fix: reference secret in context

gravitee-io · a-cordier · Oct 11, 2022 · Oct 10, 2022 · Oct 13, 2022 · Oct 14, 2022
commit b54d9a721d28002c83fe2b72d8bbe04acfc87cba
@@ -15,10 +15,6 @@
 // +kubebuilder:object:generate=true
 package model
 
-import (
-	"net/http"
-)
-
 type ContextRef struct {
 	Name      string `json:"name"`
 	Namespace string `json:"namespace,omitempty"`
@@ -38,6 +34,7 @@ type Context struct {
 type Auth struct {
 	BearerToken string     `json:"bearerToken,omitempty"`
 	Credentials *BasicAuth `json:"credentials,omitempty"`
+	SecretRef   *SecretRef `json:"secretRef,omitempty"`
 }
 
 type BasicAuth struct {
@@ -47,23 +44,7 @@ type BasicAuth struct {
 	Password string `json:"password,omitempty"`
 }
 
-func (ctx Context) Authenticate(req *http.Request) {
-	if ctx.Auth == nil {
-		return
-	}
-
-	bearerToken := ctx.Auth.BearerToken
-	if bearerToken != "" {
-		req.Header.Add("Authorization", "Bearer "+bearerToken)
-	} else if ctx.Auth.Credentials != nil {
-		username := ctx.Auth.Credentials.Username
-		password := ctx.Auth.Credentials.Password
-		setBasicAuth(req, username, password)
-	}
-}
-
-func setBasicAuth(request *http.Request, username, password string) {
-	if username != "" {
-		request.SetBasicAuth(username, password)
-	}
+type SecretRef struct {
+	Name      string `json:"name"`
+	Namespace string `json:"namespace,omitempty"`
 }
@@ -17,6 +17,8 @@
 package v1alpha1
 
 import (
+	"net/http"
+
 	"github.com/gravitee-io/gravitee-kubernetes-operator/api/model"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -57,3 +59,42 @@ type ManagementContextList struct {
 func init() {
 	SchemeBuilder.Register(&ManagementContext{}, &ManagementContextList{})
 }
+
+func (ctx *ManagementContext) HasAuthentication() bool {
+	return ctx.Spec.Auth != nil
+}
+
+func (ctx *ManagementContext) HasSecretRef() bool {
+	if !ctx.HasAuthentication() {
+		return false
+	}
+
+	return ctx.Spec.Auth.SecretRef != nil
+}
+
+func (ctx *ManagementContext) Authenticate(req *http.Request) {
+	if !ctx.HasAuthentication() {
+		return
+	}
+
+	bearerToken := ctx.Spec.Auth.BearerToken
+	basicAuth := ctx.Spec.Auth.Credentials
+
+	if bearerToken != "" {
+		setBearerToken(req, bearerToken)
+	} else if basicAuth != nil {
+		setBasicAuth(req, basicAuth)
+	}
+}
+
+func setBearerToken(request *http.Request, token string) {
+	if token != "" {
+		request.Header.Add("Authorization", "Bearer "+token)
+	}
+}
+
+func setBasicAuth(request *http.Request, auth *model.BasicAuth) {
+	if auth != nil && auth.Username != "" {
+		request.SetBasicAuth(auth.Username, auth.Password)
+	}
+}
@@ -56,6 +56,15 @@ spec:
                       username:
                         type: string
                     type: object
+                  secretRef:
+                    properties:
+                      name:
+                        type: string
+                      namespace:
+                        type: string
+                    required:
+                    - name
+                    type: object
                 type: object
               baseUrl:
                 pattern: ^http(s?):\/\/.+$

diff --git a/config/samples/context/dev/managementcontext_secretRef.yaml b/config/samples/context/dev/managementcontext_secretRef.yaml
@@ -0,0 +1,28 @@
+# Copyright (C) 2015 The Gravitee team (http://gravitee.io)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Use this context if you are running APIM in K3d and GKO locally
+apiVersion: gravitee.io/v1alpha1
+kind: ManagementContext
+metadata:
+  name: dev-mgmt-ctx
+  namespace: default
+spec:
+  baseUrl: http://localhost:9000
+  environmentId: DEFAULT
+  organizationId: DEFAULT
+  auth:
+    secretRef:
+      name: apim-context-credentials
+      namespace: apim-dev
@@ -32,7 +32,6 @@ import (
 	"github.com/go-logr/logr"
 	gio "github.com/gravitee-io/gravitee-kubernetes-operator/api/v1alpha1"
 	"github.com/gravitee-io/gravitee-kubernetes-operator/controllers/apim/apidefinition/internal"
-	"github.com/gravitee-io/gravitee-kubernetes-operator/controllers/apim/managementcontext"
 	"github.com/gravitee-io/gravitee-kubernetes-operator/internal/utils"
 
 	"github.com/gravitee-io/gravitee-kubernetes-operator/pkg/keys"
@@ -91,7 +90,8 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 	event := utils.NewEvent(r.Recorder)
 
 	if apiDefinition.Spec.Context != nil {
-		managementContext, ctxErr := managementcontext.Get(ctx, r.Client, log, apiDefinition.Spec.Context)
+		managementContext, ctxErr := apisDelegate.ResolveContext(apiDefinition.Spec.Context)
+
 		if ctxErr != nil {
 			log.Error(ctxErr, "And error has occurred while trying to retrieve ManagementContext")
 			event.NormalEvent(

@@ -0,0 +1,64 @@
+// Copyright (C) 2015 The Gravitee team (http://gravitee.io)
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package internal
+
+import (
+	"github.com/gravitee-io/gravitee-kubernetes-operator/api/model"
+	gio "github.com/gravitee-io/gravitee-kubernetes-operator/api/v1alpha1"
+	coreV1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+const (
+	bearerTokenSecretKey = "bearerToken"
+	usernameSecretKey    = "username"
+	passwordSecretKey    = "password"
+)
+
+func (d *Delegate) ResolveContext(
+	contextRef *model.ContextRef,
+) (*gio.ManagementContext, error) {
+	apimContext := new(gio.ManagementContext)
+	ns := types.NamespacedName{Name: contextRef.Name, Namespace: contextRef.Namespace}
+
+	d.log.Info("Looking for context from", "namespace", contextRef.Namespace, "name", contextRef.Name)
+
+	if err := d.k8sClient.Get(d.ctx, ns, apimContext); err != nil {
+		return nil, err
+	}
+
+	if apimContext.HasSecretRef() {
+		secret := new(coreV1.Secret)
+		secretName := apimContext.Spec.Auth.SecretRef.Name
+		secretNameSpace := apimContext.Spec.Auth.SecretRef.Namespace
+		secretKey := types.NamespacedName{Name: secretName, Namespace: secretNameSpace}
+
+		if err := d.k8sClient.Get(d.ctx, secretKey, secret); err != nil {
+			return nil, err
+		}
+
+		bearerToken := string(secret.Data[bearerTokenSecretKey])
+		username := string(secret.Data[usernameSecretKey])
+		password := string(secret.Data[passwordSecretKey])
+
+		apimContext.Spec.Auth.BearerToken = bearerToken
+		apimContext.Spec.Auth.Credentials = &model.BasicAuth{
+			Username: username,
+			Password: password,
+		}
+	}
+
+	return apimContext, nil
+}
@@ -16,30 +16,49 @@ package managementcontext
 
 import (
 	"context"
+	"fmt"
 
-	"github.com/go-logr/logr"
+	log "github.com/go-logr/logr"
 	"github.com/gravitee-io/gravitee-kubernetes-operator/api/model"
 	gio "github.com/gravitee-io/gravitee-kubernetes-operator/api/v1alpha1"
+	coreV1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
 func Get(
 	ctx context.Context,
 	k8sClient client.Client,
-	log logr.Logger,
+	log log.Logger,
 	contextRef *model.ContextRef,
 ) (*gio.ManagementContext, error) {
 	apimContext := new(gio.ManagementContext)
 	ns := types.NamespacedName{Name: contextRef.Name, Namespace: contextRef.Namespace}
 
 	log.Info("Looking for context from", "namespace", contextRef.Namespace, "name", contextRef.Name)
 
-	err := k8sClient.Get(ctx, ns, apimContext)
-
-	if err != nil {
+	if err := k8sClient.Get(ctx, ns, apimContext); err != nil {
 		return nil, err
 	}
 
+	if apimContext.HasSecretRef() {
+		secret := new(coreV1.Secret)
+		secretName := apimContext.Spec.Auth.SecretRef.Name
+		secretNameSpace := apimContext.Spec.Auth.SecretRef.Namespace
+		secretKey := types.NamespacedName{Name: secretName, Namespace: secretNameSpace}
+
+		if err := k8sClient.Get(ctx, secretKey, secret); err != nil {
+			return nil, err
+		}
+
+		bearerToken, ok := secret.StringData["token"]
+
+		if !ok {
+			return nil, fmt.Errorf("token not found in secret %s/%s", secretNameSpace, secretName)
+		}
+
+		apimContext.Spec.Auth.BearerToken = bearerToken
+	}
+
 	return apimContext, nil
 }
@@ -3558,6 +3558,13 @@ ManagementContext represents the configuration for a Management API.
           <br/>
         </td>
         <td>false</td>
+      </tr><tr>
+        <td><b><a href="#managementcontextspecauthsecretref">secretRef</a></b></td>
+        <td>object</td>
+        <td>
+          <br/>
+        </td>
+        <td>false</td>
       </tr></tbody>
 </table>
 
@@ -3593,4 +3600,38 @@ ManagementContext represents the configuration for a Management API.
         </td>
         <td>false</td>
       </tr></tbody>
+</table>
+
+
+### ManagementContext.spec.auth.secretRef
+<sup><sup>[↩ Parent](#managementcontextspecauth)</sup></sup>
+
+
+
+
+
+<table>
+    <thead>
+        <tr>
+            <th>Name</th>
+            <th>Type</th>
+            <th>Description</th>
+            <th>Required</th>
+        </tr>
+    </thead>
+    <tbody><tr>
+        <td><b>name</b></td>
+        <td>string</td>
+        <td>
+          <br/>
+        </td>
+        <td>true</td>
+      </tr><tr>
+        <td><b>namespace</b></td>
+        <td>string</td>
+        <td>
+          <br/>
+        </td>
+        <td>false</td>
+      </tr></tbody>
 </table>
@@ -45,7 +45,7 @@ func newAuthenticatedRoundTripper(
 }
 
 func (t *AuthenticatedRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
-	t.apimCtx.Spec.Authenticate(req)
+	t.apimCtx.Authenticate(req)
 	return t.transport.RoundTrip(req)
 }