support secretRef

Signed-off-by: Frank Jogeleit <[email protected]>
kyverno · Sep 6, 2023 · cb4f4a0 · cb4f4a0
1 parent ad233f3
commit cb4f4a0
Show file tree

Hide file tree

Showing 13 changed files with 81 additions and 9 deletions.
diff --git a/charts/policy-reporter/charts/kyvernoPlugin/templates/deployment.yaml b/charts/policy-reporter/charts/kyvernoPlugin/templates/deployment.yaml
@@ -75,16 +75,30 @@ spec:
             mountPath: /app/config.yaml
             subPath: config.yaml
             readOnly: true
-          {{- if or .Values.leaderElection.enabled (gt (int .Values.replicaCount) 1) }}
           env:
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          {{- if or .Values.leaderElection.enabled (gt (int .Values.replicaCount) 1) }}
           - name: POD_NAME
             valueFrom:
               fieldRef:
                 fieldPath: metadata.name
-          - name: POD_NAMESPACE
+          {{- end }}
+          {{- if .Values.global.basicAuth.secretRef }}
+          - name: API_AUTH_USERNAME
             valueFrom:
-              fieldRef:
-                fieldPath: metadata.namespace
+              secretKeyRef:
+                name: {{ .Values.global.basicAuth.secretRef }}
+                key: username
+                optional: false
+          - name: API_AUTH_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.global.basicAuth.secretRef }}
+                key: password
+                optional: false
           {{- end }}
       volumes:
       - name: config-file

diff --git a/charts/policy-reporter/charts/kyvernoPlugin/values.yaml b/charts/policy-reporter/charts/kyvernoPlugin/values.yaml
@@ -201,4 +201,6 @@ global:
     username: ""
     # HTTP BasicAuth password
     password: ""
+    # read credentials from secret
+    secretRef: ""
 
diff --git a/charts/policy-reporter/charts/monitoring/templates/kyverno-servicemonitor.yaml b/charts/policy-reporter/charts/monitoring/templates/kyverno-servicemonitor.yaml
@@ -31,6 +31,14 @@ spec:
       username:
         name: {{ include "monitoring.fullname" . }}-auth
         key: username
+    {{- else if .Values.global.basicAuth.secretRef }}
+    basicAuth:
+      password:
+        name: {{ .Values.global.basicAuth.secretRef }}
+        key: password
+      username:
+        name: {{ .Values.global.basicAuth.secretRef }}
+        key: username
     {{- end }}
     honorLabels: {{ .Values.kyverno.serviceMonitor.honorLabels }}
     {{- if .Values.kyverno.serviceMonitor.scrapeTimeout }}

diff --git a/charts/policy-reporter/charts/monitoring/templates/servicemonitor.yaml b/charts/policy-reporter/charts/monitoring/templates/servicemonitor.yaml
@@ -30,6 +30,15 @@ spec:
       username:
         name: {{ include "monitoring.fullname" . }}-auth
         key: username
+        key: username
+    {{- else if .Values.global.basicAuth.secretRef }}
+    basicAuth:
+      password:
+        name: {{ .Values.global.basicAuth.secretRef }}
+        key: password
+      username:
+        name: {{ .Values.global.basicAuth.secretRef }}
+        key: username
     {{- end }}
     honorLabels: {{ .Values.serviceMonitor.honorLabels }}
     {{- if .Values.serviceMonitor.scrapeTimeout }}

diff --git a/charts/policy-reporter/charts/monitoring/values.yaml b/charts/policy-reporter/charts/monitoring/values.yaml
@@ -137,3 +137,5 @@ global:
     username: ""
     # HTTP BasicAuth password
     password: ""
+    # read credentials from secret
+    secretRef: ""
diff --git a/charts/policy-reporter/charts/ui/templates/deployment.yaml b/charts/policy-reporter/charts/ui/templates/deployment.yaml
@@ -78,6 +78,21 @@ spec:
           {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+          {{- if .Values.global.basicAuth.secretRef }}
+          env:
+          - name: API_AUTH_USERNAME
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.global.basicAuth.secretRef }}
+                key: username
+                optional: false
+          - name: API_AUTH_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.global.basicAuth.secretRef }}
+                key: password
+                optional: false
+          {{- end }}
       volumes:
       - name: config-file
         configMap:

diff --git a/charts/policy-reporter/charts/ui/values.yaml b/charts/policy-reporter/charts/ui/values.yaml
@@ -229,3 +229,5 @@ global:
     username: ""
     # HTTP BasicAuth password
     password: ""
+    # read credentials from secret
+    secretRef: ""
diff --git a/charts/policy-reporter/config.yaml b/charts/policy-reporter/config.yaml
@@ -378,6 +378,7 @@ api:
   basicAuth:
     username: {{ .Values.global.basicAuth.username }}
     password: {{ .Values.global.basicAuth.password }}
+    secretRef: {{ .Values.global.basicAuth.secretRef }}
 
 database:
   type: {{ .Values.database.type }}

diff --git a/charts/policy-reporter/values.yaml b/charts/policy-reporter/values.yaml
@@ -207,6 +207,8 @@ global:
     username: ""
     # HTTP BasicAuth password
     password: ""
+    # read credentials from secret
+    secretRef: ""
 
 # configure mappings from policy to priority
 # you can use default to configure a default priority for fail results

diff --git a/cmd/run.go b/cmd/run.go
@@ -52,7 +52,7 @@ func newRunCMD(version string) *cobra.Command {
 				return err
 			}
 
-			server := resolver.APIServer(client.HasSynced)
+			server := resolver.APIServer(cmd.Context(), client.HasSynced)
 
 			g := &errgroup.Group{}
 

diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -249,8 +249,9 @@ type EmailReports struct {
 
 // BasicAuth configuration
 type BasicAuth struct {
-	Username string `mapstructure:"username"`
-	Password string `mapstructure:"password"`
+	Username  string `mapstructure:"username"`
+	Password  string `mapstructure:"password"`
+	SecretRef string `mapstructure:"secretRef"`
 }
 
 // API configuration

diff --git a/pkg/config/resolver.go b/pkg/config/resolver.go
@@ -52,18 +52,34 @@ type Resolver struct {
 }
 
 // APIServer resolver method
-func (r *Resolver) APIServer(synced func() bool) api.Server {
+func (r *Resolver) APIServer(ctx context.Context, synced func() bool) api.Server {
 	var logger *zap.Logger
 	if r.config.API.Logging {
 		logger, _ = r.Logger()
 	}
 
+	if r.config.API.BasicAuth.SecretRef != "" {
+		values, err := r.SecretClient().Get(ctx, r.config.API.BasicAuth.SecretRef)
+		if err != nil {
+			zap.L().Error("failed to load basic auth secret", zap.Error(err))
+		}
+
+		if values.Username != "" {
+			r.config.API.BasicAuth.Username = values.Username
+		}
+		if values.Password != "" {
+			r.config.API.BasicAuth.Password = values.Password
+		}
+	}
+
 	var auth *api.BasicAuth
 	if r.config.API.BasicAuth.Username != "" && r.config.API.BasicAuth.Password != "" {
 		auth = &api.BasicAuth{
 			Username: r.config.API.BasicAuth.Username,
 			Password: r.config.API.BasicAuth.Password,
 		}
+
+		zap.L().Info("API BasicAuth enabled")
 	}
 
 	return api.NewServer(

diff --git a/pkg/config/resolver_test.go b/pkg/config/resolver_test.go
@@ -292,7 +292,7 @@ func Test_ResolvePolicyStore(t *testing.T) {
 func Test_ResolveAPIServer(t *testing.T) {
 	resolver := config.NewResolver(&config.Config{}, &rest.Config{})
 
-	server := resolver.APIServer(func() bool { return true })
+	server := resolver.APIServer(context.Background(), func() bool { return true })
 	if server == nil {
 		t.Error("Error: Should return API Server")
 	}