workload_identity.go 8.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261
  1. /*
  2. Licensed under the Apache License, Version 2.0 (the "License");
  3. you may not use this file except in compliance with the License.
  4. You may obtain a copy of the License at
  5. http://www.apache.org/licenses/LICENSE-2.0
  6. Unless required by applicable law or agreed to in writing, software
  7. distributed under the License is distributed on an "AS IS" BASIS,
  8. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  9. See the License for the specific language governing permissions and
  10. limitations under the License.
  11. */
  12. package secretmanager
  13. import (
  14. "bytes"
  15. "context"
  16. "encoding/json"
  17. "fmt"
  18. "io"
  19. "net/http"
  20. "time"
  21. iam "cloud.google.com/go/iam/credentials/apiv1"
  22. "cloud.google.com/go/iam/credentials/apiv1/credentialspb"
  23. secretmanager "cloud.google.com/go/secretmanager/apiv1"
  24. "github.com/googleapis/gax-go/v2"
  25. "golang.org/x/oauth2"
  26. "google.golang.org/api/option"
  27. "google.golang.org/grpc"
  28. "google.golang.org/grpc/credentials"
  29. "grpc.go4.org/credentials/oauth"
  30. authenticationv1 "k8s.io/api/authentication/v1"
  31. v1 "k8s.io/api/core/v1"
  32. metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
  33. "k8s.io/apimachinery/pkg/types"
  34. "k8s.io/client-go/kubernetes"
  35. clientcorev1 "k8s.io/client-go/kubernetes/typed/core/v1"
  36. kclient "sigs.k8s.io/controller-runtime/pkg/client"
  37. ctrlcfg "sigs.k8s.io/controller-runtime/pkg/client/config"
  38. esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
  39. )
  40. const (
  41. gcpSAAnnotation = "iam.gke.io/gcp-service-account"
  42. errFetchPodToken = "unable to fetch pod token: %w"
  43. errFetchIBToken = "unable to fetch identitybindingtoken: %w"
  44. errGenAccessToken = "unable to generate gcp access token: %w"
  45. errNoProjectID = "unable to find ProjectID in storeSpec"
  46. )
  47. // workloadIdentity holds all clients and generators needed
  48. // to create a gcp oauth token.
  49. type workloadIdentity struct {
  50. iamClient IamClient
  51. idBindTokenGenerator idBindTokenGenerator
  52. saTokenGenerator saTokenGenerator
  53. clusterProjectID string
  54. }
  55. // interface to GCP IAM API.
  56. type IamClient interface {
  57. GenerateAccessToken(ctx context.Context, req *credentialspb.GenerateAccessTokenRequest, opts ...gax.CallOption) (*credentialspb.GenerateAccessTokenResponse, error)
  58. Close() error
  59. }
  60. // interface to securetoken/identitybindingtoken API.
  61. type idBindTokenGenerator interface {
  62. Generate(context.Context, *http.Client, string, string, string) (*oauth2.Token, error)
  63. }
  64. // interface to kubernetes serviceaccount token request API.
  65. type saTokenGenerator interface {
  66. Generate(context.Context, []string, string, string) (*authenticationv1.TokenRequest, error)
  67. }
  68. func newWorkloadIdentity(ctx context.Context, projectID string) (*workloadIdentity, error) {
  69. satg, err := newSATokenGenerator()
  70. if err != nil {
  71. return nil, err
  72. }
  73. iamc, err := newIAMClient(ctx)
  74. if err != nil {
  75. return nil, err
  76. }
  77. return &workloadIdentity{
  78. iamClient: iamc,
  79. idBindTokenGenerator: newIDBindTokenGenerator(),
  80. saTokenGenerator: satg,
  81. clusterProjectID: projectID,
  82. }, nil
  83. }
  84. func (w *workloadIdentity) TokenSource(ctx context.Context, auth esv1beta1.GCPSMAuth, isClusterKind bool, kube kclient.Client, namespace string) (oauth2.TokenSource, error) {
  85. wi := auth.WorkloadIdentity
  86. if wi == nil {
  87. return nil, nil
  88. }
  89. saKey := types.NamespacedName{
  90. Name: wi.ServiceAccountRef.Name,
  91. Namespace: namespace,
  92. }
  93. // only ClusterStore is allowed to set namespace (and then it's required)
  94. if isClusterKind && wi.ServiceAccountRef.Namespace != nil {
  95. saKey.Namespace = *wi.ServiceAccountRef.Namespace
  96. }
  97. sa := &v1.ServiceAccount{}
  98. err := kube.Get(ctx, saKey, sa)
  99. if err != nil {
  100. return nil, err
  101. }
  102. idProvider := fmt.Sprintf("https://container.googleapis.com/v1/projects/%s/locations/%s/clusters/%s",
  103. w.clusterProjectID,
  104. wi.ClusterLocation,
  105. wi.ClusterName)
  106. idPool := fmt.Sprintf("%s.svc.id.goog", w.clusterProjectID)
  107. audiences := []string{idPool}
  108. if len(wi.ServiceAccountRef.Audiences) > 0 {
  109. audiences = append(audiences, wi.ServiceAccountRef.Audiences...)
  110. }
  111. gcpSA := sa.Annotations[gcpSAAnnotation]
  112. resp, err := w.saTokenGenerator.Generate(ctx, audiences, saKey.Name, saKey.Namespace)
  113. if err != nil {
  114. return nil, fmt.Errorf(errFetchPodToken, err)
  115. }
  116. idBindToken, err := w.idBindTokenGenerator.Generate(ctx, http.DefaultClient, resp.Status.Token, idPool, idProvider)
  117. if err != nil {
  118. return nil, fmt.Errorf(errFetchIBToken, err)
  119. }
  120. // If no `iam.gke.io/gcp-service-account` annotation is present the
  121. // identitybindingtoken will be used directly, allowing bindings on secrets
  122. // of the form "serviceAccount:<project>.svc.id.goog[<namespace>/<sa>]".
  123. if gcpSA == "" {
  124. return oauth2.StaticTokenSource(idBindToken), nil
  125. }
  126. gcpSAResp, err := w.iamClient.GenerateAccessToken(ctx, &credentialspb.GenerateAccessTokenRequest{
  127. Name: fmt.Sprintf("projects/-/serviceAccounts/%s", gcpSA),
  128. Scope: secretmanager.DefaultAuthScopes(),
  129. }, gax.WithGRPCOptions(grpc.PerRPCCredentials(oauth.TokenSource{TokenSource: oauth2.StaticTokenSource(idBindToken)})))
  130. if err != nil {
  131. return nil, fmt.Errorf(errGenAccessToken, err)
  132. }
  133. return oauth2.StaticTokenSource(&oauth2.Token{
  134. AccessToken: gcpSAResp.GetAccessToken(),
  135. }), nil
  136. }
  137. func (w *workloadIdentity) Close() error {
  138. if w.iamClient != nil {
  139. return w.iamClient.Close()
  140. }
  141. return nil
  142. }
  143. func newIAMClient(ctx context.Context) (IamClient, error) {
  144. iamOpts := []option.ClientOption{
  145. option.WithUserAgent("external-secrets-operator"),
  146. // tell the secretmanager library to not add transport-level ADC since
  147. // we need to override on a per call basis
  148. option.WithoutAuthentication(),
  149. // grpc oauth TokenSource credentials require transport security, so
  150. // this must be set explicitly even though TLS is used
  151. option.WithGRPCDialOption(grpc.WithTransportCredentials(credentials.NewTLS(nil))),
  152. option.WithGRPCConnectionPool(5),
  153. }
  154. return iam.NewIamCredentialsClient(ctx, iamOpts...)
  155. }
  156. type k8sSATokenGenerator struct {
  157. corev1 clientcorev1.CoreV1Interface
  158. }
  159. func (g *k8sSATokenGenerator) Generate(ctx context.Context, audiences []string, name, namespace string) (*authenticationv1.TokenRequest, error) {
  160. // Request a serviceaccount token for the pod
  161. ttl := int64((15 * time.Minute).Seconds())
  162. return g.corev1.
  163. ServiceAccounts(namespace).
  164. CreateToken(ctx, name,
  165. &authenticationv1.TokenRequest{
  166. Spec: authenticationv1.TokenRequestSpec{
  167. ExpirationSeconds: &ttl,
  168. Audiences: audiences,
  169. },
  170. },
  171. metav1.CreateOptions{},
  172. )
  173. }
  174. func newSATokenGenerator() (saTokenGenerator, error) {
  175. cfg, err := ctrlcfg.GetConfig()
  176. if err != nil {
  177. return nil, err
  178. }
  179. clientset, err := kubernetes.NewForConfig(cfg)
  180. if err != nil {
  181. return nil, err
  182. }
  183. return &k8sSATokenGenerator{
  184. corev1: clientset.CoreV1(),
  185. }, nil
  186. }
  187. // Trades the kubernetes token for an identitybindingtoken token.
  188. type gcpIDBindTokenGenerator struct {
  189. targetURL string
  190. }
  191. func newIDBindTokenGenerator() idBindTokenGenerator {
  192. return &gcpIDBindTokenGenerator{
  193. targetURL: "https://securetoken.googleapis.com/v1/identitybindingtoken",
  194. }
  195. }
  196. func (g *gcpIDBindTokenGenerator) Generate(ctx context.Context, client *http.Client, k8sToken, idPool, idProvider string) (*oauth2.Token, error) {
  197. body, err := json.Marshal(map[string]string{
  198. "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
  199. "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  200. "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
  201. "subject_token": k8sToken,
  202. "audience": fmt.Sprintf("identitynamespace:%s:%s", idPool, idProvider),
  203. "scope": "https://www.googleapis.com/auth/cloud-platform",
  204. })
  205. if err != nil {
  206. return nil, err
  207. }
  208. req, err := http.NewRequestWithContext(ctx, "POST", g.targetURL, bytes.NewBuffer(body))
  209. if err != nil {
  210. return nil, err
  211. }
  212. req.Header.Set("Content-Type", "application/json")
  213. resp, err := client.Do(req)
  214. if err != nil {
  215. return nil, err
  216. }
  217. if resp.StatusCode != http.StatusOK {
  218. return nil, fmt.Errorf("could not get idbindtoken token, status: %v", resp.StatusCode)
  219. }
  220. defer resp.Body.Close()
  221. respBody, err := io.ReadAll(resp.Body)
  222. if err != nil {
  223. return nil, err
  224. }
  225. idBindToken := &oauth2.Token{}
  226. if err := json.Unmarshal(respBody, idBindToken); err != nil {
  227. return nil, err
  228. }
  229. return idBindToken, nil
  230. }