feat: [#298] Declarative access keys support
B&R committed Sep 22, 2023
1 parent 8469254 commit 50d15b3
Showing 22 changed files with 421 additions and 455 deletions.
17 changes: 16 additions & 1 deletion Makefile
Expand Up @@ -41,7 +41,7 @@ run_with_local_config_storage:
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE; \
export AWS_SECRET_ACCESS_KEY=wJaFuCKtnFEMI/CApItaliSM/bPxRfiCYEXAMPLEKEY; \
\
backup-repository \
./.build/backup-repository \
--db-password=postgres \
--db-user=postgres \
--db-password=postgres \
Expand All @@ -54,6 +54,21 @@ run_with_local_config_storage:
--config-local-path=$$(pwd)/docs/examples-filesystem/\
--storage-url="s3://mybucket?endpoint=localhost:9000&disableSSL=true&s3ForcePathStyle=true&region=eu-central-1"

postgres: ## Runs local PostgreSQL for running project as local binary
docker run -p 5432:5432 -d --rm --name postgres -e POSTGRES_USER=postgres -e POSTGRES_PASSWORD=postgres -e POSTGRES_DB=postgres postgres:15.3-alpine

minio: ## Runs local Min.io for running project as local binary
docker run -d \
--name br_minio \
-p 9000:9000 \
-p 9001:9001 \
-v $$(pwd)/.build/minio:/data \
-e "MINIO_ROOT_USER=AKIAIOSFODNN7EXAMPLE" \
-e "MINIO_ROOT_PASSWORD=wJaFuCKtnFEMI/CApItaliSM/bPxRfiCYEXAMPLEKEY" \
--entrypoint /bin/sh \
quay.io/minio/minio:RELEASE.2022-02-16T00-35-27Z -c 'mkdir -p /data/mybucket && minio server /data --console-address 0.0.0.0:9001'


lint:
export GO111MODULE=on; \
golangci-lint run \
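Review bot: The new `minio` target starts its container with `docker run -d --name br_minio` but without `--rm`, unlike the `postgres` target a few lines above, so a second `make minio` on the same host fails on the name conflict and leftover containers have to be removed by hand; make the two targets consistent with `docker run -d --rm \`. The root credentials passed through `-e "MINIO_ROOT_USER=..."` and `-e "MINIO_ROOT_PASSWORD=..."` are the same example values the `run_with_local_config_storage` target exports, which is acceptable for a local development loop, but the `##` help text should state that they are fixed local-only test credentials so nobody copies the target into a deployment script. Pinning the image to `RELEASE.2022-02-16T00-35-27Z` is good for reproducibility; a short comment on why that particular release is required (or a note that it should be bumped) would help the next maintainer. In the first hunk of this file, `--db-password=postgres` is passed twice in the context lines, which predates this commit but is worth cleaning up in the same target.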
8 changes: 4 additions & 4 deletions README.md
Expand Up @@ -5,7 +5,7 @@ Backup Repository
[![Test](https://github.com/riotkit-org/backup-repository/actions/workflows/test.yaml/badge.svg)](https://github.com/riotkit-org/backup-repository/actions/workflows/test.yaml)
[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/riotkit-org)](https://artifacthub.io/packages/search?repo=riotkit-org)

Cloud-native, zero-knowledge, multi-tenant, security-first backup storage with minimal footprint.
Cloud-native, zero-knowledge, multi-tenant, compliance-strict, security-first backup storage with minimal footprint.

_TLDR; Primitive backup storage for E2E GPG-encrypted files, with multi-user, quotas, versioning, using a object storage (S3/Min.io/GCS etc.) and deployed on Kubernetes or standalone. No fancy stuff included, lightweight and stable as much as possible is the project target._

Expand All @@ -30,7 +30,7 @@ _TLDR; Primitive backup storage for E2E GPG-encrypted files, with multi-user, qu
- Kubernetes (if wanting to use Kubernetes)
- PostgreSQL
- About 128Mb ram for small scale usage (**Note**: _We use Argon2di and performing file uploads + calculations on buffers_)
- Storage provider (S3, GCS, Min.io, local filesystem, and others supported by https://gocloud.dev/howto/blob/#services)
- Storage provider (S3, GCS, Min.io, local filesystem, or others supported by https://gocloud.dev/howto/blob/#services)

**Support:**
- Any Kubernetes 1.20+
Expand Down Expand Up @@ -177,7 +177,7 @@ Domain objects should implement a logic that checks given `Actor` if it can act
```go
func (u User) CanViewMyProfile(actor User) bool {
// rbac
if actor.Spec.Roles.HasRole(security.RoleUserManager) {
if actor.GetRoles().HasRole(security.RoleUserManager) {
return true
}
Expand All @@ -190,7 +190,7 @@ func (u User) CanViewMyProfile(actor User) bool {

```go
func (c Collection) CanUploadToMe(user *users.User) bool {
if user.Spec.Roles.HasRole(security.RoleBackupUploader) {
if user.GetRoles().HasRole(security.RoleBackupUploader) {
return true
}
Expand Up @@ -12,5 +12,17 @@ spec:
passwordFromRef:
name: backup-repository-passwords
entry: admin
collectionAccessKeys:
#
# login: some-user$uploader
# password: test
#
- name: uploader
collections: ["iwa-ait"]
roles: ["backupUploader"]
# password: ""
passwordFromRef:
name: backup-repository-passwords
entry: admin_access_key_1
roles:
- collectionManager
Expand Up @@ -8,4 +8,5 @@ data:
# admin: admin
# to generate: `backup-repository --encode-password "admin"
admin: "JGFyZ29uMmlkJHY9MTkkbT02NTUzNix0PTEscD00JHpuVy9IT2Y4Q3RkdStvNSttYlR2REE9PSRaZlVpRGl2QWV2T2RZNndKYWJBb0FQdmM1a1hsemxDNkg2OFY2dGVmNUY0PQ=="

# to generate: `backup-repository --encode-password "admin"`
admin_access_key_1: "JGFyZ29uMmlkJHY9MTkkbT02NTUzNix0PTEscD00JERzUzlPTzFOc0JVREhvR1RmQ01wemc9PSRrcXh4bFliS3A4Um81MXZEb0FQaUdBeFhkNTgrY1ZzdERyZ3p3NG16bjFVPQ=="
4 changes: 3 additions & 1 deletion docs/examples/secret.yaml
Expand Up @@ -6,8 +6,10 @@ metadata:
type: Opaque
data:
# admin: admin
# to generate: `backup-repository --encode-password "admin"
# to generate: `backup-repository --encode-password "admin"`
admin: "JGFyZ29uMmlkJHY9MTkkbT02NTUzNix0PTEscD00JHpuVy9IT2Y4Q3RkdStvNSttYlR2REE9PSRaZlVpRGl2QWV2T2RZNndKYWJBb0FQdmM1a1hsemxDNkg2OFY2dGVmNUY0PQ=="
# to generate: `backup-repository --encode-password "admin"`
admin_access_key_1: "JGFyZ29uMmlkJHY9MTkkbT02NTUzNix0PTEscD00JERzUzlPTzFOc0JVREhvR1RmQ01wemc9PSRrcXh4bFliS3A4Um81MXZEb0FQaUdBeFhkNTgrY1ZzdERyZ3p3NG16bjFVPQ=="

---
apiVersion: v1
12 changes: 12 additions & 0 deletions docs/examples/user.second-actor.yaml
Expand Up @@ -12,5 +12,17 @@ spec:
passwordFromRef:
name: backup-repository-passwords
entry: admin
accessKeys:
#
# login: some-user$uploader
# password: test
#
- name: uploader
collections: ["iwa-ait"]
roles: ["backupUploader"]
# password: ""
passwordFromRef:
name: backup-repository-passwords
entry: admin_access_key_1
roles:
- collectionManager
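Review bot: The block is declared as `accessKeys:` in docs/examples/user.second-actor.yaml but as `collectionAccessKeys:` in the other user example added earlier in this commit; only one spelling can match the field the loader expects (the Go struct is not visible here), so the other example is presumably ignored on load without any error, and the two files should use the same key. The explanatory comment `# password: test` above the `uploader` entry contradicts the referenced secret, whose own comment says `admin_access_key_1` was generated with `--encode-password "admin"`; either change the comment to `# password: admin` or regenerate the entry from `test`. The `# login: some-user$uploader` hint does not match any name in this file; a sentence such as `# the access key is addressed as <username>$<access key name>` would document the convention without a stale sample value, assuming that is indeed the login format.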
39 changes: 21 additions & 18 deletions go.mod
Expand Up @@ -3,24 +3,25 @@ module github.com/riotkit-org/backup-repository
go 1.19

require (
github.com/appleboy/gin-jwt/v2 v2.8.0
github.com/appleboy/gin-jwt/v2 v2.9.1
github.com/fatih/structs v1.1.0
github.com/gin-contrib/timeout v0.0.3
github.com/gin-gonic/gin v1.7.7
github.com/gin-gonic/gin v1.8.1
github.com/google/uuid v1.3.0
github.com/jessevdk/go-flags v1.5.0
github.com/julianshen/gin-limiter v0.0.0-20161123033831-fc39b5e90fe7
github.com/labstack/gommon v0.3.1
github.com/pkg/errors v0.9.1
github.com/robfig/cron/v3 v3.0.1
github.com/sirupsen/logrus v1.8.1
github.com/stretchr/testify v1.7.1
github.com/tidwall/gjson v1.14.1
github.com/stretchr/testify v1.8.4
github.com/tidwall/gjson v1.14.3
gocloud.dev v0.25.0
golang.org/x/crypto v0.0.0-20220331220935-ae2d96664a29
golang.org/x/net v0.0.0-20220401154927-543a649e0bdd
golang.org/x/crypto v0.4.0
golang.org/x/net v0.4.0
gorm.io/driver/postgres v1.3.4
gorm.io/gorm v1.23.5
k8s.io/api v0.24.0
k8s.io/apimachinery v0.24.0
k8s.io/client-go v0.24.0
sigs.k8s.io/controller-runtime v0.12.0
Expand Down Expand Up @@ -52,11 +53,12 @@ require (
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/gin-contrib/sse v0.1.0 // indirect
github.com/go-logr/logr v1.2.0 // indirect
github.com/go-playground/locales v0.13.0 // indirect
github.com/go-playground/universal-translator v0.17.0 // indirect
github.com/go-playground/validator/v10 v10.4.1 // indirect
github.com/go-playground/locales v0.14.0 // indirect
github.com/go-playground/universal-translator v0.18.0 // indirect
github.com/go-playground/validator/v10 v10.11.1 // indirect
github.com/goccy/go-json v0.10.0 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang-jwt/jwt/v4 v4.4.1 // indirect
github.com/golang-jwt/jwt/v4 v4.4.3 // indirect
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
github.com/golang/protobuf v1.5.2 // indirect
github.com/google/go-cmp v0.5.7 // indirect
Expand All @@ -77,30 +79,31 @@ require (
github.com/jmespath/go-jmespath v0.4.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/juju/ratelimit v1.0.1 // indirect
github.com/leodido/go-urn v1.2.0 // indirect
github.com/mattn/go-isatty v0.0.14 // indirect
github.com/leodido/go-urn v1.2.1 // indirect
github.com/mattn/go-isatty v0.0.16 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/pelletier/go-toml/v2 v2.0.6 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/spf13/pflag v1.0.5 // indirect
github.com/tidwall/match v1.1.1 // indirect
github.com/tidwall/pretty v1.2.0 // indirect
github.com/ugorji/go/codec v1.1.7 // indirect
github.com/ugorji/go/codec v1.2.7 // indirect
go.opencensus.io v0.23.0 // indirect
golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a // indirect
golang.org/x/sys v0.0.0-20220330033206-e17cdc41300f // indirect
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
golang.org/x/text v0.3.7 // indirect
golang.org/x/sys v0.3.0 // indirect
golang.org/x/term v0.3.0 // indirect
golang.org/x/text v0.5.0 // indirect
golang.org/x/time v0.0.0-20220224211638-0e9765cccd65 // indirect
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
google.golang.org/api v0.74.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/genproto v0.0.0-20220401170504-314d38edb7de // indirect
google.golang.org/grpc v1.45.0 // indirect
google.golang.org/protobuf v1.28.0 // indirect
google.golang.org/protobuf v1.28.1 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/klog/v2 v2.60.1 // indirect
k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 // indirect
sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect