Renamed annotations

Signed-off-by: Maksim Kiselev <maksim.kiselev@flant.com>
deckhouse · Jun 28, 2024 · 60468fd · 60468fd
1 parent 5af2c9d
commit 60468fd
Show file tree

Hide file tree

Showing 6 changed files with 65 additions and 221 deletions.
diff --git a/docs/USAGE_RU.md b/docs/USAGE_RU.md
@@ -83,7 +83,8 @@ metadata:
   name: myapp1
   namespace: my-namespace
   annotations:
-    stronghold.deckhouse.io/env-from-path: secret/data/myapp
+    secret-store.deckhouse.io/role: "myapp"
+    secret-store.deckhouse.io/env-from-path: secret/data/myapp
 spec:
   serviceAccountName: myapp
   containers:
@@ -121,6 +122,8 @@ apiVersion: v1
 metadata:
   name: myapp2
   namespace: my-namespace
+  annotations:
+    secret-store.deckhouse.io/role: "myapp"
 spec:
   serviceAccountName: myapp
   containers:

diff --git a/images/env-injector/injector.go b/images/env-injector/injector.go
@@ -66,7 +66,7 @@ func NewSecretInjector(config Config, client *vault.Client, renewer SecretRenewe
 	}
 }
 
-var inlineMutationRegex = regexp.MustCompile(`\${([>]{0,2}stronghold:.*?#*}?)}`)
+var inlineMutationRegex = regexp.MustCompile(`\${([>]{0,2}secret-store:.*?#*}?)}`)
 
 func (i *SecretInjector) FetchTransitSecrets(secrets []string) (map[string][]byte, error) {
 	if len(i.config.TransitKeyID) == 0 {
@@ -204,20 +204,20 @@ func (i *SecretInjector) InjectSecretsFromVault(references map[string]string, in
 		}
 
 		var update bool
-		if strings.HasPrefix(value, ">>stronghold:") {
+		if strings.HasPrefix(value, ">>secret-store:") {
 			value = strings.TrimPrefix(value, ">>")
 			update = true
 		} else {
 			update = false
 		}
 
-		if !strings.HasPrefix(value, "stronghold:") {
+		if !strings.HasPrefix(value, "secret-store:") {
 			inject(name, value)
 
 			continue
 		}
 
-		valuePath := strings.TrimPrefix(value, "stronghold:")
+		valuePath := strings.TrimPrefix(value, "secret-store:")
 
 		// handle special case for vault:login env value
 		// namely pass through the VAULT_TOKEN received from the Vault login procedure

diff --git a/images/vault-secrets-webhook/pkg/common/common.go b/images/vault-secrets-webhook/pkg/common/common.go
@@ -23,43 +23,24 @@ import (
 const (
 	// Webhook annotations
 	// ref: https://bank-vaults.dev/docs/mutating-webhook/annotations/
-	PSPAllowPrivilegeEscalationAnnotation = "stronghold.deckhouse.io/psp-allow-privilege-escalation"
-	RunAsNonRootAnnotation                = "stronghold.deckhouse.io/run-as-non-root"
-	RunAsUserAnnotation                   = "stronghold.deckhouse.io/run-as-user"
-	RunAsGroupAnnotation                  = "stronghold.deckhouse.io/run-as-group"
-	ReadOnlyRootFsAnnotation              = "stronghold.deckhouse.io/readonly-root-fs"
-	RegistrySkipVerifyAnnotation          = "stronghold.deckhouse.io/registry-skip-verify"
-	MutateAnnotation                      = "stronghold.deckhouse.io/mutate"
-	MutateProbesAnnotation                = "stronghold.deckhouse.io/mutate-probes"
-
-	EnableJSONLogAnnotation = "stronghold.deckhouse.io/enable-json-log"
-	// SecretInitJSONLogAnnotation = "stronghold.deckhouse.io/secret-init-json-log"
-	VaultEnvImageAnnotation = "stronghold.deckhouse.io/env-injector-image"
-	// SecretInitImageAnnotation = "stronghold.deckhouse.io/secret-init-image"
-	VaultEnvImagePullPolicyAnnotation = "stronghold.deckhouse.io/env-injector-image-pull-policy"
-	// SecretInitImagePullPolicyAnnotation = "stronghold.deckhouse.io/secret-init-image-pull-policy"
+	MutateProbesAnnotation                = "secret-store.deckhouse.io/mutate-probes"
 
+	EnableJSONLogAnnotation = "secret-store.deckhouse.io/enable-json-log"
 	// Vault annotations
-	VaultAddrAnnotation                     = "stronghold.deckhouse.io/addr"
-	VaultRoleAnnotation                     = "stronghold.deckhouse.io/role"
-	VaultPathAnnotation                     = "stronghold.deckhouse.io/auth-path"
-	VaultSkipVerifyAnnotation               = "stronghold.deckhouse.io/tls-skip-verify"
-	VaultTLSSecretAnnotation                = "stronghold.deckhouse.io/tls-secret"
-	VaultIgnoreMissingSecretsAnnotation     = "stronghold.deckhouse.io/ignore-missing-secrets"
-	VaultClientTimeoutAnnotation            = "stronghold.deckhouse.io/client-timeout"
-	TransitKeyIDAnnotation                  = "stronghold.deckhouse.io/transit-key-id"
-	TransitPathAnnotation                   = "stronghold.deckhouse.io/transit-path"
-	VaultAuthMethodAnnotation               = "stronghold.deckhouse.io/auth-method"
-	TransitBatchSizeAnnotation              = "stronghold.deckhouse.io/transit-batch-size"
-	VaultServiceaccountAnnotation           = "stronghold.deckhouse.io/serviceaccount"
-	VaultNamespaceAnnotation                = "stronghold.deckhouse.io/namespace"
-	ServiceAccountTokenVolumeNameAnnotation = "stronghold.deckhouse.io/service-account-token-volume-name"
-	LogLevelAnnotation                      = "stronghold.deckhouse.io/log-level"
-	VaultEnvPassthroughAnnotation = "stronghold.deckhouse.io/vault-env-passthrough"
-	VaultEnvFromPathAnnotation = "stronghold.deckhouse.io/env-from-path"
+	VaultAddrAnnotation                     = "secret-store.deckhouse.io/addr"
+	VaultRoleAnnotation                     = "secret-store.deckhouse.io/role"
+	VaultPathAnnotation                     = "secret-store.deckhouse.io/auth-path"
+	VaultSkipVerifyAnnotation               = "secret-store.deckhouse.io/tls-skip-verify"
+	VaultTLSSecretAnnotation                = "secret-store.deckhouse.io/tls-secret"
+	VaultIgnoreMissingSecretsAnnotation     = "secret-store.deckhouse.io/ignore-missing-secrets"
+	VaultClientTimeoutAnnotation            = "secret-store.deckhouse.io/client-timeout"
+	VaultNamespaceAnnotation                = "secret-store.deckhouse.io/namespace"
+	ServiceAccountTokenVolumeNameAnnotation = "secret-store.deckhouse.io/service-account-token-volume-name"
+	LogLevelAnnotation                      = "secret-store.deckhouse.io/log-level"
+	VaultEnvFromPathAnnotation = "secret-store.deckhouse.io/env-from-path"
 
 )
 
 func HasVaultPrefix(value string) bool {
-	return strings.HasPrefix(value, "stronghold:") || strings.HasPrefix(value, ">>stronghold:")
+	return strings.HasPrefix(value, "secret-store:") || strings.HasPrefix(value, ">>secret-store:")
 }
diff --git a/images/vault-secrets-webhook/pkg/webhook/config.go b/images/vault-secrets-webhook/pkg/webhook/config.go
@@ -75,51 +75,16 @@ func parseVaultConfig(obj metav1.Object, ar *model.AdmissionReview) VaultConfig
 
 	annotations := obj.GetAnnotations()
 
-	if val := annotations[common.MutateAnnotation]; val == "skip" {
-		vaultConfig.Skip = true
-
-		return vaultConfig
-	}
-
-	if val, ok := annotations[common.VaultAddrAnnotation]; ok {
-		vaultConfig.Addr = val
-	} else {
-		vaultConfig.Addr = viper.GetString("addr")
-	}
-
 	if val, ok := annotations[common.VaultRoleAnnotation]; ok {
 		vaultConfig.Role = val
 	} else {
-		if val := viper.GetString("role"); val != "" {
-			vaultConfig.Role = val
-		} else {
-			switch p := obj.(type) {
-			case *corev1.Pod:
-				vaultConfig.Role = p.Spec.ServiceAccountName
-			default:
-				vaultConfig.Role = "default"
-			}
-		}
-	}
-
-	if val, ok := annotations[common.VaultAuthMethodAnnotation]; ok {
-		vaultConfig.AuthMethod = val
-	} else {
-		vaultConfig.AuthMethod = viper.GetString("auth_method")
+		vaultConfig.Skip = true
+		return vaultConfig
 	}
 
-	if val, ok := annotations[common.VaultPathAnnotation]; ok {
-		vaultConfig.Path = val
-	} else {
-		vaultConfig.Path = viper.GetString("auth_path")
-	}
-
-	// TODO: Check for flag to verify we want to use namespace-local SAs instead of the vault webhook namespaces SA
-	if val, ok := annotations[common.VaultServiceaccountAnnotation]; ok {
-		vaultConfig.VaultServiceAccount = val
-	} else {
-		vaultConfig.VaultServiceAccount = viper.GetString("serviceaccount")
-	}
+	vaultConfig.Addr = viper.GetString("addr")
+	vaultConfig.AuthMethod = "jwt"
+	vaultConfig.Path = viper.GetString("auth_path")
 
 	if val, ok := annotations[common.VaultSkipVerifyAnnotation]; ok {
 		vaultConfig.SkipVerify, _ = strconv.ParseBool(val)
@@ -139,60 +104,23 @@ func parseVaultConfig(obj metav1.Object, ar *model.AdmissionReview) VaultConfig
 		vaultConfig.ClientTimeout, _ = time.ParseDuration(viper.GetString("client_timeout"))
 	}
 
-	if val, ok := annotations[common.ServiceAccountTokenVolumeNameAnnotation]; ok {
-		vaultConfig.ServiceAccountTokenVolumeName = val
-	} else if viper.GetString("SERVICE_ACCOUNT_TOKEN_VOLUME_NAME") != "" {
-		vaultConfig.ServiceAccountTokenVolumeName = viper.GetString("SERVICE_ACCOUNT_TOKEN_VOLUME_NAME")
-	} else {
-		vaultConfig.ServiceAccountTokenVolumeName = "/var/run/secrets/kubernetes.io/serviceaccount"
-	}
+	vaultConfig.ServiceAccountTokenVolumeName = "/var/run/secrets/kubernetes.io/serviceaccount"
 
 	if val, ok := annotations[common.VaultIgnoreMissingSecretsAnnotation]; ok {
 		vaultConfig.IgnoreMissingSecrets = val
 	} else {
 		vaultConfig.IgnoreMissingSecrets = viper.GetString("ignore_missing_secrets")
 	}
-	if val, ok := annotations[common.VaultEnvPassthroughAnnotation]; ok {
-		vaultConfig.VaultEnvPassThrough = val
-	} else {
-		vaultConfig.VaultEnvPassThrough = viper.GetString("vault_env_passthrough")
-	}
 
-	if val, ok := annotations[common.PSPAllowPrivilegeEscalationAnnotation]; ok {
-		vaultConfig.PspAllowPrivilegeEscalation, _ = strconv.ParseBool(val)
-	} else {
-		vaultConfig.PspAllowPrivilegeEscalation, _ = strconv.ParseBool(viper.GetString("psp_allow_privilege_escalation"))
-	}
+	vaultConfig.PspAllowPrivilegeEscalation = false
+	vaultConfig.RunAsNonRoot = true
 
-	if val, ok := annotations[common.RunAsNonRootAnnotation]; ok {
-		vaultConfig.RunAsNonRoot, _ = strconv.ParseBool(val)
-	} else {
-		vaultConfig.RunAsNonRoot, _ = strconv.ParseBool(viper.GetString("run_as_non_root"))
-	}
-
-	if val, ok := annotations[common.RunAsUserAnnotation]; ok {
-		vaultConfig.RunAsUser, _ = strconv.ParseInt(val, 10, 64)
-	} else {
-		vaultConfig.RunAsUser, _ = strconv.ParseInt(viper.GetString("run_as_user"), 0, 64)
-	}
-
-	if val, ok := annotations[common.RunAsGroupAnnotation]; ok {
-		vaultConfig.RunAsGroup, _ = strconv.ParseInt(val, 10, 64)
-	} else {
-		vaultConfig.RunAsGroup, _ = strconv.ParseInt(viper.GetString("run_as_group"), 0, 64)
-	}
+	vaultConfig.RunAsUser = 64535
+	vaultConfig.RunAsGroup = 64535
 
-	if val, ok := annotations[common.ReadOnlyRootFsAnnotation]; ok {
-		vaultConfig.ReadOnlyRootFilesystem, _ = strconv.ParseBool(val)
-	} else {
-		vaultConfig.ReadOnlyRootFilesystem, _ = strconv.ParseBool(viper.GetString("readonly_root_fs"))
-	}
+	vaultConfig.ReadOnlyRootFilesystem = true
 
-	if val, ok := annotations[common.RegistrySkipVerifyAnnotation]; ok {
-		vaultConfig.RegistrySkipVerify, _ = strconv.ParseBool(val)
-	} else {
-		vaultConfig.RegistrySkipVerify, _ = strconv.ParseBool(viper.GetString("registry_skip_verify"))
-	}
+	vaultConfig.RegistrySkipVerify = true
 
 	if val, ok := annotations[common.LogLevelAnnotation]; ok {
 		vaultConfig.LogLevel = val
@@ -206,81 +134,31 @@ func parseVaultConfig(obj metav1.Object, ar *model.AdmissionReview) VaultConfig
 		vaultConfig.EnableJSONLog = viper.GetString("enable_json_log")
 	}
 
-	if val, ok := annotations[common.TransitKeyIDAnnotation]; ok {
-		vaultConfig.TransitKeyID = val
-	} else {
-		vaultConfig.TransitKeyID = viper.GetString("transit_key_id")
-	}
-
-	if val, ok := annotations[common.TransitPathAnnotation]; ok {
-		vaultConfig.TransitPath = val
-	} else {
-		vaultConfig.TransitPath = viper.GetString("transit_path")
-	}
-
 	if val, ok := annotations[common.VaultEnvFromPathAnnotation]; ok {
 		vaultConfig.VaultEnvFromPath = val
 	}
 
-	if val, ok := annotations[common.VaultEnvImageAnnotation]; ok {
-		vaultConfig.EnvImage = val
-	} else {
-		vaultConfig.EnvImage = viper.GetString("env_injector_image")
-	}
+	vaultConfig.EnvImage = viper.GetString("env_injector_image")
 
 	vaultConfig.EnvLogServer = viper.GetString("VAULT_ENV_LOG_SERVER")
 
-	if val, ok := annotations[common.VaultEnvImagePullPolicyAnnotation]; ok {
-		vaultConfig.EnvImagePullPolicy = getPullPolicy(val)
-	} else {
-		vaultConfig.EnvImagePullPolicy = getPullPolicy(viper.GetString("env_injector_pull_policy"))
-	}
-
 	if val, ok := annotations[common.VaultNamespaceAnnotation]; ok {
 		vaultConfig.VaultNamespace = val
 	} else {
 		vaultConfig.VaultNamespace = viper.GetString("VAULT_NAMESPACE")
 	}
 
-	if val, err := resource.ParseQuantity(viper.GetString("VAULT_ENV_CPU_REQUEST")); err == nil {
-		vaultConfig.EnvCPURequest = val
-	} else {
-		vaultConfig.EnvCPURequest = resource.MustParse("50m")
-	}
-
-	if val, err := resource.ParseQuantity(viper.GetString("VAULT_ENV_MEMORY_REQUEST")); err == nil {
-		vaultConfig.EnvMemoryRequest = val
-	} else {
-		vaultConfig.EnvMemoryRequest = resource.MustParse("64Mi")
-	}
-
-	if val, err := resource.ParseQuantity(viper.GetString("VAULT_ENV_CPU_LIMIT")); err == nil {
-		vaultConfig.EnvCPULimit = val
-	} else {
-		vaultConfig.EnvCPULimit = resource.MustParse("250m")
-	}
-
-	if val, err := resource.ParseQuantity(viper.GetString("VAULT_ENV_MEMORY_LIMIT")); err == nil {
-		vaultConfig.EnvMemoryLimit = val
-	} else {
-		vaultConfig.EnvMemoryLimit = resource.MustParse("64Mi")
-	}
+	vaultConfig.EnvCPURequest = resource.MustParse("50m")
+	vaultConfig.EnvMemoryRequest = resource.MustParse("64Mi")
+	vaultConfig.EnvCPULimit = resource.MustParse("250m")
+	vaultConfig.EnvMemoryLimit = resource.MustParse("64Mi")
 
 	if val, ok := annotations[common.MutateProbesAnnotation]; ok {
 		vaultConfig.MutateProbes, _ = strconv.ParseBool(val)
 	} else {
 		vaultConfig.MutateProbes = false
 	}
 
-	if val, ok := annotations[common.TransitBatchSizeAnnotation]; ok {
-		batchSize, _ := strconv.ParseInt(val, 10, 32)
-		vaultConfig.TransitBatchSize = int(batchSize)
-	} else {
-		vaultConfig.TransitBatchSize = viper.GetInt("transit_batch_size")
-	}
-
-	vaultConfig.Token = viper.GetString("vault_token")
-
 	return vaultConfig
 }
 
@@ -300,39 +178,21 @@ func getPullPolicy(pullPolicyStr string) corev1.PullPolicy {
 func SetConfigDefaults() {
 	viper.SetDefault("env_injector_image", "trublast/env-injector:v0.0.1")
 	viper.SetDefault("env_injector_pull_policy", string(corev1.PullIfNotPresent))
-	viper.SetDefault("addr", "https://stronghold.d8-stronghold:8200")
+	// viper.SetDefault("addr", "https://stronghold.d8-stronghold:8200")
 	viper.SetDefault("tls_skip_verify", "false")
-	viper.SetDefault("auth_path", "kubernetes_local")
+	// viper.SetDefault("auth_path", "kubernetes_local")
 	viper.SetDefault("auth_method", "jwt")
 	viper.SetDefault("role", "")
 	viper.SetDefault("tls_secret", "")
 	viper.SetDefault("client_timeout", "10s")
-	viper.SetDefault("psp_allow_privilege_escalation", "false")
-	viper.SetDefault("run_as_non_root", "false")
-	viper.SetDefault("run_as_user", "0")
-	viper.SetDefault("run_as_group", "0")
-	viper.SetDefault("readonly_root_fs", "true")
 	viper.SetDefault("ignore_missing_secrets", "false")
-	viper.SetDefault("vault_env_passthrough", "")
 	viper.SetDefault("tls_cert_file", "")
 	viper.SetDefault("tls_private_key_file", "")
 	viper.SetDefault("listen_address", ":8443")
 	viper.SetDefault("telemetry_listen_address", "")
-	viper.SetDefault("transit_key_id", "")
-	viper.SetDefault("transit_path", "")
-	viper.SetDefault("transit_batch_size", 25)
-	viper.SetDefault("default_image_pull_secret", "")
-	viper.SetDefault("default_image_pull_secret_service_account", "")
-	viper.SetDefault("default_image_pull_secret_namespace", "")
 	viper.SetDefault("registry_skip_verify", "false")
 	viper.SetDefault("enable_json_log", "false")
 	viper.SetDefault("log_level", "info")
-	viper.SetDefault("VAULT_ENV_CPU_REQUEST", "")
-	viper.SetDefault("VAULT_ENV_MEMORY_REQUEST", "")
-	viper.SetDefault("VAULT_ENV_CPU_LIMIT", "")
-	viper.SetDefault("VAULT_ENV_MEMORY_LIMIT", "")
-	viper.SetDefault("VAULT_ENV_LOG_SERVER", "")
-	viper.SetDefault("VAULT_NAMESPACE", "")
 
 	viper.AutomaticEnv()
 }
diff --git a/images/vault-secrets-webhook/pkg/webhook/injector.go b/images/vault-secrets-webhook/pkg/webhook/injector.go
@@ -67,7 +67,7 @@ func NewSecretInjector(config Config, client *vault.Client, renewer SecretRenewe
 	}
 }
 
-var inlineMutationRegex = regexp.MustCompile(`\${([>]{0,2}stronghold:.*?#*}?)}`)
+var inlineMutationRegex = regexp.MustCompile(`\${([>]{0,2}secret-store:.*?#*}?)}`)
 
 func (i *SecretInjector) FetchTransitSecrets(secrets []string) (map[string][]byte, error) {
 	if len(i.config.TransitKeyID) == 0 {
@@ -205,20 +205,20 @@ func (i *SecretInjector) InjectSecretsFromVault(references map[string]string, in
 		}
 
 		var update bool
-		if strings.HasPrefix(value, ">>stronghold:") {
+		if strings.HasPrefix(value, ">>secret-store:") {
 			value = strings.TrimPrefix(value, ">>")
 			update = true
 		} else {
 			update = false
 		}
 
-		if !strings.HasPrefix(value, "stronghold:") {
+		if !strings.HasPrefix(value, "secret-store:") {
 			inject(name, value)
 
 			continue
 		}
 
-		valuePath := strings.TrimPrefix(value, "stronghold:")
+		valuePath := strings.TrimPrefix(value, "secret-store:")
 
 		// handle special case for vault:login env value
 		// namely pass through the VAULT_TOKEN received from the Vault login procedure