Merge pull request #13 from appuio/s3-store

Initial S3 Store functionality
appuio · Dec 21, 2023 · 9f3ac94 · 9f3ac94
2 parents a95c146 + c7224bc
commit 9f3ac94
Show file tree

Hide file tree

Showing 10 changed files with 670 additions and 6 deletions.
diff --git a/api/v1beta1/emergencyaccount_types.go b/api/v1beta1/emergencyaccount_types.go
@@ -52,10 +52,10 @@ type TokenStoreSpec struct {
 	// +kubebuilder:validation:Required
 	Name string `json:"name"`
 	// Type defines the type of the store to use.
-	// Currently `secret`` and `log` stores are supported.
+	// Currently `secret`, `s3`, and `log` stores are supported.
 	// The stores can be further configured in the corresponding storeSpec.
 	// +kubebuilder:validation:Required
-	// +kubebuilder:validation:Enum=secret;log
+	// +kubebuilder:validation:Enum=secret;log;s3
 	Type string `json:"type"`
 
 	// SecretSpec configures the secret store.
@@ -64,6 +64,58 @@ type TokenStoreSpec struct {
 	// LogSpec configures the log store.
 	// The log store outputs the token to the log but does not store it anywhere.
 	LogSpec LogStoreSpec `json:"logStore,omitempty"`
+	// S3Spec configures the S3 store.
+	// The S3 store saves the tokens in an S3 bucket.
+	S3Spec S3StoreSpec `json:"s3Store,omitempty"`
+}
+
+// S3StoreSpec configures the S3 store.
+// The S3 store saves the tokens in an S3 bucket with optional encryption using PGP public keys.
+type S3StoreSpec struct {
+	// ObjectNameTemplate is the template for the object name to use.
+	// Sprig functions can be used to generate the object name.
+	// If not set, the object name is the name of the EmergencyAccount.
+	// The name of the EmergencyAccount can be accessed with `{{ .Name }}`.
+	// The namespace of the EmergencyAccount can be accessed with `{{ .Namespace }}`.
+	// The full EmergencyAccount object can be accessed with `{{ .EmergencyAccount }}`.
+	// Additional context can be passed with the `objectNameTemplateContext` field and is accessible with `{{ .Context.<key> }}`.
+	// +kubebuilder:validation:Optional
+	ObjectNameTemplate string `json:"objectNameTemplate,omitempty"`
+	// ObjectNameTemplateContext is the additional context to use for the object name template.
+	// +kubebuilder:validation:Optional
+	ObjectNameTemplateContext map[string]string `json:"objectNameTemplateContext,omitempty"`
+
+	S3 S3Spec `json:"s3"`
+	// Encryption defines the encryption settings for the S3 store.
+	// If not set, the tokens are stored unencrypted.
+	// +kubebuilder:validation:Optional
+	Encryption S3EncryptionSpec `json:"encryption,omitempty"`
+}
+
+type S3Spec struct {
+	// Endpoint is the S3 endpoint to use.
+	Endpoint string `json:"endpoint"`
+	// Bucket is the S3 bucket to use.
+	Bucket string `json:"bucket"`
+
+	// AccessKeyId and SecretAccessKey are the S3 credentials to use.
+	AccessKeyId string `json:"accessKeyId"`
+	// SecretAccessKey is the S3 secret access key to use.
+	SecretAccessKey string `json:"secretAccessKey"`
+
+	// Region is the AWS region to use.
+	Region string `json:"region,omitempty"`
+	// Insecure allows to use an insecure connection to the S3 endpoint.
+	Insecure bool `json:"insecure,omitempty"`
+}
+
+type S3EncryptionSpec struct {
+	// Encrypt defines if the tokens should be encrypted.
+	// If not set, the tokens are stored unencrypted.
+	Encrypt bool `json:"encrypt,omitempty"`
+	// PGPKeys is a list of PGP public keys to encrypt the tokens with.
+	// At least one key must be given if encryption is enabled.
+	PGPKeys []string `json:"pgpKeys,omitempty"`
 }
 
 // SecretStoreSpec configures the secret store.

diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/cluster.appuio.io_emergencyaccounts.yaml b/config/crd/bases/cluster.appuio.io_emergencyaccounts.yaml
@@ -68,18 +68,89 @@ spec:
                       description: Name is the name of the store. Must be unique within
                         the EmergencyAccount
                       type: string
+                    s3Store:
+                      description: S3Spec configures the S3 store. The S3 store saves
+                        the tokens in an S3 bucket.
+                      properties:
+                        encryption:
+                          description: Encryption defines the encryption settings
+                            for the S3 store. If not set, the tokens are stored unencrypted.
+                          properties:
+                            encrypt:
+                              description: Encrypt defines if the tokens should be
+                                encrypted. If not set, the tokens are stored unencrypted.
+                              type: boolean
+                            pgpKeys:
+                              description: PGPKeys is a list of PGP public keys to
+                                encrypt the tokens with. At least one key must be
+                                given if encryption is enabled.
+                              items:
+                                type: string
+                              type: array
+                          type: object
+                        objectNameTemplate:
+                          description: ObjectNameTemplate is the template for the
+                            object name to use. Sprig functions can be used to generate
+                            the object name. If not set, the object name is the name
+                            of the EmergencyAccount. The name of the EmergencyAccount
+                            can be accessed with `{{ .Name }}`. The namespace of the
+                            EmergencyAccount can be accessed with `{{ .Namespace }}`.
+                            The full EmergencyAccount object can be accessed with
+                            `{{ .EmergencyAccount }}`. Additional context can be passed
+                            with the `objectNameTemplateContext` field and is accessible
+                            with `{{ .Context.<key> }}`.
+                          type: string
+                        objectNameTemplateContext:
+                          additionalProperties:
+                            type: string
+                          description: ObjectNameTemplateContext is the additional
+                            context to use for the object name template.
+                          type: object
+                        s3:
+                          properties:
+                            accessKeyId:
+                              description: AccessKeyId and SecretAccessKey are the
+                                S3 credentials to use.
+                              type: string
+                            bucket:
+                              description: Bucket is the S3 bucket to use.
+                              type: string
+                            endpoint:
+                              description: Endpoint is the S3 endpoint to use.
+                              type: string
+                            insecure:
+                              description: Insecure allows to use an insecure connection
+                                to the S3 endpoint.
+                              type: boolean
+                            region:
+                              description: Region is the AWS region to use.
+                              type: string
+                            secretAccessKey:
+                              description: SecretAccessKey is the S3 secret access
+                                key to use.
+                              type: string
+                          required:
+                          - accessKeyId
+                          - bucket
+                          - endpoint
+                          - secretAccessKey
+                          type: object
+                      required:
+                      - s3
+                      type: object
                     secretStore:
                       description: SecretSpec configures the secret store. The secret
                         store saves the tokens in a secret in the same namespace as
                         the EmergencyAccount.
                       type: object
                     type:
                       description: Type defines the type of the store to use. Currently
-                        `secret`` and `log` stores are supported. The stores can be
-                        further configured in the corresponding storeSpec.
+                        `secret`, `s3`, and `log` stores are supported. The stores
+                        can be further configured in the corresponding storeSpec.
                       enum:
                       - secret
                       - log
+                      - s3
                       type: string
                   required:
                   - name

diff --git a/controllers/stores/s3_store.go b/controllers/stores/s3_store.go
@@ -0,0 +1,146 @@
+package stores
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"strings"
+	"text/template"
+
+	"github.com/Masterminds/sprig/v3"
+	"github.com/ProtonMail/gopenpgp/v2/helper"
+	"github.com/appuio/emergency-credentials-controller/pkg/utils"
+	"github.com/minio/minio-go/v7"
+	"github.com/minio/minio-go/v7/pkg/credentials"
+	"go.uber.org/multierr"
+
+	emcv1beta1 "github.com/appuio/emergency-credentials-controller/api/v1beta1"
+)
+
+// MinioClient partially implements the minio.Client interface.
+type MinioClient interface {
+	PutObject(ctx context.Context, bucketName string, objectName string, reader io.Reader, objectSize int64, opts minio.PutObjectOptions) (info minio.UploadInfo, err error)
+}
+
+type S3Store struct {
+	minioClientFactory func(emcv1beta1.S3StoreSpec) (MinioClient, error)
+	spec               emcv1beta1.S3StoreSpec
+}
+
+var _ TokenStorer = &S3Store{}
+
+// NewS3Store creates a new S3Store
+func NewS3Store(spec emcv1beta1.S3StoreSpec) *S3Store {
+	return NewS3StoreWithClientFactory(spec, DefaultClientFactory)
+}
+
+// NewS3StoreWithClientFactory creates a new S3Store with the given client factory.
+func NewS3StoreWithClientFactory(spec emcv1beta1.S3StoreSpec, minioClientFactory func(emcv1beta1.S3StoreSpec) (MinioClient, error)) *S3Store {
+	return &S3Store{spec: spec, minioClientFactory: minioClientFactory}
+}
+
+// DefaultClientFactory is the default factory for creating a MinioClient.
+func DefaultClientFactory(spec emcv1beta1.S3StoreSpec) (MinioClient, error) {
+	return minio.New(spec.S3.Endpoint, &minio.Options{
+		Creds:  credentials.NewStaticV4(spec.S3.AccessKeyId, spec.S3.SecretAccessKey, ""),
+		Secure: !spec.S3.Insecure,
+		Region: spec.S3.Region,
+	})
+}
+
+// StoreToken stores the token in the S3 bucket.
+// If encryption is enabled, the token is encrypted with the given PGP public keys.
+func (ss *S3Store) StoreToken(ctx context.Context, ea emcv1beta1.EmergencyAccount, token string) (string, error) {
+	objectname := ea.Name
+	if ss.spec.ObjectNameTemplate != "" {
+		t, err := template.New("fileName").Funcs(sprig.TxtFuncMap()).Parse(ss.spec.ObjectNameTemplate)
+		if err != nil {
+			return "", fmt.Errorf("unable to parse file name template: %w", err)
+		}
+		buf := new(strings.Builder)
+		if err := t.Execute(buf, struct {
+			Name             string
+			Namespace        string
+			EmergencyAccount emcv1beta1.EmergencyAccount
+			Context          map[string]string
+		}{
+			Name:             ea.Name,
+			Namespace:        ea.Namespace,
+			EmergencyAccount: ea,
+			Context:          ss.spec.ObjectNameTemplateContext,
+		}); err != nil {
+			return "", fmt.Errorf("unable to execute file name template: %w", err)
+		}
+		objectname = buf.String()
+	}
+
+	cli, err := ss.minioClientFactory(ss.spec)
+	if err != nil {
+		return "", fmt.Errorf("unable to create S3 client: %w", err)
+	}
+
+	if ss.spec.Encryption.Encrypt {
+		token, err = encrypt(token, ss.spec.Encryption.PGPKeys)
+		if err != nil {
+			return "", fmt.Errorf("unable to encrypt token: %w", err)
+		}
+	}
+
+	tr := strings.NewReader(token)
+	info, err := cli.PutObject(ctx, ss.spec.S3.Bucket, objectname, tr, int64(tr.Len()), minio.PutObjectOptions{})
+	if err != nil {
+		return "", fmt.Errorf("unable to store token: %w", err)
+	}
+
+	return info.Key, nil
+}
+
+// EncryptedToken is the JSON structure of an encrypted token.
+type EncryptedToken struct {
+	Secrets []EncryptedTokenSecret `json:"secrets"`
+}
+
+// EncryptedTokenSecret is the JSON structure of an encrypted token secret.
+type EncryptedTokenSecret struct {
+	Data string `json:"data"`
+}
+
+// encrypt encrypts the token with the given PGP public keys.
+// The token is encrypted with each key and the resulting encrypted tokens are returned as a JSON array.
+func encrypt(token string, pgpKeys []string) (string, error) {
+	if len(pgpKeys) == 0 {
+		return "", fmt.Errorf("no PGP public keys given")
+	}
+	keys := []string{}
+	for _, key := range pgpKeys {
+		sk, err := utils.SplitPublicKeyBlocks(key)
+		if err != nil {
+			return "", fmt.Errorf("unable to parse PGP public key: %w", err)
+		}
+		keys = append(keys, sk...)
+	}
+
+	encrypted := make([]EncryptedTokenSecret, 0, len(keys))
+	errs := []error{}
+	for _, key := range keys {
+		enc, err := helper.EncryptMessageArmored((key), token)
+		if err != nil {
+			errs = append(errs, err)
+			continue
+		}
+		encrypted = append(encrypted, EncryptedTokenSecret{Data: enc})
+	}
+	if multierr.Combine(errs...) != nil {
+		return "", fmt.Errorf("unable to fully encrypt token: %w", multierr.Combine(errs...))
+	}
+
+	s, err := json.Marshal(EncryptedToken{
+		Secrets: encrypted,
+	})
+	if err != nil {
+		return "", fmt.Errorf("unable to marshal encrypted token: %w", err)
+	}
+
+	return string(s), nil
+}