From 8beb5ed7b53537e616de1c4fb5175e0e7595b478 Mon Sep 17 00:00:00 2001 From: omerlh Date: Wed, 10 Jul 2019 11:11:52 +0300 Subject: [PATCH 01/44] added support for binary data in kamus secret --- .../HostedServices/V1AlphaController.cs | 26 ++++++++++++++++--- src/crd-controller/Models/KamusSecret.cs | 1 + tests/crd-controller/FlowTest.cs | 4 ++- tests/crd-controller/crd-controller.csproj | 3 +++ tests/crd-controller/key.crt | 0 tests/crd-controller/tls-KamusSecret.yaml | 2 ++ 6 files changed, 32 insertions(+), 4 deletions(-) create mode 100644 tests/crd-controller/key.crt diff --git a/src/crd-controller/HostedServices/V1AlphaController.cs b/src/crd-controller/HostedServices/V1AlphaController.cs index 914eef1a0..947240b0d 100644 --- a/src/crd-controller/HostedServices/V1AlphaController.cs +++ b/src/crd-controller/HostedServices/V1AlphaController.cs @@ -125,7 +125,8 @@ private async Task CreateSecret(KamusSecret kamusSecret) var serviceAccount = kamusSecret.ServiceAccount; var id = $"{@namespace}:{serviceAccount}"; - var decryptedItems = new Dictionary(); + var decryptedStrings = new Dictionary(); + var decryptedBinaries = new Dictionary(); mLogger.Debug("Starting decrypting KamusSecret items. KamusSecret {name} in namespace {namespace}", kamusSecret.Metadata.Name, @@ -137,7 +138,25 @@ private async Task CreateSecret(KamusSecret kamusSecret) { var decrypted = await mKeyManagement.Decrypt(value, id); - decryptedItems.Add(key, decrypted); + decryptedStrings.Add(key, decrypted); + } + catch (Exception e) + { + mLogger.Error(e, + "Failed to decrypt KamusSecret key {key}. KamusSecret {name} in namespace {namespace}", + key, + kamusSecret.Metadata.Name, + @namespace); + } + } + + foreach (var (key, value) in kamusSecret.BinaryData) + { + try + { + var decrypted = await mKeyManagement.Decrypt(value, id); + + decryptedBinaries.Add(key, Convert.FromBase64String(decrypted)); } catch (Exception e) { 
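Review bot: The new `foreach (var (key, value) in kamusSecret.BinaryData)` loop dereferences `BinaryData` unconditionally, so a KamusSecret that has no `binaryData` section — presumably every existing one, since the property would deserialize as null — throws a NullReferenceException inside CreateSecret and never gets its Secret created; guard it with `if (kamusSecret.BinaryData != null)` (PATCH 06 later adds an equivalent null check inside DecryptItems). In the same loop `Convert.FromBase64String(decrypted)` sits inside the try whose catch logs "Failed to decrypt KamusSecret key", so a plaintext that is merely not valid base64 is reported to the operator as a decryption failure; a separate `catch (FormatException e)` with its own message keeps the log actionable. Either failure drops the key and CreateSecret still goes on to build the Secret without it, which the caller learns only from the log line. CreateSecret continues outside the hunk.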
@@ -162,7 +181,8 @@ private async Task CreateSecret(KamusSecret kamusSecret) NamespaceProperty = @namespace }, Type = kamusSecret.Type, - StringData = decryptedItems + StringData = decryptedStrings, + Data = decryptedBinaries }; } diff --git a/src/crd-controller/Models/KamusSecret.cs b/src/crd-controller/Models/KamusSecret.cs index 822c6588d..5d4d360b4 100644 --- a/src/crd-controller/Models/KamusSecret.cs +++ b/src/crd-controller/Models/KamusSecret.cs @@ -7,6 +7,7 @@ namespace CustomResourceDescriptorController.Models public class KamusSecret : KubernetesObject { public Dictionary Data { get; set; } + public Dictionary BinaryData { get; set; } public string Type { get; set; } public V1ObjectMeta Metadata { get; set; } public string ServiceAccount { get; set; } diff --git a/tests/crd-controller/FlowTest.cs b/tests/crd-controller/FlowTest.cs index d028b0e21..55ce175bb 100644 --- a/tests/crd-controller/FlowTest.cs +++ b/tests/crd-controller/FlowTest.cs @@ -1,5 +1,6 @@ using System; using System.Diagnostics; +using System.IO; using System.Reactive.Linq; using System.Reactive.Subjects; using System.Text; @@ -48,7 +49,8 @@ public async Task CreateKamusSecret_SecretCreated() Assert.Equal("TlsSecret", v1Secret.Type); Assert.True(v1Secret.Data.ContainsKey("key")); - Assert.Equal("hello", Encoding.UTF8.GetString(v1Secret.Data["key"])); + Assert.True(v1Secret.Data.ContainsKey("key3")); + Assert.Equal(File.ReadAllText("key.crt"), Encoding.UTF8.GetString(v1Secret.Data["key"])); } [Fact] diff --git a/tests/crd-controller/crd-controller.csproj b/tests/crd-controller/crd-controller.csproj index e3e21884e..250a9e29c 100644 --- a/tests/crd-controller/crd-controller.csproj +++ b/tests/crd-controller/crd-controller.csproj @@ -31,6 +31,9 @@ PreserveNewest + + PreserveNewest + diff --git a/tests/crd-controller/key.crt b/tests/crd-controller/key.crt new file mode 100644 index 000000000..e69de29bb 
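Review bot: `StringData = decryptedStrings, Data = decryptedBinaries` hands both maps to the API server, which folds `stringData` into `data` and lets the `stringData` entry win when the same key appears in both, so a KamusSecret carrying one key under both `data` and `binaryData` yields a Secret whose binary value is silently discarded. CreateSecret has both dictionaries in hand here, so the collision can be rejected before the object is built, e.g. `if (decryptedStrings.Keys.Intersect(decryptedBinaries.Keys).Any()) throw new InvalidOperationException("same key in data and binaryData");` (this file only gains `using System.Linq` in PATCH 06, so add it or use a `ContainsKey` loop); that matches the uniqueness rule the docs in PATCH 02 state but never enforce. The rest of CreateSecret and its callers are outside the hunk.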
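Review bot: The new assertion reads `v1Secret.Data["key"]` although the line just above checks for `"key3"`, so it still tests the old `data` entry rather than the binary one (PATCH 03 in this series switches it to `key3`). Since the feature under test is binary data, comparing bytes is the stronger and less fragile check — `Assert.Equal(File.ReadAllBytes("key.crt"), v1Secret.Data["key3"]);` — as it drops the UTF-8 round trip and makes the trailing-newline sensitivity that PATCH 04 and PATCH 05 then wrestle with explicit. At this commit `key.crt` is created empty (blob e69de29bb), so the comparison cannot pass until the fixture holds exactly the plaintext that was encrypted into `tls-KamusSecret.yaml`; a one-line comment on that fixture stating the byte-for-byte requirement would spare the next maintainer the same round of fixes. The test method continues outside the hunk.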
diff --git a/tests/crd-controller/tls-KamusSecret.yaml b/tests/crd-controller/tls-KamusSecret.yaml index 4b50ba4b4..cfa02a676 100644 --- a/tests/crd-controller/tls-KamusSecret.yaml +++ b/tests/crd-controller/tls-KamusSecret.yaml 
@@ -5,4 +5,6 @@ metadata: type: TlsSecret data: key: J9NYLzTC/O44DvlCEZ+LfQ==:Cc9O5zQzFOyxwTD5ZHseqg== +binaryData: + key3: 5SRnC8HJ6gJEOCpgby3ZSQ==:LUfzADu23z1l9CWFXzR71/Ua74IxI12Ehn18d5hnqA+C40D6o1qfaaOLuPzwPYILwsViZvg7FymTB9c/1vLlwnqQJfRXNNKg07cTD5tGoufKrQrgMpOHcEKsq/k3jwQ5MSyU99npBmPFkCZ93uE1b6llSbBkzp80cBQB+Peb7WtyfG4WoOn15hy7Eb71tcdNcRLd1r5pWaPWEIlMnVB8TERCfCpTUakXmuM5mvq5PTOp/OfRGpbqG3VRf/iDHSpSOqiNKhq6eiOWvG+WTCVqjpMv4iQiMlTCcJT31ayUHxafx1bg8EX5SuMVc0sHT7wwX4BBMDUCQ8i7qXHNS5gGAl6LXHC2fhfsK/PAJVDZ18PS/ISDuzAs/iV3zffqqLCZxy5qFDyBq5hdjE2deLhH40pL1G9i7fto40ikftdqKLFaa7pxc0A88bvQihkDuPj9gtAmXt7k+hnUXlPdP5VuoKGhfJUMaEDIwTxUekzcCPDPas9XrmLWyN27BFs6Z+s/kDL+8ZGHP4yyeJyxZV0Gxf0k7RY65GyFzkvcZElq8aI8sSSc9D4Li5OilpXb0M5/s+oZj0QCwwFR2+rNTc4vm1l5s2vRmNMHZ/mQEy1qSJbEvA65U6axYoRcjQIEnvth+sZHy1E3CNBW7LRvUMf2KCy6qX+rjV/i6krAVyohAOLCfWtS+Wi3ulkefoFbKLNVLVaDVP15s4c+dqsDAzscl3HtQHRlhkOlr9hAEsX7qQlRue2S8apDp4SN8umpaTFgZy7u03yTWE64fGYyubKYRYo38D0wTOI7Z9+47m/z52rk6214A3mxoTY8Mm4bmCyxcPwGMnKXdx8x9FN56mpdFifcQLx1HffkGM/F5Hj6/xUUaquHWnWnh3keQjm1gdE0eE5YLB/EZggczj5HiahTgd3IZ/oUd8a2bGo+VToTRimOczz8je4WN3+4px2KXRs+qgaTUTUZ/m1AT90PewOKVhHfWEZKmU9063xqBjtytMyFQxZkFvQqwZNmDYmkWMrqdkC2u5/yjm1Dc1OUEy6ImnxuStCB4j+8B7gXPBg+x/nSbY8vjhbnyhmXQ37m54rFN3Jqgr0XMg5c9h2eMs2oMw/1nGFxZqzxa9VdjsG4sPcfEAECmjgnqaKVY/d7tUoXEKYQWVcoetL5zQxo4Vg9BTFaIO+npwW0Dmc5ED0ShqfKVdUkN+jx5sm16Ik6SR+xvpgh8g4YmA5GmlhLUZuSPn7jTLYmt+1e9ZpvQnNRrSW9hzmpW5FCA2i7hr83x9NmW2S7iPQ979to+i1Ak8f8B1s95bJcgkzEv9kHyd+a6kroM2AXXq0Ra2xXSNYryAS+TESYs7VPzsXeGXzmcRYIwEPqA8Kh3/8b6oNdNzY1+PHavk9Op6jTWnlsGOnRMi1WzC4nFDa9V5lvEFtBT4c1dhNnUVuecBy7yeo2LopYsY6+7rKlWFHCSfC4srZtv7CIRIO6zNAao+Cl6g9O5d+1Yu4/fI9XJMMMqJZZBUl7TGwgGTZhoWol9H5ppgShrV6nYbq2Ekyw2y0I8f96NGRrzeX9AiApoCM/qfC42NP3zEvewdgtzPlo8O0izf76R8ggc/c1rcaQwnMB1FHfPIYup10oVTJvoH2mHSVRCrCuKRQqqB/uCVIglgDjA/jnK68+yoUBD+pwOy3xiyVkQBTmxpnGURMzqXxTypP2YOXHFISnuyTElr7JRNoaK7Oep2hhiXO+jlKEXHe3jeWOKlOW8gpPKKd2rxBrrX+IeaJx7EWKdxkCbackd7cpaeRLVQV8WCUIb91HeMUqz1DEALky+lsfXOr5VwaiikRcJzrlwJkIarNSoM2644Qf5Gy
o87z3kmnHyHTqKerC5VrRSgEcH2Z3Ag4Skdf5qMnYC3jm90jp2hhZzq4pMcgGhambiUb1 serviceAccount: some-sa \ No newline at end of file From d52a1263f02188e155fc9ac949d7c57b0f085b02 Mon Sep 17 00:00:00 2001 From: omerlh Date: Wed, 10 Jul 2019 11:14:51 +0300 Subject: [PATCH 02/44] documentaion --- site/content/docs/user/crd.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/site/content/docs/user/crd.md b/site/content/docs/user/crd.md index 1d604e606..a1b12b0a0 100644 --- a/site/content/docs/user/crd.md +++ b/site/content/docs/user/crd.md @@ -49,6 +49,25 @@ default-token-m6whl kubernetes.io/service-account-token my-tls-secret TlsSecret 1 5s ``` +## Binary data support +In case you need to create secret that contains binary data (e.g. private keys), you can use the same flow. +Encrypt the data (after encoding it using base64 encoding), and create KamusSecret in the following format: + +``` +apiVersion: "soluto.com/v1alpha1" +kind: KamusSecret +metadata: + name: my-tls-secret //This will be the name of the secret + namespace: default //The secret and KamusSecret live in this namespace +type: TlsSecret //The type of the secret that will be created +binaryData: //Put here all the encrypted data, that will be stored (decrypted) on the secret data + key: J9NYLzTC/O44DvlCEZ+LfQ==:Cc9O5zQzFOyxwTD5ZHseqg== +serviceAccount: some-sa //The service account used for encrypting the data +``` + +You can have both `data` and `binaryData` in the same KamusSecret object, the created secret will contain both. +Just ensure that the keys are uniques - you cannot have the same key in `data` and `binaryData`. + ## Known limitation This is the alpha release of this feature, so not all functionality is supported. The current known issues: From d5ef1b85c73a41fe087a6dea6c2745c398fe83f1 Mon Sep 17 00:00:00 2001 
From: omerlh Date: Wed, 10 Jul 2019 11:25:57 +0300 Subject: [PATCH 03/44] fix the tests --- tests/crd-controller/FlowTest.cs | 2 +- tests/crd-controller/key.crt | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/crd-controller/FlowTest.cs b/tests/crd-controller/FlowTest.cs index 55ce175bb..91aacee4d 100644 --- a/tests/crd-controller/FlowTest.cs +++ b/tests/crd-controller/FlowTest.cs @@ -50,7 +50,7 @@ public async Task CreateKamusSecret_SecretCreated() Assert.Equal("TlsSecret", v1Secret.Type); Assert.True(v1Secret.Data.ContainsKey("key")); Assert.True(v1Secret.Data.ContainsKey("key3")); - Assert.Equal(File.ReadAllText("key.crt"), Encoding.UTF8.GetString(v1Secret.Data["key"])); + Assert.Equal(File.ReadAllText("key.crt"), Encoding.UTF8.GetString(v1Secret.Data["key3"])); } [Fact] diff --git a/tests/crd-controller/key.crt b/tests/crd-controller/key.crt index e69de29bb..494151126 100644 --- a/tests/crd-controller/key.crt +++ b/tests/crd-controller/key.crt @@ -0,0 +1 @@ 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 \ No newline at end of file From acc14a5af25942e105d24ee7236a2e127a53d066 Mon Sep 17 00:00:00 2001 From: omerlh Date: Wed, 10 Jul 2019 11:38:05 +0300 Subject: [PATCH 04/44] fix the tests build --- tests/crd-controller/key.crt | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/tests/crd-controller/key.crt b/tests/crd-controller/key.crt index 494151126..e55b2de40 100644 --- a/tests/crd-controller/key.crt +++ b/tests/crd-controller/key.crt 
@@ -1 +1,18 @@ -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 \ No newline at end of file +-----BEGIN CERTIFICATE----- +MIIC6zCCAdOgAwIBAgIJALnL4xBfnySQMA0GCSqGSIb3DQEBBQUAMBcxFTATBgNV +BAMMDGFkbWlzc2lvbl9jYTAgFw0xOTA2MzAwNTQwMzZaGA8yMjkzMDQxNDA1NDAz +NlowFjEUMBIGA1UEAwwLb3BhLm9wYS5zdmMwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQC/ucD4yn/2gkHAtSG/sC/jpkMZj4+YFr4tA7sqFnHAiT4feZA5 +iwGimn0CpTBHzsqSSCPfQ3VlQYQV8dZbhFl651N9Hn72CnvWuywGHPhnA4vhNfzj +XkzVzc234xx4nUUSdo+3wj5L1o8+oR7jFneAsoXdU95kpG0HGdCXl1HC/7coTQYz +k8irqiIGfiQkTWwmwCyC8pn7yaxoGUfo8WV5xNilUh71acK6EEsJlBp4FWVlHzmv +jIctEJbP4utXA2wHrRyqZc6biEUyz3naoQTReGN1bi6F4MAUx+9R3GuxI3/TwbPt +X2W9hxuuCqrc+87GJg2C/xwb5tsEob7FcaanAgMBAAGjOTA3MAkGA1UdEwQCMAAw +CwYDVR0PBAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATANBgkq +hkiG9w0BAQUFAAOCAQEAVHUE6VvsYfwInjdmgpqZyaMGSCMzsoInD+MWZ27O5P4T +CMjMmBhQpUXDaSRXKp/8mZTMsSyD01XtJ86JaLITpisURtdsTjCB07BdQUvpTP7Y ++YFLGjHZVcrJiqwFYlNYEZVc2gFOLUPzxXubiVnGS80kHCbkKQNmQp1eXxR0dqbV ++o5ZOe+3jQ8Io2uO9meBpZ/A3FAjm8lvAZgitgNF9DFlBf2hGlP2wRmDajHuDolY +H8DZkwnoxi8XFoBgzIw1xPgdUH79xq577lILpejKeGiVc3ypaaBTGCWLIG23ukjJ +HytqWPs1PUFoq8itn90epbiqKs8K5NhlVa5Id3MYsA== +-----END CERTIFICATE----- \ No newline at end of file From 3a6c748eadfed1a90ba39847363eb569dff837e5 Mon Sep 17 00:00:00 2001 From: omerlh Date: Wed, 10 Jul 2019 11:48:26 +0300 Subject: [PATCH 05/44] try to fix the test --- tests/crd-controller/key.crt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/crd-controller/key.crt b/tests/crd-controller/key.crt index e55b2de40..6215efba4 100644 --- a/tests/crd-controller/key.crt +++ b/tests/crd-controller/key.crt @@ -15,4 +15,4 @@ CMjMmBhQpUXDaSRXKp/8mZTMsSyD01XtJ86JaLITpisURtdsTjCB07BdQUvpTP7Y +o5ZOe+3jQ8Io2uO9meBpZ/A3FAjm8lvAZgitgNF9DFlBf2hGlP2wRmDajHuDolY H8DZkwnoxi8XFoBgzIw1xPgdUH79xq577lILpejKeGiVc3ypaaBTGCWLIG23ukjJ HytqWPs1PUFoq8itn90epbiqKs8K5NhlVa5Id3MYsA== ------END CERTIFICATE----- \ No newline at end of file +-----END CERTIFICATE----- 
From 9a7a9f72a6c289d1a5b560f2d6532a7bf774478c Mon Sep 17 00:00:00 2001 From: omerlh Date: Wed, 10 Jul 2019 12:58:17 +0300 Subject: [PATCH 06/44] fix the tests --- .../HostedServices/V1AlphaController.cs | 72 ++++++++++--------- 1 file changed, 37 insertions(+), 35 deletions(-) diff --git a/src/crd-controller/HostedServices/V1AlphaController.cs b/src/crd-controller/HostedServices/V1AlphaController.cs index 947240b0d..19ede9238 100644 --- a/src/crd-controller/HostedServices/V1AlphaController.cs +++ b/src/crd-controller/HostedServices/V1AlphaController.cs @@ -1,5 +1,6 @@ using System; using System.Collections.Generic; +using System.Linq; using System.Reactive.Linq; using System.Threading; using System.Threading.Tasks; @@ -9,7 +10,6 @@ using Kamus.KeyManagement; using CustomResourceDescriptorController.Extensions; using Microsoft.AspNetCore.JsonPatch; -using Microsoft.CodeAnalysis; using Microsoft.Extensions.Hosting; using Serilog; 
@@ -125,54 +125,25 @@ private async Task CreateSecret(KamusSecret kamusSecret) var serviceAccount = kamusSecret.ServiceAccount; var id = $"{@namespace}:{serviceAccount}"; - var decryptedStrings = new Dictionary(); - var decryptedBinaries = new Dictionary(); + mLogger.Debug("Starting decrypting KamusSecret items. KamusSecret {name} in namespace {namespace}", kamusSecret.Metadata.Name, @namespace); - foreach (var (key, value) in kamusSecret.Data) - { - try - { - var decrypted = await mKeyManagement.Decrypt(value, id); - - decryptedStrings.Add(key, decrypted); - } - catch (Exception e) - { - mLogger.Error(e, + Action errorHandler = (e, key) => mLogger.Error(e, "Failed to decrypt KamusSecret key {key}. KamusSecret {name} in namespace {namespace}", key, kamusSecret.Metadata.Name, @namespace); - } - } - - foreach (var (key, value) in kamusSecret.BinaryData) - { - try - { - var decrypted = await mKeyManagement.Decrypt(value, id); - - decryptedBinaries.Add(key, Convert.FromBase64String(decrypted)); - } - catch (Exception e) - { - mLogger.Error(e, - "Failed to decrypt KamusSecret key {key}. KamusSecret {name} in namespace {namespace}", - key, - kamusSecret.Metadata.Name, - @namespace); - } - } + + var decryptedStrings = await DecryptItems(kamusSecret.Data, id, errorHandler, x => x); + var decryptedBinaries = await DecryptItems(kamusSecret.BinaryData, id, errorHandler, Convert.FromBase64String); mLogger.Debug("KamusSecret items decrypted successfully. KamusSecret {name} in namespace {namespace}", kamusSecret.Metadata.Name, @namespace); - return new V1Secret { Metadata = new V1ObjectMeta 
@@ -186,6 +157,37 @@ private async Task CreateSecret(KamusSecret kamusSecret) }; } + private async Task> DecryptItems( + Dictionary source, + string serviceAccountId, + Action errorHandler, + Func mapper) + { + var result = new Dictionary(); + + if (source == null) + { + return result; + } + + foreach (var (key, value) in source) + { + try + { + var decrypted = await mKeyManagement.Decrypt(value, serviceAccountId); + + result.Add(key, mapper(decrypted)); + } + catch (Exception e) + { + errorHandler(e, key); + } + } + + return result; + } + + private async Task HandleAdd(KamusSecret kamusSecret, bool isUpdate = false) { var secret = await CreateSecret(kamusSecret); From eb7ef35f67eb9f50ab9b23e6210542f09234917d Mon Sep 17 00:00:00 2001 From: omerlh Date: Sun, 14 Jul 2019 21:57:22 +0300 Subject: [PATCH 07/44] rename to encodedData --- site/content/docs/user/crd.md | 6 +++--- src/crd-controller/HostedServices/V1AlphaController.cs | 2 +- src/crd-controller/Models/KamusSecret.cs | 2 +- tests/crd-controller/tls-KamusSecret.yaml | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/site/content/docs/user/crd.md b/site/content/docs/user/crd.md index a1b12b0a0..603836b2c 100644 --- a/site/content/docs/user/crd.md +++ b/site/content/docs/user/crd.md 
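Review bot: `DecryptItems` drops every key whose `Decrypt` or `mapper` call throws — `errorHandler(e, key)` is invoked and the loop simply continues — and `CreateSecret` then creates the Secret from whatever subset survived, so a single undecryptable or non-base64 item yields a partial Secret with nothing but a log line to show for it. That contract deserves an XML doc comment on the method, roughly: `/// <summary>Decrypts each value of <paramref name="source"/> for <paramref name="serviceAccountId"/> and applies <paramref name="mapper"/>; a null source yields an empty dictionary, and keys whose decryption or mapping throws are reported through <paramref name="errorHandler"/> and omitted from the result.</summary>`. If partial Secrets are not intended, returning the failed keys (or a count) alongside the result would let CreateSecret refuse to create one. The same body is moved verbatim into `KeyManagementExtensions.DecryptItems` in PATCH 08, where this note applies equally.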
@@ -60,13 +60,13 @@ metadata: name: my-tls-secret //This will be the name of the secret namespace: default //The secret and KamusSecret live in this namespace type: TlsSecret //The type of the secret that will be created -binaryData: //Put here all the encrypted data, that will be stored (decrypted) on the secret data +encodedData: //Put here all the encrypted data, that will be stored (decrypted) on the secret data. The encrypt data has to be base64 encoded. key: J9NYLzTC/O44DvlCEZ+LfQ==:Cc9O5zQzFOyxwTD5ZHseqg== serviceAccount: some-sa //The service account used for encrypting the data ``` -You can have both `data` and `binaryData` in the same KamusSecret object, the created secret will contain both. -Just ensure that the keys are uniques - you cannot have the same key in `data` and `binaryData`. +You can have both `data` and `encodedData` in the same KamusSecret object, the created secret will contain both. +Just ensure that the keys are uniques - you cannot have the same key in `data` and `encodedData`. ## Known limitation This is the alpha release of this feature, so not all functionality is supported. diff --git a/src/crd-controller/HostedServices/V1AlphaController.cs b/src/crd-controller/HostedServices/V1AlphaController.cs index 19ede9238..cf2bedaf7 100644 --- a/src/crd-controller/HostedServices/V1AlphaController.cs +++ b/src/crd-controller/HostedServices/V1AlphaController.cs @@ -138,7 +138,7 @@ private async Task CreateSecret(KamusSecret kamusSecret) @namespace); var decryptedStrings = await DecryptItems(kamusSecret.Data, id, errorHandler, x => x); - var decryptedBinaries = await DecryptItems(kamusSecret.BinaryData, id, errorHandler, Convert.FromBase64String); + var decryptedBinaries = await DecryptItems(kamusSecret.EncodedData, id, errorHandler, Convert.FromBase64String); mLogger.Debug("KamusSecret items decrypted successfully. KamusSecret {name} in namespace {namespace}", kamusSecret.Metadata.Name, 
diff --git a/src/crd-controller/Models/KamusSecret.cs b/src/crd-controller/Models/KamusSecret.cs index 5d4d360b4..26c10dfb5 100644 --- a/src/crd-controller/Models/KamusSecret.cs +++ b/src/crd-controller/Models/KamusSecret.cs @@ -7,7 +7,7 @@ namespace CustomResourceDescriptorController.Models public class KamusSecret : KubernetesObject { public Dictionary Data { get; set; } - public Dictionary BinaryData { get; set; } + public Dictionary EncodedData { get; set; } public string Type { get; set; } public V1ObjectMeta Metadata { get; set; } public string ServiceAccount { get; set; } diff --git a/tests/crd-controller/tls-KamusSecret.yaml b/tests/crd-controller/tls-KamusSecret.yaml index cfa02a676..4c705595f 100644 --- a/tests/crd-controller/tls-KamusSecret.yaml +++ b/tests/crd-controller/tls-KamusSecret.yaml @@ -5,6 +5,6 @@ metadata: type: TlsSecret data: key: J9NYLzTC/O44DvlCEZ+LfQ==:Cc9O5zQzFOyxwTD5ZHseqg== -binaryData: +encodedData: key3: 5SRnC8HJ6gJEOCpgby3ZSQ==: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 serviceAccount: some-sa \ No newline at end of file From 88579090b931d9cceae63231dca5f65827451c55 Mon Sep 17 00:00:00 2001 
From: omerlh Date: Wed, 24 Jul 2019 21:36:27 +0300 Subject: [PATCH 08/44] refactor - add v1alpha2 which is compatible with k8s secrets --- .../HostedServices/V1Alpha1Controller.cs | 178 ++++++++++++++++++ ...phaController.cs => V1Alpha2Controller.cs} | 74 ++------ .../Models/{ => V1Alpha1}/KamusSecret.cs | 2 +- .../Models/V1Alpha2/KamusSecret.cs | 17 ++ src/crd-controller/Startup.cs | 3 +- src/crd-controller/crd-controller.csproj | 2 + .../utils/KeyManagementExtensions.cs | 42 +++++ .../utils/KubernetesExtensions.cs | 39 ++++ tests/crd-controller/FlowTest.cs | 52 ++++- tests/crd-controller/crd.yaml | 10 +- .../tls-KamusSecretV1Alpha2.yaml | 10 + .../updated-tls-KamusSecretV1Alpha2.yaml | 8 + "tests/crd-controller/\302\247.yaml" | 8 + 13 files changed, 373 insertions(+), 72 deletions(-) create mode 100644 src/crd-controller/HostedServices/V1Alpha1Controller.cs rename src/crd-controller/HostedServices/{V1AlphaController.cs => V1Alpha2Controller.cs} (72%) rename src/crd-controller/Models/{ => V1Alpha1}/KamusSecret.cs (88%) create mode 100644 src/crd-controller/Models/V1Alpha2/KamusSecret.cs create mode 100644 src/crd-controller/utils/KeyManagementExtensions.cs create mode 100644 src/crd-controller/utils/KubernetesExtensions.cs create mode 100644 tests/crd-controller/tls-KamusSecretV1Alpha2.yaml create mode 100644 tests/crd-controller/updated-tls-KamusSecretV1Alpha2.yaml create mode 100644 "tests/crd-controller/\302\247.yaml" diff --git a/src/crd-controller/HostedServices/V1Alpha1Controller.cs b/src/crd-controller/HostedServices/V1Alpha1Controller.cs new file mode 100644 index 000000000..7fa68f3b0 --- /dev/null +++ b/src/crd-controller/HostedServices/V1Alpha1Controller.cs 
@@ -0,0 +1,178 @@ +using System; +using System.Collections.Generic; +using System.Linq; +using System.Reactive.Linq; +using System.Threading; +using System.Threading.Tasks; +using CustomResourceDescriptorController.Models.V1Alpha1; +using k8s; +using k8s.Models; +using Kamus.KeyManagement; +using CustomResourceDescriptorController.Extensions; +using Microsoft.AspNetCore.JsonPatch; +using Microsoft.Extensions.Hosting; +using Serilog; +using CustomResourceDescriptorController.utils; + +namespace CustomResourceDescriptorController.HostedServices +{ + public class V1Alpha1Controller : IHostedService + { + private readonly IKubernetes mKubernetes; + private readonly IKeyManagement mKeyManagement; + private IDisposable mSubscription; + private readonly ILogger mAuditLogger = Log.ForContext().AsAudit(); + private readonly ILogger mLogger = Log.ForContext(); + + public V1Alpha1Controller(IKubernetes kubernetes, IKeyManagement keyManagement) + { + this.mKubernetes = kubernetes; + this.mKeyManagement = keyManagement; + } + + public Task StopAsync(CancellationToken cancellationToken) + { + mSubscription.Dispose(); + return Task.CompletedTask; + } + + public Task StartAsync(CancellationToken token) + { + mSubscription = + mKubernetes.ObserveClusterCustomObject( + "soluto.com", + "v1alpha1", + "kamussecrets", + token) + .SelectMany(x => + Observable.FromAsync(async () => await HandleEvent(x.Item1, x.Item2)) + ) + .Subscribe( + onNext: t => { }, + onError: e => + { + mLogger.Error(e, "Unexpected error occured while watching KamusSecret events"); + Environment.Exit(1); + }, + onCompleted: () => + { + mLogger.Information("Watching KamusSecret events completed, terminating process"); + Environment.Exit(0); + }); + + mLogger.Information("Starting watch for KamusSecret V1Alpha1 events"); + + return Task.CompletedTask; + } + + private async Task HandleEvent(WatchEventType @event, KamusSecret kamusSecret) + { + try + { + mLogger.Information("Handling event of type {type}. 
KamusSecret {name} in namespace {namespace}", + @event.ToString(), + kamusSecret.Metadata.Name, + kamusSecret.Metadata.NamespaceProperty ?? "default"); + + switch (@event) + { + case WatchEventType.Added: + await HandleAdd(kamusSecret); + return; + + case WatchEventType.Deleted: + await HandleDelete(kamusSecret); + return; + + case WatchEventType.Modified: + await HandleModify(kamusSecret); + return; + default: + mLogger.Warning( + "Event of type {type} is not supported. KamusSecret {name} in namespace {namespace}", + @event.ToString(), + kamusSecret.Metadata.Name, + kamusSecret.Metadata.NamespaceProperty ?? "default"); + return; + + } + } + catch (Exception e) + { + mLogger.Error(e, + "Error while handling KamusSecret event of type {eventType}, for KamusSecret {name} on namespace {namespace}", + @event.ToString(), + kamusSecret.Metadata.Name, + kamusSecret.Metadata.NamespaceProperty ?? "default"); + } + } + + private async Task CreateSecret(KamusSecret kamusSecret) + { + var @namespace = kamusSecret.Metadata.NamespaceProperty ?? "default"; + var serviceAccount = kamusSecret.ServiceAccount; + var id = $"{@namespace}:{serviceAccount}"; + + mLogger.Debug("Starting decrypting KamusSecret items. KamusSecret {name} in namespace {namespace}", + kamusSecret.Metadata.Name, + @namespace); + + Action errorHandler = (e, key) => mLogger.Error(e, + "Failed to decrypt KamusSecret key {key}. KamusSecret {name} in namespace {namespace}", + key, + kamusSecret.Metadata.Name, + @namespace); + + var decryptedStrings = await mKeyManagement.DecryptItems(kamusSecret.Data, id, errorHandler, x => x); + + mLogger.Debug("KamusSecret items decrypted successfully. 
KamusSecret {name} in namespace {namespace}", + kamusSecret.Metadata.Name, + @namespace); + + return new V1Secret + { + Metadata = new V1ObjectMeta + { + Name = kamusSecret.Metadata.Name, + NamespaceProperty = @namespace + }, + Type = kamusSecret.Type, + StringData = decryptedStrings + }; + } + + private async Task HandleAdd(KamusSecret kamusSecret, bool isUpdate = false) + { + var secret = await CreateSecret(kamusSecret); + var createdSecret = + await mKubernetes.CreateNamespacedSecretAsync(secret, secret.Metadata.NamespaceProperty); + + mAuditLogger.Information("Created a secret from KamusSecret {name} in namespace {namespace} successfully.", + kamusSecret.Metadata.Name, + secret.Metadata.NamespaceProperty); + } + + private async Task HandleModify(KamusSecret kamusSecret) + { + var secret = await CreateSecret(kamusSecret); + var secretPatch = new JsonPatchDocument(); + secretPatch.Replace(e => e.StringData, secret.StringData); + var createdSecret = await mKubernetes.PatchNamespacedSecretAsync( + new V1Patch(secretPatch), + kamusSecret.Metadata.Name, + secret.Metadata.NamespaceProperty + ); + + mAuditLogger.Information("Updated a secret from KamusSecret {name} in namespace {namespace} successfully.", + kamusSecret.Metadata.Name, + secret.Metadata.NamespaceProperty); + } + + private async Task HandleDelete(KamusSecret kamusSecret) + { + var @namespace = kamusSecret.Metadata.NamespaceProperty ?? "default"; + + await mKubernetes.DeleteNamespacedSecretAsync(kamusSecret.Metadata.Name, @namespace); + } + } +} diff --git a/src/crd-controller/HostedServices/V1AlphaController.cs b/src/crd-controller/HostedServices/V1Alpha2Controller.cs similarity index 72% rename from src/crd-controller/HostedServices/V1AlphaController.cs rename to src/crd-controller/HostedServices/V1Alpha2Controller.cs index cf2bedaf7..3c41716e2 100644 --- a/src/crd-controller/HostedServices/V1AlphaController.cs +++ b/src/crd-controller/HostedServices/V1Alpha2Controller.cs 
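Review bot: `HandleDelete` deletes whichever Secret carries the KamusSecret's name in that namespace, and `HandleAdd`/`HandleModify` create and patch by name alone, while the `V1ObjectMeta` built in `CreateSecret` carries only `Name` and `NamespaceProperty` — nothing ties the Secret to the KamusSecret that produced it. A KamusSecret whose name collides with a pre-existing, unrelated Secret would therefore have that Secret patched on Modified and removed on Deleted. Setting `OwnerReferences` (or at least a label) on the created Secret in `CreateSecret`, and checking it before patching or deleting, lets the controller act only on Secrets it owns and lets Kubernetes garbage-collect them when the KamusSecret goes away. Two smaller points in the same file: `StopAsync` calls `mSubscription.Dispose()` without a null check (`mSubscription?.Dispose();`), so stopping a service whose `StartAsync` never ran throws, and the `isUpdate` parameter of `HandleAdd` and both `createdSecret` locals are unused.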
@@ -4,7 +4,7 @@ using System.Reactive.Linq; using System.Threading; using System.Threading.Tasks; -using CustomResourceDescriptorController.Models; +using CustomResourceDescriptorController.Models.V1Alpha1; using k8s; using k8s.Models; using Kamus.KeyManagement; @@ -12,10 +12,11 @@ using Microsoft.AspNetCore.JsonPatch; using Microsoft.Extensions.Hosting; using Serilog; +using CustomResourceDescriptorController.utils; namespace CustomResourceDescriptorController.HostedServices { - public class V1AlphaController : IHostedService + public class V1Alpha2Controller : IHostedService { private readonly IKubernetes mKubernetes; private readonly IKeyManagement mKeyManagement; @@ -23,7 +24,7 @@ public class V1AlphaController : IHostedService private readonly ILogger mAuditLogger = Log.ForContext().AsAudit(); private readonly ILogger mLogger = Log.ForContext(); - public V1AlphaController(IKubernetes kubernetes, IKeyManagement keyManagement) + public V1Alpha2Controller(IKubernetes kubernetes, IKeyManagement keyManagement) { this.mKubernetes = kubernetes; this.mKeyManagement = keyManagement; 
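Review bot: The renamed V1Alpha2Controller now imports `CustomResourceDescriptorController.Models.V1Alpha1`, yet the `CreateSecret` hunk later in this file reads `kamusSecret.StringData`, a property that only the new `Models.V1Alpha2.KamusSecret` declares (the V1Alpha1 model hunk in this commit changes nothing but its namespace), so this looks like it either fails to compile or binds the v1alpha2 watcher to the v1alpha1 model; the directive should presumably be `using CustomResourceDescriptorController.Models.V1Alpha2;`. The file's remaining usings and the `KamusSecret` type references are outside this hunk, so this cannot be confirmed from the hunk alone.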
@@ -37,25 +38,11 @@ public Task StopAsync(CancellationToken cancellationToken) public Task StartAsync(CancellationToken token) { - mSubscription = Observable.FromAsync(async () => - { - var result = await mKubernetes.ListClusterCustomObjectWithHttpMessagesAsync( - "soluto.com", - "v1alpha1", - "kamussecrets", - watch: true, - timeoutSeconds: (int) TimeSpan.FromMinutes(60).TotalSeconds, cancellationToken: token); - var subject = new System.Reactive.Subjects.Subject<(WatchEventType, KamusSecret)>(); - - var watcher = result.Watch( - onEvent: (@type, @event) => subject.OnNext((@type, @event)), - onError: e => subject.OnError(e), - onClosed: () => subject.OnCompleted()); - return subject; - }) - .SelectMany(x => x) - .Select(t => (t.Item1, t.Item2 as KamusSecret)) - .Where(t => t.Item2 != null) + mSubscription = mKubernetes.ObserveClusterCustomObject( + "soluto.com", + "v2alpha1", + "kamussecrets", + token) .SelectMany(x => Observable.FromAsync(async () => await HandleEvent(x.Item1, x.Item2)) ) @@ -72,7 +59,7 @@ public Task StartAsync(CancellationToken token) Environment.Exit(0); }); - mLogger.Information("Starting watch for KamusSecret V1Alpha events"); + mLogger.Information("Starting watch for KamusSecret V1Alpha2 events"); return Task.CompletedTask; } @@ -125,8 +112,6 @@ private async Task CreateSecret(KamusSecret kamusSecret) var serviceAccount = kamusSecret.ServiceAccount; var id = $"{@namespace}:{serviceAccount}"; - - mLogger.Debug("Starting decrypting KamusSecret items. KamusSecret {name} in namespace {namespace}", kamusSecret.Metadata.Name, @namespace); 
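Review bot: `ObserveClusterCustomObject("soluto.com", "v2alpha1", "kamussecrets", token)` passes the version string `"v2alpha1"`, while the class name, the log line in the next hunk (`V1Alpha2 events`) and the new model namespace all say v1alpha2; unless the CRD in `tests/crd-controller/crd.yaml` (changed in this commit but not visible here) really defines `v2alpha1`, this is a transposed version name and the controller would watch a version that does not exist. Note too that the `ObserveClusterCustomObject` helper added in `utils/KubernetesExtensions.cs` ignores its `version` argument in this commit, so the typo is masked until that helper is fixed. StartAsync continues outside the hunk.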
@@ -137,8 +122,8 @@ private async Task CreateSecret(KamusSecret kamusSecret) kamusSecret.Metadata.Name, @namespace); - var decryptedStrings = await DecryptItems(kamusSecret.Data, id, errorHandler, x => x); - var decryptedBinaries = await DecryptItems(kamusSecret.EncodedData, id, errorHandler, Convert.FromBase64String); + var decryptedData = await mKeyManagement.DecryptItems(kamusSecret.Data, id, errorHandler, Convert.FromBase64String); + var decryptedStringData = await mKeyManagement.DecryptItems(kamusSecret.StringData, id, errorHandler, x => x); mLogger.Debug("KamusSecret items decrypted successfully. KamusSecret {name} in namespace {namespace}", kamusSecret.Metadata.Name, @@ -152,42 +137,11 @@ private async Task CreateSecret(KamusSecret kamusSecret) NamespaceProperty = @namespace }, Type = kamusSecret.Type, - StringData = decryptedStrings, - Data = decryptedBinaries + StringData = decryptedStringData, + Data = decryptedData }; } - private async Task> DecryptItems( - Dictionary source, - string serviceAccountId, - Action errorHandler, - Func mapper) - { - var result = new Dictionary(); - - if (source == null) - { - return result; - } - - foreach (var (key, value) in source) - { - try - { - var decrypted = await mKeyManagement.Decrypt(value, serviceAccountId); - - result.Add(key, mapper(decrypted)); - } - catch (Exception e) - { - errorHandler(e, key); - } - } - - return result; - } - - private async Task HandleAdd(KamusSecret kamusSecret, bool isUpdate = false) { var secret = await CreateSecret(kamusSecret); diff --git a/src/crd-controller/Models/KamusSecret.cs b/src/crd-controller/Models/V1Alpha1/KamusSecret.cs similarity index 88% rename from src/crd-controller/Models/KamusSecret.cs rename to src/crd-controller/Models/V1Alpha1/KamusSecret.cs index 26c10dfb5..bd57c8cf1 100644 --- a/src/crd-controller/Models/KamusSecret.cs +++ b/src/crd-controller/Models/V1Alpha1/KamusSecret.cs 
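Review bot: `Data = decryptedData` is now populated from `kamusSecret.Data` via `Convert.FromBase64String`, but `HandleModify` is outside this hunk and the V1Alpha1Controller copy added in this commit patches only `e => e.StringData`, so if the v1alpha2 version still does the same, a Modified event that changes a `data` entry leaves the Secret's `data` stale; it would need `secretPatch.Replace(e => e.Data, secret.Data);` alongside the existing replace. Since the v1alpha2 `data` values are documented nowhere in this commit, a comment on this line stating that the decrypted plaintext of each `data` item must itself be base64 (mirroring a native Kubernetes Secret) would help whoever writes the next fixture. CreateSecret's return statement and HandleAdd continue outside the hunk.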
@@ -2,7 +2,7 @@ using k8s; using k8s.Models; -namespace CustomResourceDescriptorController.Models +namespace CustomResourceDescriptorController.Models.V1Alpha1 { public class KamusSecret : KubernetesObject { diff --git a/src/crd-controller/Models/V1Alpha2/KamusSecret.cs b/src/crd-controller/Models/V1Alpha2/KamusSecret.cs new file mode 100644 index 000000000..348fd84d9 --- /dev/null +++ b/src/crd-controller/Models/V1Alpha2/KamusSecret.cs @@ -0,0 +1,17 @@ +using System.Collections.Generic; +using k8s; +using k8s.Models; + +namespace CustomResourceDescriptorController.Models.V1Alpha2 +{ + public class KamusSecret : KubernetesObject + { + public Dictionary Data { get; set; } + public Dictionary StringData { get; set; } + public string Type { get; set; } + public V1ObjectMeta Metadata { get; set; } + public string ServiceAccount { get; set; } + + public string Status { get; set; } + } +} diff --git a/src/crd-controller/Startup.cs b/src/crd-controller/Startup.cs index c0b720ea6..ee9c1f2a7 100644 --- a/src/crd-controller/Startup.cs +++ b/src/crd-controller/Startup.cs @@ -57,7 +57,8 @@ public void ConfigureServices (IServiceCollection services) { } ); - services.AddHostedService(); + services.AddHostedService(); + services.AddHostedService(); services.AddHealthChecks() .AddCheck("permisssions check"); diff --git a/src/crd-controller/crd-controller.csproj b/src/crd-controller/crd-controller.csproj index adc63ebdb..9f0b58f4d 100644 --- a/src/crd-controller/crd-controller.csproj +++ b/src/crd-controller/crd-controller.csproj @@ -15,6 +15,8 @@ + + diff --git a/src/crd-controller/utils/KeyManagementExtensions.cs b/src/crd-controller/utils/KeyManagementExtensions.cs new file mode 100644 index 000000000..e315d5250 --- /dev/null +++ b/src/crd-controller/utils/KeyManagementExtensions.cs 
@@ -0,0 +1,42 @@ +using System; +using System.Collections.Generic; +using System.Threading.Tasks; +using Kamus.KeyManagement; + +namespace CustomResourceDescriptorController.utils +{ + public static class KeyManagementExtensions + { + public async static Task> DecryptItems( + this IKeyManagement keyManagement, + Dictionary source, + string serviceAccountId, + Action errorHandler, + Func mapper) + { + var result = new Dictionary(); + + if (source == null) + { + return result; + } + + foreach (var (key, value) in source) + { + try + { + var decrypted = await keyManagement.Decrypt(value, serviceAccountId); + + result.Add(key, mapper(decrypted)); + } + catch (Exception e) + { + errorHandler(e, key); + } + } + + return result; + } + + } +} diff --git a/src/crd-controller/utils/KubernetesExtensions.cs b/src/crd-controller/utils/KubernetesExtensions.cs new file mode 100644 index 000000000..b95fe7c71 --- /dev/null +++ b/src/crd-controller/utils/KubernetesExtensions.cs 
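Review bot: `catch (Exception e)` in DecryptItems also swallows `OperationCanceledException`, so a cancelled or timed-out `Decrypt` call is reported through `errorHandler` as a per-key failure instead of propagating; an exception filter keeps cancellation visible: `catch (Exception e) when (!(e is OperationCanceledException))`. The method is async but takes no `CancellationToken` to forward to the key-management call, although the hosted services that call it receive one in `StartAsync`. Minor style: `public async static` should be `public static async`, and a `<summary>` stating that `mapper` runs on the decrypted plaintext and that failures are delegated to `errorHandler` rather than thrown would make the contract clear to callers.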
@@ -0,0 +1,39 @@ +using System; +using System.Reactive.Linq; +using System.Threading; +using k8s; + +namespace CustomResourceDescriptorController.utils +{ + public static class KubernetesExtensions + { + public static IObservable<(WatchEventType, TCRD)> ObserveClusterCustomObject( + this IKubernetes kubernetes, + string group, + string version, + string plural, + CancellationToken cancelationToken + ) where TCRD : class + { + return Observable.FromAsync(async () => + { + var result = await kubernetes.ListClusterCustomObjectWithHttpMessagesAsync( + "soluto.com", + "v1alpha1", + "kamussecrets", + watch: true, + timeoutSeconds: (int)TimeSpan.FromMinutes(60).TotalSeconds, cancellationToken: cancelationToken); + var subject = new System.Reactive.Subjects.Subject<(WatchEventType, TCRD)>(); + + var watcher = result.Watch( + onEvent: (@type, @event) => subject.OnNext((@type, @event)), + onError: e => subject.OnError(e), + onClosed: () => subject.OnCompleted()); + return subject; + }) + .SelectMany(x => x) + .Select(t => (t.Item1, t.Item2 as TCRD)) + .Where(t => t.Item2 != null) + } + } +} diff --git a/tests/crd-controller/FlowTest.cs b/tests/crd-controller/FlowTest.cs index 91aacee4d..852a2a9bf 100644 --- a/tests/crd-controller/FlowTest.cs +++ b/tests/crd-controller/FlowTest.cs @@ -22,7 +22,7 @@ public FlowTest(ITestOutputHelper testOutputHelper) } [Fact] - public async Task CreateKamusSecret_SecretCreated() + public async Task CreateKamusSecretV1Alpha1_SecretCreated() { Cleanup(); await DeployController(); 
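Review bot: The `group`, `version` and `plural` parameters are never used — `ListClusterCustomObjectWithHttpMessagesAsync` is called with the literals `"soluto.com"`, `"v1alpha1"`, `"kamussecrets"` — so the two hosted services registered in Startup will both watch the same v1alpha1 objects; the call should read `group, version, plural,`. The `watcher` returned by `result.Watch(...)` is assigned but never disposed, so disposing the subscription handed back to the controller does not close the underlying HTTP watch; building the sequence with `Observable.Create` and returning `Disposable.Create(watcher.Dispose)` as its teardown would tie the two lifetimes together. When the 60-minute server timeout or `onClosed` fires the subject completes and the observable ends, so the controller presumably stops receiving events until restarted — confirm against the subscription code and consider re-subscribing on completion. The statement ending in `.Where(t => t.Item2 != null)` is also missing its terminating `;`.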
@@ -44,6 +44,36 @@ public async Task CreateKamusSecret_SecretCreated() mTestOutputHelper.WriteLine("Waiting for secret creation"); + var (_, v1Secret) = await subject + .Where(t => t.Item1 == WatchEventType.Added && t.Item2.Metadata.Name == "my-tls-secret").Timeout(TimeSpan.FromSeconds(30)).FirstAsync(); + + Assert.Equal("TlsSecret", v1Secret.Type); + Assert.True(v1Secret.Data.ContainsKey("key")); + } + + [Fact] + public async Task CreateKamusSecretV1Alpha2_SecretCreated() + { + Cleanup(); + await DeployController(); + var kubernetes = new Kubernetes(KubernetesClientConfiguration.BuildDefaultConfig()); + + var result = await kubernetes.ListNamespacedSecretWithHttpMessagesAsync( + "default", + watch: true + ); + + var subject = new ReplaySubject<(WatchEventType, V1Secret)>(); + + result.Watch( + onEvent: (@type, @event) => subject.OnNext((@type, @event)), + onError: e => subject.OnError(e), + onClosed: () => subject.OnCompleted()); + + RunKubectlCommand("apply -f tls-KamusSecretV1Alpha2.yaml"); + + mTestOutputHelper.WriteLine("Waiting for secret creation"); + var (_, v1Secret) = await subject .Where(t => t.Item1 == WatchEventType.Added && t.Item2.Metadata.Name == "my-tls-secret").Timeout(TimeSpan.FromSeconds(30)).FirstAsync(); @@ -52,9 +82,11 @@ public async Task CreateKamusSecret_SecretCreated() Assert.True(v1Secret.Data.ContainsKey("key3")); Assert.Equal(File.ReadAllText("key.crt"), Encoding.UTF8.GetString(v1Secret.Data["key3"])); } - - [Fact] - public async Task UpdateKamusSecret_SecretUpdated() + + [Theory] + [InlineData("updated-tls-KamusSecret.yaml")] + [InlineData("updated-tls-KamusSecret-V1Alpha2.yaml")] + public async Task UpdateKamusSecret_SecretUpdated(string fileName) { Cleanup(); 
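Review bot: `[InlineData("updated-tls-KamusSecret-V1Alpha2.yaml")]` names a file that does not exist in this commit — the fixture added is `tests/crd-controller/updated-tls-KamusSecretV1Alpha2.yaml` — so the v1alpha2 case of UpdateKamusSecret_SecretUpdated will fail at the kubectl apply; the attribute should be `[InlineData("updated-tls-KamusSecretV1Alpha2.yaml")]`. The theory's body continues outside the hunk.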
@@ -77,7 +109,7 @@ public async Task UpdateKamusSecret_SecretUpdated() onError: e => subject.OnError(e), onClosed: () => subject.OnCompleted()); - RunKubectlCommand("apply -f updated-tls-KamusSecret.yaml"); + RunKubectlCommand($"apply -f ${fileName}"); mTestOutputHelper.WriteLine("Waiting for secret update"); @@ -90,15 +122,17 @@ public async Task UpdateKamusSecret_SecretUpdated() Assert.Equal("modified_hello", Encoding.UTF8.GetString(v1Secret.Data["key"])); } - [Fact] - public async Task DeleteKamusSecret_SecretDeleted() + [Theory] + [InlineData("tls-KamusSecret.yaml")] + [InlineData("tls-KamusSecretV1Alpha2.yaml")] + public async Task DeleteKamusSecret_SecretDeleted(string fileName) { Cleanup(); await DeployController(); RunKubectlCommand("apply -f tls-Secret.yaml"); - RunKubectlCommand("apply -f tls-KamusSecret.yaml"); + RunKubectlCommand($"apply -f ${fileName}"); var kubernetes = new Kubernetes(KubernetesClientConfiguration.BuildDefaultConfig()); @@ -114,7 +148,7 @@ public async Task DeleteKamusSecret_SecretDeleted() onError: e => subject.OnError(e), onClosed: () => subject.OnCompleted()); - RunKubectlCommand("delete -f tls-KamusSecret.yaml"); + RunKubectlCommand($"delete -f ${fileName}"); mTestOutputHelper.WriteLine("Waiting for secret deletion"); diff --git a/tests/crd-controller/crd.yaml b/tests/crd-controller/crd.yaml index a0939457d..4c11239f8 100644 --- a/tests/crd-controller/crd.yaml +++ b/tests/crd-controller/crd.yaml @@ -7,7 +7,15 @@ spec: # group name to use for REST API: /apis// group: soluto.com # version name to use for REST API: /apis// - version: v1alpha1 + versions: + - name: v1alpha1 + # Each version can be enabled/disabled by Served flag. + served: true + # One and only one version must be marked as the storage version. + storage: true + - name: v1alpha2 + served: true + storage: true # either Namespaced or Cluster scope: Namespaced names: 
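Review bot: `$"apply -f ${fileName}"` keeps a literal `$` in front of the file name (C# interpolation uses `{fileName}` alone), so kubectl is asked for `$updated-tls-KamusSecret.yaml`; the same slip is in the `apply` and `delete` lines of DeleteKamusSecret_SecretDeleted further down this file section. Each should read `RunKubectlCommand($"apply -f {fileName}");` and `RunKubectlCommand($"delete -f {fileName}");`.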
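Review bot: Both `v1alpha1` and `v1alpha2` are marked `storage: true`, which contradicts the comment added in the same hunk (`One and only one version must be marked as the storage version`), and the apiserver will reject the CRD. Keep `storage: true` on the version that is the storage format and set the other to `storage: false`.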
diff --git a/tests/crd-controller/tls-KamusSecretV1Alpha2.yaml b/tests/crd-controller/tls-KamusSecretV1Alpha2.yaml new file mode 100644 index 000000000..a2f0b9610 --- /dev/null +++ b/tests/crd-controller/tls-KamusSecretV1Alpha2.yaml @@ -0,0 +1,10 @@ +apiVersion: "soluto.com/v1alpha2" +kind: KamusSecret +metadata: + name: my-tls-secret +type: TlsSecret +stringData: + key: J9NYLzTC/O44DvlCEZ+LfQ==:Cc9O5zQzFOyxwTD5ZHseqg== +data: + key3: 5SRnC8HJ6gJEOCpgby3ZSQ==: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 +serviceAccount: some-sa \ No newline at end of file diff --git a/tests/crd-controller/updated-tls-KamusSecretV1Alpha2.yaml b/tests/crd-controller/updated-tls-KamusSecretV1Alpha2.yaml new file mode 100644 index 000000000..6fb00c53b --- /dev/null +++ b/tests/crd-controller/updated-tls-KamusSecretV1Alpha2.yaml @@ -0,0 +1,8 @@ +apiVersion: "soluto.com/v1alpha2" +kind: KamusSecret +metadata: + name: my-tls-secret +type: TlsSecret +data: + key: fX+zM9o709PGkitf0f7PNg==:1iLWChg0N5+SwysTXvLSCw== +serviceAccount: some-sa \ No newline at end of file diff --git "a/tests/crd-controller/\302\247.yaml" "b/tests/crd-controller/\302\247.yaml" new file mode 100644 index 000000000..602cf9422 --- /dev/null +++ "b/tests/crd-controller/\302\247.yaml" @@ -0,0 +1,8 @@ +apiVersion: "soluto.com/v1alpha1" +kind: KamusSecret +metadata: + name: my-tls-secret +type: TlsSecret +data: + key: fX+zM9o709PGkitf0f7PNg==:1iLWChg0N5+SwysTXvLSCw== +serviceAccount: some-sa \ No newline at end of file From 711f80513db3207e3329b910a4f83a89d5abb23e Mon Sep 17 00:00:00 2001 From: omerlh Date: Wed, 24 Jul 2019 21:46:02 +0300 Subject: [PATCH 09/44] update docs --- site/content/docs/user/crd.md | 32 +++++++++++++------------------- 1 file changed, 13 insertions(+), 19 deletions(-) diff --git a/site/content/docs/user/crd.md b/site/content/docs/user/crd.md index 603836b2c..424ac4a89 100644 --- a/site/content/docs/user/crd.md +++ b/site/content/docs/user/crd.md 
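Review bot: `tests/crd-controller/§.yaml` looks like an accidentally committed file: its content is the v1alpha1 counterpart of `updated-tls-KamusSecretV1Alpha2.yaml` under a name nothing visible references, and the non-ASCII name is what the diff renders as `\302\247.yaml`. If a v1alpha1 updated-secret fixture is wanted, give it a descriptive name and add it to the test csproj copy list; otherwise drop the file.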
@@ -14,6 +14,9 @@ Using KamusSecret allows to use Kamus with applications that requires native Kub ## Usage KamusSecret works very similary to regular secret encryption flow with Kamus. +The encrypted data is represented in a format that is identical to regular [Kubernetes Secrets]. +Kamus will create an identical secret with the decrypted content. + To encrypt the data, start by deciding to which namespace and which service account you're encrypting it. The service account does not have to exist or used by the pod consuming the secret. It just used for expressing who can consume this encrypted secret. @@ -27,14 +30,16 @@ kamus-cli encrypt ``` Now that you have the data encrypted, create a KamusSecret object, using the following manifest: ``` -apiVersion: "soluto.com/v1alpha1" +apiVersion: "soluto.com/v1alpha2" kind: KamusSecret metadata: name: my-tls-secret //This will be the name of the secret namespace: default //The secret and KamusSecret live in this namespace type: TlsSecret //The type of the secret that will be created -data: //Put here all the encrypted data, that will be stored (decrypted) on the secret data +stringData: //Put here all the encrypted data, that will be stored (decrypted) on the secret data key: J9NYLzTC/O44DvlCEZ+LfQ==:Cc9O5zQzFOyxwTD5ZHseqg== +data: //Put here base64 encoded data (usually, binary data like private keys in der format) + key2: J9NYLzTC/O44DvlCEZ+LfQ==:Cc9O5zQzFOyxwTD5ZHseqg== serviceAccount: some-sa //The service account used for encrypting the data ``` And finally, create the KamusSecret using: 
@@ -49,27 +54,16 @@ default-token-m6whl kubernetes.io/service-account-token my-tls-secret TlsSecret 1 5s ``` -## Binary data support -In case you need to create secret that contains binary data (e.g. private keys), you can use the same flow. -Encrypt the data (after encoding it using base64 encoding), and create KamusSecret in the following format: - -``` -apiVersion: "soluto.com/v1alpha1" -kind: KamusSecret -metadata: - name: my-tls-secret //This will be the name of the secret - namespace: default //The secret and KamusSecret live in this namespace -type: TlsSecret //The type of the secret that will be created -encodedData: //Put here all the encrypted data, that will be stored (decrypted) on the secret data. The encrypt data has to be base64 encoded. - key: J9NYLzTC/O44DvlCEZ+LfQ==:Cc9O5zQzFOyxwTD5ZHseqg== -serviceAccount: some-sa //The service account used for encrypting the data -``` +## Migrating from previous version +To migrate from `v1alpha1` to `v1alpha2` all you need to do is: -You can have both `data` and `encodedData` in the same KamusSecret object, the created secret will contain both. -Just ensure that the keys are uniques - you cannot have the same key in `data` and `encodedData`. +* Change the key `data` to `stringData` +* Change the `apiVersion` to `"soluto.com/v1alpha2"` ## Known limitation This is the alpha release of this feature, so not all functionality is supported. The current known issues: * There is no validation - so if you forgot to add mandatory keys to the KamusSecret objects, it will not be created properly. + +[kubernetes secrets]: (https://kubernetes.io/docs/concepts/configuration/secret/) From fd1dddee9205779f99cf3e97501aea8ec23c9a5a Mon Sep 17 00:00:00 2001 
From: omerlh Date: Wed, 24 Jul 2019 21:47:36 +0300 Subject: [PATCH 10/44] fix the build --- src/crd-controller/HostedServices/V1Alpha1Controller.cs | 5 ++--- src/crd-controller/HostedServices/V1Alpha2Controller.cs | 7 +++---- src/crd-controller/utils/KubernetesExtensions.cs | 2 +- 3 files changed, 6 insertions(+), 8 deletions(-) diff --git a/src/crd-controller/HostedServices/V1Alpha1Controller.cs b/src/crd-controller/HostedServices/V1Alpha1Controller.cs index 7fa68f3b0..d551e1c34 100644 --- a/src/crd-controller/HostedServices/V1Alpha1Controller.cs +++ b/src/crd-controller/HostedServices/V1Alpha1Controller.cs @@ -1,5 +1,4 @@ using System; -using System.Collections.Generic; using System.Linq; using System.Reactive.Linq; using System.Threading; @@ -21,8 +20,8 @@ public class V1Alpha1Controller : IHostedService private readonly IKubernetes mKubernetes; private readonly IKeyManagement mKeyManagement; private IDisposable mSubscription; - private readonly ILogger mAuditLogger = Log.ForContext().AsAudit(); - private readonly ILogger mLogger = Log.ForContext(); + private readonly ILogger mAuditLogger = Log.ForContext().AsAudit(); + private readonly ILogger mLogger = Log.ForContext(); public V1Alpha1Controller(IKubernetes kubernetes, IKeyManagement keyManagement) { diff --git a/src/crd-controller/HostedServices/V1Alpha2Controller.cs b/src/crd-controller/HostedServices/V1Alpha2Controller.cs index 3c41716e2..012011af9 100644 --- a/src/crd-controller/HostedServices/V1Alpha2Controller.cs +++ b/src/crd-controller/HostedServices/V1Alpha2Controller.cs @@ -1,10 +1,9 @@ using System; -using System.Collections.Generic; using System.Linq; using System.Reactive.Linq; using System.Threading; using System.Threading.Tasks; -using CustomResourceDescriptorController.Models.V1Alpha1; +using CustomResourceDescriptorController.Models.V1Alpha2; using k8s; using k8s.Models; using Kamus.KeyManagement; 
@@ -21,8 +20,8 @@ public class V1Alpha2Controller : IHostedService private readonly IKubernetes mKubernetes; private readonly IKeyManagement mKeyManagement; private IDisposable mSubscription; - private readonly ILogger mAuditLogger = Log.ForContext().AsAudit(); - private readonly ILogger mLogger = Log.ForContext(); + private readonly ILogger mAuditLogger = Log.ForContext().AsAudit(); + private readonly ILogger mLogger = Log.ForContext(); public V1Alpha2Controller(IKubernetes kubernetes, IKeyManagement keyManagement) { diff --git a/src/crd-controller/utils/KubernetesExtensions.cs b/src/crd-controller/utils/KubernetesExtensions.cs index b95fe7c71..409311d15 100644 --- a/src/crd-controller/utils/KubernetesExtensions.cs +++ b/src/crd-controller/utils/KubernetesExtensions.cs @@ -33,7 +33,7 @@ CancellationToken cancelationToken }) .SelectMany(x => x) .Select(t => (t.Item1, t.Item2 as TCRD)) - .Where(t => t.Item2 != null) + .Where(t => t.Item2 != null); } } } From 23479fa1aff8c398cc4f046c0c64ea94b53d7d3f Mon Sep 17 00:00:00 2001 From: omerlh Date: Thu, 25 Jul 2019 09:31:44 +0300 Subject: [PATCH 11/44] try to fix the tests --- tests/crd-controller/crd.yaml | 2 +- "tests/crd-controller/\302\247.yaml" | 8 -------- 2 files changed, 1 insertion(+), 9 deletions(-) delete mode 100644 "tests/crd-controller/\302\247.yaml" diff --git a/tests/crd-controller/crd.yaml b/tests/crd-controller/crd.yaml index 4c11239f8..7d49309a6 100644 --- a/tests/crd-controller/crd.yaml +++ b/tests/crd-controller/crd.yaml @@ -15,7 +15,7 @@ spec: storage: true - name: v1alpha2 served: true - storage: true + storage: false # either Namespaced or Cluster scope: Namespaced names: diff --git "a/tests/crd-controller/\302\247.yaml" "b/tests/crd-controller/\302\247.yaml" deleted file mode 100644 index 602cf9422..000000000 --- "a/tests/crd-controller/\302\247.yaml" +++ /dev/null 
@@ -1,8 +0,0 @@ -apiVersion: "soluto.com/v1alpha1" -kind: KamusSecret -metadata: - name: my-tls-secret -type: TlsSecret -data: - key: fX+zM9o709PGkitf0f7PNg==:1iLWChg0N5+SwysTXvLSCw== -serviceAccount: some-sa \ No newline at end of file From a78de1da52532a9eaae033f8ff40b94b13f4ef5d Mon Sep 17 00:00:00 2001 From: omerlh Date: Mon, 29 Jul 2019 14:38:55 +0300 Subject: [PATCH 12/44] fix the tests --- tests/crd-controller/FlowTest.cs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/crd-controller/FlowTest.cs b/tests/crd-controller/FlowTest.cs index 852a2a9bf..f5948f01b 100644 --- a/tests/crd-controller/FlowTest.cs +++ b/tests/crd-controller/FlowTest.cs @@ -109,7 +109,7 @@ public async Task UpdateKamusSecret_SecretUpdated(string fileName) onError: e => subject.OnError(e), onClosed: () => subject.OnCompleted()); - RunKubectlCommand($"apply -f ${fileName}"); + RunKubectlCommand($"apply -f {fileName}"); mTestOutputHelper.WriteLine("Waiting for secret update"); @@ -132,7 +132,7 @@ public async Task DeleteKamusSecret_SecretDeleted(string fileName) await DeployController(); RunKubectlCommand("apply -f tls-Secret.yaml"); - RunKubectlCommand($"apply -f ${fileName}"); + RunKubectlCommand($"apply -f {fileName}"); var kubernetes = new Kubernetes(KubernetesClientConfiguration.BuildDefaultConfig()); @@ -148,7 +148,7 @@ public async Task DeleteKamusSecret_SecretDeleted(string fileName) onError: e => subject.OnError(e), onClosed: () => subject.OnCompleted()); - RunKubectlCommand($"delete -f ${fileName}"); + RunKubectlCommand($"delete -f {fileName}"); mTestOutputHelper.WriteLine("Waiting for secret deletion"); From 4a07f881a81dcb0083aa83dc2bdccb771eab03b3 Mon Sep 17 00:00:00 2001 From: omerlh Date: Thu, 1 Aug 2019 08:31:37 +0300 Subject: [PATCH 13/44] store only v2 --- tests/crd-controller/crd.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/tests/crd-controller/crd.yaml b/tests/crd-controller/crd.yaml index 7d49309a6..115365785 100644 --- a/tests/crd-controller/crd.yaml +++ b/tests/crd-controller/crd.yaml @@ -12,10 +12,10 @@ spec: # Each version can be enabled/disabled by Served flag. served: true # One and only one version must be marked as the storage version. - storage: true + storage: false - name: v1alpha2 served: true - storage: false + storage: true # either Namespaced or Cluster scope: Namespaced names: From 044f613eab01fee62b3173dca4c6b64c34d91d58 Mon Sep 17 00:00:00 2001 From: omerlh Date: Thu, 1 Aug 2019 08:34:00 +0300 Subject: [PATCH 14/44] try to fix the tests --- tests/crd-controller/FlowTest.cs | 2 +- tests/crd-controller/crd-controller.csproj | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/tests/crd-controller/FlowTest.cs b/tests/crd-controller/FlowTest.cs index f5948f01b..c56963ffd 100644 --- a/tests/crd-controller/FlowTest.cs +++ b/tests/crd-controller/FlowTest.cs @@ -85,7 +85,7 @@ public async Task CreateKamusSecretV1Alpha2_SecretCreated() [Theory] [InlineData("updated-tls-KamusSecret.yaml")] - [InlineData("updated-tls-KamusSecret-V1Alpha2.yaml")] + [InlineData("updated-tls-KamusSecretV1Alpha2.yaml")] public async Task UpdateKamusSecret_SecretUpdated(string fileName) { Cleanup(); diff --git a/tests/crd-controller/crd-controller.csproj b/tests/crd-controller/crd-controller.csproj index 250a9e29c..448d3b381 100644 --- a/tests/crd-controller/crd-controller.csproj +++ b/tests/crd-controller/crd-controller.csproj @@ -25,9 +25,15 @@ PreserveNewest + + PreserveNewest + PreserveNewest + + PreserveNewest + PreserveNewest From cf88bc409753720c695e0158813a46d1b48c46ba Mon Sep 17 00:00:00 2001 
From: omerlh Date: Sun, 4 Aug 2019 09:01:03 +0300 Subject: [PATCH 15/44] try to fix the tests --- src/crd-controller/HostedServices/V1Alpha2Controller.cs | 2 +- src/crd-controller/Models/V1Alpha1/KamusSecret.cs | 1 - src/crd-controller/utils/KubernetesExtensions.cs | 6 +++--- 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/src/crd-controller/HostedServices/V1Alpha2Controller.cs b/src/crd-controller/HostedServices/V1Alpha2Controller.cs index 012011af9..4416103f4 100644 --- a/src/crd-controller/HostedServices/V1Alpha2Controller.cs +++ b/src/crd-controller/HostedServices/V1Alpha2Controller.cs @@ -39,7 +39,7 @@ public Task StartAsync(CancellationToken token) { mSubscription = mKubernetes.ObserveClusterCustomObject( "soluto.com", - "v2alpha1", + "v1alpha2", "kamussecrets", token) .SelectMany(x => diff --git a/src/crd-controller/Models/V1Alpha1/KamusSecret.cs b/src/crd-controller/Models/V1Alpha1/KamusSecret.cs index bd57c8cf1..b33c22acb 100644 --- a/src/crd-controller/Models/V1Alpha1/KamusSecret.cs +++ b/src/crd-controller/Models/V1Alpha1/KamusSecret.cs @@ -7,7 +7,6 @@ namespace CustomResourceDescriptorController.Models.V1Alpha1 public class KamusSecret : KubernetesObject { public Dictionary Data { get; set; } - public Dictionary EncodedData { get; set; } public string Type { get; set; } public V1ObjectMeta Metadata { get; set; } public string ServiceAccount { get; set; } diff --git a/src/crd-controller/utils/KubernetesExtensions.cs b/src/crd-controller/utils/KubernetesExtensions.cs index 409311d15..ac11644a7 100644 --- a/src/crd-controller/utils/KubernetesExtensions.cs +++ b/src/crd-controller/utils/KubernetesExtensions.cs 
@@ -18,9 +18,9 @@ CancellationToken cancelationToken return Observable.FromAsync(async () => { var result = await kubernetes.ListClusterCustomObjectWithHttpMessagesAsync( - "soluto.com", - "v1alpha1", - "kamussecrets", + group, + version, + plural, watch: true, timeoutSeconds: (int)TimeSpan.FromMinutes(60).TotalSeconds, cancellationToken: cancelationToken); var subject = new System.Reactive.Subjects.Subject<(WatchEventType, TCRD)>(); From 23dcb54930b01604157e7097e5d5dafec00646bb Mon Sep 17 00:00:00 2001 From: omerlh Date: Sun, 4 Aug 2019 09:02:20 +0300 Subject: [PATCH 16/44] clean up --- ...KubernetesClientConfigurationExtensions.cs | 61 ------------------- 1 file changed, 61 deletions(-) delete mode 100644 src/crd-controller/utils/KubernetesClientConfigurationExtensions.cs diff --git a/src/crd-controller/utils/KubernetesClientConfigurationExtensions.cs b/src/crd-controller/utils/KubernetesClientConfigurationExtensions.cs deleted file mode 100644 index 80de5e933..000000000 --- a/src/crd-controller/utils/KubernetesClientConfigurationExtensions.cs +++ /dev/null 
@@ -1,61 +0,0 @@ -using System; -using System.IO; -using System.Runtime.InteropServices; -using k8s; - -namespace crdcontroller.Extensions -{ - /// - /// Temporary until a new k8s client is released with this code - /// - public static class KubernetesClientConfigurationExtensions - { - private static readonly string KubeConfigDefaultLocation = - RuntimeInformation.IsOSPlatform(OSPlatform.Windows) - ? Path.Combine(Environment.GetEnvironmentVariable("USERPROFILE"), @".kube\config") - : Path.Combine(Environment.GetEnvironmentVariable("HOME"), ".kube/config"); - - private const string ServiceAccountPath = "/var/run/secrets/kubernetes.io/serviceaccount/"; - private const string ServiceAccountTokenKeyFileName = "token"; - private const string ServiceAccountRootCAKeyFileName = "ca.crt"; - - public static Boolean IsInCluster() - { - var host = Environment.GetEnvironmentVariable("KUBERNETES_SERVICE_HOST"); - var port = Environment.GetEnvironmentVariable("KUBERNETES_SERVICE_PORT"); - if (string.IsNullOrWhiteSpace(host) || string.IsNullOrWhiteSpace(port)) - { - return false; - } - var tokenPath = Path.Combine(ServiceAccountPath, ServiceAccountTokenKeyFileName); - if (!File.Exists(tokenPath)) - { - return false; - } - var certPath = Path.Combine(ServiceAccountPath, ServiceAccountRootCAKeyFileName); - return File.Exists(certPath); - } - - public static KubernetesClientConfiguration BuildDefaultConfig() - { - var kubeconfig = Environment.GetEnvironmentVariable("KUBECONFIG"); - if (kubeconfig != null) - { - return KubernetesClientConfiguration.BuildConfigFromConfigFile(kubeconfigPath: kubeconfig); - } - if (File.Exists(KubeConfigDefaultLocation)) - { - return KubernetesClientConfiguration.BuildConfigFromConfigFile(kubeconfigPath: KubeConfigDefaultLocation); - } - if (IsInCluster()) - { - return KubernetesClientConfiguration.InClusterConfig(); - } - var config = new KubernetesClientConfiguration - { - Host = "http://localhost:8080" - }; - return config; - } - } -} 
From 0ba3ba64a37e951beca44377aaa8af2bd1be84f4 Mon Sep 17 00:00:00 2001 From: omerlh Date: Thu, 8 Aug 2019 17:48:26 +0300 Subject: [PATCH 17/44] try to fix the build --- tests/crd-controller/FlowTest.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/crd-controller/FlowTest.cs b/tests/crd-controller/FlowTest.cs index c56963ffd..68b59f3c9 100644 --- a/tests/crd-controller/FlowTest.cs +++ b/tests/crd-controller/FlowTest.cs @@ -78,7 +78,7 @@ public async Task CreateKamusSecretV1Alpha2_SecretCreated() .Where(t => t.Item1 == WatchEventType.Added && t.Item2.Metadata.Name == "my-tls-secret").Timeout(TimeSpan.FromSeconds(30)).FirstAsync(); Assert.Equal("TlsSecret", v1Secret.Type); - Assert.True(v1Secret.Data.ContainsKey("key")); + Assert.True(v1Secret.StringData.ContainsKey("key")); Assert.True(v1Secret.Data.ContainsKey("key3")); Assert.Equal(File.ReadAllText("key.crt"), Encoding.UTF8.GetString(v1Secret.Data["key3"])); } From f7f471da33a60465aa3368e54701cbf869e42295 Mon Sep 17 00:00:00 2001 
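Review bot: `Assert.True(v1Secret.StringData.ContainsKey("key"))` will throw rather than pass: the Kubernetes API never stores or returns `stringData` — it is merged into `data` on write — so the `V1Secret` delivered by the watch has a null `StringData`. Assert on the merged field instead, `Assert.True(v1Secret.Data.ContainsKey("key"));`, and if the aim is to prove the value travelled through the stringData path, compare its decoded bytes to the expected plaintext.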
From: omerlh Date: Mon, 12 Aug 2019 08:17:55 -0400 Subject: [PATCH 18/44] added support for conversation webhook --- Dockerfile | 4 +- certificate.pfx | Bin 0 -> 3981 bytes .../ConversionWebhookController.cs | 96 ++++++++++++++++++ .../HostedServices/V1Alpha1Controller.cs | 5 +- .../HostedServices/V1Alpha2Controller.cs | 5 +- src/crd-controller/Models/ConversionReview.cs | 11 ++ .../Models/ConversionReviewRequest.cs | 16 +++ .../Models/ConversionReviewResponse.cs | 16 +++ src/crd-controller/Startup.cs | 2 +- tests/crd-controller/crd.yaml | 34 +++++++ tests/crd-controller/deployment.yaml | 23 +++++ 11 files changed, 208 insertions(+), 4 deletions(-) create mode 100644 certificate.pfx create mode 100644 src/crd-controller/Controllers/ConversionWebhookController.cs create mode 100644 src/crd-controller/Models/ConversionReview.cs create mode 100644 src/crd-controller/Models/ConversionReviewRequest.cs create mode 100644 src/crd-controller/Models/ConversionReviewResponse.cs diff --git a/Dockerfile b/Dockerfile index 1b5d783af..6b54532d6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -21,9 +21,11 @@ ENV PROJECT_NAME_ENV=$PROJECT_NAME RUN addgroup dotnet && \ adduser -D -G dotnet -h /home/dotnet dotnet && \ apk add --update --no-cahce libc6-compat - + USER dotnet WORKDIR /home/dotnet/app ENV ASPNETCORE_URLS=http://+:9999 COPY --from=build-env /app/$PROJECT_NAME/obj/Docker/publish . +COPY --chown=dotnet:dotnet certificate.pfx /home/dotnet/https/aspnetapp.pfx + ENTRYPOINT dotnet $PROJECT_NAME_ENV.dll 
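Review bot: `COPY --chown=dotnet:dotnet certificate.pfx /home/dotnet/https/aspnetapp.pfx` bakes the webhook's TLS private key — committed in this same patch as the binary `certificate.pfx` — into every image layer and into source history, where anyone who can pull the image or clone the repository can extract it. The key should be provisioned at runtime instead, e.g. a Kubernetes Secret mounted at `/home/dotnet/https` and issued per cluster so that the `caBundle` in crd.yaml matches it, with `certificate.pfx` listed in `.gitignore` and `.dockerignore` and the committed key treated as disclosed. Pre-existing, but in the same context: `apk add --update --no-cahce` misspells `--no-cache`.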
diff --git a/certificate.pfx b/certificate.pfx new file mode 100644 index 0000000000000000000000000000000000000000..3a7eacf43fd367bb2a4b95d3ae340c7bf4c07a1e GIT binary patch literal 3981 zcmY+GWl$81w};t<1(wbQrAxXNL_+BXK|oeIq*GWxnuUGo?iQBr5SNs0DG6!mmX=0Y zukXyg_kZt)GiT=c%{d>R`3WIOqksTxAtb3bE|@1=HT;GcfCoS!No8@6q|g6iaUmq= z-G3rn6cS|d7nuM7SbvxPe-eNYJubn2e;@+j3X$O81Mq##%36~uE2h%LFE4Q01S~XpLAt)sJIed zWzlLc{s|!ZB!(vC$(j)>x7+U$_pW_zExo2{Dh&dNzP@V!!Rl*-T^Rxw4~a@~u!kFN z6&e)?1LD|CwNJl3zk!tj>*EB^*mbvK2kF$t@7US@xXUTP*)cR#v|v1N2!0+Xg4M}2 zE!V^}@XwmtHUCZiE6Fm6B)EilOI@~&&QF$%d#t@gio2=(8{uG93o>B4(-4l_L|Uc2+B7oQ(Q#r(`Y z-g5G6l@C@6a#OR8!9S0Di;d!{E}q?b*kMOZu%YcPDahl_New#XA{nCQcr7YYZlCBL z*KqzgALL2US$wQYEA=P~Sla&O1k&RF(Iw2)7*I%*{9LoW`Blp0)ecD%$b6+XF|Xx~ z&x7F{J`1&njj8LXd%4Vb2&;nPVS*qzt*z!pg21McVR2auo93KWejv&d;!K%ff#ct# z9cTk%ojujl1V4}vr^pqw9t5m#JE&`_C`ib*=scG0{XYaO6$%v2-gqx$qHOOS?&V&Gk@}UN2`eLT+;nXNF?qwC z3p71e_xudaFQaJLLye9O^s5(zHZ)E!EnX`Uh9(Z{`hip`^dTm3qme@GBeg5uvvQZW zb6UsVMeoSt_`PnF#9U`+#GGN%9x9~galL#USAf~k?u4YxTgw~qq@Q#Y}~r!o^O|EM%NNr?i6e_l(lUzMg` zlr?2dU>Q6frBZOFydge$GR}CNTg6_HcU!@5Q#|0V7=FE)5rZ_su+Td5We=iItn0w5EIIzd@k;Khrz~^|DfsQ zpih2jk;uy2?*zpyS?cvsPdwb4rit`@;tucIuOHKIG;e!+B0p#_t zlCcu=k^QkN-&70QskS#<4TO@0GgZ_zXRbM_@$XZQDC8F;q&cO|=uM>e5SEC>jzRAb zvIRX722QJ#e0l5G(eGb6(leoo>6Hv5HyYGTc&1CG!&1JK=N4vTv3|AAj<)kV+8^I< z9!mK1vupMc&uZVP|6m`fAaIQYy*4^H0X`J0=*YUn&zh9>B~_9#@-BKJ2%T#K zqd1-`K0-T~TvGSnR+vuKT&I4@J&0s16Y(7c(7fO=GgME9qQk!4HKJOX{mQC5Fi+KG z3V)nn%$#TAi@0nEi&mcWaO#iczJxHI0bA|^LZUD$B+o7y_}1^MT)=x_-AZ#5>?~~h zUsRDfwrR%BW1nFq2)Tv&Zl?(Sz}s5n^&f#i*{|u}1jI&$ih;jwuT-HjA8R#d;Zt`Y zWp8UU{xTR~tuR|Wm75V04w(3?EENpg4 zLfjATFwG#7w{n=0UV+l_JzEj*_P_<rhMAau^e-a7rGwU4) zX}ct)Qyussw^;m5Don&VZRa3ni&0jaS5Y0p!I<9=tUfAB!es11nV5dQEXONFb@2v% z=}{4|CwnhmNAJs?O9VP9YBLY}CGAKCN5A$ifk>HtKKYu>aDCyf%Ui9t9o1lcf(lK- z61@X)LzRF4r_Up5_#49$=kkW$G)wgBo|Tk&Q_*k%qqSmItW)~&^OuylzEq*VvXyRm zZ>Cd3qL%$u!;f0h4Fy|^448k8m#+v7oi@b`GV7e}9V@30!>)oY*?k4kH>lJ)`D^fQOOAasrx 
zTE7P`5DLo^tJZSZs;>B?I~Qvw6dOJ^6Z5pT*@qyo36pBiTLk~vIIlXghI!e%s9DF9ilCqywh-ht z5l*nk;r{-$iC5Cg)7m7B+VX)0F&BGAV+j7<86Ni*qHvRbj__n``rfqYw?}mihWE6i za^gT-vI9o7h+X)?UFhe}0^6ECsW)d=_jCG=<$Owx`hD5t_U^Z@We!mv3|_3hc24aU%U z7GeCT1gxb3wfe_{oEctwo$#-NM`Lhq>W*F63sd1f*_)hl2?xZ{N|)$u3erhQ#*4~Z z!jS{n>q%w~>35{B5tHm5oC$I8B~7w3;eQ$;um_cJ0@!pZ7Q|qbRFPv^0by@~O7|@r zwW(3>3c&scBan<)dxi3jc@@?E?@{-&%8fP#z53Py4mA%62^8YPSut-gt)kTX zXGW!36a9xR)$gYEBH?_6e9aITjbT_`{f9@~O`|fo@sRvik=jCp=?1JJR5Sxq;;t)i z&1c_s7gDZivP89HZ`>zqD{LMROt6{)AG%p5!y0sAS+PEcG_qyTGc*X;4Be5p1;4gX zjeGprMupsSCxEv`Tpq2G6BLbND>#YV4}+FbdojFvcGjq3D#9?YrgQ9K3@8r|U*bQJ z8lJ-@uYSBis=C(zmlEK3vx$r_{1Dog?LjZ2Si4Q@y^8azgEsTjOg~{;(pKwTsw0aF zTUYQ9k(;QmGzAvazix)R)Py(`?JZo9fjc@sv|=j%F>4*y*>mv++WjZ8@KG@7tUg@WTpE1>foi=Cg32onnI5Uz- z%S&6oqKa5x;FjIE>d0)Ulr>wp<5Bh<{YBEyQV{m_c8A@|`Wopqq@9Ux?8pZ+4<+PYUGRQRwXbMa|Ns97?qW8bACC7&Jm7u%^b0rP&T%G5qDGIyn51I zCy1-Fle3>GXf>?*jRF7}VUyUaR!Fl7G>pdM&Nlv|RfkJkAH(69lfqDv`ysDFm_vx| zf7=$*_+3CR5H!MO^&UZ f^z#SvbLSC+dR4*&c{uo@tLcHF5fUE%wzU5OP3C#~ literal 0 HcmV?d00001 diff --git a/src/crd-controller/Controllers/ConversionWebhookController.cs b/src/crd-controller/Controllers/ConversionWebhookController.cs new file mode 100644 index 000000000..9a1b3d2a1 --- /dev/null +++ b/src/crd-controller/Controllers/ConversionWebhookController.cs 
@@ -0,0 +1,96 @@ +using System; +using System.Collections.Generic; +using System.Linq; +using CustomResourceDescriptorController.Models; +using k8s.Models; +using Microsoft.AspNetCore.Mvc; +using Newtonsoft.Json.Linq; + +namespace CustomResourceDescriptorController.Controllers +{ + public class ConversionWebhookController : Controller + { + [HttpPost] + [Route("/api/v1/conversion-webhook")] + public ActionResult Convert([FromBody]ConversionReview conversionReview) + { + var response = new ConversionReviewResponse + { + UID = conversionReview.Request.UID, + ConvertedObjects = conversionReview.Request.Objects.Select(o => Convert(o, conversionReview.Request.DesiredAPIVersion)).ToArray(), + Result = new V1Status + { + Status = "Success" + } + }; + + return new ConversionReview + { + Kind = conversionReview.Kind, + ApiVersion = conversionReview.ApiVersion, + Response = response + }; + } + + private object Convert(JObject source, string desiredApiVersion) + { + var apiVersion = source.Value("apiVersion"); + + switch (desiredApiVersion) + { + case "soluto.com/v1alpha1": + switch (apiVersion) + { + case "soluto.com/v1alpha2": + var sourceKamusSecret = source.ToObject(); + return new Models.V1Alpha1.KamusSecret + { + Data = sourceKamusSecret.StringData, + ServiceAccount = sourceKamusSecret.ServiceAccount, + Metadata = sourceKamusSecret.Metadata, + Kind = "KamusSecret", + Type = sourceKamusSecret.Type, + ApiVersion = desiredApiVersion + }; + + default: + Console.WriteLine("Oh no!"); + Console.WriteLine(apiVersion); + return null; + } + + + case "soluto.com/v1alpha2": + + switch (apiVersion) + { + case "soluto.com/v1alpha1": + var sourceKamusSecret = source.ToObject(); + return new Models.V1Alpha2.KamusSecret + { + StringData = sourceKamusSecret.Data, + ServiceAccount = sourceKamusSecret.ServiceAccount, + Metadata = sourceKamusSecret.Metadata, + Kind = "KamusSecret", + Type = sourceKamusSecret.Type, + ApiVersion = desiredApiVersion + }; + + default: + Console.WriteLine("Oh 
no!"); + Console.WriteLine(apiVersion); + return null; + + } + + default: + Console.WriteLine("Oh no!"); + Console.WriteLine(apiVersion); + return null; + } + + } + } + + +} diff --git a/src/crd-controller/HostedServices/V1Alpha1Controller.cs b/src/crd-controller/HostedServices/V1Alpha1Controller.cs index d551e1c34..d7b993c85 100644 --- a/src/crd-controller/HostedServices/V1Alpha1Controller.cs +++ b/src/crd-controller/HostedServices/V1Alpha1Controller.cs @@ -31,7 +31,10 @@ public V1Alpha1Controller(IKubernetes kubernetes, IKeyManagement keyManagement) public Task StopAsync(CancellationToken cancellationToken) { - mSubscription.Dispose(); + if (mSubscription != null) + { + mSubscription.Dispose(); + } return Task.CompletedTask; } diff --git a/src/crd-controller/HostedServices/V1Alpha2Controller.cs b/src/crd-controller/HostedServices/V1Alpha2Controller.cs index 4416103f4..e2e99bd31 100644 --- a/src/crd-controller/HostedServices/V1Alpha2Controller.cs +++ b/src/crd-controller/HostedServices/V1Alpha2Controller.cs @@ -31,7 +31,10 @@ public V1Alpha2Controller(IKubernetes kubernetes, IKeyManagement keyManagement) public Task StopAsync(CancellationToken cancellationToken) { - mSubscription.Dispose(); + if (mSubscription != null) + { + mSubscription.Dispose(); + } return Task.CompletedTask; } diff --git a/src/crd-controller/Models/ConversionReview.cs b/src/crd-controller/Models/ConversionReview.cs new file mode 100644 index 000000000..0935f3141 --- /dev/null +++ b/src/crd-controller/Models/ConversionReview.cs @@ -0,0 +1,11 @@ +using System; +namespace CustomResourceDescriptorController.Models +{ + public class ConversionReview + { + public string Kind { get; set; } + public string ApiVersion { get; set; } + public ConversionReviewRequest Request { get; set; } + public ConversionReviewResponse Response { get; set; } + } +} 
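Review bot: Every unsupported `apiVersion` / `desiredApiVersion` combination in the private `Convert` prints `"Oh no!"` to the console and returns `null`, yet the response is always sent with `Result = new V1Status { Status = "Success" }`, so the apiserver receives a `convertedObjects` array containing nulls under a success status and the conversion appears to work while the object is lost. Under the conversion webhook contract a failed conversion must report `Status = "Failure"` with a `Message`, and the branches should log through the project's Serilog logger (`Log.ForContext<ConversionWebhookController>()`, as the hosted services do) rather than `Console.WriteLine`. `conversionReview.Request.UID` is also dereferenced without a null check, which surfaces as an unlogged 500 for a malformed body. A sketch of the success/failure split for the action:
```csharp
// … unchanged: action attributes and signature …
if (conversionReview?.Request == null)
{
    return BadRequest();
}

var converted = conversionReview.Request.Objects
    .Select(o => Convert(o, conversionReview.Request.DesiredAPIVersion))
    .ToArray();
var failed = converted.Any(o => o == null);

var response = new ConversionReviewResponse
{
    UID = conversionReview.Request.UID,
    ConvertedObjects = failed ? Array.Empty<object>() : converted,
    Result = new V1Status
    {
        Status = failed ? "Failure" : "Success",
        Message = failed ? "unsupported apiVersion conversion" : null
    }
};
// … unchanged: wrap response in ConversionReview and return …
```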
diff --git a/src/crd-controller/Models/ConversionReviewRequest.cs b/src/crd-controller/Models/ConversionReviewRequest.cs new file mode 100644 index 000000000..59589ecdf --- /dev/null +++ b/src/crd-controller/Models/ConversionReviewRequest.cs @@ -0,0 +1,16 @@ +using System; +using k8s; +using Newtonsoft.Json; +using Newtonsoft.Json.Linq; + +namespace CustomResourceDescriptorController.Models +{ + public class ConversionReviewRequest + { + [JsonProperty(PropertyName = "uid")] + public string UID { get; set; } + + public string DesiredAPIVersion { get; set; } + public JObject[] Objects { get; set; } + } +} \ No newline at end of file diff --git a/src/crd-controller/Models/ConversionReviewResponse.cs b/src/crd-controller/Models/ConversionReviewResponse.cs new file mode 100644 index 000000000..fdf2ad53b --- /dev/null +++ b/src/crd-controller/Models/ConversionReviewResponse.cs @@ -0,0 +1,16 @@ +using System; +using k8s.Models; +using Newtonsoft.Json; + +namespace CustomResourceDescriptorController.Models +{ + public class ConversionReviewResponse + { + [JsonProperty(PropertyName = "uid")] + public string UID { get; set; } + + public object[] ConvertedObjects { get; set; } + + public V1Status Result { get; set; } + } +} diff --git a/src/crd-controller/Startup.cs b/src/crd-controller/Startup.cs index ee9c1f2a7..1a07a1faa 100644 --- a/src/crd-controller/Startup.cs +++ b/src/crd-controller/Startup.cs @@ -57,7 +57,7 @@ public void ConfigureServices (IServiceCollection services) { } ); - services.AddHostedService(); + // services.AddHostedService(); services.AddHostedService(); services.AddHealthChecks() diff --git a/tests/crd-controller/crd.yaml b/tests/crd-controller/crd.yaml index 115365785..da02de012 100644 --- a/tests/crd-controller/crd.yaml +++ b/tests/crd-controller/crd.yaml 
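Review bot: `// services.AddHostedService();` leaves the V1Alpha1Controller registration as commented-out code, so it is unclear whether dropping it is intended now that v1alpha2 is the storage version and the conversion webhook serves v1alpha1 reads. If intentional, delete the line (and the now-unused controller class); if temporary, a `// TODO:` stating why it is disabled is better than a bare commented statement.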
@@ -4,6 +4,7 @@ metadata: # name must match the spec fields below, and be in the form: . name: kamussecrets.soluto.com spec: + preserveUnknownFields: false # group name to use for REST API: /apis// group: soluto.com # version name to use for REST API: /apis// @@ -13,9 +14,34 @@ spec: served: true # One and only one version must be marked as the storage version. storage: false + schema: + openAPIV3Schema: + type: object + properties: + data: + type: object + additionalProperties: true + serviceAccount: + type: string + type: + type: string - name: v1alpha2 served: true storage: true + schema: + openAPIV3Schema: + type: object + properties: + data: + type: object + additionalProperties: true + stringData: + type: object + additionalProperties: true + serviceAccount: + type: string + type: + type: string # either Namespaced or Cluster scope: Namespaced names: @@ -28,4 +54,12 @@ spec: # shortNames allow shorter string to match your resource on the CLI shortNames: - ks + conversion: + strategy: Webhook + webhookClientConfig: + service: + namespace: default + name: kamus-controller + path: /api/v1/conversion-webhook + caBundle: 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 \ No newline at end of file diff --git a/tests/crd-controller/deployment.yaml b/tests/crd-controller/deployment.yaml index b2bc9dbd5..af21b1b81 100644 --- a/tests/crd-controller/deployment.yaml +++ b/tests/crd-controller/deployment.yaml @@ -29,6 +29,29 @@ roleRef: name: kamus-crd apiGroup: rbac.authorization.k8s.io --- +apiVersion: v1 +kind: Service +metadata: + name: kamus-controller + annotations: + prometheus.io/scrape: "true" + + labels: + app: kamus + component: crd-controller + chart: kamus-0.3.0 + heritage: Tiller +spec: + type: ClusterIP + ports: + - port: 443 + targetPort: 8888 + protocol: TCP + name: http-kamus-controller + selector: + app: kamus + component: crd-controller +-- apiVersion: apps/v1 kind: Deployment metadata: 
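Review bot: The v1alpha1 and v1alpha2 schemas in the `@@ -13,9 +14,34 @@` hunk declare `data` and `stringData` as `additionalProperties: true`, so any JSON value (a number, a nested object) is admitted where the controller expects a string ciphertext; `additionalProperties: { type: string }` rejects a malformed KamusSecret at the API server instead of at decrypt time. `serviceAccount` is also not under `required`, although it is presumably what the decryption identity is derived from — `required: [serviceAccount]` would document that contract in the CRD. With `preserveUnknownFields: false` now set, the schema is the only thing keeping stray fields out, so it is worth making strict.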
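Review bot: The `conversion` block in the `@@ -28,4 +54,12 @@` hunk hard-codes `namespace: default` and a committed `caBundle`, so conversion — and with it every read of the non-storage version — silently breaks if the controller is deployed in another namespace or the certificate is rotated; the namespace should be templated and the bundle injected at deploy or test time rather than stored in the repo. Note that the bundle only lets the API server verify the webhook's server certificate; nothing in this series shows client authentication on `/api/v1/conversion-webhook`, so any workload that can reach the Service can call it, which is tolerable only because conversion handles ciphertext and never decrypts — a comment next to `strategy: Webhook` saying exactly that would stop a future change from assuming otherwise. The same spot should note that pre-1.15 clusters need the `CustomResourceWebhookConversion` gate for this strategy to work.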
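Review bot: The new Service in the deployment.yaml hunk exposes `port: 443` under the name `http-kamus-controller`; the API server will speak TLS to this port, and meshes that infer protocol from the port name (hedged: if one is ever used here) would treat it as plain HTTP. Rename it `https-kamus-controller`. Also, `targetPort: 8888` has no listener behind it in the image as of this commit — the HTTPS binding only arrives later in the series — so the webhook cannot succeed until that lands.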
From a83e92eb8ff4d74f52638d48785aee5004b4df10 Mon Sep 17 00:00:00 2001 From: omerlh Date: Mon, 12 Aug 2019 08:18:19 -0400 Subject: [PATCH 19/44] revert test changes --- tests/crd-controller/FlowTest.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/crd-controller/FlowTest.cs b/tests/crd-controller/FlowTest.cs index 68b59f3c9..c56963ffd 100644 --- a/tests/crd-controller/FlowTest.cs +++ b/tests/crd-controller/FlowTest.cs @@ -78,7 +78,7 @@ public async Task CreateKamusSecretV1Alpha2_SecretCreated() .Where(t => t.Item1 == WatchEventType.Added && t.Item2.Metadata.Name == "my-tls-secret").Timeout(TimeSpan.FromSeconds(30)).FirstAsync(); Assert.Equal("TlsSecret", v1Secret.Type); - Assert.True(v1Secret.StringData.ContainsKey("key")); + Assert.True(v1Secret.Data.ContainsKey("key")); Assert.True(v1Secret.Data.ContainsKey("key3")); Assert.Equal(File.ReadAllText("key.crt"), Encoding.UTF8.GetString(v1Secret.Data["key3"])); } From 5fc07018f338a33712323ba3330a8727f8cca594 Mon Sep 17 00:00:00 2001 From: omerlh Date: Mon, 12 Aug 2019 08:46:04 -0400 Subject: [PATCH 20/44] try to fix the build --- tests/crd-controller/deployment.yaml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/tests/crd-controller/deployment.yaml b/tests/crd-controller/deployment.yaml index af21b1b81..2a70944df 100644 --- a/tests/crd-controller/deployment.yaml +++ b/tests/crd-controller/deployment.yaml @@ -32,10 +32,7 @@ roleRef: apiVersion: v1 kind: Service metadata: - name: kamus-controller - annotations: - prometheus.io/scrape: "true" - + name: kamus-controller labels: app: kamus component: crd-controller @@ -51,7 +48,7 @@ spec: selector: app: kamus component: crd-controller --- +--- apiVersion: apps/v1 kind: Deployment metadata: From ae6ccaea85c75edc3ef5a2a3f49a3ef3ad48553a Mon Sep 17 00:00:00 2001 
From: omerlh Date: Mon, 12 Aug 2019 09:00:09 -0400 Subject: [PATCH 21/44] remove encodedData --- tests/crd-controller/tls-KamusSecret.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/tests/crd-controller/tls-KamusSecret.yaml b/tests/crd-controller/tls-KamusSecret.yaml index 4c705595f..4b50ba4b4 100644 --- a/tests/crd-controller/tls-KamusSecret.yaml +++ b/tests/crd-controller/tls-KamusSecret.yaml @@ -5,6 +5,4 @@ metadata: type: TlsSecret data: key: J9NYLzTC/O44DvlCEZ+LfQ==:Cc9O5zQzFOyxwTD5ZHseqg== -encodedData: - key3: 5SRnC8HJ6gJEOCpgby3ZSQ==: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 serviceAccount: some-sa \ No newline at end of file From a0fe6a7491435f3d1f9c418989ba9eaba889d1f6 Mon Sep 17 00:00:00 2001 From: omerlh Date: Mon, 12 Aug 2019 09:25:07 -0400 Subject: [PATCH 22/44] force https for the controller --- tests/crd-controller/deployment.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/tests/crd-controller/deployment.yaml b/tests/crd-controller/deployment.yaml index 2a70944df..8f45b2bd2 100644 --- a/tests/crd-controller/deployment.yaml +++ b/tests/crd-controller/deployment.yaml @@ -73,6 +73,13 @@ spec: - name: controller image: crd-controller imagePullPolicy: IfNotPresent + env: + - name: ASPNETCORE_URLS + value: "http://+:9999;https://+:8888" + - name: ASPNETCORE_Kestrel__Certificates__Default__Path + value: "/home/dotnet/https/aspnetapp.pfx" + - name: ASPNETCORE_Kestrel__Certificates__Default__Password + value: "" livenessProbe: httpGet: path: /healthz From 65151c33b6030bb3677d6d4c967240b4b46b7508 Mon Sep 17 00:00:00 2001 From: omerlh Date: Mon, 12 Aug 2019 13:22:56 -0400 Subject: [PATCH 23/44] temporary - just make it work --- tests/crd-controller/crd.yaml | 2 +- tests/crd-controller/deployment.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/crd-controller/crd.yaml b/tests/crd-controller/crd.yaml index da02de012..8f5788212 100644 --- a/tests/crd-controller/crd.yaml 
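Review bot: `ASPNETCORE_Kestrel__Certificates__Default__Password` in the new `env` block is an inline literal (here the empty string), which places the PKCS#12 password in the Deployment manifest and in every `kubectl get deploy -o yaml`; even in a test deployment it should come from a Secret via `valueFrom: { secretKeyRef: { name: ..., key: ... } }` so the pattern is not copied into the chart. An empty password on a pfx that at this point is baked into the image means anyone who can pull the image holds a usable private key. The container spec continues outside the hunk.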
+++ b/tests/crd-controller/crd.yaml 
@@ -59,7 +59,7 @@ spec: webhookClientConfig: service: namespace: default - name: kamus-controller + name: kamus-decryptor path: /api/v1/conversion-webhook caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUV5RENDQXJBQ0NRRElnR3V4VUZkYWFUQU5CZ2txaGtpRzl3MEJBUXNGQURBbU1TUXdJZ1lEVlFRRERCdHIKWVcxMWN5MWtaV055ZVhCMGIzSXVaR1ZtWVhWc2RDNXpkbU13SGhjTk1Ua3dPREE0TVRReE56RTFXaGNOTWpBdwpPREEzTVRReE56RTFXakFtTVNRd0lnWURWUVFEREJ0cllXMTFjeTFrWldOeWVYQjBiM0l1WkdWbVlYVnNkQzV6CmRtTXdnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUtBb0lDQVFDd09xSEFuWWdzblhYQkNkODUKVlNjUDhUa3V5UjRQTERSWG4vV21icWMxQVkwV3UvMkRtRktLSU84a1Rrc1d4dUpwbklBVFlFTUVXN2JWaDVKNQpXTGhmNC84RFVxWXZuTndNK2k1Z3hmK25BM2l5N09zN24zZks1SU1BaU00YTJiU3NqU2oyU3NqTmJEZVJDTE1CCjNhMThPM1dsV2RNWTh1ZGs4dlB1L1BTOHhMYTZONldaZ1p4dVZETEhkYXkwaWVBR1pjTkZqVFl6U1pqa1VHSnAKblJkRTNUUlkwSkI0eE1wOG1DMGNJWGZUaEU0R1I0L0xLbU1NR3FQckhDM1ErUjZ5enZuWkNVYVpOanA2VGwvagpHKzV3TVNQRzFYU1g0anpZOFFxQjRRaDZzL2NZYVNyZEI5aStqQzltYlYwU0tjOVU4U1kyQzNkcDZML3ZZckliCnZKNTJZZWl6ZUtjSWFEVS9wQlBpQ3JzdXhwb0Q4YWRzMEhmUWZsY2Z1YlRhcGdWYkZYTVk4WW16UEpjaDRGMEoKSVQxWUd4QkZwYVhERlMrQmRWU2JtOFptdWhsVEdiVlJGQ2hjNHdhTW4wSkFYTDRtZVlITXRPcmtyNTUzdFNVWAovY1ZZY2FhcW13V2NFS3ZqVDZRa3dWMkN0OFd0Y3FnVTViaVlxaUsrRWlVNHBhZXI2OXlhY25EVW03dUREbDdDCm5VQitWY0pRNFpYOC9RbXVjOXBUY2xlVFBVVUNCRnNZaHZYYVVOWjRpNVpXQXZQQjJCaFRnZ3BuNEo0OHlpczgKRzlWZENMcEpiVEZXWTk1WmV2aXhWWXdCeEVrdmxOamxPT3o4Z29Xb0RUOGhsdUoxM1h5bUx0Tml3TFcvcHVwbQpCMFpJRmR1V05GSFJQWDF0cHZxUUhZMlhYUUlEQVFBQk1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQ0FRQ2NEN1hlCkNrN0lXaklzeElQUkpzS24wOVdlZ0UxbllmdXA3d1FmVGJZdjdvOVh2NWZKVGRCc3ZDdEVITWJuVDFxTmNGY1cKMnJvN0hCcVFyc2E4TnE3VGhyNnJrSHhabmd6bXUrMVFRamdrVTYxQTJNclVadS95UVk3TjJFbFBmWTlOcnhQeApGblpGalRqeDkxc081Y3BYbWgwaTBmcmo1QlNlb0poYndNOEVOa0ZqT3I4cVdvZWpQa2xoaGFaL1duZ243RGxNClI4WUtEMmFldVZJclptN05mdHNpZ3ZCSWttYTlrUDc2KzlRWjY3VDhZR2hOSVFqbmlIRzRkZWxlRDhibWxBamUKVE9iMGlxZlBFU3h3T2l0eUNwcEFoUERzcWVXRStUMHRBSXp3MTgxUmp2QTVyNmlTOEorVlk0N3lHRjRoVFYxTAoyZk1ST3hEVzdGYTJPblVxeFg4MkJHOHhpMVY2RGU2ekE0NlpnbjRzc2V4RmZDTW8
rd3hLei9ISG1Cd3Yvb1BlCkkyZEo1UTR5Z0N4REZpcU5CbGRTZkNpU0RkdVZUdkFMWENsUjJwK1hnRnVJQ1BTdXFhamZySTdlTjVZVElFTHEKclVNdEJNMFNPVlhTM21sbHVkWDZkaDNUeWIzSXdVSVZVbENyRUFhVlF6YXdBYTlsUm1JQXZvdGRMME5VY0FpTAprUk5KZmFiNTZxSFE2SURkYm1tMGdVVUoxL3IrVzRGQ3c2dmkvL1JpbG16NEpHTW56d2dac21kZjF0YnJPUlA4CjRSWGdpQ2VLZjEydFY1akJFZmpaMDVzTUZITWRaY1lPK0JXYjZkVFRGWE1BcU81NmVMV3JScVluUVp4UlNLaEoKYzVZaFEyUUxrN0hIdG5KOFVQSmYzZlh2czQrK0lCZ3J2Q0o0bWc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== \ No newline at end of file diff --git a/tests/crd-controller/deployment.yaml b/tests/crd-controller/deployment.yaml index 8f45b2bd2..9189ef357 100644 --- a/tests/crd-controller/deployment.yaml +++ b/tests/crd-controller/deployment.yaml @@ -32,7 +32,7 @@ roleRef: apiVersion: v1 kind: Service metadata: - name: kamus-controller + name: kamus-decryptor labels: app: kamus component: crd-controller From 00be2b2af2d3d4a151914e5f48981d88ccb4764e Mon Sep 17 00:00:00 2001 From: omerlh Date: Mon, 12 Aug 2019 20:29:48 -0400 Subject: [PATCH 24/44] fix the tests --- tests/crd-controller/updated-tls-KamusSecretV1Alpha2.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/crd-controller/updated-tls-KamusSecretV1Alpha2.yaml b/tests/crd-controller/updated-tls-KamusSecretV1Alpha2.yaml index 6fb00c53b..1c00dd3ec 100644 --- a/tests/crd-controller/updated-tls-KamusSecretV1Alpha2.yaml +++ b/tests/crd-controller/updated-tls-KamusSecretV1Alpha2.yaml @@ -3,6 +3,6 @@ kind: KamusSecret metadata: name: my-tls-secret type: TlsSecret -data: +stringData: key: fX+zM9o709PGkitf0f7PNg==:1iLWChg0N5+SwysTXvLSCw== serviceAccount: some-sa \ No newline at end of file From a8cb8c097b16388267c5f52e9d6de34fad41a75b Mon Sep 17 00:00:00 2001 From: omerlh Date: Mon, 12 Aug 2019 21:27:34 -0400 Subject: [PATCH 25/44] ugly patch :praying af --- tests/crd-controller/FlowTest.cs | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) 
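Review bot: The `caBundle` in this hunk decodes to a self-signed X.509 v1 certificate (the TBS starts directly with the serial, so there is no version field, hence no extensions and no SubjectAltName) for CN=kamus-decryptor.default.svc, valid 2019-08-08 to 2020-08-07. Two consequences: every conversion fails after that date with no obvious cause, and Go-based clients that no longer fall back to the CN for hostname checks (Go 1.15 and the API servers built on it) reject a SAN-less certificate outright, so the fixture will not survive a cluster upgrade. Generate the certificate in `run-tests.sh` as a v3 cert with `subjectAltName=DNS:<service>.<namespace>.svc` and substitute it into crd.yaml and the Secret instead of committing it. The rename to `kamus-decryptor` is described as temporary in the commit message and is reverted later in the series.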
diff --git a/tests/crd-controller/FlowTest.cs b/tests/crd-controller/FlowTest.cs index c56963ffd..e5f32728a 100644 --- a/tests/crd-controller/FlowTest.cs +++ b/tests/crd-controller/FlowTest.cs @@ -191,6 +191,23 @@ private async Task DeployController() Console.WriteLine("Deploying CRD"); RunKubectlCommand("apply -f deployment.yaml"); + + Console.WriteLine("running ugly patch"); + + if (!string.IsNullOrEmpty(Environment.GetEnvironmentVariable("kubernetesVersion"))) + { + var version = Environment.GetEnvironmentVariable("kubernetesVersion").Split("."); + + if (version.Length == 3 && int.TryParse(version[1], out var minor)) + { + if (minor < 15) + { + Console.WriteLine("patching"); + File.WriteAllText("crd.yaml", File.ReadAllText("crd.yaml").Replace("preserveUnknownFields: false", "")); + } + } + } + RunKubectlCommand("apply -f crd.yaml"); var kubernetes = new Kubernetes(KubernetesClientConfiguration.BuildDefaultConfig()); From 26ed6ff142563719f29a70c9fc6e859a64b92a83 Mon Sep 17 00:00:00 2001 From: omerlh Date: Mon, 12 Aug 2019 21:40:01 -0400 Subject: [PATCH 26/44] try to fix the build --- tests/crd-controller/FlowTest.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/crd-controller/FlowTest.cs b/tests/crd-controller/FlowTest.cs index e5f32728a..5abc0a5b2 100644 --- a/tests/crd-controller/FlowTest.cs +++ b/tests/crd-controller/FlowTest.cs @@ -203,7 +203,7 @@ private async Task DeployController() if (minor < 15) { Console.WriteLine("patching"); - File.WriteAllText("crd.yaml", File.ReadAllText("crd.yaml").Replace("preserveUnknownFields: false", "")); + File.WriteAllText("../../../crd.yaml", File.ReadAllText("crd.yaml").Replace("preserveUnknownFields: false", "")); } } } From 0395f0679b1a95f6b14e5b1496e7912b75fc2f40 Mon Sep 17 00:00:00 2001 From: omerlh Date: Tue, 13 Aug 2019 16:15:58 -0500 Subject: [PATCH 27/44] no judgment --- tests/crd-controller/FlowTest.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/tests/crd-controller/FlowTest.cs b/tests/crd-controller/FlowTest.cs index 5abc0a5b2..6a951b0e7 100644 --- a/tests/crd-controller/FlowTest.cs +++ b/tests/crd-controller/FlowTest.cs @@ -208,7 +208,7 @@ private async Task DeployController() } } - RunKubectlCommand("apply -f crd.yaml"); + RunKubectlCommand("apply -f crd.yaml --validate=false"); var kubernetes = new Kubernetes(KubernetesClientConfiguration.BuildDefaultConfig()); From 1c9b152679f80275ab6b63b023c7e9753e49171c Mon Sep 17 00:00:00 2001 From: omerlh Date: Tue, 13 Aug 2019 16:28:35 -0500 Subject: [PATCH 28/44] enable CustomResourceWebhookConversion --- tests/crd-controller/kind-config.yaml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/tests/crd-controller/kind-config.yaml b/tests/crd-controller/kind-config.yaml index 4f0e93447..621346fa8 100644 --- a/tests/crd-controller/kind-config.yaml +++ b/tests/crd-controller/kind-config.yaml @@ -1,5 +1,28 @@ kind: Config apiVersion: kind.sigs.k8s.io/v1alpha3 +kubeadmConfigPatches: +- | + apiVersion: kubeadm.k8s.io/v1beta2 + kind: ClusterConfiguration + metadata: + name: config + apiServer: + extraArgs: + "feature-gates": "CustomResourceWebhookConversion=true" + scheduler: + extraArgs: + "feature-gates": "CustomResourceWebhookConversion=true" + controllerManager: + extraArgs: + "feature-gates": "CustomResourceWebhookConversion=true" +- | + apiVersion: kubeadm.k8s.io/v1beta2 + kind: InitConfiguration + metadata: + name: config + nodeRegistration: + kubeletExtraArgs: + "feature-gates": "CustomResourceWebhookConversion=true" nodes: - role: control-plane - role: worker From b4392d354afb8a13751a054eee4ec8e97ca3ba0f Mon Sep 17 00:00:00 2001 From: omerlh Date: Tue, 13 Aug 2019 16:59:52 -0500 Subject: [PATCH 29/44] try to fix the build --- tests/crd-controller/kind-config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
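Review bot: The `CustomResourceWebhookConversion` gate is read by the API server (apiextensions) only, so the copies under `scheduler`, `controllerManager` and `kubeletExtraArgs` in the kind-config.yaml hunk do nothing except widen the kubeadm patch and the number of components that must accept the flag; keep the `apiServer.extraArgs` entry alone. A comment above it explaining why it exists (`# webhook conversion is alpha before k8s 1.15 and on by default from 1.15`) would also explain the separate 1.15 config that appears later in the series.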
diff --git a/tests/crd-controller/kind-config.yaml b/tests/crd-controller/kind-config.yaml index 621346fa8..79e488175 100644 --- a/tests/crd-controller/kind-config.yaml +++ b/tests/crd-controller/kind-config.yaml @@ -2,7 +2,7 @@ kind: Config apiVersion: kind.sigs.k8s.io/v1alpha3 kubeadmConfigPatches: - | - apiVersion: kubeadm.k8s.io/v1beta2 + apiVersion: kubeadm.k8s.io/v1beta1 kind: ClusterConfiguration metadata: name: config @@ -16,7 +16,7 @@ kubeadmConfigPatches: extraArgs: "feature-gates": "CustomResourceWebhookConversion=true" - | - apiVersion: kubeadm.k8s.io/v1beta2 + apiVersion: kubeadm.k8s.io/v1beta1 kind: InitConfiguration metadata: name: config From b8e723db8754afa60f8f740dd6442621a7cf84cc Mon Sep 17 00:00:00 2001 From: omerlh Date: Tue, 13 Aug 2019 17:18:59 -0500 Subject: [PATCH 30/44] maybe :shrug --- .circleci/config.yml | 2 ++ tests/crd-controller/kind-config-1.15.yaml | 17 +++++++++++++++++ tests/crd-controller/run-tests.sh | 9 ++++++++- 3 files changed, 27 insertions(+), 1 deletion(-) create mode 100644 tests/crd-controller/kind-config-1.15.yaml diff --git a/.circleci/config.yml b/.circleci/config.yml index e7ef6c7a2..8264e6b9c 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -14,6 +14,8 @@ commands: - docker_api_cache_key-{{ .Revision }} - run: name: install + environment: + kubernetesVersion: parameters.kubernetesVersion command: | tests/crd-controller/run-tests.sh << parameters.kubernetesVersion >> no_output_timeout: 3600 diff --git a/tests/crd-controller/kind-config-1.15.yaml b/tests/crd-controller/kind-config-1.15.yaml new file mode 100644 index 000000000..4f0e93447 --- /dev/null +++ b/tests/crd-controller/kind-config-1.15.yaml 
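Review bot: `kubernetesVersion: parameters.kubernetesVersion` under `environment:` in the `.circleci/config.yml` hunk sets the literal string `parameters.kubernetesVersion`, not the parameter's value — CircleCI only expands `<< parameters.kubernetesVersion >>`, as the `command:` line just below already does. Every consumer of `$kubernetesVersion` (the version-gated patch in FlowTest.cs and the `run-tests.sh` branch added in this commit) therefore never sees a real version. Change it to `kubernetesVersion: << parameters.kubernetesVersion >>`.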
@@ -0,0 +1,17 @@ +kind: Config +apiVersion: kind.sigs.k8s.io/v1alpha3 +nodes: + - role: control-plane + - role: worker + replicas: 3 + +# this config file contains all config fields with comments +kind: Cluster +apiVersion: kind.sigs.k8s.io/v1alpha3 +nodes: +# the control plane node config +- role: control-plane +# the three workers +- role: worker +- role: worker +- role: worker \ No newline at end of file diff --git a/tests/crd-controller/run-tests.sh b/tests/crd-controller/run-tests.sh index f0fba93ff..137df49ee 100755 --- a/tests/crd-controller/run-tests.sh +++ b/tests/crd-controller/run-tests.sh @@ -43,7 +43,14 @@ create_kind_cluster() { docker cp kubectl e2e:/usr/local/bin/kubectl - kind create cluster --name "$CLUSTER_NAME" --config tests/crd-controller/kind-config.yaml --image "kindest/node:$K8S_VERSION" + if [[ $kubernetesVersion == "v.15.0" ]] + then + kind_config="kind-config-1.15.yaml" + else + kind_config="kind-config.yaml" + fi + + kind create cluster --name "$CLUSTER_NAME" --config tests/crd-controller/$kind_config --image "kindest/node:$K8S_VERSION" kind load image-archive docker-cache-api/crd-controller.tar --name "$CLUSTER_NAME" docker_exec mkdir -p /root/.kube From 6028c23d2671b9d238989946f6522476ca7dc0fc Mon Sep 17 00:00:00 2001 From: omerlh Date: Tue, 13 Aug 2019 17:22:47 -0500 Subject: [PATCH 31/44] fix the build --- tests/crd-controller/run-tests.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/crd-controller/run-tests.sh b/tests/crd-controller/run-tests.sh index 137df49ee..4ac2ab0c6 100755 --- a/tests/crd-controller/run-tests.sh +++ b/tests/crd-controller/run-tests.sh @@ -43,7 +43,7 @@ create_kind_cluster() { docker cp kubectl e2e:/usr/local/bin/kubectl - if [[ $kubernetesVersion == "v.15.0" ]] + if [[ ${kubernetesVersion:?} == "v.15.0" ]] then kind_config="kind-config-1.15.yaml" else From 97dcfe12c1d23f1e9e2a228ae6557586f01693e2 Mon Sep 17 00:00:00 2001 
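Review bot: The new `kind-config-1.15.yaml` is two documents glued together without a `---` separator: `kind`, `apiVersion` and `nodes` each appear twice in one mapping, and the first `nodes` list carries `replicas: 3`, which is not a field of a node entry; a strict parser rejects the file and a lenient one keeps whichever duplicate it reads last. It looks like kind's sample config was pasted beneath the existing content — keep only the second block (`kind: Cluster` with the four node entries) or split them with `---`, and drop `replicas`. Because the `run-tests.sh` hunk in the same commit selects this file only on an exact version match, the parse error surfaces only on the 1.15 job.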
From: omerlh Date: Wed, 14 Aug 2019 09:02:43 -0500 Subject: [PATCH 32/44] try again --- tests/crd-controller/run-tests.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/crd-controller/run-tests.sh b/tests/crd-controller/run-tests.sh index 4ac2ab0c6..070b85643 100755 --- a/tests/crd-controller/run-tests.sh +++ b/tests/crd-controller/run-tests.sh @@ -43,7 +43,7 @@ create_kind_cluster() { docker cp kubectl e2e:/usr/local/bin/kubectl - if [[ ${kubernetesVersion:?} == "v.15.0" ]] + if [[ $K8S_VERSION == "v.15.0" ]] then kind_config="kind-config-1.15.yaml" else From bd81c551dd6a07d1290530af8c78e4cdb171eda9 Mon Sep 17 00:00:00 2001 From: omerlh Date: Wed, 14 Aug 2019 09:39:49 -0500 Subject: [PATCH 33/44] pleaseeee --- tests/crd-controller/run-tests.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/crd-controller/run-tests.sh b/tests/crd-controller/run-tests.sh index 070b85643..06a9622ec 100755 --- a/tests/crd-controller/run-tests.sh +++ b/tests/crd-controller/run-tests.sh @@ -43,7 +43,7 @@ create_kind_cluster() { docker cp kubectl e2e:/usr/local/bin/kubectl - if [[ $K8S_VERSION == "v.15.0" ]] + if [[ $K8S_VERSION == "v1.15.0" ]] then kind_config="kind-config-1.15.yaml" else From 6c8f091e4272262e2ae1ebcc2c37105fbcfd874f Mon Sep 17 00:00:00 2001 From: omerlh Date: Sun, 1 Sep 2019 18:05:03 +0300 Subject: [PATCH 34/44] added logging --- .../ConversionWebhookController.cs | 52 ++++++++++++------- 1 file changed, 34 insertions(+), 18 deletions(-) diff --git a/src/crd-controller/Controllers/ConversionWebhookController.cs b/src/crd-controller/Controllers/ConversionWebhookController.cs index 9a1b3d2a1..fe2c0eff7 100644 --- a/src/crd-controller/Controllers/ConversionWebhookController.cs +++ b/src/crd-controller/Controllers/ConversionWebhookController.cs 
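Review bot: `[[ $K8S_VERSION == "v1.15.0" ]]` in `create_kind_cluster` picks the gate-free config for exactly one patch release; `v1.15.1` or any later minor falls through to `kind-config.yaml` and re-enables an alpha gate that newer kubeadm may reject as unknown or already graduated. A glob such as `if [[ $K8S_VERSION == v1.15* ]]` fixes the immediate case, and a real version comparison (`sort -V`) would express the actual rule: below 1.15 needs the gate, 1.15 and up does not. The rest of the function is outside the hunk.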
@@ -1,28 +1,49 @@ using System; -using System.Collections.Generic; using System.Linq; using CustomResourceDescriptorController.Models; using k8s.Models; using Microsoft.AspNetCore.Mvc; using Newtonsoft.Json.Linq; +using Serilog; namespace CustomResourceDescriptorController.Controllers { public class ConversionWebhookController : Controller { + private readonly ILogger mLogger = Log.ForContext(); + [HttpPost] [Route("/api/v1/conversion-webhook")] public ActionResult Convert([FromBody]ConversionReview conversionReview) { - var response = new ConversionReviewResponse + ConversionReviewResponse response; + + mLogger.Information("Received conversion request"); + try { - UID = conversionReview.Request.UID, - ConvertedObjects = conversionReview.Request.Objects.Select(o => Convert(o, conversionReview.Request.DesiredAPIVersion)).ToArray(), - Result = new V1Status + response = new ConversionReviewResponse { - Status = "Success" - } - }; + UID = conversionReview.Request.UID, + ConvertedObjects = conversionReview.Request.Objects.Select(o => Convert(o, conversionReview.Request.DesiredAPIVersion)).ToArray(), + Result = new V1Status + { + Status = "Success" + } + }; + } + catch (Exception e) + { + mLogger.Error(e, "Coversation failed"); + response = new ConversionReviewResponse + { + UID = conversionReview.Request.UID, + Result = new V1Status + { + Status = "Failure", + Message = "Conversation failed, check logs for more details" + } + }; + } return new ConversionReview { @@ -36,6 +57,8 @@ private object Convert(JObject source, string desiredApiVersion) { var apiVersion = source.Value("apiVersion"); + mLogger.Information("Starting to convert from {apiVersion} to {desirediVersion}", apiVersion, desiredApiVersion); + switch (desiredApiVersion) { case "soluto.com/v1alpha1": 
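Review bot: The new `catch (Exception e)` in `Convert` dereferences `conversionReview.Request.UID` to build the failure response, so a body with a missing or malformed `request` — the case most likely to throw in the first place — raises a second NullReferenceException inside the handler and the API server gets a 500 instead of a `Failure` status. Capture the id up front with `var uid = conversionReview?.Request?.UID;`, return a `Failure` result early when `conversionReview?.Request?.Objects` is null, and use `uid` in both branches. Keeping `Message` generic is the right call, since the exception text will contain the caller-supplied apiVersion and belongs in the log only. Both log messages say "Coversation"/"Conversation" where "Conversion" is meant, and the method's return statement continues past the end of the hunk.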
@@ -54,9 +77,7 @@ private object Convert(JObject source, string desiredApiVersion) }; default: - Console.WriteLine("Oh no!"); - Console.WriteLine(apiVersion); - return null; + throw new InvalidOperationException($"Unsupported conversation from {apiVersion} to {desiredApiVersion}"); } @@ -77,16 +98,11 @@ private object Convert(JObject source, string desiredApiVersion) }; default: - Console.WriteLine("Oh no!"); - Console.WriteLine(apiVersion); - return null; - + throw new InvalidOperationException($"Unsupported conversation from {apiVersion} to {desiredApiVersion}"); } default: - Console.WriteLine("Oh no!"); - Console.WriteLine(apiVersion); - return null; + throw new InvalidOperationException($"Unsupported conversation from {apiVersion} to {desiredApiVersion}"); } } From 4c41106c93f9dbe626a1298ac3eb53551e1f88e6 Mon Sep 17 00:00:00 2001 From: omerlh Date: Sun, 1 Sep 2019 18:05:52 +0300 Subject: [PATCH 35/44] clarify docs --- site/content/docs/user/crd.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/content/docs/user/crd.md b/site/content/docs/user/crd.md index 424ac4a89..00b352e97 100644 --- a/site/content/docs/user/crd.md +++ b/site/content/docs/user/crd.md @@ -38,7 +38,7 @@ metadata: type: TlsSecret //The type of the secret that will be created stringData: //Put here all the encrypted data, that will be stored (decrypted) on the secret data key: J9NYLzTC/O44DvlCEZ+LfQ==:Cc9O5zQzFOyxwTD5ZHseqg== -data: //Put here base64 encoded data (usually, binary data like private keys in der format) +data: //Put here base64 encoded data (usually, binary data like private keys in der format) encrypted (e.g. encrypt the value after base64 encoding it) key2: J9NYLzTC/O44DvlCEZ+LfQ==:Cc9O5zQzFOyxwTD5ZHseqg== serviceAccount: some-sa //The service account used for encrypting the data ``` From 6826ab1186ec07db3eecbeabab4b23bb73f7f180 Mon Sep 17 00:00:00 2001 
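Review bot: The three identical `throw new InvalidOperationException($"Unsupported conversation from {apiVersion} to {desiredApiVersion}")` lines interpolate `apiVersion`, a string taken verbatim from the submitted object, into the exception message; that is acceptable while the message only reaches the log through the caller's catch block, and a comment to that effect (`// message contains caller-supplied apiVersion: log only, never return it in V1Status`) would keep it that way. The text should read "conversion", and the nested switch could fold the three `default:` arms into one by switching on the `(apiVersion, desiredApiVersion)` tuple, which also removes the duplicated string. The enclosing method starts before this hunk.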
From: omerlh Date: Wed, 4 Sep 2019 20:51:26 +0300 Subject: [PATCH 36/44] remove certificate from the dockerfile --- Dockerfile | 1 - tests/crd-controller/crd.yaml | 4 ++-- tests/crd-controller/deployment.yaml | 24 ++++++++++++++++++++---- 3 files changed, 22 insertions(+), 7 deletions(-) diff --git a/Dockerfile b/Dockerfile index 6b54532d6..8dadbd6d3 100644 --- a/Dockerfile +++ b/Dockerfile @@ -26,6 +26,5 @@ USER dotnet WORKDIR /home/dotnet/app ENV ASPNETCORE_URLS=http://+:9999 COPY --from=build-env /app/$PROJECT_NAME/obj/Docker/publish . -COPY --chown=dotnet:dotnet certificate.pfx /home/dotnet/https/aspnetapp.pfx ENTRYPOINT dotnet $PROJECT_NAME_ENV.dll diff --git a/tests/crd-controller/crd.yaml b/tests/crd-controller/crd.yaml index 8f5788212..56d65fc8f 100644 --- a/tests/crd-controller/crd.yaml +++ b/tests/crd-controller/crd.yaml 
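Review bot: Dropping `COPY --chown=dotnet:dotnet certificate.pfx` is correct — a PKCS#12 containing the private key inside a distributable image is a key disclosure — but the file is still in the build context and in git history; add `*.pfx` to `.dockerignore` and `.gitignore`, and treat the old key as compromised if any image built from the previous Dockerfile was pushed anywhere. The unchanged `ENV ASPNETCORE_URLS=http://+:9999` means the image still defaults to plain HTTP, so the HTTPS listener now exists only when the deployment sets the env vars; a one-line comment in the Dockerfile saying so would save the next person a surprise.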
@@ -59,7 +59,7 @@ spec: webhookClientConfig: service: namespace: default - name: kamus-decryptor + name: kamus-crd path: /api/v1/conversion-webhook - caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUV5RENDQXJBQ0NRRElnR3V4VUZkYWFUQU5CZ2txaGtpRzl3MEJBUXNGQURBbU1TUXdJZ1lEVlFRRERCdHIKWVcxMWN5MWtaV055ZVhCMGIzSXVaR1ZtWVhWc2RDNXpkbU13SGhjTk1Ua3dPREE0TVRReE56RTFXaGNOTWpBdwpPREEzTVRReE56RTFXakFtTVNRd0lnWURWUVFEREJ0cllXMTFjeTFrWldOeWVYQjBiM0l1WkdWbVlYVnNkQzV6CmRtTXdnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUtBb0lDQVFDd09xSEFuWWdzblhYQkNkODUKVlNjUDhUa3V5UjRQTERSWG4vV21icWMxQVkwV3UvMkRtRktLSU84a1Rrc1d4dUpwbklBVFlFTUVXN2JWaDVKNQpXTGhmNC84RFVxWXZuTndNK2k1Z3hmK25BM2l5N09zN24zZks1SU1BaU00YTJiU3NqU2oyU3NqTmJEZVJDTE1CCjNhMThPM1dsV2RNWTh1ZGs4dlB1L1BTOHhMYTZONldaZ1p4dVZETEhkYXkwaWVBR1pjTkZqVFl6U1pqa1VHSnAKblJkRTNUUlkwSkI0eE1wOG1DMGNJWGZUaEU0R1I0L0xLbU1NR3FQckhDM1ErUjZ5enZuWkNVYVpOanA2VGwvagpHKzV3TVNQRzFYU1g0anpZOFFxQjRRaDZzL2NZYVNyZEI5aStqQzltYlYwU0tjOVU4U1kyQzNkcDZML3ZZckliCnZKNTJZZWl6ZUtjSWFEVS9wQlBpQ3JzdXhwb0Q4YWRzMEhmUWZsY2Z1YlRhcGdWYkZYTVk4WW16UEpjaDRGMEoKSVQxWUd4QkZwYVhERlMrQmRWU2JtOFptdWhsVEdiVlJGQ2hjNHdhTW4wSkFYTDRtZVlITXRPcmtyNTUzdFNVWAovY1ZZY2FhcW13V2NFS3ZqVDZRa3dWMkN0OFd0Y3FnVTViaVlxaUsrRWlVNHBhZXI2OXlhY25EVW03dUREbDdDCm5VQitWY0pRNFpYOC9RbXVjOXBUY2xlVFBVVUNCRnNZaHZYYVVOWjRpNVpXQXZQQjJCaFRnZ3BuNEo0OHlpczgKRzlWZENMcEpiVEZXWTk1WmV2aXhWWXdCeEVrdmxOamxPT3o4Z29Xb0RUOGhsdUoxM1h5bUx0Tml3TFcvcHVwbQpCMFpJRmR1V05GSFJQWDF0cHZxUUhZMlhYUUlEQVFBQk1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQ0FRQ2NEN1hlCkNrN0lXaklzeElQUkpzS24wOVdlZ0UxbllmdXA3d1FmVGJZdjdvOVh2NWZKVGRCc3ZDdEVITWJuVDFxTmNGY1cKMnJvN0hCcVFyc2E4TnE3VGhyNnJrSHhabmd6bXUrMVFRamdrVTYxQTJNclVadS95UVk3TjJFbFBmWTlOcnhQeApGblpGalRqeDkxc081Y3BYbWgwaTBmcmo1QlNlb0poYndNOEVOa0ZqT3I4cVdvZWpQa2xoaGFaL1duZ243RGxNClI4WUtEMmFldVZJclptN05mdHNpZ3ZCSWttYTlrUDc2KzlRWjY3VDhZR2hOSVFqbmlIRzRkZWxlRDhibWxBamUKVE9iMGlxZlBFU3h3T2l0eUNwcEFoUERzcWVXRStUMHRBSXp3MTgxUmp2QTVyNmlTOEorVlk0N3lHRjRoVFYxTAoyZk1ST3hEVzdGYTJPblVxeFg4MkJHOHhpMVY2RGU2ekE0NlpnbjRzc2V4RmZDTW8rd3hL
ei9ISG1Cd3Yvb1BlCkkyZEo1UTR5Z0N4REZpcU5CbGRTZkNpU0RkdVZUdkFMWENsUjJwK1hnRnVJQ1BTdXFhamZySTdlTjVZVElFTHEKclVNdEJNMFNPVlhTM21sbHVkWDZkaDNUeWIzSXdVSVZVbENyRUFhVlF6YXdBYTlsUm1JQXZvdGRMME5VY0FpTAprUk5KZmFiNTZxSFE2SURkYm1tMGdVVUoxL3IrVzRGQ3c2dmkvL1JpbG16NEpHTW56d2dac21kZjF0YnJPUlA4CjRSWGdpQ2VLZjEydFY1akJFZmpaMDVzTUZITWRaY1lPK0JXYjZkVFRGWE1BcU81NmVMV3JScVluUVp4UlNLaEoKYzVZaFEyUUxrN0hIdG5KOFVQSmYzZlh2czQrK0lCZ3J2Q0o0bWc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== + caBundle: 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 \ No newline at end of file diff --git a/tests/crd-controller/deployment.yaml b/tests/crd-controller/deployment.yaml index 9189ef357..9c5c4e062 100644 --- a/tests/crd-controller/deployment.yaml +++ b/tests/crd-controller/deployment.yaml @@ -3,6 +3,14 @@ kind: ServiceAccount metadata: name: crd-controller --- +apiVersion: v1 +kind: Secret +metadata: + name: tls-certificate +type: Opaque +data: + certificate.pfx: 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 +--- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: @@ -32,7 +40,7 @@ roleRef: apiVersion: v1 kind: Service metadata: - name: kamus-decryptor + name: kamus-crd labels: app: kamus component: crd-controller @@ -77,9 +85,9 @@ spec: - name: ASPNETCORE_URLS value: "http://+:9999;https://+:8888" - name: ASPNETCORE_Kestrel__Certificates__Default__Path - value: "/home/dotnet/https/aspnetapp.pfx" + value: "/home/dotnet/https/certificate.pfx" - name: ASPNETCORE_Kestrel__Certificates__Default__Password - value: "" + value: "aaaa" livenessProbe: httpGet: path: /healthz @@ -87,4 +95,12 @@ spec: readinessProbe: httpGet: path: /healthz - port: 9999 \ No newline at end of file + port: 9999 + volumeMounts: + - name: foo + mountPath: "/home/dotnet/https/" + readOnly: true + volumes: + - name: foo + secret: + secretName: tls-certificate \ No newline at end of file From 03cb102ec576149a2ed113618a6a8a215b0fecdf Mon Sep 17 00:00:00 2001 
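Review bot: `ASPNETCORE_Kestrel__Certificates__Default__Password` is still a plain literal (`"aaaa"`) in the Deployment even though the pfx itself now lives in the `tls-certificate` Secret; put the password in that same Secret and read it with `secretKeyRef`, so neither half of the key material is visible in the manifest. The committed pfx in an `Opaque` Secret is also the private key for the webhook certificate — generate it in `run-tests.sh` rather than storing it in the repo. The volume and mount named `foo` should carry the Secret's name so the mount is self-describing.

```yaml
        - name: ASPNETCORE_Kestrel__Certificates__Default__Password
          valueFrom:
            secretKeyRef:
              name: tls-certificate
              key: pfx-password
# … unchanged: liveness and readiness probes …
        volumeMounts:
        - name: tls-certificate
          mountPath: "/home/dotnet/https/"
          readOnly: true
      volumes:
      - name: tls-certificate
        secret:
          secretName: tls-certificate
```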
From: omerlh Date: Wed, 4 Sep 2019 21:15:40 +0300 Subject: [PATCH 37/44] this time create the certificate for the proper name --- tests/crd-controller/crd.yaml | 2 +- tests/crd-controller/deployment.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/crd-controller/crd.yaml b/tests/crd-controller/crd.yaml index 56d65fc8f..e3aa8eb8b 100644 --- a/tests/crd-controller/crd.yaml +++ b/tests/crd-controller/crd.yaml @@ -61,5 +61,5 @@ spec: namespace: default name: kamus-crd path: /api/v1/conversion-webhook - caBundle: 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 + caBundle: 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 \ No newline at end of file diff --git a/tests/crd-controller/deployment.yaml b/tests/crd-controller/deployment.yaml index 9c5c4e062..d1f51e420 100644 --- a/tests/crd-controller/deployment.yaml +++ b/tests/crd-controller/deployment.yaml @@ -9,7 +9,7 @@ metadata: name: tls-certificate type: Opaque data: - certificate.pfx: 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 + certificate.pfx: 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 --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 From fea90fc256ba2c2a4f6259532f48818de96c2029 Mon Sep 17 00:00:00 2001 From: Omer Levi Hevroni Date: Thu, 5 Sep 2019 12:02:58 +0300 Subject: [PATCH 38/44] Update src/crd-controller/Startup.cs Co-Authored-By: Shai Katz --- src/crd-controller/Startup.cs | 1 - 1 file changed, 1 deletion(-) diff --git a/src/crd-controller/Startup.cs b/src/crd-controller/Startup.cs index 1a07a1faa..f3a7f2764 100644 --- a/src/crd-controller/Startup.cs +++ b/src/crd-controller/Startup.cs @@ -57,7 +57,6 @@ public void ConfigureServices (IServiceCollection services) { } ); - // services.AddHostedService(); services.AddHostedService(); services.AddHealthChecks() From bc02b159cf5a684b416774bf50bc59f449b10269 Mon Sep 17 00:00:00 2001 
From: Omer Levi Hevroni Date: Thu, 5 Sep 2019 12:03:17 +0300 Subject: [PATCH 39/44] Update tests/crd-controller/deployment.yaml Co-Authored-By: Shai Katz --- tests/crd-controller/deployment.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tests/crd-controller/deployment.yaml b/tests/crd-controller/deployment.yaml index d1f51e420..63d0cf8ed 100644 --- a/tests/crd-controller/deployment.yaml +++ b/tests/crd-controller/deployment.yaml @@ -44,7 +44,6 @@ metadata: labels: app: kamus component: crd-controller - chart: kamus-0.3.0 heritage: Tiller spec: type: ClusterIP @@ -103,4 +102,4 @@ spec: volumes: - name: foo secret: - secretName: tls-certificate \ No newline at end of file + secretName: tls-certificate From c53ac812e5bf1b49f4aca45450f79c377503dceb Mon Sep 17 00:00:00 2001 From: Omer Levi Hevroni Date: Thu, 5 Sep 2019 12:03:26 +0300 Subject: [PATCH 40/44] Update src/crd-controller/Models/V1Alpha2/KamusSecret.cs Co-Authored-By: Shai Katz --- src/crd-controller/Models/V1Alpha2/KamusSecret.cs | 1 - 1 file changed, 1 deletion(-) diff --git a/src/crd-controller/Models/V1Alpha2/KamusSecret.cs b/src/crd-controller/Models/V1Alpha2/KamusSecret.cs index 348fd84d9..1c56c7677 100644 --- a/src/crd-controller/Models/V1Alpha2/KamusSecret.cs +++ b/src/crd-controller/Models/V1Alpha2/KamusSecret.cs @@ -12,6 +12,5 @@ public class KamusSecret : KubernetesObject public V1ObjectMeta Metadata { get; set; } public string ServiceAccount { get; set; } - public string Status { get; set; } } } From 9eb09c553383e8b49965e58699e1598c0ba80b88 Mon Sep 17 00:00:00 2001 From: omerlh Date: Sun, 8 Sep 2019 08:17:09 +0300 Subject: [PATCH 41/44] fix CR comments --- .../Models/V1Alpha1/KamusSecret.cs | 2 -- tests/crd-controller/FlowTest.cs | 19 ++----------------- 2 files changed, 2 insertions(+), 19 deletions(-) diff --git a/src/crd-controller/Models/V1Alpha1/KamusSecret.cs b/src/crd-controller/Models/V1Alpha1/KamusSecret.cs index b33c22acb..d70ea798b 100644 
--- a/src/crd-controller/Models/V1Alpha1/KamusSecret.cs +++ b/src/crd-controller/Models/V1Alpha1/KamusSecret.cs @@ -10,7 +10,5 @@ public class KamusSecret : KubernetesObject public string Type { get; set; } public V1ObjectMeta Metadata { get; set; } public string ServiceAccount { get; set; } - - public string Status { get; set; } } } diff --git a/tests/crd-controller/FlowTest.cs b/tests/crd-controller/FlowTest.cs index 6a951b0e7..4078e007f 100644 --- a/tests/crd-controller/FlowTest.cs +++ b/tests/crd-controller/FlowTest.cs @@ -49,6 +49,7 @@ public async Task CreateKamusSecretV1Alpha1_SecretCreated() Assert.Equal("TlsSecret", v1Secret.Type); Assert.True(v1Secret.Data.ContainsKey("key")); + Assert.Equal("hello", Encoding.UTF8.GetString(v1Secret.Data["key"])); } [Fact] @@ -192,23 +193,7 @@ private async Task DeployController() RunKubectlCommand("apply -f deployment.yaml"); - Console.WriteLine("running ugly patch"); - - if (!string.IsNullOrEmpty(Environment.GetEnvironmentVariable("kubernetesVersion"))) - { - var version = Environment.GetEnvironmentVariable("kubernetesVersion").Split("."); - - if (version.Length == 3 && int.TryParse(version[1], out var minor)) - { - if (minor < 15) - { - Console.WriteLine("patching"); - File.WriteAllText("../../../crd.yaml", File.ReadAllText("crd.yaml").Replace("preserveUnknownFields: false", "")); - } - } - } - - RunKubectlCommand("apply -f crd.yaml --validate=false"); + RunKubectlCommand("apply -f crd.yaml"); var kubernetes = new Kubernetes(KubernetesClientConfiguration.BuildDefaultConfig()); From fe5aa7d0a2879652c0951e9315a7c2288914a65d Mon Sep 17 00:00:00 2001 From: omerlh Date: Mon, 9 Sep 2019 08:27:00 +0300 Subject: [PATCH 42/44] try to fix the build --- tests/crd-controller/FlowTest.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/crd-controller/FlowTest.cs b/tests/crd-controller/FlowTest.cs index 4078e007f..f4de519a2 100644 --- a/tests/crd-controller/FlowTest.cs +++ b/tests/crd-controller/FlowTest.cs 
@@ -193,7 +193,7 @@ private async Task DeployController() RunKubectlCommand("apply -f deployment.yaml"); - RunKubectlCommand("apply -f crd.yaml"); + RunKubectlCommand("apply -f crd.yaml --validate=false"); var kubernetes = new Kubernetes(KubernetesClientConfiguration.BuildDefaultConfig()); From 73c72343b2b61b374db9c6dce1964b8243f4d9ca Mon Sep 17 00:00:00 2001 From: omerlh Date: Mon, 9 Sep 2019 11:35:48 +0300 Subject: [PATCH 43/44] add comments --- tests/crd-controller/FlowTest.cs | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/crd-controller/FlowTest.cs b/tests/crd-controller/FlowTest.cs index f4de519a2..1a93a020d 100644 --- a/tests/crd-controller/FlowTest.cs +++ b/tests/crd-controller/FlowTest.cs @@ -193,6 +193,7 @@ private async Task DeployController() RunKubectlCommand("apply -f deployment.yaml"); + //The `--validate=false` is required because of `preserveUnknownFields` which is not support on k8s bellow 1.15 RunKubectlCommand("apply -f crd.yaml --validate=false"); var kubernetes = new Kubernetes(KubernetesClientConfiguration.BuildDefaultConfig()); From 8f8249ab6e60610a9663f085e7b66770ffa9a301 Mon Sep 17 00:00:00 2001 From: omerlh Date: Mon, 9 Sep 2019 11:39:41 +0300 Subject: [PATCH 44/44] version bump --- src/crd-controller/crd-controller.csproj | 2 +- src/decrypt-api/decrypt-api.csproj | 2 +- src/encrypt-api/encrypt-api.csproj | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/crd-controller/crd-controller.csproj b/src/crd-controller/crd-controller.csproj index 9f0b58f4d..85cb441a2 100644 --- a/src/crd-controller/crd-controller.csproj +++ b/src/crd-controller/crd-controller.csproj @@ -7,7 +7,7 @@ - 0.4.5.0 + 0.5.0.0 diff --git a/src/decrypt-api/decrypt-api.csproj b/src/decrypt-api/decrypt-api.csproj index 39e0ae9a5..2d77dc102 100644 --- a/src/decrypt-api/decrypt-api.csproj +++ b/src/decrypt-api/decrypt-api.csproj @@ -3,7 +3,7 @@ netcoreapp2.2 - 0.4.5.0 + 0.5.0.0 
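Review bot: The reinstated `RunKubectlCommand("apply -f crd.yaml --validate=false");` switches off client-side schema validation for the whole of crd.yaml, not only for the `preserveUnknownFields` key that older API servers reject, so any other mistake in the manifest now surfaces only as a server-side error, or not at all if the server simply prunes the unknown field. Because the harness moves straight on to constructing the Kubernetes client after the apply, consider having DeployController confirm the CRD was actually registered (for example by waiting on `kubectl get crd` for the resource name) instead of relying on the apply's exit status alone; I cannot tell whether the rest of DeployController already does this, as the method continues outside the hunk. The flag also lands here without a comment explaining why client-side validation has to be bypassed.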
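Review bot: The new comment above the kubectl line has two typos ("support", "bellow") and does not say which side of the validation fails, which is the detail a future reader needs when deciding whether the flag can be dropped; suggest `// --validate=false is required because crd.yaml uses preserveUnknownFields, which is not supported on Kubernetes below 1.15 and would otherwise fail kubectl's client-side validation there.` A space after `//` would also match the usual C# comment style. DeployController continues outside the hunk.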
diff --git a/src/encrypt-api/encrypt-api.csproj b/src/encrypt-api/encrypt-api.csproj index e41fefd15..5cc953a1c 100644 --- a/src/encrypt-api/encrypt-api.csproj +++ b/src/encrypt-api/encrypt-api.csproj @@ -3,7 +3,7 @@ netcoreapp2.2 - 0.4.5.0 + 0.5.0.0
