Renamed annotations
Signed-off-by: Maksim Kiselev <[email protected]>
trublast committed Jun 28, 2024
1 parent 5af2c9d commit 60468fd
Showing 6 changed files with 65 additions and 221 deletions.
5 changes: 4 additions & 1 deletion docs/USAGE_RU.md
Expand Up @@ -83,7 +83,8 @@ metadata:
name: myapp1
namespace: my-namespace
annotations:
stronghold.deckhouse.io/env-from-path: secret/data/myapp
secret-store.deckhouse.io/role: "myapp"
secret-store.deckhouse.io/env-from-path: secret/data/myapp
spec:
serviceAccountName: myapp
containers:
Expand Down Expand Up @@ -121,6 +122,8 @@ apiVersion: v1
metadata:
name: myapp2
namespace: my-namespace
annotations:
secret-store.deckhouse.io/role: "myapp"
spec:
serviceAccountName: myapp
containers:
8 changes: 4 additions & 4 deletions images/env-injector/injector.go
Expand Up @@ -66,7 +66,7 @@ func NewSecretInjector(config Config, client *vault.Client, renewer SecretRenewe
}
}

var inlineMutationRegex = regexp.MustCompile(`\${([>]{0,2}stronghold:.*?#*}?)}`)
var inlineMutationRegex = regexp.MustCompile(`\${([>]{0,2}secret-store:.*?#*}?)}`)

func (i *SecretInjector) FetchTransitSecrets(secrets []string) (map[string][]byte, error) {
if len(i.config.TransitKeyID) == 0 {
Expand Down Expand Up @@ -204,20 +204,20 @@ func (i *SecretInjector) InjectSecretsFromVault(references map[string]string, in
}

var update bool
if strings.HasPrefix(value, ">>stronghold:") {
if strings.HasPrefix(value, ">>secret-store:") {
value = strings.TrimPrefix(value, ">>")
update = true
} else {
update = false
}

if !strings.HasPrefix(value, "stronghold:") {
if !strings.HasPrefix(value, "secret-store:") {
inject(name, value)

continue
}

valuePath := strings.TrimPrefix(value, "stronghold:")
valuePath := strings.TrimPrefix(value, "secret-store:")

// handle special case for vault:login env value
// namely pass through the VAULT_TOKEN received from the Vault login procedure
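Review bot: After the prefix rename, an env value still written with the old `stronghold:` or `>>stronghold:` prefix matches neither `HasPrefix` check and falls through to `inject(name, value)`, so the literal reference string becomes the container's environment value and the pod starts without the secret and without any error; the identical hunk in images/vault-secrets-webhook/pkg/webhook/injector.go behaves the same way. A guard ahead of the pass-through, `if strings.HasPrefix(value, "stronghold:") || strings.HasPrefix(value, ">>stronghold:") {`, that rejects or at least logs the legacy reference would make the migration failure visible instead of leaking a placeholder into the workload. The `inlineMutationRegex` in the first hunk has the same effect for `${stronghold:...}` templates, which are now left unexpanded. InjectSecretsFromVault's signature and return path are outside the hunk, so the exact error form should follow whatever the function already returns.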
47 changes: 14 additions & 33 deletions images/vault-secrets-webhook/pkg/common/common.go
Expand Up @@ -23,43 +23,24 @@ import (
const (
// Webhook annotations
// ref: https://bank-vaults.dev/docs/mutating-webhook/annotations/
PSPAllowPrivilegeEscalationAnnotation = "stronghold.deckhouse.io/psp-allow-privilege-escalation"
RunAsNonRootAnnotation = "stronghold.deckhouse.io/run-as-non-root"
RunAsUserAnnotation = "stronghold.deckhouse.io/run-as-user"
RunAsGroupAnnotation = "stronghold.deckhouse.io/run-as-group"
ReadOnlyRootFsAnnotation = "stronghold.deckhouse.io/readonly-root-fs"
RegistrySkipVerifyAnnotation = "stronghold.deckhouse.io/registry-skip-verify"
MutateAnnotation = "stronghold.deckhouse.io/mutate"
MutateProbesAnnotation = "stronghold.deckhouse.io/mutate-probes"

EnableJSONLogAnnotation = "stronghold.deckhouse.io/enable-json-log"
// SecretInitJSONLogAnnotation = "stronghold.deckhouse.io/secret-init-json-log"
VaultEnvImageAnnotation = "stronghold.deckhouse.io/env-injector-image"
// SecretInitImageAnnotation = "stronghold.deckhouse.io/secret-init-image"
VaultEnvImagePullPolicyAnnotation = "stronghold.deckhouse.io/env-injector-image-pull-policy"
// SecretInitImagePullPolicyAnnotation = "stronghold.deckhouse.io/secret-init-image-pull-policy"
MutateProbesAnnotation = "secret-store.deckhouse.io/mutate-probes"

EnableJSONLogAnnotation = "secret-store.deckhouse.io/enable-json-log"
// Vault annotations
VaultAddrAnnotation = "stronghold.deckhouse.io/addr"
VaultRoleAnnotation = "stronghold.deckhouse.io/role"
VaultPathAnnotation = "stronghold.deckhouse.io/auth-path"
VaultSkipVerifyAnnotation = "stronghold.deckhouse.io/tls-skip-verify"
VaultTLSSecretAnnotation = "stronghold.deckhouse.io/tls-secret"
VaultIgnoreMissingSecretsAnnotation = "stronghold.deckhouse.io/ignore-missing-secrets"
VaultClientTimeoutAnnotation = "stronghold.deckhouse.io/client-timeout"
TransitKeyIDAnnotation = "stronghold.deckhouse.io/transit-key-id"
TransitPathAnnotation = "stronghold.deckhouse.io/transit-path"
VaultAuthMethodAnnotation = "stronghold.deckhouse.io/auth-method"
TransitBatchSizeAnnotation = "stronghold.deckhouse.io/transit-batch-size"
VaultServiceaccountAnnotation = "stronghold.deckhouse.io/serviceaccount"
VaultNamespaceAnnotation = "stronghold.deckhouse.io/namespace"
ServiceAccountTokenVolumeNameAnnotation = "stronghold.deckhouse.io/service-account-token-volume-name"
LogLevelAnnotation = "stronghold.deckhouse.io/log-level"
VaultEnvPassthroughAnnotation = "stronghold.deckhouse.io/vault-env-passthrough"
VaultEnvFromPathAnnotation = "stronghold.deckhouse.io/env-from-path"
VaultAddrAnnotation = "secret-store.deckhouse.io/addr"
VaultRoleAnnotation = "secret-store.deckhouse.io/role"
VaultPathAnnotation = "secret-store.deckhouse.io/auth-path"
VaultSkipVerifyAnnotation = "secret-store.deckhouse.io/tls-skip-verify"
VaultTLSSecretAnnotation = "secret-store.deckhouse.io/tls-secret"
VaultIgnoreMissingSecretsAnnotation = "secret-store.deckhouse.io/ignore-missing-secrets"
VaultClientTimeoutAnnotation = "secret-store.deckhouse.io/client-timeout"
VaultNamespaceAnnotation = "secret-store.deckhouse.io/namespace"
ServiceAccountTokenVolumeNameAnnotation = "secret-store.deckhouse.io/service-account-token-volume-name"
LogLevelAnnotation = "secret-store.deckhouse.io/log-level"
VaultEnvFromPathAnnotation = "secret-store.deckhouse.io/env-from-path"

)

func HasVaultPrefix(value string) bool {
return strings.HasPrefix(value, "stronghold:") || strings.HasPrefix(value, ">>stronghold:")
return strings.HasPrefix(value, "secret-store:") || strings.HasPrefix(value, ">>secret-store:")
}
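Review bot: The `// ref: https://bank-vaults.dev/docs/mutating-webhook/annotations/` comment kept above the renamed constants now points at an annotation set that no longer matches: the keys are `secret-store.deckhouse.io/*` and most upstream entries were dropped in this commit. Replacing it with `// Pod annotations honored by this webhook; see docs/USAGE_RU.md for the supported set.` would stop readers from looking up removed options on the upstream page. The retained `VaultAddrAnnotation`, `VaultPathAnnotation`, `VaultNamespaceAnnotation` and `ServiceAccountTokenVolumeNameAnnotation` appear to have lost their lookups in the config.go hunks of this commit, so unless another file still reads them they are dead and should be removed or documented as unused. Since the commit hardcodes the other security-sensitive settings, it is also worth deciding deliberately whether `VaultSkipVerifyAnnotation` should remain pod-controllable, as it lets a workload author disable TLS verification toward the secret store for that pod.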
178 changes: 19 additions & 159 deletions images/vault-secrets-webhook/pkg/webhook/config.go
Expand Up @@ -75,51 +75,16 @@ func parseVaultConfig(obj metav1.Object, ar *model.AdmissionReview) VaultConfig

annotations := obj.GetAnnotations()

if val := annotations[common.MutateAnnotation]; val == "skip" {
vaultConfig.Skip = true

return vaultConfig
}

if val, ok := annotations[common.VaultAddrAnnotation]; ok {
vaultConfig.Addr = val
} else {
vaultConfig.Addr = viper.GetString("addr")
}

if val, ok := annotations[common.VaultRoleAnnotation]; ok {
vaultConfig.Role = val
} else {
if val := viper.GetString("role"); val != "" {
vaultConfig.Role = val
} else {
switch p := obj.(type) {
case *corev1.Pod:
vaultConfig.Role = p.Spec.ServiceAccountName
default:
vaultConfig.Role = "default"
}
}
}

if val, ok := annotations[common.VaultAuthMethodAnnotation]; ok {
vaultConfig.AuthMethod = val
} else {
vaultConfig.AuthMethod = viper.GetString("auth_method")
vaultConfig.Skip = true
return vaultConfig
}

if val, ok := annotations[common.VaultPathAnnotation]; ok {
vaultConfig.Path = val
} else {
vaultConfig.Path = viper.GetString("auth_path")
}

// TODO: Check for flag to verify we want to use namespace-local SAs instead of the vault webhook namespaces SA
if val, ok := annotations[common.VaultServiceaccountAnnotation]; ok {
vaultConfig.VaultServiceAccount = val
} else {
vaultConfig.VaultServiceAccount = viper.GetString("serviceaccount")
}
vaultConfig.Addr = viper.GetString("addr")
vaultConfig.AuthMethod = "jwt"
vaultConfig.Path = viper.GetString("auth_path")

if val, ok := annotations[common.VaultSkipVerifyAnnotation]; ok {
vaultConfig.SkipVerify, _ = strconv.ParseBool(val)
Expand All @@ -139,60 +104,23 @@ func parseVaultConfig(obj metav1.Object, ar *model.AdmissionReview) VaultConfig
vaultConfig.ClientTimeout, _ = time.ParseDuration(viper.GetString("client_timeout"))
}

if val, ok := annotations[common.ServiceAccountTokenVolumeNameAnnotation]; ok {
vaultConfig.ServiceAccountTokenVolumeName = val
} else if viper.GetString("SERVICE_ACCOUNT_TOKEN_VOLUME_NAME") != "" {
vaultConfig.ServiceAccountTokenVolumeName = viper.GetString("SERVICE_ACCOUNT_TOKEN_VOLUME_NAME")
} else {
vaultConfig.ServiceAccountTokenVolumeName = "/var/run/secrets/kubernetes.io/serviceaccount"
}
vaultConfig.ServiceAccountTokenVolumeName = "/var/run/secrets/kubernetes.io/serviceaccount"

if val, ok := annotations[common.VaultIgnoreMissingSecretsAnnotation]; ok {
vaultConfig.IgnoreMissingSecrets = val
} else {
vaultConfig.IgnoreMissingSecrets = viper.GetString("ignore_missing_secrets")
}
if val, ok := annotations[common.VaultEnvPassthroughAnnotation]; ok {
vaultConfig.VaultEnvPassThrough = val
} else {
vaultConfig.VaultEnvPassThrough = viper.GetString("vault_env_passthrough")
}

if val, ok := annotations[common.PSPAllowPrivilegeEscalationAnnotation]; ok {
vaultConfig.PspAllowPrivilegeEscalation, _ = strconv.ParseBool(val)
} else {
vaultConfig.PspAllowPrivilegeEscalation, _ = strconv.ParseBool(viper.GetString("psp_allow_privilege_escalation"))
}
vaultConfig.PspAllowPrivilegeEscalation = false
vaultConfig.RunAsNonRoot = true

if val, ok := annotations[common.RunAsNonRootAnnotation]; ok {
vaultConfig.RunAsNonRoot, _ = strconv.ParseBool(val)
} else {
vaultConfig.RunAsNonRoot, _ = strconv.ParseBool(viper.GetString("run_as_non_root"))
}

if val, ok := annotations[common.RunAsUserAnnotation]; ok {
vaultConfig.RunAsUser, _ = strconv.ParseInt(val, 10, 64)
} else {
vaultConfig.RunAsUser, _ = strconv.ParseInt(viper.GetString("run_as_user"), 0, 64)
}

if val, ok := annotations[common.RunAsGroupAnnotation]; ok {
vaultConfig.RunAsGroup, _ = strconv.ParseInt(val, 10, 64)
} else {
vaultConfig.RunAsGroup, _ = strconv.ParseInt(viper.GetString("run_as_group"), 0, 64)
}
vaultConfig.RunAsUser = 64535
vaultConfig.RunAsGroup = 64535

if val, ok := annotations[common.ReadOnlyRootFsAnnotation]; ok {
vaultConfig.ReadOnlyRootFilesystem, _ = strconv.ParseBool(val)
} else {
vaultConfig.ReadOnlyRootFilesystem, _ = strconv.ParseBool(viper.GetString("readonly_root_fs"))
}
vaultConfig.ReadOnlyRootFilesystem = true

if val, ok := annotations[common.RegistrySkipVerifyAnnotation]; ok {
vaultConfig.RegistrySkipVerify, _ = strconv.ParseBool(val)
} else {
vaultConfig.RegistrySkipVerify, _ = strconv.ParseBool(viper.GetString("registry_skip_verify"))
}
vaultConfig.RegistrySkipVerify = true

if val, ok := annotations[common.LogLevelAnnotation]; ok {
vaultConfig.LogLevel = val
Expand All @@ -206,81 +134,31 @@ func parseVaultConfig(obj metav1.Object, ar *model.AdmissionReview) VaultConfig
vaultConfig.EnableJSONLog = viper.GetString("enable_json_log")
}

if val, ok := annotations[common.TransitKeyIDAnnotation]; ok {
vaultConfig.TransitKeyID = val
} else {
vaultConfig.TransitKeyID = viper.GetString("transit_key_id")
}

if val, ok := annotations[common.TransitPathAnnotation]; ok {
vaultConfig.TransitPath = val
} else {
vaultConfig.TransitPath = viper.GetString("transit_path")
}

if val, ok := annotations[common.VaultEnvFromPathAnnotation]; ok {
vaultConfig.VaultEnvFromPath = val
}

if val, ok := annotations[common.VaultEnvImageAnnotation]; ok {
vaultConfig.EnvImage = val
} else {
vaultConfig.EnvImage = viper.GetString("env_injector_image")
}
vaultConfig.EnvImage = viper.GetString("env_injector_image")

vaultConfig.EnvLogServer = viper.GetString("VAULT_ENV_LOG_SERVER")

if val, ok := annotations[common.VaultEnvImagePullPolicyAnnotation]; ok {
vaultConfig.EnvImagePullPolicy = getPullPolicy(val)
} else {
vaultConfig.EnvImagePullPolicy = getPullPolicy(viper.GetString("env_injector_pull_policy"))
}

if val, ok := annotations[common.VaultNamespaceAnnotation]; ok {
vaultConfig.VaultNamespace = val
} else {
vaultConfig.VaultNamespace = viper.GetString("VAULT_NAMESPACE")
}

if val, err := resource.ParseQuantity(viper.GetString("VAULT_ENV_CPU_REQUEST")); err == nil {
vaultConfig.EnvCPURequest = val
} else {
vaultConfig.EnvCPURequest = resource.MustParse("50m")
}

if val, err := resource.ParseQuantity(viper.GetString("VAULT_ENV_MEMORY_REQUEST")); err == nil {
vaultConfig.EnvMemoryRequest = val
} else {
vaultConfig.EnvMemoryRequest = resource.MustParse("64Mi")
}

if val, err := resource.ParseQuantity(viper.GetString("VAULT_ENV_CPU_LIMIT")); err == nil {
vaultConfig.EnvCPULimit = val
} else {
vaultConfig.EnvCPULimit = resource.MustParse("250m")
}

if val, err := resource.ParseQuantity(viper.GetString("VAULT_ENV_MEMORY_LIMIT")); err == nil {
vaultConfig.EnvMemoryLimit = val
} else {
vaultConfig.EnvMemoryLimit = resource.MustParse("64Mi")
}
vaultConfig.EnvCPURequest = resource.MustParse("50m")
vaultConfig.EnvMemoryRequest = resource.MustParse("64Mi")
vaultConfig.EnvCPULimit = resource.MustParse("250m")
vaultConfig.EnvMemoryLimit = resource.MustParse("64Mi")

if val, ok := annotations[common.MutateProbesAnnotation]; ok {
vaultConfig.MutateProbes, _ = strconv.ParseBool(val)
} else {
vaultConfig.MutateProbes = false
}

if val, ok := annotations[common.TransitBatchSizeAnnotation]; ok {
batchSize, _ := strconv.ParseInt(val, 10, 32)
vaultConfig.TransitBatchSize = int(batchSize)
} else {
vaultConfig.TransitBatchSize = viper.GetInt("transit_batch_size")
}

vaultConfig.Token = viper.GetString("vault_token")

return vaultConfig
}

Expand All @@ -300,39 +178,21 @@ func getPullPolicy(pullPolicyStr string) corev1.PullPolicy {
func SetConfigDefaults() {
viper.SetDefault("env_injector_image", "trublast/env-injector:v0.0.1")
viper.SetDefault("env_injector_pull_policy", string(corev1.PullIfNotPresent))
viper.SetDefault("addr", "https://stronghold.d8-stronghold:8200")
// viper.SetDefault("addr", "https://stronghold.d8-stronghold:8200")
viper.SetDefault("tls_skip_verify", "false")
viper.SetDefault("auth_path", "kubernetes_local")
// viper.SetDefault("auth_path", "kubernetes_local")
viper.SetDefault("auth_method", "jwt")
viper.SetDefault("role", "")
viper.SetDefault("tls_secret", "")
viper.SetDefault("client_timeout", "10s")
viper.SetDefault("psp_allow_privilege_escalation", "false")
viper.SetDefault("run_as_non_root", "false")
viper.SetDefault("run_as_user", "0")
viper.SetDefault("run_as_group", "0")
viper.SetDefault("readonly_root_fs", "true")
viper.SetDefault("ignore_missing_secrets", "false")
viper.SetDefault("vault_env_passthrough", "")
viper.SetDefault("tls_cert_file", "")
viper.SetDefault("tls_private_key_file", "")
viper.SetDefault("listen_address", ":8443")
viper.SetDefault("telemetry_listen_address", "")
viper.SetDefault("transit_key_id", "")
viper.SetDefault("transit_path", "")
viper.SetDefault("transit_batch_size", 25)
viper.SetDefault("default_image_pull_secret", "")
viper.SetDefault("default_image_pull_secret_service_account", "")
viper.SetDefault("default_image_pull_secret_namespace", "")
viper.SetDefault("registry_skip_verify", "false")
viper.SetDefault("enable_json_log", "false")
viper.SetDefault("log_level", "info")
viper.SetDefault("VAULT_ENV_CPU_REQUEST", "")
viper.SetDefault("VAULT_ENV_MEMORY_REQUEST", "")
viper.SetDefault("VAULT_ENV_CPU_LIMIT", "")
viper.SetDefault("VAULT_ENV_MEMORY_LIMIT", "")
viper.SetDefault("VAULT_ENV_LOG_SERVER", "")
viper.SetDefault("VAULT_NAMESPACE", "")

viper.AutomaticEnv()
}
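Review bot: `vaultConfig.RegistrySkipVerify = true` in the second parseVaultConfig hunk unconditionally disables TLS verification for registry lookups, whereas the removed branch fell back to the `registry_skip_verify` setting whose `"false"` default is still registered in SetConfigDefaults. The neighbouring hardcoded values in the same hunk (non-root, read-only root filesystem, no privilege escalation) all tighten the posture, so this one reads as an inversion rather than an intended relaxation; restoring `vaultConfig.RegistrySkipVerify, _ = strconv.ParseBool(viper.GetString("registry_skip_verify"))` or hardcoding `false` keeps the same direction. Separately, the first hunk now takes `vaultConfig.Addr = viper.GetString("addr")` and `vaultConfig.Path = viper.GetString("auth_path")` while the last hunk comments out the defaults for both keys, so with nothing supplied through the environment both are empty strings and no error is raised; a non-empty check after `viper.AutomaticEnv()` would fail fast instead of producing a config that cannot reach the secret store. parseVaultConfig's body starts before its first hunk and continues between them, so a caller-side check may already exist outside this view.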
8 changes: 4 additions & 4 deletions images/vault-secrets-webhook/pkg/webhook/injector.go
Expand Up @@ -67,7 +67,7 @@ func NewSecretInjector(config Config, client *vault.Client, renewer SecretRenewe
}
}

var inlineMutationRegex = regexp.MustCompile(`\${([>]{0,2}stronghold:.*?#*}?)}`)
var inlineMutationRegex = regexp.MustCompile(`\${([>]{0,2}secret-store:.*?#*}?)}`)

func (i *SecretInjector) FetchTransitSecrets(secrets []string) (map[string][]byte, error) {
if len(i.config.TransitKeyID) == 0 {
Expand Down Expand Up @@ -205,20 +205,20 @@ func (i *SecretInjector) InjectSecretsFromVault(references map[string]string, in
}

var update bool
if strings.HasPrefix(value, ">>stronghold:") {
if strings.HasPrefix(value, ">>secret-store:") {
value = strings.TrimPrefix(value, ">>")
update = true
} else {
update = false
}

if !strings.HasPrefix(value, "stronghold:") {
if !strings.HasPrefix(value, "secret-store:") {
inject(name, value)

continue
}

valuePath := strings.TrimPrefix(value, "stronghold:")
valuePath := strings.TrimPrefix(value, "secret-store:")

// handle special case for vault:login env value
// namely pass through the VAULT_TOKEN received from the Vault login procedure