Undo revert "Revert secret cred changes (#311)" (#312)

This reverts commit a4ea06c.
kanisterio · Sep 21, 2019 · 0f8fa1a · 0f8fa1a
1 parent d98c912
commit 0f8fa1a
Show file tree

Hide file tree

Showing 12 changed files with 442 additions and 71 deletions.
diff --git a/pkg/function/backup_data.go b/pkg/function/backup_data.go
@@ -146,7 +146,10 @@ func backupData(ctx context.Context, cli kubernetes.Interface, namespace, pod, c
 
 	// Create backup and dump it on the object store
 	backupTag := rand.String(10)
-	cmd := restic.BackupCommandByTag(tp.Profile, backupArtifactPrefix, backupTag, includePath, encryptionKey)
+	cmd, err := restic.BackupCommandByTag(tp.Profile, backupArtifactPrefix, backupTag, includePath, encryptionKey)
+	if err != nil {
+		return "", "", err
+	}
 	stdout, stderr, err := kube.Exec(cli, namespace, pod, container, cmd, nil)
 	format.Log(pod, container, stdout)
 	format.Log(pod, container, stderr)

diff --git a/pkg/function/copy_volume_data.go b/pkg/function/copy_volume_data.go
@@ -19,7 +19,7 @@ import (
 	"fmt"
 
 	"github.com/pkg/errors"
-	"k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/rand"
 	"k8s.io/client-go/kubernetes"
@@ -93,7 +93,10 @@ func copyVolumeDataPodFunc(cli kubernetes.Interface, tp param.TemplateParams, na
 		}
 		// Copy data to object store
 		backupTag := rand.String(10)
-		cmd := restic.BackupCommandByTag(tp.Profile, targetPath, backupTag, mountPoint, encryptionKey)
+		cmd, err := restic.BackupCommandByTag(tp.Profile, targetPath, backupTag, mountPoint, encryptionKey)
+		if err != nil {
+			return nil, err
+		}
 		stdout, stderr, err := kube.Exec(cli, namespace, pod.Name, pod.Spec.Containers[0].Name, cmd, nil)
 		format.Log(pod.Name, pod.Spec.Containers[0].Name, stdout)
 		format.Log(pod.Name, pod.Spec.Containers[0].Name, stderr)

diff --git a/pkg/function/delete_data.go b/pkg/function/delete_data.go
@@ -19,10 +19,10 @@ import (
 	"strings"
 
 	"github.com/pkg/errors"
-	"k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	"k8s.io/client-go/kubernetes"
 
-	"github.com/kanisterio/kanister/pkg"
+	kanister "github.com/kanisterio/kanister/pkg"
 	"github.com/kanisterio/kanister/pkg/format"
 	"github.com/kanisterio/kanister/pkg/kube"
 	"github.com/kanisterio/kanister/pkg/param"
@@ -84,7 +84,10 @@ func deleteDataPodFunc(cli kubernetes.Interface, tp param.TemplateParams, reclai
 		}
 		defer cleanUpCredsFile(ctx, pw, pod.Namespace, pod.Name, pod.Spec.Containers[0].Name)
 		for i, deleteTag := range deleteTags {
-			cmd := restic.SnapshotsCommandByTag(tp.Profile, targetPaths[i], deleteTag, encryptionKey)
+			cmd, err := restic.SnapshotsCommandByTag(tp.Profile, targetPaths[i], deleteTag, encryptionKey)
+			if err != nil {
+				return nil, err
+			}
 			stdout, stderr, err := kube.Exec(cli, namespace, pod.Name, pod.Spec.Containers[0].Name, cmd, nil)
 			format.Log(pod.Name, pod.Spec.Containers[0].Name, stdout)
 			format.Log(pod.Name, pod.Spec.Containers[0].Name, stderr)
@@ -98,7 +101,10 @@ func deleteDataPodFunc(cli kubernetes.Interface, tp param.TemplateParams, reclai
 			deleteIdentifiers = append(deleteIdentifiers, deleteIdentifier)
 		}
 		for i, deleteIdentifier := range deleteIdentifiers {
-			cmd := restic.ForgetCommandByID(tp.Profile, targetPaths[i], deleteIdentifier, encryptionKey)
+			cmd, err := restic.ForgetCommandByID(tp.Profile, targetPaths[i], deleteIdentifier, encryptionKey)
+			if err != nil {
+				return nil, err
+			}
 			stdout, stderr, err := kube.Exec(cli, namespace, pod.Name, pod.Spec.Containers[0].Name, cmd, nil)
 			format.Log(pod.Name, pod.Spec.Containers[0].Name, stdout)
 			format.Log(pod.Name, pod.Spec.Containers[0].Name, stderr)
@@ -118,7 +124,10 @@ func deleteDataPodFunc(cli kubernetes.Interface, tp param.TemplateParams, reclai
 }
 
 func pruneData(cli kubernetes.Interface, tp param.TemplateParams, pod *v1.Pod, namespace, encryptionKey, targetPath string) error {
-	cmd := restic.PruneCommand(tp.Profile, targetPath, encryptionKey)
+	cmd, err := restic.PruneCommand(tp.Profile, targetPath, encryptionKey)
+	if err != nil {
+		return err
+	}
 	stdout, stderr, err := kube.Exec(cli, namespace, pod.Name, pod.Spec.Containers[0].Name, cmd, nil)
 	format.Log(pod.Name, pod.Spec.Containers[0].Name, stdout)
 	format.Log(pod.Name, pod.Spec.Containers[0].Name, stderr)

diff --git a/pkg/function/restore_data.go b/pkg/function/restore_data.go
@@ -18,7 +18,7 @@ import (
 	"context"
 
 	"github.com/pkg/errors"
-	"k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 
@@ -147,9 +147,12 @@ func restoreDataPodFunc(cli kubernetes.Interface, tp param.TemplateParams, names
 		var cmd []string
 		// Generate restore command based on the identifier passed
 		if backupTag != "" {
-			cmd = restic.RestoreCommandByTag(tp.Profile, backupArtifactPrefix, backupTag, restorePath, encryptionKey)
+			cmd, err = restic.RestoreCommandByTag(tp.Profile, backupArtifactPrefix, backupTag, restorePath, encryptionKey)
 		} else if backupID != "" {
-			cmd = restic.RestoreCommandByID(tp.Profile, backupArtifactPrefix, backupID, restorePath, encryptionKey)
+			cmd, err = restic.RestoreCommandByID(tp.Profile, backupArtifactPrefix, backupID, restorePath, encryptionKey)
+		}
+		if err != nil {
+			return nil, err
 		}
 		stdout, stderr, err := kube.Exec(cli, namespace, pod.Name, pod.Spec.Containers[0].Name, cmd, nil)
 		format.Log(pod.Name, pod.Spec.Containers[0].Name, stdout)

diff --git a/pkg/location/location.go b/pkg/location/location.go
@@ -24,11 +24,13 @@ import (
 	crv1alpha1 "github.com/kanisterio/kanister/pkg/apis/cr/v1alpha1"
 	"github.com/kanisterio/kanister/pkg/objectstore"
 	"github.com/kanisterio/kanister/pkg/param"
+	"github.com/kanisterio/kanister/pkg/secrets"
 )
 
 const (
 	AWSAccessKeyID      = "AWS_ACCESS_KEY_ID"
 	AWSSecretAccessKey  = "AWS_SECRET_ACCESS_KEY"
+	AWSSessionToken     = "AWS_SESSION_TOKEN"
 	GoogleCloudCreds    = "GOOGLE_APPLICATION_CREDENTIALS"
 	GoogleProjectId     = "GOOGLE_PROJECT_ID"
 	AzureStorageAccount = "AZURE_ACCOUNT_NAME"
@@ -143,11 +145,7 @@ func getOSSecret(pType objectstore.ProviderType, cred param.Credential) (*object
 	secret := &objectstore.Secret{}
 	switch pType {
 	case objectstore.ProviderTypeS3:
-		secret.Type = objectstore.SecretTypeAwsAccessKey
-		secret.Aws = &objectstore.SecretAws{
-			AccessKeyID:     cred.KeyPair.ID,
-			SecretAccessKey: cred.KeyPair.Secret,
-		}
+		return getAWSSecret(cred)
 	case objectstore.ProviderTypeGCS:
 		secret.Type = objectstore.SecretTypeGcpServiceAccountKey
 		secret.Gcp = &objectstore.SecretGcp{
@@ -165,3 +163,30 @@ func getOSSecret(pType objectstore.ProviderType, cred param.Credential) (*object
 	}
 	return secret, nil
 }
+
+func getAWSSecret(cred param.Credential) (*objectstore.Secret, error) {
+	os := &objectstore.Secret{
+		Type: objectstore.SecretTypeAwsAccessKey,
+	}
+	switch cred.Type {
+	case param.CredentialTypeKeyPair:
+		os.Aws = &objectstore.SecretAws{
+			AccessKeyID:     cred.KeyPair.ID,
+			SecretAccessKey: cred.KeyPair.Secret,
+		}
+		return os, nil
+	case param.CredentialTypeSecret:
+		creds, err := secrets.ExtractAWSCredentials(cred.Secret)
+		if err != nil {
+			return nil, err
+		}
+		os.Aws = &objectstore.SecretAws{
+			AccessKeyID:     creds.AccessKeyID,
+			SecretAccessKey: creds.SecretAccessKey,
+			SessionToken:    creds.SessionToken,
+		}
+		return os, nil
+	default:
+		return nil, errors.Errorf("Unsupported type '%s' for credential", cred.Type)
+	}
+}
diff --git a/pkg/param/param.go b/pkg/param/param.go
@@ -29,6 +29,7 @@ import (
 	crv1alpha1 "github.com/kanisterio/kanister/pkg/apis/cr/v1alpha1"
 	"github.com/kanisterio/kanister/pkg/client/clientset/versioned"
 	"github.com/kanisterio/kanister/pkg/kube"
+	"github.com/kanisterio/kanister/pkg/secrets"
 )
 
 const timeFormat = time.RFC3339Nano
@@ -90,12 +91,14 @@ type CredentialType string
 
 const (
 	CredentialTypeKeyPair CredentialType = "keyPair"
+	CredentialTypeSecret  CredentialType = "secret"
 )
 
 // Credential resolves the storage
 type Credential struct {
 	Type    CredentialType
 	KeyPair *KeyPair
+	Secret  *v1.Secret
 }
 
 // KeyPair is a credential that contains two strings: an ID and a secret.
@@ -209,6 +212,8 @@ func fetchCredential(ctx context.Context, cli kubernetes.Interface, c crv1alpha1
 	switch c.Type {
 	case crv1alpha1.CredentialTypeKeyPair:
 		return fetchKeyPairCredential(ctx, cli, c.KeyPair)
+	case crv1alpha1.CredentialTypeSecret:
+		return fetchSecretCredential(ctx, cli, c.Secret)
 	default:
 		return nil, errors.Errorf("CredentialType '%s' not supported", c.Type)
 	}
@@ -237,6 +242,23 @@ func fetchKeyPairCredential(ctx context.Context, cli kubernetes.Interface, c *cr
 	}, nil
 }
 
+func fetchSecretCredential(ctx context.Context, cli kubernetes.Interface, sr *crv1alpha1.ObjectReference) (*Credential, error) {
+	if sr == nil {
+		return nil, errors.New("Secret reference cannot be nil")
+	}
+	s, err := cli.CoreV1().Secrets(sr.Namespace).Get(sr.Name, metav1.GetOptions{})
+	if err != nil {
+		return nil, errors.Wrap(err, "Failed to fetch the secret")
+	}
+	if err = secrets.ValidateCredentials(s); err != nil {
+		return nil, err
+	}
+	return &Credential{
+		Type:   CredentialTypeSecret,
+		Secret: s,
+	}, nil
+}
+
 func filterByKind(refs map[string]crv1alpha1.ObjectReference, kind string) map[string]crv1alpha1.ObjectReference {
 	filtered := make(map[string]crv1alpha1.ObjectReference, len(refs))
 	for name, ref := range refs {