refactor(provider): create dedicated credentials package and rework repository provider (#528)

* refactor(provider): create dedicated credentials package and rework repository provider

* test(credentials): cover most non transient paths

* fix(creds): ttl condition on updating credentials

* fix(creds): add some comments in credential store

* fix(credentials): make mock provider work

* feat(credentials): controllers use credentials store

* feat(webhook): webhook server use credentials store

* feat(manifests): remove secretName from tfrepo

* refactor(config): remove deprecated structs for credentials

* fix(lint): check err values

* fix(test): rework test NormalizeURL

* fix(lint): check err values

* feat(config): add config key for credentials TTL

* feat(repo-controller): update bundle with latest changes

* fix(credentials): add secret indexer on field type

* fix(providers): use the correct repo URL

---------

Co-authored-by: Alan <[email protected]>
Co-authored-by: Luca Corrieri <[email protected]>
Co-authored-by: Lucas Marques <[email protected]>

Author: 4 people

api/v1alpha1/terraformrepository_types.go

@@ -41,8 +41,7 @@ type TerraformRepositorySpec struct {
 	SyncWindows             []SyncWindow                  `json:"syncWindows,omitempty"`
 }
 type TerraformRepositoryRepository struct {
-	Url        string `json:"url,omitempty"`
-	SecretName string `json:"secretName,omitempty"`
+	Url string `json:"url,omitempty"`
 }
 
 // TerraformRepositoryStatus defines the observed state of TerraformRepository

cmd/controllers/start.go

@@ -28,11 +28,13 @@ func buildControllersStartCmd(app *burrito.App) *cobra.Command {
 	defaultWaitActionTimer, _ := time.ParseDuration("5s")
 	defaultFailureGracePeriod, _ := time.ParseDuration("15s")
 	defaultRepositorySyncTimer, _ := time.ParseDuration("5m")
+	defaultCredentialsTTL, _ := time.ParseDuration("2m")
 
 	cmd.Flags().StringSliceVar(&app.Config.Controller.Namespaces, "namespaces", []string{"burrito-system"}, "list of namespaces to watch")
 	cmd.Flags().StringArrayVar(&app.Config.Controller.Types, "types", []string{"layer", "run", "pullrequest"}, "list of controllers to start")
 	cmd.Flags().DurationVar(&app.Config.Controller.Timers.DriftDetection, "drift-detection-period", defaultDriftDetectionTimer, "period between two plans. Must end with s, m or h.")
 	cmd.Flags().DurationVar(&app.Config.Controller.Timers.RepositorySync, "repository-sync-period", defaultRepositorySyncTimer, "period between two repository sync. Must end with s, m or h.")
+	cmd.Flags().DurationVar(&app.Config.Controller.Timers.CredentialsTTL, "credentials-ttl", defaultCredentialsTTL, "default TTL for git providers credentials in controller's memory. Must end with s, m or h.")
 	cmd.Flags().DurationVar(&app.Config.Controller.Timers.OnError, "on-error-period", defaultOnErrorTimer, "period between two runners launch when an error occurred in the controllers. Must end with s, m or h.")
 	cmd.Flags().DurationVar(&app.Config.Controller.Timers.WaitAction, "wait-action-period", defaultWaitActionTimer, "period between two runners when a layer is locked. Must end with s, m or h.")
 	cmd.Flags().DurationVar(&app.Config.Controller.Timers.FailureGracePeriod, "failure-grace-period", defaultFailureGracePeriod, "initial time before retry, goes exponential function of number failure. Must end with s, m or h.")

internal/annotations/annotations.go

@@ -27,7 +27,8 @@ const (
 	ForceApply              string = "notifications.terraform.padok.cloud/force-apply"
 	AdditionnalTriggerPaths string = "config.terraform.padok.cloud/additionnal-trigger-paths"
 
-	SyncNow string = "api.terraform.padok.cloud/sync-now"
+	SyncNow        string = "api.terraform.padok.cloud/sync-now"
+	AllowedTenants string = "credentials.terraform.padok.cloud/allowed-tenants"
 )
 
 func ComputeKeyForSyncBranchNow(branch string) string {

internal/burrito/config/config.go

@@ -50,19 +50,6 @@ type AzureConfig struct {
 	Container      string `mapstructure:"container"`
 }
 
-type WebhookConfig struct {
-	Github WebhookGithubConfig `mapstructure:"github"`
-	Gitlab WebhookGitlabConfig `mapstructure:"gitlab"`
-}
-
-type WebhookGithubConfig struct {
-	Secret string `mapstructure:"secret"`
-}
-
-type WebhookGitlabConfig struct {
-	Secret string `mapstructure:"secret"`
-}
-
 type ControllerConfig struct {
 	MainNamespace           string                      `mapstructure:"mainNamespace"`
 	Namespaces              []string                    `mapstructure:"namespaces"`
@@ -74,25 +61,11 @@ type ControllerConfig struct {
 	MetricsBindAddress      string                      `mapstructure:"metricsBindAddress"`
 	HealthProbeBindAddress  string                      `mapstructure:"healthProbeBindAddress"`
 	KubernetesWebhookPort   int                         `mapstructure:"kubernetesWebhookPort"`
-	GithubConfig            GithubConfig                `mapstructure:"githubConfig"`
-	GitlabConfig            GitlabConfig                `mapstructure:"gitlabConfig"`
 	RunParallelism          int                         `mapstructure:"runParallelism"`
 	MaxConcurrentReconciles int                         `mapstructure:"maxConcurrentReconciles"`
 	MaxConcurrentRunnerPods int                         `mapstructure:"maxConcurrentRunnerPods"`
 }
 
-type GithubConfig struct {
-	AppId          int64  `mapstructure:"appId"`
-	InstallationId int64  `mapstructure:"installationId"`
-	PrivateKey     string `mapstructure:"privateKey"`
-	APIToken       string `mapstructure:"apiToken"`
-}
-
-type GitlabConfig struct {
-	APIToken string `mapstructure:"apiToken"`
-	URL      string `mapstructure:"url"`
-}
-
 type LeaderElectionConfig struct {
 	Enabled bool   `mapstructure:"enabled"`
 	ID      string `mapstructure:"id"`
@@ -104,30 +77,19 @@ type ControllerTimers struct {
 	WaitAction         time.Duration `mapstructure:"waitAction"`
 	FailureGracePeriod time.Duration `mapstructure:"failureGracePeriod"`
 	RepositorySync     time.Duration `mapstructure:"repositorySync"`
-}
-
-type RepositoryConfig struct {
-	SSHPrivateKey           string `mapstructure:"sshPrivateKey"`
-	Username                string `mapstructure:"username"`
-	Password                string `mapstructure:"password"`
-	GithubAppId             int64  `mapstructure:"githubAppId"`
-	GithubAppInstallationId int64  `mapstructure:"githubAppInstallationId"`
-	GithubAppPrivateKey     string `mapstructure:"githubAppPrivateKey"`
-	GithubToken             string `mapstructure:"githubToken"`
-	GitlabToken             string `mapstructure:"gitlabToken"`
+	CredentialsTTL     time.Duration `mapstructure:"credentialsTTL"`
 }
 
 type RunnerConfig struct {
-	Action                     string           `mapstructure:"action"`
-	Layer                      Layer            `mapstructure:"layer"`
-	Run                        string           `mapstructure:"run"`
-	Repository                 RepositoryConfig `mapstructure:"repository"`
-	SSHKnownHostsConfigMapName string           `mapstructure:"sshKnownHostsConfigMapName"`
-	Image                      ImageConfig      `mapstructure:"image"`
-	RunnerBinaryPath           string           `mapstructure:"runnerBinaryPath"`
-	RepositoryPath             string           `mapstructure:"repositoryPath"`
-	Args                       []string         `mapstructure:"args"`
-	Command                    []string         `mapstructure:"command"`
+	Action                     string      `mapstructure:"action"`
+	Layer                      Layer       `mapstructure:"layer"`
+	Run                        string      `mapstructure:"run"`
+	SSHKnownHostsConfigMapName string      `mapstructure:"sshKnownHostsConfigMapName"`
+	Image                      ImageConfig `mapstructure:"image"`
+	RunnerBinaryPath           string      `mapstructure:"runnerBinaryPath"`
+	RepositoryPath             string      `mapstructure:"repositoryPath"`
+	Args                       []string    `mapstructure:"args"`
+	Command                    []string    `mapstructure:"command"`
 }
 
 type ImageConfig struct {
@@ -148,8 +110,7 @@ type HermitcrabConfig struct {
 }
 
 type ServerConfig struct {
-	Addr    string        `mapstructure:"addr"`
-	Webhook WebhookConfig `mapstructure:"webhook"`
+	Addr string `mapstructure:"addr"`
 }
 
 func (c *Config) Load(flags *pflag.FlagSet) error {
@@ -241,6 +202,7 @@ func TestConfig() *Config {
 				FailureGracePeriod: 15 * time.Second,
 				OnError:            1 * time.Minute,
 				RepositorySync:     5 * time.Minute,
+				CredentialsTTL:     5 * time.Second,
 			},
 		},
 		Runner: RunnerConfig{

internal/burrito/config/config_test.go

@@ -50,11 +50,6 @@ func TestConfig_FromYamlFile(t *testing.T) {
 				Tag:        "test-tag",
 				PullPolicy: "Always",
 			},
-			Repository: config.RepositoryConfig{
-				SSHPrivateKey: "private-key",
-				Username:      "test",
-				Password:      "password",
-			},
 			SSHKnownHostsConfigMapName: "burrito-ssh-known-hosts",
 		},
 		Controller: config.ControllerConfig{
@@ -64,6 +59,7 @@ func TestConfig_FromYamlFile(t *testing.T) {
 				OnError:            1 * time.Minute,
 				WaitAction:         1 * time.Minute,
 				FailureGracePeriod: 15 * time.Second,
+				CredentialsTTL:     1 * time.Hour,
 			},
 			DefaultSyncWindows: []configv1alpha1.SyncWindow{
 				{
@@ -85,27 +81,9 @@ func TestConfig_FromYamlFile(t *testing.T) {
 			MetricsBindAddress:     ":8080",
 			HealthProbeBindAddress: ":8081",
 			KubernetesWebhookPort:  9443,
-			GithubConfig: config.GithubConfig{
-				AppId:          123456,
-				InstallationId: 12345678,
-				PrivateKey:     "private-key",
-				APIToken:       "github-token",
-			},
-			GitlabConfig: config.GitlabConfig{
-				APIToken: "gitlab-token",
-				URL:      "https://gitlab.example.com",
-			},
 		},
 		Server: config.ServerConfig{
 			Addr: ":9090",
-			Webhook: config.WebhookConfig{
-				Github: config.WebhookGithubConfig{
-					Secret: "github-secret",
-				},
-				Gitlab: config.WebhookGitlabConfig{
-					Secret: "gitlab-secret",
-				},
-			},
 		},
 	}
 
@@ -143,9 +121,6 @@ func TestConfig_EnvVarOverrides(t *testing.T) {
 	setEnvVar(t, "BURRITO_RUNNER_ACTION", "plan", &envVarList)
 	setEnvVar(t, "BURRITO_RUNNER_LAYER_NAME", "other-layer", &envVarList)
 	setEnvVar(t, "BURRITO_RUNNER_LAYER_NAMESPACE", "other-namespace", &envVarList)
-	setEnvVar(t, "BURRITO_RUNNER_REPOSITORY_USERNAME", "other-username", &envVarList)
-	setEnvVar(t, "BURRITO_RUNNER_REPOSITORY_PASSWORD", "other-password", &envVarList)
-	setEnvVar(t, "BURRITO_RUNNER_REPOSITORY_SSHPRIVATEKEY", "other-private-key", &envVarList)
 	setEnvVar(t, "BURRITO_RUNNER_IMAGE_REPOSITORY", "other-repository", &envVarList)
 	setEnvVar(t, "BURRITO_RUNNER_IMAGE_TAG", "other-tag", &envVarList)
 	setEnvVar(t, "BURRITO_RUNNER_IMAGE_PULLPOLICY", "Always", &envVarList)
@@ -156,20 +131,13 @@ func TestConfig_EnvVarOverrides(t *testing.T) {
 	setEnvVar(t, "BURRITO_CONTROLLER_TIMERS_ONERROR", "30s", &envVarList)
 	setEnvVar(t, "BURRITO_CONTROLLER_TIMERS_WAITACTION", "30s", &envVarList)
 	setEnvVar(t, "BURRITO_CONTROLLER_TIMERS_FAILUREGRACEPERIOD", "1m", &envVarList)
+	setEnvVar(t, "BURRITO_CONTROLLER_TIMERS_CREDENTIALSTTL", "2h", &envVarList)
 	setEnvVar(t, "BURRITO_CONTROLLER_MAXCONCURRENTRECONCILES", "3", &envVarList)
 	setEnvVar(t, "BURRITO_CONTROLLER_MAXCONCURRENTRUNNERPODS", "10", &envVarList)
 	setEnvVar(t, "BURRITO_CONTROLLER_TERRAFORMMAXRETRIES", "32", &envVarList)
 	setEnvVar(t, "BURRITO_CONTROLLER_LEADERELECTION_ID", "other-leader-id", &envVarList)
-	setEnvVar(t, "BURRITO_CONTROLLER_GITHUBCONFIG_APPID", "123456", &envVarList)
-	setEnvVar(t, "BURRITO_CONTROLLER_GITHUBCONFIG_INSTALLATIONID", "12345678", &envVarList)
-	setEnvVar(t, "BURRITO_CONTROLLER_GITHUBCONFIG_PRIVATEKEY", "private-key", &envVarList)
-	setEnvVar(t, "BURRITO_CONTROLLER_GITHUBCONFIG_APITOKEN", "pr-github-token", &envVarList)
-	setEnvVar(t, "BURRITO_CONTROLLER_GITLABCONFIG_APITOKEN", "mr-gitlab-token", &envVarList)
-	setEnvVar(t, "BURRITO_CONTROLLER_GITLABCONFIG_URL", "https://gitlab.com", &envVarList)
 	// Server
 	setEnvVar(t, "BURRITO_SERVER_ADDR", ":8090", &envVarList)
-	setEnvVar(t, "BURRITO_SERVER_WEBHOOK_GITHUB_SECRET", "other-github-secret", &envVarList)
-	setEnvVar(t, "BURRITO_SERVER_WEBHOOK_GITLAB_SECRET", "other-gitlab-secret", &envVarList)
 
 	// Create a test config instance
 	cfg := &config.Config{}
@@ -201,11 +169,6 @@ func TestConfig_EnvVarOverrides(t *testing.T) {
 				Tag:        "other-tag",
 				PullPolicy: "Always",
 			},
-			Repository: config.RepositoryConfig{
-				SSHPrivateKey: "other-private-key",
-				Username:      "other-username",
-				Password:      "other-password",
-			},
 			SSHKnownHostsConfigMapName: "burrito-ssh-known-hosts",
 		},
 		Controller: config.ControllerConfig{
@@ -215,6 +178,7 @@ func TestConfig_EnvVarOverrides(t *testing.T) {
 				OnError:            30 * time.Second,
 				WaitAction:         30 * time.Second,
 				FailureGracePeriod: 1 * time.Minute,
+				CredentialsTTL:     2 * time.Hour,
 			},
 			DefaultSyncWindows: []configv1alpha1.SyncWindow{
 				{
@@ -236,27 +200,9 @@ func TestConfig_EnvVarOverrides(t *testing.T) {
 			MetricsBindAddress:     ":8080",
 			HealthProbeBindAddress: ":8081",
 			KubernetesWebhookPort:  9443,
-			GithubConfig: config.GithubConfig{
-				AppId:          123456,
-				InstallationId: 12345678,
-				PrivateKey:     "private-key",
-				APIToken:       "pr-github-token",
-			},
-			GitlabConfig: config.GitlabConfig{
-				APIToken: "mr-gitlab-token",
-				URL:      "https://gitlab.com",
-			},
 		},
 		Server: config.ServerConfig{
 			Addr: ":8090",
-			Webhook: config.WebhookConfig{
-				Github: config.WebhookGithubConfig{
-					Secret: "other-github-secret",
-				},
-				Gitlab: config.WebhookGitlabConfig{
-					Secret: "other-gitlab-secret",
-				},
-			},
 		},
 	}
 

internal/burrito/config/testdata/test-config-1.yaml

@@ -7,10 +7,6 @@ runner:
     repository: test-repository
     tag: test-tag
     pullPolicy: Always
-  repository:
-    sshPrivateKey: "private-key"
-    username: "test"
-    password: "password"
   sshKnownHostsConfigMapName: burrito-ssh-known-hosts
 
 controller:
@@ -22,6 +18,7 @@ controller:
     onError: 1m
     waitAction: 1m
     failureGracePeriod: 15s
+    credentialsTTL: 1h
   defaultSyncWindows:
     - kind: "deny"
       schedule: "0 0 * * *"
@@ -38,19 +35,6 @@ controller:
   metricsBindAddress: ":8080"
   healthProbeBindAddress: ":8081"
   kubernetesWebhookPort: 9443
-  githubConfig:
-    appId: 123456
-    installationId: 12345678
-    privateKey: "private-key"
-    apiToken: "github-token"
-  gitlabConfig:
-    apiToken: "gitlab-token"
-    url: "https://gitlab.example.com"
 
 server:
   addr: ":9090"
-  webhook:
-    github:
-      secret: "github-secret"
-    gitlab:
-      secret: "gitlab-secret"

internal/controllers/manager.go

@@ -17,8 +17,10 @@ limitations under the License.
 package controllers
 
 import (
+	"context"
 	"os"
 
+	corev1 "k8s.io/api/core/v1"
 	logClient "k8s.io/client-go/kubernetes"
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 	"k8s.io/client-go/rest"
@@ -28,6 +30,7 @@ import (
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/cache"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
@@ -38,6 +41,7 @@ import (
 	"github.com/padok-team/burrito/internal/controllers/terraformrepository"
 	"github.com/padok-team/burrito/internal/controllers/terraformrun"
 	datastore "github.com/padok-team/burrito/internal/datastore/client"
+	"github.com/padok-team/burrito/internal/repository/credentials"
 	"github.com/sirupsen/logrus"
 	log "github.com/sirupsen/logrus"
 
@@ -99,6 +103,7 @@ func (c *Controllers) Exec() {
 		log.Fatalf("unable to start manager: %s", err)
 	}
 	datastoreClient := datastore.NewDefaultClient(c.config.Datastore)
+	credentialStore := credentials.NewCredentialStore(mgr.GetClient(), c.config.Controller.Timers.CredentialsTTL)
 	config, err := rest.InClusterConfig()
 	if err != nil {
 		panic(err.Error())
@@ -108,6 +113,14 @@ func (c *Controllers) Exec() {
 		panic(err.Error())
 	}
 
+	// Setup field indexer for Secret type (used for credentials)
+	if err := mgr.GetFieldIndexer().IndexField(context.Background(), &corev1.Secret{}, "type", func(rawObj client.Object) []string {
+		secret := rawObj.(*corev1.Secret)
+		return []string{string(secret.Type)}
+	}); err != nil {
+		panic(err.Error())
+	}
+
 	log.Infof("starting these controllers: %v", c.config.Controller.Types)
 
 	for _, ctrlType := range c.config.Controller.Types {
@@ -125,11 +138,12 @@ func (c *Controllers) Exec() {
 			log.Infof("layer controller started successfully")
 		case "repository":
 			if err = (&terraformrepository.Reconciler{
-				Client:    mgr.GetClient(),
-				Scheme:    mgr.GetScheme(),
-				Recorder:  mgr.GetEventRecorderFor("Burrito"),
-				Config:    c.config,
-				Datastore: datastoreClient,
+				Client:      mgr.GetClient(),
+				Scheme:      mgr.GetScheme(),
+				Recorder:    mgr.GetEventRecorderFor("Burrito"),
+				Config:      c.config,
+				Datastore:   datastoreClient,
+				Credentials: credentialStore,
 			}).SetupWithManager(mgr); err != nil {
 				log.Fatalf("unable to create repository controller: %s", err)
 			}
@@ -148,11 +162,12 @@ func (c *Controllers) Exec() {
 			log.Infof("run controller started successfully")
 		case "pullrequest":
 			if err = (&terraformpullrequest.Reconciler{
-				Client:    mgr.GetClient(),
-				Scheme:    mgr.GetScheme(),
-				Recorder:  mgr.GetEventRecorderFor("Burrito"),
-				Config:    c.config,
-				Datastore: datastoreClient,
+				Client:      mgr.GetClient(),
+				Scheme:      mgr.GetScheme(),
+				Recorder:    mgr.GetEventRecorderFor("Burrito"),
+				Config:      c.config,
+				Datastore:   datastoreClient,
+				Credentials: credentialStore,
 			}).SetupWithManager(mgr); err != nil {
 				log.Fatalf("unable to create pullrequest controller: %s", err)
 			}