feat: Generic Webhook (#29)

* refactor: wip

Signed-off-by: Bence Csati <[email protected]>

* refactor

Signed-off-by: Bence Csati <[email protected]>

* refactor: genericize main functionality

Signed-off-by: Bence Csati <[email protected]>

* refactor: all mutate objects, only pod remains

Signed-off-by: Bence Csati <[email protected]>

* refactor: all mutate objects, only pod remains

Signed-off-by: Bence Csati <[email protected]>

* refactor

Signed-off-by: Bence Csati <[email protected]>

* refactor: last commit before refactoring pod.go

Signed-off-by: Bence Csati <[email protected]>

* refactor: finished

Signed-off-by: Bence Csati <[email protected]>

* refactor: finished

Signed-off-by: Bence Csati <[email protected]>

* fix: Minor fixes

Signed-off-by: Bence Csati <[email protected]>

* feat(bao_tests): Add bao unit tests

Signed-off-by: Bence Csati <[email protected]>

* refactor: Done

Signed-off-by: Bence Csati <[email protected]>

* refactor: Final

Signed-off-by: Bence Csati <[email protected]>

* refactor: finishing touches

Signed-off-by: Bence Csati <[email protected]>

* refactor: finishing touches

Signed-off-by: Bence Csati <[email protected]>

* refactor: done

Signed-off-by: Bence Csati <[email protected]>

* fix

Signed-off-by: Bence Csati <[email protected]>

* ci: trigger

Signed-off-by: Bence Csati <[email protected]>

* ci: trigger

Signed-off-by: Bence Csati <[email protected]>

* ci(e2e-test): use version matrix for operator

Signed-off-by: Bence Csati <[email protected]>

* refactor: Prepare backwards compatibility

Signed-off-by: Bence Csati <[email protected]>

* feat: preserve backwards compatibility

Signed-off-by: Bence Csati <[email protected]>

* refactor: finish up config

Signed-off-by: Bence Csati <[email protected]>

* refactor: factour out env-vars

Signed-off-by: Bence Csati <[email protected]>

* chore: go mod tidy

Signed-off-by: Bence Csati <[email protected]>

* refactor: make env-vars backwards compatible

Signed-off-by: Bence Csati <[email protected]>

* fix: CI errors

Signed-off-by: Bence Csati <[email protected]>

* fix: add startup probe checks

Signed-off-by: Bence Csati <[email protected]>

* feat: add all probes to mutate probes tests

Signed-off-by: Bence Csati <[email protected]>

* refactor: finished webhook refactoring

Signed-off-by: Bence Csati <[email protected]>

* fix: add logger to provider struct

Signed-off-by: Bence Csati <[email protected]>

* fix: only create client when not using vault-agent

Signed-off-by: Bence Csati <[email protected]>

* chore: update nix

Signed-off-by: Bence Csati <[email protected]>

* chore: remove obsolete docker-compose version

Signed-off-by: Bence Csati <[email protected]>

* chore: finishing touches

Signed-off-by: Bence Csati <[email protected]>

* chore: update dependencies

Signed-off-by: Bence Csati <[email protected]>

* fix: use original Bao image

Signed-off-by: Bence Csati <[email protected]>

* chore: export default timeout on e2e tests

Signed-off-by: Bence Csati <[email protected]>

* refactor: Use obj namespace instead of ar namespace, factor out secret Init config, introduce cleanup annotation

Signed-off-by: Bence Csati <[email protected]>

* fix: old annotations only checked, but not deleted

Signed-off-by: Bence Csati <[email protected]>

* feat: Add example fiels recently deleted from operator repo

Signed-off-by: Bence Csati <[email protected]>

* fix: linters

Signed-off-by: Bence Csati <[email protected]>

* chore: update dependencies

Signed-off-by: Bence Csati <[email protected]>

* chore: take out annotation prefix

Signed-off-by: Bence Csati <[email protected]>

* chore: move out params to structs, common for all providers

Signed-off-by: Bence Csati <[email protected]>

* chore: use secret-init env-vars from secret-init repo

Signed-off-by: Bence Csati <[email protected]>

* chore: add comment to agent configs

Signed-off-by: Bence Csati <[email protected]>

* fix

Signed-off-by: Bence Csati <[email protected]>

* fix: introduced error

Signed-off-by: Bence Csati <[email protected]>

---------

Signed-off-by: Bence Csati <[email protected]>

.github/workflows/ci.yaml

@@ -61,6 +61,15 @@ jobs:
           VAULT_DEV_ROOT_TOKEN_ID: 227e1cce-6bf7-30bb-2d2a-acc854318caf
         ports:
           - 8200:8200
+      bao:
+        image: quay.io/openbao/openbao@sha256:a015ae0adb1af5b45b33632e29879ff87063d0878e9359584a50b2706e500e9a # 2.0.0-alpha20240329
+        env:
+          SKIP_SETCAP: true
+          BAO_ADDR: http://127.0.0.1:8200
+          BAO_TOKEN: 227e1cce-6bf7-30bb-2d2a-acc854318caf
+          BAO_DEV_ROOT_TOKEN_ID: 227e1cce-6bf7-30bb-2d2a-acc854318caf
+        ports:
+          - 8300:8200
 
     steps:
       - name: Checkout repository
@@ -227,6 +236,7 @@ jobs:
     strategy:
       matrix:
         k8s_version: ["v1.24.15", "v1.25.11", "v1.26.6", "v1.27.3"]
+        operator_version: ["v1.22.1"] # First version that works with the generic webhook: v1.22.1
         # vault_version: ["1.11.12", "1.12.8", "1.13.4", "1.14.8"]
 
     steps:
@@ -262,7 +272,8 @@ jobs:
         env:
           KIND_K8S_VERSION: ${{ matrix.k8s_version }}
           LOAD_IMAGE_ARCHIVE: ${{ github.workspace }}/docker.tar
-          # VAULT_VERSION: ${{ matrix.vault_version }}
           WEBHOOK_VERSION: ${{ needs.artifacts.outputs.container-image-tag }}
+          OPERATOR_VERSION: ${{ matrix.operator_version }}
+          # VAULT_VERSION: ${{ matrix.vault_version }}
           HELM_CHART: "${{ github.workspace }}/${{ needs.artifacts.outputs.helm-chart-package }}"
           LOG_VERBOSE: "true"

Makefile

@@ -3,6 +3,7 @@
 export PATH := $(abspath bin/):${PATH}
 
 CONTAINER_IMAGE_REF = ghcr.io/bank-vaults/secrets-webhook:dev
+OPERATOR_VERSION ?= latest
 
 ##@ General
 
@@ -72,7 +73,7 @@ test-e2e: ## Run e2e tests
 
 .PHONY: test-e2e-local
 test-e2e-local: container-image ## Run e2e tests locally
-	LOAD_IMAGE=${CONTAINER_IMAGE_REF} WEBHOOK_VERSION=dev ${MAKE} test-e2e
+	LOAD_IMAGE=${CONTAINER_IMAGE_REF} WEBHOOK_VERSION=dev OPERATOR_VERSION=$(OPERATOR_VERSION) ${MAKE} test-e2e
 
 .PHONY: lint
 lint: lint-go lint-helm lint-docker lint-yaml

deploy/charts/secrets-webhook/README.md

@@ -12,15 +12,15 @@ It can also inject statically into ConfigMaps, Secrets, and CustomResources.
 You will need to add the following annotations to the resources that you wish to mutate:
 
 ```yaml
-vault.security.banzaicloud.io/vault-addr: https://[URL FOR VAULT]
-vault.security.banzaicloud.io/vault-path: [Auth path]
-vault.security.banzaicloud.io/vault-role: [Auth role]
-vault.security.banzaicloud.io/vault-skip-verify: "true" # Container is missing Trusted Mozilla roots too.
+secrets-webhook.security.bank-vaults.io/vault-addr: https://[URL FOR VAULT]
+secrets-webhook.security.bank-vaults.io/vault-path: [Auth path]
+secrets-webhook.security.bank-vaults.io/vault-role: [Auth role]
+secrets-webhook.security.bank-vaults.io/vault-skip-verify: "true" # Container is missing Trusted Mozilla roots too.
 ```
 
 Be mindful how you reference Vault secrets itself. For KV v2 secrets, you will need to add the `/data/` to the path of the secret.
 
-```
+```bash
 $ vault kv get kv/rax/test
 ====== Metadata ======
 Key              Value
@@ -39,7 +39,7 @@ MYSQL_ROOT_PASSWORD    s3cr3t
 
 The secret shown above is referenced like this:
 
-```
+```plaintext
 vault:[ENGINE]/data/[SECRET_NAME]#[KEY]
 vault:kv/rax/data/test#MYSQL_PASSWORD
 ```
@@ -71,15 +71,15 @@ kubectl label namespace "${WEBHOOK_NS}" name="${WEBHOOK_NS}"
 ### Install the chart
 
 ```bash
-$ helm install vswh --namespace vswh --wait oci://ghcr.io/bank-vaults/helm-charts/secrets-webhook --create-namespace
+helm install vswh --namespace vswh --wait oci://ghcr.io/bank-vaults/helm-charts/secrets-webhook --create-namespace
 ```
 
 ### Openshift 4.3
 
 For security reasons, the `runAsUser` must be in the range between 1000570000 and 1000579999. By setting the value of `securityContext.runAsUser` to `""`, OpenShift chooses a valid User.
 
 ```bash
-$ helm upgrade --namespace vswh --install vswh oci://ghcr.io/bank-vaults/helm-charts/secrets-webhook --set-string securityContext.runAsUser="" --create-namespace
+helm upgrade --namespace vswh --install vswh oci://ghcr.io/bank-vaults/helm-charts/secrets-webhook --set-string securityContext.runAsUser="" --create-namespace
 ```
 
 ### About GKE Private Clusters
@@ -192,7 +192,7 @@ The default option is to let helm generate the CA and TLS certificates on deploy
 
 This will renew the certificates on each deployment.
 
-```
+```yaml
 certificate:
     generate: true
 ```

deploy/charts/secrets-webhook/README.md.gotmpl

@@ -12,15 +12,15 @@ It can also inject statically into ConfigMaps, Secrets, and CustomResources.
 You will need to add the following annotations to the resources that you wish to mutate:
 
 ```yaml
-vault.security.banzaicloud.io/vault-addr: https://[URL FOR VAULT]
-vault.security.banzaicloud.io/vault-path: [Auth path]
-vault.security.banzaicloud.io/vault-role: [Auth role]
-vault.security.banzaicloud.io/vault-skip-verify: "true" # Container is missing Trusted Mozilla roots too.
+secrets-webhook.security.bank-vaults.io/vault-addr: https://[URL FOR VAULT]
+secrets-webhook.security.bank-vaults.io/vault-path: [Auth path]
+secrets-webhook.security.bank-vaults.io/vault-role: [Auth role]
+secrets-webhook.security.bank-vaults.io/vault-skip-verify: "true" # Container is missing Trusted Mozilla roots too.
 ```
 
 Be mindful how you reference Vault secrets itself. For KV v2 secrets, you will need to add the `/data/` to the path of the secret.
 
-```
+```bash
 $ vault kv get kv/rax/test
 ====== Metadata ======
 Key              Value
@@ -39,7 +39,7 @@ MYSQL_ROOT_PASSWORD    s3cr3t
 
 The secret shown above is referenced like this:
 
-```
+```plaintext
 vault:[ENGINE]/data/[SECRET_NAME]#[KEY]
 vault:kv/rax/data/test#MYSQL_PASSWORD
 ```
@@ -71,15 +71,15 @@ kubectl label namespace "${WEBHOOK_NS}" name="${WEBHOOK_NS}"
 ### Install the chart
 
 ```bash
-$ helm install vswh --namespace vswh --wait oci://ghcr.io/bank-vaults/helm-charts/secrets-webhook --create-namespace
+helm install vswh --namespace vswh --wait oci://ghcr.io/bank-vaults/helm-charts/secrets-webhook --create-namespace
 ```
 
 ### Openshift 4.3
 
 For security reasons, the `runAsUser` must be in the range between 1000570000 and 1000579999. By setting the value of `securityContext.runAsUser` to `""`, OpenShift chooses a valid User.
 
 ```bash
-$ helm upgrade --namespace vswh --install vswh oci://ghcr.io/bank-vaults/helm-charts/secrets-webhook --set-string securityContext.runAsUser="" --create-namespace
+helm upgrade --namespace vswh --install vswh oci://ghcr.io/bank-vaults/helm-charts/secrets-webhook --set-string securityContext.runAsUser="" --create-namespace
 ```
 
 ### About GKE Private Clusters
@@ -116,7 +116,7 @@ The default option is to let helm generate the CA and TLS certificates on deploy
 
 This will renew the certificates on each deployment.
 
-```
+```yaml
 certificate:
     generate: true
 ```

deploy/charts/secrets-webhook/templates/apiservice-webhook.yaml

@@ -107,7 +107,7 @@ metadata:
     cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ .Values.certificate.servingCertificate }}"
 {{- end }}
 webhooks:
-- name: pods.{{ template "secrets-webhook.name" . }}.admission.banzaicloud.com
+- name: pods.{{ template "secrets-webhook.name" . }}.admission.bank-vaults.com
   {{- if semverCompare ">=1.14-0" (include "secrets-webhook.capabilities.kubeVersion" .) }}
   {{- with .Values.reinvocationPolicy }}
   reinvocationPolicy: {{ . }}
@@ -162,7 +162,7 @@ webhooks:
     {{- if $podsObjectSelector.matchExpressions }}
 {{ toYaml $podsObjectSelector.matchExpressions | indent 4 }}
     {{- end }}
-    - key: security.banzaicloud.io/mutate
+    - key: security.bank-vaults.io/mutate
       operator: NotIn
       values:
       - skip
@@ -171,7 +171,7 @@ webhooks:
   sideEffects: {{ .Values.apiSideEffectValue }}
 {{- end }}
 {{- if .Values.secretsMutation }}
-- name: secrets.{{ template "secrets-webhook.name" . }}.admission.banzaicloud.com
+- name: secrets.{{ template "secrets-webhook.name" . }}.admission.bank-vaults.com
   {{- with .Values.reinvocationPolicy }}
   reinvocationPolicy: {{ . }}
   {{- end }}
@@ -231,7 +231,7 @@ webhooks:
       operator: NotIn
       values:
       - helm
-    - key: security.banzaicloud.io/mutate
+    - key: security.bank-vaults.io/mutate
       operator: NotIn
       values:
       - skip
@@ -241,7 +241,7 @@ webhooks:
 {{- end }}
 {{- end }}
 {{- if .Values.configMapMutation }}
-- name: configmaps.{{ template "secrets-webhook.name" . }}.admission.banzaicloud.com
+- name: configmaps.{{ template "secrets-webhook.name" . }}.admission.bank-vaults.com
   {{- if semverCompare ">=1.14-0" (include "secrets-webhook.capabilities.kubeVersion" .) }}
   admissionReviewVersions: ["v1beta1"]
   {{- with .Values.reinvocationPolicy }}
@@ -301,7 +301,7 @@ webhooks:
       operator: NotIn
       values:
       - helm
-    - key: security.banzaicloud.io/mutate
+    - key: security.bank-vaults.io/mutate
       operator: NotIn
       values:
       - skip
@@ -311,7 +311,7 @@ webhooks:
 {{- end }}
 {{- end }}
 {{- if .Values.customResourceMutations }}
-- name: objects.{{ template "secrets-webhook.name" . }}.admission.banzaicloud.com
+- name: objects.{{ template "secrets-webhook.name" . }}.admission.bank-vaults.com
   {{- if semverCompare ">=1.14-0" (include "secrets-webhook.capabilities.kubeVersion" .) }}
   admissionReviewVersions: ["v1beta1"]
   {{- if .Values.timeoutSeconds }}
@@ -364,7 +364,7 @@ webhooks:
     {{- if $crObjectSelector.matchExpressions }}
 {{ toYaml $crObjectSelector.matchExpressions | indent 4 }}
     {{- end }}
-    - key: security.banzaicloud.io/mutate
+    - key: security.bank-vaults.io/mutate
       operator: NotIn
       values:
       - skip

deploy/charts/secrets-webhook/templates/webhook-deployment.yaml

@@ -29,7 +29,7 @@ spec:
       labels:
         app.kubernetes.io/name: {{ template "secrets-webhook.name" . }}
         app.kubernetes.io/instance: {{ .Release.Name }}
-        security.banzaicloud.io/mutate: skip
+        security.bank-vaults.io/mutate: skip
         {{- if .Values.labels }}
 {{ toYaml .Values.labels | indent 8 }}
         {{- end }}

deploy/charts/secrets-webhook/values.yaml

@@ -248,7 +248,7 @@ namespaceSelector:
 # -- Object selector to use, will limit webhook scope (K8s version 1.15+)
 objectSelector: {}
   # matchExpressions:
-  # - key: security.banzaicloud.io/mutate
+  # - key: security.bank-vaults.io/mutate
   #   operator: NotIn
   #   values:
   #   - skip

docker-compose.yaml

@@ -1,10 +1,22 @@
-version: "3.9"
-
 services:
   vault:
+    container_name: secrets-webhook-vault
     image: hashicorp/vault:1.14.8
     ports:
       - 127.0.0.1:8200:8200
     environment:
-      SKIP_SETCAP: true
+      SKIP_SETCAP: "true"
+      VAULT_ADDR: http://127.0.0.1:8200
+      VAULT_TOKEN: 227e1cce-6bf7-30bb-2d2a-acc854318caf
       VAULT_DEV_ROOT_TOKEN_ID: 227e1cce-6bf7-30bb-2d2a-acc854318caf
+
+  bao:
+    container_name: secrets-webhook-bao
+    image: quay.io/openbao/openbao@sha256:a015ae0adb1af5b45b33632e29879ff87063d0878e9359584a50b2706e500e9a # 2.0.0-alpha20240329
+    ports:
+      - 127.0.0.1:8300:8200
+    environment:
+      SKIP_SETCAP: "true"
+      BAO_ADDR: http://127.0.0.1:8200
+      BAO_TOKEN: 227e1cce-6bf7-30bb-2d2a-acc854318caf
+      BAO_DEV_ROOT_TOKEN_ID: 227e1cce-6bf7-30bb-2d2a-acc854318caf