Vault independence (#103)

.vscode/launch.json

@@ -27,11 +27,15 @@
             ],
             "env": {
                 "AZURE_LOCATION": "West Europe",
+                //"VAULT_ENABLED": "false",
                 "VAULT_ADDR": "http://localhost:54969/",
                 //"VAULT_TOKEN": "PLEASE_ADD_VAULT_TOKEN",
                 "AZURE_MANAGED_IDENTITY_RG": "global",
                 "AZURE_MANAGED_IDENTITY_NAME": "scriptidentity",
                 "AZURE_ENABLED": "true",
+                "AWS_PROFILE": "minio",
+                // "PULUMI_CONFIG_PASSPHRASE": "PLEASE_ADD_VAULT_TOKEN",
+                // "PULUMI_BACKEND_URL": "s3://BUCKET_NAME?region=ro&endpoint=http://MINIO_HOST:9000&disableSSL=true&s3ForcePathStyle=true"
                 //"RUSI_ENABLED": "true"
                 //"PULUMI_SKIP_REFRESH": "true",
             },
@@ -52,7 +56,8 @@
             "program": "./cmd/configuration-domain-controller",
             "args": ["-v", "4"],
             "env": {
-                "VAULT_ADDR": "http://localhost:65455/",
+                //"VAULT_ENABLED": "false",
+                "VAULT_ADDR": "http://localhost:54969",
                 //"VAULT_TOKEN": "PLEASE_ADD_VAULT_TOKEN"",
                 //"RUSI_ENABLED": "true",
                 "RUSI_GRPC_PORT": "7777"

helm/templates/configuration-domain-controller-deployment.yaml

@@ -31,8 +31,12 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
+        - name: VAULT_ENABLED
+          value: {{ .Values.global.vault.enabled | quote }}
+        {{- if .Values.global.vault.enabled }}
         - name: VAULT_ADDR
           value: "{{ .Values.global.vault.address }}"
+        {{- end }}
         - name: RUSI_ENABLED
           value: "{{ .Values.global.rusi.enabled }}"
         command:

helm/templates/provisioner-deployment.yaml

@@ -106,6 +106,8 @@ spec:
               name: provisioner-secrets
               key: pulumiConfigPassphrase
         {{- end }}
+        - name: VAULT_ENABLED
+          value: {{ .Values.global.vault.enabled | quote }}
         {{- if .Values.global.vault.enabled }}
         - name: VAULT_ADDR
           value: "{{ .Values.global.vault.address }}"

internal/controllers/configuration-domain/configuration_domain_controller.go

@@ -3,7 +3,9 @@ package configuration
 import (
 	"context"
 	"fmt"
+	"os"
 	"reflect"
+	"strconv"
 	"strings"
 	"time"
 
@@ -63,6 +65,8 @@ const (
 	ReadyCondition = "Ready"
 
 	syncedSuccessfullyTopic = "PlatformControllers.ConfigurationDomainController.SyncedSuccessfully"
+
+	EnvVaultEnabled = "VAULT_ENABLED"
 )
 
 var requeueInterval time.Duration = 2 * time.Minute
@@ -102,6 +106,8 @@ type ConfigurationDomainController struct {
 	kubeSecretsHandler   *kubeSecretsHandler
 	vaultSecretsHandler  *secretsHandler
 	messagingPublisher   messaging.MessagingPublisher
+
+	vaultEnabled bool
 }
 
 func NewConfigurationDomainController(
@@ -118,6 +124,12 @@ func NewConfigurationDomainController(
 	eventBroadcaster record.EventBroadcaster,
 	messagingPublisher messaging.MessagingPublisher,
 ) *ConfigurationDomainController {
+
+	vaultEnabled, err := strconv.ParseBool(os.Getenv(EnvVaultEnabled))
+	if err != nil {
+		vaultEnabled = true
+	}
+
 	controller := &ConfigurationDomainController{
 		platformClientset: platformClientset,
 		kubeClientset:     kubeClientset,
@@ -138,13 +150,17 @@ func NewConfigurationDomainController(
 		kubeSecretsLister:  kubeSecretInformer.Lister(),
 		kubeSecretsSynced:  kubeSecretInformer.Informer().HasSynced,
 
-		spcInformer: spcInformer,
-		spcLister:   spcInformer.Lister(),
-		spcSynced:   spcInformer.Informer().HasSynced,
-
 		recorder:           &record.FakeRecorder{},
 		workqueue:          workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "configuration-domain"),
 		messagingPublisher: messagingPublisher,
+
+		vaultEnabled: vaultEnabled,
+	}
+
+	if vaultEnabled {
+		controller.spcInformer = spcInformer
+		controller.spcLister = spcInformer.Lister()
+		controller.spcSynced = spcInformer.Informer().HasSynced
 	}
 
 	utilruntime.Must(clientsetScheme.AddToScheme(scheme.Scheme))
@@ -154,16 +170,21 @@ func NewConfigurationDomainController(
 
 	controller.configurationHandler = newConfigurationHandler(kubeClientset, configMapInformer.Lister(), controller.recorder)
 	controller.kubeSecretsHandler = newKubeSecretsHandler(kubeClientset, kubeSecretInformer.Lister(), controller.recorder)
-	controller.vaultSecretsHandler = newVaultSecretsHandler(csiClientset, spcInformer.Lister(), controller.recorder)
+
+	if vaultEnabled {
+		controller.vaultSecretsHandler = newVaultSecretsHandler(csiClientset, spcInformer.Lister(), controller.recorder)
+	}
 
 	klog.Info("Setting up event handlers")
 
 	// Set up an event handler for when ConfigAggregate resources change
 	addPlatformHandlers(platformInformer)
 	addConfigurationDomainHandlers(configDomainInformer, controller.enqueueConfigurationDomain)
 	addConfigMapHandlers(configMapInformer, controller.handleKubeResource)
-	addKubeSecretsHandlers(kubeSecretInformer, controller.handleKubeResource)
-	addSPCHandlers(spcInformer, controller.enqueueConfigurationDomain)
+	if vaultEnabled {
+		addKubeSecretsHandlers(kubeSecretInformer, controller.handleKubeResource)
+		addSPCHandlers(spcInformer, controller.enqueueConfigurationDomain)
+	}
 
 	return controller
 }
@@ -181,7 +202,12 @@ func (c *ConfigurationDomainController) Run(workers int, stopCh <-chan struct{})
 
 	// Wait for the caches to be synced before starting workers
 	klog.Info("Waiting for informer caches to sync")
-	if ok := cache.WaitForCacheSync(stopCh, c.platformsSynced, c.configDomainsSynced, c.configMapsSynced, c.kubeSecretsSynced, c.spcSynced); !ok {
+
+	cacheSyncs := []cache.InformerSynced{c.platformsSynced, c.configDomainsSynced, c.configMapsSynced, c.kubeSecretsSynced}
+	if c.vaultEnabled {
+		cacheSyncs = append(cacheSyncs, c.spcSynced)
+	}
+	if ok := cache.WaitForCacheSync(stopCh, cacheSyncs...); !ok {
 		return fmt.Errorf("failed to wait for caches to sync")
 	}
 
@@ -299,9 +325,12 @@ func (c *ConfigurationDomainController) syncHandler(key string) error {
 
 	cleanupSecrets := platformNotOk || !configDomain.Spec.AggregateSecrets
 	if cleanupSecrets {
-		err = c.vaultSecretsHandler.Cleanup(namespace, domain)
-		if err != nil {
-			return err
+
+		if c.vaultEnabled {
+			err = c.vaultSecretsHandler.Cleanup(namespace, domain)
+			if err != nil {
+				return err
+			}
 		}
 
 		err = c.kubeSecretsHandler.Cleanup(namespace, domain)
@@ -328,10 +357,13 @@ func (c *ConfigurationDomainController) syncHandler(key string) error {
 	}
 
 	if !cleanupSecrets {
-		err = c.vaultSecretsHandler.Sync(platformObj, configDomain)
-		if err != nil {
-			c.updateStatus(configDomain, false, "Aggregation failed"+err.Error())
-			return err
+
+		if c.vaultEnabled {
+			err = c.vaultSecretsHandler.Sync(platformObj, configDomain)
+			if err != nil {
+				c.updateStatus(configDomain, false, "Aggregation failed"+err.Error())
+				return err
+			}
 		}
 
 		err = c.kubeSecretsHandler.Sync(platformObj, configDomain)

internal/controllers/configuration-domain/kube_secrets_handler.go

@@ -68,7 +68,7 @@ func (h *kubeSecretsHandler) Sync(platformObj *platformv1.Platform, configDomain
 
 	aggregatedSecret := h.aggregateSecrets(configDomain, secrets, outputSecretName)
 
-	// Get the output config map for this namespace::domain
+	// Get the output secret for this namespace::domain
 	outputSecret, err := h.secretsLister.Secrets(configDomain.Namespace).Get(outputSecretName)
 	// If the resource doesn't exist, we'll create it
 	if k8serrors.IsNotFound(err) {
@@ -174,7 +174,7 @@ func (h *kubeSecretsHandler) aggregateSecrets(configurationDomain *v1alpha1.Conf
 
 		for k, v := range secret.Data {
 			if existingValue, ok := mergedData[k]; ok {
-				klog.V(4).Infof("Key %s already exists with value %s. It will be replaced by config map %s with value %s", k, existingValue, secret.Name, v)
+				klog.V(4).Infof("Key %s already exists with value %s. It will be replaced in secret %s with value %s", k, existingValue, secret.Name, v)
 			}
 			mergedData[k] = v
 		}

internal/controllers/provisioning/provisioners/pulumi/exporters.go

@@ -2,6 +2,9 @@ package pulumi
 
 import (
 	"encoding/json"
+	"fmt"
+	"os"
+	"strconv"
 	"strings"
 
 	vault "github.com/pulumi/pulumi-vault/sdk/v5/go/vault/generic"
@@ -18,8 +21,9 @@ import (
 )
 
 const (
-	DomainLabel   = "platform.totalsoft.ro/domain"
-	PlatformLabel = "platform.totalsoft.ro/platform"
+	DomainLabel     = "platform.totalsoft.ro/domain"
+	PlatformLabel   = "platform.totalsoft.ro/platform"
+	EnvVaultEnabled = "VAULT_ENABLED"
 )
 
 type ValueExporterFunc func(exportContext ExportContext, values map[string]exportTemplateWithValue, opts ...pulumi.ResourceOption) error
@@ -51,9 +55,18 @@ func newExportContext(pulumiContext *pulumi.Context, domain, objectName string,
 func handleValueExport(target provisioning.ProvisioningTarget) ValueExporterFunc {
 	templateContext := provisioning.GetTemplateContext(target)
 
+	vaultEnabled, err := strconv.ParseBool(os.Getenv(EnvVaultEnabled))
+	if err != nil {
+		vaultEnabled = true
+	}
+
 	return func(exportContext ExportContext, values map[string]exportTemplateWithValue, opts ...pulumi.ResourceOption) error {
 		v := onlyVaultValues(values)
 		if len(v) > 0 {
+			if !vaultEnabled {
+				return fmt.Errorf("vault is not enabled, but there are values to be exported to the vault")
+			}
+
 			path := provisioning.MatchTarget(target,
 				func(tenant *platformv1.Tenant) string {
 					return strings.Join([]string{tenant.Spec.PlatformRef, exportContext.ownerMeta.Namespace, exportContext.domain, tenant.GetName(), exportContext.objectName}, "/")