Implement modular cloudprovider

Signed-off-by: Markus Blaschke <mblaschke82@gmail.com>

Author: mblaschke

manager/token.go bootstraptoken/token.gomanager/token.go renamed to bootstraptoken/token.go

@@ -1,4 +1,4 @@
-package manager
+package bootstraptoken
 
 import (
 	"fmt"
@@ -8,40 +8,40 @@ import (
 )
 
 type (
-	bootstrapToken struct {
+	BootstrapToken struct {
 		id             string
 		secret         string
 		creationTime   *time.Time
 		expirationTime *time.Time
 	}
 )
 
-func (t *bootstrapToken) Id() string {
+func (t *BootstrapToken) Id() string {
 	return t.id
 }
 
-func (t *bootstrapToken) Secret() string {
+func (t *BootstrapToken) Secret() string {
 	return t.secret
 }
 
-func (t *bootstrapToken) FullToken() string {
+func (t *BootstrapToken) FullToken() string {
 	return fmt.Sprintf("%s.%s", t.id, t.secret)
 }
 
-func (t *bootstrapToken) SetExpirationTime(val time.Time) {
+func (t *BootstrapToken) SetExpirationTime(val time.Time) {
 	t.expirationTime = &val
 }
 
-func (t *bootstrapToken) SetExpirationUnixTime(val date.UnixTime) {
+func (t *BootstrapToken) SetExpirationUnixTime(val date.UnixTime) {
 	expirationTime := date.UnixEpoch().Add(val.Duration())
 	t.expirationTime = &expirationTime
 }
 
-func (t *bootstrapToken) GetExpirationTime() *time.Time {
+func (t *BootstrapToken) GetExpirationTime() *time.Time {
 	return t.expirationTime
 }
 
-func (t *bootstrapToken) ExpirationString() (expiration string) {
+func (t *BootstrapToken) ExpirationString() (expiration string) {
 	expiration = "<not set>"
 	if t.expirationTime != nil {
 		expiration = fmt.Sprintf(
@@ -54,47 +54,47 @@ func (t *bootstrapToken) ExpirationString() (expiration string) {
 	return
 }
 
-func (t *bootstrapToken) GetExpirationUnixTime() (val *date.UnixTime) {
+func (t *BootstrapToken) GetExpirationUnixTime() (val *date.UnixTime) {
 	if t.expirationTime != nil {
 		unixTime := date.NewUnixTimeFromDuration(t.expirationTime.Sub(date.UnixEpoch()))
 		val = &unixTime
 	}
 	return
 }
 
-func (t *bootstrapToken) SetCreationTime(val time.Time) {
+func (t *BootstrapToken) SetCreationTime(val time.Time) {
 	t.creationTime = &val
 }
 
-func (t *bootstrapToken) SetCreationUnixTime(val date.UnixTime) {
+func (t *BootstrapToken) SetCreationUnixTime(val date.UnixTime) {
 	creationTime := date.UnixEpoch().Add(val.Duration())
 	t.creationTime = &creationTime
 }
 
-func (t *bootstrapToken) GetCreationTime() *time.Time {
+func (t *BootstrapToken) GetCreationTime() *time.Time {
 	return t.creationTime
 }
 
-func (t *bootstrapToken) GetCreationUnixTime() (val *date.UnixTime) {
+func (t *BootstrapToken) GetCreationUnixTime() (val *date.UnixTime) {
 	if t.creationTime != nil {
 		unixTime := date.NewUnixTimeFromDuration(t.creationTime.Sub(date.UnixEpoch()))
 		val = &unixTime
 	}
 	return
 }
 
-func newBootstrapToken(id, secret string) *bootstrapToken {
-	token := bootstrapToken{
+func NewBootstrapToken(id, secret string) *BootstrapToken {
+	token := BootstrapToken{
 		id:     id,
 		secret: secret,
 	}
 	return &token
 }
 
-func parseBootstrapTokenFromString(value string) *bootstrapToken {
+func ParseFromString(value string) *BootstrapToken {
 	tokenParts := strings.SplitN(value, ".", 2)
 	if len(tokenParts) == 2 {
-		token := bootstrapToken{
+		token := BootstrapToken{
 			id:     tokenParts[0],
 			secret: tokenParts[1],
 		}

cloudprovider/azure.go

@@ -0,0 +1,142 @@
+package cloudprovider
+
+import (
+	"context"
+	"fmt"
+	"github.com/Azure/azure-sdk-for-go/services/keyvault/2016-10-01/keyvault"
+	"github.com/Azure/go-autorest/autorest"
+	"github.com/Azure/go-autorest/autorest/azure"
+	"github.com/Azure/go-autorest/autorest/azure/auth"
+	log "github.com/sirupsen/logrus"
+	"github.com/webdevops/kube-bootstrap-token-manager/bootstraptoken"
+	"github.com/webdevops/kube-bootstrap-token-manager/config"
+)
+
+type (
+	CloudProviderAzure struct {
+		CloudProvider
+
+		opts config.Opts
+		ctx  context.Context
+
+		log         *log.Entry
+		environment azure.Environment
+		authorizer  autorest.Authorizer
+
+		keyvaultClient *keyvault.BaseClient
+	}
+)
+
+func (m *CloudProviderAzure) Init(ctx context.Context, opts config.Opts) {
+	var err error
+	m.ctx = ctx
+	m.opts = opts
+	m.log = log.WithField("cloudprovider", "azure")
+
+	// environment
+	if m.opts.CloudProvider.Config != nil {
+		m.environment, err = azure.EnvironmentFromFile(*m.opts.CloudProvider.Config)
+	} else if m.opts.CloudProvider.Azure.Environment != nil {
+		m.environment, err = azure.EnvironmentFromName(*m.opts.CloudProvider.Azure.Environment)
+	} else {
+		m.environment, err = azure.EnvironmentFromName("AZUREPUBLICCLOUD")
+	}
+	if err != nil {
+		m.log.Panic(err)
+	}
+
+	// auth
+	if m.opts.CloudProvider.Config != nil {
+		m.authorizer, err = auth.NewAuthorizerFromFile(m.environment.ResourceIdentifiers.KeyVault)
+	} else {
+		m.authorizer, err = auth.NewAuthorizerFromEnvironmentWithResource(m.environment.ResourceIdentifiers.KeyVault)
+	}
+	if err != nil {
+		m.log.Panic(err)
+	}
+}
+
+func (m *CloudProviderAzure) FetchToken() (token *bootstraptoken.BootstrapToken) {
+	if m.opts.CloudProvider.Azure.KeyVaultName != nil && m.opts.CloudProvider.Azure.KeyVaultSecretName != nil {
+		vaultName := *m.opts.CloudProvider.Azure.KeyVaultName
+		secretName := *m.opts.CloudProvider.Azure.KeyVaultSecretName
+		vaultUrl := fmt.Sprintf(
+			"https://%s.%s",
+			vaultName,
+			m.environment.KeyVaultDNSSuffix,
+		)
+
+		log.Infof("fetching newest token from Azure KeyVault \"%s\" secret \"%s\"", vaultName, secretName)
+		secret, err := m.azureKeyvaultClient().GetSecret(m.ctx, vaultUrl, secretName, "")
+		if !secret.IsHTTPStatus(404) && err != nil {
+			log.Panic(err)
+		}
+
+		if secret.Value != nil {
+			token = bootstraptoken.ParseFromString(*secret.Value)
+			if token != nil {
+				if secret.Attributes.Created != nil {
+					token.SetCreationUnixTime(*secret.Attributes.Created)
+				}
+
+				if secret.Attributes.Expires != nil {
+					token.SetExpirationUnixTime(*secret.Attributes.Expires)
+				}
+			}
+		}
+	}
+
+	if token != nil {
+		contextLogger := log.WithFields(log.Fields{"token": token.Id()})
+		contextLogger.Infof("found cloud token with id \"%s\" and expiration %s", token.Id(), token.ExpirationString())
+	}
+
+	return
+}
+
+func (m *CloudProviderAzure) StoreToken(token *bootstraptoken.BootstrapToken) {
+	contextLogger := m.log.WithFields(log.Fields{"token": token.Id()})
+	if m.opts.CloudProvider.Azure.KeyVaultName != nil && m.opts.CloudProvider.Azure.KeyVaultSecretName != nil {
+		vaultName := *m.opts.CloudProvider.Azure.KeyVaultName
+		secretName := *m.opts.CloudProvider.Azure.KeyVaultSecretName
+		vaultUrl := fmt.Sprintf(
+			"https://%s.%s",
+			vaultName,
+			m.environment.KeyVaultDNSSuffix,
+		)
+
+		contextLogger.Infof("storing token to Azure KeyVault \"%s\" secret \"%s\" with expiration %s", vaultName, secretName, token.ExpirationString())
+
+		secretParameters := keyvault.SecretSetParameters{
+			Value: stringPtr(token.FullToken()),
+			Tags: map[string]*string{
+				"managed-by": stringPtr("kube-bootstrap-token-manager"),
+				"token":      stringPtr(token.Id()),
+			},
+			ContentType: stringPtr("kube-bootstrap-token"),
+			SecretAttributes: &keyvault.SecretAttributes{
+				NotBefore: token.GetCreationUnixTime(),
+				Expires:   token.GetExpirationUnixTime(),
+			},
+		}
+		_, err := m.azureKeyvaultClient().SetSecret(m.ctx, vaultUrl, secretName, secretParameters)
+		if err != nil {
+			log.Panic(err)
+		}
+	}
+}
+
+func (m *CloudProviderAzure) azureKeyvaultClient() *keyvault.BaseClient {
+	if m.keyvaultClient == nil {
+		auth, err := auth.NewAuthorizerFromEnvironmentWithResource(m.environment.ResourceIdentifiers.KeyVault)
+		if err != nil {
+			log.Panic(err)
+		}
+
+		client := keyvault.New()
+		client.Authorizer = auth
+		m.keyvaultClient = &client
+	}
+
+	return m.keyvaultClient
+}

cloudprovider/base.go

@@ -0,0 +1,26 @@
+package cloudprovider
+
+import (
+	"context"
+	log "github.com/sirupsen/logrus"
+	"github.com/webdevops/kube-bootstrap-token-manager/bootstraptoken"
+	"github.com/webdevops/kube-bootstrap-token-manager/config"
+)
+
+type (
+	CloudProvider interface {
+		Init(ctx context.Context, opts config.Opts)
+		FetchToken() (token *bootstraptoken.BootstrapToken)
+		StoreToken(token *bootstraptoken.BootstrapToken)
+	}
+)
+
+func NewCloudProvider(provider string) CloudProvider {
+	switch provider {
+	case "azure":
+		return &CloudProviderAzure{}
+	}
+
+	log.Panicf("Cloud provider \"%s\" not available", provider)
+	return nil
+}

manager/misc.go cloudprovider/misc.gomanager/misc.go renamed to cloudprovider/misc.go

@@ -1,4 +1,4 @@
-package manager
+package cloudprovider
 
 func stringPtr(val string) *string {
 	return &val

config/opts.go

@@ -16,6 +16,7 @@ type (
 		}
 
 		BootstrapToken struct {
+			TemplateId                   string         `long:"bootstraptoken.template-id"                     env:"BOOTSTRAPTOKEN_TEMPLATE_ID"                        description:"Name for bootstrap tokens" default:"{{.Date}}"`
 			Name                         string         `long:"bootstraptoken.name"                            env:"BOOTSTRAPTOKEN_NAME"                               description:"Name for bootstrap tokens" default:"bootstrap-token-%s"`
 			Label                        string         `long:"bootstraptoken.label"                           env:"BOOTSTRAPTOKEN_LABEL"                              description:"Label for bootstrap tokens" default:"webdevops.kubernetes.io/bootstraptoken-managed"`
 			Namespace                    string         `long:"bootstraptoken.namespace"                       env:"BOOTSTRAPTOKEN_NAMESPACE"                          description:"Namespace for bootstrap tokens" default:"kube-system"`