Commit 114439b

Azure kms handling for noobaa
This patch provides the support for Azure Key Vault. We are using "libopenstorage/secrets" as the wrapper package to integrate with different KMS; the package provides the abstraction over several KMS. It also provides the integration support for Azure and helps communication with Azure Key Vault. We are required to provide the definition for the house keeping calls registered with libopenstorage/secrets. "libopenstorage/secrets" does the creation of the client handle based on the details provided in the configmap. The certificate details present in the secret are preserved inside a temp file and used to establish the connection with Azure Key Vault as of now.

Below are the connection details that are going to be populated on the Noobaa CR by `noobaa_system_reconciler` at the OCS side, and this is the OCS code where the connection details on the Noobaa CR are built: https://github.com/red-hat-storage/ocs-operator/blob/2d082fc4c1ac4cec961406053cece448f4b07684/controllers/storagecluster/noobaa_system_reconciler.go#L249

Example configmap data:

```
data:
  AZURE_CERT_SECRET_NAME: azure-ocs-ffwc9o1j
  AZURE_CLIENT_ID: az-client-id1
  AZURE_TENANT_ID: az-tenant-id1
  AZURE_VAULT_URL: az-valut-url1
  KMS_PROVIDER: azure-kv
  KMS_SERVICE_NAME: kms-conn-azure1
```

Signed-off-by: Vinayakswami Hariharmath <[email protected]>
1 parent 489d361 commit 114439b

12 files changed, +467 −1351 lines changed
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,43 @@
1+
name: KMS Test - Azure Vault
2+
on: [push, pull_request, workflow_dispatch]
3+
4+
jobs:
5+
run-azure-vault-test:
6+
runs-on: ubuntu-latest
7+
timeout-minutes: 90
8+
concurrency:
9+
group: ${{ github.workflow }}-${{ github.ref }}
10+
cancel-in-progress: true
11+
steps:
12+
- name: checkout
13+
uses: actions/checkout@v4
14+
- uses: actions/setup-go@v4
15+
with:
16+
go-version: "1.20"
17+
18+
- name: Set environment variables
19+
run: |
20+
echo PATH=$PATH:$HOME/go/bin >> $GITHUB_ENV
21+
echo OPERATOR_IMAGE=localhost:5000/noobaa/noobaa-operator:integration >> $GITHUB_ENV
22+
23+
- name: Deploy Dependencies
24+
run: |
25+
set -x
26+
bash .travis/install-5nodes-kind-cluster.sh
27+
go get -v github.com/onsi/ginkgo/ginkgo
28+
go install -mod=mod -v github.com/onsi/ginkgo/ginkgo
29+
ginkgo version
30+
31+
- name: Build NooBaa
32+
run: |
33+
make cli
34+
make image
35+
docker tag noobaa/noobaa-operator:$(go run cmd/version/main.go) $OPERATOR_IMAGE
36+
docker push $OPERATOR_IMAGE
37+
38+
- name: Install NooBaa
39+
run: |
40+
bash .travis/install-noobaa-pull-azure-parameters.sh
41+
42+
- name: Run KMS Azure test
43+
run: make test-kms-azure-vault
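Review bot: the job only ever learns AZURE_VAULT_URL (exported by .travis/install-noobaa-pull-azure-parameters.sh in the "Install NooBaa" step), while the commit message says the Azure provider also needs AZURE_CLIENT_ID, AZURE_TENANT_ID and the certificate secret named by AZURE_CERT_SECRET_NAME, so as written `make test-kms-azure-vault` has no way to authenticate to a real vault; either state that the test is expected to run without credentials for now, or pass the tenant, client id and certificate in as job `env` from repository secrets. If real credentials are wired in later, keep in mind that the `pull_request` trigger also fires for pull requests from forks, where repository secrets are not available, so the job should skip or be gated rather than fail. Minor: `go get -v github.com/onsi/ginkgo/ginkgo` is redundant with the `go install -mod=mod -v github.com/onsi/ginkgo/ginkgo` that follows it (on Go 1.20 `go get` no longer installs binaries, and `go install -mod=mod` already resolves the version from go.mod), so the `go get` line can be dropped.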
@@ -0,0 +1,13 @@
1+
#!/bin/sh
2+
set -o errexit
3+
4+
5+
# TODO: Replace it with azure key vault URL once we have Azure key vault
6+
# account is created
7+
echo AZURE_VAULT_URL="https://noobaa-vault.vault.azure.net/" >> $GITHUB_ENV
8+
9+
echo "💬 Install NooBaa CRD"
10+
./build/_output/bin/noobaa-operator-local crd create
11+
12+
echo "💬 Create NooBaa operator deployment"
13+
./build/_output/bin/noobaa-operator-local operator --operator-image=$OPERATOR_IMAGE install
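Review bot: the hard-coded https://noobaa-vault.vault.azure.net/ (flagged as TODO in the comment above it) points at a vault that does not exist yet, so the KMS test downstream will fail at connection time instead of being skipped; read the URL from a repository secret or variable and exit with a clear message when it is unset, so the intent is explicit rather than buried in a placeholder. The file name says "pull-azure-parameters" but the script only exports AZURE_VAULT_URL; the client id, tenant id and certificate that the commit message lists as required are not pulled here. The comment should also read "Replace with the real Azure Key Vault URL once the account is created". `#!/bin/sh` with `set -o errexit` is fine; adding `set -u` would additionally catch an unset OPERATOR_IMAGE on the last line instead of passing an empty `--operator-image=`.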

Makefile

+5
@@ -240,6 +240,11 @@ test-kms-tls-token: vendor
240240
@echo "✅ test-kms-tls-token"
241241
.PHONY: test-kms-tls-token
242242

243+
test-kms-azure-vault: vendor
244+
ginkgo -v pkg/util/kms/test/azure-vault
245+
@echo "✅ test-kms-azure-vault"
246+
.PHONY: test-kms-azure-vault
247+
243248
test-kms-ibm-kp: vendor
244249
ginkgo -v pkg/util/kms/test/ibm-kp
245250
@echo "✅ test-kms-ibm-kp"

go.mod

+20-10
@@ -2,6 +2,11 @@ module github.com/noobaa/noobaa-operator/v5
22

33
go 1.20
44

5+
replace (
6+
github.com/libopenstorage/secrets => github.com/sp98/secrets v0.0.0-20240307061418-5a08606f7676
7+
github.com/portworx/sched-ops => github.com/portworx/sched-ops v0.20.4-openstorage-rc3
8+
)
9+
510
require (
611
cloud.google.com/go/storage v1.30.1
712
github.com/Azure/azure-sdk-for-go v67.2.0+incompatible
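Review bot: the new `replace github.com/libopenstorage/secrets => github.com/sp98/secrets v0.0.0-20240307061418-5a08606f7676` pins the KMS abstraction layer to a personal fork at an untagged pseudo-version; from a supply-chain standpoint the operator's key-management code path is then built from a commit that only the fork owner can update or retract, and that has not gone through the upstream project's review or release process. Please record in a comment why the fork is required (which upstream PR it corresponds to) and plan to drop the replace once that change is merged and a tagged libopenstorage/secrets release is available. Note also that the `require` line for github.com/libopenstorage/secrets v0.0.0-20231011182615-5f4b25ceede1 remains (it is visible as context in the next hunk) and is now silently shadowed by this replace, which is easy to miss when reading go.mod; a comment next to the replace helps. Moving the sched-ops replace into this block is fine, but the old copy further down should be deleted rather than commented out.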
@@ -16,7 +21,7 @@ require (
1621
github.com/coreos/go-semver v0.3.1
1722
github.com/docker/distribution v2.8.2+incompatible
1823
github.com/gemalto/kmip-go v0.0.10
19-
github.com/google/uuid v1.4.0
24+
github.com/google/uuid v1.5.0
2025
github.com/kedacore/keda/v2 v2.7.0
2126
github.com/kube-object-storage/lib-bucket-provisioner v0.0.0-20221122204822-d1a8c34382f1
2227
github.com/libopenstorage/secrets v0.0.0-20231011182615-5f4b25ceede1
@@ -59,12 +64,24 @@ require (
5964
)
6065

6166
require (
67+
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.1 // indirect
68+
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1 // indirect
69+
github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.1 // indirect
70+
github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets v0.12.0 // indirect
71+
github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1 // indirect
72+
github.com/AzureAD/microsoft-authentication-library-for-go v1.2.1 // indirect
6273
github.com/containernetworking/cni v1.1.2 // indirect
6374
github.com/evanphx/json-patch v5.7.0+incompatible // indirect
6475
github.com/go-errors/errors v1.5.1 // indirect
6576
github.com/go-logr/zapr v1.3.0 // indirect
77+
github.com/go-test/deep v1.1.0 // indirect
78+
github.com/golang-jwt/jwt/v5 v5.2.0 // indirect
79+
github.com/gorilla/websocket v1.5.0 // indirect
80+
github.com/hashicorp/vault/api/auth/kubernetes v0.5.0 // indirect
6681
github.com/k8snetworkplumbingwg/network-attachment-definition-client v1.4.0 // indirect
82+
github.com/kylelemons/godebug v1.1.0 // indirect
6783
github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect
84+
github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
6885
golang.org/x/exp v0.0.0-20231127185646-65229373498e // indirect
6986
golang.org/x/sync v0.5.0 // indirect
7087
)
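Review bot: the Azure dependency set this hunk introduces (azcore, azidentity, the pre-1.0 `sdk/keyvault/azsecrets` v0.12.0 module, microsoft-authentication-library-for-go, golang-jwt/jwt/v5, gorilla/websocket, pkg/browser) arrives transitively through the replaced secrets module, so the project cannot bump or audit it independently of the fork. Two things worth checking before merge: `github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets` is the older module path that Azure has since superseded by `sdk/security/keyvault/azsecrets` (1.x), so the fork may be tracking a deprecated line; and `github.com/golang-jwt/jwt/v5` now sits alongside the existing `github.com/golang-jwt/jwt/v4` (still present as context in a later hunk), so two JWT implementations ship in the binary. `go mod why -m` on each module would confirm which import paths pull them in and whether any can be dropped once the fork is upstreamed.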
@@ -84,7 +101,6 @@ require (
84101
github.com/MakeNowJust/heredoc v1.0.0 // indirect
85102
github.com/ansel1/merry v1.8.0 // indirect
86103
github.com/ansel1/merry/v2 v2.2.0 // indirect
87-
github.com/armon/go-metrics v0.4.1 // indirect
88104
github.com/beorn7/perks v1.0.1 // indirect
89105
github.com/bytedance/sonic v1.10.0 // indirect
90106
github.com/cenkalti/backoff/v3 v3.2.2 // indirect
@@ -106,7 +122,6 @@ require (
106122
github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
107123
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
108124
github.com/golang/protobuf v1.5.3 // indirect
109-
github.com/golang/snappy v0.0.4 // indirect
110125
github.com/google/gnostic-models v0.6.8 // indirect
111126
github.com/google/go-cmp v0.6.0 // indirect
112127
github.com/google/gofuzz v1.2.0 // indirect
@@ -116,19 +131,15 @@ require (
116131
github.com/hashicorp/errwrap v1.1.0 // indirect
117132
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
118133
github.com/hashicorp/go-hclog v1.5.0 // indirect
119-
github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
120134
github.com/hashicorp/go-multierror v1.1.1 // indirect
121135
github.com/hashicorp/go-retryablehttp v0.7.5 // indirect
122136
github.com/hashicorp/go-rootcerts v1.0.2 // indirect
123137
github.com/hashicorp/go-secure-stdlib/parseutil v0.1.8 // indirect
124138
github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
125139
github.com/hashicorp/go-sockaddr v1.0.6 // indirect
126-
github.com/hashicorp/golang-lru v1.0.2 // indirect
127140
github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
128-
github.com/hashicorp/vault v1.13.12 // indirect
129141
github.com/hashicorp/vault/api v1.10.0 // indirect
130142
github.com/hashicorp/vault/api/auth/approle v0.5.0 // indirect
131-
github.com/hashicorp/vault/sdk v0.9.2 // indirect
132143
github.com/imdario/mergo v0.3.16 // indirect
133144
github.com/inconshreveable/mousetrap v1.1.0 // indirect
134145
github.com/jmespath/go-jmespath v0.4.0 // indirect
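Review bot: dropping `github.com/hashicorp/vault v1.13.12` and `github.com/hashicorp/vault/sdk v0.9.2` while keeping `github.com/hashicorp/vault/api v1.10.0` is a welcome reduction of the dependency surface (the full Vault server module is far larger than the client API), and it accounts for the removal of go-immutable-radix and golang-lru in this hunk. Since the change is a side effect of the fork's go.mod rather than a deliberate edit here, please confirm with `go mod why -m github.com/hashicorp/vault` that nothing in the operator still imports the server module, and mention the removal in the commit message so the change of footprint is not lost.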
@@ -156,7 +167,6 @@ require (
156167
github.com/nxadm/tail v1.4.8 // indirect
157168
github.com/opencontainers/go-digest v1.0.0 // indirect
158169
github.com/pelletier/go-toml/v2 v2.0.9 // indirect
159-
github.com/pierrec/lz4 v2.6.1+incompatible // indirect
160170
github.com/portworx/sched-ops v1.20.4-rc1.0.20220208024433-611d861089d4 // indirect
161171
github.com/prometheus/client_golang v1.17.0 // indirect
162172
github.com/prometheus/client_model v0.5.0 // indirect
@@ -200,13 +210,13 @@ require (
200210
)
201211

202212
// see https://github.com/rook/rook/blob/master/go.mod#L42-L43
203-
replace github.com/portworx/sched-ops => github.com/portworx/sched-ops v0.20.4-openstorage-rc3
213+
//replace github.com/portworx/sched-ops => github.com/portworx/sched-ops v0.20.4-openstorage-rc3
204214

205215
// we need to get rid of "github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2019-06-01/storage" in azure utils.go
206216
replace github.com/Azure/azure-sdk-for-go => github.com/Azure/azure-sdk-for-go v62.0.0+incompatible
207217

208218
// TODO fix the KNS
209-
replace github.com/libopenstorage/secrets => github.com/libopenstorage/secrets v0.0.0-20230117230814-885ae38d82f8
219+
// replace github.com/libopenstorage/secrets => github.com/libopenstorage/secrets v0.0.0-20230117230814-885ae38d82f8
210220

211221
// https://github.com/rook/rook/blob/master/go.mod#L47-L49
212222
exclude (
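Review bot: rather than commenting out the two old `replace` directives (sched-ops and libopenstorage/secrets), delete them; their replacements now live in the block at the top of the file, and commented-out directives in go.mod tend to get resurrected or confused with the live ones. The two explanatory comments that preceded them ("see https://github.com/rook/rook/blob/master/go.mod#L42-L43" and "TODO fix the KNS") now annotate dead lines; move them next to the new replace block, and update the TODO to say what remains to be done before the fork can be dropped.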

0 commit comments