diff --git a/api/v1alpha1/azureauthengineconfig_types.go b/api/v1alpha1/azureauthengineconfig_types.go index 8665049..31f8980 100644 --- a/api/v1alpha1/azureauthengineconfig_types.go +++ b/api/v1alpha1/azureauthengineconfig_types.go @@ -29,9 +29,6 @@ import ( "sigs.k8s.io/controller-runtime/pkg/log" ) -// EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN! -// NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized. - // AzureAuthEngineConfigSpec defines the desired state of AzureAuthEngineConfig type AzureAuthEngineConfigSpec struct { // Connection represents the information needed to connect to Vault. This operator uses the standard Vault environment variables to connect to Vault. If you need to override those settings and for example connect to a different Vault instance, you can do with this section of the CR. diff --git a/api/v1alpha1/azuresecretengineconfig_types.go b/api/v1alpha1/azuresecretengineconfig_types.go new file mode 100644 index 0000000..5e5f331 --- /dev/null +++ b/api/v1alpha1/azuresecretengineconfig_types.go @@ -0,0 +1,266 @@ +/* +Copyright 2021. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1alpha1 + +import ( + "context" + "errors" + "reflect" + + vaultutils "github.com/redhat-cop/vault-config-operator/api/v1alpha1/utils" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/log" +) + +// AzureSecretEngineConfigSpec defines the desired state of AzureSecretEngineConfig +type AzureSecretEngineConfigSpec struct { + // Connection represents the information needed to connect to Vault. This operator uses the standard Vault environment variables to connect to Vault. If you need to override those settings and for example connect to a different Vault instance, you can do with this section of the CR. + // +kubebuilder:validation:Optional + Connection *vaultutils.VaultConnection `json:"connection,omitempty"` + + // Authentication is the kube auth configuration to be used to execute this request + // +kubebuilder:validation:Required + Authentication vaultutils.KubeAuthConfiguration `json:"authentication,omitempty"` + + // Path at which to make the configuration. + // The final path in Vault will be {[spec.authentication.namespace]}/{spec.path}/config/{metadata.name}. + // The authentication role must have the following capabilities = [ "create", "read", "update", "delete"] on that path. + // +kubebuilder:validation:Required + Path vaultutils.Path `json:"path,omitempty"` + + // AzureCredentials consists in ClientID and ClientSecret, which can be created as Kubernetes Secret, VaultSecret or RandomSecret + // +kubebuilder:validation:Optional + AzureCredentials vaultutils.RootCredentialConfig `json:"azureCredentials,omitempty"` + + // +kubebuilder:validation:Required + AzureSEConfig `json:",inline"` +} + +// AzureSecretEngineConfigStatus defines the observed state of AzureSecretEngineConfig +type AzureSecretEngineConfigStatus struct { + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` +} + +//+kubebuilder:object:root=true +//+kubebuilder:subresource:status + +// AzureSecretEngineConfig is the Schema for the azuresecretengineconfigs API +type AzureSecretEngineConfig struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + Spec AzureSecretEngineConfigSpec `json:"spec,omitempty"` + Status AzureSecretEngineConfigStatus `json:"status,omitempty"` +} + +//+kubebuilder:object:root=true + +// AzureSecretEngineConfigList contains a list of AzureSecretEngineConfig +type AzureSecretEngineConfigList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []AzureSecretEngineConfig `json:"items"` +} + +type AzureSEConfig struct { + + // The subscription id for the Azure Active Directory. This value can also be provided with the AZURE_SUBSCRIPTION_ID environment variable. + // +kubebuilder:validation:Required + SubscriptionID string `json:"subscriptionID"` + + // The tenant id for the Azure Active Directory organization. This value can also be provided with the AZURE_TENANT_ID environment variable. + // +kubebuilder:validation:Required + TenantID string `json:"tenantID"` + + // The client id for credentials to query the Azure APIs. + // Currently read permissions to query compute resources are required. + // This value can also be provided with the AZURE_CLIENT_ID environment variable. + // +kubebuilder:validation:Optional + // +kubebuilder:default="" + ClientID string `json:"clientID,omitempty"` + + // The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud. + // This value can also be provided with the AZURE_ENVIRONMENT environment variable + // +kubebuilder:validation:Optional + // +kubebuilder:default="AzurePublicCloud" + Environment string `json:"environment,omitempty"` + + // Specifies a password policy to use when creating dynamic credentials. Defaults to generating an alphanumeric password if not set. + // +kubebuilder:validation:Optional + // +kubebuilder:default="" + PasswordPolicy string `json:"passwordPolicy,omitempty"` + + // Specifies how long the root password is valid for in Azure when rotate-root generates a new client secret. Uses duration format strings. + // +kubebuilder:validation:Optional + // +kubebuilder:default="182d" + RootPasswordTTL string `json:"rootPasswordTTL,omitempty"` + + retrievedClientID string `json:"-"` + + retrievedClientPassword string `json:"-"` +} + +var _ vaultutils.VaultObject = &AzureSecretEngineConfig{} +var _ vaultutils.ConditionsAware = &AzureSecretEngineConfig{} + +func init() { + SchemeBuilder.Register(&AzureSecretEngineConfig{}, &AzureSecretEngineConfigList{}) +} + +func (r *AzureSecretEngineConfig) SetConditions(conditions []metav1.Condition) { + r.Status.Conditions = conditions +} + +func (d *AzureSecretEngineConfig) GetVaultConnection() *vaultutils.VaultConnection { + return d.Spec.Connection +} + +func (r *AzureSecretEngineConfig) GetConditions() []metav1.Condition { + return r.Status.Conditions +} + +func (r *AzureSecretEngineConfig) GetKubeAuthConfiguration() *vaultutils.KubeAuthConfiguration { + return &r.Spec.Authentication +} + +func (d *AzureSecretEngineConfig) GetPath() string { + return string(d.Spec.Path) + "/" + "config" +} + +func (d *AzureSecretEngineConfig) GetPayload() map[string]interface{} { + return d.Spec.toMap() +} + +func (r *AzureSecretEngineConfig) IsEquivalentToDesiredState(payload map[string]interface{}) bool { + desiredState := r.Spec.AzureSEConfig.toMap() + return reflect.DeepEqual(desiredState, payload) +} + +func (r *AzureSecretEngineConfig) IsInitialized() bool { + return true +} + +func (r *AzureSecretEngineConfig) IsValid() (bool, error) { + err := r.isValid() + return err == nil, err +} + +func (r *AzureSecretEngineConfig) isValid() error { + return r.Spec.AzureCredentials.ValidateEitherFromVaultSecretOrFromSecretOrFromRandomSecret() +} + +func (r *AzureSecretEngineConfig) PrepareInternalValues(context context.Context, object client.Object) error { + + if reflect.DeepEqual(r.Spec.AzureCredentials, vaultutils.RootCredentialConfig{PasswordKey: "clientsecret", UsernameKey: "clientid"}) { + return nil + } + + return r.setInternalCredentials(context) +} + +func (d *AzureSecretEngineConfig) PrepareTLSConfig(context context.Context, object client.Object) error { + return nil +} + +func (r *AzureSecretEngineConfig) setInternalCredentials(context context.Context) error { + log := log.FromContext(context) + kubeClient := context.Value("kubeClient").(client.Client) + if r.Spec.AzureCredentials.RandomSecret != nil { + randomSecret := &RandomSecret{} + err := kubeClient.Get(context, types.NamespacedName{ + Namespace: r.Namespace, + Name: r.Spec.AzureCredentials.RandomSecret.Name, + }, randomSecret) + if err != nil { + log.Error(err, "unable to retrieve RandomSecret", "instance", r) + return err + } + secret, exists, err := vaultutils.ReadSecret(context, randomSecret.GetPath()) + if err != nil { + return err + } + if !exists { + err = errors.New("secret not found") + log.Error(err, "unable to retrieve vault secret", "instance", r) + return err + } + r.SetClientIDAndClientSecret(r.Spec.ClientID, secret.Data[randomSecret.Spec.SecretKey].(string)) + return nil + } + if r.Spec.AzureCredentials.Secret != nil { + secret := &corev1.Secret{} + err := kubeClient.Get(context, types.NamespacedName{ + Namespace: r.Namespace, + Name: r.Spec.AzureCredentials.Secret.Name, + }, secret) + if err != nil { + log.Error(err, "unable to retrieve Secret", "instance", r) + return err + } + if r.Spec.ClientID == "" { + r.SetClientIDAndClientSecret(string(secret.Data[r.Spec.AzureCredentials.UsernameKey]), string(secret.Data[r.Spec.AzureCredentials.PasswordKey])) + } else { + r.SetClientIDAndClientSecret(r.Spec.AzureSEConfig.ClientID, string(secret.Data[r.Spec.AzureCredentials.PasswordKey])) + } + return nil + } + if r.Spec.AzureCredentials.VaultSecret != nil { + secret, exists, err := vaultutils.ReadSecret(context, string(r.Spec.AzureCredentials.VaultSecret.Path)) + if err != nil { + return err + } + if !exists { + err = errors.New("secret not found") + log.Error(err, "unable to retrieve vault secret", "instance", r) + return err + } + if r.Spec.ClientID == "" { + r.SetClientIDAndClientSecret(secret.Data[r.Spec.AzureCredentials.UsernameKey].(string), secret.Data[r.Spec.AzureCredentials.PasswordKey].(string)) + log.V(1).Info("", "clientid", secret.Data[r.Spec.AzureCredentials.UsernameKey].(string), "clientsecret", secret.Data[r.Spec.AzureCredentials.PasswordKey].(string)) + } else { + r.SetClientIDAndClientSecret(r.Spec.AzureSEConfig.ClientID, secret.Data[r.Spec.AzureCredentials.PasswordKey].(string)) + log.V(1).Info("", "clientid", r.Spec.AzureSEConfig.ClientID, "clientsecret", secret.Data[r.Spec.AzureCredentials.PasswordKey].(string)) + } + return nil + } + return errors.New("no means of retrieving a secret was specified") +} + +func (r *AzureSecretEngineConfig) SetClientIDAndClientSecret(ClientID string, ClientSecret string) { + r.Spec.AzureSEConfig.retrievedClientID = ClientID + r.Spec.AzureSEConfig.retrievedClientPassword = ClientSecret +} + +func (i *AzureSEConfig) toMap() map[string]interface{} { + payload := map[string]interface{}{} + payload["subscription_id"] = i.SubscriptionID + payload["tenant_id"] = i.TenantID + payload["client_id"] = i.retrievedClientID + payload["client_secret"] = i.retrievedClientPassword + payload["environment"] = i.Environment + payload["password_policy"] = i.PasswordPolicy + payload["root_password_ttl"] = i.RootPasswordTTL + + return payload +} diff --git a/api/v1alpha1/azuresecretengineconfig_webhook.go b/api/v1alpha1/azuresecretengineconfig_webhook.go new file mode 100644 index 0000000..697cc4f --- /dev/null +++ b/api/v1alpha1/azuresecretengineconfig_webhook.go @@ -0,0 +1,75 @@ +/* +Copyright 2021. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1alpha1 + +import ( + "errors" + + "k8s.io/apimachinery/pkg/runtime" + ctrl "sigs.k8s.io/controller-runtime" + logf "sigs.k8s.io/controller-runtime/pkg/log" + "sigs.k8s.io/controller-runtime/pkg/webhook" + "sigs.k8s.io/controller-runtime/pkg/webhook/admission" +) + +// log is for logging in this package. +var azuresecretengineconfiglog = logf.Log.WithName("azuresecretengineconfig-resource") + +func (r *AzureSecretEngineConfig) SetupWebhookWithManager(mgr ctrl.Manager) error { + return ctrl.NewWebhookManagedBy(mgr). + For(r). + Complete() +} + +//+kubebuilder:webhook:path=/mutate-redhatcop-redhat-io-v1alpha1-azuresecretengineconfig,mutating=true,failurePolicy=fail,sideEffects=None,groups=redhatcop.redhat.io,resources=azuresecretengineconfigs,verbs=create,versions=v1alpha1,name=mazuresecretengineconfig.kb.io,admissionReviewVersions=v1 + +var _ webhook.Defaulter = &AzureSecretEngineConfig{} + +// Default implements webhook.Defaulter so a webhook will be registered for the type +func (r *AzureSecretEngineConfig) Default() { + azuresecretengineconfiglog.Info("default", "name", r.Name) + +} + +//+kubebuilder:webhook:path=/validate-redhatcop-redhat-io-v1alpha1-azuresecretengineconfig,mutating=false,failurePolicy=fail,sideEffects=None,groups=redhatcop.redhat.io,resources=azuresecretengineconfigs,verbs=create;update,versions=v1alpha1,name=vazuresecretengineconfig.kb.io,admissionReviewVersions=v1 + +var _ webhook.Validator = &AzureSecretEngineConfig{} + +// ValidateCreate implements webhook.Validator so a webhook will be registered for the type +func (r *AzureSecretEngineConfig) ValidateCreate() (admission.Warnings, error) { + azuresecretengineconfiglog.Info("validate create", "name", r.Name) + + return nil, nil +} + +// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type +func (r *AzureSecretEngineConfig) ValidateUpdate(old runtime.Object) (admission.Warnings, error) { + azuresecretengineconfiglog.Info("validate update", "name", r.Name) + + // the path cannot be updated + if r.Spec.Path != old.(*AzureSecretEngineConfig).Spec.Path { + return nil, errors.New("spec.path cannot be updated") + } + return nil, r.isValid() +} + +// ValidateDelete implements webhook.Validator so a webhook will be registered for the type +func (r *AzureSecretEngineConfig) ValidateDelete() (admission.Warnings, error) { + azuresecretengineconfiglog.Info("validate delete", "name", r.Name) + + return nil, nil +} diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 299d3f9..2a68174 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -477,6 +477,125 @@ func (in *AzureRole) DeepCopy() *AzureRole { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AzureSEConfig) DeepCopyInto(out *AzureSEConfig) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureSEConfig. +func (in *AzureSEConfig) DeepCopy() *AzureSEConfig { + if in == nil { + return nil + } + out := new(AzureSEConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AzureSecretEngineConfig) DeepCopyInto(out *AzureSecretEngineConfig) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureSecretEngineConfig. +func (in *AzureSecretEngineConfig) DeepCopy() *AzureSecretEngineConfig { + if in == nil { + return nil + } + out := new(AzureSecretEngineConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *AzureSecretEngineConfig) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AzureSecretEngineConfigList) DeepCopyInto(out *AzureSecretEngineConfigList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]AzureSecretEngineConfig, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureSecretEngineConfigList. +func (in *AzureSecretEngineConfigList) DeepCopy() *AzureSecretEngineConfigList { + if in == nil { + return nil + } + out := new(AzureSecretEngineConfigList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *AzureSecretEngineConfigList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AzureSecretEngineConfigSpec) DeepCopyInto(out *AzureSecretEngineConfigSpec) { + *out = *in + if in.Connection != nil { + in, out := &in.Connection, &out.Connection + *out = new(utils.VaultConnection) + (*in).DeepCopyInto(*out) + } + in.Authentication.DeepCopyInto(&out.Authentication) + in.AzureCredentials.DeepCopyInto(&out.AzureCredentials) + out.AzureSEConfig = in.AzureSEConfig +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureSecretEngineConfigSpec. +func (in *AzureSecretEngineConfigSpec) DeepCopy() *AzureSecretEngineConfigSpec { + if in == nil { + return nil + } + out := new(AzureSecretEngineConfigSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AzureSecretEngineConfigStatus) DeepCopyInto(out *AzureSecretEngineConfigStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]v1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureSecretEngineConfigStatus. +func (in *AzureSecretEngineConfigStatus) DeepCopy() *AzureSecretEngineConfigStatus { + if in == nil { + return nil + } + out := new(AzureSecretEngineConfigStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *DBSEConfig) DeepCopyInto(out *DBSEConfig) { *out = *in diff --git a/config/crd/bases/redhatcop.redhat.io_azuresecretengineconfigs.yaml b/config/crd/bases/redhatcop.redhat.io_azuresecretengineconfigs.yaml new file mode 100644 index 0000000..30457b5 --- /dev/null +++ b/config/crd/bases/redhatcop.redhat.io_azuresecretengineconfigs.yaml @@ -0,0 +1,341 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + creationTimestamp: null + name: azuresecretengineconfigs.redhatcop.redhat.io +spec: + group: redhatcop.redhat.io + names: + kind: AzureSecretEngineConfig + listKind: AzureSecretEngineConfigList + plural: azuresecretengineconfigs + singular: azuresecretengineconfig + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: AzureSecretEngineConfig is the Schema for the azuresecretengineconfigs + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AzureSecretEngineConfigSpec defines the desired state of + AzureSecretEngineConfig + properties: + authentication: + description: Authentication is the kube auth configuration to be used + to execute this request + properties: + namespace: + description: Namespace is the Vault namespace to be used in all + the operations withing this connection/authentication. Only + available in Vault Enterprise. + type: string + path: + default: kubernetes + description: Path is the path of the role used for this kube auth + authentication. The operator will try to authenticate at {[namespace/]}auth/{spec.path} + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? + type: string + role: + description: Role the role to be used during authentication + type: string + serviceAccount: + default: + name: default + description: ServiceAccount is the service account used for the + kube auth authentication + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: object + azureCredentials: + description: AzureCredentials consists in ClientID and ClientSecret, + which can be created as Kubernetes Secret, VaultSecret or RandomSecret + properties: + passwordKey: + default: password + description: PasswordKey key to be used when retrieving the password, + required with VaultSecrets and Kubernetes secrets, ignored with + RandomSecret + type: string + randomSecret: + description: 'RandomSecret retrieves the credentials from the + Vault secret corresponding to this RandomSecret. This will map + the "username" and "password" keys of the secret to the username + and password of this config. All other keys will be ignored. + If the RandomSecret is refreshed the operator retrieves the + new secret from Vault and updates this configuration. Only one + of RootCredentialsFromVaultSecret or RootCredentialsFromSecret + or RootCredentialsFromRandomSecret can be specified. When using + randomSecret a username must be specified in the spec.username + password: Specifies the password to use when connecting with + the username. This value will not be returned by Vault when + performing a read upon the configuration. This is typically + used in the connection_url field via the templating directive + "{{"password"}}"".' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + secret: + description: 'Secret retrieves the credentials from a Kubernetes + secret. The secret must be of basicauth type (https://kubernetes.io/docs/concepts/configuration/secret/#basic-authentication-secret). + This will map the "username" and "password" keys of the secret + to the username and password of this config. If the kubernetes + secret is updated, this configuration will also be updated. + All other keys will be ignored. Only one of RootCredentialsFromVaultSecret + or RootCredentialsFromSecret or RootCredentialsFromRandomSecret + can be specified. username: Specifies the name of the user to + use as the "root" user when connecting to the database. This + "root" user is used to create/update/delete users managed by + these plugins, so you will need to ensure that this user has + permissions to manipulate users appropriate to the database. + This is typically used in the connection_url field via the templating + directive "{{"username"}}" or "{{"name"}}". password: Specifies + the password to use when connecting with the username. This + value will not be returned by Vault when performing a read upon + the configuration. This is typically used in the connection_url + field via the templating directive "{{"password"}}". If username + is provided as spec.username, it takes precedence over the username + retrieved from the referenced secret' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + usernameKey: + default: username + description: UsernameKey key to be used when retrieving the username, + optional with VaultSecrets and Kubernetes secrets, ignored with + RandomSecret + type: string + vaultSecret: + description: 'VaultSecret retrieves the credentials from a Vault + secret. This will map the "username" and "password" keys of + the secret to the username and password of this config. All + other keys will be ignored. Only one of RootCredentialsFromVaultSecret + or RootCredentialsFromSecret or RootCredentialsFromRandomSecret + can be specified. username: Specifies the name of the user to + use as the "root" user when connecting to the database. This + "root" user is used to create/update/delete users managed by + these plugins, so you will need to ensure that this user has + permissions to manipulate users appropriate to the database. + This is typically used in the connection_url field via the templating + directive "{{"username"}}" or "{{"name"}}". password: Specifies + the password to use when connecting with the username. This + value will not be returned by Vault when performing a read upon + the configuration. This is typically used in the connection_url + field via the templating directive "{{"password"}}". If username + is provided as spec.username, it takes precedence over the username + retrieved from the referenced secret' + properties: + path: + description: Path is the path to the secret + type: string + type: object + type: object + clientID: + default: "" + description: The client id for credentials to query the Azure APIs. + Currently read permissions to query compute resources are required. + This value can also be provided with the AZURE_CLIENT_ID environment + variable. + type: string + connection: + description: Connection represents the information needed to connect + to Vault. This operator uses the standard Vault environment variables + to connect to Vault. If you need to override those settings and + for example connect to a different Vault instance, you can do with + this section of the CR. + properties: + address: + description: 'Address Address of the Vault server expressed as + a URL and port, for example: https://127.0.0.1:8200/' + type: string + maxRetries: + description: MaxRetries Maximum number of retries when certain + error codes are encountered. The default is 2, for three total + attempts. Set this to 0 or less to disable retrying. Error codes + that are retried are 412 (client consistency requirement not + satisfied) and all 5xx except for 501 (not implemented). + type: integer + tLSConfig: + properties: + cacert: + description: Cacert Path to a PEM-encoded CA certificate file + on the local disk. This file is used to verify the Vault + server's SSL certificate. This environment variable takes + precedence over a cert passed via the secret. + type: string + skipVerify: + description: SkipVerify Do not verify Vault's presented certificate + before communicating with it. Setting this variable is not + recommended and voids Vault's security model. + type: boolean + tlsSecret: + description: 'TLSSecret namespace-local secret containing + the tls material for the connection. the expected keys for + the secret are: ca bundle -> "ca.crt", certificate -> "tls.crt", + key -> "tls.key"' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + tlsServerName: + description: TLSServerName Name to use as the SNI host when + connecting via TLS. + type: string + type: object + timeOut: + description: Timeout Timeout variable. The default value is 60s. + type: string + type: object + environment: + default: AzurePublicCloud + description: 'The Azure cloud environment. Valid values: AzurePublicCloud, + AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud. This + value can also be provided with the AZURE_ENVIRONMENT environment + variable' + type: string + passwordPolicy: + default: "" + description: Specifies a password policy to use when creating dynamic + credentials. Defaults to generating an alphanumeric password if + not set. + type: string + path: + description: Path at which to make the configuration. The final path + in Vault will be {[spec.authentication.namespace]}/{spec.path}/config/{metadata.name}. + The authentication role must have the following capabilities = [ + "create", "read", "update", "delete"] on that path. + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? + type: string + rootPasswordTTL: + default: 182d + description: Specifies how long the root password is valid for in + Azure when rotate-root generates a new client secret. Uses duration + format strings. + type: string + subscriptionID: + description: The subscription id for the Azure Active Directory. This + value can also be provided with the AZURE_SUBSCRIPTION_ID environment + variable. + type: string + tenantID: + description: The tenant id for the Azure Active Directory organization. + This value can also be provided with the AZURE_TENANT_ID environment + variable. + type: string + required: + - subscriptionID + - tenantID + type: object + status: + description: AzureSecretEngineConfigStatus defines the observed state + of AzureSecretEngineConfig + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/config/crd/patches/cainjection_in_azuresecretengineconfigs.yaml b/config/crd/patches/cainjection_in_azuresecretengineconfigs.yaml new file mode 100644 index 0000000..705bcd4 --- /dev/null +++ b/config/crd/patches/cainjection_in_azuresecretengineconfigs.yaml @@ -0,0 +1,7 @@ +# The following patch adds a directive for certmanager to inject CA into the CRD +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + name: azuresecretengineconfigs.redhatcop.redhat.io diff --git a/config/crd/patches/webhook_in_azuresecretengineconfigs.yaml b/config/crd/patches/webhook_in_azuresecretengineconfigs.yaml new file mode 100644 index 0000000..53de1d1 --- /dev/null +++ b/config/crd/patches/webhook_in_azuresecretengineconfigs.yaml @@ -0,0 +1,16 @@ +# The following patch enables a conversion webhook for the CRD +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: azuresecretengineconfigs.redhatcop.redhat.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + namespace: system + name: webhook-service + path: /convert + conversionReviewVersions: + - v1 diff --git a/config/rbac/azuresecretengineconfig_editor_role.yaml b/config/rbac/azuresecretengineconfig_editor_role.yaml new file mode 100644 index 0000000..ac6dd70 --- /dev/null +++ b/config/rbac/azuresecretengineconfig_editor_role.yaml @@ -0,0 +1,31 @@ +# permissions for end users to edit azuresecretengineconfigs. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: clusterrole + app.kubernetes.io/instance: azuresecretengineconfig-editor-role + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: vault-config-operator + app.kubernetes.io/part-of: vault-config-operator + app.kubernetes.io/managed-by: kustomize + name: azuresecretengineconfig-editor-role +rules: +- apiGroups: + - redhatcop.redhat.io + resources: + - azuresecretengineconfigs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - redhatcop.redhat.io + resources: + - azuresecretengineconfigs/status + verbs: + - get diff --git a/config/rbac/azuresecretengineconfig_viewer_role.yaml b/config/rbac/azuresecretengineconfig_viewer_role.yaml new file mode 100644 index 0000000..3f33bc1 --- /dev/null +++ b/config/rbac/azuresecretengineconfig_viewer_role.yaml @@ -0,0 +1,27 @@ +# permissions for end users to view azuresecretengineconfigs. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: clusterrole + app.kubernetes.io/instance: azuresecretengineconfig-viewer-role + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: vault-config-operator + app.kubernetes.io/part-of: vault-config-operator + app.kubernetes.io/managed-by: kustomize + name: azuresecretengineconfig-viewer-role +rules: +- apiGroups: + - redhatcop.redhat.io + resources: + - azuresecretengineconfigs + verbs: + - get + - list + - watch +- apiGroups: + - redhatcop.redhat.io + resources: + - azuresecretengineconfigs/status + verbs: + - get diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index c69a2f1..a60dff4 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -122,6 +122,32 @@ rules: - get - patch - update +- apiGroups: + - redhatcop.redhat.io + resources: + - azuresecretengineconfigs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - redhatcop.redhat.io + resources: + - azuresecretengineconfigs/finalizers + verbs: + - update +- apiGroups: + - redhatcop.redhat.io + resources: + - azuresecretengineconfigs/status + verbs: + - get + - patch + - update - apiGroups: - redhatcop.redhat.io resources: diff --git a/config/samples/kustomization.yaml b/config/samples/kustomization.yaml index 1a5de83..f9d8e87 100644 --- a/config/samples/kustomization.yaml +++ b/config/samples/kustomization.yaml @@ -32,4 +32,5 @@ resources: - redhatcop_v1alpha1_azureauthenginerole.yaml - redhatcop_v1alpha1_gcpauthengineconfig.yaml - redhatcop_v1alpha1_gcpauthenginerole.yaml + #+kubebuilder:scaffold:manifestskustomizesamples diff --git a/config/samples/redhatcop_v1alpha1_azuresecretengineconfig.yaml b/config/samples/redhatcop_v1alpha1_azuresecretengineconfig.yaml new file mode 100644 index 0000000..b3efcb0 --- /dev/null +++ b/config/samples/redhatcop_v1alpha1_azuresecretengineconfig.yaml @@ -0,0 +1,30 @@ +apiVersion: redhatcop.redhat.io/v1alpha1 +kind: AzureSecretEngineConfig +metadata: + labels: + app.kubernetes.io/name: azuresecretengineconfig + app.kubernetes.io/instance: azuresecretengineconfig-sample + app.kubernetes.io/part-of: vault-config-operator + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/created-by: vault-config-operator + name: azuresecretengineconfig-sample +spec: + authentication: + path: vault-admin + role: vault-admin + serviceAccount: + name: vault + connection: + address: 'https://vault.example.com' + path: azure + tenantID: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx" + clientID: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx" + subscriptionID: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx" + environment: "AzurePublicCloud" + passwordPolicy: "" + rootPasswordTTL: "128d" + azureCredentials: + secret: + name: aad-credentials + usernameKey: clientid + passwordKey: clientsecret \ No newline at end of file diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml index 2d8e5f5..1304bd5 100644 --- a/config/webhook/manifests.yaml +++ b/config/webhook/manifests.yaml @@ -675,6 +675,26 @@ webhooks: resources: - azureauthengineroles sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: webhook-service + namespace: system + path: /validate-redhatcop-redhat-io-v1alpha1-azuresecretengineconfig + failurePolicy: Fail + name: vazuresecretengineconfig.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - azuresecretengineconfigs + sideEffects: None - admissionReviewVersions: - v1 - v1beta1 diff --git a/controllers/azuresecretengineconfig_controller.go b/controllers/azuresecretengineconfig_controller.go new file mode 100644 index 0000000..8dff740 --- /dev/null +++ b/controllers/azuresecretengineconfig_controller.go @@ -0,0 +1,230 @@ +/* +Copyright 2021. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package controllers + +import ( + "bytes" + "context" + + corev1 "k8s.io/api/core/v1" + apierrors "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/builder" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/event" + "sigs.k8s.io/controller-runtime/pkg/handler" + "sigs.k8s.io/controller-runtime/pkg/log" + "sigs.k8s.io/controller-runtime/pkg/predicate" + "sigs.k8s.io/controller-runtime/pkg/reconcile" + + redhatcopv1alpha1 "github.com/redhat-cop/vault-config-operator/api/v1alpha1" + "github.com/redhat-cop/vault-config-operator/controllers/vaultresourcecontroller" +) + +// AzureSecretEngineConfigReconciler reconciles a AzureSecretEngineConfig object +type AzureSecretEngineConfigReconciler struct { + vaultresourcecontroller.ReconcilerBase +} + +//+kubebuilder:rbac:groups=redhatcop.redhat.io,resources=azuresecretengineconfigs,verbs=get;list;watch;create;update;patch;delete +//+kubebuilder:rbac:groups=redhatcop.redhat.io,resources=azuresecretengineconfigs/status,verbs=get;update;patch +//+kubebuilder:rbac:groups=redhatcop.redhat.io,resources=azuresecretengineconfigs/finalizers,verbs=update +//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch +//+kubebuilder:rbac:groups="",resources=serviceaccounts/token,verbs=create +//+kubebuilder:rbac:groups="",resources=events,verbs=get;list;watch;create;patch + +// Reconcile is part of the main kubernetes reconciliation loop which aims to +// move the current state of the cluster closer to the desired state. + +// For more details, check Reconcile and its Result here: +// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.14.4/pkg/reconcile +func (r *AzureSecretEngineConfigReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { + _ = log.FromContext(ctx) + + // Fetch the instance + instance := &redhatcopv1alpha1.AzureSecretEngineConfig{} + err := r.GetClient().Get(ctx, req.NamespacedName, instance) + if err != nil { + if apierrors.IsNotFound(err) { + // Request object not found, could have been deleted after reconcile request. + // Owned objects are automatically garbage collected. For additional cleanup logic use finalizers. + // Return and don't requeue + return reconcile.Result{}, nil + } + // Error reading the object - requeue the request. + return reconcile.Result{}, err + } + + ctx1, err := prepareContext(ctx, r.ReconcilerBase, instance) + if err != nil { + r.Log.Error(err, "unable to prepare context", "instance", instance) + return vaultresourcecontroller.ManageOutcome(ctx, r.ReconcilerBase, instance, err) + } + vaultResource := vaultresourcecontroller.NewVaultResource(&r.ReconcilerBase, instance) + + return vaultResource.Reconcile(ctx1, instance) +} + +// SetupWithManager sets up the controller with the Manager. +func (r *AzureSecretEngineConfigReconciler) SetupWithManager(mgr ctrl.Manager) error { + isBasicAuthSecret := predicate.Funcs{ + UpdateFunc: func(e event.UpdateEvent) bool { + newSecret, ok := e.ObjectNew.DeepCopyObject().(*corev1.Secret) + if !ok || newSecret.Type == "kubernetes.io/basic-auth" { + return false + } + oldSecret, ok := e.ObjectOld.DeepCopyObject().(*corev1.Secret) + if !ok { + return true + } + return bytes.Equal(oldSecret.Data["clientid"], newSecret.Data["clientid"]) || bytes.Equal(oldSecret.Data["clientsecret"], newSecret.Data["clientsecret"]) + }, + CreateFunc: func(e event.CreateEvent) bool { + newSecret, ok := e.Object.DeepCopyObject().(*corev1.Secret) + if !ok || newSecret.Type == "kubernetes.io/basic-auth" { + return false + } + return true + }, + DeleteFunc: func(e event.DeleteEvent) bool { + return false + }, + + GenericFunc: func(e event.GenericEvent) bool { + return false + }, + } + + isUpdatedRandomSecret := predicate.Funcs{ + UpdateFunc: func(e event.UpdateEvent) bool { + newSecret, ok := e.ObjectNew.DeepCopyObject().(*redhatcopv1alpha1.RandomSecret) + if !ok { + return false + } + oldSecret, ok := e.ObjectOld.DeepCopyObject().(*redhatcopv1alpha1.RandomSecret) + if !ok { + return true + } + + if newSecret.Status.LastVaultSecretUpdate != nil { + if oldSecret.Status.LastVaultSecretUpdate != nil { + return !newSecret.Status.LastVaultSecretUpdate.Time.Equal(oldSecret.Status.LastVaultSecretUpdate.Time) + } + return true + } + return false + }, + CreateFunc: func(e event.CreateEvent) bool { + return true + }, + DeleteFunc: func(e event.DeleteEvent) bool { + return false + }, + + GenericFunc: func(e event.GenericEvent) bool { + return false + }, + } + + return ctrl.NewControllerManagedBy(mgr). + For(&redhatcopv1alpha1.AzureSecretEngineConfig{}, builder.WithPredicates(vaultresourcecontroller.ResourceGenerationChangedPredicate{})). + Watches(&corev1.Secret{ + TypeMeta: metav1.TypeMeta{ + Kind: "Secret", + }, + }, handler.EnqueueRequestsFromMapFunc(func(ctx context.Context, a client.Object) []reconcile.Request { + res := []reconcile.Request{} + s := a.(*corev1.Secret) + dbsecs, err := r.findApplicableASEForSecret(ctx, s) + if err != nil { + r.Log.Error(err, "unable to find applicable AzureSecretEngine for namespace", "namespace", s.Name) + return []reconcile.Request{} + } + for _, dbsec := range dbsecs { + res = append(res, reconcile.Request{ + NamespacedName: types.NamespacedName{ + Name: dbsec.GetName(), + Namespace: dbsec.GetNamespace(), + }, + }) + } + return res + }), builder.WithPredicates(isBasicAuthSecret)). + Watches(&redhatcopv1alpha1.RandomSecret{ + TypeMeta: metav1.TypeMeta{ + Kind: "RandomSecret", + }, + }, handler.EnqueueRequestsFromMapFunc(func(ctx context.Context, a client.Object) []reconcile.Request { + res := []reconcile.Request{} + rs := a.(*redhatcopv1alpha1.RandomSecret) + dbsecs, err := r.findApplicableASEForRandomSecret(ctx, rs) + if err != nil { + r.Log.Error(err, "unable to find applicable AzureSecretEngine for namespace", "namespace", rs.Name) + return []reconcile.Request{} + } + for _, dbsec := range dbsecs { + res = append(res, reconcile.Request{ + NamespacedName: types.NamespacedName{ + Name: dbsec.GetName(), + Namespace: dbsec.GetNamespace(), + }, + }) + } + return res + }), builder.WithPredicates(isUpdatedRandomSecret)). + Complete(r) + +} + + +func (r *AzureSecretEngineConfigReconciler) findApplicableASEForSecret(ctx context.Context, secret *corev1.Secret) ([]redhatcopv1alpha1.AzureSecretEngineConfig, error) { + result := []redhatcopv1alpha1.AzureSecretEngineConfig{} + vrl := &redhatcopv1alpha1.AzureSecretEngineConfigList{} + err := r.GetClient().List(ctx, vrl, &client.ListOptions{ + Namespace: secret.Namespace, + }) + if err != nil { + r.Log.Error(err, "unable to retrieve the list of AzureSecretEngineConfig") + return nil, err + } + for _, vr := range vrl.Items { + if vr.Spec.AzureCredentials.Secret != nil && vr.Spec.AzureCredentials.Secret.Name == secret.Name { + result = append(result, vr) + } + } + return result, nil +} + +func (r *AzureSecretEngineConfigReconciler) findApplicableASEForRandomSecret(ctx context.Context, randomSecret *redhatcopv1alpha1.RandomSecret) ([]redhatcopv1alpha1.AzureSecretEngineConfig, error) { + result := []redhatcopv1alpha1.AzureSecretEngineConfig{} + vrl := &redhatcopv1alpha1.AzureSecretEngineConfigList{} + err := r.GetClient().List(ctx, vrl, &client.ListOptions{ + Namespace: randomSecret.Namespace, + }) + if err != nil { + r.Log.Error(err, "unable to retrieve the list of AzureSecretEngineConfig") + return nil, err + } + for _, vr := range vrl.Items { + if vr.Spec.AzureCredentials.RandomSecret != nil && vr.Spec.AzureCredentials.RandomSecret.Name == randomSecret.Name { + result = append(result, vr) + } + } + return result, nil +} diff --git a/docs/secret-engines.md b/docs/secret-engines.md index 95030fd..185471a 100644 --- a/docs/secret-engines.md +++ b/docs/secret-engines.md @@ -16,6 +16,7 @@ - [PKISecretEngineRole](#pkisecretenginerole) - [KubernetesSecretEngineConfig](#kubernetessecretengineconfig) - [KubernetesSecretEngineRole](#kubernetessecretenginerole) + - [AzureSecretEngineConfig] (#azuresecretengineconfig) ## SecretEngineMount @@ -597,3 +598,90 @@ vault write kubese-test/roles/kubese-default-edit \ kubernetes_role_name="ClusterRole" \ nameTemplate="vault-sa-{{random 10 | lowercase}}" \ ``` + + +## AzureSecretEngineConfig + +The `AzureSecretEngineConfig` CRD allows a user to create an Azure Secret Engine configuration. + +```yaml +apiVersion: redhatcop.redhat.io/v1alpha1 +kind: AzureSecretEngineConfig +metadata: + labels: + app.kubernetes.io/name: azuresecretengineconfig + app.kubernetes.io/instance: azuresecretengineconfig-sample + app.kubernetes.io/part-of: vault-config-operator + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/created-by: vault-config-operator + name: azuresecretengineconfig-sample +spec: + authentication: + path: vault-admin + role: vault-admin + serviceAccount: + name: vault + connection: + address: 'https://vault.example.com' + path: azure + tenantID: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx" + clientID: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx" + subscriptionID: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx" + environment: "AzurePublicCloud" + passwordPolicy: "" + rootPasswordTTL: "128d" + azureCredentials: + secret: + name: aad-credentials + usernameKey: clientid + passwordKey: clientsecret +``` + +The `subscriptionID` field - The subscription id for the Azure Active Directory. This value can also be provided with the AZURE_SUBSCRIPTION_ID environment variable. + +The `tenantID` field - The tenant id for the Azure Active Directory. This value can also be provided with the AZURE_TENANT_ID environment variable. + +The `clientID` field - The OAuth2 client id to connect to Azure. This value can also be provided with the AZURE_CLIENT_ID environment variable. See authentication for more details. + +The `environment` field - The Azure environment. This value can also be provided with the AZURE_ENVIRONMENT environment variable. If not specified, Vault will use Azure Public Cloud. + +The `passwordPolicy` field - Specifies a password policy to use when creating dynamic credentials. Defaults to generating an alphanumeric password if not set. + +The `rootPasswordTTL` field - Specifies how long the root password is valid for in Azure when rotate-root generates a new client secret. Uses duration format strings. + + The `azureCredentials` field - The OAuth Client Secret from the provider for OIDC roles. + The OIDCClientSecret and possibly the OIDCClientID can be retrived a three different ways : + +1. From a Kubernetes secret, specifying the `azureCredentials` field as follows: +```yaml + azureCredentials: + secret: + name: aad-credentials + usernameKey: clientid + passwordKey: clientsecret +``` +The secret must be of [basic auth type](https://kubernetes.io/docs/concepts/configuration/secret/#basic-authentication-secret). + +Example Secret : +```bash +kubectl create secret generic aad-credentials --from-literal=clientid="123456-1234-1234-1234-123456789" --from-literal=clientsecret="saffsfsdfsfsdgsdgsdgsdgghdfhdhdgsjgjgjfj" -n vault-admin +``` +If the secret is updated this connection will also be updated. + +2. From a [Vault secret](https://developer.hashicorp.com/vault/docs/secrets/kv), specifying the `azureCredentials` field as follows : +```yaml + azureCredentials: + vaultSecret: + path: secret/foo + usernameKey: clientid + passwordKey: clientsecret +``` +3. From a [RandomSecret](secret-management.md#RandomSecret), specifying the `azureCredentials` field as follows : +```yaml + azureCredentials: + randomSecret: + name: aad-credentials + usernameKey: clientid + passwordKey: clientsecret +``` +When the RandomSecret generates a new secret, this connection will also be updated. diff --git a/main.go b/main.go index f05b632..a67539f 100644 --- a/main.go +++ b/main.go @@ -205,6 +205,11 @@ func main() { os.Exit(1) } + if err = (&controllers.AzureSecretEngineConfigReconciler{ReconcilerBase: vaultresourcecontroller.NewFromManager(mgr, "AzureSecretEngineConfig")}).SetupWithManager(mgr); err != nil { + setupLog.Error(err, "unable to create controller", "controller", "AzureSecretEngineConfig") + os.Exit(1) + } + if err = (&controllers.QuaySecretEngineConfigReconciler{ReconcilerBase: vaultresourcecontroller.NewFromManager(mgr, "QuaySecretEngineConfig")}).SetupWithManager(mgr); err != nil { setupLog.Error(err, "unable to create controller", "controller", "QuaySecretEngineConfig") os.Exit(1) @@ -297,6 +302,7 @@ func main() { setupLog.Error(err, "unable to create webhook", "webhook", "AzureAuthEngineRole") os.Exit(1) } + if err = (&redhatcopv1alpha1.GCPAuthEngineConfig{}).SetupWebhookWithManager(mgr); err != nil { setupLog.Error(err, "unable to create webhook", "webhook", "GCPAuthEngineConfig") os.Exit(1) @@ -305,6 +311,7 @@ func main() { setupLog.Error(err, "unable to create webhook", "webhook", "GCPAuthEngineRole") os.Exit(1) } + if err = (&redhatcopv1alpha1.VaultSecret{}).SetupWebhookWithManager(mgr); err != nil { setupLog.Error(err, "unable to create webhook", "webhook", "VaultSecret") os.Exit(1) @@ -326,7 +333,10 @@ func main() { setupLog.Error(err, "unable to create webhook", "webhook", "GitHubSecretEngineRole") os.Exit(1) } - + if err = (&redhatcopv1alpha1.AzureSecretEngineConfig{}).SetupWebhookWithManager(mgr); err != nil { + setupLog.Error(err, "unable to create webhook", "webhook", "AzureSecretEngineConfig") + os.Exit(1) + } if err = (&redhatcopv1alpha1.PKISecretEngineConfig{}).SetupWebhookWithManager(mgr); err != nil { setupLog.Error(err, "unable to create webhook", "webhook", "PKISecretEngineConfig") os.Exit(1)