Configure Authn client with annotations (#366)

* Configure authenticator with annotations * Supply custom env to Authn config settings retrieval * Update Integration test case 4 * Pin Authn client dep to cyberark/conjur-authn-k8s-client@5ca2371 This will included unreleased functionality allowing the authn client to be configured using arbitrary sources.
cyberark · Oct 18, 2021 · b692ecc · b692ecc
1 parent 561a30f
commit b692ecc
Show file tree

Hide file tree

Showing 5 changed files with 71 additions and 21 deletions.
diff --git a/cmd/secrets-provider/main.go b/cmd/secrets-provider/main.go
@@ -2,6 +2,7 @@ package main
 
 import (
 	"fmt"
+	"io/ioutil"
 	"os"
 	"time"
 
@@ -18,39 +19,44 @@ import (
 	"github.com/cyberark/secrets-provider-for-k8s/pkg/utils"
 )
 
-const annotationsFile = "/conjur/podinfo/annotations"
+const (
+	annotationsFile      = "/conjur/podinfo/annotations"
+	defaultContainerMode = "init"
+)
+
+var annotationsMap map[string]string
+
+var envAnnotationsConversion = map[string]string{
+	"CONJUR_AUTHN_LOGIN":  "conjur.org/authn-identity",
+	"CONTAINER_MODE":      "conjur.org/container-mode",
+	"SECRETS_DESTINATION": "conjur.org/secrets-destination",
+	"K8S_SECRETS":         "conjur.org/k8s-secrets",
+	"RETRY_COUNT_LIMIT":   "conjur.org/retry-count-limit",
+	"RETRY_INTERVAL_SEC":  "conjur.org/retry-interval-sec",
+	"DEBUG":               "conjur.org/debug-logging",
+}
 
 func main() {
 	var err error
 
 	log.Info(messages.CSPFK008I, secrets.FullVersionName)
 
-	// Initialize authn configuration
-	authnConfig, err := authnConfigProvider.NewFromEnv()
-	if err != nil {
-		printErrorAndExit(messages.CSPFK008E)
-	}
-
-	validateContainerMode(authnConfig.ContainerMode)
-
-	annotationsMap := map[string]string{}
 	if _, err := os.Stat(annotationsFile); err == nil {
 		annotationsMap, err = annotations.NewAnnotationsFromFile(annotationsFile)
 		if err != nil {
 			printErrorAndExit(messages.CSPFK040E)
 		}
-	}
 
-	errLogs, infoLogs := secretsConfigProvider.ValidateAnnotations(annotationsMap)
-	logErrorsAndConditionalExit(errLogs, infoLogs, messages.CSPFK049E)
-
-	secretsProviderSettings := secretsConfigProvider.GatherSecretsProviderSettings(annotationsMap)
+		errLogs, infoLogs := secretsConfigProvider.ValidateAnnotations(annotationsMap)
+		logErrorsAndConditionalExit(errLogs, infoLogs, messages.CSPFK049E)
+	}
 
-	errLogs, infoLogs = secretsConfigProvider.ValidateSecretsProviderSettings(secretsProviderSettings)
-	logErrorsAndConditionalExit(errLogs, infoLogs, messages.CSPFK015E)
+	// Initialize Authenticator configuration
+	authnConfig := setupAuthnConfig()
+	validateContainerMode(authnConfig.ContainerMode)
 
 	// Initialize Secrets Provider configuration
-	secretsConfig := secretsConfigProvider.NewConfig(secretsProviderSettings)
+	secretsConfig := setupSecretsConfig()
 
 	provideConjurSecrets, err := secrets.GetProvideConjurSecretFunc(secretsConfig.StoreType)
 	if err != nil {
@@ -92,6 +98,45 @@ func main() {
 	}
 }
 
+func setupAuthnConfig() *authnConfigProvider.Config {
+	// Provides a custom env for authenticator settings retrieval.
+	// Log the origin of settings which have multiple possible sources.
+	customEnv := func(key string) string {
+		if annotation, ok := envAnnotationsConversion[key]; ok {
+			if value := annotationsMap[annotation]; value != "" {
+				log.Info(messages.CSPFK014I, key, fmt.Sprintf("annotation %s", annotation))
+				return value
+			}
+
+			if value := os.Getenv(key); value == "" && key == "CONTAINER_MODE" {
+				log.Info(messages.CSPFK014I, key, "default")
+				return defaultContainerMode
+			}
+
+			log.Info(messages.CSPFK014I, key, "environment")
+		}
+
+		return os.Getenv(key)
+	}
+
+	log.Info(messages.CSPFK013I)
+	authnSettings := authnConfigProvider.GatherSettings(customEnv)
+
+	errLogs := authnSettings.Validate(ioutil.ReadFile)
+	logErrorsAndConditionalExit(errLogs, nil, messages.CSPFK008E)
+
+	return authnSettings.NewConfig()
+}
+
+func setupSecretsConfig() *secretsConfigProvider.Config {
+	secretsProviderSettings := secretsConfigProvider.GatherSecretsProviderSettings(annotationsMap)
+
+	errLogs, infoLogs := secretsConfigProvider.ValidateSecretsProviderSettings(secretsProviderSettings)
+	logErrorsAndConditionalExit(errLogs, infoLogs, messages.CSPFK015E)
+
+	return secretsConfigProvider.NewConfig(secretsProviderSettings)
+}
+
 func provideSecretsToTarget(authn *authenticator.Authenticator, provideConjurSecrets secrets.ProvideConjurSecrets,
 	accessToken *memory.AccessToken, secretsConfig *secretsConfigProvider.Config) error {
 	log.Info(fmt.Sprintf(messages.CSPFK001I, authn.Config.Username))

diff --git a/deploy/test/test_cases/TEST_ID_4_CONTAINER_MODE_not_exist.sh b/deploy/test/test_cases/TEST_ID_4_CONTAINER_MODE_not_exist.sh
@@ -9,7 +9,8 @@ echo "Deploying test_env without CONTAINER_MODE envrionment variable"
 export CONTAINER_MODE_KEY_VALUE=$KEY_VALUE_NOT_EXIST
 deploy_init_env
 
-echo "Expecting secrets provider to fail with error 'CSPFK007E Setting SECRETS_DESTINATION environment variable to 'k8s_secrets' must run as init container'"
+echo "Expecting secrets provider to succeed as an init container"
 pod_name="$(get_pod_name "$APP_NAMESPACE_NAME" 'app=test-env')"
 
-$cli_with_timeout "logs $pod_name -c cyberark-secrets-provider-for-k8s | grep CSPFK007E"
+$cli_with_timeout "logs $pod_name -c cyberark-secrets-provider-for-k8s | grep \"CSPFK014I Authenticator setting CONTAINER_MODE provided by default\""
+verify_secret_value_in_pod $pod_name TEST_SECRET supersecret
diff --git a/go.mod b/go.mod
@@ -5,7 +5,7 @@ go 1.15
 require (
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/cyberark/conjur-api-go v0.8.0
-	github.com/cyberark/conjur-authn-k8s-client v0.19.1
+	github.com/cyberark/conjur-authn-k8s-client v0.22.1-0.20211013211359-5ca23711965d
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/googleapis/gnostic v0.3.1 // indirect
 	github.com/json-iterator/go v1.1.9 // indirect

diff --git a/go.sum b/go.sum
@@ -12,6 +12,8 @@ github.com/cyberark/conjur-authn-k8s-client v0.19.1 h1:/o7De4Br4p1j2p9gOPQuurkdj
 github.com/cyberark/conjur-authn-k8s-client v0.19.1/go.mod h1:tD6+rie3c7LFclihIzg12vVK6+yKm0NB+3+0Pmau/A4=
 github.com/cyberark/conjur-authn-k8s-client v0.22.0 h1:ZAY96+k0UR4ABp2QBcjkUCXgF/scNC+ItR19tAY9yKM=
 github.com/cyberark/conjur-authn-k8s-client v0.22.0/go.mod h1:tD6+rie3c7LFclihIzg12vVK6+yKm0NB+3+0Pmau/A4=
+github.com/cyberark/conjur-authn-k8s-client v0.22.1-0.20211013211359-5ca23711965d h1:Ix6ya+uGlacPZ44qZ2mhxixjZxu1X89YxX+Kl8twDX8=
+github.com/cyberark/conjur-authn-k8s-client v0.22.1-0.20211013211359-5ca23711965d/go.mod h1:84L7z7UqBBxesjmbkUjcElGzJEPmoMLmtgWlClK8RN0=
 github.com/cyberark/secrets-provider-for-k8s v1.1.5 h1:ntoCJ+lEopdbda2XO/B0bjoxBaGdZ+imdhNNSoVnqiA=
 github.com/cyberark/secrets-provider-for-k8s v1.1.5/go.mod h1:JvqaYzj+2XdzDVb6clEh0+ppzpj48oiMTW3UGGXGs6A=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=

diff --git a/pkg/log/messages/info_messages.go b/pkg/log/messages/info_messages.go
@@ -24,3 +24,5 @@ const CSPFK009I string = "CSPFK009I DAP/Conjur Secrets updated in Kubernetes suc
 const CSPFK010I string = "CSPFK010I Updating Kubernetes Secrets: %d retries out of %d"
 const CSPFK011I string = "CSPFK011I Annotation '%s' valid, but not recognized"
 const CSPFK012I string = "CSPFK012I Secrets Provider setting '%s' set by both environment variable '%s' and annotation '%s'"
+const CSPFK013I string = "CSPFK013I Gathering settings for Authenticator client configuration..."
+const CSPFK014I string = "CSPFK014I Authenticator setting %s provided by %s"