cyberark / secrets-provider-for-k8s

Cyberark secrets provider for k8s
Apache License 2.0

Reorganise Secrets Provider Configuration M1 #329

Open doodlesbykumbi opened 3 years ago

doodlesbykumbi commented 3 years ago

Reorganise the internal representation (https://github.com/cyberark/secrets-provider-for-k8s/blob/53271bd8d884f7782df0c07e6619ec22568ecf50/pkg/secrets/config/config.go#L23-L29) of the Secrets Provider configuration. The configuration can be logically broken down into container configuration + store type configuration.

Container config:

PodName - MY_POD_NAME
PodNamespace - MY_POD_NAMESPACE
RetryCountLimit - RETRY_COUNT_LIMIT
RetryIntervalSec - RETRY_INTERVAL_SEC
StoreType - SECRETS_DESTINATION

Store type config:

RequiredK8sSecrets - K8S_SECRETS

The goal for this issue is to prepare for implementing the file store type.

diverdane commented 3 years ago

Tasks:

SP Config (in secrets-provider-for-k8s repository): Split into:

• Container Config
• K8s Secrets config

Authn Client Config (in conjur-authn-k8s-client repository): split into:

• Conjur connect config
• app identity config

=====================================

SP Configuration:

CONTAINER_MODE         (pkg/authenticator) config.Config.ContainerMode
SECRETS_DESTINATION    (pkg/secrets)       config.Config.StoreType
K8S_SECRETS            (pkg/secrets)       config.Config.RequiredK8sSecrets
RETRY_COUNT_LIMIT      (pkg/secrets)       config.Config.RetryCountLimit
RETRY_INTERVAL_SEC     (pkg/secrets)       config.Config.RetryIntervalSec
DEBUG

CONJUR_APPLIANCE_URL   (pkg/conjur-api-go) conjurapi.Config.ApplianceURL
CONJUR_AUTHN_URL       (pkg/authenticator) config.Config.URL
CONJUR_ACCOUNT         (pkg/authenticator) config.Config.Account
CONJUR_AUTHN_LOGIN     (pkg/authenticator) config.Config.Username
CONJUR_SSL_CERTIFICATE (pkg/authenticator) config.Config.SSLCertificate

=====================================

Authn-K8s configuration:

DEBUG
CONJUR_AUTHN_URL         (pkg/authenticator) config.Config.URL
CONJUR_AUTHN_LOGIN       (pkg/authenticator) config.Config.Username
CONJUR_SSL_CERTIFICATE   (pkg/authenticator) config.Config.SSLCertificate
CONJUR_TOKEN_TIMEOUT     (pkg/authenticator) config.Config.TokenRefreshTimeout
MY_POD_NAME              (pkg/authenticator) config.Config.PodName
MY_POD_NAMESPACE         (pkg/secrets)       config.Config.PodNamespace
                         (pkg/authenticator) config.Config.PodNamespace
MY_POD_IP
CONTAINER_MODE           (pkg/authenticator) config.Config.ContainerMode

FILE: secrets-provider-for-k8s/pkg/secrets/config STRUCT:

// Config defines the configuration parameters
// for the authentication requests
type Config struct {
    // Used for Kubernetes Secrets store type
    PodNamespace       string
    RequiredK8sSecrets []string

    // Container/Conjur config
    RetryCountLimit    int
    RetryIntervalSec   int

    // General config
    StoreType          string
}

This is initialized in cmd/secrets-provider/main.go:

import (
    * * *
    secretsConfigProvider "github.com/cyberark/secrets-provider-for-k8s/pkg/secrets/config"

    * * *

    secretsConfig, err := secretsConfigProvider.NewFromEnv()
    if err != nil {
        printErrorAndExit(messages.CSPFK015E)
    }

==============================================

Conjur Authn-k8s client config is read in here in cmd/secrets-provider/main.go:

import (
    * * *
    authnConfigProvider "github.com/cyberark/conjur-authn-k8s-client/pkg/authenticator/config"
    * * *

    // Initialize configurations
    authnConfig, err := authnConfigProvider.NewFromEnv()
    if err != nil {
        printErrorAndExit(messages.CSPFK008E)
    }

FILE: conjur-authn-k8s-client/pkg/authenticator/config STRUCT:

// Config defines the configuration parameters
// for the authentication requests
type Config struct {
    Account                   string
    ClientCertPath            string
    ClientCertRetryCountLimit int
    ContainerMode             string
    ConjurVersion             string
    InjectCertLogPath         string
    PodName                   string
    PodNamespace              string
    SSLCertificate            []byte
    TokenFilePath             string
    TokenRefreshTimeout       time.Duration
    URL                       string
    Username                  *Username
}

HOW TO SPLIT UP INTO CONJUR CONNECT, CONTAINER CONFIG, AND APP IDENTITY CONFIG?

// Config defines the configuration parameters
// for the authentication requests
type Config struct {

    // Conjur Connect Config
    Account                   string
    ClientCertPath            string
    ClientCertRetryCountLimit int
    ConjurVersion             string
    InjectCertLogPath         string
    PodName                   string
    PodNamespace              string
    SSLCertificate            []byte
    TokenFilePath             string
    TokenRefreshTimeout       time.Duration

    // Container config
    ContainerMode             string

    // App identity configuration
    URL                       string
    Username                  *Username
}

==============================================

FILE: conjur-api-go/conjurapi/config.go STRUCT:

type Config struct {
    Account      string `yaml:"account,omitempty"`
    ApplianceURL string `yaml:"appliance_url,omitempty"`
    NetRCPath    string `yaml:"netrc_path,omitempty"`
    SSLCert      string `yaml:"-"`
    SSLCertPath  string `yaml:"cert_file,omitempty"`
    V4           bool   `yaml:"v4"`
}
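As an added example that is not code from this issue or from the cyberark repositories: one way to realise the split that both comments above describe (container config separated from the K8s Secrets store-type config, each read from the environment variables listed), written in Go since that is the project's language. The SECRETS_DESTINATION spellings, the retry defaults, the separator rule for K8S_SECRETS and every function name here are assumptions of this example. The point worth seeing in code is that the store-specific block is only parsed, and only required, for the store type actually selected, so adding the planned file store type does not force K8S_SECRETS to be set, while a missing pod identity, an unknown store type or a malformed retry value fails closed before any secret is fetched.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Store type spellings are assumptions of this example; the issue names the
// K8s Secrets and planned file store types but not the SECRETS_DESTINATION values.
const (
	StoreTypeK8sSecrets = "k8s_secrets"
	StoreTypeFile       = "file"
)

// ContainerConfig describes the container itself, whatever the store type.
type ContainerConfig struct {
	PodName          string // MY_POD_NAME
	PodNamespace     string // MY_POD_NAMESPACE
	RetryCountLimit  int    // RETRY_COUNT_LIMIT
	RetryIntervalSec int    // RETRY_INTERVAL_SEC
	StoreType        string // SECRETS_DESTINATION
}

// K8sSecretsConfig holds what only the k8s_secrets store type needs.
type K8sSecretsConfig struct {
	RequiredK8sSecrets []string // K8S_SECRETS
}

// Config is the reorganised top level; K8sSecrets stays nil unless selected.
type Config struct {
	Container  ContainerConfig
	K8sSecrets *K8sSecretsConfig
}

// Getenv is os.Getenv in production and a fixed map in tests.
type Getenv func(string) string

// intFromEnv applies a default when unset and rejects anything that is not a
// non-negative integer, so a typo cannot silently disable retries.
func intFromEnv(getenv Getenv, key string, def int) (int, error) {
	raw := strings.TrimSpace(getenv(key))
	if raw == "" {
		return def, nil
	}
	if n, err := strconv.Atoi(raw); err == nil && n >= 0 {
		return n, nil
	}
	return 0, fmt.Errorf("%s must be a non-negative integer, got %q", key, raw)
}

// NewContainerConfig reads the container-level variables and validates the
// store type before any store-specific variable is consulted.
func NewContainerConfig(getenv Getenv) (ContainerConfig, error) {
	c := ContainerConfig{
		PodName:      strings.TrimSpace(getenv("MY_POD_NAME")),
		PodNamespace: strings.TrimSpace(getenv("MY_POD_NAMESPACE")),
		StoreType:    strings.TrimSpace(getenv("SECRETS_DESTINATION")),
	}
	if c.PodName == "" || c.PodNamespace == "" {
		return c, fmt.Errorf("MY_POD_NAME and MY_POD_NAMESPACE are required")
	}
	if c.StoreType != StoreTypeK8sSecrets && c.StoreType != StoreTypeFile {
		return c, fmt.Errorf("SECRETS_DESTINATION must be %q or %q, got %q", StoreTypeK8sSecrets, StoreTypeFile, c.StoreType)
	}
	// Retry defaults (5 attempts, 1 s apart) are assumed for this example.
	var err error
	if c.RetryCountLimit, err = intFromEnv(getenv, "RETRY_COUNT_LIMIT", 5); err == nil {
		c.RetryIntervalSec, err = intFromEnv(getenv, "RETRY_INTERVAL_SEC", 1)
	}
	return c, err
}

// NewK8sSecretsConfig parses K8S_SECRETS as a comma- or whitespace-separated
// list of Secret names (the separator rule is assumed for this example).
func NewK8sSecretsConfig(getenv Getenv) (*K8sSecretsConfig, error) {
	names := strings.Fields(strings.ReplaceAll(getenv("K8S_SECRETS"), ",", " "))
	if len(names) == 0 {
		return nil, fmt.Errorf("K8S_SECRETS must name at least one Secret when SECRETS_DESTINATION=%s", StoreTypeK8sSecrets)
	}
	return &K8sSecretsConfig{RequiredK8sSecrets: names}, nil
}

// NewFromEnv assembles the whole configuration. Only the selected store type's
// parser runs, so the file store type never requires K8S_SECRETS.
func NewFromEnv(getenv Getenv) (*Config, error) {
	container, err := NewContainerConfig(getenv)
	if err != nil {
		return nil, err
	}
	cfg := &Config{Container: container}
	if container.StoreType == StoreTypeK8sSecrets {
		if cfg.K8sSecrets, err = NewK8sSecretsConfig(getenv); err != nil {
			return nil, err
		}
	}
	return cfg, nil
}

func main() {
	// Constructed demo environment; pass os.Getenv to NewFromEnv for a real run.
	env := map[string]string{"MY_POD_NAME": "app-0", "MY_POD_NAMESPACE": "prod",
		"SECRETS_DESTINATION": "k8s_secrets", "K8S_SECRETS": "db-creds, api-key"}
	cfg, err := NewFromEnv(func(k string) string { return env[k] })
	if err != nil {
		fmt.Println("config error:", err)
		return
	}
	fmt.Printf("%+v %+v\n", cfg.Container, *cfg.K8sSecrets)
}
```

With SECRETS_DESTINATION=file the K8S_SECRETS variable is neither read nor required, which is the property the file store type work needs; with k8s_secrets an empty list, an unknown store type, a missing pod identity or a negative retry value all fail before the provider ever authenticates to Conjur. The authn-client split proposed in the second comment (Conjur connect, container, app identity) follows the same pattern: one constructor per group, with the top-level constructor deciding which groups are required for the selected mode.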