refactor: break to 2 apis - decrypt and encrypt (#31)

* refactor: break to 2 apis - decrypt and encrypt * fix dockerfile + black box tests * initial commit - adding chart * fix the chart * add kamus cli * some fixes * enforce HTTPs urls * use caporal logger * fix encrypt.js * fix missing http * added cert pinning * fix CR comments
Soluto · Dec 23, 2018 · 8856c8d · 8856c8d
1 parent 0f34937
commit 8856c8d
Show file tree

Hide file tree

Showing 65 changed files with 2,299 additions and 128 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -1,2 +1,6 @@
 bin\
-obj\
+obj\
+cmd/
+**/bin/*
+**/obj/*
+**/vendor
diff --git a/.gitignore b/.gitignore
@@ -39,4 +39,5 @@ job/
 
 **/report.json
 **/report.json
-node_modules/
+node_modules/
+**/vendor/
diff --git a/Dockerfile b/Dockerfile
@@ -1,20 +1,26 @@
 FROM microsoft/dotnet:2.1-sdk AS build-env
 
+ARG PROJECT_NAME=decrypt-api
+
 WORKDIR /app
 
 # Copy csproj and restore as distinct layers
-COPY  ./src/Hamuste.csproj ./
-RUN dotnet restore
+COPY  ./src/$PROJECT_NAME/$PROJECT_NAME.csproj ./$PROJECT_NAME/$PROJECT_NAME.csproj
+COPY ./src/key-managment/key-managment.csproj ./key-managment/key-managment.csproj 
+RUN dotnet restore $PROJECT_NAME/$PROJECT_NAME.csproj
 
 # Copy everything else and build
-COPY  ./src ./
-RUN dotnet publish -c Release -o ./obj/Docker/publish
+COPY  ./src/$PROJECT_NAME ./$PROJECT_NAME
+COPY  ./src/key-managment ./key-managment
+RUN dotnet publish $PROJECT_NAME/$PROJECT_NAME.csproj -c Release -o ./obj/Docker/publish
 
 # Build runtime image
-FROM microsoft/dotnet:2.1-aspnetcore-runtime as release
+FROM microsoft/dotnet:2.1.6-aspnetcore-runtime as release
+ARG PROJECT_NAME=decrypt-api
+ENV PROJECT_NAME_ENV=$PROJECT_NAME
 RUN groupadd -r dotnet && useradd --no-log-init -r -g dotnet -d /home/dotnet -ms /bin/bash dotnet
 USER dotnet
 WORKDIR /home/dotnet/app
 ENV ASPNETCORE_URLS=http://+:9999
-COPY --from=build-env /app/obj/Docker/publish .
-ENTRYPOINT ["dotnet", "Hamuste.dll"]
+COPY --from=build-env /app/$PROJECT_NAME/obj/Docker/publish .
+ENTRYPOINT dotnet $PROJECT_NAME_ENV.dll
diff --git a/Hamuste.sln b/Hamuste.sln
@@ -8,10 +8,14 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "blackbox", "tests\blackbox\
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "unit", "tests\unit\unit.csproj", "{3F737829-7340-49FA-893D-4845C5F882AD}"
 EndProject
-Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Hamuste", "src\Hamuste.csproj", "{A12BBF7B-19E2-43CD-B230-DC6D4CABAAC1}"
-EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "integration", "tests\integration\integration.csproj", "{EE33CBB2-857E-47AE-BC8E-8C9CC23488D2}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "key-managment", "src\key-managment\key-managment.csproj", "{30BF661E-BA0D-42CE-AA14-3EAAD47D78BD}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "decrypt-api", "src\decrypt-api\decrypt-api.csproj", "{250FAE91-D1C3-4BE2-ABCB-400882AB235D}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "encrypt-api", "src\encrypt-api\encrypt-api.csproj", "{E69C788D-77EC-4C83-842A-425978A715FD}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -82,6 +86,42 @@ Global
 		{EE33CBB2-857E-47AE-BC8E-8C9CC23488D2}.Release|x64.Build.0 = Release|Any CPU
 		{EE33CBB2-857E-47AE-BC8E-8C9CC23488D2}.Release|x86.ActiveCfg = Release|Any CPU
 		{EE33CBB2-857E-47AE-BC8E-8C9CC23488D2}.Release|x86.Build.0 = Release|Any CPU
+		{30BF661E-BA0D-42CE-AA14-3EAAD47D78BD}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{30BF661E-BA0D-42CE-AA14-3EAAD47D78BD}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{30BF661E-BA0D-42CE-AA14-3EAAD47D78BD}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{30BF661E-BA0D-42CE-AA14-3EAAD47D78BD}.Debug|x64.Build.0 = Debug|Any CPU
+		{30BF661E-BA0D-42CE-AA14-3EAAD47D78BD}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{30BF661E-BA0D-42CE-AA14-3EAAD47D78BD}.Debug|x86.Build.0 = Debug|Any CPU
+		{30BF661E-BA0D-42CE-AA14-3EAAD47D78BD}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{30BF661E-BA0D-42CE-AA14-3EAAD47D78BD}.Release|Any CPU.Build.0 = Release|Any CPU
+		{30BF661E-BA0D-42CE-AA14-3EAAD47D78BD}.Release|x64.ActiveCfg = Release|Any CPU
+		{30BF661E-BA0D-42CE-AA14-3EAAD47D78BD}.Release|x64.Build.0 = Release|Any CPU
+		{30BF661E-BA0D-42CE-AA14-3EAAD47D78BD}.Release|x86.ActiveCfg = Release|Any CPU
+		{30BF661E-BA0D-42CE-AA14-3EAAD47D78BD}.Release|x86.Build.0 = Release|Any CPU
+		{250FAE91-D1C3-4BE2-ABCB-400882AB235D}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{250FAE91-D1C3-4BE2-ABCB-400882AB235D}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{250FAE91-D1C3-4BE2-ABCB-400882AB235D}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{250FAE91-D1C3-4BE2-ABCB-400882AB235D}.Debug|x64.Build.0 = Debug|Any CPU
+		{250FAE91-D1C3-4BE2-ABCB-400882AB235D}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{250FAE91-D1C3-4BE2-ABCB-400882AB235D}.Debug|x86.Build.0 = Debug|Any CPU
+		{250FAE91-D1C3-4BE2-ABCB-400882AB235D}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{250FAE91-D1C3-4BE2-ABCB-400882AB235D}.Release|Any CPU.Build.0 = Release|Any CPU
+		{250FAE91-D1C3-4BE2-ABCB-400882AB235D}.Release|x64.ActiveCfg = Release|Any CPU
+		{250FAE91-D1C3-4BE2-ABCB-400882AB235D}.Release|x64.Build.0 = Release|Any CPU
+		{250FAE91-D1C3-4BE2-ABCB-400882AB235D}.Release|x86.ActiveCfg = Release|Any CPU
+		{250FAE91-D1C3-4BE2-ABCB-400882AB235D}.Release|x86.Build.0 = Release|Any CPU
+		{E69C788D-77EC-4C83-842A-425978A715FD}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{E69C788D-77EC-4C83-842A-425978A715FD}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{E69C788D-77EC-4C83-842A-425978A715FD}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{E69C788D-77EC-4C83-842A-425978A715FD}.Debug|x64.Build.0 = Debug|Any CPU
+		{E69C788D-77EC-4C83-842A-425978A715FD}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{E69C788D-77EC-4C83-842A-425978A715FD}.Debug|x86.Build.0 = Debug|Any CPU
+		{E69C788D-77EC-4C83-842A-425978A715FD}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{E69C788D-77EC-4C83-842A-425978A715FD}.Release|Any CPU.Build.0 = Release|Any CPU
+		{E69C788D-77EC-4C83-842A-425978A715FD}.Release|x64.ActiveCfg = Release|Any CPU
+		{E69C788D-77EC-4C83-842A-425978A715FD}.Release|x64.Build.0 = Release|Any CPU
+		{E69C788D-77EC-4C83-842A-425978A715FD}.Release|x86.ActiveCfg = Release|Any CPU
+		{E69C788D-77EC-4C83-842A-425978A715FD}.Release|x86.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE

diff --git a/chart/Chart.yaml b/chart/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+description:  An open source, git-ops, zero-trust secrets encryption and decryption solution for Kubernetes applications
+name: kamus
+version: 0.1.0
+keywords:
+  - gitops
+  - secrets
+sources:
+  - https://github.com/Soluto/Kamus
+maintainers:
+  - name: Omer Levi Hevroni
+  - name: Shai Katz
diff --git a/chart/templates/NOTES.txt b/chart/templates/NOTES.txt
@@ -0,0 +1,19 @@
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range .Values.ingress.hosts }}
+  http://{{ . }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "kamus.name" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch the status of by running 'kubectl get svc -w {{ template "kamus.name" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "kamus.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+  echo http://$SERVICE_IP:{{ .Values.service.externalPort }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "kamus.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  echo "Visit http://127.0.0.1:8080 to use your application"
+  kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }}
+{{- end }}
diff --git a/chart/templates/_helpers.tpl b/chart/templates/_helpers.tpl
@@ -0,0 +1,31 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "kamus.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "appsettings.secret.json" }}
+{{ printf "{\n\t\"ActiveDirectory\": { " }}
+{{ if .Values.activeDirectory}}
+{{ printf "\t\t\"ClientSecret\": \"%s\" " .Values.activeDirectory.clientSecret }}
+{{- end -}}
+{{ if .Values.keyManagment.AES}}
+{{ printf "\"KeyManagement\": { \n\t\t\"AES\": { \"Key\": \"%s\" } }" .Values.keyManagment.AES.key }}
+{{- end -}}
+{{ printf "} \n}"}}
+{{- end }}
+
+"KeyManagement": {
+    "Provider": "AESKey",
+    "AES": {
+      "Key": "rWnWbaFutavdoeqUiVYMNJGvmjQh31qaIej/vAxJ9G0="
+    },
+    "KeyVault":  {
+      "Name": "k8spoc",
+      "KeyType": "RSA",
+      "KeyLength": "2048",
+      "MaximumDataLength": "214"
+    }
+  }
diff --git a/chart/templates/autoscaling-decryptor.yaml b/chart/templates/autoscaling-decryptor.yaml
@@ -0,0 +1,19 @@
+apiVersion: autoscaling/v1
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ template "kamus.name" . }}-decryptor
+  namespace: {{ .Values.team }}
+  labels:
+    app: {{ template "kamus.name" . }}
+    component: decryptor
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1beta1
+    kind: Deployment
+    name: {{ template "kamus.name" . }}-decryptor
+  minReplicas: {{ .Values.autoscale.minReplicas }}
+  maxReplicas: {{ .Values.autoscale.maxReplicas }}
+  targetCPUUtilizationPercentage: {{ .Values.autoscale.targetCPU }}
diff --git a/chart/templates/autoscaling-encryptor.yaml b/chart/templates/autoscaling-encryptor.yaml
@@ -0,0 +1,19 @@
+apiVersion: autoscaling/v1
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ template "kamus.name" . }}-encryptor
+  namespace: {{ .Values.team }}
+  labels:
+    app: {{ template "kamus.name" . }}
+    component: encryptor
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1beta1
+    kind: Deployment
+    name: {{ template "kamus.name" . }}-encryptor
+  minReplicas: {{ .Values.autoscale.minReplicas }}
+  maxReplicas: {{ .Values.autoscale.maxReplicas }}
+  targetCPUUtilizationPercentage: {{ .Values.autoscale.targetCPU }}
diff --git a/chart/templates/configmap-decryptor.yaml b/chart/templates/configmap-decryptor.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "kamus.name" . }}-decryptor
+  namespace: {{ .Values.team }}
+data:
+  KeyManagement__Provider: {{ .Values.keyManagment.provider }}
diff --git a/chart/templates/configmap-encryptor.yaml b/chart/templates/configmap-encryptor.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "kamus.name" . }}-encryptor
+  namespace: {{ .Values.team }}
+data:
+  KeyManagement__Provider: {{ .Values.keyManagment.provider }}
diff --git a/chart/templates/deployment-decryptor.yaml b/chart/templates/deployment-decryptor.yaml
@@ -0,0 +1,65 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: {{ template "kamus.name" . }}-decryptor
+  namespace: {{ .Values.team }}
+  labels:
+    app: {{ template "kamus.name" . }}
+    component: decryptor
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  strategy:
+    rollingUpdate:
+      maxUnavailable: {{ .Values.maxUnavailable }}
+  replicas: {{ .Values.replicaCount }}
+  selector:
+      matchLabels:
+        app: {{ template "kamus.name" . }}
+        release: {{ .Release.Name }}
+        component: decryptor
+  revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
+  template:
+    metadata:
+      labels:
+        app: {{ template "kamus.name" . }}
+        release: {{ .Release.Name }}
+        component: decryptor
+    spec:
+      serviceAccountName: {{ template "kamus.name" . }}
+      automountServiceAccountToken: true
+      containers:
+        - name: decryptor-api
+          image: {{ .Values.image.repository }}/kamus:decryptor-{{ .Values.image.version }}
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          volumeMounts:
+            - name: secret-volume
+              mountPath: /app/secrets
+          ports:
+            - containerPort: 9999
+          livenessProbe:
+            httpGet:
+              path: /api/v1/isAlive
+              port: 9999
+          readinessProbe:
+            httpGet:
+              path: /api/v1/isAlive
+              port: 9999
+          resources:
+{{ toYaml .Values.resources | indent 12 }}
+          envFrom:
+           - configMapRef:
+              name: {{ template "kamus.name" . }}-decryptor
+        {{- if .Values.imagePullSecrets }}
+      imagePullSecrets:
+        - name: {{ toYaml .Values.imagePullSecrets }}
+        {{- end }}
+      volumes:
+        - name: secret-volume
+          secret:
+            secretName: {{ template "kamus.name" . }}
+      {{- if .Values.nodeSelector }}
+      nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 8 }}
+      {{- end }}