Merge pull request #12 from beezy-dev/vault

Vault

Author: romdalf

configuration/k8s/deploy/vault-pod-kleidi-kms.yaml

@@ -12,10 +12,11 @@ spec:
   hostNetwork: true
   containers:
     - name: kleidi-kms-plugin
-      image: ghcr.io/beezy-dev/kleidi-kms-plugin:vault-1283a8e
+      image: ghcr.io/beezy-dev/kleidi-kms-plugin:vault-dev
       imagePullPolicy: Always
       args:
         - -provider=hvault
+        - -debugmode=true
       resources:
         limits:
           cpu: 300m

configuration/k8s/encryption/vault-encryption-config.yaml

@@ -5,9 +5,4 @@ resources:
       - secrets
       - configmaps
     providers: 
-      - kms:
-          apiVersion: v2
-          name: kleidi-kms-plugin
-          endpoint: unix:///tmp/kleidi/kleidi-kms-plugin.socket
-          timeout: 5s    
       - identity: {}

configuration/kleidi/vault-config.json

@@ -1,6 +1,6 @@
 {
-  "Namespace": "",
-  "Transitkey": "kleidi",
-  "Vaultrole": "kleidi",
-  "Address": "http://10.89.0.1:8200" 
+  "namespace": "",
+  "transitkey": "kleidi",
+  "vaultrole": "kleidi",
+  "address": "http://10.89.0.1:8200" 
 }

configuration/testenv4kvault.sh

@@ -66,8 +66,9 @@ fi
 echo -ne ".OK (${NODEVERSION})\n"
 
 echo
-echo -e "  -> Creating a pre kleidi deployment Secret"
-kubectl create secret generic prekleidi -n default --from-literal=mykey=mydata
+echo -e "  -> Creating 990 pre kleidi deployment Secrets"
+# kubectl create secret generic prekleidi -n default --from-literal=mykey=mydata
+for i in {10..1000}; do kubectl create secret generic prekleidi$i --from-literal=mykey=mydata; done
 
 echo
 echo -e "  -> Creating kleidi k8s ServiceAccount/SA Secret/RBAC"
@@ -122,59 +123,74 @@ cp k8s/encryption/vault-encryption-config-with_kms.yaml k8s/encryption/vault-enc
 echo
 echo -e "  -> Trigger Kind k8s API server restart"
 kubectl delete -n kube-system pod/kube-apiserver-kleidi-vault-control-plane
-echo -e "  -> Sleeping for 10 seconds to allow kube-apiserver to restart"
-sleep 30
+echo -e "  -> Sleeping for 30 seconds to allow kube-apiserver to restart"
 
-echo 
-echo -e "  -> Checking a pre kleidi deployment Secret"
+# echo 
+# echo -e "  -> Checking a pre kleidi deployment Secret"
 # kubectl -n kube-system exec etcd-kleidi-vault-control-plane -- sh -c "ETCDCTL_ENDPOINTS='https://127.0.0.1:2379' ETCDCTL_CACERT='/etc/kubernetes/pki/etcd/ca.crt' ETCDCTL_CERT='/etc/kubernetes/pki/etcd/server.crt' ETCDCTL_KEY='/etc/kubernetes/pki/etcd/server.key' ETCDCTL_API=3 etcdctl get /registry/secrets/default/prekleidi" | hexdump -C
 
-if kubectl -n kube-system exec etcd-kleidi-vault-control-plane -- sh -c "ETCDCTL_ENDPOINTS='https://127.0.0.1:2379' ETCDCTL_CACERT='/etc/kubernetes/pki/etcd/ca.crt' ETCDCTL_CERT='/etc/kubernetes/pki/etcd/server.crt' ETCDCTL_KEY='/etc/kubernetes/pki/etcd/server.key' ETCDCTL_API=3 etcdctl get /registry/secrets/default/prekleidi" | hexdump -C | grep mydata;
-then 
-    echo -e "  unencrypted prekleidi Secret object found :)" 
-else 
-    echo -e "  /!\ no unencrypted prekleidi Secret object found!"
-fi 
+# if kubectl -n kube-system exec etcd-kleidi-vault-control-plane -- sh -c "ETCDCTL_ENDPOINTS='https://127.0.0.1:2379' ETCDCTL_CACERT='/etc/kubernetes/pki/etcd/ca.crt' ETCDCTL_CERT='/etc/kubernetes/pki/etcd/server.crt' ETCDCTL_KEY='/etc/kubernetes/pki/etcd/server.key' ETCDCTL_API=3 etcdctl get /registry/secrets/default/prekleidi" | hexdump -C | grep mydata;
+# then 
+#     echo -e "  unencrypted prekleidi Secret object found :)" 
+# else 
+#     echo -e "  /!\ no unencrypted prekleidi Secret object found!"
+# fi 
+
+rvho
+echo -e "  -> Checking a pre kleidi deployment Secret"
+for i in {10..1000}; do kubectl -n kube-system exec etcd-kleidi-vault-control-plane -- sh -c "ETCDCTL_ENDPOINTS='https://127.0.0.1:2379' ETCDCTL_CACERT='/etc/kubernetes/pki/etcd/ca.crt' ETCDCTL_CERT='/etc/kubernetes/pki/etcd/server.crt' ETCDCTL_KEY='/etc/kubernetes/pki/etcd/server.key' ETCDCTL_API=3 etcdctl get /registry/secrets/default/prekleidi$i" | hexdump -C | grep Opaque; done | wc -l
 
 echo
-echo -e "  -> Creating a post kleidi deployment Secret"
-kubectl create secret generic postkleidi -n default --from-literal=mykey=mydata
+echo -e "  -> Creating 990 post kleidi deployment Secrets"
+# kubectl create secret generic postkleidi -n default --from-literal=mykey=mydata
+for i in {10..1000}; do kubectl create secret generic postkleidi$i --from-literal=mykey=mydata; done
 
-echo 
-echo -e "  -> Checking a post kleidi deployment Secret"
+# echo 
+# echo -e "  -> Checking a post kleidi deployment Secret"
 # kubectl -n kube-system exec etcd-kleidi-vault-control-plane -- sh -c "ETCDCTL_ENDPOINTS='https://127.0.0.1:2379' ETCDCTL_CACERT='/etc/kubernetes/pki/etcd/ca.crt' ETCDCTL_CERT='/etc/kubernetes/pki/etcd/server.crt' ETCDCTL_KEY='/etc/kubernetes/pki/etcd/server.key' ETCDCTL_API=3 etcdctl get /registry/secrets/default/postkleidi" | hexdump -C
 
-if kubectl -n kube-system exec etcd-kleidi-vault-control-plane -- sh -c "ETCDCTL_ENDPOINTS='https://127.0.0.1:2379' ETCDCTL_CACERT='/etc/kubernetes/pki/etcd/ca.crt' ETCDCTL_CERT='/etc/kubernetes/pki/etcd/server.crt' ETCDCTL_KEY='/etc/kubernetes/pki/etcd/server.key' ETCDCTL_API=3 etcdctl get /registry/secrets/default/postkleidi" | hexdump -C | grep kms;
-then 
-    echo -e "  encrypted postkleidi Secret object found :)" 
-else 
-    echo -e "  /!\ no encrypted postkleidi Secret object found!"
-    exit
-fi 
+# if kubectl -n kube-system exec etcd-kleidi-vault-control-plane -- sh -c "ETCDCTL_ENDPOINTS='https://127.0.0.1:2379' ETCDCTL_CACERT='/etc/kubernetes/pki/etcd/ca.crt' ETCDCTL_CERT='/etc/kubernetes/pki/etcd/server.crt' ETCDCTL_KEY='/etc/kubernetes/pki/etcd/server.key' ETCDCTL_API=3 etcdctl get /registry/secrets/default/postkleidi" | hexdump -C | grep kms;
+
+# then 
+#     echo -e "  encrypted postkleidi Secret object found :)" 
+# else 
+#     echo -e "  /!\ no encrypted postkleidi Secret object found!"
+#     exit
+# fi 
+
+echo 
+echo -e "  -> Checking a post kleidi deployment Secret"
+for i in {10..1000}; do kubectl -n kube-system exec etcd-kleidi-vault-control-plane -- sh -c "ETCDCTL_ENDPOINTS='https://127.0.0.1:2379' ETCDCTL_CACERT='/etc/kubernetes/pki/etcd/ca.crt' ETCDCTL_CERT='/etc/kubernetes/pki/etcd/server.crt' ETCDCTL_KEY='/etc/kubernetes/pki/etcd/server.key' ETCDCTL_API=3 etcdctl get /registry/secrets/default/postkleidi$i" | hexdump -C | grep vault; done | wc -l
 
 echo 
 echo -e "  -> Performing replace of prekleidi"
-kubectl get secret prekleidi -o json | kubectl replace -f -
+# kubectl get secret prekleidi -o json | kubectl replace -f -
+for i in {10..1000}; do kubectl get secret prekleidi$i -o json | kubectl replace -f -; done
 
-echo -e "  -> Checking a pre kleidi Secret replace"
+
+# echo -e "  -> Checking a pre kleidi Secret replace"
 # kubectl -n kube-system exec etcd-kleidi-vault-control-plane -- sh -c "ETCDCTL_ENDPOINTS='https://127.0.0.1:2379' ETCDCTL_CACERT='/etc/kubernetes/pki/etcd/ca.crt' ETCDCTL_CERT='/etc/kubernetes/pki/etcd/server.crt' ETCDCTL_KEY='/etc/kubernetes/pki/etcd/server.key' ETCDCTL_API=3 etcdctl get /registry/secrets/default/prekleidi" | hexdump -C
 
-if kubectl -n kube-system exec etcd-kleidi-vault-control-plane -- sh -c "ETCDCTL_ENDPOINTS='https://127.0.0.1:2379' ETCDCTL_CACERT='/etc/kubernetes/pki/etcd/ca.crt' ETCDCTL_CERT='/etc/kubernetes/pki/etcd/server.crt' ETCDCTL_KEY='/etc/kubernetes/pki/etcd/server.key' ETCDCTL_API=3 etcdctl get /registry/secrets/default/prekleidi" | hexdump -C |grep kms;
-then 
-    echo -e "  encrypted prekleidi Secret object found :)" 
-else 
-    echo -e "  /!\ no encrypted prekleidi Secret object found!"
-fi 
+# if kubectl -n kube-system exec etcd-kleidi-vault-control-plane -- sh -c "ETCDCTL_ENDPOINTS='https://127.0.0.1:2379' ETCDCTL_CACERT='/etc/kubernetes/pki/etcd/ca.crt' ETCDCTL_CERT='/etc/kubernetes/pki/etcd/server.crt' ETCDCTL_KEY='/etc/kubernetes/pki/etcd/server.key' ETCDCTL_API=3 etcdctl get /registry/secrets/default/prekleidi" | hexdump -C |grep kms;
+# then 
+#     echo -e "  encrypted prekleidi Secret object found :)" 
+# else 
+#     echo -e "  /!\ no encrypted prekleidi Secret object found!"
+# fi 
 
-# echo
-# echo -e "  -> Cleaning any existing vault test env"
-# killall -9 vault ||true
+echo
+echo -e "  -> Checking a pre kleidi Secret replace"
+for i in {10..1000}; do kubectl -n kube-system exec etcd-kleidi-vault-control-plane -- sh -c "ETCDCTL_ENDPOINTS='https://127.0.0.1:2379' ETCDCTL_CACERT='/etc/kubernetes/pki/etcd/ca.crt' ETCDCTL_CERT='/etc/kubernetes/pki/etcd/server.crt' ETCDCTL_KEY='/etc/kubernetes/pki/etcd/server.key' ETCDCTL_API=3 etcdctl get /registry/secrets/default/prekleidi$i" | hexdump -C | grep vault; done | wc -l
 
-# echo
-# echo -e "  -> Cleaning any existing kind test env" 
-# kind delete cluster --name kleidi-vault
+echo
+echo -e "  -> Cleaning any existing vault test env"
+killall -9 vault ||true
 
-# echo
-# echo -e "  -> Cleaning vault-encryption-config.yaml"
-# cp k8s/encryption/vault-encryption-config-bkp.yaml k8s/encryption/vault-encryption-config.yaml
+echo
+echo -e "  -> Cleaning any existing kind test env" 
+kind delete cluster --name kleidi-vault
+
+echo
+echo -e "  -> Cleaning vault-encryption-config.yaml"
+cp k8s/encryption/vault-encryption-config-bkp.yaml k8s/encryption/vault-encryption-config.yaml
 

internal/providers/constants.go

@@ -1,5 +1,6 @@
 package providers
 
 const (
-	keyID = "kleidi-kms-plugin"
+	keyID         = "kleidi-kms-plugin"
+	annotationKey = "v2.kleidi.beezy.dev"
 )

internal/providers/hvault.go

@@ -23,12 +23,12 @@ var _ service.Service = &hvaultRemoteService{}
 type hvaultRemoteService struct {
 	*api.Client
 
-	keyID      string
-	debug      bool
-	Address    string `json:"Address"`
-	Transitkey string `json:"Transitkey"`
-	Vaultrole  string `json:"Vaultrole"`
-	Namespace  string `json:"Namespace"`
+	// keyID      string
+	Debug      bool
+	Namespace  string `json:"namespace"`
+	Transitkey string `json:"transitkey"`
+	Vaultrole  string `json:"vaultrole"`
+	Address    string `json:"address"`
 }
 
 func NewVaultClientRemoteService(configFilePath string, debug bool) (service.Service, error) {
@@ -45,20 +45,29 @@ func NewVaultClientRemoteService(configFilePath string, debug bool) (service.Ser
 		log.Println("DEBUG: verifying keyID:", keyID)
 	}
 
-	vaultService := &hvaultRemoteService{
-		keyID: keyID,
-		debug: debug,
-	}
+	// vaultService := &hvaultRemoteService{
+	// 	// keyID: keyID,
+	// 	Debug: debug,
+	// }
 
+	vaultService := &hvaultRemoteService{}
+	vaultService.Debug = debug
 	json.Unmarshal(([]byte(ctx)), &vaultService)
+
 	vaultconfig := api.DefaultConfig()
 	vaultconfig.Address = vaultService.Address
 
 	keypath := fmt.Sprintf("transit/keys/%s", vaultService.Transitkey)
 
 	if debug {
 		log.Println("DEBUG:--------------------------------------------------")
-		log.Println("DEBUG: unmarshal JSON values:", "\n                    -> vaultService.Address:", vaultService.Address, "\n                    -> vaultService.Trasitkey:", vaultService.Transitkey, "\n                    -> vaultService.Vaultrole:", vaultService.Vaultrole, "\n                    -> vaultService.Namespace:", vaultService.Namespace, "\n                    -> keypath:", keypath)
+		log.Println("DEBUG: unmarshal JSON values:",
+			"\n                    -> vaultService.debug", vaultService.Debug,
+			"\n                    -> vaultService.Address:", vaultService.Address,
+			"\n                    -> vaultService.Transitkey:", vaultService.Transitkey,
+			"\n                    -> vaultService.Vaultrole:", vaultService.Vaultrole,
+			"\n                    -> vaultService.Namespace:", vaultService.Namespace,
+			"\n                    -> keypath:", keypath)
 	}
 
 	client, err := api.NewClient(vaultconfig)
@@ -92,9 +101,10 @@ func NewVaultClientRemoteService(configFilePath string, debug bool) (service.Ser
 		log.Fatalln("EXIT:authInfo: no kubernetes auth info was returned after login")
 	}
 
-	vaultService = &hvaultRemoteService{
-		Client: client,
-	}
+	// vaultService = &hvaultRemoteService{
+	// 	Client: client,
+	// }
+	vaultService.Client = client
 
 	client.SetNamespace(vaultService.Namespace)
 
@@ -115,12 +125,20 @@ func NewVaultClientRemoteService(configFilePath string, debug bool) (service.Ser
 
 func (s *hvaultRemoteService) Encrypt(ctx context.Context, uid string, plaintext []byte) (*service.EncryptResponse, error) {
 
-	if s.debug {
+	if s.Debug {
 		log.Println("DEBUG:--------------------------------------------------")
 		log.Println("DEBUG: unencrypted payload:", string([]byte(plaintext)))
 		log.Println("DEBUG:--------------------------------------------------")
 	}
 
+	log.Println("DEBUG:--------------------------------------------------")
+	log.Println("DEBUG: unmarshal JSON values:",
+		"\n                    -> vaultService.debug", s.Debug,
+		"\n                    -> vaultService.Address:", s.Address,
+		"\n                    -> vaultService.Transitkey:", s.Transitkey,
+		"\n                    -> vaultService.Vaultrole:", s.Vaultrole,
+		"\n                    -> vaultService.Namespace:", s.Namespace)
+
 	enckeypath := fmt.Sprintf("transit/encrypt/%s", s.Transitkey)
 	// keypath := "transit/encrypt/kleidi"
 	encodepayload := map[string]interface{}{
@@ -130,7 +148,11 @@ func (s *hvaultRemoteService) Encrypt(ctx context.Context, uid string, plaintext
 	encrypt, err := s.Logical().WriteWithContext(ctx, enckeypath, encodepayload)
 	if err != nil {
 		log.Println("--------------------------------------------------------")
-		log.Println("DEBUG:encrypt:", "\nplaintext:", string([]byte(plaintext)), "\nkeypath:", enckeypath, "\nencodepayload:", encodepayload)
+		log.Println("DEBUG:encrypt:",
+			"\n debug:", s.Debug,
+			"\nplaintext:", string([]byte(plaintext)),
+			"\nkeypath:", enckeypath,
+			"\nencodepayload:", encodepayload)
 		log.Println("--------------------------------------------------------")
 		log.Fatalln("EXIT:encrypt: with error:\n", err.Error())
 	}

internal/providers/pkcs11.go

@@ -16,10 +16,6 @@ import (
 	"k8s.io/kms/pkg/service"
 )
 
-const (
-	annotationKey = "v2.kleidi.beezy.dev"
-)
-
 var _ service.Service = &pkcs11RemoteService{}
 
 type pkcs11RemoteService struct {

results.sarif

@@ -38,13 +38,13 @@
 								},
 								"region": {
 									"endColumn": 2,
-									"endLine": 53,
+									"endLine": 55,
 									"snippet": {
 										"text": "json.Unmarshal(([]byte(ctx)), \u0026vaultService)"
 									},
 									"sourceLanguage": "go",
 									"startColumn": 2,
-									"startLine": 53
+									"startLine": 55
 								}
 							}
 						}

scripts/prd/vault/manifests/vault-encryption-config.yaml

@@ -5,4 +5,9 @@ resources:
       - secrets
       - configmaps
     providers: 
+      - kms:
+          apiVersion: v2
+          name: kleidi-kms-plugin
+          endpoint: unix:///tmp/kleidi/kleidi-kms-plugin.socket
+          timeout: 5s    
       - identity: {}

scripts/prd/vault/manifests/vault-pod-kleidi-kms.yaml

@@ -12,7 +12,7 @@ spec:
   hostNetwork: true
   containers:
     - name: kleidi-kms-plugin
-      image: ghcr.io/beezy-dev/kleidi-kms-plugin:vault-1283a8e
+      image: ghcr.io/beezy-dev/kleidi-kms-plugin:vault-00547ab
       imagePullPolicy: Always
       args:
         - -provider=hvault