Add support for fetching sensitive parts of actions from secrets #816

Merged
merged 29 commits into from
Jul 3, 2024
99c9486
Set initial TODOs.
fanicia Apr 11, 2023
229d150
Remove clear text apitoken.
fanicia Apr 21, 2023
f2a622f
Start implementing a secretMap.
fanicia Apr 21, 2023
a43fb2c
Non-working commit.
fanicia Apr 21, 2023
bc6ed0b
Almost removed cleartext token.
fanicia Apr 21, 2023
fdf185f
Fix resolveSecrets.
fanicia Apr 21, 2023
494b27a
Fix OpsGenie and HumioActionRepository.
fanicia Apr 21, 2023
e4014b8
Change TODO.
fanicia Apr 21, 2023
b0cee1d
Remove constants.
fanicia Apr 23, 2023
d910434
update examples and crd.
fanicia Apr 23, 2023
ba96107
Include namespace in lookup key.
fanicia Apr 23, 2023
4be716d
Make keyRefs required.
fanicia Apr 23, 2023
69c3a41
Merge branch 'humio:master' into ha-improve-secrets
fanicia Oct 5, 2023
04bd900
Implement non-breaking solution.
fanicia Jan 29, 2024
2663647
Improve secret helpers.
fanicia Jan 30, 2024
efbc8df
Minor improvement.
fanicia Jan 31, 2024
3372f01
Rebase to fix conflicts.
fanicia Jan 31, 2024
872f00e
Merge branch 'master' into HEAD
SaaldjorMike Jun 17, 2024
64817b1
Add secretRef to PagerDutyProperties
RayeEvtuchM1 Apr 19, 2023
50b9347
wip
SaaldjorMike Jun 25, 2024
7c36b9c
wip2
SaaldjorMike Jun 25, 2024
c2094dd
wip3
SaaldjorMike Jun 26, 2024
1fa4c3a
now it may work
SaaldjorMike Jun 26, 2024
2881825
Merge branch 'master' into mike/fanicia/ha-improve-secrets
SaaldjorMike Jun 26, 2024
36a294e
wip
SaaldjorMike Jun 27, 2024
6a9e88b
wip
SaaldjorMike Jun 27, 2024
9bd6937
wip
SaaldjorMike Jun 27, 2024
aa6c982
Update api/v1alpha1/humioaction_types.go
SaaldjorMike Jul 3, 2024
6df6132
make manifests
SaaldjorMike Jul 3, 2024
Implement non-breaking solution.
fanicia committed Jan 31, 2024
commit 04bd90014956146bc8d7cc3e41bbbc533f344453
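--- a/api/v1alpha1/humioaction_secret_helpers.go
+++ b/api/v1alpha1/humioaction_secret_helpers.go
@@ -0,0 +1,19 @@
+package v1alpha1
+
+import "fmt"
+
+var HaSecrets map[string]string = make(map[string]string)
+
+func HaHasSecret(hn *HumioAction) (string, bool) {
+if secret, found := HaSecrets[fmt.Sprintf("%s-%s", hn.Namespace, hn.Name)]; found {
+return secret, true
+}
+return "", false
+}
+
+// Call this to set the secret in the map
+func SecretFromHa(hn *HumioAction, token string) {
+key := fmt.Sprintf("%s-%s", hn.Namespace, hn.Name)
+value := token
+HaSecrets[key] = value
+}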
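Review bot: The lookup key built with `fmt.Sprintf("%s-%s", hn.Namespace, hn.Name)` in both `HaHasSecret` and `SecretFromHa` is ambiguous, because `-` is legal inside Kubernetes namespaces and names, so namespace `foo-bar`/name `baz` and namespace `foo`/name `bar-baz` land on the same entry and one action can read (or overwrite) another action's token. `HaSecrets` is also an exported, unsynchronized package-level map holding clear-text tokens: any reader or writer outside this reconciler's goroutine, or a manager configured with more than one concurrent reconcile, would race on it, and concurrent map writes panic in Go. Entries are never removed either, so a token outlives the HumioAction it belonged to for as long as the operator process runs. Keying on `namespace/name` (`/` cannot appear in either), guarding the map with a `sync.RWMutex` (add `sync` to the imports) and adding a delete helper for the finalizer path addresses all three while keeping the exported names.

```go
var (
	haSecretsMu sync.RWMutex
	// HaSecrets maps "<namespace>/<name>" to the resolved clear-text token.
	HaSecrets = make(map[string]string)
)

// haSecretKey builds an unambiguous key: "/" is not allowed in Kubernetes namespaces or names.
func haSecretKey(hn *HumioAction) string {
	return hn.Namespace + "/" + hn.Name
}

// HaHasSecret returns the token stored for the action and whether one was stored.
func HaHasSecret(hn *HumioAction) (string, bool) {
	haSecretsMu.RLock()
	defer haSecretsMu.RUnlock()
	secret, found := HaSecrets[haSecretKey(hn)]
	return secret, found
}

// SecretFromHa stores the resolved token for the action.
func SecretFromHa(hn *HumioAction, token string) {
	haSecretsMu.Lock()
	defer haSecretsMu.Unlock()
	HaSecrets[haSecretKey(hn)] = token
}

// DeleteHaSecret drops the token for a deleted action so it does not linger in memory.
func DeleteHaSecret(hn *HumioAction) {
	haSecretsMu.Lock()
	defer haSecretsMu.Unlock()
	delete(HaSecrets, haSecretKey(hn))
}
```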
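--- a/api/v1alpha1/humioaction_types.go
+++ b/api/v1alpha1/humioaction_types.go
@@ -32,8 +32,6 @@ const (
 HumioActionStateConfigError = "ConfigError"
 )
 
-var HaSecrets map[string]string
-
 // HumioActionWebhookProperties defines the desired state of HumioActionWebhookProperties
 type HumioActionWebhookProperties struct {
 BodyTemplate string `json:"bodyTemplate,omitempty"`
@@ -54,13 +52,15 @@ type HumioActionEmailProperties struct {
 
 // HumioActionRepositoryProperties defines the desired state of HumioActionRepositoryProperties
 type HumioActionRepositoryProperties struct {
-IngestTokenSource VarSource `json:"ingestTokenSource"`
+IngestToken string `json:"ingestToken,omitempty"`
+IngestTokenSource VarSource `json:"ingestTokenSource,omitempty"`
 }
 
 // HumioActionOpsGenieProperties defines the desired state of HumioActionOpsGenieProperties
 type HumioActionOpsGenieProperties struct {
 ApiUrl string `json:"apiUrl,omitempty"`
-GenieKeySource VarSource `json:"genieKeySource"`
+GenieKey string `json:"genieKey,omitempty"`
+GenieKeySource VarSource `json:"genieKeySource,omitempty"`
 UseProxy bool `json:"useProxy,omitempty"`
 }
 
@@ -80,7 +80,8 @@ type HumioActionSlackProperties struct {
 
 // HumioActionSlackPostMessageProperties defines the desired state of HumioActionSlackPostMessageProperties
 type HumioActionSlackPostMessageProperties struct {
-ApiTokenSource VarSource `json:"apiTokenSource"`
+ApiToken string `json:"apiToken,omitempty"`
+ApiTokenSource VarSource `json:"apiTokenSource,omitempty"`
 Channels []string `json:"channels,omitempty"`
 Fields map[string]string `json:"fields,omitempty"`
 UseProxy bool `json:"useProxy,omitempty"`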
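Review bot: The re-added clear-text fields `IngestToken`, `GenieKey` and `ApiToken` carry no doc comment, so nothing tells a user that the value is stored in the HumioAction spec itself (and therefore in etcd, API audit logs and `kubectl get -o yaml` output) or that the `*Source` field is the intended path. A `// Deprecated:` doc comment on each would surface that in generated API docs and in staticcheck, e.g. for the Slack field: `// ApiToken is the Slack API token in clear text. Deprecated: set ApiTokenSource.SecretKeyRef instead so the token is read from a Secret rather than stored in the HumioAction spec.` Because `resolveField` in this same commit returns the inline value whenever it is non-empty, the comment should also state that the inline value takes precedence when both are set. Whether any admission-side validation rejects a spec with both fields populated is not visible here.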
12 changes: 6 additions & 6 deletions charts/humio-operator/crds/core.humio.com_humioactions.yaml
@@ -66,6 +66,8 @@ spec:
description: HumioRepositoryProperties indicates this is a Humio Repository
Action, and contains the corresponding properties
properties:
ingestToken:
type: string
ingestTokenSource:
properties:
secretKeyRef:
@@ -87,8 +89,6 @@ spec:
- key
type: object
type: object
required:
- ingestTokenSource
type: object
managedClusterName:
description: ManagedClusterName refers to an object of type HumioCluster
@@ -104,6 +104,8 @@ spec:
properties:
apiUrl:
type: string
genieKey:
type: string
genieKeySource:
properties:
secretKeyRef:
@@ -127,8 +129,6 @@ spec:
type: object
useProxy:
type: boolean
required:
- genieKeySource
type: object
pagerDutyProperties:
description: PagerDutyProperties indicates this is a PagerDuty Action,
@@ -145,6 +145,8 @@ spec:
description: SlackPostMessageProperties indicates this is a Slack
Post Message Action, and contains the corresponding properties
properties:
apiToken:
type: string
apiTokenSource:
properties:
secretKeyRef:
@@ -176,8 +178,6 @@ spec:
type: object
useProxy:
type: boolean
required:
- apiTokenSource
type: object
slackProperties:
description: SlackProperties indicates this is a Slack Action, and
12 changes: 6 additions & 6 deletions config/crd/bases/core.humio.com_humioactions.yaml
@@ -66,6 +66,8 @@ spec:
description: HumioRepositoryProperties indicates this is a Humio Repository
Action, and contains the corresponding properties
properties:
ingestToken:
type: string
ingestTokenSource:
properties:
secretKeyRef:
@@ -87,8 +89,6 @@ spec:
- key
type: object
type: object
required:
- ingestTokenSource
type: object
managedClusterName:
description: ManagedClusterName refers to an object of type HumioCluster
@@ -104,6 +104,8 @@ spec:
properties:
apiUrl:
type: string
genieKey:
type: string
genieKeySource:
properties:
secretKeyRef:
@@ -127,8 +129,6 @@ spec:
type: object
useProxy:
type: boolean
required:
- genieKeySource
type: object
pagerDutyProperties:
description: PagerDutyProperties indicates this is a PagerDuty Action,
@@ -145,6 +145,8 @@ spec:
description: SlackPostMessageProperties indicates this is a Slack
Post Message Action, and contains the corresponding properties
properties:
apiToken:
type: string
apiTokenSource:
properties:
secretKeyRef:
@@ -176,8 +178,6 @@ spec:
type: object
useProxy:
type: boolean
required:
- apiTokenSource
type: object
slackProperties:
description: SlackProperties indicates this is a Slack Action, and
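--- a/controllers/humioaction_annotations.go
+++ b/controllers/humioaction_annotations.go
@@ -32,7 +32,6 @@ func (r *HumioActionReconciler) reconcileHumioActionAnnotations(ctx context.Cont
 actionCR.ObjectMeta.Annotations[k] = v
 }
 
-// TODO: Hack it here
 err = r.Update(ctx, actionCR)
 if err != nil {
 return reconcile.Result{}, r.logErrorAndReturn(err, "failed to add ID annotation to action")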
36 changes: 16 additions & 20 deletions controllers/humioaction_controller.go
@@ -197,43 +197,39 @@ func (r *HumioActionReconciler) reconcileHumioAction(ctx context.Context, config

func (r *HumioActionReconciler) resolveSecrets(ctx context.Context, ha *humiov1alpha1.HumioAction) error {
var err error
var secretKey string
var secretValue string
var apiToken string

if ha.Spec.SlackPostMessageProperties != nil && ha.Spec.SlackPostMessageProperties.ApiTokenSource.SecretKeyRef != nil {
secretKey = fmt.Sprintf("%s-%s", ha.Namespace, ha.Spec.SlackPostMessageProperties.ApiTokenSource.SecretKeyRef.Name)
secretValue, err = r.resolveField(ctx, ha.Namespace, ha.Spec.SlackPostMessageProperties.ApiTokenSource)
if ha.Spec.SlackPostMessageProperties != nil {
apiToken, err = r.resolveField(ctx, ha.Namespace, ha.Spec.SlackPostMessageProperties.ApiToken, ha.Spec.SlackPostMessageProperties.ApiTokenSource)
if err != nil {
return fmt.Errorf("SlackPostMessageProperties.ApiTokenSource.%v", err)
return fmt.Errorf("slackPostMessageProperties.ApiTokenSource.%v", err)
}
}

if ha.Spec.OpsGenieProperties != nil && ha.Spec.OpsGenieProperties.GenieKeySource.SecretKeyRef != nil {
secretKey = fmt.Sprintf("%s-%s", ha.Namespace, ha.Spec.OpsGenieProperties.GenieKeySource.SecretKeyRef.Name)
secretValue, err = r.resolveField(ctx, ha.Namespace, ha.Spec.OpsGenieProperties.GenieKeySource)
if ha.Spec.OpsGenieProperties != nil {
ha.Spec.OpsGenieProperties.GenieKey, err = r.resolveField(ctx, ha.Namespace, ha.Spec.OpsGenieProperties.GenieKey, ha.Spec.OpsGenieProperties.GenieKeySource)
if err != nil {
return fmt.Errorf("opsGenieProperties.ingestTokenSource.%v", err)
}
}

if ha.Spec.HumioRepositoryProperties != nil && ha.Spec.HumioRepositoryProperties.IngestTokenSource.SecretKeyRef != nil {
secretKey = fmt.Sprintf("%s-%s", ha.Namespace, ha.Spec.HumioRepositoryProperties.IngestTokenSource.SecretKeyRef.Name)
secretValue, err = r.resolveField(ctx, ha.Namespace, ha.Spec.HumioRepositoryProperties.IngestTokenSource)
if ha.Spec.HumioRepositoryProperties != nil {
ha.Spec.HumioRepositoryProperties.IngestToken, err = r.resolveField(ctx, ha.Namespace, ha.Spec.HumioRepositoryProperties.IngestToken, ha.Spec.HumioRepositoryProperties.IngestTokenSource)
if err != nil {
return fmt.Errorf("humioRepositoryProperties.ingestTokenSource.%v", err)
}
}
// TODO: Remove the if-condition here once the pattern is complete
if humiov1alpha1.HaSecrets == nil {
humiov1alpha1.HaSecrets = make(map[string]string)
}
if secretValue != "" {
humiov1alpha1.HaSecrets[secretKey] = secretValue
}

humiov1alpha1.SecretFromHa(ha, apiToken)

return nil
}

func (r *HumioActionReconciler) resolveField(ctx context.Context, namespace string, ref humiov1alpha1.VarSource) (string, error) {
func (r *HumioActionReconciler) resolveField(ctx context.Context, namespace, value string, ref humiov1alpha1.VarSource) (string, error) {
if value != "" {
return value, nil
}

if ref.SecretKeyRef != nil {
secret, err := kubernetes.GetSecret(ctx, r, ref.SecretKeyRef.Name, namespace)
if err != nil {
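Review bot: `humiov1alpha1.SecretFromHa(ha, apiToken)` at the end of `resolveSecrets` runs for every action, so a non-Slack action (or a Slack action with no token configured) stores an empty string and a later `HaHasSecret` reports the key as found with an empty token; guard it with `if apiToken != "" { humiov1alpha1.SecretFromHa(ha, apiToken) }`. The OpsGenie and HumioRepository branches also write the resolved secret back into `ha.Spec.OpsGenieProperties.GenieKey` and `ha.Spec.HumioRepositoryProperties.IngestToken`; if that object is afterwards handed to `r.Update`/`r.Patch` (the annotations reconciler does call `r.Update(ctx, actionCR)`, though whether it is the same object is not visible here) the secret would be persisted in clear text into the CR and etcd, so keeping the resolved values in locals, or resolving on a `DeepCopy()`, is safer. The new `if value != "" { return value, nil }` early return in `resolveField` means an inline clear-text value silently wins over `SecretKeyRef` when both are set; returning an error for that ambiguous spec, or at least documenting the precedence, avoids surprising a user who thinks the Secret is in use. The unchanged context line `opsGenieProperties.ingestTokenSource.%v` looks like a copy of the repository branch and should read `genieKeySource`. `resolveField`'s body continues past the end of this hunk.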
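--- a/controllers/suite/common.go
+++ b/controllers/suite/common.go
@@ -47,8 +47,6 @@ const (
 
 const TestInterval = time.Second * 1
 
-var haSecrets map[string]string
-
 func UsingClusterBy(cluster, text string, callbacks ...func()) {
 timestamp := time.Now().Format(time.RFC3339Nano)
 fmt.Fprintln(GinkgoWriter, "STEP | "+timestamp+" | "+cluster+": "+text)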