Merge pull request #244 from syntasso/242/auth-for-promise-release

Feat: Accept authorization header for promise release URL fetch

Makefile

@@ -61,6 +61,7 @@ manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and Cust
 
 generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
 	$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..."
+	go generate ./...
 
 ##@ Environment
 

api/v1alpha1/interface.go

@@ -4,5 +4,5 @@ package v1alpha1
 //
 //go:generate go run github.com/maxbrunsfeld/counterfeiter/v6 . PromiseFetcher
 type PromiseFetcher interface {
-	FromURL(string) (*Promise, error)
+	FromURL(string, string) (*Promise, error)
 }

api/v1alpha1/promiserelease_types.go

@@ -17,7 +17,11 @@ limitations under the License.
 package v1alpha1
 
 import (
+	"context"
+
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
 const TypeHTTP = "http"
@@ -33,6 +37,10 @@ type SourceRef struct {
 	// +kubebuilder:validation:Enum:={http}
 	Type string `json:"type"`
 	URL  string `json:"url,omitempty"`
+	// Reference a secret with credentials to access the source.
+	// For more details on the secret format, see the documentation:
+	//   https://docs.kratix.io/main/reference/promises/releases#promise-release
+	SecretRef *corev1.SecretReference `json:"secretRef,omitempty"`
 }
 
 // PromiseReleaseStatus defines the observed state of PromiseRelease
@@ -68,3 +76,25 @@ type PromiseReleaseList struct {
 func init() {
 	SchemeBuilder.Register(&PromiseRelease{}, &PromiseReleaseList{})
 }
+
+func (pr *PromiseRelease) FetchSecretFromReference() (map[string][]byte, error) {
+	if pr.Spec.SourceRef.SecretRef == nil {
+		return nil, nil
+	}
+
+	fetchSecret := &corev1.Secret{}
+	ns := pr.Namespace
+	if pr.Spec.SourceRef.SecretRef.Namespace != "" {
+		ns = pr.Spec.SourceRef.SecretRef.Namespace
+	}
+	namespacedName := client.ObjectKey{
+		Namespace: ns,
+		Name:      pr.Spec.SourceRef.SecretRef.Name,
+	}
+
+	err := k8sClient.Get(context.TODO(), namespacedName, fetchSecret)
+	if err != nil {
+		return nil, err
+	}
+	return fetchSecret.Data, nil
+}

api/v1alpha1/promiserelease_webhook.go

@@ -21,6 +21,7 @@ import (
 
 	"k8s.io/apimachinery/pkg/runtime"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
@@ -36,7 +37,8 @@ var (
 	promisereleaselog = logf.Log.WithName("promiserelease-resource")
 )
 
-func (r *PromiseRelease) SetupWebhookWithManager(mgr ctrl.Manager, pf PromiseFetcher) error {
+func (r *PromiseRelease) SetupWebhookWithManager(mgr ctrl.Manager, c client.Client, pf PromiseFetcher) error {
+	k8sClient = c
 	promiseFetcher = pf
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(r).
@@ -52,7 +54,17 @@ func (r *PromiseRelease) ValidateCreate() (admission.Warnings, error) {
 		return nil, err
 	}
 
-	promise, err := promiseFetcher.FromURL(r.Spec.SourceRef.URL)
+	secretRefData, err := r.FetchSecretFromReference()
+	if err != nil {
+		return nil, fmt.Errorf("failed to fetch data from secretRef: %w", err)
+	}
+
+	authHeader, exists := secretRefData["authorizationHeader"]
+	if !exists {
+		authHeader = []byte("")
+	}
+
+	promise, err := promiseFetcher.FromURL(r.Spec.SourceRef.URL, string(authHeader))
 	if err != nil {
 		return nil, fmt.Errorf("failed to fetch promise: %w", err)
 	}

config/crd/bases/platform.kratix.io_promisereleases.yaml

@@ -52,6 +52,21 @@ spec:
                 default:
                   type: http
                 properties:
+                  secretRef:
+                    description: |-
+                      SecretReference represents a Secret Reference. It has enough information to retrieve secret
+                      in any namespace
+                    properties:
+                      name:
+                        description: name is unique within a namespace to reference
+                          a secret resource.
+                        type: string
+                      namespace:
+                        description: namespace defines the space within which the
+                          secret name must be unique.
+                        type: string
+                    type: object
+                    x-kubernetes-map-type: atomic
                   type:
                     enum:
                     - http

controllers/destination_controller.go

@@ -45,7 +45,7 @@ type DestinationReconciler struct {
 
 //+kubebuilder:rbac:groups=platform.kratix.io,resources=destinations,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=platform.kratix.io,resources=bucketstatestores;gitstatestores,verbs=get;list;watch
-//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch
+//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch // Also used by promiseRelease
 //+kubebuilder:rbac:groups=platform.kratix.io,resources=destinations/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=platform.kratix.io,resources=destinations/finalizers,verbs=update
 

controllers/promiserelease_controller.go

@@ -106,9 +106,19 @@ func (r *PromiseReleaseReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 
 	var promise *v1alpha1.Promise
 
+	secretRefData, err := promiseRelease.FetchSecretFromReference()
+	if err != nil {
+		return ctrl.Result{}, fmt.Errorf("failed to fetch data from secretRef: %w", err)
+	}
+
+	authHeader := ""
+	if secretRefData != nil {
+		authHeader = string(secretRefData["authorizationHeader"])
+	}
+
 	switch sourceRefType := promiseRelease.Spec.SourceRef.Type; sourceRefType {
 	case v1alpha1.TypeHTTP:
-		promise, err = r.PromiseFetcher.FromURL(promiseRelease.Spec.SourceRef.URL)
+		promise, err = r.PromiseFetcher.FromURL(promiseRelease.Spec.SourceRef.URL, authHeader)
 		if err != nil {
 			r.updateStatusAndConditions(opts, promiseRelease, statusErrorInstalling, "Failed to fetch Promise from URL", "FailedToFetchPromise")
 			return ctrl.Result{}, fmt.Errorf("failed to fetch promise from url: %w", err)

hack/kratix-promise-release-test-hoster-image/Dockerfile

@@ -1,4 +1,4 @@
-FROM --platform=${TARGETPLATFORM} golang:1.21 as builder
+FROM golang:1.21 AS builder
 ARG TARGETARCH
 ARG TARGETOS
 
@@ -12,7 +12,7 @@ RUN go mod download
 # Build work-creator binary
 RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} GO111MODULE=on go build -a main.go
 
-FROM --platform=${TARGETPLATFORM} alpine
+FROM alpine
 # Use rancher/kubectl to get ./kubeconfig
 WORKDIR /
 

hack/kratix-promise-release-test-hoster-image/build_and_push.sh

@@ -1,10 +1,9 @@
 #!/usr/bin/env sh
 
-export IMG="syntassodev/kratix-promise-release-test-hoster:v0.0.2"
+export IMG="syntassodev/kratix-promise-release-test-hoster:v0.0.3"
 
 if ! docker buildx ls | grep -q "kratix-image-builder"; then \
 	docker buildx create --name kratix-image-builder; \
 fi;
 
 docker buildx build --builder kratix-image-builder --push --platform linux/arm64,linux/amd64 -t ${IMG} .
-

hack/kratix-promise-release-test-hoster-image/deployment.yaml

@@ -17,14 +17,14 @@ spec:
         kratix-promise-release: pod
     spec:
       containers:
-      - image: syntassodev/kratix-promise-release-test-hoster:v0.0.2
-        name: test
-        resources: {}
-        env:
-        - name: PROMISE_ENCODED
-          value: "REPLACEME"
-        ports:
-        - containerPort: 8080
+        - image: syntassodev/kratix-promise-release-test-hoster:v0.0.3
+          name: test
+          resources: {}
+          env:
+            - name: PROMISE_ENCODED
+              value: "REPLACEME"
+          ports:
+            - containerPort: 8080
 ---
 apiVersion: v1
 kind: Service
@@ -33,9 +33,9 @@ metadata:
   namespace: kratix-platform-system
 spec:
   ports:
-  - port: 8080
-    protocol: TCP
-    targetPort: 8080
+    - port: 8080
+      protocol: TCP
+      targetPort: 8080
   selector:
     kratix-promise-release: pod
   sessionAffinity: None

hack/kratix-promise-release-test-hoster-image/main.go

@@ -5,16 +5,39 @@ import (
 	"log"
 	"os"
 
-	gohttp "net/http"
+	"net/http"
 
 	"encoding/base64"
 
 	"github.com/gorilla/mux"
 )
 
+func SecureHandler(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	name := vars["name"]
+	fmt.Println("fetching promise: " + name)
+
+	authHeader := r.Header.Get("Authorization")
+	fmt.Println("Checking Authorization header:" + authHeader)
+	if authHeader == "" {
+		http.Error(w, "Unauthorized", http.StatusUnauthorized)
+		return
+	}
+	if authHeader != "Bearer your-secret-token" {
+		http.Error(w, "Unauthorized", http.StatusUnauthorized)
+		return
+	}
+
+	promiseContent, err := base64.StdEncoding.DecodeString(os.Getenv(name))
+	if err != nil {
+		panic(err)
+	}
+	w.Write(promiseContent)
+}
+
 func main() {
 	router := mux.NewRouter()
-	router.HandleFunc("/promise/{name}", func(w gohttp.ResponseWriter, r *gohttp.Request) {
+	router.HandleFunc("/promise/{name}", func(w http.ResponseWriter, r *http.Request) {
 		vars := mux.Vars(r)
 		name := vars["name"]
 		fmt.Println("fetching promise: " + name)
@@ -24,13 +47,14 @@ func main() {
 		}
 		w.Write(promiseContent)
 	}).Methods("GET")
+	router.HandleFunc("/secure/promise/{name}", SecureHandler).Methods("GET")
 
-	srv := &gohttp.Server{
+	srv := &http.Server{
 		Addr:    ":8080",
 		Handler: router,
 	}
 
-	if err := srv.ListenAndServe(); err != nil && err != gohttp.ErrServerClosed {
+	if err := srv.ListenAndServe(); err != nil && err != http.ErrServerClosed {
 		log.Fatalf("listen: %s\n", err)
 	}
 }

lib/fetchers/url.go

@@ -3,6 +3,7 @@ package fetchers
 import (
 	"fmt"
 	"net/http"
+	"time"
 
 	"github.com/syntasso/kratix/api/v1alpha1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -13,8 +14,20 @@ import (
 type URLFetcher struct {
 }
 
-func (u *URLFetcher) FromURL(urlString string) (*v1alpha1.Promise, error) {
-	resp, err := http.Get(urlString)
+func (u *URLFetcher) FromURL(urlString, authHeader string) (*v1alpha1.Promise, error) {
+	req, err := http.NewRequest("GET", urlString, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	if authHeader != "" {
+		req.Header.Add("Authorization", authHeader)
+	}
+
+	client := &http.Client{
+		Timeout: time.Second * 10,
+	}
+	resp, err := client.Do(req)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get url: %w", err)
 	}