Support for synchronizing secrets from tenant to LB cluster (#42)

* Support for synchronizing secrets from tenant to LB cluster

Signed-off-by: Waleed Malik <[email protected]>

* Manager: Process and consume sync secrets

Signed-off-by: Waleed Malik <[email protected]>

* Fixes

Signed-off-by: Waleed Malik <[email protected]>

---------

Signed-off-by: Waleed Malik <[email protected]>

Makefile

@@ -72,6 +72,7 @@ manifests: generate controller-gen ## Generate WebhookConfiguration, ClusterRole
 	$(CONTROLLER_GEN) rbac:roleName=kubelb-ccm paths="./internal/controllers/ccm/..." output:artifacts:config=config/ccm/rbac
 	$(CONTROLLER_GEN) rbac:roleName=kubelb paths="./internal/controllers/kubelb/..." output:artifacts:config=config/kubelb/rbac
 	$(CONTROLLER_GEN) crd webhook paths="./..." output:crd:artifacts:config=charts/kubelb-manager/crds
+	cp charts/kubelb-manager/crds/kubelb.k8c.io_syncsecrets.yaml charts/kubelb-ccm/crds/kubelb.k8c.io_syncsecrets.yaml
 
 .PHONY: generate
 generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.

PROJECT

@@ -35,11 +35,29 @@ resources:
   version: v1alpha1
 - api:
     crdVersion: v1
-    namespaced: true
+    namespaced: false
   controller: true
   domain: k8c.io
   group: kubelb.k8c.io
   kind: Tenant
   path: github.com/kubermatic/kubelb/api/v1alpha1
   version: v1alpha1
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: k8c.io
+  group: kubelb.k8c.io
+  kind: Addresses
+  path: github.com/kubermatic/kubelb/api/kubelb.k8c.io/v1alpha1
+  version: v1alpha1
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: k8c.io
+  group: kubelb.k8c.io
+  kind: SyncSecret
+  path: github.com/kubermatic/kubelb/api/kubelb.k8c.io/v1alpha1
+  version: v1alpha1
 version: "3"

api/kubelb.k8c.io/v1alpha1/sync_secret_types.go

@@ -0,0 +1,56 @@
+/*
+Copyright 2024 The KubeLB Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+
+// SyncSecret is a wrapper over Kubernetes Secret object. This is used to sync secrets from tenants to the LB cluster in a controlled and secure way.
+type SyncSecret struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Source: https://pkg.go.dev/k8s.io/api/core/v1#Secret
+
+	// +optional
+	Data map[string][]byte `json:"data,omitempty" protobuf:"bytes,2,rep,name=data"`
+
+	// +k8s:conversion-gen=false
+	// +optional
+	StringData map[string]string `json:"stringData,omitempty" protobuf:"bytes,4,rep,name=stringData"`
+
+	// +optional
+	Type corev1.SecretType `json:"type,omitempty" protobuf:"bytes,3,opt,name=type,casttype=SecretType"`
+}
+
+// +kubebuilder:object:root=true
+
+// SyncSecretList contains a list of SyncSecrets
+type SyncSecretList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []SyncSecret `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&SyncSecret{}, &SyncSecretList{})
+}

charts/kubelb-ccm/README.md

@@ -54,6 +54,7 @@ helm install kubelb-ccm kubelb-ccm --namespace kubelb -f values.yaml --create-na
 | kubelb.disableHTTPRouteController | bool | `false` | disableHTTPRouteController specifies whether to disable the HTTPRoute Controller. |
 | kubelb.disableIngressController | bool | `false` | disableIngressController specifies whether to disable the Ingress Controller. |
 | kubelb.enableLeaderElection | bool | `true` | Enable the leader election. |
+| kubelb.enableSecretSynchronizer | bool | `false` | Enable to automatically convert Secrets labelled with `kubelb.k8c.io/managed-by: kubelb` to Sync Secrets. This is used to sync secrets from tenants to the LB cluster in a controlled and secure way. |
 | kubelb.nodeAddressType | string | `"InternalIP"` |  |
 | kubelb.tenantName | string | `nil` | Name of the tenant, must be unique against a load balancer cluster. |
 | kubelb.useGatewayClass | bool | `true` | useGatewayClass specifies whether to target resources with `kubelb` gateway class or all resources. |
@@ -70,8 +71,8 @@ helm install kubelb-ccm kubelb-ccm --namespace kubelb -f values.yaml --create-na
 | rbac.allowProxyRole | bool | `true` |  |
 | rbac.enabled | bool | `true` |  |
 | replicaCount | int | `1` |  |
-| resources.limits.cpu | string | `"100m"` |  |
-| resources.limits.memory | string | `"128Mi"` |  |
+| resources.limits.cpu | string | `"500m"` |  |
+| resources.limits.memory | string | `"512Mi"` |  |
 | resources.requests.cpu | string | `"100m"` |  |
 | resources.requests.memory | string | `"128Mi"` |  |
 | securityContext.allowPrivilegeEscalation | bool | `false` |  |

charts/kubelb-ccm/crds/kubelb.k8c.io_syncsecrets.yaml

@@ -0,0 +1,56 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: syncsecrets.kubelb.k8c.io
+spec:
+  group: kubelb.k8c.io
+  names:
+    kind: SyncSecret
+    listKind: SyncSecretList
+    plural: syncsecrets
+    singular: syncsecret
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: SyncSecret is a wrapper over Kubernetes Secret object. This is
+          used to sync secrets from tenants to the LB cluster in a controlled and
+          secure way.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          data:
+            additionalProperties:
+              format: byte
+              type: string
+            type: object
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          stringData:
+            additionalProperties:
+              type: string
+            type: object
+          type:
+            type: string
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

charts/kubelb-ccm/templates/clusterrole.yaml

@@ -75,6 +75,32 @@ rules:
   - list
   - watch
 {{- end }}
+{{ if .Values.kubelb.enableSecretSynchronizer -}}
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+{{- end }}
+- apiGroups:
+  - kubelb.k8c.io
+  resources:
+  - syncsecrets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 ---
 {{- if .Values.rbac.allowProxyRole }}
 apiVersion: rbac.authorization.k8s.io/v1

charts/kubelb-ccm/templates/deployment.yaml

@@ -72,6 +72,9 @@ spec:
             {{ if .Values.kubelb.disableGatewayAPI -}}
             - --disable-gateway-api=true
             {{ end -}}
+            {{ if .Values.kubelb.enableSecretSynchronizer -}}
+            - --enable-secret-synchronizer=true
+            {{ end -}}
             - --cluster-name={{ required "A valid .Values.kubelb.tenantName to specify the tenant name is required!" .Values.kubelb.tenantName }}
           env:
           - name: NAMESPACE

charts/kubelb-ccm/values.yaml

@@ -16,6 +16,8 @@ kubelb:
   # -- Enable the leader election.
   enableLeaderElection: true
   nodeAddressType: InternalIP
+  # -- Enable to automatically convert Secrets labelled with `kubelb.k8c.io/managed-by: kubelb` to Sync Secrets. This is used to sync secrets from tenants to the LB cluster in a controlled and secure way.
+  enableSecretSynchronizer: false
   # -- useIngressClass specifies whether to target resources with `kubelb` ingress class or all resources.
   useIngressClass: true
   # -- useGatewayClass specifies whether to target resources with `kubelb` gateway class or all resources.
@@ -76,12 +78,11 @@ service:
 
 resources:
   limits:
-    cpu: 100m
-    memory: 128Mi
+    cpu: 500m
+    memory: 512Mi
   requests:
     cpu: 100m
     memory: 128Mi
-
 autoscaling:
   enabled: false
   minReplicas: 1

charts/kubelb-manager/README.md

@@ -59,8 +59,8 @@ helm install kubelb-manager kubelb-manager --namespace kubelb -f values.yaml --c
 | rbac.allowProxyRole | bool | `true` |  |
 | rbac.enabled | bool | `true` |  |
 | replicaCount | int | `1` |  |
-| resources.limits.cpu | string | `"100m"` |  |
-| resources.limits.memory | string | `"128Mi"` |  |
+| resources.limits.cpu | string | `"500m"` |  |
+| resources.limits.memory | string | `"512Mi"` |  |
 | resources.requests.cpu | string | `"100m"` |  |
 | resources.requests.memory | string | `"128Mi"` |  |
 | securityContext.allowPrivilegeEscalation | bool | `false` |  |

charts/kubelb-manager/crds/kubelb.k8c.io_syncsecrets.yaml

@@ -0,0 +1,56 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: syncsecrets.kubelb.k8c.io
+spec:
+  group: kubelb.k8c.io
+  names:
+    kind: SyncSecret
+    listKind: SyncSecretList
+    plural: syncsecrets
+    singular: syncsecret
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: SyncSecret is a wrapper over Kubernetes Secret object. This is
+          used to sync secrets from tenants to the LB cluster in a controlled and
+          secure way.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          data:
+            additionalProperties:
+              format: byte
+              type: string
+            type: object
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          stringData:
+            additionalProperties:
+              type: string
+            type: object
+          type:
+            type: string
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}