
Commit 5c4f03e

Tokenize Credential Request
Signed-off-by: desmax74 <mdessi@redhat.com>
1 parent e1a97fc commit 5c4f03e

18 files changed

Lines changed: 929 additions & 10 deletions

config/manifests/bases/rhtpa-operator.clusterserviceversion.yaml

Lines changed: 2 additions & 2 deletions
@@ -11,9 +11,9 @@ metadata:
1111
features.operators.openshift.io/fips-compliant: "false"
1212
features.operators.openshift.io/proxy-aware: "false"
1313
features.operators.openshift.io/tls-profiles: "false"
14-
features.operators.openshift.io/token-auth-aws: "false"
14+
features.operators.openshift.io/token-auth-aws: "true"
1515
features.operators.openshift.io/token-auth-azure: "false"
16-
features.operators.openshift.io/token-auth-gcp: "false"
16+
features.operators.openshift.io/token-auth-gcp: "true"
1717
operators.openshift.io/valid-subscription: '["Red Hat Trusted Profile Analyzer"]'
1818
name: rhtpa-operator.v0.0.0
1919
namespace: placeholder
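Review bot: flipping `token-auth-aws` and `token-auth-gcp` to "true" advertises to OLM that this operator supports short-lived token authentication (STS/WIF), but nothing else in this commit implements that flow: `_storage.tpl` consumes static `aws_access_key_id`/`aws_secret_access_key` keys from the CCO-minted secret, the chart's CredentialsRequest template sets no `spec.serviceAccountNames`, and extensions/README.md describes Manual/STS mode as a procedure the user performs by hand with ccoctl before installing. Either keep both flags at "false" until the tokenized path is wired through, or add the STS handling in the same change, since the console uses these annotations to decide whether to offer the tokenized install path to users.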

config/rbac/clusterrole.yaml

Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
apiVersion: rbac.authorization.k8s.io/v1
2+
kind: ClusterRole
3+
metadata:
4+
name: cco-credentialsrequest-access
5+
namespace: placeholder
6+
rules:
7+
- apiGroups: ["cloudcredential.openshift.io"]
8+
resources: ["credentialsrequests"]
9+
verbs: ["create", "get", "list", "watch", "update", "delete"]
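Review bot: `namespace: placeholder` under `metadata` has no effect on a ClusterRole, which is cluster-scoped; drop it so the manifest does not suggest the role is namespaced and the kustomize namespace transformer has nothing to rewrite here. It is also worth a comment that `create`/`update`/`delete` on `credentialsrequests` lets the operator service account ask CCO for arbitrary cloud IAM permissions, so this role is the privilege boundary a reviewer should look at; keep `update` and `delete` only if the operator actually reconciles or cleans up the CR rather than leaving it to Helm.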
Lines changed: 15 additions & 0 deletions
@@ -0,0 +1,15 @@
1+
apiVersion: rbac.authorization.k8s.io/v1
2+
kind: ClusterRoleBinding
3+
metadata:
4+
labels:
5+
app.kubernetes.io/name: rhtpa-operator
6+
app.kubernetes.io/managed-by: kustomize
7+
name: cco-credentialsrequest-rolebinding
8+
roleRef:
9+
apiGroup: rbac.authorization.k8s.io
10+
kind: ClusterRole
11+
name: cco-credentialsrequest-access
12+
subjects:
13+
- kind: ServiceAccount
14+
name: rhtpa-operator-controller-manager
15+
namespace: placeholder
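Review bot: this binding carries `app.kubernetes.io/name` and `app.kubernetes.io/managed-by` labels but the ClusterRole it references in config/rbac/clusterrole.yaml has none; label both so the pair is selectable and removed together. A one-line comment explaining why a ClusterRole rather than a Role is needed, namely that CredentialsRequests live in `openshift-cloud-credential-operator` and not in the operator's own namespace, would also save the next reader a lookup.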

config/rbac/kustomization.yaml

Lines changed: 2 additions & 0 deletions
@@ -15,6 +15,8 @@ resources:
1515
- rolebinding_job.yaml
1616
- role_cluster_ingress.yaml
1717
- role_cluster_ingress_binding.yaml
18+
- clusterrole.yaml
19+
- clusterrolebinding_cco.yaml
1820
# The following RBAC configurations are used to protect
1921
# the metrics endpoint with authn/authz. These configurations
2022
# ensure that only authorized users and service accounts
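Review bot: the two new files are named inconsistently: `clusterrolebinding_cco.yaml` is prefixed for the CCO feature while its matching role is the generic `clusterrole.yaml`. Renaming the role to `clusterrole_cco.yaml` keeps the pair discoverable and follows the role/binding naming already used by `role_cluster_ingress.yaml` and `role_cluster_ingress_binding.yaml` in the same list.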

devel/cco/credentialRequest.yaml

Lines changed: 18 additions & 0 deletions
@@ -0,0 +1,18 @@
1+
apiVersion: cloudcredential.openshift.io/v1
2+
kind: CredentialsRequest
3+
metadata:
4+
name: my-operator-credentials
5+
namespace: openshift-cloud-credential-operator
6+
spec:
7+
secretRef:
8+
name: my-cloud-creds
9+
namespace: my-operator-namespace
10+
providerSpec:
11+
apiVersion: cloudcredential.openshift.io/v1
12+
kind: AWSProviderSpec # AWS
13+
statementEntries:
14+
- effect: Allow
15+
action:
16+
- "s3:GetObject"
17+
- "s3:PutObject"
18+
resource: "*"
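Review bot: `resource: "*"` combined with `s3:GetObject`/`s3:PutObject` asks CCO to mint a principal that can read and write every object in every bucket of the account; scope it to the bucket the operator uses, e.g. `resource: "arn:aws:s3:::<bucket>/*"` (and `arn:aws:s3:::<bucket>` if a bucket-level action such as `s3:ListBucket` is ever added). Even under devel/, this is the file people will copy into real CredentialsRequests, so it should model least privilege, and the `my-operator-*` placeholders should be marked as such in a comment.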

extensions/README.md

Lines changed: 100 additions & 0 deletions
@@ -0,0 +1,100 @@
1+
# Tokenize with Cloud Credentials Operator
2+
3+
Cloud Credentials Operator (CCO) is installed by default on OCP.
4+
To check the CCO status
5+
6+
```console
7+
oc get clusteroperator cloud-credential
8+
```
9+
it show somethig like
10+
11+
```console
12+
NAME VERSION AVAILABLE PROGRESSING DEGRADED SINCE
13+
cloud-credential 4.x.x True False False ...
14+
```
15+
Pod' status
16+
```console
17+
oc get pods -n openshift-cloud-credential-operator
18+
```
19+
20+
Credential requests checks
21+
```console
22+
oc get credentialsrequests -n openshift-cloud-credential-operator
23+
```
24+
25+
CCO details
26+
```console
27+
oc describe clusteroperator cloud-credential
28+
```
29+
30+
CCO Modality
31+
```console
32+
oc get cloudcredential cluster -o yaml
33+
```
34+
On spec.credentialsMode will be the configured setting (Mint,
35+
Passthrough, Manual, o empty for default).
36+
37+
## How the Operator interact with the CCO
38+
39+
1. Operator declare permissions needed in a CredentialsRequest CR in the namespace openshift-cloud-credential-operator
40+
41+
```console
42+
apiVersion: cloudcredential.openshift.io/v1
43+
kind: CredentialsRequest
44+
metadata:
45+
name: my-operator-credentials
46+
namespace: openshift-cloud-credential-operator
47+
spec:
48+
secretRef:
49+
name: my-cloud-creds
50+
namespace: my-operator-namespace
51+
providerSpec:
52+
apiVersion: cloudcredential.openshift.io/v1
53+
kind: AWSProviderSpec # esempio per AWS
54+
statementEntries:
55+
- effect: Allow
56+
action:
57+
- "s3:GetObject"
58+
- "s3:PutObject"
59+
resource: "*"
60+
```
61+
62+
2. CCO process the CR and create a Kubernetes Secret with the cloud credentails
63+
in the namespace specified in spec.secretRef.
64+
65+
3. Operator reads the Secret and use the credentials to interact with the cloud API.
66+
Operator must tolerate the not immediate availability of the secret becasue take time to create.
67+
68+
## How integrate the CCO with the Helm Chart Operator
69+
70+
1. Define Credential Request in the chart
71+
2.
72+
2. Configure Deployment to use the secret created by the CCO
73+
74+
3. Handling the delay of the creation of the secret
75+
first approact Init container
76+
```console
77+
initContainers:
78+
- name: wait-for-creds
79+
image: registry.redhat.io/openshift4/ose-cli
80+
command:
81+
- /bin/bash
82+
- -c
83+
- |
84+
until oc get secret {{ .Release.Name }}-cloud-creds -n {{
85+
.Release.Namespace }} 2>/dev/null; do
86+
echo "Waiting for cloud credentials..."
87+
sleep 5
88+
done
89+
```
90+
second approach Retry in the Operator's code, but this is available on a full Go Operator
91+
92+
4. Support different cloud provider with values configurations
93+
94+
5. RBAC needed to create the CredentialsRequest
95+
6. Supporto Manual Mode (STS/WIF) if the cluster use mode o STS, CCO didn't create the secret automatically.
96+
In STS mode the user must :
97+
1. Extract CredentialsRequest from chart
98+
2. Use ccoctl tool to generate the credentials
99+
3. Create manually the secrets before install the chart
100+
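Review bot: the README needs a language pass before merge: "it show somethig like", "Pod' status", "o empty for default", "esempio per AWS", "becasue", "approact", "Supporto Manual Mode", "if the cluster use mode o STS", and the stray empty item `2.` before "2. Configure Deployment" in the Helm section. On substance, the init-container approach only works if the workload's service account has `get` on secrets in its namespace; otherwise `oc get secret ... 2>/dev/null` fails on every iteration and the loop never exits, with the RBAC error hidden. It also pins `registry.redhat.io/openshift4/ose-cli` without a tag. The simpler option is to let the kubelet do the waiting by referencing the CCO secret through `secretKeyRef`, as `_storage.tpl` in this same commit does: a pod whose referenced secret does not yet exist stays in CreateContainerConfigError and is retried until the secret appears, with no extra RBAC and no extra image.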
Lines changed: 24 additions & 0 deletions
@@ -0,0 +1,24 @@
1+
{{- if .Values.cloudProvider }}
2+
apiVersion: cloudcredential.openshift.io/v1
3+
kind: CredentialsRequest
4+
metadata:
5+
name: {{ .Release.Name }}-cloud-creds
6+
namespace: openshift-cloud-credential-operator
7+
spec:
8+
secretRef:
9+
name: {{ .Release.Name }}-cloud-creds
10+
namespace: {{ .Release.Namespace }}
11+
{{- if eq .Values.cloudProvider "aws" }}
12+
providerSpec:
13+
apiVersion: cloudcredential.openshift.io/v1
14+
kind: AWSProviderSpec
15+
statementEntries:
16+
{{- toYaml .Values.cloudCredentials.aws.statementEntries | nindent 6 }}
17+
{{- else if eq .Values.cloudProvider "gcp" }}
18+
providerSpec:
19+
apiVersion: cloudcredential.openshift.io/v1
20+
kind: GCPProviderSpec
21+
predefinedRoles:
22+
{{- toYaml .Values.cloudCredentials.gcp.permissions | nindent 6 }}
23+
{{- end }}
24+
{{- end }}
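Review bot: for GCP the template writes `.Values.cloudCredentials.gcp.permissions` into `predefinedRoles`, but in GCPProviderSpec these are different fields: `predefinedRoles` takes role names such as `roles/storage.objectViewer`, whereas `permissions` takes individual IAM permission strings that CCO turns into a custom role. Either rename the value to `predefinedRoles` or emit it under `permissions`; as written, a user who follows the schema name will produce a CredentialsRequest CCO cannot satisfy. Two further points: the CR is named `{{ .Release.Name }}-cloud-creds` inside the shared `openshift-cloud-credential-operator` namespace, so two releases with the same name in different namespaces collide, and including `.Release.Namespace` in the name avoids that; and for the STS/WIF path the README describes, the CR should set `spec.serviceAccountNames` to the workload service accounts, which ccoctl needs in order to build the trust policy.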

helm-charts/redhat-trusted-profile-analyzer/templates/helpers/_storage.tpl

Lines changed: 14 additions & 0 deletions
@@ -51,9 +51,23 @@ Arguments (dict):
5151
value: s3
5252

5353
- name: TRUSTD_S3_ACCESS_KEY
54+
{{- if and .root.Values.cloudProvider (not .storage.accessKey) }}
55+
valueFrom:
56+
secretKeyRef:
57+
name: {{ .root.Release.Name }}-cloud-creds
58+
key: aws_access_key_id
59+
{{- else }}
5460
{{- include "trustification.common.envVarValue" .storage.accessKey | nindent 2 }}
61+
{{- end }}
5562
- name: TRUSTD_S3_SECRET_KEY
63+
{{- if and .root.Values.cloudProvider (not .storage.secretKey) }}
64+
valueFrom:
65+
secretKeyRef:
66+
name: {{ .root.Release.Name }}-cloud-creds
67+
key: aws_secret_access_key
68+
{{- else }}
5669
{{- include "trustification.common.envVarValue" .storage.secretKey | nindent 2 }}
70+
{{- end }}
5771
- name: TRUSTD_S3_REGION
5872
{{- include "trustification.common.envVarValue" .storage.region | nindent 2 }}
5973
- name: TRUSTD_S3_BUCKET
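Review bot: the `secretKeyRef` fallbacks read `aws_access_key_id` and `aws_secret_access_key` whenever `cloudProvider` is set, but the CredentialsRequest template in this commit also accepts `cloudProvider: gcp`, and a GCP-minted CCO secret does not carry those keys, so the container fails at start with a missing-key error. Gate both branches on `eq .root.Values.cloudProvider "aws"` (or `fail` the render for gcp) and state in the values description that CCO-backed S3 credentials are AWS-only. The secret name `{{ .root.Release.Name }}-cloud-creds` is now spelled out here twice and again in the CredentialsRequest template; a named helper would keep the three from drifting.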

helm-charts/redhat-trusted-profile-analyzer/values.schema.json

Lines changed: 66 additions & 3 deletions
@@ -385,6 +385,71 @@
385385
},
386386
"prometheus": {
387387
"$ref": "#/definitions/Feature"
388+
},
389+
"ccoMode": {
390+
"description": "Cloud Credential Operator mode. When set, enables CCO-managed credentials.\n",
391+
"oneOf": [
392+
{
393+
"type": "object"
394+
},
395+
{
396+
"type": "string",
397+
"enum": [
398+
"mint",
399+
"manual"
400+
]
401+
}
402+
]
403+
},
404+
"cloudProvider": {
405+
"type": "string",
406+
"enum": [
407+
"aws",
408+
"gcp"
409+
],
410+
"description": "Set the cloud provider to enable Cloud Credentials Operator (CCO) integration.\nWhen set, a CredentialsRequest will be created and the resulting secret will be\nused for S3 storage credentials (accessKey and secretKey become optional).\n"
411+
},
412+
"cloudCredentials": {
413+
"type": "object",
414+
"description": "Cloud provider credentials configuration for CCO-managed credentials.\n",
415+
"properties": {
416+
"aws": {
417+
"type": "object",
418+
"properties": {
419+
"statementEntries": {
420+
"type": "array",
421+
"items": {
422+
"type": "object",
423+
"properties": {
424+
"effect": {
425+
"type": "string"
426+
},
427+
"action": {
428+
"type": "array",
429+
"items": {
430+
"type": "string"
431+
}
432+
},
433+
"resource": {
434+
"type": "string"
435+
}
436+
}
437+
}
438+
}
439+
}
440+
},
441+
"gcp": {
442+
"type": "object",
443+
"properties": {
444+
"permissions": {
445+
"type": "array",
446+
"items": {
447+
"type": "string"
448+
}
449+
}
450+
}
451+
}
452+
}
388453
}
389454
},
390455
"allOf": [
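Review bot: `ccoMode` is added here with a loose `oneOf` (any object, or the strings `mint`/`manual`) but does not appear in values.schema.yaml in this commit and is not read by any template; either remove it or add it to the YAML schema and wire it into the templates. The two schemas drift elsewhere in this hunk too: the YAML restricts `effect` to `[Allow, Deny]` while this JSON leaves it a free string. If values.schema.json is derived from values.schema.yaml, regenerate it instead of editing it by hand.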
@@ -971,12 +1036,10 @@
9711036
}
9721037
},
9731038
"S3StorageConfig": {
974-
"description": "Configure an S3 compatible object storage.\n",
1039+
"description": "Configure an S3 compatible object storage.\nWhen cloudProvider is set, accessKey and secretKey are automatically populated\nfrom the CCO-provisioned secret and do not need to be specified.\n",
9751040
"type": "object",
9761041
"required": [
9771042
"type",
978-
"accessKey",
979-
"secretKey",
9801043
"bucket",
9811044
"region"
9821045
],
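Review bot: dropping `accessKey` and `secretKey` from `required` here unconditionally lets a plain S3 configuration with no `cloudProvider` and no keys pass validation, moving the failure from `helm install` to a pod that starts with empty credentials. The requirement should become conditional on `cloudProvider` being absent, and the same conditional needs to land in values.schema.yaml so the two schemas agree.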

helm-charts/redhat-trusted-profile-analyzer/values.schema.yaml

Lines changed: 46 additions & 4 deletions
@@ -64,6 +64,46 @@ properties:
6464
description: |
6565
Control the usage of the OpenShift service CA.
6666
67+
cloudProvider:
68+
type: string
69+
enum:
70+
- aws
71+
- gcp
72+
description: |
73+
Set the cloud provider to enable Cloud Credentials Operator (CCO) integration.
74+
When set, a CredentialsRequest will be created and the resulting secret will be
75+
used for S3 storage credentials (accessKey and secretKey become optional).
76+
77+
cloudCredentials:
78+
type: object
79+
description: |
80+
Cloud-specific credential configuration for the Cloud Credentials Operator.
81+
properties:
82+
aws:
83+
type: object
84+
properties:
85+
statementEntries:
86+
type: array
87+
items:
88+
type: object
89+
properties:
90+
effect:
91+
type: string
92+
enum: [Allow, Deny]
93+
action:
94+
type: array
95+
items:
96+
type: string
97+
resource:
98+
type: string
99+
gcp:
100+
type: object
101+
properties:
102+
permissions:
103+
type: array
104+
items:
105+
type: string
106+
67107
oidc:
68108
$ref: "#/definitions/Oidc"
69109
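Review bot: `cloudProvider: aws` is accepted without `cloudCredentials.aws.statementEntries`, and in the CredentialsRequest template `toYaml` of a missing value renders the literal `null` under `statementEntries:`, producing a CR with no permissions or one CCO rejects. Add `required: [statementEntries]` under `aws` and `required: [permissions]` under `gcp`, and tie them to the chosen `cloudProvider` with an `if`/`then`, so the render fails early. `cloudCredentials` also lacks the `additionalProperties: false` this schema uses elsewhere (S3StorageConfig has it), so a misspelled key silently yields an empty policy.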

@@ -742,11 +782,11 @@ definitions:
742782
S3StorageConfig:
743783
description: |
744784
Configure an S3 compatible object storage.
785+
When cloudProvider is set, accessKey and secretKey are automatically populated
786+
from the CCO-provisioned secret and do not need to be specified.
745787
type: object
746788
required:
747789
- type
748-
- accessKey
749-
- secretKey
750790
- bucket
751791
- region
752792
additionalProperties: false
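Review bot: removing `accessKey` and `secretKey` from `required` makes them optional for every S3 configuration, not only when `cloudProvider` is set as the description says. Since this definition cannot see the top-level `cloudProvider`, express the dependency where both are visible, e.g. a top-level `if`/`then` that requires `accessKey` and `secretKey` in the S3 storage block whenever `cloudProvider` is absent, so a chart with neither CCO nor static keys is rejected at install time rather than at pod start.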
@@ -757,11 +797,13 @@ definitions:
757797
- s3
758798
accessKey:
759799
description: |
760-
The access key/username to the storage resource
800+
The access key/username to the storage resource.
801+
Optional when cloudProvider is set (auto-populated from CCO secret).
761802
$ref: "#/definitions/ValueOrRef"
762803
secretKey:
763804
description: |
764-
The secret key/password to the storage resource
805+
The secret key/password to the storage resource.
806+
Optional when cloudProvider is set (auto-populated from CCO secret).
765807
$ref: "#/definitions/ValueOrRef"
766808
bucket:
767809
type: string
