stakater · SheryarButt · Nov 25, 2024 · Sep 24, 2024 · Sep 26, 2024 · Sep 26, 2024
diff --git a/api/v1alpha1/endpointmonitor_types.go b/api/v1alpha1/endpointmonitor_types.go
@@ -163,6 +163,10 @@ type StatusCakeConfig struct {
 	// +optional
 	BasicAuthUser string `json:"basicAuthUser,omitempty"`
 
+	// Basic Auth Secret Name
+	// +optional
+	BasicAuthSecret string `json:"basicAuthSecret,omitempty"`
+
 	// Set Check Rate for the monitor
 	// +optional
 	CheckRate int `json:"checkRate,omitempty"`

diff --git a/charts/ingressmonitorcontroller/crds/endpointmonitor.stakater.com_endpointmonitors.yaml b/charts/ingressmonitorcontroller/crds/endpointmonitor.stakater.com_endpointmonitors.yaml
@@ -255,6 +255,9 @@ spec:
               statusCakeConfig:
                 description: Configuration for StatusCake Monitor Provider
                 properties:
+                  basicAuthSecret:
+                    description: Basic Auth Secret Name
+                    type: string
                   basicAuthUser:
                     description: Basic Auth User
                     type: string

diff --git a/config/crd/bases/endpointmonitor.stakater.com_endpointmonitors.yaml b/config/crd/bases/endpointmonitor.stakater.com_endpointmonitors.yaml
@@ -255,6 +255,9 @@ spec:
               statusCakeConfig:
                 description: Configuration for StatusCake Monitor Provider
                 properties:
+                  basicAuthSecret:
+                    description: Basic Auth Secret Name
+                    type: string
                   basicAuthUser:
                     description: Basic Auth User
                     type: string

diff --git a/docs/statuscake-configuration.md b/docs/statuscake-configuration.md
@@ -16,15 +16,16 @@ Currently additional Statuscake configurations can be added through these fields
 |:--------------------------------------------------------:|:------------------------------------------------:|
 | CheckRate               | Set Check Rate for the monitor (default: 300)    |
 | TestType                | Set Test type - HTTP, TCP, PING (default: HTTP)  |
-| Paused                   | Pause the service                                |
+| Paused                  | Pause the service                                |
 | PingURL                 | Webhook for alerts                               |
 | FollowRedirect          | Enable ingress redirects                         |
-| Port                     | TCP Port                                         |
+| Port                    | TCP Port                                         |
 | TriggerRate             | Minutes to wait before sending an alert          |
 | ContactGroup            | Contact Group to be alerted.                     |
 | TestTags                | Comma separated list of tags                     |
 | FindString              | String to look for within the response           |
-| BasicAuthUser          | Required for [basic-authenticationchecks](#basic-auth-checks)  |
+| BasicAuthUser           | Required for [basic-authenticationchecks](#basic-auth-checks)  |
+| BasicAuthSecret         | Allows for an alternate method of adding basic-auth to checks |
 | Regions                 | Regions to execute the check from                |
 
 
@@ -34,6 +35,10 @@ Statuscake supports checks completing basic auth requirements. In `EndpointMonit
 
 For example; setting the field like `basic-auth-user: 'my-service-username'` will set the username field to the value `my-service-username` and will retrieve the password via `os.Getenv('my-service-username')` and set this appropriately.
 
+In addition to the previous method, you can use the `basicAuthSecret` field to define a secret that should be read by the monitor which contains the basic-auth data. This secret should only contain the keys `username` and `password`. It expects the values for those keys to be strings. NOT base64 encoded strings. Furthermore, the secret must be present in the same namespace as the IngressMonitorController operator. This ensures that we can keep the permissions of the operator to be as small as possible.
+
+So for example, if you have a secret called `my-deployment-secret` it should contain the data `username: my-user` and `password: MyPassword1!` and you should set to `basicAuthSecret: my-deployment-secret`. This will ensure that the monitor can read the basic-auth data correctly.
+
 ## Example:
 
 ```yaml

diff --git a/examples/endpointMonitor/statuscake-config.yaml b/examples/endpointMonitor/statuscake-config.yaml
@@ -7,6 +7,7 @@ spec:
   statusCakeConfig:
     port: 123
     basicAuthUser: my-service-username
+    basicAuthSecret: my-basicauth-secret
     checkRate: 300
     realBrowser: true
     testTags: 'abc,def'

diff --git a/pkg/monitors/statuscake/statuscake-monitor.go b/pkg/monitors/statuscake/statuscake-monitor.go
@@ -17,7 +17,9 @@ import (
 	statuscake "github.com/StatusCakeDev/statuscake-go"
 	endpointmonitorv1alpha1 "github.com/stakater/IngressMonitorController/v2/api/v1alpha1"
 	"github.com/stakater/IngressMonitorController/v2/pkg/config"
+	"github.com/stakater/IngressMonitorController/v2/pkg/kube"
 	"github.com/stakater/IngressMonitorController/v2/pkg/models"
+	"github.com/stakater/IngressMonitorController/v2/pkg/secret"
 )
 
 var log = logf.Log.WithName("statuscake-monitor")
@@ -100,6 +102,24 @@ func buildUpsertForm(m models.Monitor, cgroup string) url.Values {
 		}
 	}
 
+	if providerConfig != nil && len(providerConfig.BasicAuthSecret) > 0 {
+		k8sClient, err := kube.GetClient()
+		if err != nil {
+			panic(err)
+		}
+
+		namespace := kube.GetCurrentKubernetesNamespace()
+		username, password, err := secret.ReadBasicAuthSecret(k8sClient.CoreV1().Secrets(namespace), providerConfig.BasicAuthSecret)
+
+		if err != nil {
+			log.Error(err, "Could not read the secret")
+		} else {
+			f.Add("basic_username", username)
+			f.Add("basic_password", password)
+			log.Info("Basic auth requirement detected. Setting username and password")
+		}
+	}
+
 	if providerConfig != nil && len(providerConfig.StatusCodes) > 0 {
 		f.Add("status_codes_csv", providerConfig.StatusCodes)
 

diff --git a/pkg/secret/secrets.go b/pkg/secret/secrets.go
@@ -5,7 +5,9 @@ import (
 	"fmt"
 
 	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
+	clientv1 "k8s.io/client-go/kubernetes/typed/core/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
@@ -23,3 +25,32 @@ func LoadSecretData(apiReader client.Reader, secretName, namespace, dataKey stri
 	}
 	return string(retStr), nil
 }
+
+func ReadBasicAuthSecret(apiReader clientv1.SecretInterface, secretName string) (string, string, error) {
+	secret, err := apiReader.Get(context.TODO(), secretName, metav1.GetOptions{})
+	username, password := "", ""
+	if err != nil {
+		return "", "", err
+	}
+
+	for key, value := range secret.Data {
+		switch key {
+		case "username":
+			username = string(value)
+		case "password":
+			password = string(value)
+		default:
+			return "", "", fmt.Errorf("secret %s contained unkown key %s", secretName, key)
+		}
+	}
+
+	if username == "" {
+		return "", "", fmt.Errorf("secret %s does not contain expected key '%s'", secretName, "username")
+	} else if password == "" {
+		return "", "", fmt.Errorf("secret %s does not contain expected key '%s'", secretName, "password")
+	} else if username == "" && password == "" {
+		return "", "", fmt.Errorf("secret %s does not contain expected keys '%s','%s'", secretName, "username", "password")
+	}
+
+	return username, password, err
+}