diff --git a/deploy/charts/vault-secrets-webhook/README.md b/deploy/charts/vault-secrets-webhook/README.md
index 80c3bff2..b3ed7105 100644
--- a/deploy/charts/vault-secrets-webhook/README.md
+++ b/deploy/charts/vault-secrets-webhook/README.md
@@ -143,6 +143,11 @@ The following table lists the configurable parameters of the Helm chart.
 | `affinity` | object | `{}` | Node affinity settings for the pods. Check: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ |
 | `topologySpreadConstraints` | object | `{}` | TopologySpreadConstraints to add for the pods. Check: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ |
 | `priorityClassName` | string | `""` | Assign a PriorityClassName to pods if set. Check: https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/ |
+| `livenessProbe` | object | `{"failureThreshold":3,"initialDelaySeconds":30,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":1}` | Liveness and readiness probes for the webhook container |
+| `readinessProbe.failureThreshold` | int | `3` | |
+| `readinessProbe.periodSeconds` | int | `10` | |
+| `readinessProbe.successThreshold` | int | `1` | |
+| `readinessProbe.timeoutSeconds` | int | `1` | |
 | `rbac.psp.enabled` | bool | `false` | Use pod security policy |
 | `rbac.authDelegatorRole.enabled` | bool | `false` | Bind `system:auth-delegator` ClusterRoleBinding to given `serviceAccount` |
 | `serviceAccount.create` | bool | `true` | Specifies whether a service account should be created |
diff --git a/pkg/webhook/common.go b/pkg/common/common.go
similarity index 68%
rename from pkg/webhook/common.go
rename to pkg/common/common.go
index 48636712..a428c6b3 100644
--- a/pkg/webhook/common.go
+++ b/pkg/common/common.go
@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package webhook
+package common
 
 import (
 	"strings"
@@ -21,34 +21,52 @@ import ( const ( // Webhook annotations // ref: https://bank-vaults.dev/docs/mutating-webhook/annotations/ - MutateAnnotation = "vault.security.banzaicloud.io/mutate" - MutateProbesAnnotation = "vault.security.banzaicloud.io/mutate-probes" + PSPAllowPrivilegeEscalationAnnotation = "vault.security.banzaicloud.io/psp-allow-privilege-escalation" + RunAsNonRootAnnotation = "vault.security.banzaicloud.io/run-as-non-root" + RunAsUserAnnotation = "vault.security.banzaicloud.io/run-as-user" + RunAsGroupAnnotation = "vault.security.banzaicloud.io/run-as-group" + ReadOnlyRootFsAnnotation = "vault.security.banzaicloud.io/readonly-root-fs" + RegistrySkipVerifyAnnotation = "vault.security.banzaicloud.io/registry-skip-verify" + MutateAnnotation = "vault.security.banzaicloud.io/mutate" + MutateProbesAnnotation = "vault.security.banzaicloud.io/mutate-probes" + + // Vault-env/Secret-init annotations + // NOTE: Change these once vault-env has been replaced with secret-init + VaultEnvDaemonAnnotation = "vault.security.banzaicloud.io/vault-env-daemon" + // SecretInitDaemonAnnotation = "vault.security.banzaicloud.io/secret-init-daemon" + VaultEnvDelayAnnotation = "vault.security.banzaicloud.io/vault-env-delay" + // SecretInitDelayAnnotation = "vault.security.banzaicloud.io/secret-init-delay" + EnableJSONLogAnnotation = "vault.security.banzaicloud.io/enable-json-log" + // SecretInitJSONLogAnnotation = "vault.security.banzaicloud.io/secret-init-json-log" + VaultEnvImageAnnotation = "vault.security.banzaicloud.io/vault-env-image" + // SecretInitImageAnnotation = "vault.security.banzaicloud.io/secret-init-image" + VaultEnvImagePullPolicyAnnotation = "vault.security.banzaicloud.io/vault-env-image-pull-policy" + // SecretInitImagePullPolicyAnnotation = "vault.security.banzaicloud.io/secret-init-image-pull-policy" + + // Vault annotations + VaultAddrAnnotation = "vault.security.banzaicloud.io/vault-addr" + VaultImageAnnotation = "vault.security.banzaicloud.io/vault-image" 
+ VaultImagePullPolicyAnnotation = "vault.security.banzaicloud.io/vault-image-pull-policy" + VaultRoleAnnotation = "vault.security.banzaicloud.io/vault-role" + VaultPathAnnotation = "vault.security.banzaicloud.io/vault-path" + VaultSkipVerifyAnnotation = "vault.security.banzaicloud.io/vault-skip-verify" + VaultTLSSecretAnnotation = "vault.security.banzaicloud.io/vault-tls-secret" + VaultIgnoreMissingSecretsAnnotation = "vault.security.banzaicloud.io/vault-ignore-missing-secrets" + VaultClientTimeoutAnnotation = "vault.security.banzaicloud.io/vault-client-timeout" + TransitKeyIDAnnotation = "vault.security.banzaicloud.io/transit-key-id" + TransitPathAnnotation = "vault.security.banzaicloud.io/transit-path" + VaultAuthMethodAnnotation = "vault.security.banzaicloud.io/vault-auth-method" + TransitBatchSizeAnnotation = "vault.security.banzaicloud.io/transit-batch-size" TokenAuthMountAnnotation = "vault.security.banzaicloud.io/token-auth-mount" VaultServiceaccountAnnotation = "vault.security.banzaicloud.io/vault-serviceaccount" VaultNamespaceAnnotation = "vault.security.banzaicloud.io/vault-namespace" - RunAsNonRootAnnotation = "vault.security.banzaicloud.io/run-as-non-root" - RunAsUserAnnotation = "vault.security.banzaicloud.io/run-as-user" - RunAsGroupAnnotation = "vault.security.banzaicloud.io/run-as-group" - ReadOnlyRootFsAnnotation = "vault.security.banzaicloud.io/readonly-root-fs" ServiceAccountTokenVolumeNameAnnotation = "vault.security.banzaicloud.io/service-account-token-volume-name" - PSPAllowPrivilegeEscalationAnnotation = "vault.security.banzaicloud.io/psp-allow-privilege-escalation" - RegistrySkipVerifyAnnotation = "vault.security.banzaicloud.io/registry-skip-verify" LogLevelAnnotation = "vault.security.banzaicloud.io/log-level" - - // Vault annotations - VaultAddrAnnotation = "vault.security.banzaicloud.io/vault-addr" - VaultImageAnnotation = "vault.security.banzaicloud.io/vault-image" - VaultImagePullPolicyAnnotation = 
"vault.security.banzaicloud.io/vault-image-pull-policy" - VaultRoleAnnotation = "vault.security.banzaicloud.io/vault-role" - VaultPathAnnotation = "vault.security.banzaicloud.io/vault-path" - VaultSkipVerifyAnnotation = "vault.security.banzaicloud.io/vault-skip-verify" - VaultTLSSecretAnnotation = "vault.security.banzaicloud.io/vault-tls-secret" - VaultIgnoreMissingSecretsAnnotation = "vault.security.banzaicloud.io/vault-ignore-missing-secrets" - VaultClientTimeoutAnnotation = "vault.security.banzaicloud.io/vault-client-timeout" - TransitKeyIDAnnotation = "vault.security.banzaicloud.io/transit-key-id" - TransitPathAnnotation = "vault.security.banzaicloud.io/transit-path" - VaultAuthMethodAnnotation = "vault.security.banzaicloud.io/vault-auth-method" - TransitBatchSizeAnnotation = "vault.security.banzaicloud.io/transit-batch-size" + // NOTE: Change these once vault-env has been replaced with secret-init + VaultEnvPassthroughAnnotation = "vault.security.banzaicloud.io/vault-env-passthrough" + // VaultPasstroughAnnotation = "vault.security.banzaicloud.io/vault-passthrough" + VaultEnvFromPathAnnotation = "vault.security.banzaicloud.io/vault-env-from-path" + // VaultFromPathAnnotation = "vault.security.banzaicloud.io/vault-from-path" // Vault agent annotations // ref: https://bank-vaults.dev/docs/mutating-webhook/vault-agent-templating/ 
@@ -76,24 +94,8 @@ const ( VaultConsulTemplateMemoryAnnotation = "vault.security.banzaicloud.io/vault-ct-memory" VaultConsuleTemplateSecretsMountPathAnnotation = "vault.security.banzaicloud.io/vault-ct-secrets-mount-path" VaultConsuleTemplateInjectInInitcontainersAnnotation = "vault.security.banzaicloud.io/vault-ct-inject-in-initcontainers" - - // Vault-env/Secret-init annotations - EnableJSONLogAnnotation = "vault.security.banzaicloud.io/enable-json-log" - // NOTE: Change these once vault-env has been replaced with secret-init - // SecretInitPasstroughAnnotation = "vault.security.banzaicloud.io/secret-init-passthrough" - VaultEnvPassthroughAnnotation = "vault.security.banzaicloud.io/vault-env-passthrough" - // SecretInitDaemonAnnotation = "vault.security.banzaicloud.io/secret-init-daemon" - VaultEnvDaemonAnnotation = "vault.security.banzaicloud.io/vault-env-daemon" - // SecretInitImageAnnotation = "vault.security.banzaicloud.io/secret-init-image" - VaultEnvImageAnnotation = "vault.security.banzaicloud.io/vault-env-image" - // SecretInitImagePullPolicyAnnotation = "vault.security.banzaicloud.io/secret-init-image-pull-policy" - VaultEnvImagePullPolicyAnnotation = "vault.security.banzaicloud.io/vault-env-image-pull-policy" - // VaultFromPathAnnotation = "vault.security.banzaicloud.io/vault-from-path" - VaultEnvFromPathAnnotation = "vault.security.banzaicloud.io/vault-env-from-path" - // SecretInitDelayAnnotation = "vault.security.banzaicloud.io/secret-init-delay" - VaultEnvDelayAnnotation = "vault.security.banzaicloud.io/vault-env-delay" ) -func hasVaultPrefix(value string) bool { +func HasVaultPrefix(value string) bool { return strings.HasPrefix(value, "vault:") || strings.HasPrefix(value, ">>vault:") } diff --git a/pkg/webhook/config.go b/pkg/webhook/config.go index 67252f3b..53003002 100644 --- a/pkg/webhook/config.go +++ b/pkg/webhook/config.go 
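Review bot: `HasVaultPrefix` becomes an exported, cross-package API here (renamed from `hasVaultPrefix`) but carries no doc comment, so callers in other packages get no statement of what a Vault reference looks like or what the `>>vault:` form denotes. Suggest `// HasVaultPrefix reports whether value is a Vault reference, i.e. it starts with "vault:" or ">>vault:".` above the func, plus a line on the `>>` variant if it has a distinct meaning, since every mutation decision in the webhook now routes through this one predicate.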
@@ -23,6 +23,8 @@ import ( corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/resource" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + + "github.com/bank-vaults/vault-secrets-webhook/pkg/common" ) // VaultConfig represents vault options @@ -96,19 +98,19 @@ func parseVaultConfig(obj metav1.Object, ar *model.AdmissionReview) VaultConfig annotations := obj.GetAnnotations() - if val := annotations[MutateAnnotation]; val == "skip" { + if val := annotations[common.MutateAnnotation]; val == "skip" { vaultConfig.Skip = true return vaultConfig } - if val, ok := annotations[VaultAddrAnnotation]; ok { + if val, ok := annotations[common.VaultAddrAnnotation]; ok { vaultConfig.Addr = val } else { vaultConfig.Addr = viper.GetString("vault_addr") } - if val, ok := annotations[VaultRoleAnnotation]; ok { + if val, ok := annotations[common.VaultRoleAnnotation]; ok { vaultConfig.Role = val } else { if val := viper.GetString("vault_role"); val != "" { 
@@ -123,68 +125,68 @@ func parseVaultConfig(obj metav1.Object, ar *model.AdmissionReview) VaultConfig } } - if val, ok := annotations[VaultAuthMethodAnnotation]; ok { + if val, ok := annotations[common.VaultAuthMethodAnnotation]; ok { vaultConfig.AuthMethod = val } else { vaultConfig.AuthMethod = viper.GetString("vault_auth_method") } - if val, ok := annotations[VaultPathAnnotation]; ok { + if val, ok := annotations[common.VaultPathAnnotation]; ok { vaultConfig.Path = val } else { vaultConfig.Path = viper.GetString("vault_path") } // TODO: Check for flag to verify we want to use namespace-local SAs instead of the vault webhook namespaces SA - if val, ok := annotations[VaultServiceaccountAnnotation]; ok { + if val, ok := annotations[common.VaultServiceaccountAnnotation]; ok { vaultConfig.VaultServiceAccount = val } else { vaultConfig.VaultServiceAccount = viper.GetString("vault_serviceaccount") } - if val, ok := annotations[VaultSkipVerifyAnnotation]; ok { + if val, ok := annotations[common.VaultSkipVerifyAnnotation]; ok { vaultConfig.SkipVerify, _ = strconv.ParseBool(val) } else { vaultConfig.SkipVerify = viper.GetBool("vault_skip_verify") } - if val, ok := annotations[VaultTLSSecretAnnotation]; ok { + if val, ok := annotations[common.VaultTLSSecretAnnotation]; ok { vaultConfig.TLSSecret = val } else { vaultConfig.TLSSecret = viper.GetString("vault_tls_secret") } - if val, ok := annotations[VaultClientTimeoutAnnotation]; ok { + if val, ok := annotations[common.VaultClientTimeoutAnnotation]; ok { vaultConfig.ClientTimeout, _ = time.ParseDuration(val) } else { vaultConfig.ClientTimeout, _ = time.ParseDuration(viper.GetString("vault_client_timeout")) } - if val, ok := annotations[VaultAgentAnnotation]; ok { + if val, ok := annotations[common.VaultAgentAnnotation]; ok { vaultConfig.UseAgent, _ = strconv.ParseBool(val) } else { vaultConfig.UseAgent, _ = strconv.ParseBool(viper.GetString("vault_agent")) } - if val, ok := annotations[VaultEnvDaemonAnnotation]; ok { + if 
val, ok := annotations[common.VaultEnvDaemonAnnotation]; ok { vaultConfig.VaultEnvDaemon, _ = strconv.ParseBool(val) } else { vaultConfig.VaultEnvDaemon, _ = strconv.ParseBool(viper.GetString("vault_env_daemon")) } - if val, ok := annotations[VaultEnvDelayAnnotation]; ok { + if val, ok := annotations[common.VaultEnvDelayAnnotation]; ok { vaultConfig.VaultEnvDelay, _ = time.ParseDuration(val) } else { vaultConfig.VaultEnvDelay, _ = time.ParseDuration(viper.GetString("vault_env_delay")) } - if val, ok := annotations[VaultConsulTemplateConfigmapAnnotation]; ok { + if val, ok := annotations[common.VaultConsulTemplateConfigmapAnnotation]; ok { vaultConfig.CtConfigMap = val } else { vaultConfig.CtConfigMap = "" } - if val, ok := annotations[ServiceAccountTokenVolumeNameAnnotation]; ok { + if val, ok := annotations[common.ServiceAccountTokenVolumeNameAnnotation]; ok { vaultConfig.ServiceAccountTokenVolumeName = val } else if viper.GetString("SERVICE_ACCOUNT_TOKEN_VOLUME_NAME") != "" { vaultConfig.ServiceAccountTokenVolumeName = viper.GetString("SERVICE_ACCOUNT_TOKEN_VOLUME_NAME") 
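Review bot: `vaultConfig.SkipVerify, _ = strconv.ParseBool(val)` discards the parse error, so an annotation value the parser rejects is silently read as false instead of being reported; the same `_ =` pattern applies to `UseAgent`, `VaultEnvDaemon` and `VaultEnvDelay` in this hunk and, in the hunk at `@@ -248`, to `psp-allow-privilege-escalation`, `run-as-non-root`, `run-as-user`, `run-as-group`, `readonly-root-fs` and `registry-skip-verify`, where a malformed `run-as-user` or `run-as-group` yields 0. The commit only re-qualifies the constant names, so this is pre-existing, but the fallback for the security-context annotations deserves at least a comment such as `// NOTE: parse errors are ignored; an unparseable annotation value falls back to the zero value (false, 0, zero duration)`, and ideally a log line or an admission error so that a typo in `run-as-non-root` is not mistaken for an explicit opt-out. Also note the annotation path parses with base 10 (`strconv.ParseInt(val, 10, 64)`) while the viper fallback uses base 0, so prefixed forms are accepted from config but not from annotations. The `resource.ParseQuantity` calls in the hunks at `@@ -192` and `@@ -248` fall back to the `100m`/`128Mi` defaults on a malformed value in the same silent way.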
@@ -192,55 +194,55 @@ func parseVaultConfig(obj metav1.Object, ar *model.AdmissionReview) VaultConfig vaultConfig.ServiceAccountTokenVolumeName = "/var/run/secrets/kubernetes.io/serviceaccount" } - if val, ok := annotations[VaultConsulTemplateImageAnnotation]; ok { + if val, ok := annotations[common.VaultConsulTemplateImageAnnotation]; ok { vaultConfig.CtImage = val } else { vaultConfig.CtImage = viper.GetString("vault_ct_image") } - if val, ok := annotations[VaultIgnoreMissingSecretsAnnotation]; ok { + if val, ok := annotations[common.VaultIgnoreMissingSecretsAnnotation]; ok { vaultConfig.IgnoreMissingSecrets = val } else { vaultConfig.IgnoreMissingSecrets = viper.GetString("vault_ignore_missing_secrets") } - if val, ok := annotations[VaultEnvPassthroughAnnotation]; ok { + if val, ok := annotations[common.VaultEnvPassthroughAnnotation]; ok { vaultConfig.VaultEnvPassThrough = val } else { vaultConfig.VaultEnvPassThrough = viper.GetString("vault_env_passthrough") } - if val, ok := annotations[VaultConfigfilePathAnnotation]; ok { + if val, ok := annotations[common.VaultConfigfilePathAnnotation]; ok { vaultConfig.ConfigfilePath = val - } else if val, ok := annotations[VaultConsuleTemplateSecretsMountPathAnnotation]; ok { + } else if val, ok := annotations[common.VaultConsuleTemplateSecretsMountPathAnnotation]; ok { vaultConfig.ConfigfilePath = val } else { vaultConfig.ConfigfilePath = "/vault/secrets" } - if val, ok := annotations[VaultConsulTemplatePullPolicyAnnotation]; ok { + if val, ok := annotations[common.VaultConsulTemplatePullPolicyAnnotation]; ok { vaultConfig.CtImagePullPolicy = getPullPolicy(val) } else { vaultConfig.CtImagePullPolicy = getPullPolicy(viper.GetString("vault_ct_pull_policy")) } - if val, ok := annotations[VaultConsulTemplateOnceAnnotation]; ok { + if val, ok := annotations[common.VaultConsulTemplateOnceAnnotation]; ok { vaultConfig.CtOnce, _ = strconv.ParseBool(val) } else { vaultConfig.CtOnce = false } - if val, err := 
resource.ParseQuantity(annotations[VaultConsulTemplateCPUAnnotation]); err == nil { + if val, err := resource.ParseQuantity(annotations[common.VaultConsulTemplateCPUAnnotation]); err == nil { vaultConfig.CtCPU = val } else { vaultConfig.CtCPU = resource.MustParse("100m") } - if val, err := resource.ParseQuantity(annotations[VaultConsulTemplateMemoryAnnotation]); err == nil { + if val, err := resource.ParseQuantity(annotations[common.VaultConsulTemplateMemoryAnnotation]); err == nil { vaultConfig.CtMemory = val } else { vaultConfig.CtMemory = resource.MustParse("128Mi") } - if val, ok := annotations[VaultConsulTemplateShareProcessNamespaceAnnotation]; ok { + if val, ok := annotations[common.VaultConsulTemplateShareProcessNamespaceAnnotation]; ok { vaultConfig.CtShareProcessDefault = "found" vaultConfig.CtShareProcess, _ = strconv.ParseBool(val) } else { 
@@ -248,109 +250,109 @@ func parseVaultConfig(obj metav1.Object, ar *model.AdmissionReview) VaultConfig vaultConfig.CtShareProcess = false } - if val, ok := annotations[PSPAllowPrivilegeEscalationAnnotation]; ok { + if val, ok := annotations[common.PSPAllowPrivilegeEscalationAnnotation]; ok { vaultConfig.PspAllowPrivilegeEscalation, _ = strconv.ParseBool(val) } else { vaultConfig.PspAllowPrivilegeEscalation, _ = strconv.ParseBool(viper.GetString("psp_allow_privilege_escalation")) } - if val, ok := annotations[RunAsNonRootAnnotation]; ok { + if val, ok := annotations[common.RunAsNonRootAnnotation]; ok { vaultConfig.RunAsNonRoot, _ = strconv.ParseBool(val) } else { vaultConfig.RunAsNonRoot, _ = strconv.ParseBool(viper.GetString("run_as_non_root")) } - if val, ok := annotations[RunAsUserAnnotation]; ok { + if val, ok := annotations[common.RunAsUserAnnotation]; ok { vaultConfig.RunAsUser, _ = strconv.ParseInt(val, 10, 64) } else { vaultConfig.RunAsUser, _ = strconv.ParseInt(viper.GetString("run_as_user"), 0, 64) } - if val, ok := annotations[RunAsGroupAnnotation]; ok { + if val, ok := annotations[common.RunAsGroupAnnotation]; ok { vaultConfig.RunAsGroup, _ = strconv.ParseInt(val, 10, 64) } else { vaultConfig.RunAsGroup, _ = strconv.ParseInt(viper.GetString("run_as_group"), 0, 64) } - if val, ok := annotations[ReadOnlyRootFsAnnotation]; ok { + if val, ok := annotations[common.ReadOnlyRootFsAnnotation]; ok { vaultConfig.ReadOnlyRootFilesystem, _ = strconv.ParseBool(val) } else { vaultConfig.ReadOnlyRootFilesystem, _ = strconv.ParseBool(viper.GetString("readonly_root_fs")) } - if val, ok := annotations[RegistrySkipVerifyAnnotation]; ok { + if val, ok := annotations[common.RegistrySkipVerifyAnnotation]; ok { vaultConfig.RegistrySkipVerify, _ = strconv.ParseBool(val) } else { vaultConfig.RegistrySkipVerify, _ = strconv.ParseBool(viper.GetString("registry_skip_verify")) } - if val, ok := annotations[LogLevelAnnotation]; ok { + if val, ok := 
annotations[common.LogLevelAnnotation]; ok { vaultConfig.LogLevel = val } else { vaultConfig.LogLevel = viper.GetString("log_level") } - if val, ok := annotations[EnableJSONLogAnnotation]; ok { + if val, ok := annotations[common.EnableJSONLogAnnotation]; ok { vaultConfig.EnableJSONLog = val } else { vaultConfig.EnableJSONLog = viper.GetString("enable_json_log") } - if val, ok := annotations[TransitKeyIDAnnotation]; ok { + if val, ok := annotations[common.TransitKeyIDAnnotation]; ok { vaultConfig.TransitKeyID = val } else { vaultConfig.TransitKeyID = viper.GetString("transit_key_id") } - if val, ok := annotations[TransitPathAnnotation]; ok { + if val, ok := annotations[common.TransitPathAnnotation]; ok { vaultConfig.TransitPath = val } else { vaultConfig.TransitPath = viper.GetString("transit_path") } - if val, ok := annotations[VaultAgentConfigmapAnnotation]; ok { + if val, ok := annotations[common.VaultAgentConfigmapAnnotation]; ok { vaultConfig.AgentConfigMap = val } else { vaultConfig.AgentConfigMap = "" } - if val, ok := annotations[VaultAgentOnceAnnotation]; ok { + if val, ok := annotations[common.VaultAgentOnceAnnotation]; ok { vaultConfig.AgentOnce, _ = strconv.ParseBool(val) } else { vaultConfig.AgentOnce = false } // This is done to preserve backwards compatibility with vault-agent-cpu - if val, err := resource.ParseQuantity(annotations[VaultAgentCPUAnnotation]); err == nil { + if val, err := resource.ParseQuantity(annotations[common.VaultAgentCPUAnnotation]); err == nil { vaultConfig.AgentCPULimit = val - } else if val, err := resource.ParseQuantity(annotations[VaultAgentCPULimitAnnotation]); err == nil { + } else if val, err := resource.ParseQuantity(annotations[common.VaultAgentCPULimitAnnotation]); err == nil { vaultConfig.AgentCPULimit = val } else { vaultConfig.AgentCPULimit = resource.MustParse("100m") } // This is done to preserve backwards compatibility with vault-agent-memory - if val, err := 
resource.ParseQuantity(annotations[VaultAgentMemoryAnnotation]); err == nil { + if val, err := resource.ParseQuantity(annotations[common.VaultAgentMemoryAnnotation]); err == nil { vaultConfig.AgentMemoryLimit = val - } else if val, err := resource.ParseQuantity(annotations[VaultAgentMemoryLimitAnnotation]); err == nil { + } else if val, err := resource.ParseQuantity(annotations[common.VaultAgentMemoryLimitAnnotation]); err == nil { vaultConfig.AgentMemoryLimit = val } else { vaultConfig.AgentMemoryLimit = resource.MustParse("128Mi") } - if val, err := resource.ParseQuantity(annotations[VaultAgentCPURequestAnnotation]); err == nil { + if val, err := resource.ParseQuantity(annotations[common.VaultAgentCPURequestAnnotation]); err == nil { vaultConfig.AgentCPURequest = val } else { vaultConfig.AgentCPURequest = resource.MustParse("100m") } - if val, err := resource.ParseQuantity(annotations[VaultAgentMemoryRequestAnnotation]); err == nil { + if val, err := resource.ParseQuantity(annotations[common.VaultAgentMemoryRequestAnnotation]); err == nil { vaultConfig.AgentMemoryRequest = val } else { vaultConfig.AgentMemoryRequest = resource.MustParse("128Mi") } - if val, ok := annotations[VaultAgentShareProcessNamespaceAnnotation]; ok { + if val, ok := annotations[common.VaultAgentShareProcessNamespaceAnnotation]; ok { vaultConfig.AgentShareProcessDefault = "found" vaultConfig.AgentShareProcess, _ = strconv.ParseBool(val) } else { 
@@ -358,15 +360,15 @@ func parseVaultConfig(obj metav1.Object, ar *model.AdmissionReview) VaultConfig vaultConfig.AgentShareProcess = false } - if val, ok := annotations[VaultEnvFromPathAnnotation]; ok { + if val, ok := annotations[common.VaultEnvFromPathAnnotation]; ok { vaultConfig.VaultEnvFromPath = val } - if val, ok := annotations[TokenAuthMountAnnotation]; ok { + if val, ok := annotations[common.TokenAuthMountAnnotation]; ok { vaultConfig.TokenAuthMount = val } - if val, ok := annotations[VaultEnvImageAnnotation]; ok { + if val, ok := annotations[common.VaultEnvImageAnnotation]; ok { vaultConfig.EnvImage = val } else { vaultConfig.EnvImage = viper.GetString("vault_env_image") 
@@ -374,34 +376,34 @@ func parseVaultConfig(obj metav1.Object, ar *model.AdmissionReview) VaultConfig vaultConfig.EnvLogServer = viper.GetString("VAULT_ENV_LOG_SERVER") - if val, ok := annotations[VaultEnvImagePullPolicyAnnotation]; ok { + if val, ok := annotations[common.VaultEnvImagePullPolicyAnnotation]; ok { vaultConfig.EnvImagePullPolicy = getPullPolicy(val) } else { vaultConfig.EnvImagePullPolicy = getPullPolicy(viper.GetString("vault_env_pull_policy")) } - if val, ok := annotations[VaultImageAnnotation]; ok { + if val, ok := annotations[common.VaultImageAnnotation]; ok { vaultConfig.AgentImage = val } else { vaultConfig.AgentImage = viper.GetString("vault_image") } - if val, ok := annotations[VaultImagePullPolicyAnnotation]; ok { + if val, ok := annotations[common.VaultImagePullPolicyAnnotation]; ok { vaultConfig.AgentImagePullPolicy = getPullPolicy(val) } else { vaultConfig.AgentImagePullPolicy = getPullPolicy(viper.GetString("vault_image_pull_policy")) } - if val, ok := annotations[VaultAgentEnvVariablesAnnotation]; ok { + if val, ok := annotations[common.VaultAgentEnvVariablesAnnotation]; ok { vaultConfig.AgentEnvVariables = val } - if val, ok := annotations[VaultNamespaceAnnotation]; ok { + if val, ok := annotations[common.VaultNamespaceAnnotation]; ok { vaultConfig.VaultNamespace = val } else { vaultConfig.VaultNamespace = viper.GetString("VAULT_NAMESPACE") } - if val, ok := annotations[VaultConsuleTemplateInjectInInitcontainersAnnotation]; ok { + if val, ok := annotations[common.VaultConsuleTemplateInjectInInitcontainersAnnotation]; ok { vaultConfig.CtInjectInInitcontainers, _ = strconv.ParseBool(val) } else { vaultConfig.CtInjectInInitcontainers = false 
@@ -431,13 +433,13 @@ func parseVaultConfig(obj metav1.Object, ar *model.AdmissionReview) VaultConfig vaultConfig.EnvMemoryLimit = resource.MustParse("64Mi") } - if val, ok := annotations[MutateProbesAnnotation]; ok { + if val, ok := annotations[common.MutateProbesAnnotation]; ok { vaultConfig.MutateProbes, _ = strconv.ParseBool(val) } else { vaultConfig.MutateProbes = false } - if val, ok := annotations[TransitBatchSizeAnnotation]; ok { + if val, ok := annotations[common.TransitBatchSizeAnnotation]; ok { batchSize, _ := strconv.ParseInt(val, 10, 32) vaultConfig.TransitBatchSize = int(batchSize) } else { diff --git a/pkg/webhook/configmap.go b/pkg/webhook/configmap.go index ba7b9477..1db57984 100644 --- a/pkg/webhook/configmap.go +++ b/pkg/webhook/configmap.go @@ -20,16 +20,18 @@ import ( "emperror.dev/errors" "github.com/bank-vaults/internal/injector" corev1 "k8s.io/api/core/v1" + + "github.com/bank-vaults/vault-secrets-webhook/pkg/common" ) func configMapNeedsMutation(configMap *corev1.ConfigMap) bool { for _, value := range configMap.Data { - if hasVaultPrefix(value) || injector.HasInlineVaultDelimiters(value) { + if common.HasVaultPrefix(value) || injector.HasInlineVaultDelimiters(value) { return true } } for _, value := range configMap.BinaryData { - if hasVaultPrefix(string(value)) { + if common.HasVaultPrefix(string(value)) { return true } } @@ -63,7 +65,7 @@ func (mw *MutatingWebhook) MutateConfigMap(configMap *corev1.ConfigMap, vaultCon } for key, value := range configMap.BinaryData { - if hasVaultPrefix(string(value)) { + if common.HasVaultPrefix(string(value)) { binaryData := map[string]string{ key: string(value), } diff --git a/pkg/webhook/object.go b/pkg/webhook/object.go index 8dcc851d..e4a83975 100644 --- a/pkg/webhook/object.go +++ b/pkg/webhook/object.go 
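Review bot: In `configMapNeedsMutation` the `BinaryData` loop tests only `common.HasVaultPrefix(string(value))`, while the `Data` loop directly above it also tests `injector.HasInlineVaultDelimiters(value)`; the same asymmetry recurs in `MutateConfigMap` in the hunk at `@@ -63`. If inline delimiters are intentionally unsupported for binary values, a comment on the loop would keep the next reader from "fixing" it, e.g. `// BinaryData is only mutated when the whole value is a vault: reference; inline delimiters are not expanded for binary values.`; if it is not intentional, a binary value holding an inline reference is currently passed through unmutated with no signal to the operator.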
@@ -21,6 +21,8 @@ import ( "emperror.dev/errors" "github.com/bank-vaults/internal/injector" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + + "github.com/bank-vaults/vault-secrets-webhook/pkg/common" ) type element interface { @@ -89,7 +91,7 @@ func traverseObject(o interface{}, secretInjector *injector.SecretInjector) erro for e := range iterator { switch s := e.Get().(type) { case string: - if hasVaultPrefix(s) { + if common.HasVaultPrefix(s) { dataFromVault, err := secretInjector.GetDataFromVault(map[string]string{"data": s}) if err != nil { return err diff --git a/pkg/webhook/pod.go b/pkg/webhook/pod.go index 1e83fc6e..64c0642e 100644 --- a/pkg/webhook/pod.go +++ b/pkg/webhook/pod.go @@ -28,6 +28,8 @@ import ( "k8s.io/apimachinery/pkg/api/resource" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" kubeVer "k8s.io/apimachinery/pkg/version" + + "github.com/bank-vaults/vault-secrets-webhook/pkg/common" ) const ( @@ -245,7 +247,7 @@ func (mw *MutatingWebhook) mutateContainers(ctx context.Context, containers []co } for _, env := range container.Env { - if hasVaultPrefix(env.Value) || injector.HasInlineVaultDelimiters(env.Value) { + if common.HasVaultPrefix(env.Value) || injector.HasInlineVaultDelimiters(env.Value) { envVars = append(envVars, env) } if env.ValueFrom != nil { diff --git a/pkg/webhook/secret.go b/pkg/webhook/secret.go index 4b662816..a819e878 100644 --- a/pkg/webhook/secret.go +++ b/pkg/webhook/secret.go @@ -23,6 +23,8 @@ import ( "emperror.dev/errors" "github.com/bank-vaults/internal/injector" corev1 "k8s.io/api/core/v1" + + "github.com/bank-vaults/vault-secrets-webhook/pkg/common" ) type dockerCredentials struct { 
@@ -66,11 +68,11 @@ func secretNeedsMutation(secret *corev1.Secret) (bool, error) { } auth := string(authBytes) - if hasVaultPrefix(auth) { + if common.HasVaultPrefix(auth) { return true, nil } } - } else if hasVaultPrefix(string(value)) { + } else if common.HasVaultPrefix(string(value)) { return true, nil } else if injector.HasInlineVaultDelimiters(string(value)) { return true, nil @@ -134,7 +136,7 @@ func (mw *MutatingWebhook) mutateDockerCreds(secret *corev1.Secret, dc *dockerCr } auth := string(authBytes) - if hasVaultPrefix(auth) { + if common.HasVaultPrefix(auth) { split := strings.Split(auth, ":") if len(split) != 4 { return errors.New("splitting auth credentials failed") diff --git a/pkg/webhook/webhook.go b/pkg/webhook/webhook.go index 54b7fa36..ea01b7d8 100644 --- a/pkg/webhook/webhook.go +++ b/pkg/webhook/webhook.go @@ -37,6 +37,8 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/client-go/kubernetes" + + "github.com/bank-vaults/vault-secrets-webhook/pkg/common" ) type MutatingWebhook struct { @@ -119,7 +121,7 @@ func (mw *MutatingWebhook) lookForEnvFrom(envFrom []corev1.EnvFromSource, ns str return envVars, err } for key, value := range data { - if hasVaultPrefix(value) || injector.HasInlineVaultDelimiters(value) { + if common.HasVaultPrefix(value) || injector.HasInlineVaultDelimiters(value) { envFromCM := corev1.EnvVar{ Name: key, Value: value, @@ -139,7 +141,7 @@ func (mw *MutatingWebhook) lookForEnvFrom(envFrom []corev1.EnvFromSource, ns str } for name, v := range data { value := string(v) - if hasVaultPrefix(value) || injector.HasInlineVaultDelimiters(value) { + if common.HasVaultPrefix(value) || injector.HasInlineVaultDelimiters(value) { envFromSec := corev1.EnvVar{ Name: name, Value: value, 
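Review bot: In `mutateDockerCreds` the `len(split) != 4` check returns `errors.New("splitting auth credentials failed")`, which tells the operator neither how many segments were found nor how many are expected, and because `auth` is a decoded credential it rightly must not be echoed either; `errors.Errorf("docker auth must have exactly 4 colon-separated segments, got %d", len(split))` keeps the value out of the message while making the failure diagnosable. The rest of `mutateDockerCreds` and the documented layout of those four segments lie outside this hunk, so the wording should be aligned with the annotation docs for the `vault:` auth form.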
@@ -162,7 +164,7 @@ func (mw *MutatingWebhook) lookForValueFrom(env corev1.EnvVar, ns string) (*core return nil, err } value := data[env.ValueFrom.ConfigMapKeyRef.Key] - if hasVaultPrefix(value) || injector.HasInlineVaultDelimiters(value) { + if common.HasVaultPrefix(value) || injector.HasInlineVaultDelimiters(value) { fromCM := corev1.EnvVar{ Name: env.Name, Value: value, @@ -179,7 +181,7 @@ func (mw *MutatingWebhook) lookForValueFrom(env corev1.EnvVar, ns string) (*core return nil, err } value := string(data[env.ValueFrom.SecretKeyRef.Key]) - if hasVaultPrefix(value) || injector.HasInlineVaultDelimiters(value) { + if common.HasVaultPrefix(value) || injector.HasInlineVaultDelimiters(value) { fromSecret := corev1.EnvVar{ Name: env.Name, Value: value,