From 7278b4f2fed6417535c1c4507ea91d22e7147275 Mon Sep 17 00:00:00 2001 From: Jan Steffen Date: Thu, 7 Jul 2022 15:25:26 +0200 Subject: [PATCH] Adjust code to make it easier to split secrets from nonsecrets Signed-off-by: Jan Steffen --- internal/k8sauthzreactor/config.go | 92 +++++++++++++++---- internal/k8sauthzreactor/test_config.yaml | 8 +- .../test_repo_one_basic_auth.yaml | 2 + .../test_repo_two_ssh_auth.yaml | 2 + 4 files changed, 80 insertions(+), 24 deletions(-) create mode 100644 internal/k8sauthzreactor/test_repo_one_basic_auth.yaml create mode 100644 internal/k8sauthzreactor/test_repo_two_ssh_auth.yaml diff --git a/internal/k8sauthzreactor/config.go b/internal/k8sauthzreactor/config.go index efa5efaca..aac04ade0 100644 --- a/internal/k8sauthzreactor/config.go +++ b/internal/k8sauthzreactor/config.go @@ -15,7 +15,9 @@ package k8sauthzreactor import ( + "encoding/base64" "fmt" + "io/ioutil" "os" "time" @@ -66,10 +68,10 @@ type GitRepository struct { AllClusters bool `yaml:"allClusters"` // Clusters is an optional field to specify a list of clusters for which the RBAC should be managed. Clusters []string `yaml:"clusters"` - // BasicAuth is an optional field to specify credentials to authenticate towards a Git repository over HTTPS using basic access authentication. - BasicAuth *GitBasicAuth `yaml:"basicAuth"` - // SSHAuth is an optional field to specify credentials to authenticate towards a Git repository over SSH. With the respective private key of the SSH key pair, and the host keys of the Git repository. - SSHAuth *GitSSHAuth `yaml:"sshAuth"` + // BasicAuthPath is an optional field to specify the file containing credentials to authenticate towards a Git repository over HTTPS using basic access authentication. + BasicAuthPath string `yaml:"basicAuthPath"` + // SSHAuthPath is an optional field to specify the file containing credentials to authenticate towards a Git repository over SSH. With the respective private key of the SSH key pair, and the host keys of the Git repository. + SSHAuthPath string `yaml:"sshAuthPath"` } // ClusterRoleMapping is a mapping from m8 roles to ClusterRole's in a K8s cluster @@ -112,6 +114,59 @@ func NewConfigFromFile(data []byte) (*GitRepoReconcilerConfig, error) { return conf, nil } +// configureBasicAuth reads the file containing the basic auth information and unmarshal's it's content into the clone options given. +func configureBasicAuth(repo *GitRepository, cloneOptions *git.CloneOptions) error { + // read file + data, err := ioutil.ReadFile(repo.BasicAuthPath) + if err != nil { + return err + } + + // unmarshal + basicAuth := &GitBasicAuth{} + err = yaml.Unmarshal(data, basicAuth) + if err != nil { + return err + } + + // set clone options auth + cloneOptions.Auth = &http.BasicAuth{ + Username: basicAuth.Username, + Password: basicAuth.Password, + } + + return nil +} + +// configureSSHAuth reads the file containing the ssh auth information and unmarshal's it's content into the clone options given. +func configureSSHAuth(repo *GitRepository, cloneOptions *git.CloneOptions) error { + // read file + data, err := ioutil.ReadFile(repo.SSHAuthPath) + if err != nil { + return err + } + + // unmarshal + sshAuth := &GitSSHAuth{} + err = yaml.Unmarshal(data, sshAuth) + if err != nil { + return err + } + + // set clone options auth + if _, err := os.Stat(sshAuth.PrivateKeyPath); err != nil { + return fmt.Errorf("read file %s failed: %w", sshAuth.PrivateKeyPath, err) + } + + publicKeys, err := ssh.NewPublicKeysFromFile("git", sshAuth.PrivateKeyPath, sshAuth.Password) + if err != nil { + return err + } + cloneOptions.Auth = publicKeys + + return nil +} + // parseCloneOptions parses the configuration using the git library to validate. func (c *GitRepoReconcilerConfig) parseCloneOptions(repo *GitRepository) error { cloneOptions := &git.CloneOptions{ @@ -120,34 +175,35 @@ func (c *GitRepoReconcilerConfig) parseCloneOptions(repo *GitRepository) error { SingleBranch: true, NoCheckout: false, Depth: 1, - CABundle: []byte(repo.CA), } - // Configure basic auth optionally - if repo.BasicAuth != nil { - cloneOptions.Auth = &http.BasicAuth{ - Username: repo.BasicAuth.Username, - Password: repo.BasicAuth.Password, + // Set CA + if len(repo.CA) != 0 { + if data, err := base64.StdEncoding.DecodeString(repo.CA); err != nil { + return err + } else { + cloneOptions.CABundle = data } } - // Configure ssh auth - if repo.SSHAuth != nil { - _, err := os.Stat(repo.SSHAuth.PrivateKeyPath) - if err != nil { - return fmt.Errorf("read file %s failed: %w", repo.SSHAuth.PrivateKeyPath, err) + // Configure basic auth optionally + if len(repo.BasicAuthPath) != 0 { + if err := configureBasicAuth(repo, cloneOptions); err != nil { + return err } + } - publicKeys, err := ssh.NewPublicKeysFromFile("git", repo.SSHAuth.PrivateKeyPath, repo.SSHAuth.Password) - if err != nil { + // Configure ssh auth + if len(repo.SSHAuthPath) != 0 { + if err := configureSSHAuth(repo, cloneOptions); err != nil { return err } - cloneOptions.Auth = publicKeys } if err := cloneOptions.Validate(); err != nil { return err } c.cloneOptions = cloneOptions + return nil } diff --git a/internal/k8sauthzreactor/test_config.yaml b/internal/k8sauthzreactor/test_config.yaml index 9568bea58..08d668c71 100644 --- a/internal/k8sauthzreactor/test_config.yaml +++ b/internal/k8sauthzreactor/test_config.yaml @@ -2,17 +2,13 @@ repositories: - url: https://monoskope.io/test1.git branch: main caCert: dGhpcy1pcy1hLWNhLWNlcnQ= - basicAuth: - username: test1 - password: testpw + basicAuthPath: test_repo_one_basic_auth.yaml allClusters: true interval: 5m - url: https://monoskope.io/test2.git branch: test interval: 5m - sshAuth: - privateKeyPath: testkey.pem - password: a25vd24taG9zdC1rZXlz + sshAuthPath: test_repo_two_ssh_auth.yaml clusters: - "dev" - "prod" diff --git a/internal/k8sauthzreactor/test_repo_one_basic_auth.yaml b/internal/k8sauthzreactor/test_repo_one_basic_auth.yaml new file mode 100644 index 000000000..9f0c5df88 --- /dev/null +++ b/internal/k8sauthzreactor/test_repo_one_basic_auth.yaml @@ -0,0 +1,2 @@ +username: test1 +password: testpw diff --git a/internal/k8sauthzreactor/test_repo_two_ssh_auth.yaml b/internal/k8sauthzreactor/test_repo_two_ssh_auth.yaml new file mode 100644 index 000000000..68c50003e --- /dev/null +++ b/internal/k8sauthzreactor/test_repo_two_ssh_auth.yaml @@ -0,0 +1,2 @@ +privateKeyPath: testkey.pem +password: a25vd24taG9zdC1rZXlz