Refactoring and bugfixing

- Small refactorings
- Bugfixing azure client
- Implement kubernetes deployment
- Cleanup

Signed-off-by: Markus Blaschke <mblaschke82@gmail.com>

Author: mblaschke

bootstraptoken/token.go

@@ -37,7 +37,7 @@ func (t *BootstrapToken) SetExpirationUnixTime(val date.UnixTime) {
 	t.expirationTime = &expirationTime
 }
 
-func (t *BootstrapToken) GetExpirationTime() *time.Time {
+func (t *BootstrapToken) ExpirationTime() *time.Time {
 	return t.expirationTime
 }
 
@@ -54,7 +54,7 @@ func (t *BootstrapToken) ExpirationString() (expiration string) {
 	return
 }
 
-func (t *BootstrapToken) GetExpirationUnixTime() (val *date.UnixTime) {
+func (t *BootstrapToken) ExpirationUnixTime() (val *date.UnixTime) {
 	if t.expirationTime != nil {
 		unixTime := date.NewUnixTimeFromDuration(t.expirationTime.Sub(date.UnixEpoch()))
 		val = &unixTime
@@ -71,11 +71,11 @@ func (t *BootstrapToken) SetCreationUnixTime(val date.UnixTime) {
 	t.creationTime = &creationTime
 }
 
-func (t *BootstrapToken) GetCreationTime() *time.Time {
+func (t *BootstrapToken) CreationTime() *time.Time {
 	return t.creationTime
 }
 
-func (t *BootstrapToken) GetCreationUnixTime() (val *date.UnixTime) {
+func (t *BootstrapToken) CreationUnixTime() (val *date.UnixTime) {
 	if t.creationTime != nil {
 		unixTime := date.NewUnixTimeFromDuration(t.creationTime.Sub(date.UnixEpoch()))
 		val = &unixTime

cloudprovider/azure.go

@@ -10,6 +10,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/webdevops/kube-bootstrap-token-manager/bootstraptoken"
 	"github.com/webdevops/kube-bootstrap-token-manager/config"
+	"os"
 )
 
 type (
@@ -33,10 +34,12 @@ func (m *CloudProviderAzure) Init(ctx context.Context, opts config.Opts) {
 	m.opts = opts
 	m.log = log.WithField("cloudprovider", "azure")
 
-	// environment
 	if m.opts.CloudProvider.Config != nil {
-		m.environment, err = azure.EnvironmentFromFile(*m.opts.CloudProvider.Config)
-	} else if m.opts.CloudProvider.Azure.Environment != nil {
+		os.Setenv("AZURE_AUTH_LOCATION", *m.opts.CloudProvider.Config)
+	}
+
+	// environment
+	if m.opts.CloudProvider.Azure.Environment != nil {
 		m.environment, err = azure.EnvironmentFromName(*m.opts.CloudProvider.Azure.Environment)
 	} else {
 		m.environment, err = azure.EnvironmentFromName("AZUREPUBLICCLOUD")
@@ -47,13 +50,18 @@ func (m *CloudProviderAzure) Init(ctx context.Context, opts config.Opts) {
 
 	// auth
 	if m.opts.CloudProvider.Config != nil {
-		m.authorizer, err = auth.NewAuthorizerFromFile(m.environment.ResourceIdentifiers.KeyVault)
+		m.authorizer, err = auth.NewAuthorizerFromFileWithResource(m.environment.ResourceIdentifiers.KeyVault)
 	} else {
 		m.authorizer, err = auth.NewAuthorizerFromEnvironmentWithResource(m.environment.ResourceIdentifiers.KeyVault)
 	}
 	if err != nil {
 		m.log.Panic(err)
 	}
+
+	// keyvault client
+	client := keyvault.New()
+	client.Authorizer = m.authorizer
+	m.keyvaultClient = &client
 }
 
 func (m *CloudProviderAzure) FetchToken() (token *bootstraptoken.BootstrapToken) {
@@ -67,7 +75,8 @@ func (m *CloudProviderAzure) FetchToken() (token *bootstraptoken.BootstrapToken)
 		)
 
 		log.Infof("fetching newest token from Azure KeyVault \"%s\" secret \"%s\"", vaultName, secretName)
-		secret, err := m.azureKeyvaultClient().GetSecret(m.ctx, vaultUrl, secretName, "")
+		secret, err := m.keyvaultClient.GetSecret(m.ctx, vaultUrl, secretName, "")
+		// ignore if not found as "non error"
 		if !secret.IsHTTPStatus(404) && err != nil {
 			log.Panic(err)
 		}
@@ -89,6 +98,8 @@ func (m *CloudProviderAzure) FetchToken() (token *bootstraptoken.BootstrapToken)
 	if token != nil {
 		contextLogger := log.WithFields(log.Fields{"token": token.Id()})
 		contextLogger.Infof("found cloud token with id \"%s\" and expiration %s", token.Id(), token.ExpirationString())
+	} else {
+		log.Infof("no cloud token found")
 	}
 
 	return
@@ -115,28 +126,13 @@ func (m *CloudProviderAzure) StoreToken(token *bootstraptoken.BootstrapToken) {
 			},
 			ContentType: stringPtr("kube-bootstrap-token"),
 			SecretAttributes: &keyvault.SecretAttributes{
-				NotBefore: token.GetCreationUnixTime(),
-				Expires:   token.GetExpirationUnixTime(),
+				NotBefore: token.CreationUnixTime(),
+				Expires:   token.ExpirationUnixTime(),
 			},
 		}
-		_, err := m.azureKeyvaultClient().SetSecret(m.ctx, vaultUrl, secretName, secretParameters)
-		if err != nil {
-			log.Panic(err)
-		}
-	}
-}
-
-func (m *CloudProviderAzure) azureKeyvaultClient() *keyvault.BaseClient {
-	if m.keyvaultClient == nil {
-		auth, err := auth.NewAuthorizerFromEnvironmentWithResource(m.environment.ResourceIdentifiers.KeyVault)
+		_, err := m.keyvaultClient.SetSecret(m.ctx, vaultUrl, secretName, secretParameters)
 		if err != nil {
 			log.Panic(err)
 		}
-
-		client := keyvault.New()
-		client.Authorizer = auth
-		m.keyvaultClient = &client
 	}
-
-	return m.keyvaultClient
 }

config/opts.go

@@ -16,7 +16,8 @@ type (
 		}
 
 		BootstrapToken struct {
-			TemplateId                   string         `long:"bootstraptoken.template-id"                     env:"BOOTSTRAPTOKEN_TEMPLATE_ID"                        description:"Name for bootstrap tokens" default:"{{.Date}}"`
+			IdTemplate                   string         `long:"bootstraptoken.id-template"                     env:"BOOTSTRAPTOKEN_ID_TEMPLATE"                        description:"Template for token ID for bootstrap tokens" default:"{{.Date}}"`
+			IdValidation                 string         `long:"bootstraptoken.id-validation"                   env:"BOOTSTRAPTOKEN_ID_VALIDATION"                      description:"Regexp for validation of bootstrap token IDs" default:"^[a-z0-9]{6}\\.[a-z0-9]{16}$"`
 			Name                         string         `long:"bootstraptoken.name"                            env:"BOOTSTRAPTOKEN_NAME"                               description:"Name for bootstrap tokens" default:"bootstrap-token-%s"`
 			Label                        string         `long:"bootstraptoken.label"                           env:"BOOTSTRAPTOKEN_LABEL"                              description:"Label for bootstrap tokens" default:"webdevops.kubernetes.io/bootstraptoken-managed"`
 			Namespace                    string         `long:"bootstraptoken.namespace"                       env:"BOOTSTRAPTOKEN_NAMESPACE"                          description:"Namespace for bootstrap tokens" default:"kube-system"`
@@ -41,7 +42,7 @@ type (
 			Azure struct {
 				Environment        *string `long:"azure-environment"            env:"AZURE_ENVIRONMENT"                description:"Azure environment name"`
 				KeyVaultName       *string `long:"azure.keyvault-name"          env:"AZURE_KEYVAULT_NAME"              description:"Name of Keyvault to sync token"`
-				KeyVaultSecretName *string `long:"azure.keyvault-secret-name"   env:"AZURE_KEYVAULT_SECRET_NAME"       description:"Name of Keyvault secret to sync token"`
+				KeyVaultSecretName *string `long:"azure.keyvault-secret-name"   env:"AZURE_KEYVAULT_SECRET_NAME"       description:"Name of Keyvault secret to sync token" default:"kube-bootstrapt-token"`
 			}
 		}
 

deployment/config.yaml

@@ -2,32 +2,40 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: kube-pool-manager
+  name: kube-bootstrap-token-manager
   namespace: kube-system
   labels:
-    app: kube-pool-manager
+    app: kube-bootstrap-token-manager
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app: kube-pool-manager
+      app: kube-bootstrap-token-manager
   template:
     metadata:
       labels:
-        app: kube-pool-manager
+        app: kube-bootstrap-token-manager
       annotations:
         prometheus.io/scrape: "true"
         prometheus.io/path: /metrics
         prometheus.io/port: "8080"
     spec:
-      serviceAccountName: kube-pool-manager
+      serviceAccountName: kube-bootstrap-token-manager
       containers:
-        - name: kube-pool-manager
-          image: webdevops/kube-pool-manager:development
+        - name: kube-bootstrap-token-manager
+          image: webdevops/kube-bootstrap-token-manager:development
           imagePullPolicy: Always
           env:
-            - name: CONFIG
-              value: "/config/pools.yaml"
+            - name: CLOUD_PROVIDER
+              value: "azure"
+            ###########################
+            # CloudProvider: Azure
+            - name: CLOUD_CONFIG
+              value: "/config/cloudprovider-azure.json"
+            - name: AZURE_ENVIRONMENT
+              value: "AzurePublicCloud"
+            - name: AZURE_KEYVAULT_NAME
+              value: "mblaschke-k8s"
           securityContext:
             readOnlyRootFilesystem: true
             runAsNonRoot: true
@@ -47,9 +55,11 @@ spec:
           volumeMounts:
             - name: config
               mountPath: /config
+              readOnly: true
       volumes:
         - name: config
-          configMap:
-            name: kube-pool-manager
+          secret:
+            secretName: kube-bootstrap-token-manager
+
 
 

deployment/deployment.yaml

@@ -1,36 +1,24 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
-  name: kube-pool-manager
+  name: kube-bootstrap-token-manager
+  namespace: kube-system
 rules:
   - apiGroups: [""]
-    resources: ["nodes"]
-    verbs:     ["get", "list", "patch", "watch"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: kube-pool-manager
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: kube-pool-manager
-subjects:
-  - kind: ServiceAccount
-    name: kube-pool-manager
-    namespace: kube-system
+    resources: ["secrets"]
+    verbs:     ["get", "list", "create", "update", "patch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
+  name: kube-bootstrap-token-manager
   namespace: kube-system
-  name: kube-pool-manager
 subjects:
   - kind: ServiceAccount
     namespace: kube-system
-    name: kube-pool-manager
+    name: kube-bootstrap-token-manager
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: kube-pool-manager
+  name: kube-bootstrap-token-manager

deployment/rbac.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: kube-bootstrap-token-manager
+  namespace: kube-system
+type: Opaque
+data:
+  #####################################
+  # CloudProvider: azure
+  cloudprovider-azure.json: e30=
+#    {
+#      "tenantId": "01234abc-de56-ff78-abc1-234567890def",
+#      "subscriptionId": "01234abc-de56-ff78-abc1-234567890def",
+#      "resourceGroup": "resource-group",
+#      "aadClientId": "01234abc-de56-ff78-abc1-234567890def",
+#      "aadClientSecret": "uKiuXeiwui4jo9quae9o"
+#    }

deployment/secret.yaml

@@ -2,5 +2,5 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: kube-pool-manager
+  name: kube-bootstrap-token-manager
   namespace: kube-system