Mount client secret to providers

Signed-off-by: ezgidemirel <[email protected]>
awetomaton · Mar 21, 2023 · 19ff8a3 · 19ff8a3
1 parent 4fd933c
commit 19ff8a3
Show file tree

Hide file tree

Showing 16 changed files with 204 additions and 166 deletions.
diff --git a/apis/apiextensions/fn/proto/v1alpha1/run_function_grpc.pb.go b/apis/apiextensions/fn/proto/v1alpha1/run_function_grpc.pb.go
diff --git a/apis/pkg/v1/interfaces.go b/apis/pkg/v1/interfaces.go
@@ -380,6 +380,9 @@ type PackageRevision interface {
 
 	GetCommonLabels() map[string]string
 	SetCommonLabels(l map[string]string)
+
+	GetESSTLSSecretName() *string
+	SetESSTLSSecretName(s *string)
 }
 
 // GetCondition of this ProviderRevision.
@@ -514,6 +517,16 @@ func (p *ProviderRevision) SetWebhookTLSSecretName(b *string) {
 	p.Spec.WebhookTLSSecretName = b
 }
 
+// GetESSTLSSecretName of this ProviderRevision.
+func (p *ProviderRevision) GetESSTLSSecretName() *string {
+	return p.Spec.ESSTLSSecretName
+}
+
+// SetESSTLSSecretName of this ProviderRevision.
+func (p *ProviderRevision) SetESSTLSSecretName(s *string) {
+	p.Spec.ESSTLSSecretName = s
+}
+
 // GetCommonLabels of this ProviderRevision.
 func (p *ProviderRevision) GetCommonLabels() map[string]string {
 	return p.Spec.CommonLabels
@@ -656,6 +669,16 @@ func (p *ConfigurationRevision) SetWebhookTLSSecretName(b *string) {
 	p.Spec.WebhookTLSSecretName = b
 }
 
+// GetESSTLSSecretName of this ConfigurationRevision.
+func (p *ConfigurationRevision) GetESSTLSSecretName() *string {
+	return p.Spec.ESSTLSSecretName
+}
+
+// SetESSTLSSecretName of this ConfigurationRevision.
+func (p *ConfigurationRevision) SetESSTLSSecretName(s *string) {
+	p.Spec.ESSTLSSecretName = s
+}
+
 // GetCommonLabels of this ConfigurationRevision.
 func (p *ConfigurationRevision) GetCommonLabels() map[string]string {
 	return p.Spec.CommonLabels

diff --git a/apis/pkg/v1/revision_types.go b/apis/pkg/v1/revision_types.go
@@ -96,6 +96,11 @@ type PackageRevisionSpec struct {
 	// More info: http://kubernetes.io/docs/user-guide/labels
 	// +optional
 	CommonLabels map[string]string `json:"commonLabels,omitempty"`
+
+	// ESSTLSSecretName is the secret name of the TLS certificates that will be used
+	// by the provider for External Secret Stores.
+	// +optional
+	ESSTLSSecretName *string `json:"essTLSSecretName,omitempty"`
 }
 
 // PackageRevisionStatus represents the observed state of a PackageRevision.

diff --git a/apis/pkg/v1/zz_generated.deepcopy.go b/apis/pkg/v1/zz_generated.deepcopy.go
diff --git a/cluster/charts/crossplane/templates/deployment.yaml b/cluster/charts/crossplane/templates/deployment.yaml
@@ -151,6 +151,8 @@ spec:
           {{- if has "--enable-external-secret-stores" .Values.args }}
           - name: "ESS_CLIENT_CERTS_SECRET_NAME"
             value: ess-client-certs
+          - name: "ESS_TLS_CERTS_DIR"
+            value: /ess/tls
           {{- end }}
         {{- range $key, $value := .Values.extraEnvVarsCrossplane }}
           - name: {{ $key | replace "." "_" }}

diff --git a/cluster/charts/crossplane/templates/secret.yaml b/cluster/charts/crossplane/templates/secret.yaml
@@ -18,6 +18,26 @@ type: Opaque
 # deployment wouldn't be deployed at all with secret to mount not found error.
 apiVersion: v1
 kind: Secret
+metadata:
+  name: ess-ca-certs
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+---
+# The reason this is created empty and filled by the init container is that it's
+# mounted by the actual container, so if it wasn't created by Helm, then the
+# deployment wouldn't be deployed at all with secret to mount not found error.
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ess-server-certs
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+---
+# The reason this is created empty and filled by the init container is that it's
+# mounted by the actual container, so if it wasn't created by Helm, then the
+# deployment wouldn't be deployed at all with secret to mount not found error.
+apiVersion: v1
+kind: Secret
 metadata:
   name: ess-client-certs
   namespace: {{ .Release.Namespace }}

diff --git a/cluster/crds/pkg.crossplane.io_configurationrevisions.yaml b/cluster/crds/pkg.crossplane.io_configurationrevisions.yaml
@@ -80,6 +80,10 @@ spec:
                 description: DesiredState of the PackageRevision. Can be either Active
                   or Inactive.
                 type: string
+              essTLSSecretName:
+                description: ESSTLSSecretName is the secret name of the TLS certificates
+                  that will be used by the provider for External Secret Stores.
+                type: string
               ignoreCrossplaneConstraints:
                 default: false
                 description: IgnoreCrossplaneConstraints indicates to the package

diff --git a/cluster/crds/pkg.crossplane.io_providerrevisions.yaml b/cluster/crds/pkg.crossplane.io_providerrevisions.yaml
@@ -80,6 +80,10 @@ spec:
                 description: DesiredState of the PackageRevision. Can be either Active
                   or Inactive.
                 type: string
+              essTLSSecretName:
+                description: ESSTLSSecretName is the secret name of the TLS certificates
+                  that will be used by the provider for External Secret Stores.
+                type: string
               ignoreCrossplaneConstraints:
                 default: false
                 description: IgnoreCrossplaneConstraints indicates to the package

diff --git a/cluster/crds/secrets.crossplane.io_storeconfigs.yaml b/cluster/crds/secrets.crossplane.io_storeconfigs.yaml
@@ -118,11 +118,39 @@ spec:
                 required:
                 - auth
                 type: object
+              plugin:
+                description: Plugin configures External secret store as a plugin.
+                properties:
+                  configRef:
+                    description: ConfigRef contains store config reference info.
+                    properties:
+                      apiVersion:
+                        description: APIVersion of the referenced config.
+                        type: string
+                      kind:
+                        description: Kind of the referenced config.
+                        type: string
+                      name:
+                        description: Name of the referenced config.
+                        type: string
+                    required:
+                    - apiVersion
+                    - kind
+                    - name
+                    type: object
+                  endpoint:
+                    description: Endpoint is the endpoint of the gRPC server.
+                    type: string
+                type: object
               type:
                 default: Kubernetes
                 description: Type configures which secret store to be used. Only the
                   configuration block for this store will be used and others will
                   be ignored if provided. Default is Kubernetes.
+                enum:
+                - Kubernetes
+                - Vault
+                - Plugin
                 type: string
               vault:
                 description: Vault configures a Vault secret store.

diff --git a/cmd/crossplane/core/core.go b/cmd/crossplane/core/core.go
@@ -27,6 +27,7 @@ import (
 	"k8s.io/client-go/tools/leaderelection/resourcelock"
 	ctrl "sigs.k8s.io/controller-runtime"
 
+	"github.com/crossplane/crossplane-runtime/pkg/certificates"
 	"github.com/crossplane/crossplane-runtime/pkg/controller"
 	"github.com/crossplane/crossplane-runtime/pkg/errors"
 	"github.com/crossplane/crossplane-runtime/pkg/feature"
@@ -38,6 +39,7 @@ import (
 	"github.com/crossplane/crossplane/internal/controller/pkg"
 	pkgcontroller "github.com/crossplane/crossplane/internal/controller/pkg/controller"
 	"github.com/crossplane/crossplane/internal/features"
+	"github.com/crossplane/crossplane/internal/initializer"
 	"github.com/crossplane/crossplane/internal/transport"
 	"github.com/crossplane/crossplane/internal/xpkg"
 )
@@ -76,6 +78,7 @@ type startCommand struct {
 	SyncInterval     time.Duration `short:"s" help:"How often all resources will be double-checked for drift from the desired state." default:"1h"`
 	PollInterval     time.Duration `help:"How often individual resources will be checked for drift from the desired state." default:"1m"`
 	MaxReconcileRate int           `help:"The global maximum rate per second at which resources may checked for drift from the desired state." default:"10"`
+	ESSTLSCertsDir   string        `help:"The path of the folder which will store TLS certificates to be used by core Crossplane, External Secret Store plugins and providers." env:"ESS_TLS_CERTS_DIR"`
 
 	EnableCompositionRevisions bool `group:"Beta Features:" help:"Enable support for CompositionRevisions." default:"true"`
 
@@ -138,6 +141,21 @@ func (c *startCommand) Run(s *runtime.Scheme, log logging.Logger) error { //noli
 		Features:                feats,
 	}
 
+	if c.EnableExternalSecretStores {
+		feats.Enable(features.EnableAlphaExternalSecretStores)
+		log.Info("Alpha feature enabled", "flag", features.EnableAlphaExternalSecretStores)
+
+		tlsConfig, err := certificates.LoadMTLSConfig(c.ESSTLSCertsDir, initializer.SecretKeyCACert,
+			initializer.SecretKeyTLSCert, initializer.SecretKeyTLSKey, false)
+		if err != nil {
+			return errors.Wrap(err, "Cannot load TLS certificates")
+		}
+
+		o.ESSOptions = &controller.ESSOptions{
+			TLSConfig: tlsConfig,
+		}
+	}
+
 	if err := apiextensions.Setup(mgr, o); err != nil {
 		return errors.Wrap(err, "Cannot setup API extension controllers")
 	}

diff --git a/go.mod b/go.mod
@@ -22,7 +22,7 @@ require (
 	golang.org/x/sync v0.1.0
 	golang.org/x/sys v0.5.0
 	google.golang.org/grpc v1.50.1
-	google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0
+	google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.2.0
 	google.golang.org/protobuf v1.28.2-0.20220831092852-f930b1dc76e8
 	k8s.io/api v0.26.2
 	k8s.io/apiextensions-apiserver v0.26.2
@@ -36,8 +36,10 @@ require (
 	sigs.k8s.io/yaml v1.3.0
 )
 
+require cloud.google.com/go/compute/metadata v0.2.3 // indirect
+
 require (
-	cloud.google.com/go/compute v1.6.1 // indirect
+	cloud.google.com/go/compute v1.14.0 // indirect
 	github.com/Azure/azure-sdk-for-go v64.1.0+incompatible // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
@@ -178,14 +180,14 @@ require (
 	golang.org/x/crypto v0.5.0 // indirect
 	golang.org/x/mod v0.7.0 // indirect
 	golang.org/x/net v0.7.0 // indirect; indirect // indirect
-	golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5 // indirect
+	golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783 // indirect
 	golang.org/x/term v0.5.0 // indirect
 	golang.org/x/text v0.7.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	golang.org/x/tools v0.4.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20221027153422-115e99e71e1c // indirect
+	google.golang.org/genproto v0.0.0-20221202195650-67e5cbc046fd // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/square/go-jose.v2 v2.5.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
@@ -198,3 +200,5 @@ require (
 	sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 )
+
+replace github.com/crossplane/crossplane-runtime => github.com/ezgidemirel/crossplane-runtime v0.17.0-rc.0.0.20230321144608-740435b7d8d0