest"), func() {
 	var testData *model.TestDataProvider
 
 	_ = BeforeEach(func() {
@@ -45,7 +47,7 @@ var _ = Describe("UserLogin", Label("encryption-at-rest"), func() {
 		})
 	})
 
-	DescribeTable("Namespaced operators working only with its own namespace with different configuration",
+	DescribeTable("Encryption at rest for AWS, GCP, Azure",
 		func(test *model.TestDataProvider, encAtRest v1.EncryptionAtRest, roles []cloudaccess.Role) {
 			testData = test
 			actions.ProjectCreationFlow(test)
@@ -182,3 +184,113 @@ func checkIfEncryptionsAreDisabled(projectID string) (areEmpty bool, err error)
 
 	return true, nil
 }
+
+var _ = Describe("Encryption at rest AWS", Label("encryption-at-rest"), func() {
+	var testData *model.TestDataProvider
+
+	_ = BeforeEach(func() {
+		checkUpEnvironment()
+		checkUpAWSEnvironment()
+	})
+
+	_ = AfterEach(func() {
+		GinkgoWriter.Write([]byte("\n"))
+		GinkgoWriter.Write([]byte("===============================================\n"))
+		GinkgoWriter.Write([]byte("Operator namespace: " + testData.Resources.Namespace + "\n"))
+		GinkgoWriter.Write([]byte("===============================================\n"))
+		if CurrentSpecReport().Failed() {
+			Expect(actions.SaveProjectsToFile(testData.Context, testData.K8SClient, testData.Resources.Namespace)).Should(Succeed())
+		}
+		By("Clean Roles", func() {
+			DeleteAllRoles(testData)
+		})
+		By("Delete Resources, Project with Cloud provider access roles", func() {
+			actions.DeleteTestDataProject(testData)
+			actions.AfterEachFinalCleanup([]model.TestDataProvider{*testData})
+		})
+	})
+
+	It("Should be able to create Encryption at REST on AWS with RoleID equal to AWS ARN", func() {
+
+		testData = model.DataProvider(
+			"encryption-at-rest-aws",
+			model.NewEmptyAtlasKeyType().UseDefaultFullAccess(),
+			40000,
+			[]func(*model.TestDataProvider){},
+		).WithProject(data.DefaultProject())
+
+		roles := []cloudaccess.Role{
+			{
+				Name: utils.RandomName(awsRoleNameBase),
+				AccessRole: v1.CloudProviderAccessRole{
+					ProviderName: "AWS",
+				},
+			},
+		}
+		userData := testData
+		encAtRest := v1.EncryptionAtRest{
+			AwsKms: v1.AwsKms{
+				Enabled: toptr.MakePtr(true),
+				Region:  "US_EAST_1",
+				Valid:   toptr.MakePtr(true),
+			},
+		}
+
+		By("Creating a project", func() {
+			actions.ProjectCreationFlow(testData)
+		})
+
+		var projectID string
+		By("Getting a project ID by name from Atlas", func() {
+			Eventually(func(g Gomega) error {
+				projectData, _, err := atlasClient.Client.Projects.GetOneProjectByName(userData.Context, userData.Project.Spec.Name)
+				g.Expect(err).NotTo(HaveOccurred())
+				g.Expect(projectData).NotTo(BeNil())
+				ginkgo.GinkgoLogr.Info("Project ID", projectData.ID)
+				projectID = projectData.ID
+				return nil
+			}).WithTimeout(2 * time.Minute).WithPolling(10 * time.Second).Should(Succeed())
+		})
+
+		var atlasRoles *mongodbatlas.CloudProviderAccessRoles
+		By("Add cloud access role (AWS only)", func() {
+			cloudAccessRolesFlow(userData, roles)
+		})
+
+		By("Fetching project CPAs", func() {
+			var err error
+			atlasRoles, _, err = atlasClient.Client.CloudProviderAccess.ListRoles(userData.Context, projectID)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(atlasRoles).NotTo(BeNil())
+			Expect(len(atlasRoles.AWSIAMRoles)).NotTo(BeZero())
+		})
+
+		By("Create KMS with AWS RoleID", func() {
+			Expect(userData.K8SClient.Get(userData.Context, types.NamespacedName{Name: userData.Project.Name,
+				Namespace: userData.Resources.Namespace}, userData.Project)).Should(Succeed())
+
+			Expect(len(userData.Project.Status.CloudProviderAccessRoles)).NotTo(Equal(0))
+			aRole := userData.Project.Status.CloudProviderAccessRoles[0]
+
+			fillKMSforAWS(&encAtRest, aRole.AtlasAWSAccountArn, aRole.IamAssumedRoleArn)
+			fillVaultforAzure(&encAtRest)
+			fillKMSforGCP(&encAtRest)
+
+			Expect(userData.K8SClient.Get(userData.Context, types.NamespacedName{Name: userData.Project.Name,
+				Namespace: userData.Resources.Namespace}, userData.Project)).Should(Succeed())
+			userData.Project.Spec.EncryptionAtRest = &encAtRest
+
+			var roleARNToSet string
+			for _, r := range atlasRoles.AWSIAMRoles {
+				if r.IAMAssumedRoleARN == aRole.IamAssumedRoleArn {
+					roleARNToSet = r.IAMAssumedRoleARN
+					break
+				}
+			}
+			Expect(roleARNToSet).NotTo(BeEmpty())
+			userData.Project.Spec.EncryptionAtRest.AwsKms.RoleID = roleARNToSet
+			Expect(userData.K8SClient.Update(userData.Context, userData.Project)).Should(Succeed())
+			actions.WaitForConditionsToBecomeTrue(userData, status.EncryptionAtRestReadyType, status.ReadyType)
+		})
+	})
+})
