kms: add initial bits for plugin lifecycle

Author: bertinatto

pkg/operator/encryption/kms/helpers.go

@@ -2,16 +2,24 @@ package kms
 
 import (
 	"fmt"
+	"path/filepath"
+	"regexp"
 	"strconv"
 	"strings"
 
+	configv1 "github.com/openshift/api/config/v1"
 	"github.com/openshift/api/features"
 	"github.com/openshift/library-go/pkg/operator/configobserver/featuregates"
+	"github.com/openshift/library-go/pkg/operator/encryption/encoding"
 	corev1 "k8s.io/api/core/v1"
+	apiserverv1 "k8s.io/apiserver/pkg/apis/apiserver/v1"
 )
 
+var kmsEndpointRegexp = regexp.MustCompile(`^unix:///var/run/kmsplugin/kms-(\d+)\.sock$`)
+
 const providerConfigDataKeyPrefix = "kms-provider-config-"
 const credentialDataKeyPrefix = "kms-secret-data-"
+const credentialsDir = "/etc/kubernetes/static-pod-resources/secrets/encryption-config"
 
 // ToProviderConfigSecretDataKeyFor constructs the data key for storing a KMS provider config in the encryption-config Secret.
 // The keyID must be a valid non-negative integer string.
@@ -113,3 +121,50 @@ func AddKMSPluginVolumeAndMountToPodSpec(podSpec *corev1.PodSpec, containerName
 
 	return nil
 }
+
+func findFirstKMSConfiguration(config *apiserverv1.EncryptionConfiguration) *apiserverv1.KMSConfiguration {
+	for _, resource := range config.Resources {
+		for _, provider := range resource.Providers {
+			if provider.KMS != nil {
+				return provider.KMS
+			}
+		}
+	}
+	return nil
+}
+
+func parseKeyIDFromEndpoint(endpoint string) (string, error) {
+	matches := kmsEndpointRegexp.FindStringSubmatch(endpoint)
+	if matches == nil {
+		return "", fmt.Errorf("unexpected KMS endpoint format: %s", endpoint)
+	}
+	return matches[1], nil
+}
+
+func parseProviderConfig(secret *corev1.Secret, kmsConfiguration *apiserverv1.KMSConfiguration) (*configv1.KMSConfig, error) {
+	keyID, err := parseKeyIDFromEndpoint(kmsConfiguration.Endpoint)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse key ID from endpoint: %w", err)
+	}
+	providerConfigKey, err := ToProviderConfigSecretDataKeyFor(keyID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create provider config secret key ID from endpoint: %w", err)
+	}
+	providerConfigData, ok := secret.Data[providerConfigKey]
+	if !ok {
+		return nil, fmt.Errorf("missing provider config key %s in encryption-config secret", providerConfigKey)
+	}
+	kmsConfig, err := encoding.DecodeKMSConfig(providerConfigData)
+	if err != nil {
+		return nil, fmt.Errorf("failed to decode provider config: %w", err)
+	}
+	return kmsConfig, nil
+}
+
+func parseSecretDataPath(kmsConfiguration *apiserverv1.KMSConfiguration) (string, error) {
+	keyID, err := parseKeyIDFromEndpoint(kmsConfiguration.Endpoint)
+	if err != nil {
+		return "", fmt.Errorf("failed to parse key ID from endpoint: %w", err)
+	}
+	return filepath.Join(credentialsDir, credentialDataKeyPrefix+keyID), nil
+}

pkg/operator/encryption/kms/helpers_test.go

@@ -7,9 +7,10 @@ import (
 	configv1 "github.com/openshift/api/config/v1"
 	"github.com/openshift/api/features"
 	"github.com/openshift/library-go/pkg/operator/configobserver/featuregates"
-	corev1 "k8s.io/api/core/v1"
-
+	"github.com/openshift/library-go/pkg/operator/encryption/encoding"
 	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+	apiserverv1 "k8s.io/apiserver/pkg/apis/apiserver/v1"
 )
 
 func TestKeyIDFromProviderConfigSecretDataKey(t *testing.T) {
@@ -114,6 +115,145 @@ func TestToProviderConfigSecretDataKeyFor(t *testing.T) {
 	}
 }
 
+func TestParseKeyIDFromEndpoint(t *testing.T) {
+	tests := []struct {
+		name      string
+		endpoint  string
+		wantKeyID string
+		wantErr   string
+	}{
+		{
+			name:      "standard endpoint",
+			endpoint:  "unix:///var/run/kmsplugin/kms-555.sock",
+			wantKeyID: "555",
+		},
+		{
+			name:      "single digit key ID",
+			endpoint:  "unix:///var/run/kmsplugin/kms-3.sock",
+			wantKeyID: "3",
+		},
+		{
+			name:     "missing kms- prefix",
+			endpoint: "unix:///var/run/kmsplugin/plugin-555.sock",
+			wantErr:  "unexpected KMS endpoint format",
+		},
+		{
+			name:     "missing .sock suffix",
+			endpoint: "unix:///var/run/kmsplugin/kms-555.socket",
+			wantErr:  "unexpected KMS endpoint format",
+		},
+		{
+			name:     "empty key ID",
+			endpoint: "unix:///var/run/kmsplugin/kms-.sock",
+			wantErr:  "unexpected KMS endpoint format",
+		},
+		{
+			name:     "no unix prefix",
+			endpoint: "/var/run/kmsplugin/kms-555.sock",
+			wantErr:  "unexpected KMS endpoint format",
+		},
+		{
+			name:     "no digit key ID",
+			endpoint: "/var/run/kmsplugin/kms-abc.sock",
+			wantErr:  "unexpected KMS endpoint format",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			keyID, err := parseKeyIDFromEndpoint(tt.endpoint)
+			if tt.wantErr != "" {
+				require.ErrorContains(t, err, tt.wantErr)
+				return
+			}
+			require.NoError(t, err)
+			require.Equal(t, tt.wantKeyID, keyID)
+		})
+	}
+}
+
+func TestParseProviderConfig(t *testing.T) {
+	vaultConfig := &configv1.KMSConfig{
+		Type: configv1.VaultKMSProvider,
+		Vault: configv1.VaultKMSConfig{
+			KMSPluginImage: "quay.io/test/vault:v1",
+			VaultAddress:   "https://vault.example.com:8200",
+			VaultNamespace: "my-namespace",
+			TransitKey:     "my-key",
+			TransitMount:   "transit",
+		},
+	}
+	configBytes, err := encoding.EncodeKMSConfig(vaultConfig)
+	require.NoError(t, err)
+
+	providerConfigKey, err := ToProviderConfigSecretDataKeyFor("555")
+	require.NoError(t, err)
+
+	tests := []struct {
+		name      string
+		secret    *corev1.Secret
+		kmsConfig *apiserverv1.KMSConfiguration
+		wantErr   string
+	}{
+		{
+			name: "valid provider config",
+			secret: &corev1.Secret{
+				Data: map[string][]byte{
+					providerConfigKey: configBytes,
+				},
+			},
+			kmsConfig: &apiserverv1.KMSConfiguration{
+				Endpoint: "unix:///var/run/kmsplugin/kms-555.sock",
+			},
+		},
+		{
+			name: "missing provider config key",
+			secret: &corev1.Secret{
+				Data: map[string][]byte{},
+			},
+			kmsConfig: &apiserverv1.KMSConfiguration{
+				Endpoint: "unix:///var/run/kmsplugin/kms-555.sock",
+			},
+			wantErr: "missing provider config key",
+		},
+		{
+			name: "invalid JSON",
+			secret: &corev1.Secret{
+				Data: map[string][]byte{
+					providerConfigKey: []byte(`{invalid`),
+				},
+			},
+			kmsConfig: &apiserverv1.KMSConfiguration{
+				Endpoint: "unix:///var/run/kmsplugin/kms-555.sock",
+			},
+			wantErr: "failed to decode provider config",
+		},
+		{
+			name: "invalid endpoint",
+			secret: &corev1.Secret{
+				Data: map[string][]byte{},
+			},
+			kmsConfig: &apiserverv1.KMSConfiguration{
+				Endpoint: "invalid-endpoint",
+			},
+			wantErr: "failed to parse key ID from endpoint",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			config, err := parseProviderConfig(tt.secret, tt.kmsConfig)
+			if tt.wantErr != "" {
+				require.ErrorContains(t, err, tt.wantErr)
+				return
+			}
+			require.NoError(t, err)
+			require.NotNil(t, config)
+			require.Equal(t, vaultConfig, config)
+		})
+	}
+}
+
 func TestAddKMSPluginVolume(t *testing.T) {
 	directoryOrCreate := corev1.HostPathDirectoryOrCreate
 

pkg/operator/encryption/kms/plugins/vault.go

@@ -0,0 +1,63 @@
+package plugins
+
+import (
+	"fmt"
+
+	configv1 "github.com/openshift/api/config/v1"
+	corev1 "k8s.io/api/core/v1"
+	apiserverv1 "k8s.io/apiserver/pkg/apis/apiserver/v1"
+	"k8s.io/utils/ptr"
+)
+
+type VaultSidecarProvider struct {
+	Config         *configv1.VaultKMSConfig
+	SecretDataPath string
+}
+
+func NewVaultSidecarProvider(providerConfig *configv1.KMSConfig, secretDataPath string) (*VaultSidecarProvider, error) {
+	return &VaultSidecarProvider{
+		Config:         &providerConfig.Vault,
+		SecretDataPath: secretDataPath,
+	}, nil
+}
+
+func (v *VaultSidecarProvider) BuildSidecarContainer(name string, kmsConfig *apiserverv1.KMSConfiguration) (corev1.Container, error) {
+	if v.Config == nil {
+		return corev1.Container{}, fmt.Errorf("vault config cannot be nil")
+	}
+
+	// FIXME: this is fragile. TBD
+	args := fmt.Sprintf(`set -e
+	CREDS=$(cat %s)
+	SECRET_ID=${CREDS#*\"VAULT_SECRET_ID\":\"}
+	SECRET_ID=${SECRET_ID%%%%\"*}
+	ROLE_ID=${CREDS#*\"VAULT_ROLE_ID\":\"}
+	ROLE_ID=${ROLE_ID%%%%\"*}
+	printf '%%s' "$SECRET_ID" > /tmp/secret-id
+	exec /vault-kube-kms \
+	-listen-address=%s \
+	-vault-address=%s \
+	-vault-namespace=%s \
+	-transit-mount=%s \
+	-transit-key=%s \
+	-approle-role-id=$ROLE_ID \
+	-approle-secret-id-path=/tmp/secret-id`,
+		v.SecretDataPath,
+		kmsConfig.Endpoint,
+		v.Config.VaultAddress,
+		v.Config.VaultNamespace,
+		v.Config.TransitMount,
+		v.Config.TransitKey,
+	)
+
+	return corev1.Container{
+		Name:    name,
+		Image:   v.Config.KMSPluginImage,
+		Command: []string{"/bin/sh", "-c"},
+		Args:    []string{args},
+		// This is necessary to read the secret data in /etc/kubernetes/static-pod-resources/secrets/encryption-config
+		SecurityContext: &corev1.SecurityContext{
+			RunAsUser: ptr.To(int64(0)),
+		},
+	}, nil
+}

pkg/operator/encryption/kms/plugins/vault_test.go

@@ -0,0 +1,93 @@
+package plugins
+
+import (
+	"fmt"
+	"testing"
+
+	configv1 "github.com/openshift/api/config/v1"
+	"github.com/stretchr/testify/require"
+	apiserverv1 "k8s.io/apiserver/pkg/apis/apiserver/v1"
+	"k8s.io/utils/ptr"
+)
+
+func TestVaultSidecarProvider_BuildSidecarContainer(t *testing.T) {
+	tests := []struct {
+		name           string
+		vaultConfig    *configv1.VaultKMSConfig
+		secretDataPath string
+		containerName  string
+		kmsConfig      *apiserverv1.KMSConfiguration
+		wantErr        string
+	}{
+		{
+			name:           "builds container with correct args",
+			secretDataPath: "/etc/kubernetes/static-pod-resources/secrets/encryption-config/kms-secret-data-555",
+			vaultConfig: &configv1.VaultKMSConfig{
+				KMSPluginImage: "quay.io/test/vault:v2",
+				VaultAddress:   "https://vault.example.com:8200",
+				VaultNamespace: "my-namespace",
+				TransitKey:     "my-key",
+				TransitMount:   "transit",
+			},
+			containerName: "kms-plugin",
+			kmsConfig: &apiserverv1.KMSConfiguration{
+				APIVersion: "v2",
+				Name:       "555_secrets",
+				Endpoint:   "unix:///var/run/kmsplugin/kms-555.sock",
+			},
+		},
+		{
+			name:           "nil vault config",
+			secretDataPath: "/etc/kubernetes/static-pod-resources/secrets/encryption-config/kms-secret-data-555",
+			vaultConfig:    nil,
+			containerName:  "kms-plugin",
+			kmsConfig:      &apiserverv1.KMSConfiguration{},
+			wantErr:        "vault config cannot be nil",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			provider := &VaultSidecarProvider{
+				Config:         tt.vaultConfig,
+				SecretDataPath: tt.secretDataPath,
+			}
+
+			container, err := provider.BuildSidecarContainer(tt.containerName, tt.kmsConfig)
+			if tt.wantErr != "" {
+				require.ErrorContains(t, err, tt.wantErr)
+				return
+			}
+			require.NoError(t, err)
+			require.Equal(t, tt.containerName, container.Name)
+			require.Equal(t, tt.vaultConfig.KMSPluginImage, container.Image)
+			require.Equal(t, []string{"/bin/sh", "-c"}, container.Command)
+
+			expectedArgs := fmt.Sprintf(`set -e
+	CREDS=$(cat %s)
+	SECRET_ID=${CREDS#*\"VAULT_SECRET_ID\":\"}
+	SECRET_ID=${SECRET_ID%%%%\"*}
+	ROLE_ID=${CREDS#*\"VAULT_ROLE_ID\":\"}
+	ROLE_ID=${ROLE_ID%%%%\"*}
+	printf '%%s' "$SECRET_ID" > /tmp/secret-id
+	exec /vault-kube-kms \
+	-listen-address=%s \
+	-vault-address=%s \
+	-vault-namespace=%s \
+	-transit-mount=%s \
+	-transit-key=%s \
+	-approle-role-id=$ROLE_ID \
+	-approle-secret-id-path=/tmp/secret-id`,
+				tt.secretDataPath,
+				tt.kmsConfig.Endpoint,
+				tt.vaultConfig.VaultAddress,
+				tt.vaultConfig.VaultNamespace,
+				tt.vaultConfig.TransitMount,
+				tt.vaultConfig.TransitKey,
+			)
+			require.Len(t, container.Args, 1)
+			require.Equal(t, expectedArgs, container.Args[0])
+			require.Equal(t, ptr.To(int64(0)), container.SecurityContext.RunAsUser)
+		})
+	}
+}