From 8e63d1e360be3bc33387fc702ff9837c0f70bdaf Mon Sep 17 00:00:00 2001 From: Shawn Hurley Date: Thu, 15 Feb 2018 15:13:43 -0500 Subject: [PATCH 1/4] Proposal for saving extracted credentials --- .../extracted_credentials_saved_as_secrets.md | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 docs/proposals/extracted_credentials_saved_as_secrets.md diff --git a/docs/proposals/extracted_credentials_saved_as_secrets.md b/docs/proposals/extracted_credentials_saved_as_secrets.md new file mode 100644 index 0000000000..9154f21b97 --- /dev/null +++ b/docs/proposals/extracted_credentials_saved_as_secrets.md 
@@ -0,0 +1,28 @@ +## Extracted Credentials Saved As Secrets + +Extracted Credentials are currently saved in our etcd for the service broker. This is not desirable for many reasons, but the two biggest are kubernetes already has a built-in way to manage this data, secrets, and when moving to CRDs we don't want to create a resource for extracted credentials. + +### Problem Description +The problem is that we should not manage data that is of a sensitive nature if we do not have to. This proposal is limited in scope and only interested in how we save the extracted credentials. It is worth noting that we should eventually be better about how we transmit this data to APBs. + +In our secret, we will save the data in the following format. +```yaml +data: + DB_PASSWORD: + DB_USERNAME: + .... +apiVersion: v1 +kind: Secret +metadata: + name: + namespace: +``` + +[Gob encoding](https://godoc.org/encoding/gob) will allow us to save arbitrary data in a key, and our secrets keys will look rational to a user who looks are our secret. + +The functions for saving and retrieving will be in the `clients` package. This means the callers will be required to use the underlying extracted credentials type `map[string]interface{}` because we do not want a circular dependency between `apb` package and `clients` package. + +### Work Items +- [ ] Add kubernetes client methods to save and retrieve extracted credentials to the [namespace](https://github.com/openshift/ansible-service-broker/blob/master/docs/config.md#openshift-configuration). +- [ ] Remove all dao implementation and interface methods regarding extracted credentials. +- [ ] Update all instances of saving and retrieving extracted credentials to use new methods. \ No newline at end of file From f7bc22590f4879e7a71ca711cae328ebfaf81c40 Mon Sep 17 00:00:00 2001 
From: Shawn Hurley Date: Thu, 15 Feb 2018 17:27:22 -0500 Subject: [PATCH 2/4] update to include more info about implementation * Deal with where extracted credentials will be updated. * Add more explict statements around the secrets. --- .../extracted_credentials_saved_as_secrets.md | 39 ++++++++++++++++--- 1 file changed, 34 insertions(+), 5 deletions(-) diff --git a/docs/proposals/extracted_credentials_saved_as_secrets.md b/docs/proposals/extracted_credentials_saved_as_secrets.md index 9154f21b97..07cfd25ea2 100644 --- a/docs/proposals/extracted_credentials_saved_as_secrets.md +++ b/docs/proposals/extracted_credentials_saved_as_secrets.md @@ -5,7 +5,7 @@ Extracted Credentials are currently saved in our etcd for the service broker. Th ### Problem Description The problem is that we should not manage data that is of a sensitive nature if we do not have to. This proposal is limited in scope and only interested in how we save the extracted credentials. It is worth noting that we should eventually be better about how we transmit this data to APBs. -In our secret, we will save the data in the following format. +In the secret, we will save the data in the following format. ```yaml data: DB_PASSWORD: 
@@ -18,11 +18,40 @@ metadata: namespace: ``` -[Gob encoding](https://godoc.org/encoding/gob) will allow us to save arbitrary data in a key, and our secrets keys will look rational to a user who looks are our secret. +[Gob encoding](https://godoc.org/encoding/gob) will allow us to save arbitrary data in the secret for a key. The secrets keys will look rational to a user who looks at the created secret. This user would need permissions to see the secret, but if someone is looking at the secret making it obvious what data is in there will be helpful. + +The functions for saving and retrieving will be in the `clients` package. This means the callers will be required to use the underlying extracted credentials type `map[string]interface{}` because we do not want a circular dependency between `apb` package and `clients` package. + +We will interact with the secrets from the namespace defined in the configuration by the `openshift.namespace` value. + +The APB package will now be required to do all CRUD operations for extracted credentials. The APB package will expose a single retrieve extracted credentials method, that will take a UUID (either service instance id or binding instance id) and returns an `apb` package extracted credentials object. + +Runtime package should be used to encapsulate the `clients` package calls. This will mean we have a default function for CRUD operations with extracted credentials. These default functions will be set to function vars at init of runtime. The function vars are then overrideable in the future. example: +```go +var SaveExtractedCredentials SaveExtractedCredentialsFunc +... + +func saveExtractedCredentials(...) { + ... + k8scli, err := clients.Kubernetes() + if err != nil { + ... + } + k8scli.Clients.CoreV1().Secrets()... + +} + +init { + SaveExtractedCredentials = saveExtractedCredentials + .... +} +``` -The functions for saving and retrieving will be in the `clients` package. 
This means the callers will be required to use the underlying extracted credentials type `map[string]interface{}` because we do not want a circular dependency between `apb` package and `clients` package. ### Work Items -- [ ] Add kubernetes client methods to save and retrieve extracted credentials to the [namespace](https://github.com/openshift/ansible-service-broker/blob/master/docs/config.md#openshift-configuration). +- [ ] Add kubernetes client methods to interact with extracted credentials to the [namespace](https://github.com/openshift/ansible-service-broker/blob/master/docs/config.md#openshift-configuration). +- [ ] Add runtime methods for interacting with extracted credentials. These methods should be overridable. - [ ] Remove all dao implementation and interface methods regarding extracted credentials. -- [ ] Update all instances of saving and retrieving extracted credentials to use new methods. \ No newline at end of file +- [ ] Remove all instances of interacting with dao extracted credentials in the `broker` package. Add back call to APB package to get extracted credentials when needed. +- [ ] Update APB package to create/save/delete extracted credentials for the correct actions. this should call the correct `runtime` package methods. +- [ ] Add exposed method on APB that will retrieve the extracted credentials. \ No newline at end of file From bd4dc32c08ed99d4b5ad58c30d5d11a7602fa603 Mon Sep 17 00:00:00 2001 From: Shawn Hurley Date: Fri, 16 Feb 2018 08:14:26 -0500 Subject: [PATCH 3/4] update based on comments --- docs/proposals/extracted_credentials_saved_as_secrets.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/proposals/extracted_credentials_saved_as_secrets.md b/docs/proposals/extracted_credentials_saved_as_secrets.md index 07cfd25ea2..3008a2d45b 100644 --- a/docs/proposals/extracted_credentials_saved_as_secrets.md +++ b/docs/proposals/extracted_credentials_saved_as_secrets.md 
@@ -16,6 +16,8 @@ kind: Secret metadata: name: namespace: + labels: + ``` [Gob encoding](https://godoc.org/encoding/gob) will allow us to save arbitrary data in the secret for a key. The secrets keys will look rational to a user who looks at the created secret. This user would need permissions to see the secret, but if someone is looking at the secret making it obvious what data is in there will be helpful. @@ -49,7 +51,7 @@ init { ### Work Items -- [ ] Add kubernetes client methods to interact with extracted credentials to the [namespace](https://github.com/openshift/ansible-service-broker/blob/master/docs/config.md#openshift-configuration). +- [ ] Add kubernetes client methods to interact with extracted credentials in the [namespace](https://github.com/openshift/ansible-service-broker/blob/master/docs/config.md#openshift-configuration). - [ ] Add runtime methods for interacting with extracted credentials. These methods should be overridable. - [ ] Remove all dao implementation and interface methods regarding extracted credentials. - [ ] Remove all instances of interacting with dao extracted credentials in the `broker` package. Add back call to APB package to get extracted credentials when needed. From ae4e103f5a0fa590d66fa621b904846f45f4fe4b Mon Sep 17 00:00:00 2001 From: Shawn Hurley Date: Fri, 16 Feb 2018 11:34:48 -0500 Subject: [PATCH 4/4] Updating runtime proposal. --- .../extracted_credentials_saved_as_secrets.md | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/docs/proposals/extracted_credentials_saved_as_secrets.md b/docs/proposals/extracted_credentials_saved_as_secrets.md index 3008a2d45b..7af8bf8da2 100644 --- a/docs/proposals/extracted_credentials_saved_as_secrets.md +++ b/docs/proposals/extracted_credentials_saved_as_secrets.md 
@@ -28,23 +28,28 @@ We will interact with the secrets from the namespace defined in the configuratio The APB package will now be required to do all CRUD operations for extracted credentials. The APB package will expose a single retrieve extracted credentials method, that will take a UUID (either service instance id or binding instance id) and returns an `apb` package extracted credentials object. -Runtime package should be used to encapsulate the `clients` package calls. This will mean we have a default function for CRUD operations with extracted credentials. These default functions will be set to function vars at init of runtime. The function vars are then overrideable in the future. example: +Runtime package should be used to encapsulate the `clients` package calls. This will mean we have a default functions for CRUD operations with extracted credentials. These default functions will be attached to a default struct and the default struct will be unexported. the NewRuntime function will now have a parameter of an ExtractedCredentials interface. If this interface is nil we will use the default struct. to function vars at init of runtime. The function vars are then overrideable in the future. example: ```go -var SaveExtractedCredentials SaveExtractedCredentialsFunc -... -func saveExtractedCredentials(...) { +type defaultExtCreds struct{} + +func (d defaultExtCreds) saveExtractedCredentials(...) { ... k8scli, err := clients.Kubernetes() if err != nil { ... } k8scli.Clients.CoreV1().Secrets()... - } +... -init { - SaveExtractedCredentials = saveExtractedCredentials +type ExtractedCredentials interface { + // Saves the extracted credentials. + // string - Id or name of the extracted credntials. + // string - namespace or location information for the extracted credentials. + // map[strin]interface{} - extracted credentials + // map[string]string - labels or other metadata to associate with the extracted credentials. 
+ SaveExtractedCredentials(string, string, map[string]interface{}, map[string]string) error .... } ```
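Review bot: in the PATCH 1/4 hunk (`@@ -0,0 +1,28 @@`), the sample Secret lists `DB_PASSWORD:` and `DB_USERNAME:` directly under `data:`, but the Kubernetes Secret `data` field holds base64-encoded bytes; either present the keys under `stringData:` for the plain-text form or say that the gob-encoded bytes are base64-encoded by the API. The Problem Description should also be explicit that a Secret still lives in etcd, so the gain is RBAC scoping and the standard API rather than removal from etcd; unless encryption at rest is configured for secrets, the bytes are stored in the clear, and the proposal should state the verbs (get/create/update/delete on secrets in the configured namespace) the broker's service account needs so the role can be kept that narrow.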
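Review bot: in the PATCH 2/4 hunk (`@@ -18,11 +18,40 @@`), the Go sketch uses `init {`, which does not compile; it should be `func init() {`. Exposing the CRUD operations as package-level function vars that "are then overrideable" makes the credential save path global mutable state that any importer can replace; if the goal is test injection, an interface passed to the runtime constructor keeps the override surface explicit. The gob paragraph also needs a caveat: values inside a `map[string]interface{}` beyond the basic types (a nested map or a `[]interface{}` from decoded JSON) must be registered with `gob.Register` before encoding or `Encode` returns an error, so the save path should register them or the proposal should limit values to flat strings.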
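Review bot: in the PATCH 3/4 hunk (`@@ -16,6 +16,8 @@`), `labels:` is added to the metadata with no example value; since the Work Items include deleting extracted credentials and the retrieve method takes a service instance or binding id, the proposal should state which labels the broker sets (one carrying the owning instance or binding id and one marking the secret as broker-managed) so cleanup can use a label selector and the broker never deletes unrelated secrets in the shared namespace.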
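Review bot: in the PATCH 4/4 hunk (`@@ -28,23 +28,28 @@`), the default struct's method is `func (d defaultExtCreds) saveExtractedCredentials(...)` while the interface declares `SaveExtractedCredentials(string, string, map[string]interface{}, map[string]string) error`, so `defaultExtCreds` would not satisfy `ExtractedCredentials`; the method must use the exported name. The prose still carries the old fragment "to function vars at init of runtime. The function vars are then overrideable in the future.", which contradicts the interface design and should be dropped, and "a default functions" / "the NewRuntime" need fixing. The interface comments have typos ("credntials", "map[strin]interface{}"); and because the first two parameters are both `string`, a caller can silently swap id and namespace, so named parameters or a small request struct would make the signature harder to misuse.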