mirror of https://github.com/helm/helm
Merge pull request #2721 from RemingtonReackhof/secrets-support
feat(2196): secrets managementpull/3006/merge
commit
ab096b883a
@ -0,0 +1,258 @@
|
||||
/*
|
||||
Copyright 2017 The Kubernetes Authors All rights reserved.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package driver // import "k8s.io/helm/pkg/storage/driver"
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"strconv"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
kblabels "k8s.io/apimachinery/pkg/labels"
|
||||
"k8s.io/apimachinery/pkg/util/validation"
|
||||
"k8s.io/kubernetes/pkg/api"
|
||||
"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/core/internalversion"
|
||||
|
||||
rspb "k8s.io/helm/pkg/proto/hapi/release"
|
||||
)
|
||||
|
||||
var _ Driver = (*Secrets)(nil)
|
||||
|
||||
// SecretsDriverName is the string name of the driver.
|
||||
const SecretsDriverName = "Secret"
|
||||
|
||||
// Secrets is a wrapper around an implementation of a kubernetes
|
||||
// SecretsInterface.
|
||||
type Secrets struct {
|
||||
impl internalversion.SecretInterface
|
||||
Log func(string, ...interface{})
|
||||
}
|
||||
|
||||
// NewSecrets initializes a new Secrets wrapping an implmenetation of
|
||||
// the kubernetes SecretsInterface.
|
||||
func NewSecrets(impl internalversion.SecretInterface) *Secrets {
|
||||
return &Secrets{
|
||||
impl: impl,
|
||||
Log: func(_ string, _ ...interface{}) {},
|
||||
}
|
||||
}
|
||||
|
||||
// Name returns the name of the driver.
|
||||
func (secrets *Secrets) Name() string {
|
||||
return SecretsDriverName
|
||||
}
|
||||
|
||||
// Get fetches the release named by key. The corresponding release is returned
|
||||
// or error if not found.
|
||||
func (secrets *Secrets) Get(key string) (*rspb.Release, error) {
|
||||
// fetch the secret holding the release named by key
|
||||
obj, err := secrets.impl.Get(key, metav1.GetOptions{})
|
||||
if err != nil {
|
||||
if apierrors.IsNotFound(err) {
|
||||
return nil, ErrReleaseNotFound(key)
|
||||
}
|
||||
|
||||
secrets.Log("get: failed to get %q: %s", key, err)
|
||||
return nil, err
|
||||
}
|
||||
// found the secret, decode the base64 data string
|
||||
r, err := decodeRelease(string(obj.Data["release"]))
|
||||
if err != nil {
|
||||
secrets.Log("get: failed to decode data %q: %s", key, err)
|
||||
return nil, err
|
||||
}
|
||||
// return the release object
|
||||
return r, nil
|
||||
}
|
||||
|
||||
// List fetches all releases and returns the list releases such
|
||||
// that filter(release) == true. An error is returned if the
|
||||
// secret fails to retrieve the releases.
|
||||
func (secrets *Secrets) List(filter func(*rspb.Release) bool) ([]*rspb.Release, error) {
|
||||
lsel := kblabels.Set{"OWNER": "TILLER"}.AsSelector()
|
||||
opts := metav1.ListOptions{LabelSelector: lsel.String()}
|
||||
|
||||
list, err := secrets.impl.List(opts)
|
||||
if err != nil {
|
||||
secrets.Log("list: failed to list: %s", err)
|
||||
return nil, err
|
||||
}
|
||||
|
||||
var results []*rspb.Release
|
||||
|
||||
// iterate over the secrets object list
|
||||
// and decode each release
|
||||
for _, item := range list.Items {
|
||||
rls, err := decodeRelease(string(item.Data["release"]))
|
||||
if err != nil {
|
||||
secrets.Log("list: failed to decode release: %v: %s", item, err)
|
||||
continue
|
||||
}
|
||||
if filter(rls) {
|
||||
results = append(results, rls)
|
||||
}
|
||||
}
|
||||
return results, nil
|
||||
}
|
||||
|
||||
// Query fetches all releases that match the provided map of labels.
|
||||
// An error is returned if the secret fails to retrieve the releases.
|
||||
func (secrets *Secrets) Query(labels map[string]string) ([]*rspb.Release, error) {
|
||||
ls := kblabels.Set{}
|
||||
for k, v := range labels {
|
||||
if errs := validation.IsValidLabelValue(v); len(errs) != 0 {
|
||||
return nil, fmt.Errorf("invalid label value: %q: %s", v, strings.Join(errs, "; "))
|
||||
}
|
||||
ls[k] = v
|
||||
}
|
||||
|
||||
opts := metav1.ListOptions{LabelSelector: ls.AsSelector().String()}
|
||||
|
||||
list, err := secrets.impl.List(opts)
|
||||
if err != nil {
|
||||
secrets.Log("query: failed to query with labels: %s", err)
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if len(list.Items) == 0 {
|
||||
return nil, ErrReleaseNotFound(labels["NAME"])
|
||||
}
|
||||
|
||||
var results []*rspb.Release
|
||||
for _, item := range list.Items {
|
||||
rls, err := decodeRelease(string(item.Data["release"]))
|
||||
if err != nil {
|
||||
secrets.Log("query: failed to decode release: %s", err)
|
||||
continue
|
||||
}
|
||||
results = append(results, rls)
|
||||
}
|
||||
return results, nil
|
||||
}
|
||||
|
||||
// Create creates a new Secret holding the release. If the
|
||||
// Secret already exists, ErrReleaseExists is returned.
|
||||
func (secrets *Secrets) Create(key string, rls *rspb.Release) error {
|
||||
// set labels for secrets object meta data
|
||||
var lbs labels
|
||||
|
||||
lbs.init()
|
||||
lbs.set("CREATED_AT", strconv.Itoa(int(time.Now().Unix())))
|
||||
|
||||
// create a new secret to hold the release
|
||||
obj, err := newSecretsObject(key, rls, lbs)
|
||||
if err != nil {
|
||||
secrets.Log("create: failed to encode release %q: %s", rls.Name, err)
|
||||
return err
|
||||
}
|
||||
// push the secret object out into the kubiverse
|
||||
if _, err := secrets.impl.Create(obj); err != nil {
|
||||
if apierrors.IsAlreadyExists(err) {
|
||||
return ErrReleaseExists(rls.Name)
|
||||
}
|
||||
|
||||
secrets.Log("create: failed to create: %s", err)
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// Update updates the Secret holding the release. If not found
|
||||
// the Secret is created to hold the release.
|
||||
func (secrets *Secrets) Update(key string, rls *rspb.Release) error {
|
||||
// set labels for secrets object meta data
|
||||
var lbs labels
|
||||
|
||||
lbs.init()
|
||||
lbs.set("MODIFIED_AT", strconv.Itoa(int(time.Now().Unix())))
|
||||
|
||||
// create a new secret object to hold the release
|
||||
obj, err := newSecretsObject(key, rls, lbs)
|
||||
if err != nil {
|
||||
secrets.Log("update: failed to encode release %q: %s", rls.Name, err)
|
||||
return err
|
||||
}
|
||||
// push the secret object out into the kubiverse
|
||||
_, err = secrets.impl.Update(obj)
|
||||
if err != nil {
|
||||
secrets.Log("update: failed to update: %s", err)
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// Delete deletes the Secret holding the release named by key.
|
||||
func (secrets *Secrets) Delete(key string) (rls *rspb.Release, err error) {
|
||||
// fetch the release to check existence
|
||||
if rls, err = secrets.Get(key); err != nil {
|
||||
if apierrors.IsNotFound(err) {
|
||||
return nil, ErrReleaseExists(rls.Name)
|
||||
}
|
||||
|
||||
secrets.Log("delete: failed to get release %q: %s", key, err)
|
||||
return nil, err
|
||||
}
|
||||
// delete the release
|
||||
if err = secrets.impl.Delete(key, &metav1.DeleteOptions{}); err != nil {
|
||||
return rls, err
|
||||
}
|
||||
return rls, nil
|
||||
}
|
||||
|
||||
// newSecretsObject constructs a kubernetes Secret object
|
||||
// to store a release. Each secret data entry is the base64
|
||||
// encoded string of a release's binary protobuf encoding.
|
||||
//
|
||||
// The following labels are used within each secret:
|
||||
//
|
||||
// "MODIFIED_AT" - timestamp indicating when this secret was last modified. (set in Update)
|
||||
// "CREATED_AT" - timestamp indicating when this secret was created. (set in Create)
|
||||
// "VERSION" - version of the release.
|
||||
// "STATUS" - status of the release (see proto/hapi/release.status.pb.go for variants)
|
||||
// "OWNER" - owner of the secret, currently "TILLER".
|
||||
// "NAME" - name of the release.
|
||||
//
|
||||
func newSecretsObject(key string, rls *rspb.Release, lbs labels) (*api.Secret, error) {
|
||||
const owner = "TILLER"
|
||||
|
||||
// encode the release
|
||||
s, err := encodeRelease(rls)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if lbs == nil {
|
||||
lbs.init()
|
||||
}
|
||||
|
||||
// apply labels
|
||||
lbs.set("NAME", rls.Name)
|
||||
lbs.set("OWNER", owner)
|
||||
lbs.set("STATUS", rspb.Status_Code_name[int32(rls.Info.Status.Code)])
|
||||
lbs.set("VERSION", strconv.Itoa(int(rls.Version)))
|
||||
|
||||
// create and return secret object
|
||||
return &api.Secret{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: key,
|
||||
Labels: lbs.toMap(),
|
||||
},
|
||||
Data: map[string][]byte{"release": []byte(s)},
|
||||
}, nil
|
||||
}
|
@ -0,0 +1,186 @@
|
||||
/*
|
||||
Copyright 2017 The Kubernetes Authors All rights reserved.
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package driver
|
||||
|
||||
import (
|
||||
"encoding/base64"
|
||||
"reflect"
|
||||
"testing"
|
||||
|
||||
"github.com/gogo/protobuf/proto"
|
||||
"k8s.io/kubernetes/pkg/api"
|
||||
|
||||
rspb "k8s.io/helm/pkg/proto/hapi/release"
|
||||
)
|
||||
|
||||
func TestSecretName(t *testing.T) {
|
||||
c := newTestFixtureSecrets(t)
|
||||
if c.Name() != SecretsDriverName {
|
||||
t.Errorf("Expected name to be %q, got %q", SecretsDriverName, c.Name())
|
||||
}
|
||||
}
|
||||
|
||||
func TestSecretGet(t *testing.T) {
|
||||
vers := int32(1)
|
||||
name := "smug-pigeon"
|
||||
namespace := "default"
|
||||
key := testKey(name, vers)
|
||||
rel := releaseStub(name, vers, namespace, rspb.Status_DEPLOYED)
|
||||
|
||||
secrets := newTestFixtureSecrets(t, []*rspb.Release{rel}...)
|
||||
|
||||
// get release with key
|
||||
got, err := secrets.Get(key)
|
||||
if err != nil {
|
||||
t.Fatalf("Failed to get release: %s", err)
|
||||
}
|
||||
// compare fetched release with original
|
||||
if !reflect.DeepEqual(rel, got) {
|
||||
t.Errorf("Expected {%q}, got {%q}", rel, got)
|
||||
}
|
||||
}
|
||||
|
||||
func TestUNcompressedSecretGet(t *testing.T) {
|
||||
vers := int32(1)
|
||||
name := "smug-pigeon"
|
||||
namespace := "default"
|
||||
key := testKey(name, vers)
|
||||
rel := releaseStub(name, vers, namespace, rspb.Status_DEPLOYED)
|
||||
|
||||
// Create a test fixture which contains an uncompressed release
|
||||
secret, err := newSecretsObject(key, rel, nil)
|
||||
if err != nil {
|
||||
t.Fatalf("Failed to create secret: %s", err)
|
||||
}
|
||||
b, err := proto.Marshal(rel)
|
||||
if err != nil {
|
||||
t.Fatalf("Failed to marshal release: %s", err)
|
||||
}
|
||||
secret.Data["release"] = []byte(base64.StdEncoding.EncodeToString(b))
|
||||
var mock MockSecretsInterface
|
||||
mock.objects = map[string]*api.Secret{key: secret}
|
||||
secrets := NewSecrets(&mock)
|
||||
|
||||
// get release with key
|
||||
got, err := secrets.Get(key)
|
||||
if err != nil {
|
||||
t.Fatalf("Failed to get release: %s", err)
|
||||
}
|
||||
// compare fetched release with original
|
||||
if !reflect.DeepEqual(rel, got) {
|
||||
t.Errorf("Expected {%q}, got {%q}", rel, got)
|
||||
}
|
||||
}
|
||||
|
||||
func TestSecretList(t *testing.T) {
|
||||
secrets := newTestFixtureSecrets(t, []*rspb.Release{
|
||||
releaseStub("key-1", 1, "default", rspb.Status_DELETED),
|
||||
releaseStub("key-2", 1, "default", rspb.Status_DELETED),
|
||||
releaseStub("key-3", 1, "default", rspb.Status_DEPLOYED),
|
||||
releaseStub("key-4", 1, "default", rspb.Status_DEPLOYED),
|
||||
releaseStub("key-5", 1, "default", rspb.Status_SUPERSEDED),
|
||||
releaseStub("key-6", 1, "default", rspb.Status_SUPERSEDED),
|
||||
}...)
|
||||
|
||||
// list all deleted releases
|
||||
del, err := secrets.List(func(rel *rspb.Release) bool {
|
||||
return rel.Info.Status.Code == rspb.Status_DELETED
|
||||
})
|
||||
// check
|
||||
if err != nil {
|
||||
t.Errorf("Failed to list deleted: %s", err)
|
||||
}
|
||||
if len(del) != 2 {
|
||||
t.Errorf("Expected 2 deleted, got %d:\n%v\n", len(del), del)
|
||||
}
|
||||
|
||||
// list all deployed releases
|
||||
dpl, err := secrets.List(func(rel *rspb.Release) bool {
|
||||
return rel.Info.Status.Code == rspb.Status_DEPLOYED
|
||||
})
|
||||
// check
|
||||
if err != nil {
|
||||
t.Errorf("Failed to list deployed: %s", err)
|
||||
}
|
||||
if len(dpl) != 2 {
|
||||
t.Errorf("Expected 2 deployed, got %d", len(dpl))
|
||||
}
|
||||
|
||||
// list all superseded releases
|
||||
ssd, err := secrets.List(func(rel *rspb.Release) bool {
|
||||
return rel.Info.Status.Code == rspb.Status_SUPERSEDED
|
||||
})
|
||||
// check
|
||||
if err != nil {
|
||||
t.Errorf("Failed to list superseded: %s", err)
|
||||
}
|
||||
if len(ssd) != 2 {
|
||||
t.Errorf("Expected 2 superseded, got %d", len(ssd))
|
||||
}
|
||||
}
|
||||
|
||||
func TestSecretCreate(t *testing.T) {
|
||||
secrets := newTestFixtureSecrets(t)
|
||||
|
||||
vers := int32(1)
|
||||
name := "smug-pigeon"
|
||||
namespace := "default"
|
||||
key := testKey(name, vers)
|
||||
rel := releaseStub(name, vers, namespace, rspb.Status_DEPLOYED)
|
||||
|
||||
// store the release in a secret
|
||||
if err := secrets.Create(key, rel); err != nil {
|
||||
t.Fatalf("Failed to create release with key %q: %s", key, err)
|
||||
}
|
||||
|
||||
// get the release back
|
||||
got, err := secrets.Get(key)
|
||||
if err != nil {
|
||||
t.Fatalf("Failed to get release with key %q: %s", key, err)
|
||||
}
|
||||
|
||||
// compare created release with original
|
||||
if !reflect.DeepEqual(rel, got) {
|
||||
t.Errorf("Expected {%q}, got {%q}", rel, got)
|
||||
}
|
||||
}
|
||||
|
||||
func TestSecretUpdate(t *testing.T) {
|
||||
vers := int32(1)
|
||||
name := "smug-pigeon"
|
||||
namespace := "default"
|
||||
key := testKey(name, vers)
|
||||
rel := releaseStub(name, vers, namespace, rspb.Status_DEPLOYED)
|
||||
|
||||
secrets := newTestFixtureSecrets(t, []*rspb.Release{rel}...)
|
||||
|
||||
// modify release status code
|
||||
rel.Info.Status.Code = rspb.Status_SUPERSEDED
|
||||
|
||||
// perform the update
|
||||
if err := secrets.Update(key, rel); err != nil {
|
||||
t.Fatalf("Failed to update release: %s", err)
|
||||
}
|
||||
|
||||
// fetch the updated release
|
||||
got, err := secrets.Get(key)
|
||||
if err != nil {
|
||||
t.Fatalf("Failed to get release with key %q: %s", key, err)
|
||||
}
|
||||
|
||||
// check release has actually been updated by comparing modified fields
|
||||
if rel.Info.Status.Code != got.Info.Status.Code {
|
||||
t.Errorf("Expected status %s, got status %s", rel.Info.Status.Code, got.Info.Status.Code)
|
||||
}
|
||||
}
|
@ -0,0 +1,85 @@
|
||||
/*
|
||||
Copyright 2017 The Kubernetes Authors All rights reserved.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package driver // import "k8s.io/helm/pkg/storage/driver"
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"compress/gzip"
|
||||
"encoding/base64"
|
||||
"io/ioutil"
|
||||
|
||||
"github.com/golang/protobuf/proto"
|
||||
rspb "k8s.io/helm/pkg/proto/hapi/release"
|
||||
)
|
||||
|
||||
var b64 = base64.StdEncoding
|
||||
|
||||
var magicGzip = []byte{0x1f, 0x8b, 0x08}
|
||||
|
||||
// encodeRelease encodes a release returning a base64 encoded
|
||||
// gzipped binary protobuf encoding representation, or error.
|
||||
func encodeRelease(rls *rspb.Release) (string, error) {
|
||||
b, err := proto.Marshal(rls)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
var buf bytes.Buffer
|
||||
w, err := gzip.NewWriterLevel(&buf, gzip.BestCompression)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
if _, err = w.Write(b); err != nil {
|
||||
return "", err
|
||||
}
|
||||
w.Close()
|
||||
|
||||
return b64.EncodeToString(buf.Bytes()), nil
|
||||
}
|
||||
|
||||
// decodeRelease decodes the bytes in data into a release
|
||||
// type. Data must contain a base64 encoded string of a
|
||||
// valid protobuf encoding of a release, otherwise
|
||||
// an error is returned.
|
||||
func decodeRelease(data string) (*rspb.Release, error) {
|
||||
// base64 decode string
|
||||
b, err := b64.DecodeString(data)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// For backwards compatibility with releases that were stored before
|
||||
// compression was introduced we skip decompression if the
|
||||
// gzip magic header is not found
|
||||
if bytes.Equal(b[0:3], magicGzip) {
|
||||
r, err := gzip.NewReader(bytes.NewReader(b))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
b2, err := ioutil.ReadAll(r)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
b = b2
|
||||
}
|
||||
|
||||
var rls rspb.Release
|
||||
// unmarshal protobuf bytes
|
||||
if err := proto.Unmarshal(b, &rls); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return &rls, nil
|
||||
}
|
Loading…
Reference in new issue