Merge pull request #20 from middleware-labs/bhogayatakb/AGE-6

Allow reading existing API Key secret for kube agent
middleware-labs · Aug 20, 2024 · 5dcb8bf · 5dcb8bf
2 parents 2582f48 + c38a9ad
commit 5dcb8bf
Show file tree

Hide file tree

Showing 9 changed files with 170 additions and 3 deletions.
diff --git a/.github/workflows/mw-kube-agent-v2-tests.yaml b/.github/workflows/mw-kube-agent-v2-tests.yaml
@@ -0,0 +1,86 @@
+name: Helm Chart Tests
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Start Minikube
+        id: minikube
+        uses: medyagh/setup-minikube@latest
+
+      - name: Set up Kubectl
+        uses: azure/setup-kubectl@v1
+        with:
+          version: 'latest'
+
+      - name: Set up Helm
+        uses: azure/[email protected]
+
+      - name: Install Kubernetes and Helm dependencies
+        run: |
+          sudo apt-get install -y kubectl
+          helm repo add stable https://charts.helm.sh/stable
+
+      - name: Lint Helm chart
+        run: helm lint ./charts/mw-kube-agent-v2
+
+      - name: Render Helm templates with apiKeyFromExistingSecret enabled
+        run: helm template my-release ./charts/mw-kube-agent-v2 --values ./charts/mw-kube-agent-v2/testvalues/api-key-from-existing-secret-enabled.yaml > rendered-with-secret.yaml
+
+      - name: Render Helm templates with apiKeyFromExistingSecret disabled
+        run: helm template my-release ./charts/mw-kube-agent-v2 --values ./charts/mw-kube-agent-v2/testvalues/api-key-from-existing-secret-disabled.yaml > rendered-no-secret.yaml
+
+      - name: Apply Helm chart with apiKeyFromExistingSecret enabled
+        run: |
+          kubectl apply -f ./charts/mw-kube-agent-v2/namespace.yaml
+          helm install my-release ./charts/mw-kube-agent-v2 --values ./charts/mw-kube-agent-v2/testvalues/api-key-from-existing-secret-enabled.yaml
+
+      - name: Validate Secret with apiKeyFromExistingSecret enabled
+        run: |
+          sleep 10 # Wait for resources to be created
+          SECRET_VALUE=$(kubectl get secret middleware-secret -n mw-agent-ns -o jsonpath='{.data.api-key}' | base64 --decode)
+          echo "Secret value with apiKeyFromExistingSecret enabled: $SECRET_VALUE"
+          if [[ "$SECRET_VALUE" != "fallback-api-key" ]]; then
+            echo "Test passed for apiKeyFromExistingSecret enabled"
+          else
+            echo "Test failed for apiKeyFromExistingSecret enabled"
+            exit 1
+          fi
+
+      - name: Clean up with apiKeyFromExistingSecret enabled
+        run: |
+          helm uninstall my-release
+          kubectl delete ns mw-agent-ns
+
+      - name: Apply Helm chart with apiKeyFromExistingSecret disabled
+        run: |
+          kubectl create ns mw-agent-ns
+          helm install my-release ./charts/mw-kube-agent-v2 --values ./charts/mw-kube-agent-v2/testvalues/api-key-from-existing-secret-disabled.yaml
+
+      - name: Validate Secret with apiKeyFromExistingSecret disabled
+        run: |
+          sleep 10 # Wait for resources to be created
+          SECRET_VALUE=$(kubectl get secret middleware-secret -n mw-agent-ns -o jsonpath='{.data.api-key}' | base64 --decode)
+          echo "Secret value with apiKeyFromExistingSecret disabled: $SECRET_VALUE"
+          if [[ "$SECRET_VALUE" == "fallback-api-key" ]]; then
+            echo "Test passed for apiKeyFromExistingSecret disabled"
+          else
+            echo "Test failed for apiKeyFromExistingSecret disabled"
+            exit 1
+          fi
+
+      - name: Clean up with apiKeyFromExistingSecret disabled
+        run: |
+          helm uninstall my-release
+          kubectl delete ns mw-agent-ns
diff --git a/charts/mw-kube-agent-v2/Chart.yaml b/charts/mw-kube-agent-v2/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.0.10
+version: 2.1.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/charts/mw-kube-agent-v2/README.md b/charts/mw-kube-agent-v2/README.md
@@ -0,0 +1,38 @@
+## Middleware Kubernetes Agent
+
+### Installation Process
+
+Create a `middleware-values.yaml` using the content given below.
+```
+mw:
+  target: XXXXXXXXX
+  apiKey: XXXXXXXXX
+
+clusterMetadata:
+  name: my-cluster
+```
+
+Replace `XXXXXXXXX` with actual Middleware Target & API Key which you can get from your Middleware account => https://app.middleware.io
+
+```
+helm repo add middleware-labs https://helm.middleware.io
+```
+```
+helm install mw-agent middleware-labs/mw-kube-agent-v2 -f middleware-values.yaml
+```
+
+#### Use Existing Secret for API Key ( Optional )
+
+If you already have a secret named `my-custom-secret` that contains `middleware-api-key`, you can use it instead of putting your API Key in a local file.
+
+```
+mw:
+  target: XXXXXXXXX
+  apiKeyFromExistingSecret:
+    enabled: true
+    name: my-custom-secret
+    key: middleware-api-key
+
+clusterMetadata:
+  name: my-cluster
+```
diff --git a/charts/mw-kube-agent-v2/namespace.yaml b/charts/mw-kube-agent-v2/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: mw-agent-ns
diff --git a/charts/mw-kube-agent-v2/templates/clusterrole.yaml b/charts/mw-kube-agent-v2/templates/clusterrole.yaml
@@ -48,4 +48,11 @@ rules:
   - apiGroups: ["rbac.authorization.k8s.io"]
     resources: ["clusterrolebindings", "clusterroles", "roles", "rolebindings", ]
     verbs: ["get", "list", "watch"]
-{{- end }}
+  {{- if .Values.mw.apiKeyFromExistingSecret.enabled }}
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get"]
+    resourceNames:
+      - {{ .Values.mw.apiKeyFromExistingSecret.name }}
+  {{- end }}
+{{- end }}
diff --git a/charts/mw-kube-agent-v2/templates/secret.yaml b/charts/mw-kube-agent-v2/templates/secret.yaml
@@ -8,4 +8,20 @@ metadata:
 type: Opaque
 
 data:
-  api-key: {{ .Values.mw.apiKey | b64enc | quote }}
+  api-key: {{- if .Values.mw.apiKeyFromExistingSecret.enabled }}
+             {{- $secretName := $.Values.mw.apiKeyFromExistingSecret.name }}
+             {{- $secretKey := $.Values.mw.apiKeyFromExistingSecret.key }}
+             {{- $namespace := $.Values.namespace.name }}
+             {{- $secret := lookup "v1" "Secret" $namespace $secretName }}
+             {{- if $secret}}
+               {{- $apiKey := index $secret.data $secretKey }}
+               {{- if $apiKey }}
+                 {{ $apiKey }}
+               {{- else }}
+                 {{- fail "Could not read MW API Key from existing secret" }}
+               {{- end }}
+             {{- end }}
+
+           {{- else }}
+             {{ .Values.mw.apiKey | toString | b64enc }}   
+           {{- end }}
diff --git a/charts/mw-kube-agent-v2/testvalues/api-key-from-existing-secret-disabled.yaml b/charts/mw-kube-agent-v2/testvalues/api-key-from-existing-secret-disabled.yaml
@@ -0,0 +1,6 @@
+mw:
+    apiKey: fallback-api-key
+    apiKeyFromExistingSecret:
+      enabled: false
+      name: existing-secret
+      key: existing-secret-key
diff --git a/charts/mw-kube-agent-v2/testvalues/api-key-from-existing-secret-enabled.yaml b/charts/mw-kube-agent-v2/testvalues/api-key-from-existing-secret-enabled.yaml
@@ -0,0 +1,6 @@
+mw:
+  apiKey: fallback-api-key
+  apiKeyFromExistingSecret:
+    enabled: true
+    name: existing-secret
+    key: existing-secret-key
diff --git a/charts/mw-kube-agent-v2/values.yaml b/charts/mw-kube-agent-v2/values.yaml
@@ -12,6 +12,10 @@ mw:
   profilingServerUrl: "https://profiling.middleware.io"
   agentFeatures:
     infraMonitoring: true
+  apiKeyFromExistingSecret:
+    enabled: false
+    name: existing-secret
+    key: existing-secret-key
 
 clusterMetadata:
   name: "unknown"