Merge pull request #258 from camptocamp/cert-auth

Add CRDs for TLS certificate auth method

Author: raffaelespazzoli

Makefile

@@ -5,7 +5,7 @@ HELM_VERSION ?= v3.11.0
 KIND_VERSION ?= v0.20.0
 KUBECTL_VERSION ?= v1.27.3
 K8S_MAJOR_VERSION ?= 1.27
-KUSTOMIZE_VERSION ?= v3.8.7
+KUSTOMIZE_VERSION ?= v3.10.0
 CONTROLLER_TOOLS_VERSION ?= v0.11.1
 # Note changes to the vault version should also match image tags within the integration/vault-values.yaml and config/local-development/vault-values.yaml files
 VAULT_VERSION ?= 1.14.0
@@ -141,7 +141,7 @@ deploy-ingress: kubectl helm
 
 .PHONY: deploy-vault
 deploy-vault: kubectl helm
-	$(KUBECTL) create namespace vault --dry-run=client -o yaml | $(KUBECTL) apply -f - 
+	$(KUBECTL) create namespace vault --dry-run=client -o yaml | $(KUBECTL) apply -f -
 	$(KUBECTL) apply -f ./integration/rolebinding-admin.yaml -n vault
 	$(HELM) repo add hashicorp https://helm.releases.hashicorp.com
 	$(HELM) show chart hashicorp/vault --version $(VAULT_CHART_VERSION)
@@ -153,16 +153,16 @@ kind-setup: kind
 	$(KIND) delete cluster
 	$(KIND) create cluster --image docker.io/kindest/node:$(KUBECTL_VERSION) --config=./integration/cluster-kind.yaml
 
-.PHONY: ldap-setup 
+.PHONY: ldap-setup
 ldap-setup: kind-setup vault
 ## Deploy LDAP Instance in ldap namespace
-	$(KUBECTL) create namespace ldap 
+	$(KUBECTL) create namespace ldap
 	$(KUBECTL) apply -f ./integration/ldap -n ldap
 	$(KUBECTL) wait --for=condition=ready -n ldap pod $$($(KUBECTL) get pods -n ldap -l=app=ldap -o json | jq '.items[].metadata.name') --timeout=5m
 	$(KUBECTL) port-forward -n vault vault-0 8201:8200
 	$(KUBECTL) port-forward $$($(KUBECTL) get pods -n ldap -l=app=ldap -o json | jq '.items[].metadata.name') 8555:389 -n ldap
 	export VAULT_ADDR=http://localhost:8201
-	export VAULT_SKIP_VERIFY=true 
+	export VAULT_SKIP_VERIFY=true
 	$(KUBECTL) apply -f ./test/ldapauthengine/ldap-auth-engine-mount.yaml
 	$(KUBECTL) apply -f ./test/ldapauthengine/ldap-auth-engine-config.yaml
 ## Create new Group in LDAP
@@ -308,7 +308,7 @@ helmchart: helmchart-clean kustomize helm
 	sed -i '1s/^/{{- if .Values.enableMonitoring }}\n/' ./charts/${OPERATOR_NAME}/templates/monitoring.coreos.com_v1_servicemonitor_${OPERATOR_NAME}-controller-manager-metrics-monitor.yaml
 	echo {{- end }} >> ./charts/${OPERATOR_NAME}/templates/monitoring.coreos.com_v1_servicemonitor_${OPERATOR_NAME}-controller-manager-metrics-monitor.yaml
 	sed -i 's/name: vault-config-operator-certs/{{- if .Values.enableCertManager }}\n          name: vault-config-operator-metrics-service-cert\n          {{- else }}\n          name: vault-config-operator-certs\n          {{- end }}/' ./charts/${OPERATOR_NAME}/templates/monitoring.coreos.com_v1_servicemonitor_${OPERATOR_NAME}-controller-manager-metrics-monitor.yaml
-	$(HELM) lint ./charts/${OPERATOR_NAME}	
+	$(HELM) lint ./charts/${OPERATOR_NAME}
 
 .PHONY: helmchart-repo
 helmchart-repo: helmchart
@@ -317,7 +317,7 @@ helmchart-repo: helmchart
 	$(HELM) repo index --url ${CHART_REPO_URL} ${HELM_REPO_DEST}
 
 .PHONY: helmchart-repo-push
-helmchart-repo-push: helmchart-repo	
+helmchart-repo-push: helmchart-repo
 	git -C ${HELM_REPO_DEST} add .
 	git -C ${HELM_REPO_DEST} status
 	git -C ${HELM_REPO_DEST} commit -m "Release ${VERSION}"

PROJECT

@@ -424,7 +424,7 @@ resources:
   webhooks:
     defaulting: true
     validation: true
-    webhookVersion: v1   
+    webhookVersion: v1
 - api:
     crdVersion: v1
     namespaced: true
@@ -438,4 +438,30 @@ resources:
     defaulting: true
     validation: true
     webhookVersion: v1
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: redhat.io
+  group: redhatcop
+  kind: CertAuthEngineConfig
+  path: github.com/redhat-cop/vault-config-operator/api/v1alpha1
+  version: v1alpha1
+  webhooks:
+    defaulting: true
+    validation: true
+    webhookVersion: v1
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: redhat.io
+  group: redhatcop
+  kind: CertAuthEngineRole
+  path: github.com/redhat-cop/vault-config-operator/api/v1alpha1
+  version: v1alpha1
+  webhooks:
+    defaulting: true
+    validation: true
+    webhookVersion: v1
 version: "3"

api/v1alpha1/certauthengineconfig_types.go

@@ -0,0 +1,176 @@
+/*
+Copyright 2021.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"context"
+	"reflect"
+
+	"github.com/redhat-cop/vault-config-operator/api/v1alpha1/utils"
+	vaultutils "github.com/redhat-cop/vault-config-operator/api/v1alpha1/utils"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+// CertAuthEngineConfigSpec defines the desired state of CertAuthEngineConfig
+type CertAuthEngineConfigSpec struct {
+	// Connection represents the information needed to connect to Vault. This operator uses the standard Vault environment variables to connect to Vault. If you need to override those settings and for example connect to a different Vault instance, you can do with this section of the CR.
+	// +kubebuilder:validation:Optional
+	Connection *vaultutils.VaultConnection `json:"connection,omitempty"`
+
+	// Authentication is the kube auth configuration to be used to execute this request
+	// +kubebuilder:validation:Required
+	Authentication vaultutils.KubeAuthConfiguration `json:"authentication,omitempty"`
+
+	// Path at which to make the configuration.
+	// The final path in Vault will be {[spec.authentication.namespace]}/auth/{spec.path}/{metadata.name}/config.
+	// The authentication role must have the following capabilities = [ "create", "read", "update", "delete"] on that path.
+	// +kubebuilder:validation:Required
+	Path vaultutils.Path `json:"path,omitempty"`
+
+	// The name of the object created in Vault. If this is specified it takes precedence over {metatada.name}
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:Pattern:=`[a-z0-9]([-a-z0-9]*[a-z0-9])?`
+	Name string `json:"name,omitempty"`
+
+	// +kubebuilder:validation:Required
+	CertAuthEngineConfigInternal `json:",inline"`
+}
+
+// CertAuthEngineConfigStatus defines the observed state of CertAuthEngineConfig
+type CertAuthEngineConfigStatus struct {
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=type
+	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+}
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+
+// CertAuthEngineConfig is the Schema for the certauthengineconfigs API
+type CertAuthEngineConfig struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   CertAuthEngineConfigSpec   `json:"spec,omitempty"`
+	Status CertAuthEngineConfigStatus `json:"status,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// CertAuthEngineConfigList contains a list of CertAuthEngineConfig
+type CertAuthEngineConfigList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []CertAuthEngineConfig `json:"items"`
+}
+
+type CertAuthEngineConfigInternal struct {
+	// If set, during renewal, skips the matching of presented client identity with the client identity used during login.
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default:=false
+	DisableBinding bool `json:"disableBinding,omitempty"`
+
+	// If set, metadata of the certificate including the metadata corresponding to allowedMetadataExtensions will be stored in the alias.
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default:=false
+	EnableIdentityAliasMetadata bool `json:"enableIdentityAliasMetadata,omitempty"`
+
+	// The size of the OCSP response LRU cache. Note that this cache is used for all configured certificates.
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default:=100
+	OCSPCacheSize int `json:"ocspCacheSize,omitempty"`
+
+	// The size of the role cache. Use -1 to disable role caching.
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default:=200
+	RoleCacheSize int `json:"roleCacheSize,omitempty"`
+}
+
+func (c *CertAuthEngineConfigInternal) toMap() map[string]any {
+	payload := make(map[string]any)
+	payload["disable_binding"] = c.DisableBinding
+	payload["enable_identity_alias_metadata"] = c.EnableIdentityAliasMetadata
+	payload["ocsp_cache_size"] = c.OCSPCacheSize
+	payload["role_cache_size"] = c.RoleCacheSize
+
+	return payload
+}
+
+var _ vaultutils.VaultObject = &CertAuthEngineConfig{}
+var _ vaultutils.ConditionsAware = &CertAuthEngineConfig{}
+
+func (r *CertAuthEngineConfig) GetPath() string {
+	if r.Spec.Name != "" {
+		return vaultutils.CleansePath("auth/" + string(r.Spec.Path) + "/" + r.Spec.Name + "/config")
+	}
+
+	return vaultutils.CleansePath("auth/" + string(r.Spec.Path) + "/" + r.Name + "/config")
+}
+
+func (r *CertAuthEngineConfig) GetPayload() map[string]interface{} {
+	return r.Spec.CertAuthEngineConfigInternal.toMap()
+}
+
+// IsEquivalentToDesiredState returns wether the passed payload is equivalent to the payload that the current object would generate. When this is a engine object the tune payload will be compared
+func (r *CertAuthEngineConfig) IsEquivalentToDesiredState(payload map[string]interface{}) bool {
+	desiredState := r.Spec.CertAuthEngineConfigInternal.toMap()
+
+	return reflect.DeepEqual(desiredState, payload)
+}
+
+func (r *CertAuthEngineConfig) IsInitialized() bool {
+	return true
+}
+
+func (r *CertAuthEngineConfig) IsValid() (bool, error) {
+	return true, nil
+}
+
+func (r *CertAuthEngineConfig) IsDeletable() bool {
+	return true
+}
+
+func (r *CertAuthEngineConfig) PrepareInternalValues(context context.Context, object client.Object) error {
+	return nil
+}
+
+func (r *CertAuthEngineConfig) PrepareTLSConfig(context context.Context, object client.Object) error {
+	return nil
+}
+
+func (r *CertAuthEngineConfig) GetKubeAuthConfiguration() *utils.KubeAuthConfiguration {
+	return &r.Spec.Authentication
+}
+
+func (r *CertAuthEngineConfig) GetVaultConnection() *utils.VaultConnection {
+	return r.Spec.Connection
+}
+
+func (r *CertAuthEngineConfig) GetConditions() []metav1.Condition {
+	return r.Status.Conditions
+}
+
+func (r *CertAuthEngineConfig) SetConditions(conditions []metav1.Condition) {
+	r.Status.Conditions = conditions
+}
+
+func init() {
+	SchemeBuilder.Register(&CertAuthEngineConfig{}, &CertAuthEngineConfigList{})
+}

api/v1alpha1/certauthengineconfig_webhook.go

@@ -0,0 +1,78 @@
+/*
+Copyright 2021.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"errors"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+)
+
+// log is for logging in this package.
+var certauthengineconfiglog = logf.Log.WithName("certauthengineconfig-resource")
+
+func (r *CertAuthEngineConfig) SetupWebhookWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewWebhookManagedBy(mgr).
+		For(r).
+		Complete()
+}
+
+//+kubebuilder:webhook:path=/mutate-redhatcop-redhat-io-v1alpha1-certauthengineconfig,mutating=true,failurePolicy=fail,sideEffects=None,groups=redhatcop.redhat.io,resources=certauthengineconfigs,verbs=create;update,versions=v1alpha1,name=mcertauthengineconfig.kb.io,admissionReviewVersions=v1
+
+var _ webhook.Defaulter = &CertAuthEngineConfig{}
+
+// Default implements webhook.Defaulter so a webhook will be registered for the type
+func (r *CertAuthEngineConfig) Default() {
+	certauthengineconfiglog.Info("default", "name", r.Name)
+}
+
+//+kubebuilder:webhook:path=/validate-redhatcop-redhat-io-v1alpha1-certauthengineconfig,mutating=false,failurePolicy=fail,sideEffects=None,groups=redhatcop.redhat.io,resources=certauthengineconfigs,verbs=create;update,versions=v1alpha1,name=vcertauthengineconfig.kb.io,admissionReviewVersions=v1
+
+var _ webhook.Validator = &CertAuthEngineConfig{}
+
+// ValidateCreate implements webhook.Validator so a webhook will be registered for the type
+func (r *CertAuthEngineConfig) ValidateCreate() (admission.Warnings, error) {
+	certauthengineconfiglog.Info("validate create", "name", r.Name)
+
+	return nil, nil
+}
+
+// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
+func (r *CertAuthEngineConfig) ValidateUpdate(old runtime.Object) (admission.Warnings, error) {
+	certauthengineconfiglog.Info("validate update", "name", r.Name)
+
+	if r.Spec.Path != old.(*CertAuthEngineConfig).Spec.Path {
+		return nil, errors.New("spec.path cannot be updated")
+	}
+
+	if r.Spec.Name != old.(*CertAuthEngineConfig).Spec.Name {
+		return nil, errors.New("spec.name cannot be updated")
+	}
+
+	return nil, nil
+}
+
+// ValidateDelete implements webhook.Validator so a webhook will be registered for the type
+func (r *CertAuthEngineConfig) ValidateDelete() (admission.Warnings, error) {
+	certauthengineconfiglog.Info("validate delete", "name", r.Name)
+
+	return nil, nil
+}