Главная Обзор Помощь
Вход
logic855
/
helm-external-secrets
зеркало из https://github.com/external-secrets/external-secrets
1
0
Ответвить 0
Файлы Задачи 0 Вики
Дерево: a1722cbfaa
Ветки Метки
helm-externa...
/
e2e
/
suites
/
provider
/
cases
/
conjur
/
provider.go

provider.go 6.0 KB
История Исходник

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6. 	http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. package conjur
    15. 

  15. 

  16. import (
    17. 

  17. 	"context"
    18. 

  18. 	"encoding/base64"
    19. 

  19. 	"strings"
    20. 

  20. 

  21. 	//nolint
    22. 

  22. 	. "github.com/onsi/ginkgo/v2"
    23. 

  23. 

  24. 	//nolint
    25. 

  25. 	. "github.com/onsi/gomega"
    26. 

  26. 	v1 "k8s.io/api/core/v1"
    27. 

  27. 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    28. 

  28. 

  29. 	"github.com/cyberark/conjur-api-go/conjurapi"
    30. 

  30. 	"github.com/external-secrets/external-secrets-e2e/framework"
    31. 

  31. 	"github.com/external-secrets/external-secrets-e2e/framework/addon"
    32. 

  32. 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
    33. 

  33. 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
    34. 

  34. )
    35. 

  35. 

  36. type conjurProvider struct {
    37. 

  37. 	url       string
    38. 

  38. 	client    *conjurapi.Client
    39. 

  39. 	framework *framework.Framework
    40. 

  40. }
    41. 

  41. 

  42. const (
    43. 

  43. 	jwtK8sProviderName       = "jwt-k8s-provider"
    44. 

  44. 	jwtK8sHostIDProviderName = "jwt-k8s-hostid-provider"
    45. 

  45. )
    46. 

  46. 

  47. func newConjurProvider(f *framework.Framework) *conjurProvider {
    48. 

  48. 	prov := &conjurProvider{
    49. 

  49. 		framework: f,
    50. 

  50. 	}
    51. 

  51. 	BeforeEach(prov.BeforeEach)
    52. 

  52. 	return prov
    53. 

  53. }
    54. 

  54. 

  55. func (s *conjurProvider) CreateSecret(key string, val framework.SecretEntry) {
    56. 

  56. 	// Generate a policy file for the secret key
    57. 

  57. 	policy := createVariablePolicy(key, s.framework.Namespace.Name, val.Tags)
    58. 

  58. 

  59. 	_, err := s.client.LoadPolicy(conjurapi.PolicyModePost, "root", strings.NewReader(policy))
    60. 

  60. 	Expect(err).ToNot(HaveOccurred())
    61. 

  61. 

  62. 	// Add the secret value
    63. 

  63. 	err = s.client.AddSecret(key, val.Value)
    64. 

  64. 	Expect(err).ToNot(HaveOccurred())
    65. 

  65. }
    66. 

  66. 

  67. func (s *conjurProvider) DeleteSecret(key string) {
    68. 

  68. 	policy := deleteVariablePolicy(key)
    69. 

  69. 	_, err := s.client.LoadPolicy(conjurapi.PolicyModePatch, "root", strings.NewReader(policy))
    70. 

  70. 

  71. 	Expect(err).ToNot(HaveOccurred())
    72. 

  72. }
    73. 

  73. 

  74. func (s *conjurProvider) BeforeEach() {
    75. 

  75. 	ns := s.framework.Namespace.Name
    76. 

  76. 	c := addon.NewConjur(ns)
    77. 

  77. 	s.framework.Install(c)
    78. 

  78. 	s.client = c.ConjurClient
    79. 

  79. 	s.url = c.ConjurURL
    80. 

  80. 

  81. 	s.CreateApiKeyStore(c, ns)
    82. 

  82. 	s.CreateJWTK8sStore(c, ns)
    83. 

  83. 	s.CreateJWTK8sHostIDStore(c, ns)
    84. 

  84. }
    85. 

  85. 

  86. func makeStore(name, ns string, c *addon.Conjur) *esv1beta1.SecretStore {
    87. 

  87. 	return &esv1beta1.SecretStore{
    88. 

  88. 		ObjectMeta: metav1.ObjectMeta{
    89. 

  89. 			Name:      name,
    90. 

  90. 			Namespace: ns,
    91. 

  91. 		},
    92. 

  92. 		Spec: esv1beta1.SecretStoreSpec{
    93. 

  93. 			Provider: &esv1beta1.SecretStoreProvider{
    94. 

  94. 				Conjur: &esv1beta1.ConjurProvider{
    95. 

  95. 					URL:      c.ConjurURL,
    96. 

  96. 					CABundle: base64.StdEncoding.EncodeToString(c.ConjurServerCA),
    97. 

  97. 				},
    98. 

  98. 			},
    99. 

  99. 		},
    100. 

  100. 	}
    101. 

  101. }
    102. 

  102. 

  103. func (s *conjurProvider) CreateApiKeyStore(c *addon.Conjur, ns string) {
    104. 

  104. 	By("creating a conjur secret")
    105. 

  105. 	conjurCreds := &v1.Secret{
    106. 

  106. 		ObjectMeta: metav1.ObjectMeta{
    107. 

  107. 			Name:      ns,
    108. 

  108. 			Namespace: ns,
    109. 

  109. 		},
    110. 

  110. 		Data: map[string][]byte{
    111. 

  111. 			"apikey":   []byte(c.AdminApiKey),
    112. 

  112. 			"username": []byte("admin"),
    113. 

  113. 		},
    114. 

  114. 	}
    115. 

  115. 	err := s.framework.CRClient.Create(context.Background(), conjurCreds)
    116. 

  116. 	Expect(err).ToNot(HaveOccurred())
    117. 

  117. 

  118. 	By("creating an secret store for conjur")
    119. 

  119. 	secretStore := makeStore(ns, ns, c)
    120. 

  120. 	secretStore.Spec.Provider.Conjur.Auth = esv1beta1.ConjurAuth{
    121. 

  121. 		APIKey: &esv1beta1.ConjurAPIKey{
    122. 

  122. 			Account: "default",
    123. 

  123. 			UserRef: &esmeta.SecretKeySelector{
    124. 

  124. 				Name: ns,
    125. 

  125. 				Key:  "username",
    126. 

  126. 			},
    127. 

  127. 			APIKeyRef: &esmeta.SecretKeySelector{
    128. 

  128. 				Name: ns,
    129. 

  129. 				Key:  "apikey",
    130. 

  130. 			},
    131. 

  131. 		},
    132. 

  132. 	}
    133. 

  133. 	err = s.framework.CRClient.Create(context.Background(), secretStore)
    134. 

  134. 	Expect(err).ToNot(HaveOccurred())
    135. 

  135. }
    136. 

  136. 

  137. func (s conjurProvider) CreateJWTK8sStore(c *addon.Conjur, ns string) {
    138. 

  138. 	// Create a service account
    139. 

  139. 	sa := &v1.ServiceAccount{
    140. 

  140. 		ObjectMeta: metav1.ObjectMeta{
    141. 

  141. 			Name:      "test-app-sa",
    142. 

  142. 			Namespace: ns,
    143. 

  143. 		},
    144. 

  144. 	}
    145. 

  145. 	err := s.framework.CRClient.Create(context.Background(), sa)
    146. 

  146. 	Expect(err).ToNot(HaveOccurred())
    147. 

  147. 

  148. 	// Add the service account to the Conjur policy with permissions to
    149. 

  149. 	// authenticate with authn-jwt
    150. 

  150. 	saName := "system:serviceaccount:" + ns + ":test-app-sa"
    151. 

  151. 	policy := createJwtHostPolicy(saName, "eso-tests")
    152. 

  152. 

  153. 	_, err = s.client.LoadPolicy(conjurapi.PolicyModePost, "root", strings.NewReader(policy))
    154. 

  154. 	Expect(err).ToNot(HaveOccurred())
    155. 

  155. 

  156. 	// Now create a secret store that uses the service account to authenticate
    157. 

  157. 	secretStore := makeStore(jwtK8sProviderName, ns, c)
    158. 

  158. 	secretStore.Spec.Provider.Conjur.Auth = esv1beta1.ConjurAuth{
    159. 

  159. 		Jwt: &esv1beta1.ConjurJWT{
    160. 

  160. 			Account:   "default",
    161. 

  161. 			ServiceID: "eso-tests",
    162. 

  162. 			ServiceAccountRef: &esmeta.ServiceAccountSelector{
    163. 

  163. 				Name: "test-app-sa",
    164. 

  164. 				Audiences: []string{
    165. 

  165. 					c.ConjurURL,
    166. 

  166. 				},
    167. 

  167. 			},
    168. 

  168. 		},
    169. 

  169. 	}
    170. 

  170. 	err = s.framework.CRClient.Create(context.Background(), secretStore)
    171. 

  171. 	Expect(err).ToNot(HaveOccurred())
    172. 

  172. }
    173. 

  173. 

  174. func (s conjurProvider) CreateJWTK8sHostIDStore(c *addon.Conjur, ns string) {
    175. 

  175. 	// Create a service account
    176. 

  176. 	sa := &v1.ServiceAccount{
    177. 

  177. 		ObjectMeta: metav1.ObjectMeta{
    178. 

  178. 			Name:      "test-app-hostid-sa",
    179. 

  179. 			Namespace: ns,
    180. 

  180. 		},
    181. 

  181. 	}
    182. 

  182. 	err := s.framework.CRClient.Create(context.Background(), sa)
    183. 

  183. 	Expect(err).ToNot(HaveOccurred())
    184. 

  184. 

  185. 	// Add the service account to the Conjur policy with permissions to
    186. 

  186. 	// authenticate with authn-jwt
    187. 

  187. 	saName := "system:serviceaccount:" + ns + ":test-app-hostid-sa"
    188. 

  188. 	policy := createJwtHostPolicy(saName, "eso-tests-hostid")
    189. 

  189. 

  190. 	_, err = s.client.LoadPolicy(conjurapi.PolicyModePost, "root", strings.NewReader(policy))
    191. 

  191. 	Expect(err).ToNot(HaveOccurred())
    192. 

  192. 

  193. 	// Now create a secret store that uses the service account to authenticate
    194. 

  194. 	secretStore := makeStore(jwtK8sHostIDProviderName, ns, c)
    195. 

  195. 	secretStore.Spec.Provider.Conjur.Auth = esv1beta1.ConjurAuth{
    196. 

  196. 		Jwt: &esv1beta1.ConjurJWT{
    197. 

  197. 			Account:   "default",
    198. 

  198. 			HostID:    "host/" + saName,
    199. 

  199. 			ServiceID: "eso-tests-hostid",
    200. 

  200. 			ServiceAccountRef: &esmeta.ServiceAccountSelector{
    201. 

  201. 				Name: "test-app-hostid-sa",
    202. 

  202. 				Audiences: []string{
    203. 

  203. 					c.ConjurURL,
    204. 

  204. 				},
    205. 

  205. 			},
    206. 

  206. 		},
    207. 

  207. 	}
    208. 

  208. 	err = s.framework.CRClient.Create(context.Background(), secretStore)
    209. 

  209. 	Expect(err).ToNot(HaveOccurred())
    210. 

  210. }
    211.