weaveworks · mproffitt · Feb 19, 2024 · Feb 20, 2024
diff --git a/cmd/clusters-service/app/server.go b/cmd/clusters-service/app/server.go
@@ -45,7 +45,6 @@ import (
 	capiv1 "github.com/weaveworks/templates-controller/apis/capi/v1alpha2"
 	gapiv1 "github.com/weaveworks/templates-controller/apis/gitops/v1alpha2"
 	tfctrl "github.com/weaveworks/tf-controller/api/v1alpha1"
-	ent "github.com/weaveworks/weave-gitops-enterprise-credentials/pkg/entitlement"
 	csgit "github.com/weaveworks/weave-gitops-enterprise/cmd/clusters-service/pkg/git"
 	"github.com/weaveworks/weave-gitops-enterprise/cmd/clusters-service/pkg/mgmtfetcher"
 	capi_proto "github.com/weaveworks/weave-gitops-enterprise/cmd/clusters-service/pkg/protos"
@@ -121,8 +120,6 @@ func EnterprisePublicRoutes() []string {
 
 // Options contains all the options for the `ui run` command.
 type Params struct {
-	EntitlementSecretName             string                    `mapstructure:"entitlement-secret-name"`
-	EntitlementSecretNamespace        string                    `mapstructure:"entitlement-secret-namespace"`
 	HelmRepoNamespace                 string                    `mapstructure:"helm-repo-namespace"`
 	HelmRepoName                      string                    `mapstructure:"helm-repo-name"`
 	ProfileCacheLocation              string                    `mapstructure:"profile-cache-location"`
@@ -214,8 +211,6 @@ func NewAPIServerCommand() *cobra.Command {
 	// Have to declare a flag for viper to correctly read and then bind environment variables too
 	// FIXME: why? We don't actually use the flags in helm templates etc.
 	//
-	cmdFlags.String("entitlement-secret-name", ent.DefaultSecretName, "The name of the entitlement secret")
-	cmdFlags.String("entitlement-secret-namespace", "flux-system", "The namespace of the entitlement secret")
 	cmdFlags.String("helm-repo-namespace", os.Getenv("RUNTIME_NAMESPACE"), "the namespace of the Helm Repository resource to scan for profiles")
 	cmdFlags.String("helm-repo-name", "weaveworks-charts", "the name of the Helm Repository resource to scan for profiles")
 	cmdFlags.String("profile-cache-location", "/tmp/helm-cache", "the location where the cache Profile data lives")
@@ -556,10 +551,6 @@ func StartServer(ctx context.Context, p Params, logOptions flux_logger.Options)
 	return RunInProcessGateway(ctx, "0.0.0.0:8000",
 		WithLog(log),
 		WithProfileHelmRepository(types.NamespacedName{Name: p.HelmRepoName, Namespace: p.HelmRepoNamespace}),
-		WithEntitlementSecretKey(client.ObjectKey{
-			Name:      p.EntitlementSecretName,
-			Namespace: p.EntitlementSecretNamespace,
-		}),
 		WithKubernetesClient(kubeClient),
 		WithDiscoveryClient(discoveryClient),
 		WithGitProvider(csgit.NewGitProviderService(log)),

diff --git a/common/entitlement/entitlement.go b/common/entitlement/entitlement.go
@@ -6,17 +6,19 @@ import (
 	"encoding/json"
 	"net/http"
 	"net/url"
-	"strings"
 	"time"
 
 	"github.com/go-logr/logr"
-	"github.com/weaveworks/weave-gitops-enterprise-credentials/pkg/entitlement"
-	v1 "k8s.io/api/core/v1"
+
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
 type contextKey string
 
+type entitlement struct {
+	LicencedUntil time.Time `json:"licencedUntil"`
+}
+
 func (c contextKey) String() string {
 	return "entitlement context key " + string(c)
 }
@@ -28,8 +30,6 @@ const (
 )
 
 var (
-	//go:embed public.pem
-	public                string
 	contextKeyEntitlement = contextKey("entitlement")
 )
 
@@ -41,16 +41,8 @@ type response struct {
 // LoadEntitlementIntoContextHandler retrieves the entitlement from Kubernetes
 // and adds it to the request context.
 func EntitlementHandler(ctx context.Context, log logr.Logger, c client.Client, key client.ObjectKey, next http.Handler) http.Handler {
-	var sec v1.Secret
-	if err := c.Get(ctx, key, &sec); err != nil {
-		log.Error(err, "Entitlement cannot be retrieved")
-		return next
-	}
-
-	ent, err := entitlement.VerifyEntitlement(strings.NewReader(public), string(sec.Data["entitlement"]))
-	if err != nil {
-		log.Error(err, "Entitlement was not verified successfully")
-		return next
+	var ent *entitlement = &entitlement{
+		LicencedUntil: time.Now().AddDate(1, 0, 0),
 	}
 
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -68,7 +60,7 @@ func CheckEntitlementHandler(log logr.Logger, next http.Handler, publicRoutes []
 			return
 		}
 		ent, ok := entitlementFromContext(r.Context())
-		if ent == nil {
+		if !ok {
 			log.Info("Entitlement was not found.")
 			w.WriteHeader(http.StatusInternalServerError)
 			response, err := json.Marshal(
@@ -79,21 +71,22 @@ func CheckEntitlementHandler(log logr.Logger, next http.Handler, publicRoutes []
 			if err != nil {
 				log.Error(err, "unexpected error while handling entitlement not found response")
 			}
-			w.Write(response)
+			if _, err := w.Write(response); err != nil {
+				log.Error(err, "unexpected error while writing entitlement not found response")
+			}
 			return
 		}
-		if ok {
-			if time.Now().After(ent.LicencedUntil) {
-				log.Info("Entitlement expired.", "licencedUntil", ent.LicencedUntil.Format("Mon 02 January, 2006"))
-				w.Header().Add(entitlementExpiredMessageHeader, expiredMessage)
-			}
+
+		if time.Now().After(ent.LicencedUntil) {
+			log.Info("Entitlement expired.", "licencedUntil", ent.LicencedUntil.Format("Mon 02 January, 2006"))
+			w.Header().Add(entitlementExpiredMessageHeader, expiredMessage)
 		}
 		next.ServeHTTP(w, r)
 	})
 }
 
-func entitlementFromContext(ctx context.Context) (*entitlement.Entitlement, bool) {
-	ent, ok := ctx.Value(contextKeyEntitlement).(*entitlement.Entitlement)
+func entitlementFromContext(ctx context.Context) (*entitlement, bool) {
+	ent, ok := ctx.Value(contextKeyEntitlement).(*entitlement)
 	return ent, ok
 }
 

diff --git a/common/entitlement/entitlement_test.go b/common/entitlement/entitlement_test.go
@@ -2,7 +2,6 @@ package entitlement
 
 import (
 	"context"
-	"fmt"
 	"io"
 	"net/http"
 	"net/http/httptest"
@@ -11,7 +10,7 @@ import (
 
 	"github.com/go-logr/logr"
 	"github.com/golang-jwt/jwt/v4"
-	"github.com/weaveworks/weave-gitops-enterprise-credentials/pkg/entitlement"
+
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -23,10 +22,6 @@ var (
 	// This entitlement has been generated with the right private key for 1 day
 	validEntitlement = `eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9.eyJsaWNlbmNlZFVudGlsIjoxNjMxMzYxMjg2LCJpYXQiOjE2MzEyNzQ4ODYsImlzcyI6InNhbGVzQHdlYXZlLndvcmtzIiwibmJmIjoxNjMxMjc0ODg2LCJzdWIiOiJ0ZXN0QHdlYXZlLndvcmtzIn0.EKGp89DFcRKZ_kGmC8FuLVPB0wiab2KddkQKAmVNC9UH459v63tCP13eFybx9dAmMuaC77SA8rp7ukN1qZM7DA`
 	validTimestamp   = time.Unix(1631274886, 0)
-
-	// This entitlement has been generated with a different private key
-	invalidEntitlement = `eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9.eyJsaWNlbmNlZFVudGlsIjoxNjMxMzYxNDkwLCJpYXQiOjE2MzEyNzUwOTAsImlzcyI6InNhbGVzQHdlYXZlLndvcmtzIiwibmJmIjoxNjMxMjc1MDkwLCJzdWIiOiJ0ZXN0QHdlYXZlLndvcmtzIn0.E3Kfg4YzDOYJsTN9lD6B4uoW29tE0IB9X7lOpirSTwcZ7vVHk5PUXznYdiPIi9aSgLGAPIQL3YkAM4lyft3BDg`
-	invalidTimestamp   = time.Unix(1631275090, 0)
 )
 
 func TestEntitlementHandler(t *testing.T) {
@@ -36,23 +31,6 @@ func TestEntitlementHandler(t *testing.T) {
 		verified time.Time
 		exists   bool
 	}{
-		{
-			name:   "secret does not exist",
-			state:  []runtime.Object{},
-			exists: false,
-		},
-		{
-			name:     "invalid entitlement",
-			state:    []runtime.Object{createSecret(invalidEntitlement)},
-			verified: invalidTimestamp,
-			exists:   false,
-		},
-		{
-			name:     "expired entitlement",
-			state:    []runtime.Object{createSecret(validEntitlement)},
-			verified: validTimestamp.AddDate(0, 0, 2),
-			exists:   true,
-		},
 		{
 			name:     "valid entitlement",
 			state:    []runtime.Object{createSecret(validEntitlement)},
@@ -98,25 +76,10 @@ func TestCheckEntitlementHandler(t *testing.T) {
 		response    string
 		headerValue string
 	}{
-		{
-			name:     "no entitlement",
-			status:   http.StatusInternalServerError,
-			header:   false,
-			response: fmt.Sprintf(`{"message":"%s"}`, errorMessage),
-		},
-		{
-			name: "expired entitlement",
-			ctxValue: &entitlement.Entitlement{
-				LicencedUntil: time.Now().Add(-1 * time.Minute),
-			},
-			status:      http.StatusOK,
-			header:      true,
-			headerValue: expiredMessage,
-		},
 		{
 			name: "valid entitlement",
-			ctxValue: &entitlement.Entitlement{
-				LicencedUntil: time.Now().Add(time.Minute),
+			ctxValue: &entitlement{
+				LicencedUntil: time.Now().AddDate(1, 0, 0),
 			},
 			status: http.StatusOK,
 			header: false,
@@ -172,7 +135,7 @@ func createFakeClient(clusterState []runtime.Object) client.Client {
 	schemeBuilder := runtime.SchemeBuilder{
 		corev1.AddToScheme,
 	}
-	schemeBuilder.AddToScheme(scheme)
+	_ = schemeBuilder.AddToScheme(scheme)
 
 	c := fake.NewClientBuilder().
 		WithScheme(scheme).

diff --git a/common/entitlement/public.pem b/common/entitlement/public.pem
diff --git a/common/go.mod b/common/go.mod
@@ -5,7 +5,6 @@ go 1.20
 require (
 	github.com/go-logr/logr v1.2.3
 	github.com/golang-jwt/jwt/v4 v4.0.0
-	github.com/weaveworks/weave-gitops-enterprise-credentials v0.0.2
 	k8s.io/api v0.26.2
 	k8s.io/apimachinery v0.26.2
 	sigs.k8s.io/controller-runtime v0.14.5

diff --git a/common/go.sum b/common/go.sum
@@ -186,8 +186,6 @@ github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81P
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
-github.com/weaveworks/weave-gitops-enterprise-credentials v0.0.2 h1:7jeiQehqmI4ds6YIq8TW1Vqhlb6V7G2BVRJ8VM3r99I=
-github.com/weaveworks/weave-gitops-enterprise-credentials v0.0.2/go.mod h1:6PMYg+VtSNePnP7EXyNG+/hNRNZ3r0mQtolIZU4s/J0=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=

diff --git a/go.mod b/go.mod
@@ -16,7 +16,6 @@ require (
 	github.com/spf13/cobra v1.7.0
 	github.com/stretchr/testify v1.8.4
 	github.com/weaveworks/weave-gitops v0.38.1-0.20231228113211-a38fbeca6a75
-	github.com/weaveworks/weave-gitops-enterprise-credentials v0.0.2
 	github.com/weaveworks/weave-gitops-enterprise/common v0.0.0
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/api v0.27.7

diff --git a/go.sum b/go.sum
@@ -1228,8 +1228,6 @@ github.com/weaveworks/tf-controller/api v0.0.0-20231101110059-994a65055198 h1:lx
 github.com/weaveworks/tf-controller/api v0.0.0-20231101110059-994a65055198/go.mod h1:201u5xXY+YI7+ggWljE0VvqMxa+zP1Y1lyRXc1RlXBc=
 github.com/weaveworks/weave-gitops v0.38.1-0.20231228113211-a38fbeca6a75 h1:+udUl2vbhDBaRUhnpJd+hukDUv+iDCkBrk7hFWJwhpw=
 github.com/weaveworks/weave-gitops v0.38.1-0.20231228113211-a38fbeca6a75/go.mod h1:rJL3PRaPIaWY4Nduss4Ws6H2zTNWw15sd1z8OSCqYBs=
-github.com/weaveworks/weave-gitops-enterprise-credentials v0.0.2 h1:7jeiQehqmI4ds6YIq8TW1Vqhlb6V7G2BVRJ8VM3r99I=
-github.com/weaveworks/weave-gitops-enterprise-credentials v0.0.2/go.mod h1:6PMYg+VtSNePnP7EXyNG+/hNRNZ3r0mQtolIZU4s/J0=
 github.com/xanzy/go-gitlab v0.90.0 h1:j8ZUHfLfXdnC+B8njeNaW/kM44c1zw8fiuNj7D+qQN8=
 github.com/xanzy/go-gitlab v0.90.0/go.mod h1:5ryv+MnpZStBH8I/77HuQBsMbBGANtVpLWC15qOjWAw=
 github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=

diff --git a/pkg/bootstrap/bootstrap.go b/pkg/bootstrap/bootstrap.go
@@ -33,7 +33,6 @@ func Bootstrap(config steps.Config) error {
 		steps.NewAskBootstrapFluxStep(config),
 		repositoryConfig,
 		steps.NewBootstrapFlux(config),
-		steps.CheckEntitlementSecret,
 		adminCredentials,
 		installWge,
 		steps.NewInstallOIDCStep(config),

diff --git a/pkg/bootstrap/bootstrap_auth.go b/pkg/bootstrap/bootstrap_auth.go
@@ -26,7 +26,6 @@ func bootstrapOIDC(config steps.Config) error {
 	var steps = []steps.BootstrapStep{
 		// FIXE: remove this steps after checking for WGE as it is our only dependency
 		steps.VerifyFluxInstallation,
-		steps.CheckEntitlementSecret,
 		steps.NewBootstrapFlux(config),
 
 		steps.NewInstallOIDCStep(config),

diff --git a/pkg/bootstrap/steps/entitlement.go b/pkg/bootstrap/steps/entitlement.go
@@ -2,77 +2,9 @@ package steps
 
 import (
 	_ "embed"
-	"errors"
-	"fmt"
-	"strings"
-	"time"
-
-	"github.com/weaveworks/weave-gitops-enterprise-credentials/pkg/entitlement"
-	"github.com/weaveworks/weave-gitops-enterprise/pkg/bootstrap/utils"
-	k8s_client "sigs.k8s.io/controller-runtime/pkg/client"
-)
-
-// user messages
-const (
-	entitlementCheckConfirmMsg      = "entitlement file exists and is valid"
-	nonExistingEntitlementSecretMsg = "entitlement file is not found, To get Weave GitOps Entitelment secret, please contact *sales@weave.works* and add it to your cluster"
-	invalidEntitlementSecretMsg     = "entitlement file is invalid, please verify the secret content. If you still facing issues, please contact *sales@weave.works*"
-	expiredEntitlementSecretMsg     = "entitlement file is expired at: %s, please contact *sales@weave.works*"
-	entitlementCheckMsg             = "verifying Weave GitOps Entitlement File"
 )
 
 // wge consts
 const (
 	entitlementSecretName = "weave-gitops-enterprise-credentials"
 )
-
-var (
-	//go:embed public.pem
-	publicKey string
-)
-
-var CheckEntitlementSecret = BootstrapStep{
-	Name: "checking entitlement",
-	Step: checkEntitlementSecret,
-}
-
-func checkEntitlementSecret(input []StepInput, c *Config) ([]StepOutput, error) {
-	c.Logger.Actionf(entitlementCheckMsg)
-	err := verifyEntitlementSecret(c.KubernetesClient)
-	if err != nil {
-		return []StepOutput{}, err
-	}
-	c.Logger.Successf(entitlementCheckConfirmMsg)
-
-	return []StepOutput{}, nil
-}
-
-// verifyEntitlementSecret ensures the entitlement is valid and not expired also verifying username & password
-// verifing entitlement by the public key (private key is used for encrypting and public is for verification)
-// and making sure it's not expired
-// verifying username and password by making http request for downloading charts and ensuring it's authenticated
-func verifyEntitlementSecret(client k8s_client.Client) error {
-	secret, err := utils.GetSecret(client, entitlementSecretName, WGEDefaultNamespace)
-	if err != nil {
-		return fmt.Errorf("%s: %v", nonExistingEntitlementSecretMsg, err)
-	}
-
-	if secret.Data["entitlement"] == nil || secret.Data["username"] == nil || secret.Data["password"] == nil {
-		return errors.New(invalidEntitlementSecretMsg)
-	}
-
-	ent, err := entitlement.VerifyEntitlement(strings.NewReader(string(publicKey)), string(secret.Data["entitlement"]))
-	if err != nil {
-		return fmt.Errorf("%s: %v", invalidEntitlementSecretMsg, err)
-	}
-	if time.Now().Compare(ent.LicencedUntil) >= 0 {
-		return fmt.Errorf(expiredEntitlementSecretMsg, ent.LicencedUntil)
-	}
-
-	body, err := doBasicAuthGetRequest(wgeChartUrl, string(secret.Data["username"]), string(secret.Data["password"]))
-	if err != nil || body == nil {
-		return fmt.Errorf("%s: %v", invalidEntitlementSecretMsg, err)
-	}
-
-	return nil
-}