Read basic-auth data from secret (#1)

* WIP add config option * Update controller-gen version Fixes the broken v0.9 of controller-gen because it causes a segfault when running `make install` * Update formatting for base CRDS * Working read secret * Fixed read secret * Use new secret function not client function * Revert random formatting changes * More stupid formatting fixes * Final formatting fixes I don't like formatting :( * Small fixes and docs update * Update example * Update CRDs * Include explicit checking of keys * Annotations update #2
RosemanLabs · Oct 15, 2024 · 076e1ab · 076e1ab
1 parent 29669dd
commit 076e1ab
Show file tree

Hide file tree

Showing 8 changed files with 73 additions and 6 deletions.
diff --git a/Makefile b/Makefile
@@ -154,7 +154,7 @@ ENVTEST ?= $(LOCALBIN)/setup-envtest
 
 ## Tool Versions
 KUSTOMIZE_VERSION ?= v3.8.7
-CONTROLLER_TOOLS_VERSION ?= v0.9.0
+CONTROLLER_TOOLS_VERSION ?= v0.14.0
 
 KUSTOMIZE_INSTALL_SCRIPT ?= "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh"
 .PHONY: kustomize

diff --git a/api/v1alpha1/endpointmonitor_types.go b/api/v1alpha1/endpointmonitor_types.go
@@ -163,6 +163,10 @@ type StatusCakeConfig struct {
 	// +optional
 	BasicAuthUser string `json:"basicAuthUser,omitempty"`
 
+	// Basic Auth Secret Name
+	// +optional
+	BasicAuthSecret string `json:"basicAuthSecret,omitempty"`
+
 	// Set Check Rate for the monitor
 	// +optional
 	CheckRate int `json:"checkRate,omitempty"`

diff --git a/charts/ingressmonitorcontroller/crds/endpointmonitor.stakater.com_endpointmonitors.yaml b/charts/ingressmonitorcontroller/crds/endpointmonitor.stakater.com_endpointmonitors.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.9.0
+    controller-gen.kubebuilder.io/version: v0.14.0
   creationTimestamp: null
   name: endpointmonitors.endpointmonitor.stakater.com
 spec:
@@ -255,6 +255,9 @@ spec:
               statusCakeConfig:
                 description: Configuration for StatusCake Monitor Provider
                 properties:
+                  basicAuthSecret:
+                    description: Basic Auth Secret Name
+                    type: string
                   basicAuthUser:
                     description: Basic Auth User
                     type: string

diff --git a/config/crd/bases/endpointmonitor.stakater.com_endpointmonitors.yaml b/config/crd/bases/endpointmonitor.stakater.com_endpointmonitors.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.9.0
+    controller-gen.kubebuilder.io/version: v0.14.0
   creationTimestamp: null
   name: endpointmonitors.endpointmonitor.stakater.com
 spec:
@@ -255,6 +255,9 @@ spec:
               statusCakeConfig:
                 description: Configuration for StatusCake Monitor Provider
                 properties:
+                  basicAuthSecret:
+                    description: Basic Auth Secret Name
+                    type: string
                   basicAuthUser:
                     description: Basic Auth User
                     type: string

diff --git a/docs/statuscake-configuration.md b/docs/statuscake-configuration.md
@@ -16,15 +16,16 @@ Currently additional Statuscake configurations can be added through these fields
 |:--------------------------------------------------------:|:------------------------------------------------:|
 | CheckRate               | Set Check Rate for the monitor (default: 300)    |
 | TestType                | Set Test type - HTTP, TCP, PING (default: HTTP)  |
-| Paused                   | Pause the service                                |
+| Paused                  | Pause the service                                |
 | PingURL                 | Webhook for alerts                               |
 | FollowRedirect          | Enable ingress redirects                         |
-| Port                     | TCP Port                                         |
+| Port                    | TCP Port                                         |
 | TriggerRate             | Minutes to wait before sending an alert          |
 | ContactGroup            | Contact Group to be alerted.                     |
 | TestTags                | Comma separated list of tags                     |
 | FindString              | String to look for within the response           |
-| BasicAuthUser          | Required for [basic-authenticationchecks](#basic-auth-checks)  |
+| BasicAuthUser           | Required for [basic-authenticationchecks](#basic-auth-checks)  |
+| BasicAuthSecret         | Allows for an alternate method of adding basic-auth to checks |
 | Regions                 | Regions to execute the check from                |
 
 
@@ -34,6 +35,10 @@ Statuscake supports checks completing basic auth requirements. In `EndpointMonit
 
 For example; setting the field like `basic-auth-user: 'my-service-username'` will set the username field to the value `my-service-username` and will retrieve the password via `os.Getenv('my-service-username')` and set this appropriately.
 
+In addition to the previous method, you can use the `basicAuthSecret` field to define a secret that should be read by the monitor which contains the basic-auth data. This secret should only contain the keys `username` and `password`. It expects the values for those keys to be strings. NOT base64 encoded strings. Furthermore, the secret must be present in the same namespace as the IngressMonitorController operator. This ensures that we can keep the permissions of the operator to be as small as possible.
+
+So for example, if you have a secret called `my-deployment-secret` it should contain the data `username: my-user` and `password: MyPassword1!` and you should set to `basicAuthSecret: my-deployment-secret`. This will ensure that the monitor can read the basic-auth data correctly.
+
 ## Example:
 
 ```yaml

diff --git a/examples/endpointMonitor/statuscake-config.yaml b/examples/endpointMonitor/statuscake-config.yaml
@@ -7,6 +7,7 @@ spec:
   statusCakeConfig:
     port: 123
     basicAuthUser: my-service-username
+    basicAuthSecret: my-basicauth-secret
     checkRate: 300
     realBrowser: true
     testTags: 'abc,def'

diff --git a/pkg/monitors/statuscake/statuscake-monitor.go b/pkg/monitors/statuscake/statuscake-monitor.go
@@ -17,7 +17,9 @@ import (
 	statuscake "github.com/StatusCakeDev/statuscake-go"
 	endpointmonitorv1alpha1 "github.com/stakater/IngressMonitorController/v2/api/v1alpha1"
 	"github.com/stakater/IngressMonitorController/v2/pkg/config"
+	"github.com/stakater/IngressMonitorController/v2/pkg/kube"
 	"github.com/stakater/IngressMonitorController/v2/pkg/models"
+	"github.com/stakater/IngressMonitorController/v2/pkg/secret"
 )
 
 var log = logf.Log.WithName("statuscake-monitor")
@@ -100,6 +102,24 @@ func buildUpsertForm(m models.Monitor, cgroup string) url.Values {
 		}
 	}
 
+	if providerConfig != nil && len(providerConfig.BasicAuthSecret) > 0 {
+		k8sClient, err := kube.GetClient()
+		if err != nil {
+			panic(err)
+		}
+
+		namespace := kube.GetCurrentKubernetesNamespace()
+		username, password, err := secret.ReadBasicAuthSecret(k8sClient.CoreV1().Secrets(namespace), providerConfig.BasicAuthSecret)
+
+		if err != nil {
+			log.Error(err, "Could not read the secret")
+		} else {
+			f.Add("basic_username", username)
+			f.Add("basic_password", password)
+			log.Info("Basic auth requirement detected. Setting username and password")
+		}
+	}
+
 	if providerConfig != nil && len(providerConfig.StatusCodes) > 0 {
 		f.Add("status_codes_csv", providerConfig.StatusCodes)
 

diff --git a/pkg/secret/secrets.go b/pkg/secret/secrets.go
@@ -5,7 +5,9 @@ import (
 	"fmt"
 
 	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
+	clientv1 "k8s.io/client-go/kubernetes/typed/core/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
@@ -23,3 +25,32 @@ func LoadSecretData(apiReader client.Reader, secretName, namespace, dataKey stri
 	}
 	return string(retStr), nil
 }
+
+func ReadBasicAuthSecret(apiReader clientv1.SecretInterface, secretName string) (string, string, error) {
+	secret, err := apiReader.Get(context.TODO(), secretName, metav1.GetOptions{})
+	username, password := "", ""
+	if err != nil {
+		return "", "", err
+	}
+
+	for key, value := range secret.Data {
+		switch key {
+		case "username":
+			username = string(value)
+		case "password":
+			password = string(value)
+		default:
+			return "", "", fmt.Errorf("secret %s contained unkown key %s", secretName, key)
+		}
+	}
+
+	if username == "" {
+		return "", "", fmt.Errorf("secret %s does not contain expected key '%s'", secretName, "username")
+	} else if password == "" {
+		return "", "", fmt.Errorf("secret %s does not contain expected key '%s'", secretName, "password")
+	} else if username == "" && password == "" {
+		return "", "", fmt.Errorf("secret %s does not contain expected keys '%s','%s'", secretName, "username", "password")
+	}
+
+	return username, password, err
+}