Skip to content

Implement Secret storage backend as gRPC server #644

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
pkosiec merged 10 commits into from
Feb 28, 2022
Merged

Implement Secret storage backend as gRPC server #644

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
795dd28
Implement Secret storage backend as gRPC server
pkosiec Feb 17, 2022
3864019
Move the Go gRPC client example to `pkg/hub/api/grpc` and fix lint is…
pkosiec Feb 24, 2022
6474795
Update teller and example
pkosiec Feb 24, 2022
90d53dc
Include secret storage backend in build
pkosiec Feb 24, 2022
591b543
Add additional value printing to example
pkosiec Feb 24, 2022
bc2b57b
Fix tests
pkosiec Feb 24, 2022
fcdccf3
Increase lint timeout, update Teller
pkosiec Feb 25, 2022
0f3c7b2
Install missing binaries for gRPC generation
pkosiec Feb 25, 2022
397b49f
Introduce improvements requested in review
pkosiec Feb 25, 2022
20c0480
Prevent caching test result for gRPC client
pkosiec Feb 28, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 6 additions & 2 deletions Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ all: generate build-all-images test-unit test-lint ## Default: generate all, bui
# Building #
############

APPS = gateway k8s-engine hub-js argo-runner helm-runner cloudsql-runner populator terraform-runner argo-actions gitlab-api-runner
APPS = gateway k8s-engine hub-js argo-runner helm-runner cloudsql-runner populator terraform-runner argo-actions gitlab-api-runner secret-storage-backend
TESTS = e2e
INFRA = json-go-gen graphql-schema-linter jinja2 merger

Expand Down Expand Up @@ -148,7 +148,7 @@ image-security-scan: build-all-images ## Build the docker images and check for v
# Generating #
##############

generate: gen-go-api-from-ocf-spec gen-k8s-resources gen-graphql-resources gen-go-source-code gen-docs ## Run all generators
generate: gen-go-api-from-ocf-spec gen-k8s-resources gen-graphql-resources gen-go-source-code gen-docs gen-grpc-resources ## Run all generators
.PHONY: generate

gen-go-api-from-ocf-spec: ## Generate Go code from OCF JSON Schemas
Expand All @@ -163,6 +163,10 @@ gen-graphql-resources: ## Generate code from GraphQL schema
./hack/gen-graphql-resources.sh
.PHONY: gen-graphql-resources

gen-grpc-resources: ## Generate gRPC + ProtoBuf Go code for client and server
./hack/gen-grpc-resources.sh
.PHONY: gen-proto-source-code

gen-go-source-code:
go generate -x ./...
.PHONY: gen-go-source-code
Expand Down
40 changes: 20 additions & 20 deletions cmd/k8s-engine/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,26 +41,26 @@ query {

## Configuration

| Name | Required | Default | Description |
|---------------------------------|----------|----------------------------------|--------------------------------------------------------------------------------------------------------------|
| APP_ENABLE_LEADER_ELECTION | no | `false` | Enable leader election for Kubernetes controller. This ensures only 1 controller is active at any time point |
| APP_LEADER_ELECTION_NAMESPACE | no | | Set the Kubernetes namespace, in which the leader election ConfigMap is created |
| APP_GRAPHQL_ADDR | no | `:8080` | TCP address the metrics endpoint binds to |
| APP_GRAPHQL_ADDR | no | `8081` | TCP address the metrics endpoint binds to |
| APP_HEALTHZ_ADDR | no | `:8082` | TCP address the health probes endpoint binds to |
| APP_LOGGER_DEV_MODE | no | `false` | Enable development mode logging |
| APP_MAX_CONCURRENT_RECONCILES | no | `1` | Maximum number of concurrent reconcile loops in the controller |
| APP_MAX_RETRY_FOR_FAILED_ACTION | no | `15` | Maximum number of retries for failed Action reconcile process |
| APP_GRAPHQLGATEWAY_ENDPOINT | no | `http://capact-gateway/graphql` | Endpoint of the Capact Gateway |
| APP_GRAPHQLGATEWAY_USERNAME | yes | | Basic auth username used to authenticate at the Capact Gateway |
| APP_GRAPHQLGATEWAY_PASSWORD | yes | | Basic auth password used to authenticate at the Capact Gateway |
| APP_BUILTIN_RUNNER_TIMEOUT | no | `30m` | Set the timeout for the workflow execution of the builtin runners |
| APP_BUILTIN_RUNNER_IMAGE | yes | | Set the image of the builtin runner |
| APP_CLUSTER_POLICY_NAME | no | `capact-engine-cluster-policy` | Name of the ConfigMap with cluster policy |
| APP_CLUSTER_POLICY_NAMESPACE | no | `capact-system` | Namespace of the ConfigMap with cluster policy |
| APP_RENDERER_RENDER_TIMEOUT | no | `10m` | Maximum time for rendering process. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". |
| APP_RENDERER_MAX_DEPTH | no | `50` | Maximum number of allowed nested workflows to be processed. |
| KUBECONFIG | no | `~/.kube/config` | Path to kubeconfig file |
| Name | Required | Default | Description |
|---------------------------------|----------|---------------------------------|--------------------------------------------------------------------------------------------------------------|
| APP_ENABLE_LEADER_ELECTION | no | `false` | Enable leader election for Kubernetes controller. This ensures only 1 controller is active at any time point |
| APP_LEADER_ELECTION_NAMESPACE | no | | Set the Kubernetes namespace, in which the leader election ConfigMap is created |
| APP_GRAPHQL_ADDR | no | `:8080` | TCP address the GraphQL endpoint binds to |
| APP_METRICS_ADDR | no | `:8081` | TCP address the metrics endpoint binds to |
| APP_HEALTHZ_ADDR | no | `:8082` | TCP address the health probes endpoint binds to |
| APP_LOGGER_DEV_MODE | no | `false` | Enable development mode logging |
| APP_MAX_CONCURRENT_RECONCILES | no | `1` | Maximum number of concurrent reconcile loops in the controller |
| APP_MAX_RETRY_FOR_FAILED_ACTION | no | `15` | Maximum number of retries for failed Action reconcile process |
| APP_GRAPHQLGATEWAY_ENDPOINT | no | `http://capact-gateway/graphql` | Endpoint of the Capact Gateway |
| APP_GRAPHQLGATEWAY_USERNAME | yes | | Basic auth username used to authenticate at the Capact Gateway |
| APP_GRAPHQLGATEWAY_PASSWORD | yes | | Basic auth password used to authenticate at the Capact Gateway |
| APP_BUILTIN_RUNNER_TIMEOUT | no | `30m` | Set the timeout for the workflow execution of the builtin runners |
| APP_BUILTIN_RUNNER_IMAGE | yes | | Set the image of the builtin runner |
| APP_CLUSTER_POLICY_NAME | no | `capact-engine-cluster-policy` | Name of the ConfigMap with cluster policy |
| APP_CLUSTER_POLICY_NAMESPACE | no | `capact-system` | Namespace of the ConfigMap with cluster policy |
| APP_RENDERER_RENDER_TIMEOUT | no | `10m` | Maximum time for rendering process. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". |
| APP_RENDERER_MAX_DEPTH | no | `50` | Maximum number of allowed nested workflows to be processed. |
| KUBECONFIG | no | `~/.kube/config` | Path to kubeconfig file |

## Development

Expand Down
57 changes: 57 additions & 0 deletions cmd/secret-storage-backend/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,57 @@
# Secret Storage Backend

## Overview

Secret Storage Backend is a service which handles multiple secret storages for TypeInstances.

## Prerequisites

- [Go](https://golang.org)
- (Optional - if AWS Secrets Manager provider should be used) an AWS account with **AdministratorAccess** permissions on it

Comment thread
pkosiec marked this conversation as resolved.
## Usage

### AWS Secrets Manager provider

By default, the Secret Storage Backend has the `aws_secretsmanager` provider enabled.

1. Create AWS security credentials with `SecretsManagerReadWrite` policy.
2. Export environment variables:

```bash
export AWS_ACCESS_KEY_ID="{accessKey}"
export AWS_SECRET_ACCESS_KEY="{secretKey}"
```
3. Run the server:

```bash
APP_LOGGER_DEV_MODE=true go run ./cmd/secret-storage-backend/main.go
```

The server listens to gRPC calls according to the [Storage Backend Protocol Buffers schema](../../pkg/hub/api/grpc/storage_backend.proto).
To perform such calls, you can use e.g. [Insomnia](https://insomnia.rest/) tool.

### Dotenv provider

To run the server with `dotenv` provider enabled, which stores data in files, execute:

```bash
APP_SUPPORTED_PROVIDERS=dotenv,aws_secretsmanager APP_LOGGER_DEV_MODE=true go run ./cmd/secret-storage-backend/main.go
```

> **NOTE:** You can enable multiple providers, separating them by comma, such as: `APP_SUPPORTED_PROVIDERS=aws_secretsmanager,dotenv`.

## Configuration

| Name | Required | Default | Description |
Comment thread
pkosiec marked this conversation as resolved.
|-------------------------|----------|----------------------|-------------------------------------------------------------------------------------------------------------------------------|
| APP_GRPC_ADDR | no | `:50051` | TCP address the gRPC server binds to. |
| APP_HEALTHZ_ADDR | no | `:8082` | TCP address the health probes endpoint binds to. |
| APP_SUPPORTED_PROVIDERS | no | `aws_secretsmanager` | Supported secret providers separated by `,`. A given provider must be passed in additional parameters of gRPC request inputs. |
| APP_LOGGER_DEV_MODE | no | `false` | Enable development mode logging. |

To configure providers, use environmental variables described in the [Providers](https://github.com/SpectralOps/teller#providers) paragraph for Teller's Readme.

## Development

To read more about development, see the [Development guide](https://capact.io/community/development/development-guide).
104 changes: 104 additions & 0 deletions cmd/secret-storage-backend/main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,104 @@
package main

import (
"log"
"net"

"capact.io/capact/internal/healthz"
"capact.io/capact/internal/logger"
secret_storage_backend "capact.io/capact/internal/secret-storage-backend"
"capact.io/capact/pkg/hub/api/grpc/storage_backend"
"github.com/pkg/errors"
tellerpkg "github.com/spectralops/teller/pkg"
tellercore "github.com/spectralops/teller/pkg/core"
"github.com/vrischmann/envconfig"
"go.uber.org/zap"
"golang.org/x/sync/errgroup"
"google.golang.org/grpc"
"sigs.k8s.io/controller-runtime/pkg/manager/signals"
)

// Config holds application related configuration.
type Config struct {
// GRPCAddr is the TCP address the gRPC server binds to.
GRPCAddr string `envconfig:"default=:50051"`

// HealthzAddr is the TCP address the health probes endpoint binds to.
HealthzAddr string `envconfig:"default=:8082"`

// SupportedProviders holds enabled secret providers separated by comma.
SupportedProviders []string `envconfig:"default=aws_secretsmanager"`
Comment thread
pkosiec marked this conversation as resolved.

Logger logger.Config
}

const appName = "secret-storage-backend"

func main() {
var cfg Config
err := envconfig.InitWithPrefix(&cfg, "APP")
exitOnError(err, "while loading configuration")

ctx := signals.SetupSignalHandler()

// setup logger
unnamedLogger, err := logger.New(cfg.Logger)
exitOnError(err, "while creating zap logger")

logger := unnamedLogger.Named(appName)

// setup servers
parallelServers := new(errgroup.Group)

healthzServer := healthz.NewHTTPServer(logger, cfg.HealthzAddr, appName)
parallelServers.Go(func() error { return healthzServer.Start(ctx) })

providers, err := loadProviders(cfg.SupportedProviders)
exitOnError(err, "while loading providers")

handler := secret_storage_backend.NewHandler(logger, providers)
exitOnError(err, "while creating new handler")

listenCfg := net.ListenConfig{}
listener, err := listenCfg.Listen(ctx, "tcp", cfg.GRPCAddr)
exitOnError(err, "while listening")

srv := grpc.NewServer()
storage_backend.RegisterStorageBackendServer(srv, handler)

go func() {
<-ctx.Done()
logger.Info("Stopping server gracefully")
srv.GracefulStop()
}()

parallelServers.Go(func() error {
logger.Info("Starting TCP server", zap.String("addr", cfg.GRPCAddr))
return srv.Serve(listener)
})

err = parallelServers.Wait()
exitOnError(err, "while waiting for servers to finish gracefully")
}

func exitOnError(err error, context string) {
if err != nil {
log.Fatalf("%s: %v", context, err)
}
}

func loadProviders(providerNames []string) (map[string]tellercore.Provider, error) {
builtInProviders := tellerpkg.BuiltinProviders{}
providersMap := map[string]tellercore.Provider{}

for _, providerName := range providerNames {
provider, err := builtInProviders.GetProvider(providerName)
if err != nil {
return nil, errors.Wrapf(err, "while loading provider %q", provider)
}

providersMap[providerName] = provider
}

return providersMap, nil
}
Loading