corrected workload identity and added instance principal

oracle · May 28, 2024 · ece344f · ece344f
1 parent 2fd3825
commit ece344f
Show file tree

Hide file tree

Showing 9 changed files with 171 additions and 36 deletions.
diff --git a/.github/workflows/e2e-tests.yaml b/.github/workflows/e2e-tests.yaml
@@ -181,45 +181,48 @@ jobs:
           kubectl get daemonset --namespace oci-provider \
             --selector='app.kubernetes.io/name in (oci-secrets-store-csi-driver-provider, secrets-store-csi-driver)'
 
-      - name: update auth file with correct values
+      - name: user principal authentication - update auth file with correct values
         run: | 
           sed -e 's/region:.*/region: ${{ env.OCI_CLI_REGION }}/' \
           -e 's/tenancy:.*/tenancy: ${{ env.OCI_CLI_TENANCY }}/' \
           -e 's/user:.*/user: ${{ env.OCI_CLI_USER }}/' \
-          -e 's/fingerprint:.*/fingerprint: ${{ env.OCI_CLI_FINGERPRINT }}/' e2e/example/user-auth-config-example.yaml > e2e/example/user-auth-config-example.yaml.tmp
+          -e 's/fingerprint:.*/fingerprint: ${{ env.OCI_CLI_FINGERPRINT }}/' e2e/example/user-principal/user-auth-config-example.yaml > e2e/example/user-principal/user-auth-config-example.yaml.tmp
       
       # - name: print updated yaml file
       #   run: cat e2e/example/user-auth-config-example.yaml.tmp
+
+      - name: user principal authentication - create namespace
+        run: kubectl create namespace app-user
 
-      - name: delete secret if exists
+      - name: user principal authentication - delete secret if exists
         continue-on-error: true
-        run: kubectl delete secret oci-config
+        run: kubectl delete secret oci-config -n app-user
 
-      - name: create kubernetes secret for user auth config
+      - name: user principal authentication - create kubernetes secret for user auth config
         run: |
           kubectl create secret generic oci-config \
-          --from-file=config=e2e/example/user-auth-config-example.yaml.tmp \
-          --from-literal=private-key="${{ env.OCI_CLI_KEY_CONTENT }}"
+          --from-file=config=e2e/example/user-principal/user-auth-config-example.yaml.tmp \
+          --from-literal=private-key="${{ env.OCI_CLI_KEY_CONTENT }}" -n app-user
 
       - name: user principal authentication - update spc file with correct values
         run: | 
           sed -e 's/vaultId:.*/vaultId: ${{ env.OCI_VAULT_ID }}/' \
           -e 's/authType:.*/authType: user/' \
-          -e 's/- name:.*/- name: ${{ env.OCI_VAULT_SECRET_NAME }}/' e2e/example/secret-provider-class.yaml > e2e/example/secret-provider-class.yaml.tmp
+          -e 's/- name:.*/- name: ${{ env.OCI_VAULT_SECRET_NAME }}/' e2e/example/user-principal/secret-provider-class.yaml > e2e/example/user-principal/secret-provider-class.yaml.tmp
 
       - name: user principal authentication - update deployment file with secret name
         run: | 
           sed -e 's/testingSecretName:.*/testingSecretName: ${{ env.OCI_VAULT_SECRET_NAME }}/' \
-            e2e/example/app.deployment.yaml > e2e/example/app.deployment.yaml.tmp
+            e2e/example/user-principal/app.deployment.yaml > e2e/example/user-principal/app.deployment.yaml.tmp
 
       - name: user principal authentication - print updated yaml file
-        run: cat e2e/example/secret-provider-class.yaml.tmp
+        run: cat e2e/example/user-principal/secret-provider-class.yaml.tmp
 
       - name: user principal authentication - deploy spc
-        run: kubectl apply -f e2e/example/secret-provider-class.yaml.tmp 
+        run: kubectl apply -f e2e/example/user-principal/secret-provider-class.yaml.tmp -n app-user
 
       - name: user principal authentication - deploy workload
-        run: kubectl apply -f e2e/example/app.deployment.yaml.tmp
+        run: kubectl apply -f e2e/example/user-principal/app.deployment.yaml.tmp -n app-user
 
       - name: user principal authentication - Wait for pod to run
         id: wait-on-pod
@@ -228,14 +231,14 @@ jobs:
 
       - name: user principal authentication - Verify pods are running
         id: pod-names
-        run: kubectl get pods -l testingSecretName=${{ env.OCI_VAULT_SECRET_NAME }} -o='custom-columns=PodName:.metadata.name' --no-headers
+        run: kubectl get pods -l testingSecretName=${{ env.OCI_VAULT_SECRET_NAME }} -o='custom-columns=PodName:.metadata.name' --no-headers -n app-user
 
       - name: user principal authentication - capture pod name into env
-        run: echo "POD_NAME=`kubectl get pods -l testingSecretName=${{ env.OCI_VAULT_SECRET_NAME }} -o='custom-columns=PodName:.metadata.name' --no-headers`" >> $GITHUB_ENV
+        run: echo "POD_NAME=`kubectl get pods -l testingSecretName=${{ env.OCI_VAULT_SECRET_NAME }} -o='custom-columns=PodName:.metadata.name' --no-headers -n app-user`" >> $GITHUB_ENV
 
       - name: user principal authentication - print secret value
         id: print-secret-content
-        run: echo "SECRET_CONTENT=`kubectl exec -it ${{ env.POD_NAME }} -- cat /mnt/secrets-store/${{ env.OCI_VAULT_SECRET_NAME }} 2> /dev/null | base64`" >> $GITHUB_ENV
+        run: echo "SECRET_CONTENT=`kubectl exec -n app-user -it ${{ env.POD_NAME }} -- cat /mnt/secrets-store/${{ env.OCI_VAULT_SECRET_NAME }} 2> /dev/null | base64`" >> $GITHUB_ENV
 
       # - name: convert to base64
       #   id: convert-to-base64
@@ -247,6 +250,9 @@ jobs:
       - name: user principal authentication - verify value
         run: if [ "${{ env.SECRET_CONTENT }}" == "${{ env.OCI_VAULT_SECRET_VALUE}}" ]; then exit 0; else exit 1; fi
 
+      #
+      # End of user principal
+      #
       - name: workload identity principal authentication - update spc file with correct values
         run: | 
           sed -e 's/vaultId:.*/vaultId: ${{ env.OCI_VAULT_ID }}/' \
@@ -256,19 +262,22 @@ jobs:
       - name: workload identity principal authentication - update deployment file with secret name
         run: | 
           sed -e 's/testingSecretName:.*/testingSecretName: workload-${{ env.OCI_VAULT_SECRET_NAME }}/' \
-            e2e/example/app.deployment.yaml > e2e/example/workload-identity/app.deployment.yaml.tmp
+            e2e/example/workload-identity/app.deployment.yaml > e2e/example/workload-identity/app.deployment.yaml.tmp
 
       - name: workload identity principal authentication - print updated yaml file
         run: cat e2e/example/workload-identity/secret-provider-class.yaml.tmp
 
+      - name: workload identity principal authentication - create namespace
+        run: kubectl create namespace app-workload
+
       - name: workload identity principal authentication - deploy namespace and service account
-        run: kubectl apply -f e2e/example/workload-identity/service-account.yaml
+        run: kubectl apply -f e2e/example/workload-identity/service-account.yaml -n app-workload
 
       - name: workload identity principal authentication - deploy spc
-        run: kubectl apply -f e2e/example/workload-identity/secret-provider-class.yaml.tmp 
+        run: kubectl apply -f e2e/example/workload-identity/secret-provider-class.yaml.tmp  -n app-workload
 
       - name: workload identity principal authentication - deploy workload
-        run: kubectl apply -f e2e/example/workload-identity/app.deployment.yaml.tmp
+        run: kubectl apply -f e2e/example/workload-identity/app.deployment.yaml.tmp  -n app-workload
 
       - name: workload identity principal authentication - Wait for pod to run
         id: wait-on-pod
@@ -277,30 +286,88 @@ jobs:
 
       - name: workload identity principal authentication - Verify pods are running
         id: pod-names
-        run: kubectl get pods -l testingSecretName=workload-${{ env.OCI_VAULT_SECRET_NAME }} -o='custom-columns=PodName:.metadata.name' --no-headers
+        run: kubectl get pods -l testingSecretName=workload-${{ env.OCI_VAULT_SECRET_NAME }} -o='custom-columns=PodName:.metadata.name' --no-headers  -n app-workload
 
       - name: workload identity principal authentication - capture pod name into env
-        run: echo "POD_NAME=`kubectl get pods -l testingSecretName=workload-${{ env.OCI_VAULT_SECRET_NAME }} -o='custom-columns=PodName:.metadata.name' --no-headers`" >> $GITHUB_ENV
+        run: echo "POD_NAME=`kubectl get pods -l testingSecretName=workload-${{ env.OCI_VAULT_SECRET_NAME }} -o='custom-columns=PodName:.metadata.name' --no-headers  -n app-workload`" >> $GITHUB_ENV
 
       - name: workload identity principal authentication - print secret value
         id: print-secret-content
-        run: echo "SECRET_CONTENT=`kubectl exec -it ${{ env.POD_NAME }} -- cat /mnt/secrets-store/${{ env.OCI_VAULT_SECRET_NAME }} 2> /dev/null | base64`" >> $GITHUB_ENV
+        run: echo "SECRET_CONTENT=`kubectl exec -n app-workload -it ${{ env.POD_NAME }} -- cat /mnt/secrets-store/${{ env.OCI_VAULT_SECRET_NAME }} 2> /dev/null | base64`" >> $GITHUB_ENV
 
       - name: workload identity principal authentication - print values
         run: echo "${{ env.SECRET_CONTENT }} == ${{ env.OCI_VAULT_SECRET_VALUE}}"
 
       - name: workload identity principal authentication - verify value
         run: if [ "${{ env.SECRET_CONTENT }}" == "${{ env.OCI_VAULT_SECRET_VALUE}}" ]; then exit 0; else exit 1; fi  
 
+      #
+      # End of workload identity principal
+      #
+      - name: instance principal authentication - update spc file with correct values
+        run: | 
+          sed -e 's/vaultId:.*/vaultId: ${{ env.OCI_VAULT_ID }}/' \
+          -e 's/authType:.*/authType: instance/' \
+          -e 's/- name:.*/- name: ${{ env.OCI_VAULT_SECRET_NAME }}/' e2e/example/instance-principal/secret-provider-class.yaml > e2e/example/instance-principal/secret-provider-class.yaml.tmp
+
+      - name: instance principal authentication - update deployment file with secret name
+        run: | 
+          sed -e 's/testingSecretName:.*/testingSecretName: instance-${{ env.OCI_VAULT_SECRET_NAME }}/' \
+            e2e/example/instance-principal/app.deployment.yaml > e2e/example/instance-principal/app.deployment.yaml.tmp
+
+      - name: instance principal authentication - print updated yaml file
+        run: cat e2e/example/instance-principal/secret-provider-class.yaml.tmp
+
+      - name: instance principal authentication - create namespace
+        run: kubectl create namespace app-instance
+
+      - name: instance principal authentication - deploy spc
+        run: kubectl apply -f e2e/example/instance-principal/secret-provider-class.yaml.tmp -n app-instance
+
+      - name: instance principal authentication - deploy workload
+        run: kubectl apply -f e2e/example/instance-principal/app.deployment.yaml.tmp -n app-instance
+
+      - name: instance principal authentication - Wait for pod to run
+        id: wait-on-pod
+        # run: kubectl wait --for=jsonpath='{.status.phase}'=Running pods/${{ env.POD_NAME }} --timeout=90s
+        run: sleep 90
+
+      - name: instance principal authentication - Verify pods are running
+        id: pod-names
+        run: kubectl get pods -l testingSecretName=instance-${{ env.OCI_VAULT_SECRET_NAME }} -o='custom-columns=PodName:.metadata.name' --no-headers  -n app-instance
+
+      - name: instance principal authentication - capture pod name into env
+        run: echo "POD_NAME=`kubectl get pods -l testingSecretName=instance-${{ env.OCI_VAULT_SECRET_NAME }} -o='custom-columns=PodName:.metadata.name' --no-headers  -n app-instance`" >> $GITHUB_ENV
+
+      - name: instance principal authentication - print secret value
+        id: print-secret-content
+        run: echo "SECRET_CONTENT=`kubectl exec  -n app-instance -it ${{ env.POD_NAME }} -- cat /mnt/secrets-store/${{ env.OCI_VAULT_SECRET_NAME }} 2> /dev/null | base64`" >> $GITHUB_ENV
+
+      - name: instance principal authentication - print values
+        run: echo "${{ env.SECRET_CONTENT }} == ${{ env.OCI_VAULT_SECRET_VALUE}}"
+
+      - name: instance principal authentication - verify value
+        run: if [ "${{ env.SECRET_CONTENT }}" == "${{ env.OCI_VAULT_SECRET_VALUE}}" ]; then exit 0; else exit 1; fi    
+
       # cleanup
-      - name: remove deployment
+      - name: remove deployment - user principal authentication
+        if: ${{ always() }} 
+        run: |
+          kubectl delete -f e2e/example/user-principal/app.deployment.yaml.tmp \
+            -f e2e/example/user-principal/secret-provider-class.yaml.tmp -n app-user
+
+      - name: remove deployment - workload identity authentication
         if: ${{ always() }} 
         run: |
-          kubectl delete -f e2e/example/app.deployment.yaml.tmp \
-            -f e2e/example/secret-provider-class.yaml.tmp \
-            -f e2e/example/workload-identity/secret-provider-class.yaml.tmp \
+          kubectl delete -f e2e/example/workload-identity/secret-provider-class.yaml.tmp \
             -f e2e/example/workload-identity/app.deployment.yaml.tmp \
-            -f e2e/example/workload-identity/service-account.yaml
+            -f e2e/example/workload-identity/service-account.yaml -n app-workload
+
+      - name: remove deployment - instance principal authentication
+        if: ${{ always() }} 
+        run: |
+          kubectl delete -f e2e/example/instance-principal/secret-provider-class.yaml.tmp \
+            -f e2e/example/instance-principal/app.deployment.yaml.tmp -n app-instance         
 
       - name: delete secret
         if: ${{ always() }} 

diff --git a/e2e/example/app.deployment.yaml → ...le/instance-principal/app.deployment.yaml b/e2e/example/app.deployment.yaml → ...le/instance-principal/app.deployment.yaml
diff --git a/e2e/example/instance-principal/secret-provider-class.yaml b/e2e/example/instance-principal/secret-provider-class.yaml
@@ -0,0 +1,30 @@
+#
+# OCI Secrets Store CSI Driver Provider
+# 
+# Copyright (c) 2022 Oracle America, Inc. and its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
+#
+
+# SecretProviderClass is a custom resource to provide driver configurations and
+# provider-specific parameters to the CSI driver.
+#
+# On pod start and restart, the driver will communicate with the provider to retrieve the secret content
+# from the external Secrets Store you have specified in the SecretProviderClass resource.
+#
+# For more information check: https://secrets-store-csi-driver.sigs.k8s.io/getting-started/usage.html
+#
+# This SecretProviderClass is used as a reference example of how to configure the OCI Vault provider.
+# Each SecretProviderClass enumerates secrets to mount into the pod.
+# So, multiple SecretProviderClass resources could exist in a single Kubernetes cluster.
+
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: test-oci-provider-class  # SecretProviderClass name is referenced from pod definition
+spec:
+  parameters:
+    authType: instance
+    secrets: |
+      - name: test-secret-12813
+    vaultId: ocid1.vault.oc1..aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa  
+  provider: oci
diff --git a/e2e/example/user-principal/app.deployment.yaml b/e2e/example/user-principal/app.deployment.yaml
@@ -0,0 +1,46 @@
+#
+# OCI Secrets Store CSI Driver Provider
+# 
+# Copyright (c) 2022 Oracle America, Inc. and its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
+#
+
+# This Deployment is used as a reference example of how to mount secrets into the pod
+# via Secrets Store CSI Driver and OCI Vault Provider.
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx
+  labels:
+    app: nginx
+spec:
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+        testingSecretName: abc
+    spec:
+      containers:
+        - name: nginx
+          image: nginx:1.21.4-alpine
+          ports:
+            - containerPort: 80
+          resources:
+            limits:
+              memory: 128Mi
+              cpu: 200m
+          volumeMounts:
+            - name: 'some-creds'
+              mountPath: '/mnt/secrets-store'  # here are mounted secrets
+              readOnly: true
+      volumes:
+        - name: some-creds
+          csi:
+            driver: 'secrets-store.csi.k8s.io'
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: 'test-oci-provider-class'  # here we reference particular SecretProviderClass
diff --git a/e2e/example/secret-provider-class.yaml → ...user-principal/secret-provider-class.yaml b/e2e/example/secret-provider-class.yaml → ...user-principal/secret-provider-class.yaml
diff --git a/e2e/example/user-auth-config-example.yaml → ...r-principal/user-auth-config-example.yaml b/e2e/example/user-auth-config-example.yaml → ...r-principal/user-auth-config-example.yaml
diff --git a/e2e/example/workload-identity/app.deployment.yaml b/e2e/example/workload-identity/app.deployment.yaml
@@ -12,7 +12,6 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: nginx
-  namespace: app-workload
   labels:
     app: nginx
 spec:

diff --git a/e2e/example/workload-identity/secret-provider-class.yaml b/e2e/example/workload-identity/secret-provider-class.yaml
@@ -21,7 +21,6 @@ apiVersion: secrets-store.csi.x-k8s.io/v1
 kind: SecretProviderClass
 metadata:
   name: test-oci-provider-class  # SecretProviderClass name is referenced from pod definition
-  namespace: app-workload
 spec:
   provider: oci # `provider` value is used as the provider socket name, must be constant
   parameters:

diff --git a/e2e/example/workload-identity/service-account.yaml b/e2e/example/workload-identity/service-account.yaml
@@ -6,12 +6,6 @@
 #
 ---
 apiVersion: v1
-kind: Namespace
-metadata:
-  name: app-workload
----
-apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: workload-sa
-  namespace: app-workload
+  name: workload-sa