From ede4fe4d4bb8336410a255ffdd216afb28e6ea94 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Patryk=20Ma=C5=82ek?= Date: Wed, 31 Jul 2024 17:48:00 +0200 Subject: [PATCH] feat(konnect): support Secrets in KonnectAPIAuthConfiguration --- .../konnect_apiauth_configuration.yaml | 30 ++++ .../konnect/reconciler_konnectapiauth.go | 92 +++++++++- .../konnect/reconciler_konnectapiauth_test.go | 161 ++++++++++++++++++ .../reconciler_konnectapiauth_watch.go | 73 ++++++++ go.mod | 2 +- go.sum | 14 +- modules/manager/scheme/scheme.go | 9 +- 7 files changed, 366 insertions(+), 15 deletions(-) create mode 100644 config/samples/konnect_apiauth_configuration.yaml create mode 100644 controller/konnect/reconciler_konnectapiauth_test.go create mode 100644 controller/konnect/reconciler_konnectapiauth_watch.go diff --git a/config/samples/konnect_apiauth_configuration.yaml b/config/samples/konnect_apiauth_configuration.yaml new file mode 100644 index 000000000..a2bdbff9e --- /dev/null +++ b/config/samples/konnect_apiauth_configuration.yaml @@ -0,0 +1,30 @@ +kind: KonnectAPIAuthConfiguration +apiVersion: konnect.konghq.com/v1alpha1 +metadata: + name: konnect-api-auth-1 + namespace: default +spec: + type: token + token: kpat_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx + serverURL: eu.api.konghq.com +--- +kind: KonnectAPIAuthConfiguration +apiVersion: konnect.konghq.com/v1alpha1 +metadata: + name: konnect-api-auth-2 + namespace: default +spec: + type: secretRef + secretRef: + name: konnect-api-auth-secret + serverURL: eu.api.konghq.com +--- +kind: Secret +apiVersion: v1 +metadata: + name: konnect-api-auth-secret + namespace: default + labels: + konghq.com/credential: konnect +stringData: + token: kpat_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx diff --git a/controller/konnect/reconciler_konnectapiauth.go b/controller/konnect/reconciler_konnectapiauth.go index b5322990b..c7a8c4f4f 100644 --- a/controller/konnect/reconciler_konnectapiauth.go +++ b/controller/konnect/reconciler_konnectapiauth.go @@ -6,10 +6,15 @@ import ( "time" sdkkonnectgoops "github.com/Kong/sdk-konnect-go/models/operations" + corev1 "k8s.io/api/core/v1" k8serrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/builder" "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/handler" + "sigs.k8s.io/controller-runtime/pkg/predicate" "github.com/kong/gateway-operator/controller/pkg/log" k8sutils "github.com/kong/gateway-operator/pkg/utils/kubernetes" @@ -24,6 +29,17 @@ type KonnectAPIAuthConfigurationReconciler struct { Client client.Client } +const ( + // SecretTokenKey is the key used to store the token in the Secret. + SecretTokenKey = "token" + // SecretCredentialLabel is the label used to identify Secrets holding + // KonnectAPIAuthConfiguration tokens. + SecretCredentialLabel = "konghq.com/credential" //nolint:gosec + // SecretCredentialLabelValueKonnect is the value of the label used to + // identify Secrets holding KonnectAPIAuthConfiguration tokens. + SecretCredentialLabelValueKonnect = "konnect" +) + // NewKonnectAPIAuthConfigurationReconciler creates a new KonnectAPIAuthConfigurationReconciler. func NewKonnectAPIAuthConfigurationReconciler( sdkFactory SDKFactory, @@ -39,8 +55,26 @@ func NewKonnectAPIAuthConfigurationReconciler( // SetupWithManager sets up the controller with the Manager. func (r *KonnectAPIAuthConfigurationReconciler) SetupWithManager(mgr ctrl.Manager) error { + secretLabelPredicate, err := predicate.LabelSelectorPredicate( + metav1.LabelSelector{ + MatchLabels: map[string]string{ + SecretCredentialLabel: SecretCredentialLabelValueKonnect, + }, + }, + ) + if err != nil { + return fmt.Errorf("failed to create Secret label selector predicate: %w", err) + } + b := ctrl.NewControllerManagedBy(mgr). For(&konnectv1alpha1.KonnectAPIAuthConfiguration{}). + Watches( + &corev1.Secret{}, + handler.EnqueueRequestsFromMapFunc( + listKonnectAPIAuthConfigurationsReferencingSecret(mgr.GetClient()), + ), + builder.WithPredicates(secretLabelPredicate), + ). Named("KonnectAPIAuthConfiguration") return b.Complete(r) @@ -81,9 +115,30 @@ func (r *KonnectAPIAuthConfigurationReconciler) Reconcile( return ctrl.Result{}, nil } + token, err := getTokenFromKonnectAPIAuthConfiguration(ctx, r.Client, &apiAuth) + if err != nil { + k8sutils.SetCondition( + k8sutils.NewConditionWithGeneration( + KonnectEntityAPIAuthConfigurationValidConditionType, + metav1.ConditionFalse, + KonnectEntityAPIAuthConfigurationReasonInvalid, + err.Error(), + apiAuth.GetGeneration(), + ), + &apiAuth, + ) + if err := r.Client.Status().Update(ctx, &apiAuth); err != nil { + if k8serrors.IsConflict(err) { + return ctrl.Result{Requeue: true}, nil + } + return ctrl.Result{}, fmt.Errorf("failed to update status of %s: %w", entityTypeName, err) + } + return ctrl.Result{}, err + } + sdk := r.SDKFactory.NewKonnectSDK( "https://"+apiAuth.Spec.ServerURL, - SDKToken(apiAuth.Spec.Token), + SDKToken(token), ) // TODO(pmalek): check if api auth config has a valid status condition @@ -149,3 +204,38 @@ func (r *KonnectAPIAuthConfigurationReconciler) Reconcile( return ctrl.Result{}, nil } + +// getTokenFromKonnectAPIAuthConfiguration returns the token from the secret reference or the token field. +func getTokenFromKonnectAPIAuthConfiguration( + ctx context.Context, cl client.Client, apiAuth *konnectv1alpha1.KonnectAPIAuthConfiguration, +) (string, error) { + switch apiAuth.Spec.Type { + case konnectv1alpha1.KonnectAPIAuthTypeToken: + return apiAuth.Spec.Token, nil + case konnectv1alpha1.KonnectAPIAuthTypeSecretRef: + var secret corev1.Secret + nn := types.NamespacedName{ + Namespace: apiAuth.Spec.SecretRef.Namespace, + Name: apiAuth.Spec.SecretRef.Name, + } + if nn.Namespace == "" { + nn.Namespace = apiAuth.Namespace + } + + if err := cl.Get(ctx, nn, &secret); err != nil { + return "", fmt.Errorf("failed to get Secret %s: %w", nn, err) + } + if secret.Labels == nil || secret.Labels[SecretCredentialLabel] != SecretCredentialLabelValueKonnect { + return "", fmt.Errorf("Secret %s does not have label %s: %s", nn, SecretCredentialLabel, SecretCredentialLabelValueKonnect) + } + if secret.Data == nil { + return "", fmt.Errorf("Secret %s has no data", nn) + } + if _, ok := secret.Data[SecretTokenKey]; !ok { + return "", fmt.Errorf("Secret %s does not have key %s", nn, SecretTokenKey) + } + return string(secret.Data[SecretTokenKey]), nil + } + + return "", fmt.Errorf("unknown KonnectAPIAuthType: %s", apiAuth.Spec.Type) +} diff --git a/controller/konnect/reconciler_konnectapiauth_test.go b/controller/konnect/reconciler_konnectapiauth_test.go new file mode 100644 index 000000000..193d6d9dd --- /dev/null +++ b/controller/konnect/reconciler_konnectapiauth_test.go @@ -0,0 +1,161 @@ +package konnect + +import ( + "context" + "testing" + + "github.com/stretchr/testify/assert" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "sigs.k8s.io/controller-runtime/pkg/client/fake" + + konnectv1alpha1 "github.com/kong/kubernetes-configuration/api/konnect/v1alpha1" +) + +func TestGetTokenFromKonnectAPIAuthConfiguration(t *testing.T) { + tests := []struct { + name string + apiAuth *konnectv1alpha1.KonnectAPIAuthConfiguration + secret *corev1.Secret + expectedToken string + expectedError bool + }{ + { + name: "valid Token", + apiAuth: &konnectv1alpha1.KonnectAPIAuthConfiguration{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-api-auth", + Namespace: "default", + }, + Spec: konnectv1alpha1.KonnectAPIAuthConfigurationSpec{ + Type: konnectv1alpha1.KonnectAPIAuthTypeToken, + Token: "kpat_xxxxxxxxxxxx", + }, + }, + expectedToken: "kpat_xxxxxxxxxxxx", + }, + { + name: "valid Secret Reference", + apiAuth: &konnectv1alpha1.KonnectAPIAuthConfiguration{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-api-auth", + Namespace: "default", + }, + Spec: konnectv1alpha1.KonnectAPIAuthConfigurationSpec{ + Type: konnectv1alpha1.KonnectAPIAuthTypeSecretRef, + SecretRef: &corev1.SecretReference{ + Name: "test-secret", + Namespace: "default", + }, + }, + }, + secret: &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-secret", + Namespace: "default", + Labels: map[string]string{ + "konghq.com/credential": "konnect", + }, + }, + Data: map[string][]byte{ + "token": []byte("test-token"), + }, + }, + expectedToken: "test-token", + }, + { + name: "Secret is missing konghq.com/credential=konnect label", + apiAuth: &konnectv1alpha1.KonnectAPIAuthConfiguration{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-api-auth", + Namespace: "default", + }, + Spec: konnectv1alpha1.KonnectAPIAuthConfigurationSpec{ + Type: konnectv1alpha1.KonnectAPIAuthTypeSecretRef, + SecretRef: &corev1.SecretReference{ + Name: "test-secret", + Namespace: "default", + }, + }, + }, + secret: &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-secret", + Namespace: "default", + }, + Data: map[string][]byte{ + "token": []byte("test-token"), + }, + }, + expectedError: true, + }, + { + name: "missing token from referred Secret", + apiAuth: &konnectv1alpha1.KonnectAPIAuthConfiguration{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-api-auth", + Namespace: "default", + }, + Spec: konnectv1alpha1.KonnectAPIAuthConfigurationSpec{ + Type: konnectv1alpha1.KonnectAPIAuthTypeSecretRef, + SecretRef: &corev1.SecretReference{ + Name: "test-secret", + Namespace: "default", + }, + }, + }, + secret: &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-secret", + Namespace: "default", + Labels: map[string]string{ + "konghq.com/credential": "konnect", + }, + }, + Data: map[string][]byte{ + "random_key": []byte("dummy"), + }, + }, + expectedToken: "test-token", + expectedError: true, + }, + { + name: "Invalid Secret Reference", + apiAuth: &konnectv1alpha1.KonnectAPIAuthConfiguration{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-api-auth", + Namespace: "default", + }, + Spec: konnectv1alpha1.KonnectAPIAuthConfigurationSpec{ + Type: konnectv1alpha1.KonnectAPIAuthTypeSecretRef, + SecretRef: &corev1.SecretReference{ + Name: "non-existent-secret", + Namespace: "default", + }, + }, + }, + expectedError: true, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + clientBuilder := fake.NewClientBuilder() + + // Create the secret in the fake client + if tt.secret != nil { + clientBuilder.WithObjects(tt.secret) + } + cl := clientBuilder.Build() + + // Call the function under test + token, err := getTokenFromKonnectAPIAuthConfiguration(context.Background(), cl, tt.apiAuth) + if tt.expectedError { + assert.NotNil(t, err) + return + } + + assert.Equal(t, tt.expectedToken, token) + }) + } +} diff --git a/controller/konnect/reconciler_konnectapiauth_watch.go b/controller/konnect/reconciler_konnectapiauth_watch.go new file mode 100644 index 000000000..1f7b58bed --- /dev/null +++ b/controller/konnect/reconciler_konnectapiauth_watch.go @@ -0,0 +1,73 @@ +package konnect + +import ( + "context" + "fmt" + "reflect" + + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/types" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/log" + "sigs.k8s.io/controller-runtime/pkg/reconcile" + + operatorerrors "github.com/kong/gateway-operator/internal/errors" + + konnectv1alpha1 "github.com/kong/kubernetes-configuration/api/konnect/v1alpha1" +) + +// listKonnectAPIAuthConfigurationsReferencingSecret returns a function that lists +// KonnectAPIAuthConfiguration resources that reference the given Secret. +// This function is intended to be used as a handler for the watch on Secrets. +// NOTE: The Secret has to have the konnect.konghq.com/credential=konnect set +// so that we can efficiently watch only the relevant Secrets' changes. +func listKonnectAPIAuthConfigurationsReferencingSecret(cl client.Client) func(ctx context.Context, obj client.Object) []reconcile.Request { + return func(ctx context.Context, obj client.Object) []reconcile.Request { + logger := log.FromContext(ctx) + + secret, ok := obj.(*corev1.Secret) + if !ok { + logger.Error( + operatorerrors.ErrUnexpectedObject, + "failed to run map funcs", + "expected", "Secret", "found", reflect.TypeOf(obj), + ) + return nil + } + + var konnectAPIAuthConfigList konnectv1alpha1.KonnectAPIAuthConfigurationList + if err := cl.List(ctx, &konnectAPIAuthConfigList); err != nil { + log.FromContext(ctx).Error( + fmt.Errorf("unexpected error occurred while listing KonnectAPIAuthConfiguration resources"), + "failed to run map funcs", + "error", err.Error(), + ) + return nil + } + + var recs []reconcile.Request + for _, apiAuth := range konnectAPIAuthConfigList.Items { + if apiAuth.Spec.Type != konnectv1alpha1.KonnectAPIAuthTypeSecretRef { + continue + } + + if apiAuth.Spec.SecretRef == nil || + apiAuth.Spec.SecretRef.Name != secret.Name { + continue + } + + if (apiAuth.Spec.SecretRef.Namespace != "" && apiAuth.Spec.SecretRef.Namespace != secret.Namespace) || + (apiAuth.Spec.SecretRef.Namespace == "" && secret.Namespace != apiAuth.Namespace) { + continue + } + + recs = append(recs, reconcile.Request{ + NamespacedName: types.NamespacedName{ + Namespace: apiAuth.Namespace, + Name: apiAuth.Name, + }, + }) + } + return recs + } +} diff --git a/go.mod b/go.mod index f47820288..6071143ed 100644 --- a/go.mod +++ b/go.mod @@ -17,7 +17,7 @@ require ( github.com/cloudflare/cfssl v1.6.5 github.com/go-logr/logr v1.4.2 github.com/google/uuid v1.6.0 - github.com/kong/kubernetes-configuration v0.0.0-20240801170722-d6586edd1b81 + github.com/kong/kubernetes-configuration v0.0.0-20240802130201-3233f9f923a7 github.com/kong/kubernetes-ingress-controller/v3 v3.2.3 github.com/kong/kubernetes-telemetry v0.1.4 github.com/kong/kubernetes-testing-framework v0.47.1 diff --git a/go.sum b/go.sum index cc741f92b..be3ed9cee 100644 --- a/go.sum +++ b/go.sum @@ -14,8 +14,6 @@ github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg6 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8= github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= -github.com/Kong/sdk-konnect-go v0.0.0-20240723160412-999d9a987e1a h1:0mQhPVVA2/+uTVmoKrEIGf+0eTrNyr80Ssv1zGs/1Lk= -github.com/Kong/sdk-konnect-go v0.0.0-20240723160412-999d9a987e1a/go.mod h1:ipu67aQNnwDzu/LXKePG46cVqkkZnAHKWpsbhTEI8xE= github.com/Kong/sdk-konnect-go v0.0.0-20240801091928-39a27951b473 h1:vIYHnHxEcWTGPZ113NPlLvWEOWYaPRYwwpuoU2J64yY= github.com/Kong/sdk-konnect-go v0.0.0-20240801091928-39a27951b473/go.mod h1:75YzLhfnYfmCvBJgkafzVuREwBAec2/jihCW2fyn6hY= github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww= @@ -219,16 +217,8 @@ github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/kong/go-kong v0.57.0 h1:e+4bHTzcO0xhFPVyGIUtlO+B4E4l14k55NH8Vjw6ORY= github.com/kong/go-kong v0.57.0/go.mod h1:gyNwyP1fzztT6sX/0/ygMQ30OiRMIQ51b2jSfstMrcU= -github.com/kong/kubernetes-configuration v0.0.0-20240726122834-c10e8297f9e6 h1:mi0P9KZSYbI1bffC+dwz0lesjHgd3AS4W/762C6qJHs= -github.com/kong/kubernetes-configuration v0.0.0-20240726122834-c10e8297f9e6/go.mod h1:kZTKzwQ68Wk2n8W8Em0RsYTL2yVNbCWU+5b9w1WU+Hs= -github.com/kong/kubernetes-configuration v0.0.0-20240731182605-13d36c4c628c h1:D+JNLhsjs3I9R4tUp9/0EknDG2DayVny20rEGj33o/w= -github.com/kong/kubernetes-configuration v0.0.0-20240731182605-13d36c4c628c/go.mod h1:kZTKzwQ68Wk2n8W8Em0RsYTL2yVNbCWU+5b9w1WU+Hs= -github.com/kong/kubernetes-configuration v0.0.0-20240801095618-0ed30e4054cb h1:GUMgT3qqNjLV1Wdl8D6fskEaN/vof/FRhRbicIkUKpg= -github.com/kong/kubernetes-configuration v0.0.0-20240801095618-0ed30e4054cb/go.mod h1:kZTKzwQ68Wk2n8W8Em0RsYTL2yVNbCWU+5b9w1WU+Hs= -github.com/kong/kubernetes-configuration v0.0.0-20240801155137-c98bf64df469 h1:wzRoAf4byqST4BvmqPne/GL56VrnsrRM3A8ePuvOyf4= -github.com/kong/kubernetes-configuration v0.0.0-20240801155137-c98bf64df469/go.mod h1:kZTKzwQ68Wk2n8W8Em0RsYTL2yVNbCWU+5b9w1WU+Hs= -github.com/kong/kubernetes-configuration v0.0.0-20240801170722-d6586edd1b81 h1:yEbqo7RdTQ7iGEA1PIpQGfO7D5EN7jj2qdPOGN9ipow= -github.com/kong/kubernetes-configuration v0.0.0-20240801170722-d6586edd1b81/go.mod h1:kZTKzwQ68Wk2n8W8Em0RsYTL2yVNbCWU+5b9w1WU+Hs= +github.com/kong/kubernetes-configuration v0.0.0-20240802130201-3233f9f923a7 h1:8jSp93vPvwEEpIBNYwzEYdWJ1lRKdxBhB8Eu4RsZXg4= +github.com/kong/kubernetes-configuration v0.0.0-20240802130201-3233f9f923a7/go.mod h1:kZTKzwQ68Wk2n8W8Em0RsYTL2yVNbCWU+5b9w1WU+Hs= github.com/kong/kubernetes-ingress-controller/v3 v3.2.3 h1:SQ/0hfceGmsvzbkCUxiJUv1ELcFRp4d6IzvYGfHct9o= github.com/kong/kubernetes-ingress-controller/v3 v3.2.3/go.mod h1:gshVZnDU2FTe/95I3vSJPsH2kyB8zR+GpUIieCyt8C4= github.com/kong/kubernetes-telemetry v0.1.4 h1:Yz7OlECxWKgNRG1wJ5imA4+H0dQEpdU9d86uhwUVpu4= diff --git a/modules/manager/scheme/scheme.go b/modules/manager/scheme/scheme.go index 8d234eaa0..f36a61f6f 100644 --- a/modules/manager/scheme/scheme.go +++ b/modules/manager/scheme/scheme.go @@ -13,18 +13,25 @@ import ( configurationv1 "github.com/kong/kubernetes-configuration/api/configuration/v1" configurationv1alpha1 "github.com/kong/kubernetes-configuration/api/configuration/v1alpha1" configurationv1beta1 "github.com/kong/kubernetes-configuration/api/configuration/v1beta1" + konnectv1alpha1 "github.com/kong/kubernetes-configuration/api/konnect/v1alpha1" ) // Get returns a scheme aware of all types the manager can interact with. func Get() *runtime.Scheme { scheme := runtime.NewScheme() utilruntime.Must(clientgoscheme.AddToScheme(scheme)) + utilruntime.Must(operatorv1alpha1.AddToScheme(scheme)) utilruntime.Must(operatorv1beta1.AddToScheme(scheme)) + utilruntime.Must(gatewayv1.Install(scheme)) utilruntime.Must(gatewayv1beta1.Install(scheme)) + utilruntime.Must(configurationv1.AddToScheme(scheme)) - utilruntime.Must(configurationv1beta1.AddToScheme(scheme)) utilruntime.Must(configurationv1alpha1.AddToScheme(scheme)) + utilruntime.Must(configurationv1beta1.AddToScheme(scheme)) + + utilruntime.Must(konnectv1alpha1.AddToScheme(scheme)) + return scheme }