

feat(TKC-2140): add basic secret mgmt / support auto-creating secrets…
… for plain-text data (#5606)

* feat(secrets): adjust /secrets endpoint to properly handle listing Testkube-created secrets
* feat(secrets): expose labels in the /secrets endpoint
* feat(secrets): add endpoint for creating secrets
* feat(secrets): add endpoint to delete secret
* feat(secrets): add rest of endpoints to manage secrets
* feat(secrets): return created secret
* feat(secrets): expose secret type (default to Opaque)
* feat(secrets): add create/update time for secrets
* feat(secrets): disable secret endpoints when they are disabled on installation
* feat(secrets): allow configuring the prefix for creating the secrets
* feat(secrets): add endpoint to expose information about secrets configuration in the Agent
* feat(secrets): store granular configuration for secrets
* feat(secrets): use common secret configuration throughout all application
* feat(testworkflows): add logic for identifying and replacing plain-text credentials in TestWorkflows
* feat(secrets): use ownerReferences instead of virtual label for secrets ownership
* feat(secrets): create secret manager common library
* feat(testworkflows): allow auto-creating secrets for TestWorkflows and TestWorkflowTemplates when `autoCreateSecrets: true` is set
* feat(testworkflows): move auto-creating secrets parameter to query string instead of body
* feat(TKC-2140): change mechanism for extracting secrets from TestWorkflows to use <computed> EnvVarSource for detection
* feat(TKC-2140): delete autoCreateSecrets query parameter, and make it a default behavior
* feat(TKC-2140): add more recognizable secret key name for environment variables
* feat(TKC-2140): expose namespace in the Secret model
* feat(TKC-2140): replace `creds-` prefix with shorter `tw-`
rangoo94 authored Jun 25, 2024
1 parent 14888db commit 1842130
Showing 30 changed files with 2,034 additions and 54 deletions.
328 changes: 327 additions & 1 deletion api/v1/testkube.yaml
Expand Up @@ -3283,8 +3283,205 @@ paths:
type: array
items:
$ref: "#/components/schemas/Secret"
403:
description: "secret management is disabled"
content:
application/problem+json:
schema:
type: array
items:
$ref: "#/components/schemas/Problem"
502:
description: "problem with communicating with kubernetes cluster or git server"
description: "problem with communicating with kubernetes cluster"
content:
application/problem+json:
schema:
type: array
items:
$ref: "#/components/schemas/Problem"
post:
tags:
- secrets
- api
summary: "Create secret"
description: "Create secret in the cluster"
operationId: createSecret
requestBody:
description: secret data
required: true
content:
application/json:
schema:
$ref: "#/components/schemas/SecretInput"
responses:
200:
description: "successful operation"
content:
application/json:
schema:
$ref: "#/components/schemas/Secret"
400:
description: "invalid input data"
content:
application/problem+json:
schema:
type: array
items:
$ref: "#/components/schemas/Problem"
403:
description: "secret management or modification are disabled"
content:
application/problem+json:
schema:
type: array
items:
$ref: "#/components/schemas/Problem"
502:
description: "problem with communicating with kubernetes cluster"
content:
application/problem+json:
schema:
type: array
items:
$ref: "#/components/schemas/Problem"
/secrets/{id}:
delete:
tags:
- secrets
- api
parameters:
- $ref: "#/components/parameters/Namespace"
summary: "Delete secret"
description: "Delete secret in the cluster"
operationId: deleteSecret
responses:
204:
description: "successful operation"
400:
description: "invalid input data"
content:
application/problem+json:
schema:
type: array
items:
$ref: "#/components/schemas/Problem"
403:
description: "secret is not controlled by Testkube or secret management or modification are disabled"
content:
application/problem+json:
schema:
type: array
items:
$ref: "#/components/schemas/Problem"
404:
description: "secret has not been found"
content:
application/problem+json:
schema:
type: array
items:
$ref: "#/components/schemas/Problem"
502:
description: "problem with communicating with kubernetes cluster"
content:
application/problem+json:
schema:
type: array
items:
$ref: "#/components/schemas/Problem"
patch:
tags:
- secrets
- api
summary: "Update secret"
description: "Update secret in the cluster"
operationId: updateSecret
requestBody:
description: secret data
required: true
content:
application/json:
schema:
$ref: "#/components/schemas/SecretUpdate"
responses:
200:
description: "successful operation"
content:
application/json:
schema:
$ref: "#/components/schemas/Secret"
400:
description: "invalid input data"
content:
application/problem+json:
schema:
type: array
items:
$ref: "#/components/schemas/Problem"
403:
description: "secret is not controlled by Testkube or secret management or modification are disabled"
content:
application/problem+json:
schema:
type: array
items:
$ref: "#/components/schemas/Problem"
404:
description: "secret not found"
content:
application/problem+json:
schema:
type: array
items:
$ref: "#/components/schemas/Problem"
502:
description: "problem with communicating with kubernetes cluster"
content:
application/problem+json:
schema:
type: array
items:
$ref: "#/components/schemas/Problem"
get:
tags:
- secrets
- api
summary: "Get secret"
description: "Get secret in the cluster"
operationId: getSecret
responses:
200:
description: "successful operation"
content:
application/json:
schema:
$ref: "#/components/schemas/Secret"
400:
description: "invalid input data"
content:
application/problem+json:
schema:
type: array
items:
$ref: "#/components/schemas/Problem"
403:
description: "secret is not controlled by Testkube or secret management is disabled"
content:
application/problem+json:
schema:
type: array
items:
$ref: "#/components/schemas/Problem"
404:
description: "secret not found"
content:
application/problem+json:
schema:
type: array
items:
$ref: "#/components/schemas/Problem"
502:
description: "problem with communicating with kubernetes cluster"
content:
application/problem+json:
schema:
Expand Down Expand Up @@ -5889,9 +6086,13 @@ components:
enableSecretEndpoint:
type: boolean
description: enable secret endpoint to list secrets in namespace
deprecated: true
disableSecretCreation:
type: boolean
description: disable secret creation for tests and test sources
deprecated: true
secret:
$ref: "#/components/schemas/SecretConfig"
features:
$ref: "#/components/schemas/Features"
executionNamespaces:
Expand Down Expand Up @@ -7484,18 +7685,143 @@ components:
type: object
required:
- name
- controlled
properties:
name:
type: string
description: secret name
example: "git-secret"
namespace:
type: string
description: secret namespace
type:
type: string
description: secret type
default: Opaque
createdAt:
type: string
format: date-time
example: "2022-07-30T06:54:15Z"
updatedAt:
type: string
format: date-time
example: "2022-07-30T06:54:15Z"
controlled:
type: boolean
description: is this Secret controlled by Testkube
owner:
$ref: "#/components/schemas/SecretOwner"
labels:
type: object
description: labels associated with the secret
additionalProperties:
type: string
keys:
type: array
description: secret keys
items:
type: string
example: ["key1", "key2", "key3"]

SecretInput:
description: Secret input information
type: object
required:
- name
- data
properties:
name:
type: string
description: secret name
example: "git-secret"
type:
type: string
description: secret type
default: Opaque
namespace:
type: string
description: secret namespace
owner:
$ref: "#/components/schemas/SecretOwner"
labels:
type: object
description: labels associated with the secret
additionalProperties:
type: string
data:
type: object
description: data to store in the secret
additionalProperties:
type: string

SecretUpdate:
description: Secret input information to update
type: object
properties:
name:
type: string
description: secret name
example: "git-secret"
owner:
$ref: "#/components/schemas/SecretOwner"
labels:
type: object
description: labels associated with the secret
additionalProperties:
type: string
data:
type: object
description: data to store in the secret
additionalProperties:
type: string

SecretOwner:
description: Resource that owns the secret
type: object
required:
- kind
- name
properties:
kind:
description: kind of the resource that is the owner
type: string
name:
type: string
description: name of the owner resource

SecretConfig:
type: object
required:
- prefix
- list
- listAll
- create
- modify
- delete
- autoCreate
properties:
prefix:
type: string
description: prefix for the secrets created via Testkube
list:
type: boolean
description: allow to list secrets created via Testkube
listAll:
type: boolean
description: allow to list all secrets
create:
type: boolean
description: allow to create a new secret via Testkube
modify:
type: boolean
description: allow to modify a secret created via Testkube
delete:
type: boolean
description: allow to delete a secret created via Testkube
autoCreate:
type: boolean
description: allow to automatically create secrets via Testkube for sensitive credentials

TestWorkflow:
type: object
properties:
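Review bot: The `data:` property of the new `SecretInput` and `SecretUpdate` schemas is described only as `data to store in the secret`, which leaves clients guessing whether values are raw strings or base64-encoded as in a Kubernetes Secret's `data` field; the commit title refers to plain-text data, which suggests raw values, so the description should say so explicitly, e.g. `description: plain-text value for each key (not base64-encoded)`. For `SecretUpdate.data` the PATCH semantics are also unstated — whether the supplied keys are merged into the existing data or replace it wholesale — and a one-line note in that description would settle it. Since these values are credentials, adding `format: password` to the `additionalProperties` schema under `data` gives UI tooling a hint to mask them. Separately, in the first hunk only `delete` on `/secrets/{id}` declares the `Namespace` parameter while `patch` and `get` do not, unless it is declared at the path-item level beyond the visible hunk.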
