Azure kms handling for noobaa

This patch provides the support for azure keyvault. We are using "libopenstorage/secrets" as the wrapper package to integrate with different kms and package provides the abstraction over several kms. It also provides the integraton support for azure and helps communication with azure key vault. We are required to provide the definition for house keeping calls registered calls with libopenstorage/secrets. "libopenstorage/secrets" does the creation of client handle based on the details provided in configmap. The certificate details present in the secret are preserved inside a temp file and used to establish the connection with azure key vault as of now. Below are the connection details that are going to be populated on Noobaa CR by `noobaa_system_reconciler` at ocs side and this is the ocs code where connectiondetails on Noobaa CR are built: https://github.com/red-hat-storage/ocs-operator/blob/2d082fc4c1ac4cec961406053cece448f4b07684/controllers/storagecluster/noobaa_system_reconciler.go#L249 ex: configmap data: ``` data: AZURE_CERT_SECRET_NAME: azure-ocs-ffwc9o1j AZURE_CLIENT_ID: az-client-id1 AZURE_TENANT_ID: az-tenant-id1 AZURE_VAULT_URL: az-valut-url1 KMS_PROVIDER: azure-kv KMS_SERVICE_NAME: kms-conn-azure1 ``` Signed-off-by: Vinayakswami Hariharmath <[email protected]>
noobaa · Mar 15, 2024 · f94e3f9 · f94e3f9
1 parent 489d361
commit f94e3f9
Show file tree

Hide file tree

Showing 12 changed files with 467 additions and 1,351 deletions.
diff --git a/.github/workflows/run_kms_azure_vault_test.yml b/.github/workflows/run_kms_azure_vault_test.yml
@@ -0,0 +1,43 @@
+name: KMS Test - Azure Vault
+on: [push, pull_request, workflow_dispatch]
+
+jobs:
+  run-azure-vault-test:
+    runs-on: ubuntu-latest
+    timeout-minutes: 90
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref }}
+      cancel-in-progress: true
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+      - uses: actions/setup-go@v4
+        with:
+          go-version: "1.20"
+
+      - name: Set environment variables
+        run: |
+          echo PATH=$PATH:$HOME/go/bin                                          >> $GITHUB_ENV
+          echo OPERATOR_IMAGE=localhost:5000/noobaa/noobaa-operator:integration >> $GITHUB_ENV
+
+      - name: Deploy Dependencies
+        run: |
+          set -x
+          bash .travis/install-5nodes-kind-cluster.sh
+          go get -v github.com/onsi/ginkgo/ginkgo
+          go install -mod=mod -v github.com/onsi/ginkgo/ginkgo
+          ginkgo version
+
+      - name: Build NooBaa
+        run: |
+          make cli
+          make image
+          docker tag noobaa/noobaa-operator:$(go run cmd/version/main.go) $OPERATOR_IMAGE
+          docker push $OPERATOR_IMAGE
+
+      - name: Install NooBaa
+        run: |
+          bash  .travis/install-noobaa-pull-azure-parameters.sh
+
+      - name: Run KMS Azure test
+        run: make test-kms-azure-vault
diff --git a/.travis/install-noobaa-pull-azure-parameters.sh b/.travis/install-noobaa-pull-azure-parameters.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+set -o errexit
+
+
+# TODO: Replace it with azure key vault URL once we have Azure key vault
+# account is created
+echo AZURE_VAULT_URL="https://noobaa-vault.vault.azure.net/" >> $GITHUB_ENV
+
+echo "💬 Install NooBaa CRD"
+./build/_output/bin/noobaa-operator-local crd create
+
+echo "💬 Create NooBaa operator deployment"
+./build/_output/bin/noobaa-operator-local operator --operator-image=$OPERATOR_IMAGE install
diff --git a/Makefile b/Makefile
@@ -240,6 +240,11 @@ test-kms-tls-token: vendor
 	@echo "✅ test-kms-tls-token"
 .PHONY: test-kms-tls-token
 
+test-kms-azure-vault: vendor
+	ginkgo -v pkg/util/kms/test/azure-vault
+	@echo "✅ test-kms-azure-vault"
+.PHONY: test-kms-azure-vault
+
 test-kms-ibm-kp: vendor
 	ginkgo -v pkg/util/kms/test/ibm-kp
 	@echo "✅ test-kms-ibm-kp"

diff --git a/go.mod b/go.mod
@@ -2,6 +2,12 @@ module github.com/noobaa/noobaa-operator/v5
 
 go 1.20
 
+replace (
+	// TODO: remove this replace once https://github.com/libopenstorage/secrets/pull/83 is merged
+	github.com/libopenstorage/secrets => github.com/rook/secrets v0.0.0-20240315053144-3195f6906937
+	github.com/portworx/sched-ops => github.com/portworx/sched-ops v0.20.4-openstorage-rc3
+)
+
 require (
 	cloud.google.com/go/storage v1.30.1
 	github.com/Azure/azure-sdk-for-go v67.2.0+incompatible
@@ -16,7 +22,7 @@ require (
 	github.com/coreos/go-semver v0.3.1
 	github.com/docker/distribution v2.8.2+incompatible
 	github.com/gemalto/kmip-go v0.0.10
-	github.com/google/uuid v1.4.0
+	github.com/google/uuid v1.5.0
 	github.com/kedacore/keda/v2 v2.7.0
 	github.com/kube-object-storage/lib-bucket-provisioner v0.0.0-20221122204822-d1a8c34382f1
 	github.com/libopenstorage/secrets v0.0.0-20231011182615-5f4b25ceede1
@@ -59,12 +65,24 @@ require (
 )
 
 require (
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets v0.12.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.2.1 // indirect
 	github.com/containernetworking/cni v1.1.2 // indirect
 	github.com/evanphx/json-patch v5.7.0+incompatible // indirect
 	github.com/go-errors/errors v1.5.1 // indirect
 	github.com/go-logr/zapr v1.3.0 // indirect
+	github.com/go-test/deep v1.1.0 // indirect
+	github.com/golang-jwt/jwt/v5 v5.2.0 // indirect
+	github.com/gorilla/websocket v1.5.0 // indirect
+	github.com/hashicorp/vault/api/auth/kubernetes v0.5.0 // indirect
 	github.com/k8snetworkplumbingwg/network-attachment-definition-client v1.4.0 // indirect
+	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect
+	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	golang.org/x/exp v0.0.0-20231127185646-65229373498e // indirect
 	golang.org/x/sync v0.5.0 // indirect
 )
@@ -84,7 +102,6 @@ require (
 	github.com/MakeNowJust/heredoc v1.0.0 // indirect
 	github.com/ansel1/merry v1.8.0 // indirect
 	github.com/ansel1/merry/v2 v2.2.0 // indirect
-	github.com/armon/go-metrics v0.4.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bytedance/sonic v1.10.0 // indirect
 	github.com/cenkalti/backoff/v3 v3.2.2 // indirect
@@ -106,7 +123,6 @@ require (
 	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
-	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
@@ -116,19 +132,15 @@ require (
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-hclog v1.5.0 // indirect
-	github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.5 // indirect
 	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
 	github.com/hashicorp/go-secure-stdlib/parseutil v0.1.8 // indirect
 	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
 	github.com/hashicorp/go-sockaddr v1.0.6 // indirect
-	github.com/hashicorp/golang-lru v1.0.2 // indirect
 	github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
-	github.com/hashicorp/vault v1.13.12 // indirect
 	github.com/hashicorp/vault/api v1.10.0 // indirect
 	github.com/hashicorp/vault/api/auth/approle v0.5.0 // indirect
-	github.com/hashicorp/vault/sdk v0.9.2 // indirect
 	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
@@ -156,7 +168,6 @@ require (
 	github.com/nxadm/tail v1.4.8 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/pelletier/go-toml/v2 v2.0.9 // indirect
-	github.com/pierrec/lz4 v2.6.1+incompatible // indirect
 	github.com/portworx/sched-ops v1.20.4-rc1.0.20220208024433-611d861089d4 // indirect
 	github.com/prometheus/client_golang v1.17.0 // indirect
 	github.com/prometheus/client_model v0.5.0 // indirect
@@ -200,13 +211,13 @@ require (
 )
 
 // see https://github.com/rook/rook/blob/master/go.mod#L42-L43
-replace github.com/portworx/sched-ops => github.com/portworx/sched-ops v0.20.4-openstorage-rc3
+//replace github.com/portworx/sched-ops => github.com/portworx/sched-ops v0.20.4-openstorage-rc3
 
 // we need to get rid of "github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2019-06-01/storage" in azure utils.go
 replace github.com/Azure/azure-sdk-for-go => github.com/Azure/azure-sdk-for-go v62.0.0+incompatible
 
 // TODO fix the KNS
-replace github.com/libopenstorage/secrets => github.com/libopenstorage/secrets v0.0.0-20230117230814-885ae38d82f8
+// replace github.com/libopenstorage/secrets => github.com/libopenstorage/secrets v0.0.0-20230117230814-885ae38d82f8
 
 // https://github.com/rook/rook/blob/master/go.mod#L47-L49
 exclude (