mirror of
https://github.com/kubevela/kubevela.git
synced 2026-05-18 23:38:11 +00:00
305a90f428
* feat(addon): Store addon registry tokens in Secrets Previously, addon registry tokens were stored in plaintext within the 'vela-addon-registry' ConfigMap. This is not a secure practice for sensitive data. This commit refactors the addon registry functionality to store tokens in Kubernetes Secrets. The ConfigMap now only contains a reference to the secret name, while the token itself is stored securely. This change includes: - Creating/updating secrets when a registry is added/updated. - Loading tokens from secrets when a registry is listed/retrieved. - Deleting secrets when a registry is deleted. Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com> * test(addon): Add tests for registry token secret storage This commit introduces a comprehensive test suite for the addon registry feature. It includes: - Isolated unit tests for each CRUD operation (Add, Update, List, Get, Delete) to ensure each function works correctly in isolation. - A stateful integration test to validate the complete lifecycle of an addon registry from creation to deletion. The tests verify that tokens are handled correctly via Kubernetes Secrets, confirming the implementation of the secure token storage feature. Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com> * feat(addon): improve addon registry robustness and fix bugs This commit introduces several improvements to the addon registry to make it more robust and fixes several bugs. - When updating a secret, the existing secret is now fetched and updated to avoid potential conflicts. - Deleting a non-existent registry now returns no error, making the operation idempotent. - Getting a non-existent registry now returns a structured not-found error. - Loading a token from a non-existent secret is now handled gracefully. - When setting a token directly on a git-based addon source, the token secret reference is now cleared. - The token secret reference is now correctly copied in `SafeCopy`. Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com> * Refactor(addon): Fix secret deletion and improve registry logic This commit refactors the addon registry data store to fix a critical bug where deleting an addon registry would not delete its associated token secret. The root cause was that the `GetRegistry` function, which was used by `DeleteRegistry`, would load the token from the secret and then clear the `TokenSecretRef` field on the in-memory object. This meant that when `DeleteRegistry` tried to find the secret to delete, the reference was already gone. This has been fixed by: 1. Introducing a central `getRegistries` helper function to read the raw registry data from the ConfigMap. 2. Refactoring all data store methods (`List`, `Get`, `Add`, `Update`, `Delete`) to use this central helper, removing duplicate code. 3. Ensuring `DeleteRegistry` uses the raw, unmodified registry data so that the `TokenSecretRef` is always available for deletion. Additionally, comprehensive unit tests for the new helper functions (`getRegistries`, `loadTokenFromSecret`, `createOrUpdateTokenSecret`) have been added to verify the fix and improve overall code quality and stability. Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com> * feat(addon): improve addon registry token security and logging This commit enhances the security and observability of addon registry token handling. - Adds a warning message to users when an insecure inline token is detected in an addon registry configuration, prompting them to migrate to a more secure secret-based storage. - Implements info-level logging to create an audit trail for token migrations, providing administrators with visibility into security-related events. - Refactors the token migration logic into a new `migrateInlineTokenToSecret` function, improving code clarity and maintainability. - Introduces unit tests for the `TokenSource` interface methods and the `GetTokenSource` function to ensure correctness and prevent regressions. Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com> * Chore: remove comments to triger ci Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com> --------- Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>
481 lines
13 KiB
Go
481 lines
13 KiB
Go
/*
|
|
Copyright 2021 The KubeVela Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package addon
|
|
|
|
import (
|
|
"fmt"
|
|
"net/url"
|
|
"path"
|
|
"strings"
|
|
|
|
"github.com/go-resty/resty/v2"
|
|
"github.com/pkg/errors"
|
|
gitlab "gitlab.com/gitlab-org/api/client-go"
|
|
|
|
"github.com/oam-dev/kubevela/pkg/utils"
|
|
)
|
|
|
|
const (
|
|
// EOFError is error returned by xml parse
|
|
EOFError string = "EOF"
|
|
// DirType means a directory
|
|
DirType = "dir"
|
|
// FileType means a file
|
|
FileType = "file"
|
|
// BlobType means a blob
|
|
BlobType = "blob"
|
|
// TreeType means a tree
|
|
TreeType = "tree"
|
|
|
|
bucketTmpl = "%s://%s.%s"
|
|
singleOSSFileTmpl = "%s/%s"
|
|
listOSSFileTmpl = "%s?max-keys=1000&prefix=%s"
|
|
)
|
|
|
|
// Source is where to get addons, Registry implement this interface
|
|
type Source interface {
|
|
GetUIData(meta *SourceMeta, opt ListOptions) (*UIData, error)
|
|
ListUIData(registryAddonMeta map[string]SourceMeta, opt ListOptions) ([]*UIData, error)
|
|
GetInstallPackage(meta *SourceMeta, uiData *UIData) (*InstallPackage, error)
|
|
ListAddonMeta() (map[string]SourceMeta, error)
|
|
}
|
|
|
|
// GitAddonSource defines the information about the Git as addon source
|
|
type GitAddonSource struct {
|
|
URL string `json:"url,omitempty" validate:"required"`
|
|
Path string `json:"path,omitempty"`
|
|
Token string `json:"token,omitempty"`
|
|
TokenSecretRef string `json:"tokenSecretRef,omitempty"`
|
|
}
|
|
|
|
// GetToken returns the token of the source
|
|
func (g *GitAddonSource) GetToken() string {
|
|
return g.Token
|
|
}
|
|
|
|
// SetToken set the token of the source
|
|
func (g *GitAddonSource) SetToken(token string) {
|
|
g.Token = token
|
|
g.TokenSecretRef = ""
|
|
}
|
|
|
|
// SetTokenSecretRef set the token secret ref to the source
|
|
func (g *GitAddonSource) SetTokenSecretRef(secretName string) {
|
|
g.Token = ""
|
|
g.TokenSecretRef = secretName
|
|
}
|
|
|
|
// GetTokenSecretRef return the token secret ref of the source
|
|
func (g *GitAddonSource) GetTokenSecretRef() string {
|
|
return g.TokenSecretRef
|
|
}
|
|
|
|
// SafeCopy hides field Token
|
|
func (g *GitAddonSource) SafeCopy() *GitAddonSource {
|
|
if g == nil {
|
|
return nil
|
|
}
|
|
return &GitAddonSource{
|
|
URL: g.URL,
|
|
Path: g.Path,
|
|
TokenSecretRef: g.TokenSecretRef,
|
|
}
|
|
}
|
|
|
|
// GiteeAddonSource defines the information about the Gitee as addon source
|
|
type GiteeAddonSource struct {
|
|
URL string `json:"url,omitempty" validate:"required"`
|
|
Path string `json:"path,omitempty"`
|
|
Token string `json:"token,omitempty"`
|
|
TokenSecretRef string `json:"tokenSecretRef,omitempty"`
|
|
}
|
|
|
|
// GetToken return the token of the source
|
|
func (g *GiteeAddonSource) GetToken() string {
|
|
return g.Token
|
|
}
|
|
|
|
// SetToken set the token of the source
|
|
func (g *GiteeAddonSource) SetToken(token string) {
|
|
g.Token = token
|
|
g.TokenSecretRef = ""
|
|
}
|
|
|
|
// SetTokenSecretRef set the token secret ref to the source
|
|
func (g *GiteeAddonSource) SetTokenSecretRef(secretName string) {
|
|
g.Token = ""
|
|
g.TokenSecretRef = secretName
|
|
}
|
|
|
|
// GetTokenSecretRef return the token secret ref of the source
|
|
func (g *GiteeAddonSource) GetTokenSecretRef() string {
|
|
return g.TokenSecretRef
|
|
}
|
|
|
|
// SafeCopy hides field Token
|
|
func (g *GiteeAddonSource) SafeCopy() *GiteeAddonSource {
|
|
if g == nil {
|
|
return nil
|
|
}
|
|
return &GiteeAddonSource{
|
|
URL: g.URL,
|
|
Path: g.Path,
|
|
TokenSecretRef: g.TokenSecretRef,
|
|
}
|
|
}
|
|
|
|
// GitlabAddonSource defines the information about Gitlab as an addon source
|
|
type GitlabAddonSource struct {
|
|
URL string `json:"url,omitempty" validate:"required"`
|
|
Repo string `json:"repo,omitempty" validate:"required"`
|
|
Path string `json:"path,omitempty"`
|
|
Token string `json:"token,omitempty"`
|
|
TokenSecretRef string `json:"tokenSecretRef,omitempty"`
|
|
}
|
|
|
|
// GetToken return the token of the source
|
|
func (g *GitlabAddonSource) GetToken() string {
|
|
return g.Token
|
|
}
|
|
|
|
// SetToken set the token of the source
|
|
func (g *GitlabAddonSource) SetToken(token string) {
|
|
g.Token = token
|
|
g.TokenSecretRef = ""
|
|
}
|
|
|
|
// SetTokenSecretRef set the token secret ref to the source
|
|
func (g *GitlabAddonSource) SetTokenSecretRef(secretName string) {
|
|
g.Token = ""
|
|
g.TokenSecretRef = secretName
|
|
}
|
|
|
|
// GetTokenSecretRef return the token secret ref of the source
|
|
func (g *GitlabAddonSource) GetTokenSecretRef() string {
|
|
return g.TokenSecretRef
|
|
}
|
|
|
|
// SafeCopy hides field Token
|
|
func (g *GitlabAddonSource) SafeCopy() *GitlabAddonSource {
|
|
if g == nil {
|
|
return nil
|
|
}
|
|
return &GitlabAddonSource{
|
|
URL: g.URL,
|
|
Repo: g.Repo,
|
|
Path: g.Path,
|
|
}
|
|
}
|
|
|
|
// HelmSource defines the information about the helm repo addon source
|
|
type HelmSource struct {
|
|
URL string `json:"url,omitempty" validate:"required"`
|
|
InsecureSkipTLS bool `json:"insecureSkipTLS,omitempty"`
|
|
Username string `json:"username,omitempty"`
|
|
Password string `json:"password,omitempty"`
|
|
}
|
|
|
|
// SafeCopier is an interface to copy struct without sensitive fields, such as Token, Username, Password
|
|
type SafeCopier interface {
|
|
SafeCopy() interface{}
|
|
}
|
|
|
|
// SafeCopy hides field Username, Password
|
|
func (h *HelmSource) SafeCopy() *HelmSource {
|
|
if h == nil {
|
|
return nil
|
|
}
|
|
return &HelmSource{
|
|
URL: h.URL,
|
|
}
|
|
}
|
|
|
|
// Item is a partial interface for github.RepositoryContent
|
|
type Item interface {
|
|
// GetType return "dir" or "file"
|
|
GetType() string
|
|
GetPath() string
|
|
GetName() string
|
|
}
|
|
|
|
// SourceMeta record the whole metadata of an addon
|
|
type SourceMeta struct {
|
|
Name string
|
|
Items []Item
|
|
}
|
|
|
|
// ClassifyItemByPattern will filter and classify addon data, data will be classified by pattern it meets
|
|
func ClassifyItemByPattern(meta *SourceMeta, r AsyncReader) map[string][]Item {
|
|
var p = make(map[string][]Item)
|
|
for _, it := range meta.Items {
|
|
pt := GetPatternFromItem(it, r, meta.Name)
|
|
if pt == "" {
|
|
continue
|
|
}
|
|
items := p[pt]
|
|
items = append(items, it)
|
|
p[pt] = items
|
|
}
|
|
return p
|
|
}
|
|
|
|
// AsyncReader helps async read files of addon
|
|
type AsyncReader interface {
|
|
// ListAddonMeta will return directory tree contain addon metadata only
|
|
ListAddonMeta() (addonCandidates map[string]SourceMeta, err error)
|
|
|
|
// ReadFile should accept relative path to github repo/path or OSS bucket, and report the file content
|
|
ReadFile(path string) (content string, err error)
|
|
|
|
// RelativePath return a relative path to GitHub repo/path or OSS bucket/path
|
|
RelativePath(item Item) string
|
|
}
|
|
|
|
// pathWithParent joins path with its parent directory, suffix slash is reserved
|
|
func pathWithParent(subPath, parent string) string {
|
|
actualPath := path.Join(parent, subPath)
|
|
if strings.HasSuffix(subPath, "/") {
|
|
actualPath += "/"
|
|
}
|
|
return actualPath
|
|
}
|
|
|
|
// ReaderType marks where to read addon files
|
|
type ReaderType string
|
|
|
|
const (
|
|
gitType ReaderType = "git"
|
|
ossType ReaderType = "oss"
|
|
giteeType ReaderType = "gitee"
|
|
gitlabType ReaderType = "gitlab"
|
|
)
|
|
|
|
// NewAsyncReader create AsyncReader from
|
|
// 1. GitHub url and directory
|
|
// 2. OSS endpoint and bucket
|
|
func NewAsyncReader(baseURL, bucket, repo, subPath, token string, rdType ReaderType) (AsyncReader, error) {
|
|
|
|
switch rdType {
|
|
case gitType:
|
|
baseURL = strings.TrimSuffix(baseURL, ".git")
|
|
u, err := url.Parse(baseURL)
|
|
if err != nil {
|
|
return nil, errors.New("addon registry invalid")
|
|
}
|
|
u.Path = path.Join(u.Path, subPath)
|
|
_, content, err := utils.Parse(u.String())
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
gith := createGitHelper(content, token)
|
|
return &gitReader{
|
|
h: gith,
|
|
}, nil
|
|
case ossType:
|
|
ossURL, err := url.Parse(baseURL)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
var bucketEndPoint string
|
|
if bucket == "" {
|
|
bucketEndPoint = ossURL.String()
|
|
} else {
|
|
if ossURL.Scheme == "" {
|
|
ossURL.Scheme = "https"
|
|
}
|
|
bucketEndPoint = fmt.Sprintf(bucketTmpl, ossURL.Scheme, bucket, ossURL.Host)
|
|
}
|
|
return &ossReader{
|
|
bucketEndPoint: bucketEndPoint,
|
|
path: subPath,
|
|
client: resty.New(),
|
|
}, nil
|
|
case giteeType:
|
|
baseURL = strings.TrimSuffix(baseURL, ".git")
|
|
u, err := url.Parse(baseURL)
|
|
if err != nil {
|
|
return nil, errors.New("addon registry invalid")
|
|
}
|
|
u.Path = path.Join(u.Path, subPath)
|
|
_, content, err := utils.Parse(u.String())
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
gitee := createGiteeHelper(content, token)
|
|
return &giteeReader{
|
|
h: gitee,
|
|
}, nil
|
|
case gitlabType:
|
|
baseURL = strings.TrimSuffix(baseURL, ".git")
|
|
u, err := url.Parse(baseURL)
|
|
if err != nil {
|
|
return nil, errors.New("addon registry invalid")
|
|
}
|
|
_, content, err := utils.ParseGitlab(u.String(), repo)
|
|
content.GitlabContent.Path = subPath
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
gitlabHelper, err := createGitlabHelper(content, token)
|
|
if err != nil {
|
|
return nil, errors.New("addon registry connect fail")
|
|
}
|
|
|
|
err = gitlabHelper.getGitlabProject(content)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return &gitlabReader{
|
|
h: gitlabHelper,
|
|
}, nil
|
|
}
|
|
return nil, fmt.Errorf("invalid addon registry type '%s'", rdType)
|
|
}
|
|
|
|
// getGitlabProject get gitlab project , set project id
|
|
func (h *gitlabHelper) getGitlabProject(content *utils.Content) error {
|
|
projectURL := content.GitlabContent.Owner + "/" + content.GitlabContent.Repo
|
|
projects, _, err := h.Client.Projects.GetProject(projectURL, &gitlab.GetProjectOptions{})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
content.GitlabContent.PId = projects.ID
|
|
|
|
return nil
|
|
}
|
|
|
|
// BuildReader will build a AsyncReader from registry, AsyncReader are needed to read addon files
|
|
func (r *Registry) BuildReader() (AsyncReader, error) {
|
|
if r.OSS != nil {
|
|
o := r.OSS
|
|
return NewAsyncReader(o.Endpoint, o.Bucket, "", o.Path, "", ossType)
|
|
}
|
|
if r.Git != nil {
|
|
g := r.Git
|
|
return NewAsyncReader(g.URL, "", "", g.Path, g.Token, gitType)
|
|
}
|
|
if r.Gitee != nil {
|
|
g := r.Gitee
|
|
return NewAsyncReader(g.URL, "", "", g.Path, g.Token, giteeType)
|
|
}
|
|
if r.Gitlab != nil {
|
|
g := r.Gitlab
|
|
return NewAsyncReader(g.URL, "", g.Repo, g.Path, g.Token, gitlabType)
|
|
}
|
|
return nil, errors.New("registry don't have enough info to build a reader")
|
|
}
|
|
|
|
// GetUIData get UIData of an addon
|
|
func (r *Registry) GetUIData(meta *SourceMeta, opt ListOptions) (*UIData, error) {
|
|
reader, err := r.BuildReader()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
addon, err := GetUIDataFromReader(reader, meta, opt)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if len(addon.GlobalParameters) != 0 {
|
|
addon.Parameters = addon.GlobalParameters
|
|
}
|
|
addon.RegistryName = r.Name
|
|
return addon, nil
|
|
}
|
|
|
|
// ListUIData list UI data from addon registry
|
|
func (r *Registry) ListUIData(registryAddonMeta map[string]SourceMeta, opt ListOptions) ([]*UIData, error) {
|
|
reader, err := r.BuildReader()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return ListAddonUIDataFromReader(reader, registryAddonMeta, r.Name, opt)
|
|
}
|
|
|
|
// GetInstallPackage get install package which is all needed to enable an addon from addon registry
|
|
func (r *Registry) GetInstallPackage(meta *SourceMeta, uiData *UIData) (*InstallPackage, error) {
|
|
reader, err := r.BuildReader()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return GetInstallPackageFromReader(reader, meta, uiData)
|
|
}
|
|
|
|
// ListAddonMeta list addon file meta(path and name) from a registry
|
|
func (r *Registry) ListAddonMeta() (map[string]SourceMeta, error) {
|
|
reader, err := r.BuildReader()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return reader.ListAddonMeta()
|
|
}
|
|
|
|
// ItemInfo contains summary information about an addon
|
|
type ItemInfo struct {
|
|
Name string
|
|
Description string
|
|
AvailableVersions []string
|
|
}
|
|
|
|
type itemInfoMap map[string]ItemInfo
|
|
|
|
// ListAddonInfo lists addon info (name, versions, etc.) from a registry
|
|
func (r *Registry) ListAddonInfo() (map[string]ItemInfo, error) {
|
|
addonInfoMap := make(map[string]ItemInfo)
|
|
|
|
// local registry doesn't support listing addons
|
|
if IsLocalRegistry(*r) {
|
|
return addonInfoMap, nil
|
|
}
|
|
|
|
if IsVersionRegistry(*r) {
|
|
versionedRegistry, err := ToVersionedRegistry(*r)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
addonList, err := versionedRegistry.ListAddon()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
for _, a := range addonList {
|
|
addonInfoMap[a.Name] = ItemInfo{
|
|
Name: a.Name,
|
|
Description: a.Description,
|
|
AvailableVersions: a.AvailableVersions,
|
|
}
|
|
}
|
|
} else {
|
|
meta, err := r.ListAddonMeta()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
addonList, err := r.ListUIData(meta, ListOptions{})
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
for _, a := range addonList {
|
|
addonInfoMap[a.Name] = ItemInfo{
|
|
Name: a.Name,
|
|
Description: a.Description,
|
|
AvailableVersions: a.AvailableVersions,
|
|
}
|
|
}
|
|
}
|
|
|
|
return addonInfoMap, nil
|
|
}
|