Merge branch 'deployment-manager'

Author: TarradeMarc

.github/workflows/publish-deployment-manager.yaml

@@ -0,0 +1,47 @@
+name: Create and publish Docker image for Deployment manager to ghcr.io
+
+on:
+  release:
+    types: ['published']
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: SAP/deployment-manager
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+
+    environment: ghcr:cloud-active-defense
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Log in to the Container registry
+        uses: docker/[email protected]
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+          
+      - name: Extract metadata of deployment manager
+        id: meta
+        uses: docker/[email protected]
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Build and push Docker image of cdeployment manager
+        id: push
+        uses: docker/[email protected]
+        with:
+          context: ./deployment-manager
+          push: true
+          file: ./deployment-manager/Dockerfile
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }} 

assets/controlpanel-select-app.png

@@ -3,8 +3,10 @@ POSTGRES_PASSWORD=postgres
 DB_HOST=controlpanel-db
 DB_PORT=5432
 
-# Number of minutes
-CRON_CONFIGMANAGER=60
-
 CONTROLPANEL_FRONTEND_URL=http://localhost:4200
-CONFIGMANAGER_URL=http://configmanager:3000
+DEPLOYMENT_MANAGER_URL=
+
+DEPLOYMENT_MANAGER_PASSWORD=deployment_manager
+
+ENVOY_API_KEY=F3mTzUj8nRbW4pQc7gHxN1AvD5sL6KfVZ0yPuJkE2R9qXi8MwB7lChGvTa1ZoS3Nd
+FLUENTBIT_API_KEY=A7nW2zQj9rMgP4kEmB5vDfL1sY6uHxVqJc0tKbR3wNp8oUiZhXlC2yFoGvTd9Sa8Nm

assets/controlpanel-upload-kubeconfig.png

@@ -0,0 +1,18 @@
+const ApiKey = require('../models/Api-key');
+
+const authenticate = async (req, res, next) => {
+    const key = req.headers['authorization'];
+    if (!key) {
+        return res.status(401).json({ type: 'error', code: 401, message: "You must use an API key to access this" });
+    }
+    const apiKey = await ApiKey.findOne({ where: { key }})
+    if (!apiKey) {
+        return res.status(403).json({ type: 'error', code: 403, message: "Invalid API key" });
+    }
+    if (!apiKey.permissions.includes('configmanager') && !apiKey.permissions.includes('admin')) {
+        return res.status(403).json({ type: 'error', code: 403, message: "You don't have the required permissions to access this" });
+    }
+    next();
+};
+
+module.exports = authenticate;

controlpanel/api/.env

@@ -0,0 +1,9 @@
+const { isUrl } = require('../util/index')
+const checkDeploymentManagerURL = (req, res, next) => {
+    if (!process.env.DEPLOYMENT_MANAGER_URL || !isUrl(process.env.DEPLOYMENT_MANAGER_URL)) {
+        return res.status(500).json({ type: 'error', code: 500, message: "Deployment manager URL is not configured or badly formatted, you are probably not running Cloud Active Defense in Kyma" });
+    }
+    next();
+}
+
+module.exports = checkDeploymentManagerURL;

controlpanel/api/middleware/configmanager-authentication.js

@@ -0,0 +1,18 @@
+const ApiKey = require('../models/Api-key');
+
+const authenticate = async (req, res, next) => {
+    const key = req.headers['authorization'];
+    if (!key) {
+        return res.status(401).json({ type: 'error', code: 401, message: "You must use an API key to access this" });
+    }
+    const apiKey = await ApiKey.findOne({ where: { key }})
+    if (!apiKey) {
+        return res.status(403).json({ type: 'error', code: 403, message: "Invalid API key" });
+    }
+    if (!apiKey.permissions.includes('fluentbit') && !apiKey.permissions.includes('admin')) {
+        return res.status(403).json({ type: 'error', code: 403, message: "You don't have the required permissions to access this" });
+    }
+    next();
+};
+
+module.exports = authenticate;

controlpanel/api/middleware/deployment-manager.js

@@ -0,0 +1,33 @@
+const { DataTypes } = require("sequelize")
+const sequelize = require("../config/db.config");
+const ProtectedApp = require("./ProtectedApp");
+
+const ApiKey = sequelize.define("apiKey", {
+    id: {
+        type: DataTypes.UUID,
+        defaultValue: DataTypes.UUIDV4,
+        primaryKey: true
+    },
+    key: {
+        type: DataTypes.STRING,
+        allowNull: false
+    },
+    permissions: {
+        type: DataTypes.ARRAY(DataTypes.STRING),
+        allowNull: false
+    },
+    pa_id: {
+        type: DataTypes.UUID,
+        allowNull: false,
+        references: {
+            model: ProtectedApp,
+            key: 'id'
+        },
+    },
+    expirationDate: {
+        type: DataTypes.DATE,
+        allowNull: false,
+        defaultValue: new Date(new Date().setFullYear(new Date().getFullYear() + 1))
+    }
+});
+module.exports = ApiKey;

controlpanel/api/middleware/fluentbit-authentication.js

@@ -0,0 +1,40 @@
+const { DataTypes } = require("sequelize")
+const sequelize = require("../config/db.config");
+const Sequelize = require("sequelize");
+
+const Customer = sequelize.define("customer", {
+    id: {
+        type: DataTypes.UUID,
+        defaultValue: DataTypes.UUIDV4,
+        primaryKey: true
+    },
+    name: {
+        type: DataTypes.STRING,
+        allowNull: false
+    },
+    kubeconfig: {
+        type: DataTypes.TEXT,
+        allowNull: true
+    },
+});
+
+Customer.getCustomersWithExpiredApiKeys = async () => {
+    return await Customer.findAll({
+        include: [{
+            model: sequelize.models.protectedApp,
+            as: 'protectedApps',
+            include: [{
+                model: sequelize.models.apiKey,
+                as: 'apiKeys',
+                where: {
+                    expirationDate: {
+                        [Sequelize.Op.lte]: new Date()
+                    }
+                },
+                required: true
+            }]
+        }]
+    });
+};
+
+module.exports = Customer;

controlpanel/api/models/Api-key.js

@@ -1,5 +1,6 @@
 const { DataTypes } = require("sequelize")
 const sequelize = require("../config/db.config");
+const Customer = require("./Customer");
 
 const ProtectedApp = sequelize.define("protectedApp", {
     id: {
@@ -15,5 +16,13 @@ const ProtectedApp = sequelize.define("protectedApp", {
         type: DataTypes.STRING,
         allowNull: false
     },
+    cu_id: {
+        type: DataTypes.UUID,
+        allowNull: false,
+        references: {
+            model: Customer,
+            key: 'id'
+        },
+    },
 });
 module.exports = ProtectedApp;

controlpanel/api/models/Customer.js

@@ -1,14 +1,31 @@
 const sequelize = require("../config/db.config");
+const { QueryTypes } = require("sequelize");
 const Decoy = require("./Decoy-data");
 const ProtectedApp = require("./ProtectedApp");
 const Config = require("./Config-data");
 const Logs = require("./Logs");
+const ApiKey = require("./Api-key");
+const Customer = require("./Customer");
 
 async function initializeDatabase() {
   await sequelize.sync();
 
   try {
     await sequelize.authenticate();
+    const userResult = await sequelize.query(`
+      SELECT rolname
+      FROM pg_catalog.pg_roles
+      WHERE rolname = 'deployment_manager';
+    `, { type: QueryTypes.SELECT });
+    if (userResult.length == 0) {
+      const password = process.env.DEPLOYMENT_MANAGER_PASSWORD || 'deployment_manager';
+      await sequelize.query(`
+        CREATE USER deployment_manager WITH PASSWORD :password;
+        REVOKE ALL ON DATABASE cad FROM deployment_manager;
+        GRANT CONNECT ON DATABASE cad TO deployment_manager;
+        GRANT SELECT ON TABLE customers TO deployment_manager;
+      `, { replacements: { password }});
+    }
     console.log("Database connected successfully.");
   } catch (error) {
     console.error("Unable to connect to the database...\n", error);
@@ -25,4 +42,10 @@ ProtectedApp.hasMany(Config, {foreignKey: 'pa_id', as: 'configs' });
 Logs.belongsTo(ProtectedApp, {foreignKey: 'pa_id', as: 'protectedApps'});
 ProtectedApp.hasMany(Logs, {foreignKey: 'pa_id', as: 'logs' });
 
+ApiKey.belongsTo(ProtectedApp, {foreignKey: 'pa_id', as: 'protectedapps'});
+ProtectedApp.hasMany(ApiKey, {foreignKey: 'pa_id', as: 'apiKeys' });
+
+ProtectedApp.belongsTo(Customer, {foreignKey: 'cu_id', as: 'customers' });
+Customer.hasMany(ProtectedApp, {foreignKey: 'cu_id', as: 'protectedApps' });
+
 module.exports = { sequelize, initializeDatabase };