feat: Kubernetes Secrets Backend

Signed-off-by: Lucas Fontes <[email protected]>
wasmCloud · Jul 31, 2024 · 13660cb · 13660cb
1 parent df9f783
commit 13660cb
Show file tree

Hide file tree

Showing 19 changed files with 1,695 additions and 0 deletions.
diff --git a/secrets/secrets-kubernetes/Dockerfile b/secrets/secrets-kubernetes/Dockerfile
@@ -0,0 +1,24 @@
+FROM golang:1.22 AS builder
+ARG TARGETOS=linux
+ARG TARGETARCH=amd64
+
+WORKDIR /workspace
+COPY go.* .
+RUN go mod download
+
+COPY *.go .
+COPY pkg/ pkg/
+
+RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -a -o secrets-kubernetes
+
+FROM gcr.io/distroless/static-debian12:debug AS debug
+COPY --from=builder /workspace/secrets-kubernetes .
+USER 65532:65532
+ENTRYPOINT ["/secrets-kubernetes"]
+
+FROM gcr.io/distroless/static-debian12:nonroot AS release
+WORKDIR /
+COPY --from=builder /workspace/secrets-kubernetes .
+USER 65532:65532
+
+ENTRYPOINT ["/secrets-kubernetes"]
diff --git a/secrets/secrets-kubernetes/Makefile b/secrets/secrets-kubernetes/Makefile
@@ -0,0 +1,13 @@
+VERSION?=dev
+IMG?=ghcr.io/wasmcloud/contrib/secrets-kubernetes:$(VERSION)
+
+build:
+	docker build -t $(IMG) $(PWD)
+
+dev-init:
+	kubectl apply -k deploy/dev
+dev-deploy: build
+	kubectl -n wasmcloud-secrets rollout restart deployment --selector=app=wasmcloud-secrets
+dev-logs:
+	while true; do kubectl -n wasmcloud-secrets logs -f -l=app=wasmcloud-secrets; sleep 1; done
+
diff --git a/secrets/secrets-kubernetes/deploy/base/deployment.yaml b/secrets/secrets-kubernetes/deploy/base/deployment.yaml
@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: wasmcloud-secrets
+  name: wasmcloud-secrets
+spec:
+  selector:
+    matchLabels:
+      app: wasmcloud-secrets
+  template:
+    metadata:
+      labels:
+        app: wasmcloud-secrets
+    spec:
+      containers:
+        - image: wasmcloud-secrets
+          imagePullPolicy: IfNotPresent
+          name: wasmcloud-secrets
diff --git a/secrets/secrets-kubernetes/deploy/base/kustomization.yaml b/secrets/secrets-kubernetes/deploy/base/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - deployment.yaml
+namespace: wasmcloud-secrets
diff --git a/secrets/secrets-kubernetes/deploy/base/namespace.yaml b/secrets/secrets-kubernetes/deploy/base/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: wasmcloud-secrets
diff --git a/secrets/secrets-kubernetes/deploy/dev/kustomization.yaml b/secrets/secrets-kubernetes/deploy/dev/kustomization.yaml
@@ -0,0 +1,21 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../impersonation/
+
+images:
+  - name: wasmcloud-secrets
+    newName: ghcr.io/wasmcloud/contrib/secrets-kubernetes
+    newTag: dev
+
+patches:
+  - patch: |-
+      - op: replace
+        path: "/spec/template/spec/containers/0/args"
+        value:
+          - "--backend-seed=SXAD2NAUWO6YNEFMY4FQT7D45VLLWFOZDVHCENMPHCWA6ABBLZ4OBBKGKQ"
+          - "--nats-url=nats.default.svc.cluster.local:4222"
+    target:
+      kind: Deployment
+      namespace: wasmcloud-secrets
+      name: wasmcloud-secrets
diff --git a/secrets/secrets-kubernetes/deploy/impersonation/README.md b/secrets/secrets-kubernetes/deploy/impersonation/README.md
@@ -0,0 +1,40 @@
+# RBAC example
+
+- `default.yaml`: Allows the secrets backend to see all secrets in the `default` namespace, without impersonation.
+- `cluster-wide.yaml`: Creates an impersonation target `wasmcloud-secrets-privileged`, which can read secrets in any namespace.
+
+wadm snippets
+
+```
+spec:
+  policies:
+    - name: rust-hello-world-secrets-default
+      type: policy.secret.wasmcloud.dev/v1alpha1
+      properties:
+        backend: kube
+    - name: rust-hello-world-secrets-impersonation
+      type: policy.secret.wasmcloud.dev/v1alpha1
+      properties:
+        backend: kube
+        impersonate: wasmcloud-secrets-privileged
+        namespace: kube-system
+
+  components:
+    - name: http-component
+      type: component
+      properties:
+        image: ....
+        secrets:
+          # secret in 'kube-system' namespace
+          - name: example-impersonated
+            properties:
+              policy: rust-hello-world-secrets-impersonation
+              key: k3s-serving
+              field: tls.crt
+          # secret in 'default' namespace
+          - name: example
+            properties:
+              policy: rust-hello-world-secrets-default
+              key: cluster-secrets
+              field: api-password
+```
diff --git a/secrets/secrets-kubernetes/deploy/impersonation/cluster-wide.yaml b/secrets/secrets-kubernetes/deploy/impersonation/cluster-wide.yaml
@@ -0,0 +1,46 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: wasmcloud-secrets-privileged
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: wasmcloud-secrets-privileged
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: wasmcloud-secrets-privileged
+subjects:
+  - kind: User
+    name: wasmcloud-secrets-privileged
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: wasmcloud-secrets-impersonation
+rules:
+  - apiGroups: [""]
+    resources: ["users"]
+    verbs: ["impersonate"]
+    resourceNames:
+      - wasmcloud-secrets-privileged
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: wasmcloud-secrets-impersonation
+  namespace: wasmcloud-secrets
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: wasmcloud-secrets-impersonation
+subjects:
+  - kind: ServiceAccount
+    name: "default"
+    namespace: "wasmcloud-secrets"
diff --git a/secrets/secrets-kubernetes/deploy/impersonation/default.yaml b/secrets/secrets-kubernetes/deploy/impersonation/default.yaml
@@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: wasmcloud-secrets-reader-default
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: wasmcloud-secrets-reader-default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: wasmcloud-secrets-reader-default
+subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: User
+    name: "system:serviceaccount:wasmcloud-secrets:default"
diff --git a/secrets/secrets-kubernetes/deploy/impersonation/kustomization.yaml b/secrets/secrets-kubernetes/deploy/impersonation/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../base/
+  - default.yaml
+  - cluster-wide.yaml
diff --git a/secrets/secrets-kubernetes/go.mod b/secrets/secrets-kubernetes/go.mod
@@ -0,0 +1,59 @@
+module github.com/wasmCloud/wasmCloud-contrib/secrets/secrets-kubernetes
+
+go 1.22.5
+
+require (
+	github.com/golang-jwt/jwt/v5 v5.2.1
+	github.com/nats-io/nats-server/v2 v2.10.18
+	github.com/nats-io/nats.go v1.36.0
+	github.com/nats-io/nkeys v0.4.7
+	k8s.io/apimachinery v0.30.1
+	k8s.io/client-go v0.30.1
+)
+
+require (
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
+	github.com/go-logr/logr v1.4.1 // indirect
+	github.com/go-openapi/jsonpointer v0.19.6 // indirect
+	github.com/go-openapi/jsonreference v0.20.2 // indirect
+	github.com/go-openapi/swag v0.22.3 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/google/gnostic-models v0.6.8 // indirect
+	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/google/uuid v1.3.0 // indirect
+	github.com/imdario/mergo v0.3.6 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/klauspost/compress v1.17.9 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/minio/highwayhash v1.0.3 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/nats-io/jwt/v2 v2.5.8 // indirect
+	github.com/nats-io/nuid v1.0.1 // indirect
+	github.com/onsi/ginkgo/v2 v2.17.1 // indirect
+	github.com/onsi/gomega v1.32.0 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	golang.org/x/crypto v0.25.0 // indirect
+	golang.org/x/net v0.23.0 // indirect
+	golang.org/x/oauth2 v0.12.0 // indirect
+	golang.org/x/sys v0.22.0 // indirect
+	golang.org/x/term v0.22.0 // indirect
+	golang.org/x/text v0.16.0 // indirect
+	golang.org/x/time v0.5.0 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	k8s.io/api v0.30.1 // indirect
+	k8s.io/klog/v2 v2.120.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
+	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
+	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
+	sigs.k8s.io/yaml v1.3.0 // indirect
+)