Skip to content

Commit

Permalink
#29 - implement support Azure key vault for store SOPS Age keys
Browse files Browse the repository at this point in the history
  • Loading branch information
apanasiuk-el committed Dec 11, 2024
1 parent 358d4e6 commit 57c742a
Show file tree
Hide file tree
Showing 12 changed files with 439 additions and 35 deletions.
9 changes: 8 additions & 1 deletion cmd/cluster.go
Original file line number Diff line number Diff line change
Expand Up @@ -337,9 +337,16 @@ func (cc *ClusterCommands) provisionDestroyTargetCluster() error {
return err
}
case azure_provider.AzureClusterProvider:
// Pre-provision hook for Azure
if err := cc.createAzureSecrets(cc.Conf.AzureConfigure); err != nil {
return err
}
case google_provider.GoogleClusterProvider:
// Pre-provision hook for GCP
//if err := cc.createGCPNATGateway(); err != nil {
// return err
//}

//return nil
}

cc.SpecCMD = cc.prepareHelmfile("--log-level", "error", "-l", "cluster="+cc.Conf.ClusterProvider, "sync")
Expand Down
5 changes: 5 additions & 0 deletions cmd/cluster_capg.go
Original file line number Diff line number Diff line change
Expand Up @@ -85,3 +85,8 @@ func (cc *ClusterCommands) getGCPClusterContext() ([]byte, error) {
return google_provider.NewGCPConfigure(cc.Ctx.Context, cc.Conf.GCPConfigure.AppCredentialsPath).
GetGCPClusterContext(cc.Conf.Name)
}

//func (cc *ClusterCommands) createGCPNATGateway() error {
// return google_provider.NewGCPConfigure(cc.Ctx.Context, cc.Conf.GCPConfigure.AppCredentialsPath).
// CreateGateway()
//}
40 changes: 39 additions & 1 deletion cmd/cluster_capz.go
Original file line number Diff line number Diff line change
Expand Up @@ -3,12 +3,14 @@ package cmd
import (
"os"
"path/filepath"
"strings"

corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
v1 "k8s.io/client-go/applyconfigurations/core/v1"

"rmk/providers/azure_provider"
"rmk/util"
)

const (
Expand Down Expand Up @@ -140,9 +142,45 @@ func (cc *ClusterCommands) applyAzureClusterIdentity() error {
func (cc *ClusterCommands) getAzureClusterContext() ([]byte, error) {
ac := azure_provider.NewAzureConfigure()

if err := ac.NewAzureManagedClustersClient(cc.Ctx.Context, cc.Conf.Name); err != nil {
if err := ac.NewAzureClient(cc.Ctx.Context, cc.Conf.Name); err != nil {
return nil, err
}

return ac.GetAzureClusterContext(cc.Conf.Tenant, cc.Conf.Name)
}

func (cc *ClusterCommands) createAzureSecrets(ac *azure_provider.AzureConfigure) error {
if err := ac.NewAzureClient(cc.Ctx.Context, cc.Conf.Name); err != nil {
return err
}

secrets, err := ac.GetAzureSecrets()
if err != nil {
return err
}

if len(secrets) > 0 {
return err
}

walkMatch, err := util.WalkMatch(cc.Conf.SopsAgeKeys, cc.Conf.Tenant+"*"+util.SopsAgeKeyExt)
if err != nil {
return err
}

for _, val := range walkMatch {
file, err := os.ReadFile(val)
if err != nil {
return err
}

keyName := strings.TrimSuffix(filepath.Base(val), util.SopsAgeKeyExt)
value := string(file)

if err := ac.SetAzureSecret(keyName, value); err != nil {
return err
}
}

return nil
}
42 changes: 35 additions & 7 deletions cmd/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ import (
"encoding/json"
"fmt"
"os"
"path/filepath"
"regexp"
"strconv"
"strings"
Expand Down Expand Up @@ -325,6 +326,10 @@ func initAzureProfile(c *cli.Context, conf *config.Config, gitSpec *git_handler.
ac.ClientSecret = c.String("azure-client-secret")
}

if c.IsSet("azure-location") {
ac.Location = c.String("azure-location")
}

if c.IsSet("azure-subscription-id") {
ac.SubscriptionID = c.String("azure-subscription-id")
}
Expand All @@ -343,6 +348,35 @@ func initAzureProfile(c *cli.Context, conf *config.Config, gitSpec *git_handler.
return err
}

if err := ac.NewAzureClient(c.Context, gitSpec.ID); err != nil {
return err
}

ok, err := ac.GetAzureKeyVault(conf.Tenant)
if err != nil {
return err
}

if !ok {
err := ac.CreateAzureKeyVault(conf.Tenant)
if err != nil {
return err
}
} else {
secrets, err := ac.GetAzureSecrets()
if err != nil {
return err
}

for key, val := range secrets {
zap.S().Infof("download Azure key vault secret %s to %s",
key, filepath.Join(conf.SopsAgeKeys, key+util.SopsAgeKeyExt))
if err := os.WriteFile(filepath.Join(conf.SopsAgeKeys, key+util.SopsAgeKeyExt), val, 0644); err != nil {
return err
}
}
}

return nil
}

Expand Down Expand Up @@ -432,6 +466,7 @@ func configInitAction(conf *config.Config, gitSpec *git_handler.GitSpec) cli.Act
conf.ClusterProvider = c.String("cluster-provider")
conf.ProgressBar = c.Bool("progress-bar")
conf.GitHubToken = c.String("github-token")
conf.SopsAgeKeys = util.GetHomePath(util.RMKDir, util.SopsRootName, conf.Tenant)
zap.S().Infof("RMK will use values for %s environment", conf.Environment)

if c.Bool("slack-notifications") {
Expand All @@ -453,29 +488,22 @@ func configInitAction(conf *config.Config, gitSpec *git_handler.GitSpec) cli.Act
if err := initAWSProfile(c, conf, gitSpec); err != nil {
return err
}

conf.SopsAgeKeys = util.GetHomePath(util.RMKDir, util.SopsRootName, conf.Tenant+"-"+util.SopsRootName+"-"+aws_provider.AWSClusterProvider)
case azure_provider.AzureClusterProvider:
conf.AwsConfigure = nil
conf.GCPConfigure = nil
if err := initAzureProfile(c, conf, gitSpec); err != nil {
return err
}

conf.SopsAgeKeys = util.GetHomePath(util.RMKDir, util.SopsRootName, conf.Tenant+"-"+util.SopsRootName+"-"+azure_provider.AzureClusterProvider)
case google_provider.GoogleClusterProvider:
conf.AwsConfigure = nil
conf.AzureConfigure = nil
if err := initGCPProfile(c, conf, gitSpec); err != nil {
return err
}

conf.SopsAgeKeys = util.GetHomePath(util.RMKDir, util.SopsRootName, conf.Tenant+"-"+util.SopsRootName+"-"+google_provider.GoogleClusterProvider)
case util.LocalClusterProvider:
conf.AwsConfigure = nil
conf.AzureConfigure = nil
conf.GCPConfigure = nil
conf.SopsAgeKeys = util.GetHomePath(util.RMKDir, util.SopsRootName, conf.Tenant+"-"+util.SopsRootName+"-"+util.LocalClusterProvider)
}

if err := conf.InitConfig().SetRootDomain(c, gitSpec.ID); err != nil {
Expand Down
7 changes: 7 additions & 0 deletions cmd/flags.go
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,13 @@ func flagsConfig() []cli.Flag {
Aliases: []string{"azp"},
EnvVars: []string{"RMK_AZURE_CLIENT_SECRET", "AZURE_CLIENT_SECRET"},
},
&cli.StringFlag{
Category: azureFlagsCategory,
Name: "azure-location",
Usage: "Azure location region",
Aliases: []string{"azl"},
EnvVars: []string{"RMK_AZURE_LOCATION", "AZURE_LOCATION"},
},
&cli.BoolFlag{
Category: azureFlagsCategory,
Name: "azure-service-principle",
Expand Down
1 change: 1 addition & 0 deletions cmd/release.go
Original file line number Diff line number Diff line change
Expand Up @@ -163,6 +163,7 @@ func (rc *ReleaseCommands) prepareHelmfile(args ...string) *util.SpecCMD {
)
case azure_provider.AzureClusterProvider:
envs = append(envs,
"AZURE_LOCATION="+rc.Conf.AzureConfigure.Location,
"AZURE_SUBSCRIPTION_ID="+rc.Conf.AzureConfigure.SubscriptionID,
)
case google_provider.GoogleClusterProvider:
Expand Down
73 changes: 71 additions & 2 deletions cmd/secret.go
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,9 @@ import (
"gopkg.in/yaml.v3"

"rmk/config"
"rmk/providers/aws_provider"
"rmk/providers/azure_provider"
"rmk/providers/google_provider"
"rmk/util"
)

Expand Down Expand Up @@ -150,6 +153,72 @@ func (sc *SecretCommands) CreateKeys() error {
return nil
}

func (sc *SecretCommands) DownloadKeys() error {
switch sc.Conf.ClusterProvider {
case aws_provider.AWSClusterProvider:
return nil
case azure_provider.AzureClusterProvider:
if err := sc.Conf.NewAzureClient(sc.Ctx.Context, sc.Conf.Name); err != nil {
return err
}

secrets, err := sc.Conf.GetAzureSecrets()
if err != nil {
return err
}

for key, val := range secrets {
zap.S().Infof("download Azure key vault secret %s to %s",
key, filepath.Join(sc.Conf.SopsAgeKeys, key+util.SopsAgeKeyExt))
if err := os.WriteFile(filepath.Join(sc.Conf.SopsAgeKeys, key+util.SopsAgeKeyExt), val, 0644); err != nil {
return err
}
}

return nil
case google_provider.GoogleClusterProvider:
return nil
default:
return nil
}
}

func (sc *SecretCommands) UploadKeys() error {
switch sc.Conf.ClusterProvider {
case aws_provider.AWSClusterProvider:
return nil
case azure_provider.AzureClusterProvider:
if err := sc.Conf.NewAzureClient(sc.Ctx.Context, sc.Conf.Name); err != nil {
return err
}

walkMatch, err := util.WalkMatch(sc.Conf.SopsAgeKeys, sc.Conf.Tenant+"*"+util.SopsAgeKeyExt)
if err != nil {
return err
}

for _, val := range walkMatch {
file, err := os.ReadFile(val)
if err != nil {
return err
}

keyName := strings.TrimSuffix(filepath.Base(val), util.SopsAgeKeyExt)
value := string(file)

if err := sc.Conf.SetAzureSecret(keyName, value); err != nil {
return err
}
}

return nil
case google_provider.GoogleClusterProvider:
return nil
default:
return nil
}
}

func (sc *SecretCommands) getOptionFiles(option string) ([]string, error) {
var optionFiles, optionPaths []string
var check int
Expand Down Expand Up @@ -420,7 +489,7 @@ func secretKeysDownloadAction(conf *config.Config) cli.ActionFunc {
return err
}

return conf.DownloadFromBucket("", conf.SopsBucketName, conf.SopsAgeKeys, conf.Tenant)
return newSecretCommands(conf, c, util.GetPwdPath("")).DownloadKeys()
}
}

Expand All @@ -430,7 +499,7 @@ func secretKeysUploadAction(conf *config.Config) cli.ActionFunc {
return err
}

return conf.UploadToBucket(conf.SopsBucketName, conf.SopsAgeKeys, "*"+util.SopsAgeKeyExt)
return newSecretCommands(conf, c, util.GetPwdPath("")).UploadKeys()
}
}

Expand Down
1 change: 0 additions & 1 deletion config/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,6 @@ type Config struct {
SlackChannel string `yaml:"slack-channel,omitempty"`
SlackMsgDetails []string `yaml:"slack-message-details,omitempty"`
SopsAgeKeys string `yaml:"sops-age-keys,omitempty"`
SopsBucketName string `yaml:"sops-bucket-name,omitempty"`
AWSMFAProfile string `yaml:"aws-mfa-profile,omitempty"`
AWSMFATokenExpiration string `yaml:"aws-mfa-token-expiration,omitempty"`
*aws_provider.AwsConfigure `yaml:"aws,omitempty"`
Expand Down
6 changes: 5 additions & 1 deletion go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,12 @@ toolchain go1.22.8

require (
cloud.google.com/go/auth v0.10.2
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0
github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets v0.12.0
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v6 v6.1.0
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault v1.4.0
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0
github.com/Masterminds/semver v1.5.0
github.com/Masterminds/sprig/v3 v3.2.3
github.com/aws/aws-sdk-go-v2 v1.32.3
Expand Down Expand Up @@ -45,8 +49,8 @@ require (
cloud.google.com/go/iam v1.1.6 // indirect
cloud.google.com/go/storage v1.39.1 // indirect
dario.cat/mergo v1.0.0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1 // indirect
github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect
github.com/BurntSushi/toml v1.4.0 // indirect
github.com/Masterminds/goutils v1.1.1 // indirect
Expand Down
10 changes: 10 additions & 0 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -195,12 +195,22 @@ github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0 h1:tfLQ34V6F7tVSwoTf/4lH
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0/go.mod h1:9kIvujWAA58nmPmWB1m23fyWic1kYZMxD9CxaWn4Qpg=
github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 h1:ywEEhmNahHBihViHepv3xPBn1663uRv2t2q/ESv9seY=
github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0/go.mod h1:iZDifYGJTIgIIkYRNWPENUnqx6bJ2xnSDFI2tjwZNuY=
github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets v0.12.0 h1:xnO4sFyG8UH2fElBkcqLTOZsAajvKfnSlgBBW8dXYjw=
github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets v0.12.0/go.mod h1:XD3DIOOVgBCO03OleB1fHjgktVRFxlT++KwKgIOewdM=
github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1 h1:FbH3BbSb4bvGluTesZZ+ttN/MDsnMmQP36OSnDuSXqw=
github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1/go.mod h1:9V2j0jn9jDEkCkv8w/bKTNppX/d0FVA1ud77xCIP4KA=
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v5 v5.0.0 h1:5n7dPVqsWfVKw+ZiEKSd3Kzu7gwBkbEBkeXb8rgaE9Q=
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v5 v5.0.0/go.mod h1:HcZY0PHPo/7d75p99lB6lK0qYOP4vLRJUBpiehYXtLQ=
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v6 v6.1.0 h1:FvuejXWdMIPK6sY0Tt3lgb45BCVybrvmmnGCEC7a1i4=
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v6 v6.1.0/go.mod h1:drbnYtukMoZqUQq9hJASf41w3RB4VoTJPoPpe+XDHPU=
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v2 v2.0.0 h1:PTFGRSlMKCQelWwxUyYVEUqseBJVemLyqWJjvMyt0do=
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v2 v2.0.0/go.mod h1:LRr2FzBTQlONPPa5HREE5+RjSCTXl7BwOvYOaWTqCaI=
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v3 v3.1.0 h1:2qsIIvxVT+uE6yrNldntJKlLRgxGbZ85kgtz5SNBhMw=
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v3 v3.1.0/go.mod h1:AW8VEadnhw9xox+VaVd9sP7NjzOAnaZBLRH6Tq3cJ38=
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault v1.4.0 h1:HlZMUZW8S4P9oob1nCHxCCKrytxyLc+24nUJGssoEto=
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault v1.4.0/go.mod h1:StGsLbuJh06Bd8IBfnAlIFV3fLb+gkczONWf15hpX2E=
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/managementgroups/armmanagementgroups v1.0.0 h1:pPvTJ1dY0sA35JOeFq6TsY2xj6Z85Yo23Pj4wCCvu4o=
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/managementgroups/armmanagementgroups v1.0.0/go.mod h1:mLfWfj8v3jfWKsL9G4eoBoXVcsqcIUTapmdKy7uGOp0=
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0 h1:Dd+RhdJn0OTtVGaeDLZpcumkIVCtA/3/Fo42+eoYvVM=
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0/go.mod h1:5kakwfW5CjC9KK+Q4wjXAg+ShuIm2mBMua0ZFj2C8PE=
github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 h1:XHOnouVk1mxXfQidrMEnLlPk9UMeRtyBTnEFtxkV0kU=
Expand Down
Loading

0 comments on commit 57c742a

Please sign in to comment.