diff --git a/Dockerfile b/Dockerfile
index 2761ecd..69fe56e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.16.12 as builder
+FROM golang:1.23.1 as builder
ENV GO111MODULE off
WORKDIR /go/src/github.com/AliyunContainerService/secrets-store-csi-driver-provider-alibaba-cloud
COPY . .
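Review bot: The new builder line pins the base image by tag only, so `golang:1.23.1` can resolve to different image contents over time; pinning by digest, e.g. `FROM golang:1.23.1@sha256:<digest-of-the-reviewed-image> AS builder`, makes the build reproducible and lets the bump be reviewed against a known image. The unchanged `ENV GO111MODULE off` on the next line keeps GOPATH-mode builds on a toolchain seven minor versions newer; GOPATH mode is deprecated in recent Go releases, so it is worth confirming the build still succeeds with 1.23.1 (presumably the module-less layout under /go/src is intentional). The lowercase `as` also trips BuildKit's FromAsCasing lint; `AS` is the conventional form.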
diff --git a/README.md b/README.md
index 1b88c6f..13862bb 100644
--- a/README.md
+++ b/README.md
@@ -1,8 +1,6 @@
-
-
# Alibaba Cloud Secrets Manager for Secret Store CSI Driver
-Alibaba Cloud Secrets Manager provider for Secrets Store CSI driver allows you to get secret contents stored in [Alibaba Cloud Secrets Manager](https://www.alibabacloud.com/help/en/key-management-service/latest/secrets-manager-overview) and use the Secrets Store CSI driver interface to mount them into Kubernetes pods.
+Alibaba Cloud Secrets Manager provider for Secrets Store CSI driver allows you to get secret contents stored in [Alibaba Cloud Secrets Manager](https://www.alibabacloud.com/help/en/key-management-service/latest/secrets-manager-overview) or [Alibaba Cloud OOS Encrypted Parameter](https://www.alibabacloud.com/help/en/oos/getting-started/manage-encryption-parameters), and use the Secrets Store CSI driver interface to mount them into Kubernetes pods.
### Prerequisites
@@ -24,82 +22,98 @@ The following table lists the configurable parameters of the csi-secrets-store-p
> Refer to [doc](https://github.com/kubernetes-sigs/secrets-store-csi-driver/tree/master/charts/secrets-store-csi-driver/README.md) for configurable parameters of the secrets-store-csi-driver chart.
-| Parameter | Description | Default |
-| ------------------------------------------------------------ | ------------------------------------------------------------ |-------------------------------------------------------------------------------------------------|
-| `nameOverride` | String to partially override csi-secrets-store-provider-alibabacloud.fullname template with a string (will prepend the release name) | `""` |
-| `fullnameOverride` | String to fully override csi-secrets-store-provider-alibabacloud.fullname template with a string | `""` |
-| `imagePullSecrets` | Secrets to be used when pulling images | `[]` |
-| `logFormatJSON` | Use JSON logging format | `false` |
-| `logVerbosity` | Log level. Uses V logs (klog) | `0` |
-| `envVarsFromSecret.ACCESS_KEY_ID` | Set the ACCESS_KEY_ID variable to specify the credential RAM AK for building SDK client, which needs to be defined in the secret named **alibaba-credentials** | |
-| `envVarsFromSecret.SECRET_ACCESS_KEY` | Set the SECRET_ACCESS_KEY variable to specify the credential RAM SK for building SDK client, which needs to be defined in the secret named **alibaba-credentials** | |
-| `envVarsFromSecret.ALICLOUD_ROLE_ARN` | Set the ALICLOUD_ROLE_ARN variable to specify the RAM role ARN for building SDK client, which needs to be defined in the secret named **alibaba-credentials** | |
-| `envVarsFromSecret.ALICLOUD_ROLE_SESSION_NAME` | Set the ALICLOUD_ROLE_SESSION_NAME variable to specify the RAM role session name for building SDK client, which needs to be defined in the secret named **alibaba-credentials** | |
-| `envVarsFromSecret.ALICLOUD_ROLE_SESSION_EXPIRATION` | Set the ALICLOUD_ROLE_SESSION_NAME variable to specify the RAM role session expiration for building SDK client, which needs to be defined in the secret named **alibaba-credentials** | |
-| `envVarsFromSecret. ALICLOUD_OIDC_PROVIDER_ARN` | Set the ALICLOUD_OIDC_PROVIDER_ARN variable to specify the RAM OIDC provider arn for building SDK client, which needs to be defined in the secret named **alibaba-credentials** | |
-| `envVarsFromSecret.ALICLOUD_OIDC_TOKEN_FILE` | Set the ALICLOUD_OIDC_TOKEN_FILE variable to specify the serviceaccount OIDC token file path for building SDK client, which needs to be defined in the secret named **alibaba-credentials** | |
-| `rrsa.enable` | Enable RRSA feature, default is false,when enalbe, you need to configure the parametes of `ALICLOUD_ROLE_ARN` and `ALICLOUD_OIDC_PROVIDER_ARN` in `envVarsFromSecret` | false |
-| `linux.enabled` | Install alibabacloud provider on linux nodes | true |
-| `linux.image.repository` | Linux image repository | `registry.cn-hangzhou.aliyuncs.com/acs/secrets-store-csi-driver-provider-alibaba-cloud` |
-| `linux.image.pullPolicy` | Linux image pull policy | `Always` |
-| `linux.image.tag` | Alibaba Cloud Secrets Manager Provider Linux image tag | `v1.1.0` |
-| `linux.nodeSelector` | Node Selector for the daemonset on linux nodes | `{}` |
-| `linux.tolerations` | Tolerations for the daemonset on linux nodes | `{}` |
-| `linux.resources` | Resource limit for provider pods on linux nodes | `requests.cpu: 50m`
`requests.memory: 100Mi`
`limits.cpu: 100m`
`limits.memory: 500Mi` |
-| `linux.podLabels` | Additional pod labels | `{}` |
-| `linux.podAnnotations` | Additional pod annotations | `{}` |
-| `linux.priorityClassName` | Indicates the importance of a Pod relative to other Pods. | `""` |
-| `linux.updateStrategy` | Configure a custom update strategy for the daemonset on linux nodes | `RollingUpdate with 1 maxUnavailable` |
-| `linux.healthzPort` | port for health check | `"8989"` |
-| `linux.healthzPath` | path for health check | `"/healthz"` |
-| `linux.healthzTimeout` | RPC timeout for health check | `"5s"` |
-| `linux.volumes` | Additional volumes to create for the provider pods. | `[]` |
-| `linux.volumeMounts` | Additional volumes to mount on the provider pods. | `[]` |
-| `linux.affinity` | Configures affinity for provider pods on linux nodes | Match expression `type NotIn virtual-kubelet` |
-| `linux.kubeletRootDir` | Configure the kubelet root dir | `/var/lib/kubelet` |
-| `linux.providersDir` | Configure the providers root dir | `/var/run/secrets-store-csi-providers` |
-| `secrets-store-csi-driver.install` | Install secrets-store-csi-driver with this chart | true |
-| `secrets-store-csi-driver.fullnameOverride` | String to fully override secrets-store-csi-driver.fullname template with a string | `secrets-store-csi-driver` |
-| `secrets-store-csi-driver.linux.enabled` | Install secrets-store-csi-driver on linux nodes | true |
-| `secrets-store-csi-driver.linux.image.repository` | Driver Linux image repository | ` registry.cn-hangzhou.aliyuncs.com/acs/csi-secrets-store-driver` |
-| `secrets-store-csi-driver.linux.image.pullPolicy` | Driver Linux image pull policy | `Always` |
-| `secrets-store-csi-driver.linux.image.tag` | Driver Linux image tag | `v1.3.4` |
-| `secrets-store-csi-driver.linux.livenessProbeImage.repository` | Linux liveness-probe image repository | `registry.cn-hangzhou.aliyuncs.com/acs/csi-secrets-store-livenessprobe` |
-| `secrets-store-csi-driver.linux.livenessProbeImage.pullPolicy` | Linux liveness-probe image pull policy | `Always` |
-| `secrets-store-csi-driver.linux.livenessProbeImage.tag` | Linux liveness-probe image tag | `v2.10.0` |
-| `secrets-store-csi-driver.linux.registrarImage.repository` | Linux node-driver-registrar image repository | `registry.cn-hangzhou.aliyuncs.com/acs/csi-node-driver-registrar` |
-| `secrets-store-csi-driver.linux.registrarImage.pullPolicy` | Linux node-driver-registrar image pull policy | `Always` |
-| `secrets-store-csi-driver.linux.registrarImage.tag` | Linux node-driver-registrar image tag | `v2.8.0` |
-| `secrets-store-csi-driver.enableSecretRotation` | Enable secret rotation feature [alpha] | `false` |
-| `secrets-store-csi-driver.rotationPollInterval` | Secret rotation poll interval duration | `2m` |
-| `secrets-store-csi-driver.filteredWatchSecret` | Enable filtered watch for NodePublishSecretRef secrets with label `secrets-store.csi.k8s.io/used=true`. Refer to [doc](https://secrets-store-csi-driver.sigs.k8s.io/load-tests.html) for more details | `true` |
-| `secrets-store-csi-driver.syncSecret.enabled` | Enable rbac roles and bindings required for syncing to Kubernetes native secrets | `false` |
-| `rbac.install` | Install default service account | true |
+| Parameter | Description | Default |
+| ---------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------- |
+| `nameOverride` | String to partially override csi-secrets-store-provider-alibabacloud.fullname template with a string (will prepend the release name) | `""` |
+| `fullnameOverride` | String to fully override csi-secrets-store-provider-alibabacloud.fullname template with a string | `""` |
+| `imagePullSecrets` | Secrets to be used when pulling images | `[]` |
+| `logFormatJSON` | Use JSON logging format | `false` |
+| `logVerbosity` | Log level. Uses V logs (klog) | `0` |
+| `envVarsFromSecret.ACCESS_KEY_ID` | Set the ACCESS_KEY_ID variable to specify the credential RAM AK for building SDK client, which needs to be defined in the secret named**alibaba-credentials** | |
+| `envVarsFromSecret.SECRET_ACCESS_KEY` | Set the SECRET_ACCESS_KEY variable to specify the credential RAM SK for building SDK client, which needs to be defined in the secret named**alibaba-credentials** | |
+| `envVarsFromSecret.ALICLOUD_ROLE_ARN` | Set the ALICLOUD_ROLE_ARN variable to specify the RAM role ARN for building SDK client, which needs to be defined in the secret named**alibaba-credentials** | |
+| `envVarsFromSecret.ALICLOUD_ROLE_SESSION_NAME` | Set the ALICLOUD_ROLE_SESSION_NAME variable to specify the RAM role session name for building SDK client, which needs to be defined in the secret named**alibaba-credentials** | |
+| `envVarsFromSecret.ALICLOUD_ROLE_SESSION_EXPIRATION` | Set the ALICLOUD_ROLE_SESSION_NAME variable to specify the RAM role session expiration for building SDK client, which needs to be defined in the secret named**alibaba-credentials** | |
+| `envVarsFromSecret. ALICLOUD_OIDC_PROVIDER_ARN` | Set the ALICLOUD_OIDC_PROVIDER_ARN variable to specify the RAM OIDC provider arn for building SDK client, which needs to be defined in the secret named**alibaba-credentials** | |
+| `envVarsFromSecret.ALICLOUD_OIDC_TOKEN_FILE` | Set the ALICLOUD_OIDC_TOKEN_FILE variable to specify the serviceaccount OIDC token file path for building SDK client, which needs to be defined in the secret named**alibaba-credentials** | |
+| `rrsa.enable` | Enable RRSA feature, default is false,when enalbe, you need to configure the parametes of `ALICLOUD_ROLE_ARN` and `ALICLOUD_OIDC_PROVIDER_ARN` in `envVarsFromSecret` | false |
+| `linux.enabled` | Install alibabacloud provider on linux nodes | true |
+| `linux.image.repository` | Linux image repository | `registry.cn-hangzhou.aliyuncs.com/acs/secrets-store-csi-driver-provider-alibaba-cloud` |
+| `linux.image.pullPolicy` | Linux image pull policy | `Always` |
+| `linux.image.tag` | Alibaba Cloud Secrets Manager Provider Linux image tag | `v1.1.0` |
+| `linux.nodeSelector` | Node Selector for the daemonset on linux nodes | `{}` |
+| `linux.tolerations` | Tolerations for the daemonset on linux nodes | `{}` |
+| `linux.resources` | Resource limit for provider pods on linux nodes | `requests.cpu: 50m
``requests.memory: 100Mi
``limits.cpu: 100m
``limits.memory: 500Mi` |
+| `linux.podLabels` | Additional pod labels | `{}` |
+| `linux.podAnnotations` | Additional pod annotations | `{}` |
+| `linux.priorityClassName` | Indicates the importance of a Pod relative to other Pods. | `""` |
+| `linux.updateStrategy` | Configure a custom update strategy for the daemonset on linux nodes | `RollingUpdate with 1 maxUnavailable` |
+| `linux.healthzPort` | port for health check | `"8989"` |
+| `linux.healthzPath` | path for health check | `"/healthz"` |
+| `linux.healthzTimeout` | RPC timeout for health check | `"5s"` |
+| `linux.volumes` | Additional volumes to create for the provider pods. | `[]` |
+| `linux.volumeMounts` | Additional volumes to mount on the provider pods. | `[]` |
+| `linux.affinity` | Configures affinity for provider pods on linux nodes | Match expression `type NotIn virtual-kubelet` |
+| `linux.kubeletRootDir` | Configure the kubelet root dir | `/var/lib/kubelet` |
+| `linux.providersDir` | Configure the providers root dir | `/var/run/secrets-store-csi-providers` |
+| `secrets-store-csi-driver.install` | Install secrets-store-csi-driver with this chart | true |
+| `secrets-store-csi-driver.fullnameOverride` | String to fully override secrets-store-csi-driver.fullname template with a string | `secrets-store-csi-driver` |
+| `secrets-store-csi-driver.linux.enabled` | Install secrets-store-csi-driver on linux nodes | true |
+| `secrets-store-csi-driver.linux.image.repository` | Driver Linux image repository | ` registry.cn-hangzhou.aliyuncs.com/acs/csi-secrets-store-driver` |
+| `secrets-store-csi-driver.linux.image.pullPolicy` | Driver Linux image pull policy | `Always` |
+| `secrets-store-csi-driver.linux.image.tag` | Driver Linux image tag | `v1.3.4` |
+| `secrets-store-csi-driver.linux.livenessProbeImage.repository` | Linux liveness-probe image repository | `registry.cn-hangzhou.aliyuncs.com/acs/csi-secrets-store-livenessprobe` |
+| `secrets-store-csi-driver.linux.livenessProbeImage.pullPolicy` | Linux liveness-probe image pull policy | `Always` |
+| `secrets-store-csi-driver.linux.livenessProbeImage.tag` | Linux liveness-probe image tag | `v2.10.0` |
+| `secrets-store-csi-driver.linux.registrarImage.repository` | Linux node-driver-registrar image repository | `registry.cn-hangzhou.aliyuncs.com/acs/csi-node-driver-registrar` |
+| `secrets-store-csi-driver.linux.registrarImage.pullPolicy` | Linux node-driver-registrar image pull policy | `Always` |
+| `secrets-store-csi-driver.linux.registrarImage.tag` | Linux node-driver-registrar image tag | `v2.8.0` |
+| `secrets-store-csi-driver.enableSecretRotation` | Enable secret rotation feature [alpha] | `false` |
+| `secrets-store-csi-driver.rotationPollInterval` | Secret rotation poll interval duration | `2m` |
+| `secrets-store-csi-driver.filteredWatchSecret` | Enable filtered watch for NodePublishSecretRef secrets with label `secrets-store.csi.k8s.io/used=true`. Refer to [doc](https://secrets-store-csi-driver.sigs.k8s.io/load-tests.html) for more details | `true` |
+| `secrets-store-csi-driver.syncSecret.enabled` | Enable rbac roles and bindings required for syncing to Kubernetes native secrets | `false` |
+| `rbac.install` | Install default service account | true |
## Usage
-Add your secret data to [Alibaba Cloud Secrets Manager]((https://www.alibabacloud.com/help/en/key-management-service/latest/secrets-manager-overview)) with aliyun CLI tool, firstly use `aliyun configure` to set your credentials and default region info.
+- KMS Secrets Manager
+ Add your secret data to [Alibaba Cloud Secrets Manager](https://www.alibabacloud.com/help/en/key-management-service/latest/secrets-manager-overview) with aliyun CLI tool, firstly use `aliyun configure` to set your credentials and default region info.
+ Now create a test secret:
-Now create a test secret:
+ ```shell
+ aliyun kms CreateSecret --SecretName test-kms --SecretData 1234 --VersionId v1
+ ```
-```shell
-aliyun kms CreateSecret --SecretName test --SecretData 1234 --VersionId v1
-```
-Create an access policy for the pod scoped down to just the secrets it should have :
-```shell
-aliyun ram CreatePolicy --PolicyName kms-test --PolicyDocument '{"Statement": [{"Effect": "Allow","Action": "kms:GetSecretValue","Resource": "acs:kms:{region-id}:{aliyun-uid}:secret/test"}],"Version": "1"}'
-```
+ Create an access policy for the pod scoped down to just the secrets it should have :
+
+ ```shell
+ aliyun ram CreatePolicy --PolicyName kms-test --PolicyDocument '{"Statement": [{"Effect": "Allow","Action": ["kms:GetSecretValue", "kms:Decrypt"],"Resource": "acs:kms:{region-id}:{aliyun-uid}:secret/test-kms"}],"Version": "1"}'
+ ```
+- OOS Secret Parameter
+ Add your secret data to [Alibaba Cloud OOS Encrypted Parameter](https://www.alibabacloud.com/help/en/oos/getting-started/manage-encryption-parameters) with aliyun CLI tool, firstly use `aliyun configure` to set your parameter and default region info.
+ Now create a test secret:
+
+ ```shell
+ aliyun oos CreateSecretParameter --Value SecretParameter --Name test-oos
+ ```
+
+ Create an access policy for the pod scoped down to just the secrets it should have :
+
+ ```shell
+ aliyun ram CreatePolicy --PolicyName oos-test --PolicyDocument '{"Statement": [{"Effect": "Allow","Action": ["oos:GetSecretParameter"],"Resource": "acs:oos:{region-id}:{aliyun-uid}:secretparameter/test-oos"}],"Version": "1"}'
+ ```
### Enable [RRSA](https://www.alibabacloud.com/help/zh/container-service-for-kubernetes/latest/use-rrsa-to-enforce-access-control#section-ywl-59g-j8h) feature
-RAM Roles for Service Accounts (RRSA) is the recommended secure authentication method for obtaining secrets in Alibaba Cloud Secrets Manager. For the configuration, please refer to the following steps:
+RAM Roles for Service Accounts (RRSA) is the recommended secure authentication method for obtaining secrets in Alibaba Cloud Secrets Manager and OOS Encrypted Parameter. For the configuration, please refer to the following steps:
1. Create the RAM OIDC provider for the cluster with [ack-ram-tool](https://github.com/AliyunContainerService/ack-ram-tool) or reference [RRSA](https://www.alibabacloud.com/help/zh/container-service-for-kubernetes/latest/use-rrsa-to-enforce-access-control#section-ywl-59g-j8h) doc if you have not already done so:
```shell
ack-ram-tool rrsa enable -c
```
-2. Next create the service account to be used by the pod and associate the above kms RAM policy with that service account. Here we use [ack-ram-tool](https://github.com/AliyunContainerService/ack-ram-tool) CLI to simplify the steps of RAM role creation and authorization:
+
+2. Next create the service account to be used by the pod, and associate the above RAM policy based on the product to synchronize with that service account. Here we use [ack-ram-tool](https://github.com/AliyunContainerService/ack-ram-tool) CLI to simplify the steps of RAM role creation and authorization:
```shell
ack-ram-tool rrsa associate-role -c --create-role-if-not-exist -r -n -s csi-secrets-store-provider-alibabacloud
@@ -107,7 +121,6 @@ ack-ram-tool rrsa associate-role -c --create-role-if-not-exist -r
```
+
Additional information may be available in the provider logs:
+
```shell
kubectl -n get pods
kubectl -n logs pod/
```
+
Where **<PODID>** in this case is the id of the *csi-secrets-store-provider-alibabacloud* pod.
### SecretProviderClass options
+
The SecretProviderClass has the following format:
+
```yaml
-apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
+apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name:
@@ -184,33 +206,35 @@ spec:
provider: alibabacloud # please using fixed value 'alibabacloud'
parameters:
```
+
The parameters section contains the details of the mount request and contain one of the three fields:
+
* objects: This is a string containing a YAML declaration (described below) of the secrets to be mounted, For example:
- ```yaml
- parameters:
- objects: |
- - objectName: "MySecret"
- ```
+ ```yaml
+ parameters:
+ objects: |
+ - objectName: "MySecret"
+ objectType: "kms" # support kms and oos, default is kms
+ ```
* region: An optional field to specify the Alibaba Cloud region to use when retrieving secrets from Secrets Manage. If this field is missing, the provider will lookup the region from the annotation on the node. This lookup adds overhead to mount requests so clusters using large numbers of pods will benefit from providing the region here.
* pathTranslation: An optional field to specify a substitution character to use when the path separator character (slash on Linux) is used in the file name. If a Secret or parameter name contains the path separator failures will occur when the provider tries to create a mounted file using the name. When not specified the underscore character is used, thus My/Path/Secret will be mounted as My_Path_Secret. This pathTranslation value can either be the string "False" or a single character string. When set to "False", no character substitution is performed.
The objects field of the SecretProviderClass can contain the following sub-fields:
-* objectName: This field is required. It specifies the name of the secret or parameter to be fetched. For Secrets Manager this is the [SecretName](https://www.alibabacloud.com/help/en/key-management-service/latest/getsecretvalue#parameters) parameter and can be either the friendly name or full ARN of the secret.
+* objectName: This field is required. It specifies the name of the secret or parameter to be fetched. For Secrets Manager this is the [SecretName](https://www.alibabacloud.com/help/en/key-management-service/latest/getsecretvalue#parameters) parameter and can be either the friendly name or full ARN of the secret.
+* objectType: This optional field specifies the type of secret. Support `kms` and `oos`, defaults is `kms`.
* objectAlias: This optional field specifies the file name under which the secret will be mounted. When not specified the file name defaults to objectName.
-
-* objectVersion: This field is optional, and generally not recommended since updates to the secret require updating this field. For Secrets Manager this is the [VersionId](https://www.alibabacloud.com/help/en/key-management-service/latest/getsecretvalue#parameters).
-
-* objectVersionLabel: This optional fields specifies the alias used for the version. Most applications should not use this field since the most recent version of the secret is used by default. For Secrets Manager this is the [VersionStage](https://www.alibabacloud.com/help/en/key-management-service/latest/getsecretvalue#parameters).
-
+* objectVersion: This field is optional, only for kms secret, and generally not recommended since updates to the secret require updating this field. For Secrets Manager this is the [VersionId](https://www.alibabacloud.com/help/en/key-management-service/latest/getsecretvalue#parameters).
+* objectVersionLabel: This optional fields specifies the alias used for the version, only for kms secret. Most applications should not use this field since the most recent version of the secret is used by default. For Secrets Manager this is the [VersionStage](https://www.alibabacloud.com/help/en/key-management-service/latest/getsecretvalue#parameters).
* jmesPath: This optional field specifies the specific key-value pairs to extract from a JSON-formatted secret. You can use this field to mount key-value pairs from a properly formatted secret value as individual secrets. For example: Consider a secret "test" with JSON content as follows:
- ```shell
- {
- "username": "testuser",
- "password": "testpassword"
- }
- ```
+ ```shell
+ {
+ "username": "testuser",
+ "password": "testpassword"
+ }
+ ```
+
To mount the username and password key pairs of this secret as individual secrets, use the jmesPath field as follows:
```yaml:
@@ -222,16 +246,34 @@ The objects field of the SecretProviderClass can contain the following sub-field
- path: "password"
objectAlias: "MySecretPassword"
```
+
If you use the jmesPath field, you must provide the following two sub-fields:
+
* path: This required field is the [JMES path](https://jmespath.org/specification.html) to use for retrieval
* objectAlias: This required field specifies the file name under which the key-value pair secret will be mounted.
+**Tips**
+If there is a special scene that requires the same objectName of the object (like the following example, kms and oos have the same secret name), then you need to set different objectAlias of the object, otherwise all the secrets of the previous object mount will be overwritten by the last one.
+
+```yaml
+ parameters:
+ objects: |
+ - objectName: "MySecret"
+ objectType: "kms"
+ objectAlias: "MySecretKMS"
+ - objectName: "MySecret"
+ objectType: "oos"
+ objectAlias: "MySecretOOS"
+```
+
## Additional Considerations
### Rotation
+
When using the optional alpha [rotation reconciler](https://secrets-store-csi-driver.sigs.k8s.io/topics/secret-auto-rotation.html) feature of the Secrets Store CSI driver the driver will periodically remount the secrets in the SecretProviderClass. This will cause additional API calls which results in additional charges. Applications should use a reasonable poll interval that works with their rotation strategy. A one hour poll interval is recommended as a default to reduce excessive API costs.
Anyone wishing to test out the rotation reconciler feature can enable it using helm:
+
```bash
helm upgrade -n csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver --set enableSecretRotation=true --set rotationPollInterval=60s
```
@@ -246,11 +288,15 @@ When evaluating this plugin consider the following threats:
- When a secret is consumed through **environment variables**, misconfigurations such as enabling a debug endpoint or including dependencies that log process environment details may leak secrets.
- When **syncing** secret material to another data store (like Kubernetes Secrets), consider whether the access controls on that data store are sufficiently narrow in scope.
-For these reasons, *when possible* we recommend using the [Secrets Manager API](https://www.alibabacloud.com/help/en/key-management-service/latest/secrets) directly.
+For these reasons, *when possible* we recommend using the Alibaba Cloud Service API directly.
+
+- [Key Management Service API](https://www.alibabacloud.com/help/en/kms/key-management-service/developer-reference/api-getsecretvalue)
+- [Encrypt Parameter API](https://www.alibabacloud.com/help/en/oos/developer-reference/api-oos-2019-06-01-getsecretparameter)
## Security
+
Please report vulnerabilities by email to **kubernetes-security@service.aliyun.com**. Also see our [SECURITY.md](./SECURITY.md) file for details.
## License
-This project is licensed under the Apache-2.0 License.
\ No newline at end of file
+This project is licensed under the Apache-2.0 License.
diff --git a/charts/csi-secrets-store-provider-alibabacloud-0.3.0.tgz b/charts/csi-secrets-store-provider-alibabacloud-0.3.0.tgz
new file mode 100644
index 0000000..885506f
Binary files /dev/null and b/charts/csi-secrets-store-provider-alibabacloud-0.3.0.tgz differ
diff --git a/charts/csi-secrets-store-provider-alibabacloud/Chart.yaml b/charts/csi-secrets-store-provider-alibabacloud/Chart.yaml
index bdddf63..ed15b76 100644
--- a/charts/csi-secrets-store-provider-alibabacloud/Chart.yaml
+++ b/charts/csi-secrets-store-provider-alibabacloud/Chart.yaml
@@ -1,14 +1,19 @@
apiVersion: v1
name: csi-secrets-store-provider-alibabacloud
-version: 0.2.0
-appVersion: 0.2.0
+version: 0.3.0
+appVersion: 0.3.0
kubeVersion: ">=1.16.0-0"
-description: A Helm chart to install the Secrets Store CSI Driver and the Alibaba Cloud KMS Secret Manager Provider inside a Kubernetes cluster.
+description: A Helm chart to install the Secrets Store CSI Driver, the Alibaba Cloud KMS Secret Manager and OOS Eencrypted Parameter Provider inside a Kubernetes cluster.
sources:
- https://github.com/AliyunContainerService/secrets-store-csi-driver-provider-alibabacloud
home: https://github.com/AliyunContainerService/secrets-store-csi-driver-provider-alibabacloud
+keywords:
+ - releaseName:csi-secrets-store-provider-alibabacloud
+ - arch:amd64
+ - namespace:kube-system
+ - supportType:ExternalKubernetes,Kubernetes,ManagedKubernetes
dependencies:
-- name: secrets-store-csi-driver
- repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
- version: 1.3.4
- condition: secrets-store-csi-driver.install
\ No newline at end of file
+ - name: secrets-store-csi-driver
+ repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
+ version: 1.4.6
+ condition: secrets-store-csi-driver.install
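Review bot: The new description misspells "Encrypted" as `Eencrypted`; this string is surfaced by `helm search` and chart registries, so it should read `description: A Helm chart to install the Secrets Store CSI Driver, the Alibaba Cloud KMS Secret Manager and OOS Encrypted Parameter Provider inside a Kubernetes cluster.` The same misspelling appears in the intro sentence of the chart README hunk below. The dependency is bumped from 1.3.4 to 1.4.6, but the parameter table in the top-level README still documents the driver image tag default as `v1.3.4`; if values.yaml was bumped alongside the dependency (not visible here), that table row should follow.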
diff --git a/charts/csi-secrets-store-provider-alibabacloud/README.md b/charts/csi-secrets-store-provider-alibabacloud/README.md
index 92ccb75..05d3a6d 100644
--- a/charts/csi-secrets-store-provider-alibabacloud/README.md
+++ b/charts/csi-secrets-store-provider-alibabacloud/README.md
@@ -1,8 +1,6 @@
-
-
# Alibaba Cloud Secrets Manager for Secret Store CSI Driver
-Alibaba Cloud Secrets Manager provider for Secrets Store CSI driver allows you to get secret contents stored in [Alibaba Cloud Secrets Manager](https://www.alibabacloud.com/help/en/key-management-service/latest/secrets-manager-overview) and use the Secrets Store CSI driver interface to mount them into Kubernetes pods.
+Alibaba Cloud Secrets Manager provider for Secrets Store CSI driver allows you to get secret contents stored in [Alibaba Cloud Secrets Manager](https://www.alibabacloud.com/help/en/key-management-service/latest/secrets-manager-overview) or [Alibaba Cloud OOS Eencrypted Parameter](https://www.alibabacloud.com/help/en/oos/getting-started/manage-encryption-parameters), and use the Secrets Store CSI driver interface to mount them into Kubernetes pods.
### Prerequisites
@@ -24,82 +22,98 @@ The following table lists the configurable parameters of the csi-secrets-store-p
> Refer to [doc](https://github.com/kubernetes-sigs/secrets-store-csi-driver/tree/master/charts/secrets-store-csi-driver/README.md) for configurable parameters of the secrets-store-csi-driver chart.
-| Parameter | Description | Default |
-| ------------------------------------------------------------ | ------------------------------------------------------------ |-------------------------------------------------------------------------------------------------|
-| `nameOverride` | String to partially override csi-secrets-store-provider-alibabacloud.fullname template with a string (will prepend the release name) | `""` |
-| `fullnameOverride` | String to fully override csi-secrets-store-provider-alibabacloud.fullname template with a string | `""` |
-| `imagePullSecrets` | Secrets to be used when pulling images | `[]` |
-| `logFormatJSON` | Use JSON logging format | `false` |
-| `logVerbosity` | Log level. Uses V logs (klog) | `0` |
-| `envVarsFromSecret.ACCESS_KEY_ID` | Set the ACCESS_KEY_ID variable to specify the credential RAM AK for building SDK client, which needs to be defined in the secret named **alibaba-credentials** | |
-| `envVarsFromSecret.SECRET_ACCESS_KEY` | Set the SECRET_ACCESS_KEY variable to specify the credential RAM SK for building SDK client, which needs to be defined in the secret named **alibaba-credentials** | |
-| `envVarsFromSecret.ALICLOUD_ROLE_ARN` | Set the ALICLOUD_ROLE_ARN variable to specify the RAM role ARN for building SDK client, which needs to be defined in the secret named **alibaba-credentials** | |
-| `envVarsFromSecret.ALICLOUD_ROLE_SESSION_NAME` | Set the ALICLOUD_ROLE_SESSION_NAME variable to specify the RAM role session name for building SDK client, which needs to be defined in the secret named **alibaba-credentials** | |
-| `envVarsFromSecret.ALICLOUD_ROLE_SESSION_EXPIRATION` | Set the ALICLOUD_ROLE_SESSION_NAME variable to specify the RAM role session expiration for building SDK client, which needs to be defined in the secret named **alibaba-credentials** | |
-| `envVarsFromSecret. ALICLOUD_OIDC_PROVIDER_ARN` | Set the ALICLOUD_OIDC_PROVIDER_ARN variable to specify the RAM OIDC provider arn for building SDK client, which needs to be defined in the secret named **alibaba-credentials** | |
-| `envVarsFromSecret.ALICLOUD_OIDC_TOKEN_FILE` | Set the ALICLOUD_OIDC_TOKEN_FILE variable to specify the serviceaccount OIDC token file path for building SDK client, which needs to be defined in the secret named **alibaba-credentials** | |
-| rrsa.enable | Enable RRSA feature, default is false,when enalbe, you need to configure the parametes of `ALICLOUD_ROLE_ARN` and `ALICLOUD_OIDC_PROVIDER_ARN` in `envVarsFromSecret` | false |
-| `linux.enabled` | Install alibabacloud keyvault provider on linux nodes | true |
-| `linux.image.repository` | Linux image repository | `registry.cn-hangzhou.aliyuncs.com/acs/secrets-store-csi-driver-provider-alibaba-cloud` |
-| `linux.image.pullPolicy` | Linux image pull policy | `Always` |
-| `linux.image.tag` | Alibaba Cloud Secrets Manager Provider Linux image tag | `v1.1.0` |
-| `linux.nodeSelector` | Node Selector for the daemonset on linux nodes | `{}` |
-| `linux.tolerations` | Tolerations for the daemonset on linux nodes | `{}` |
-| `linux.resources` | Resource limit for provider pods on linux nodes | `requests.cpu: 50m`
`requests.memory: 100Mi`
`limits.cpu: 100m`
`limits.memory: 500Mi` |
-| `linux.podLabels` | Additional pod labels | `{}` |
-| `linux.podAnnotations` | Additional pod annotations | `{}` |
-| `linux.priorityClassName` | Indicates the importance of a Pod relative to other Pods. | `""` |
-| `linux.updateStrategy` | Configure a custom update strategy for the daemonset on linux nodes | `RollingUpdate with 1 maxUnavailable` |
-| `linux.healthzPort` | port for health check | `"8989"` |
-| `linux.healthzPath` | path for health check | `"/healthz"` |
-| `linux.healthzTimeout` | RPC timeout for health check | `"5s"` |
-| `linux.volumes` | Additional volumes to create for the KeyVault provider pods. | `[]` |
-| `linux.volumeMounts` | Additional volumes to mount on the KeyVault provider pods. | `[]` |
-| `linux.affinity` | Configures affinity for provider pods on linux nodes | Match expression `type NotIn virtual-kubelet` |
-| `linux.kubeletRootDir` | Configure the kubelet root dir | `/var/lib/kubelet` |
-| `linux.providersDir` | Configure the providers root dir | `/var/run/secrets-store-csi-providers` |
-| `secrets-store-csi-driver.install` | Install secrets-store-csi-driver with this chart | true |
-| `secrets-store-csi-driver.fullnameOverride` | String to fully override secrets-store-csi-driver.fullname template with a string | `secrets-store-csi-driver` |
-| `secrets-store-csi-driver.linux.enabled` | Install secrets-store-csi-driver on linux nodes | true |
-| `secrets-store-csi-driver.linux.image.repository` | Driver Linux image repository | ` registry.cn-hangzhou.aliyuncs.com/acs/csi-secrets-store-driver` |
-| `secrets-store-csi-driver.linux.image.pullPolicy` | Driver Linux image pull policy | `Always` |
-| `secrets-store-csi-driver.linux.image.tag` | Driver Linux image tag | `v1.3.4` |
-| `secrets-store-csi-driver.linux.livenessProbeImage.repository` | Linux liveness-probe image repository | `registry.cn-hangzhou.aliyuncs.com/acs/csi-secrets-store-livenessprobe` |
-| `secrets-store-csi-driver.linux.livenessProbeImage.pullPolicy` | Linux liveness-probe image pull policy | `Always` |
-| `secrets-store-csi-driver.linux.livenessProbeImage.tag` | Linux liveness-probe image tag | `v2.10.0` |
-| `secrets-store-csi-driver.linux.registrarImage.repository` | Linux node-driver-registrar image repository | `registry.cn-hangzhou.aliyuncs.com/acs/csi-node-driver-registrar` |
-| `secrets-store-csi-driver.linux.registrarImage.pullPolicy` | Linux node-driver-registrar image pull policy | `Always` |
-| `secrets-store-csi-driver.linux.registrarImage.tag` | Linux node-driver-registrar image tag | `v2.8.0` |
-| `secrets-store-csi-driver.enableSecretRotation` | Enable secret rotation feature [alpha] | `false` |
-| `secrets-store-csi-driver.rotationPollInterval` | Secret rotation poll interval duration | `2m` |
-| `secrets-store-csi-driver.filteredWatchSecret` | Enable filtered watch for NodePublishSecretRef secrets with label `secrets-store.csi.k8s.io/used=true`. Refer to [doc](https://secrets-store-csi-driver.sigs.k8s.io/load-tests.html) for more details | `true` |
-| `secrets-store-csi-driver.syncSecret.enabled` | Enable rbac roles and bindings required for syncing to Kubernetes native secrets | `false` |
-| `rbac.install` | Install default service account | true |
+| Parameter | Description | Default |
+| ---------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------- |
+| `nameOverride` | String to partially override csi-secrets-store-provider-alibabacloud.fullname template with a string (will prepend the release name) | `""` |
+| `fullnameOverride` | String to fully override csi-secrets-store-provider-alibabacloud.fullname template with a string | `""` |
+| `imagePullSecrets` | Secrets to be used when pulling images | `[]` |
+| `logFormatJSON` | Use JSON logging format | `false` |
+| `logVerbosity` | Log level. Uses V logs (klog) | `0` |
+| `envVarsFromSecret.ACCESS_KEY_ID` | Set the ACCESS_KEY_ID variable to specify the credential RAM AK for building SDK client, which needs to be defined in the secret named**alibaba-credentials** | |
+| `envVarsFromSecret.SECRET_ACCESS_KEY` | Set the SECRET_ACCESS_KEY variable to specify the credential RAM SK for building SDK client, which needs to be defined in the secret named**alibaba-credentials** | |
+| `envVarsFromSecret.ALICLOUD_ROLE_ARN` | Set the ALICLOUD_ROLE_ARN variable to specify the RAM role ARN for building SDK client, which needs to be defined in the secret named**alibaba-credentials** | |
+| `envVarsFromSecret.ALICLOUD_ROLE_SESSION_NAME` | Set the ALICLOUD_ROLE_SESSION_NAME variable to specify the RAM role session name for building SDK client, which needs to be defined in the secret named**alibaba-credentials** | |
+| `envVarsFromSecret.ALICLOUD_ROLE_SESSION_EXPIRATION` | Set the ALICLOUD_ROLE_SESSION_NAME variable to specify the RAM role session expiration for building SDK client, which needs to be defined in the secret named**alibaba-credentials** | |
+| `envVarsFromSecret. ALICLOUD_OIDC_PROVIDER_ARN` | Set the ALICLOUD_OIDC_PROVIDER_ARN variable to specify the RAM OIDC provider arn for building SDK client, which needs to be defined in the secret named**alibaba-credentials** | |
+| `envVarsFromSecret.ALICLOUD_OIDC_TOKEN_FILE` | Set the ALICLOUD_OIDC_TOKEN_FILE variable to specify the serviceaccount OIDC token file path for building SDK client, which needs to be defined in the secret named**alibaba-credentials** | |
+| `rrsa.enable` | Enable RRSA feature, default is false,when enalbe, you need to configure the parametes of `ALICLOUD_ROLE_ARN` and `ALICLOUD_OIDC_PROVIDER_ARN` in `envVarsFromSecret` | false |
+| `linux.enabled` | Install alibabacloud provider on linux nodes | true |
+| `linux.image.repository` | Linux image repository | `registry.cn-hangzhou.aliyuncs.com/acs/secrets-store-csi-driver-provider-alibaba-cloud` |
+| `linux.image.pullPolicy` | Linux image pull policy | `Always` |
+| `linux.image.tag` | Alibaba Cloud Secrets Manager Provider Linux image tag | `v1.1.0` |
+| `linux.nodeSelector` | Node Selector for the daemonset on linux nodes | `{}` |
+| `linux.tolerations` | Tolerations for the daemonset on linux nodes | `{}` |
+| `linux.resources` | Resource limit for provider pods on linux nodes | `requests.cpu: 50m
``requests.memory: 100Mi
``limits.cpu: 100m
``limits.memory: 500Mi` |
+| `linux.podLabels` | Additional pod labels | `{}` |
+| `linux.podAnnotations` | Additional pod annotations | `{}` |
+| `linux.priorityClassName` | Indicates the importance of a Pod relative to other Pods. | `""` |
+| `linux.updateStrategy` | Configure a custom update strategy for the daemonset on linux nodes | `RollingUpdate with 1 maxUnavailable` |
+| `linux.healthzPort` | port for health check | `"8989"` |
+| `linux.healthzPath` | path for health check | `"/healthz"` |
+| `linux.healthzTimeout` | RPC timeout for health check | `"5s"` |
+| `linux.volumes` | Additional volumes to create for the provider pods. | `[]` |
+| `linux.volumeMounts` | Additional volumes to mount on the provider pods. | `[]` |
+| `linux.affinity` | Configures affinity for provider pods on linux nodes | Match expression `type NotIn virtual-kubelet` |
+| `linux.kubeletRootDir` | Configure the kubelet root dir | `/var/lib/kubelet` |
+| `linux.providersDir` | Configure the providers root dir | `/var/run/secrets-store-csi-providers` |
+| `secrets-store-csi-driver.install` | Install secrets-store-csi-driver with this chart | true |
+| `secrets-store-csi-driver.fullnameOverride` | String to fully override secrets-store-csi-driver.fullname template with a string | `secrets-store-csi-driver` |
+| `secrets-store-csi-driver.linux.enabled` | Install secrets-store-csi-driver on linux nodes | true |
+| `secrets-store-csi-driver.linux.image.repository` | Driver Linux image repository | ` registry.cn-hangzhou.aliyuncs.com/acs/csi-secrets-store-driver` |
+| `secrets-store-csi-driver.linux.image.pullPolicy` | Driver Linux image pull policy | `Always` |
+| `secrets-store-csi-driver.linux.image.tag` | Driver Linux image tag | `v1.3.4` |
+| `secrets-store-csi-driver.linux.livenessProbeImage.repository` | Linux liveness-probe image repository | `registry.cn-hangzhou.aliyuncs.com/acs/csi-secrets-store-livenessprobe` |
+| `secrets-store-csi-driver.linux.livenessProbeImage.pullPolicy` | Linux liveness-probe image pull policy | `Always` |
+| `secrets-store-csi-driver.linux.livenessProbeImage.tag` | Linux liveness-probe image tag | `v2.10.0` |
+| `secrets-store-csi-driver.linux.registrarImage.repository` | Linux node-driver-registrar image repository | `registry.cn-hangzhou.aliyuncs.com/acs/csi-node-driver-registrar` |
+| `secrets-store-csi-driver.linux.registrarImage.pullPolicy` | Linux node-driver-registrar image pull policy | `Always` |
+| `secrets-store-csi-driver.linux.registrarImage.tag` | Linux node-driver-registrar image tag | `v2.8.0` |
+| `secrets-store-csi-driver.enableSecretRotation` | Enable secret rotation feature [alpha] | `false` |
+| `secrets-store-csi-driver.rotationPollInterval` | Secret rotation poll interval duration | `2m` |
+| `secrets-store-csi-driver.filteredWatchSecret` | Enable filtered watch for NodePublishSecretRef secrets with label `secrets-store.csi.k8s.io/used=true`. Refer to [doc](https://secrets-store-csi-driver.sigs.k8s.io/load-tests.html) for more details | `true` |
+| `secrets-store-csi-driver.syncSecret.enabled` | Enable rbac roles and bindings required for syncing to Kubernetes native secrets | `false` |
+| `rbac.install` | Install default service account | true |
## Usage
-Add your secret data to [Alibaba Cloud Secrets Manager]((https://www.alibabacloud.com/help/en/key-management-service/latest/secrets-manager-overview)) with aliyun CLI tool, firstly use `aliyun configure` to set your credentials and default region info.
+- KMS Secrets Manager
+ Add your secret data to [Alibaba Cloud Secrets Manager](https://www.alibabacloud.com/help/en/key-management-service/latest/secrets-manager-overview) with aliyun CLI tool, firstly use `aliyun configure` to set your credentials and default region info.
+ Now create a test secret:
-Now create a test secret:
+ ```shell
+ aliyun kms CreateSecret --SecretName test-kms --SecretData 1234 --VersionId v1
+ ```
-```shell
-aliyun kms CreateSecret --SecretName test --SecretData 1234 --VersionId v1
-```
-Create an access policy for the pod scoped down to just the secrets it should have :
-```shell
-aliyun ram CreatePolicy --PolicyName kms-test --PolicyDocument '{"Statement": [{"Effect": "Allow","Action": "kms:GetSecretValue","Resource": "acs:kms:{region-id}:{aliyun-uid}:secret/test"}],"Version": "1"}'
-```
+ Create an access policy for the pod scoped down to just the secrets it should have :
+
+ ```shell
+ aliyun ram CreatePolicy --PolicyName kms-test --PolicyDocument '{"Statement": [{"Effect": "Allow","Action": ["kms:GetSecretValue", "kms:Decrypt"],"Resource": "acs:kms:{region-id}:{aliyun-uid}:secret/test-kms"}],"Version": "1"}'
+ ```
+- OOS Secret Parameter
+ Add your secret data to [Alibaba Cloud OOS Eencrypted Parameter](https://www.alibabacloud.com/help/en/oos/getting-started/manage-encryption-parameters) with aliyun CLI tool, firstly use `aliyun configure` to set your credentials and default region info.
+ Now create a test secret:
+
+ ```shell
+ aliyun oos CreateSecretParameter --Value SecretParameter --Name test-oos
+ ```
+
+ Create an access policy for the pod scoped down to just the secrets it should have :
+
+ ```shell
+ aliyun ram CreatePolicy --PolicyName oos-test --PolicyDocument '{"Statement": [{"Effect": "Allow","Action": ["oos:GetSecretParameter"],"Resource": "acs:oos:{region-id}:{aliyun-uid}:secretparameter/test-oos"}],"Version": "1"}'
+ ```
### Enable [RRSA](https://www.alibabacloud.com/help/zh/container-service-for-kubernetes/latest/use-rrsa-to-enforce-access-control#section-ywl-59g-j8h) feature
-RAM Roles for Service Accounts (RRSA) is the recommended secure authentication method for obtaining secrets in Alibaba Cloud Secrets Manager. For the configuration, please refer to the following steps:
+RAM Roles for Service Accounts (RRSA) is the recommended secure authentication method for obtaining secrets in Alibaba Cloud Secrets Manager and OOS Eencrypted Parameter. For the configuration, please refer to the following steps:
1. Create the RAM OIDC provider for the cluster with [ack-ram-tool](https://github.com/AliyunContainerService/ack-ram-tool) or reference [RRSA](https://www.alibabacloud.com/help/zh/container-service-for-kubernetes/latest/use-rrsa-to-enforce-access-control#section-ywl-59g-j8h) doc if you have not already done so:
```shell
ack-ram-tool rrsa enable -c
```
-2. Next create the service account to be used by the pod and associate the above kms RAM policy with that service account. Here we use [ack-ram-tool](https://github.com/AliyunContainerService/ack-ram-tool) CLI to simplify the steps of RAM role creation and authorization:
+
+2. Next create the service account to be used by the pod, and associate the above RAM policy based on the product to synchronize with that service account. Here we use [ack-ram-tool](https://github.com/AliyunContainerService/ack-ram-tool) CLI to simplify the steps of RAM role creation and authorization:
```shell
ack-ram-tool rrsa associate-role -c --create-role-if-not-exist -r -n -s csi-secrets-store-provider-alibabacloud
@@ -107,7 +121,6 @@ ack-ram-tool rrsa associate-role -c --create-role-if-not-exist -r
```
+
Additional information may be available in the provider logs:
+
```shell
kubectl -n get pods
kubectl -n logs pod/
```
+
Where **<PODID>** in this case is the id of the *csi-secrets-store-provider-alibabacloud* pod.
### SecretProviderClass options
+
The SecretProviderClass has the following format:
+
```yaml
-apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
+apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name:
@@ -184,33 +206,35 @@ spec:
provider: alibabacloud # please using fixed value 'alibabacloud'
parameters:
```
+
The parameters section contains the details of the mount request and contain one of the three fields:
+
* objects: This is a string containing a YAML declaration (described below) of the secrets to be mounted, For example:
- ```yaml
- parameters:
- objects: |
- - objectName: "MySecret"
- ```
-* region: An optional field to specify the Alibaba Cloud region to use when retrieving secrets from Secrets Manager or Parameter Store. If this field is missing, the provider will lookup the region from the annotation on the node. This lookup adds overhead to mount requests so clusters using large numbers of pods will benefit from providing the region here.
+ ```yaml
+ parameters:
+ objects: |
+ - objectName: "MySecret"
+ objectType: "kms" # support kms and oos, default is kms
+ ```
+* region: An optional field to specify the Alibaba Cloud region to use when retrieving secrets from Secrets Manage. If this field is missing, the provider will lookup the region from the annotation on the node. This lookup adds overhead to mount requests so clusters using large numbers of pods will benefit from providing the region here.
* pathTranslation: An optional field to specify a substitution character to use when the path separator character (slash on Linux) is used in the file name. If a Secret or parameter name contains the path separator failures will occur when the provider tries to create a mounted file using the name. When not specified the underscore character is used, thus My/Path/Secret will be mounted as My_Path_Secret. This pathTranslation value can either be the string "False" or a single character string. When set to "False", no character substitution is performed.
The objects field of the SecretProviderClass can contain the following sub-fields:
-* objectName: This field is required. It specifies the name of the secret or parameter to be fetched. For Secrets Manager this is the [SecretName](https://www.alibabacloud.com/help/en/key-management-service/latest/getsecretvalue#parameters) parameter and can be either the friendly name or full ARN of the secret.
+* objectName: This field is required. It specifies the name of the secret or parameter to be fetched. For Secrets Manager this is the [SecretName](https://www.alibabacloud.com/help/en/key-management-service/latest/getsecretvalue#parameters) parameter and can be either the friendly name or full ARN of the secret.
+* objectType: This optional field specifies the type of secret. Support `kms` and `oos`, defaults to `kms`.
* objectAlias: This optional field specifies the file name under which the secret will be mounted. When not specified the file name defaults to objectName.
-
-* objectVersion: This field is optional, and generally not recommended since updates to the secret require updating this field. For Secrets Manager this is the [VersionId](https://www.alibabacloud.com/help/en/key-management-service/latest/getsecretvalue#parameters).
-
-* objectVersionLabel: This optional fields specifies the alias used for the version. Most applications should not use this field since the most recent version of the secret is used by default. For Secrets Manager this is the [VersionStage](https://www.alibabacloud.com/help/en/key-management-service/latest/getsecretvalue#parameters).
-
+* objectVersion: This field is optional, only for kms secret, and generally not recommended since updates to the secret require updating this field. For Secrets Manager this is the [VersionId](https://www.alibabacloud.com/help/en/key-management-service/latest/getsecretvalue#parameters).
+* objectVersionLabel: This optional fields specifies the alias used for the version, only for kms secret. Most applications should not use this field since the most recent version of the secret is used by default. For Secrets Manager this is the [VersionStage](https://www.alibabacloud.com/help/en/key-management-service/latest/getsecretvalue#parameters).
* jmesPath: This optional field specifies the specific key-value pairs to extract from a JSON-formatted secret. You can use this field to mount key-value pairs from a properly formatted secret value as individual secrets. For example: Consider a secret "test" with JSON content as follows:
- ```shell
- {
- "username": "testuser",
- "password": "testpassword"
- }
- ```
+ ```shell
+ {
+ "username": "testuser",
+ "password": "testpassword"
+ }
+ ```
+
To mount the username and password key pairs of this secret as individual secrets, use the jmesPath field as follows:
```yaml:
@@ -222,16 +246,33 @@ The objects field of the SecretProviderClass can contain the following sub-field
- path: "password"
objectAlias: "MySecretPassword"
```
+
If you use the jmesPath field, you must provide the following two sub-fields:
+
* path: This required field is the [JMES path](https://jmespath.org/specification.html) to use for retrieval
* objectAlias: This required field specifies the file name under which the key-value pair secret will be mounted.
+**Tips**
+If there is a special scene that requires the same objectName of the object (like the following example, kms and oos have the same secret name), then you need to set different objectAlias of the object, otherwise all the secrets of the previous object mount will be overwritten by the last one.
+```yaml
+ parameters:
+ objects: |
+ - objectName: "MySecret"
+ objectType: "kms"
+ objectAlias: "MySecretKMS"
+ - objectName: "MySecret"
+ objectType: "oos"
+ objectAlias: "MySecretOOS"
+```
+
## Additional Considerations
### Rotation
+
When using the optional alpha [rotation reconciler](https://secrets-store-csi-driver.sigs.k8s.io/topics/secret-auto-rotation.html) feature of the Secrets Store CSI driver the driver will periodically remount the secrets in the SecretProviderClass. This will cause additional API calls which results in additional charges. Applications should use a reasonable poll interval that works with their rotation strategy. A one hour poll interval is recommended as a default to reduce excessive API costs.
Anyone wishing to test out the rotation reconciler feature can enable it using helm:
+
```bash
helm upgrade -n csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver --set enableSecretRotation=true --set rotationPollInterval=60s
```
@@ -246,8 +287,11 @@ When evaluating this plugin consider the following threats:
- When a secret is consumed through **environment variables**, misconfigurations such as enabling a debug endpoint or including dependencies that log process environment details may leak secrets.
- When **syncing** secret material to another data store (like Kubernetes Secrets), consider whether the access controls on that data store are sufficiently narrow in scope.
-For these reasons, *when possible* we recommend using the [Secrets Manager API](https://www.alibabacloud.com/help/en/key-management-service/latest/secrets) directly.
+For these reasons, *when possible* we recommend using the Alibaba Cloud Service API directly.
+
+- [Key Management Service API](https://www.alibabacloud.com/help/en/kms/key-management-service/developer-reference/api-getsecretvalue)
+- [Encrypt Parameter API](https://www.alibabacloud.com/help/en/oos/developer-reference/api-oos-2019-06-01-getsecretparameter)
## License
-This project is licensed under the Apache-2.0 License.
\ No newline at end of file
+This project is licensed under the Apache-2.0 License.
diff --git a/charts/csi-secrets-store-provider-alibabacloud/charts/secrets-store-csi-driver-1.3.3.tgz b/charts/csi-secrets-store-provider-alibabacloud/charts/secrets-store-csi-driver-1.3.3.tgz
deleted file mode 100644
index 50979c8..0000000
Binary files a/charts/csi-secrets-store-provider-alibabacloud/charts/secrets-store-csi-driver-1.3.3.tgz and /dev/null differ
diff --git a/charts/csi-secrets-store-provider-alibabacloud/charts/secrets-store-csi-driver-1.4.6.tgz b/charts/csi-secrets-store-provider-alibabacloud/charts/secrets-store-csi-driver-1.4.6.tgz
new file mode 100644
index 0000000..7347396
Binary files /dev/null and b/charts/csi-secrets-store-provider-alibabacloud/charts/secrets-store-csi-driver-1.4.6.tgz differ
diff --git a/charts/csi-secrets-store-provider-alibabacloud/requirements.lock b/charts/csi-secrets-store-provider-alibabacloud/requirements.lock
index 2fac350..5106725 100644
--- a/charts/csi-secrets-store-provider-alibabacloud/requirements.lock
+++ b/charts/csi-secrets-store-provider-alibabacloud/requirements.lock
@@ -1,6 +1,6 @@
dependencies:
- name: secrets-store-csi-driver
repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
- version: 1.1.2
-digest: sha256:543dde1cbada9fd6b4851ae330a536d65e0041c966188d70db27bb7eecbbcbc1
-generated: "2022-09-29T11:11:26.118364+08:00"
+ version: 1.4.6
+digest: sha256:4cca22eafe8fdf6595262f23d7a7b0fef387973298772dc51c618a064c1b0a5e
+generated: "2024-11-27T16:22:06.8520173+08:00"
diff --git a/charts/csi-secrets-store-provider-alibabacloud/values.yaml b/charts/csi-secrets-store-provider-alibabacloud/values.yaml
index a929008..8eea216 100644
--- a/charts/csi-secrets-store-provider-alibabacloud/values.yaml
+++ b/charts/csi-secrets-store-provider-alibabacloud/values.yaml
@@ -1,6 +1,3 @@
-nameOverride: ""
-fullnameOverride: ""
-
# One or more secrets to be used when pulling images
imagePullSecrets: []
# - name: myRegistryKeySecretName
@@ -8,10 +5,12 @@ imagePullSecrets: []
# log level. Uses V logs (klog)
logVerbosity: 0
+regionId: __ACK_REGION_ID__
+
linux:
image:
- repository: registry.cn-hangzhou.aliyuncs.com/acs/secrets-store-csi-driver-provider-alibaba-cloud
- tag: v0.1.0
+ repository: registry.__ACK_REGION_ID__.aliyuncs.com/acs/secrets-store-csi-driver-provider-alibaba-cloud
+ tag: v0.3.0
pullPolicy: Always
nodeSelector: {}
tolerations: []
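Review bot: The new `regionId: __ACK_REGION_ID__` value and the `registry.__ACK_REGION_ID__.aliyuncs.com/...` repository a few lines above are publish-time placeholders, and nothing in this hunk or in the chart README touched by this same diff documents them — the README parameter table still gives `registry.cn-hangzhou.aliyuncs.com/...` as the repository default and has no `regionId` row at all. Underscores are not permitted in the registry host of an image reference, so a plain `helm install` from the chart source, without whatever tooling substitutes the token, should be expected to fail image pulls rather than fall back to a region. Presumably the ACK app-catalog pipeline rewrites the token before the chart is served; if so, state that where the value lives, e.g. `# __ACK_REGION_ID__ is substituted at publish time; when installing from source set regionId and every *.image.repository explicitly`, and add a `regionId` row to the README table.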
@@ -40,11 +39,11 @@ linux:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- - matchExpressions:
- - key: type
- operator: NotIn
- values:
- - virtual-kubelet
+ - matchExpressions:
+ - key: type
+ operator: NotIn
+ values:
+ - virtual-kubelet
## Configuration values for the secrets-store-csi-driver dependency.
## ref: https://github.com/kubernetes-sigs/secrets-store-csi-driver/tree/master/charts/secrets-store-csi-driver/README.md
@@ -59,24 +58,29 @@ secrets-store-csi-driver:
kubeletRootDir: /var/lib/kubelet
metricsAddr: ":8080"
image:
- repository: registry.cn-hangzhou.aliyuncs.com/acs/csi-secrets-store-driver
- tag: v1.3.4
+ repository: registry.__ACK_REGION_ID__.aliyuncs.com/acs/csi-secrets-store-driver
+ tag: v1.4.6
pullPolicy: Always
providersDir: /var/run/secrets-store-csi-providers
registrarImage:
- repository: registry.cn-hangzhou.aliyuncs.com/acs/csi-node-driver-registrar
- tag: v2.8.0
+ repository: registry.__ACK_REGION_ID__.aliyuncs.com/acs/csi-node-driver-registrar
+ tag: v2.11.1
pullPolicy: Always
livenessProbeImage:
- repository: registry.cn-hangzhou.aliyuncs.com/acs/csi-secrets-store-livenessprobe
- tag: v2.10.0
+ repository: registry.__ACK_REGION_ID__.aliyuncs.com/acs/csi-secrets-store-livenessprobe
+ tag: v2.13.1
pullPolicy: Always
+ crds:
+ image:
+ repository: registry.__ACK_REGION_ID__.aliyuncs.com/acs/csi-secrets-store-driver-crds
+ tag: v1.4.6
+ pullPolicy: Always
enableSecretRotation: false
rotationPollInterval: 2m
# Refer to https://secrets-store-csi-driver.sigs.k8s.io/load-tests.html for more details on actions to take before enabling this feature
filteredWatchSecret: true
-
+
syncSecret:
enabled: false
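Review bot: The image tags bumped here (`v1.4.6`, `v2.11.1`, `v2.13.1`) and the newly added `crds.image` block are not reflected in the chart README changed by this same diff, which still lists `v1.3.4`, `v2.8.0` and `v2.10.0` as the defaults and has no row for the CRDs image. Every image also keeps `pullPolicy: Always` against a mutable tag, so for a DaemonSet that hands secret material to every node, a retag on the registry side is picked up silently at the next pod restart; consider pinning by digest where the subchart template allows it, or at minimum add a comment such as `# tags are mutable; pin to a digest for production clusters` next to the image blocks. Keeping the README in step matters here because operators use it to decide what they are running.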
@@ -106,4 +110,4 @@ rrsa:
## Install default service account
rbac:
- install: true
\ No newline at end of file
+ install: true
diff --git a/charts/index.yaml b/charts/index.yaml
index 86dc077..7baa815 100644
--- a/charts/index.yaml
+++ b/charts/index.yaml
@@ -1,9 +1,29 @@
apiVersion: v1
entries:
csi-secrets-store-provider-alibabacloud:
+ - apiVersion: v1
+ appVersion: 0.3.0
+ created: "2024-11-27T16:28:49.3196364+08:00"
+ description: A Helm chart to install the Secrets Store CSI Driver, the Alibaba
+ Cloud KMS Secret Manager and OOS Eencrypted Parameter Provider inside a Kubernetes
+ cluster.
+ digest: 52ff9d0209df271bd5a261ac0a81c6a7086a51b6a98499913ef9d258a27560c4
+ home: https://raw.githubusercontent.com/AliyunContainerService/secrets-store-csi-driver-provider-alibaba-cloud/charts
+ keywords:
+ - releaseName:csi-secrets-store-provider-alibabacloud
+ - arch:amd64
+ - namespace:kube-system
+ - supportType:ExternalKubernetes,Kubernetes,ManagedKubernetes
+ kubeVersion: '>=1.16.0-0'
+ name: csi-secrets-store-provider-alibabacloud
+ sources:
+ - https://github.com/AliyunContainerService/secrets-store-csi-driver-provider-alibaba-cloud
+ urls:
+ - https://raw.githubusercontent.com/AliyunContainerService/secrets-store-csi-driver-provider-alibaba-cloud/main/charts/csi-secrets-store-provider-alibabacloud-0.3.0.tgz
+ version: 0.3.0
- apiVersion: v1
appVersion: 0.2.0
- created: "2023-06-19T15:59:18.815766+08:00"
+ created: "2024-11-27T16:28:49.3175869+08:00"
description: A Helm chart to install the Secrets Store CSI Driver and the Alibaba
Cloud KMS Secret Manager Provider inside a Kubernetes cluster.
digest: 9d26d57d2e551be3ef0c15efcf22e01cad45f6011f970f624ae78c9c1d9a9382
@@ -17,7 +37,7 @@ entries:
version: 0.2.0
- apiVersion: v1
appVersion: 0.1.0
- created: "2023-06-19T15:59:18.811955+08:00"
+ created: "2024-11-27T16:28:49.315417+08:00"
description: A Helm chart to install the Secrets Store CSI Driver and the Alibaba
Cloud KMS Secret Manager Provider inside a Kubernetes cluster.
digest: 94b65d1ede3dc3143d8385ad76446a8140fd50dc0cf8ce85e088aa2c14e83302
@@ -29,4 +49,4 @@ entries:
urls:
- https://raw.githubusercontent.com/AliyunContainerService/secrets-store-csi-driver-provider-alibaba-cloud/main/charts/csi-secrets-store-provider-alibabacloud-0.1.0.tgz
version: 0.1.0
-generated: "2023-06-19T15:59:18.810129+08:00"
+generated: "2024-11-27T16:28:49.3137425+08:00"
diff --git a/examples/secretproviderclass.yaml b/examples/secretproviderclass.yaml
index ceaf9e5..78b9f15 100644
--- a/examples/secretproviderclass.yaml
+++ b/examples/secretproviderclass.yaml
@@ -1,10 +1,13 @@
-apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
+apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: test-secrets
namespace: kube-system
spec:
- provider: alibabacloud # please using fixed value 'alibabacloud'
+ provider: alibabacloud # please using fixed value 'alibabacloud'
parameters:
objects: |
- - objectName: "test"
+ - objectName: "test-kms"
+ objectType: "kms"
+ - objectName: "test-oos"
+ objectType: "oos" # support kms and oos, default is kms
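Review bot: The comment kept on the `provider: alibabacloud` line, `# please using fixed value 'alibabacloud'`, is ungrammatical, and the new `objectType` comment does not say what happens when the key is omitted; suggested wording is `# must be the fixed value 'alibabacloud'` and `objectType: "oos" # one of kms or oos; defaults to kms when omitted`. The first `test-kms` entry could also drop its explicit `objectType: "kms"` to demonstrate the default, or keep it and say so, so that the example shows both forms deliberately. Whether the default is applied by the provider code is not visible in this hunk and should be confirmed against it.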
diff --git a/go.mod b/go.mod
index ae8fccb..e17c26a 100644
--- a/go.mod
+++ b/go.mod
@@ -1,24 +1,59 @@
module github.com/AliyunContainerService/secrets-store-csi-driver-provider-alibaba-cloud
-go 1.16
+go 1.18
require (
github.com/AliyunContainerService/ack-secret-manager v0.0.0-20220112125214-d31312f5d710
github.com/alibabacloud-go/darabonba-openapi v0.1.7
+ github.com/alibabacloud-go/darabonba-openapi/v2 v2.0.9
github.com/alibabacloud-go/kms-20160120/v2 v2.0.0
- github.com/alibabacloud-go/sts-20150401 v1.1.0 // indirect
- github.com/alibabacloud-go/tea v1.1.15
+ github.com/alibabacloud-go/oos-20190601/v4 v4.2.2
+ github.com/alibabacloud-go/tea v1.2.2
github.com/aliyun/alibaba-cloud-sdk-go v1.61.1473
- github.com/aliyun/credentials-go v1.2.2
+ github.com/aliyun/credentials-go v1.3.1
github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af
github.com/pkg/errors v0.9.1
+ golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e
google.golang.org/grpc v1.29.1
- k8s.io/api v0.20.2 // indirect
- k8s.io/apimachinery v0.20.2 // indirect
- k8s.io/client-go v12.0.0+incompatible // indirect
k8s.io/klog/v2 v2.8.0
sigs.k8s.io/secrets-store-csi-driver v0.0.22
sigs.k8s.io/yaml v1.2.0
)
+require (
+ github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4 // indirect
+ github.com/alibabacloud-go/debug v1.0.0 // indirect
+ github.com/alibabacloud-go/endpoint-util v1.1.0 // indirect
+ github.com/alibabacloud-go/openapi-util v0.1.0 // indirect
+ github.com/alibabacloud-go/tea-utils v1.3.9 // indirect
+ github.com/alibabacloud-go/tea-utils/v2 v2.0.6 // indirect
+ github.com/alibabacloud-go/tea-xml v1.1.3 // indirect
+ github.com/clbanning/mxj/v2 v2.5.5 // indirect
+ github.com/davecgh/go-spew v1.1.1 // indirect
+ github.com/go-logr/logr v0.4.0 // indirect
+ github.com/gogo/protobuf v1.3.1 // indirect
+ github.com/golang/protobuf v1.4.3 // indirect
+ github.com/google/gofuzz v1.1.0 // indirect
+ github.com/json-iterator/go v1.1.12 // indirect
+ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+ github.com/modern-go/reflect2 v1.0.2 // indirect
+ github.com/tjfoc/gmsm v1.3.2 // indirect
+ golang.org/x/crypto v0.18.0 // indirect
+ golang.org/x/net v0.20.0 // indirect
+ golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d // indirect
+ golang.org/x/sys v0.16.0 // indirect
+ golang.org/x/term v0.16.0 // indirect
+ golang.org/x/text v0.14.0 // indirect
+ google.golang.org/appengine v1.6.6 // indirect
+ google.golang.org/genproto v0.0.0-20201110150050-8816d57aaa9a // indirect
+ google.golang.org/protobuf v1.25.0 // indirect
+ gopkg.in/inf.v0 v0.9.1 // indirect
+ gopkg.in/ini.v1 v1.66.2 // indirect
+ gopkg.in/yaml.v2 v2.3.0 // indirect
+ k8s.io/apimachinery v0.20.2 // indirect
+ k8s.io/client-go v12.0.0+incompatible // indirect
+ k8s.io/utils v0.0.0-20210111153108-fddb29f9d009 // indirect
+ sigs.k8s.io/structured-merge-diff/v4 v4.0.2 // indirect
+)
+
replace k8s.io/client-go => k8s.io/client-go v0.20.2
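Review bot: The direct dependency `google.golang.org/grpc v1.29.1` is left untouched while this hunk moves the rest of the graph to far newer pins (`golang.org/x/net v0.20.0`, `golang.org/x/crypto v0.18.0`, `golang.org/x/sys v0.16.0`), and nothing in the commit records a vulnerability or integrity check of the resolved module set. The new `oos-20190601/v4` and `darabonba-openapi/v2` SDKs widen the transitive tree noticeably (see the added indirect block), so running `govulncheck ./...` and `go mod verify` against this go.mod before tagging would confirm whether any advisory applies to the pinned versions; this is inferred from the version strings alone, not from a known advisory. If the old grpc version is deliberate for compatibility with `sigs.k8s.io/secrets-store-csi-driver v0.0.22`, a trailing `// pinned: <reason>` comment on that line would tell the next maintainer not to bump it blindly.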
diff --git a/go.sum b/go.sum
index 84e292e..e9edde7 100644
--- a/go.sum
+++ b/go.sum
@@ -97,55 +97,50 @@ github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuy
github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
-github.com/alibabacloud-go/darabonba-openapi v0.0.9/go.mod h1:YGpp3JTSkPwUK5vH/qFWbxTpfgWp44GkN45QcPAaOyc=
+github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4 h1:iC9YFYKDGEy3n/FtqJnOkZsene9olVspKmkX5A2YBEo=
+github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4/go.mod h1:sCavSAvdzOjul4cEqeVtvlSaSScfNsTQ+46HwlTL1hc=
github.com/alibabacloud-go/darabonba-openapi v0.1.4/go.mod h1:j03z4XUkIC9aBj/w5Bt7H0cygmPNt5sug8NXle68+Og=
github.com/alibabacloud-go/darabonba-openapi v0.1.7 h1:W0uSIzejswpz02ILRgEMFFkMZGAnfpB6BjrGvbOjCK0=
github.com/alibabacloud-go/darabonba-openapi v0.1.7/go.mod h1:6FV1Bt1AItYIlC2rVopPTumrRNtkfPBmrPVAZ8v2bLk=
+github.com/alibabacloud-go/darabonba-openapi/v2 v2.0.9 h1:fxMCrZatZfXq5nLcgkmWBXmU3FLC1OR+m/SqVtMqflk=
+github.com/alibabacloud-go/darabonba-openapi/v2 v2.0.9/go.mod h1:bb+Io8Sn2RuM3/Rpme6ll86jMyFSrD1bxeV/+v61KeU=
github.com/alibabacloud-go/darabonba-string v1.0.0/go.mod h1:93cTfV3vuPhhEwGGpKKqhVW4jLe7tDpo3LUM0i0g6mA=
-github.com/alibabacloud-go/debug v0.0.0-20190504072949-9472017b5c68 h1:NqugFkGxx1TXSh/pBcU00Y6bljgDPaFdh5MUSeJ7e50=
github.com/alibabacloud-go/debug v0.0.0-20190504072949-9472017b5c68/go.mod h1:6pb/Qy8c+lqua8cFpEy7g39NRRqOWc3rOwAy8m5Y2BY=
+github.com/alibabacloud-go/debug v1.0.0 h1:3eIEQWfay1fB24PQIEzXAswlVJtdQok8f3EVN5VrBnA=
+github.com/alibabacloud-go/debug v1.0.0/go.mod h1:8gfgZCCAC3+SCzjWtY053FrOcd4/qlH6IHTI4QyICOc=
github.com/alibabacloud-go/endpoint-util v1.1.0 h1:r/4D3VSw888XGaeNpP994zDUaxdgTSHBbVfZlzf6b5Q=
github.com/alibabacloud-go/endpoint-util v1.1.0/go.mod h1:O5FuCALmCKs2Ff7JFJMudHs0I5EBgecXXxZRyswlEjE=
-github.com/alibabacloud-go/kms-20160120 v1.1.2 h1:rK8KGzjesUNAskZPmxoovH+5Cpb0SmkyjaK7jz52A9s=
-github.com/alibabacloud-go/kms-20160120 v1.1.2/go.mod h1:UYAegRablI0rqUTJeY4Ejqx/ls2ikrBg2qn1+ONO+Aw=
github.com/alibabacloud-go/kms-20160120/v2 v2.0.0 h1:WERretZ1mLLchpB+VinDizRZjYDuys6P/jWETSj4ND0=
github.com/alibabacloud-go/kms-20160120/v2 v2.0.0/go.mod h1:jYnUb2h6v+wLGwg2CRDks6m9nqQWnAkbN0RFKCewgGY=
-github.com/alibabacloud-go/openapi-util v0.0.3/go.mod h1://aHBV5ycAwemHmdZW6H8ZWXN3ZgiQS1eklw30wewH4=
+github.com/alibabacloud-go/oos-20190601/v4 v4.2.2 h1:s2MF/pSM8EWzel0jnL09HcnpdvouAbHbebQvb/rJu5c=
+github.com/alibabacloud-go/oos-20190601/v4 v4.2.2/go.mod h1:QGhMzt3NhWyM1sMyOR2lP/enXhtT8U7Xszf1IRWqG5M=
github.com/alibabacloud-go/openapi-util v0.0.7/go.mod h1:sQuElr4ywwFRlCCberQwKRFhRzIyG4QTP/P4y1CJ6Ws=
-github.com/alibabacloud-go/openapi-util v0.0.8 h1:i5DVcU96IQbQ5vFhpL7KK6tCf8tD4TeEOsH3nxpWWsw=
github.com/alibabacloud-go/openapi-util v0.0.8/go.mod h1:sQuElr4ywwFRlCCberQwKRFhRzIyG4QTP/P4y1CJ6Ws=
-github.com/alibabacloud-go/ram-20150501 v1.0.1 h1:ia7RfLikjOFV3HFirV3IjTv5wi3sc8lbXbRVEo7zd/M=
-github.com/alibabacloud-go/ram-20150501 v1.0.1/go.mod h1:1yzEwKX3Ao7UT/5mqw4Ja2WlCEkiuBirUquSZoen7/o=
-github.com/alibabacloud-go/sts-20150401 v1.1.0 h1:1yVyKz02ES6aKo3xVjmoPLBH1OAmmSqPkhKRdjEkmYs=
-github.com/alibabacloud-go/sts-20150401 v1.1.0/go.mod h1:QW4O/c7Hp4krHYt+6xwnoG8EyZW3V9GYkl6EgIBmxJc=
+github.com/alibabacloud-go/openapi-util v0.1.0 h1:0z75cIULkDrdEhkLWgi9tnLe+KhAFE/r5Pb3312/eAY=
+github.com/alibabacloud-go/openapi-util v0.1.0/go.mod h1:sQuElr4ywwFRlCCberQwKRFhRzIyG4QTP/P4y1CJ6Ws=
github.com/alibabacloud-go/tea v1.1.0/go.mod h1:IkGyUSX4Ba1V+k4pCtJUc6jDpZLFph9QMy2VUPTwukg=
github.com/alibabacloud-go/tea v1.1.7/go.mod h1:/tmnEaQMyb4Ky1/5D+SE1BAsa5zj/KeGOFfwYm3N/p4=
github.com/alibabacloud-go/tea v1.1.8/go.mod h1:/tmnEaQMyb4Ky1/5D+SE1BAsa5zj/KeGOFfwYm3N/p4=
-github.com/alibabacloud-go/tea v1.1.10/go.mod h1:/tmnEaQMyb4Ky1/5D+SE1BAsa5zj/KeGOFfwYm3N/p4=
github.com/alibabacloud-go/tea v1.1.11/go.mod h1:/tmnEaQMyb4Ky1/5D+SE1BAsa5zj/KeGOFfwYm3N/p4=
-github.com/alibabacloud-go/tea v1.1.15 h1:IaBC1Mm5Ss+l7cWnOXSxCmnWoWrEdeHEtDgQzoCCgjY=
github.com/alibabacloud-go/tea v1.1.15/go.mod h1:nXxjm6CIFkBhwW4FQkNrolwbfon8Svy6cujmKFUq98A=
-github.com/alibabacloud-go/tea-rpc v1.1.3 h1:uuxAIT9PB6MMABQfV/EMSnREZjh629WXu+hmPNF1IAs=
-github.com/alibabacloud-go/tea-rpc v1.1.3/go.mod h1:uwhvnxPK69jcAYkVyP1WCFhTh1oVLiibUseSUpC7L8g=
-github.com/alibabacloud-go/tea-rpc-utils v1.1.0 h1:kIG7+9sMRaDzvCbXfowycEwFRdnLAglRFQ/dnc0/JNE=
-github.com/alibabacloud-go/tea-rpc-utils v1.1.0/go.mod h1:rxGY+fLbm3Fj3oJpeU0hBTmz52Ux50nm7JL01tyPv9c=
-github.com/alibabacloud-go/tea-utils v1.3.0/go.mod h1:EI/o33aBfj3hETm4RLiAxF/ThQdSngxrpF8rKUDJjPE=
+github.com/alibabacloud-go/tea v1.1.17/go.mod h1:nXxjm6CIFkBhwW4FQkNrolwbfon8Svy6cujmKFUq98A=
+github.com/alibabacloud-go/tea v1.2.1/go.mod h1:qbzof29bM/IFhLMtJPrgTGK3eauV5J2wSyEUo4OEmnA=
+github.com/alibabacloud-go/tea v1.2.2 h1:aTsR6Rl3ANWPfqeQugPglfurloyBJY85eFy7Gc1+8oU=
+github.com/alibabacloud-go/tea v1.2.2/go.mod h1:CF3vOzEMAG+bR4WOql8gc2G9H3EkH3ZLAQdpmpXMgwk=
github.com/alibabacloud-go/tea-utils v1.3.1/go.mod h1:EI/o33aBfj3hETm4RLiAxF/ThQdSngxrpF8rKUDJjPE=
-github.com/alibabacloud-go/tea-utils v1.3.6/go.mod h1:EI/o33aBfj3hETm4RLiAxF/ThQdSngxrpF8rKUDJjPE=
-github.com/alibabacloud-go/tea-utils v1.3.8/go.mod h1:EI/o33aBfj3hETm4RLiAxF/ThQdSngxrpF8rKUDJjPE=
github.com/alibabacloud-go/tea-utils v1.3.9 h1:TtbzxS+BXrisA7wzbAMRtlU8A2eWLg0ufm7m/Tl6fc4=
github.com/alibabacloud-go/tea-utils v1.3.9/go.mod h1:EI/o33aBfj3hETm4RLiAxF/ThQdSngxrpF8rKUDJjPE=
+github.com/alibabacloud-go/tea-utils/v2 v2.0.6 h1:ZkmUlhlQbaDC+Eba/GARMPy6hKdCLiSke5RsN5LcyQ0=
+github.com/alibabacloud-go/tea-utils/v2 v2.0.6/go.mod h1:qxn986l+q33J5VkialKMqT/TTs3E+U9MJpd001iWQ9I=
+github.com/alibabacloud-go/tea-xml v1.1.3 h1:7LYnm+JbOq2B+T/B0fHC4Ies4/FofC4zHzYtqw7dgt0=
+github.com/alibabacloud-go/tea-xml v1.1.3/go.mod h1:Rq08vgCcCAjHyRi/M7xlHKUykZCEtyBy9+DPF6GgEu8=
github.com/aliyun/alibaba-cloud-sdk-go v1.61.127/go.mod h1:pUKYbK5JQ+1Dfxk80P0qxGqe5dkxDoabbZS7zOcouyA=
github.com/aliyun/alibaba-cloud-sdk-go v1.61.1473 h1:rUoiu7Duq0hr4mjlQWZMORKaCbNXaYvYN2HFJQt228E=
github.com/aliyun/alibaba-cloud-sdk-go v1.61.1473/go.mod h1:RcDobYh8k5VP6TNybz9m++gL3ijVI5wueVr0EM10VsU=
github.com/aliyun/aliyun-oss-go-sdk v2.0.4+incompatible/go.mod h1:T/Aws4fEfogEE9v+HPhhw+CntffsBHJ8nXQCwKr0/g8=
-github.com/aliyun/credentials-go v1.1.0/go.mod h1:ZXrrxv386Mj6z8NpihLKpexQE550m7j3LlyCvYub9aE=
-github.com/aliyun/credentials-go v1.1.2 h1:qU1vwGIBb3UJ8BwunHDRFtAhS6jnQLnde/yk0+Ih2GY=
github.com/aliyun/credentials-go v1.1.2/go.mod h1:ozcZaMR5kLM7pwtCMEpVmQ242suV6qTJya2bDq4X1Tw=
-github.com/aliyun/credentials-go v1.2.1 h1:TrWRFzIyxoNoY6+k+7LXtemV1XHBf7WFX9AERvcf5Zo=
-github.com/aliyun/credentials-go v1.2.1/go.mod h1:/KowD1cfGSLrLsH28Jr8W+xwoId0ywIy5lNzDz6O1vw=
-github.com/aliyun/credentials-go v1.2.2 h1:Od4LtHDmszForEtfLTQXu6iZCYB5VaxUU51VGtwAY4A=
-github.com/aliyun/credentials-go v1.2.2/go.mod h1:/KowD1cfGSLrLsH28Jr8W+xwoId0ywIy5lNzDz6O1vw=
+github.com/aliyun/credentials-go v1.3.1 h1:uq/0v7kWrxmoLGpqjx7vtQ/s03f0zR//0br/xWDTE28=
+github.com/aliyun/credentials-go v1.3.1/go.mod h1:8jKYhQuDawt8x2+fusqa1Y6mPxemTsBEN04dgcAcYz0=
github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
github.com/antihax/optional v0.0.0-20180407024304-ca021399b1a6/go.mod h1:V8iCPQYkqmusNa815XgQio277wI47sdRh1dUOLdyC6Q=
github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
@@ -202,6 +197,8 @@ github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5P
github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag=
github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I=
+github.com/clbanning/mxj/v2 v2.5.5 h1:oT81vUeEiQQ/DcHbzSytRngP6Ky9O+L+0Bw0zSJag9E=
+github.com/clbanning/mxj/v2 v2.5.5/go.mod h1:hNiWqW14h+kc+MdF9C6/YoRfjEJoR3ou6tn/Qo+ve2s=
github.com/clbanning/x2j v0.0.0-20191024224557-825249438eec/go.mod h1:jMjuTZXRI4dUb/I5gc9Hdhagfvm9+RyrPryS/auMzxE=
github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
@@ -473,6 +470,7 @@ github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw
github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.2 h1:X2ev0eStA3AbceY54o37/0PQ/UWqKEiiO2dKL5OPaFM=
github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-github v17.0.0+incompatible/go.mod h1:zLgOLi98H3fifZn+44m+umXrS52loVEgC2AApnigrVQ=
github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
@@ -502,7 +500,6 @@ github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsC
github.com/googleapis/gnostic v0.2.0/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
github.com/googleapis/gnostic v0.3.1/go.mod h1:on+2t9HRStVgn95RSsFWFz+6Q0Snyqv1awfrALZdbtU=
github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3ir6b65WBswg=
-github.com/googleapis/gnostic v0.5.1 h1:A8Yhf6EtqTv9RMsU6MQTyrtV1TjWlR6xU9BsZIwuTCM=
github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2cUuW7uA/OeU=
github.com/gophercloud/gophercloud v0.2.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8=
github.com/gophercloud/gophercloud v0.3.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8=
@@ -611,8 +608,9 @@ github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCV
github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
-github.com/json-iterator/go v1.1.10 h1:Kz6Cvnvv2wGdaG/V8yMvfkmNiXq9Ya2KUv4rouJJr68=
github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
github.com/jsonnet-bundler/jsonnet-bundler v0.2.0/go.mod h1:/by7P/OoohkI3q4CgSFqcoFsVY+IaNbzOVDknEsKDeU=
github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
@@ -633,6 +631,7 @@ github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfn
github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA=
github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
github.com/kshvakov/clickhouse v1.3.5/go.mod h1:DMzX7FxRymoNkVgizH0DWAL8Cur7wHLgx3MUnGwJqpE=
github.com/kubernetes-csi/csi-lib-utils v0.7.1/go.mod h1:bze+2G9+cmoHxN6+WyG1qT4MDxgZJMLGwc7V4acPNm0=
@@ -707,8 +706,9 @@ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
github.com/modern-go/reflect2 v0.0.0-20180320133207-05fbef0ca5da/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI=
github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
github.com/morikuni/aec v0.0.0-20170113033406-39771216ff4c/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
github.com/mozillazg/go-cos v0.13.0/go.mod h1:Zp6DvvXn0RUOXGJ2chmWt2bLEqRAnJnS3DnAZsJsoaE=
@@ -727,6 +727,7 @@ github.com/nats-io/nkeys v0.1.0/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxzi
github.com/nats-io/nkeys v0.1.3/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w=
github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c=
github.com/ncw/swift v1.0.47/go.mod h1:23YIA4yWVnGwv2dQlN4bB7egfYX6YLn0Yo/S6zZO/ZM=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
github.com/oklog/oklog v0.3.2/go.mod h1:FCV+B7mhrz4o+ueLpx+KqkyXRGMWOYEvfiXtdGtbWGs=
@@ -808,6 +809,7 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pkg/profile v1.2.1/go.mod h1:hJw3o1OdXxsrSjjVksARp5W95eeEaEfptyVZyv6JUPA=
github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA=
@@ -917,6 +919,7 @@ github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzu
github.com/spf13/pflag v1.0.1-0.20171106142849-4c012f6dcd95/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
+github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE=
@@ -934,6 +937,7 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
@@ -968,6 +972,7 @@ github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:
github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
github.com/yuin/goldmark v1.1.30/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43/go.mod h1:aX5oPXxHm3bOH+xeAttToC8pqch2ScQN/JoXYupl6xs=
github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50/go.mod h1:NUSPSUX/bi6SeDMUh6brw0nXpxHnc96TguQh0+r/ssA=
github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f/go.mod h1:GlGEuHIJweS1mbCqG+7vt2nvWLzLLnRHbXz5JKd/Qbg=
@@ -1039,8 +1044,11 @@ golang.org/x/crypto v0.0.0-20200128174031-69ecbb4d6d5d/go.mod h1:LzIPMQfyMNhhGPh
golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0 h1:hb9wdF1z5waM+dSIICn1l0DkLVDT3hqhhQsDNUmHPRE=
golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45I=
+golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc=
+golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -1073,6 +1081,8 @@ golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzB
golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1118,8 +1128,15 @@ golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/
golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
-golang.org/x/net v0.0.0-20201110031124-69a78807bb2b h1:uwuIcX0g4Yl1NC5XAz37xsr2lTtcqevgzYNVt49waME=
golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.11.0/go.mod h1:2L/ixqYpgIVXmeoSA/4Lu7BzTG4KIyPIryS4IsOd1oQ=
+golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo=
+golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20181106182150-f42d05182288/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1135,6 +1152,8 @@ golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJ
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1202,8 +1221,23 @@ golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7w
golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20201015000850-e3ed0017c211/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201112073958-5cba982894dd h1:5CtCZbICpIOFdgO940moixOPjc0178IU44m4EjOO5IY=
golang.org/x/sys v0.0.0-20201112073958-5cba982894dd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU=
+golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.9.0/go.mod h1:M6DEAAIenWoTxdKrOltXcmDY3rSplQUkrvaDU5FcQyo=
+golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE=
+golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1212,8 +1246,13 @@ golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3
golang.org/x/text v0.3.1-0.20181227161524-e6919f6577db/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.4 h1:0YWbFKbhXG/wIiuHDSKpS0Iy7FSA+u45VtBMfQcFTTc=
golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.10.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -1280,9 +1319,12 @@ golang.org/x/tools v0.0.0-20200327195553-82bb89366a1e/go.mod h1:Sl4aGygMT6LrqrWc
golang.org/x/tools v0.0.0-20200505023115-26f46d2f7ef8/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
golang.org/x/tools v0.0.0-20200509030707-2212a7e161a5/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
golang.org/x/tools v0.0.0-20200616133436-c1934b75d054/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
gomodules.xyz/jsonpatch/v2 v2.0.1/go.mod h1:IhYNNY4jnS53ZnfE4PAmpKtDpTCj1JFXc+3mwe7XcUU=
gomodules.xyz/jsonpatch/v2 v2.1.0/go.mod h1:IhYNNY4jnS53ZnfE4PAmpKtDpTCj1JFXc+3mwe7XcUU=
@@ -1379,6 +1421,7 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8
gopkg.in/check.v1 v1.0.0-20141024133853-64131543e789/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
@@ -1506,7 +1549,6 @@ k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
k8s.io/klog v0.3.1/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
k8s.io/klog v0.3.3/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
k8s.io/klog v0.4.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
-k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8=
k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
@@ -1556,7 +1598,6 @@ sigs.k8s.io/secrets-store-csi-driver v0.0.22/go.mod h1:5EUKxylOyqtMpaLRw9VHhniMD
sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI=
sigs.k8s.io/structured-merge-diff v0.0.0-20190817042607-6149e4549fca/go.mod h1:IIgPezJWb76P0hotTxzDbWsMYB8APh18qZnxkomBpxA=
sigs.k8s.io/structured-merge-diff v1.0.1-0.20191108220359-b1b620dd3f06/go.mod h1:/ULNhyfzRopfcjskuui0cTITekDduZ7ycKN3oUT9R18=
-sigs.k8s.io/structured-merge-diff v1.0.2 h1:WiMoyniAVAYm03w+ImfF9IE2G23GLR/SwDnQyaNZvPk=
sigs.k8s.io/structured-merge-diff v1.0.2/go.mod h1:IIgPezJWb76P0hotTxzDbWsMYB8APh18qZnxkomBpxA=
sigs.k8s.io/structured-merge-diff/v4 v4.0.2 h1:YHQV7Dajm86OuqnIR6zAelnDWBRjo+YhYV9PmGrh1s8=
sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
diff --git a/main.go b/main.go
index 2f1e3d4..fe5d5ec 100644
--- a/main.go
+++ b/main.go
@@ -3,8 +3,6 @@ package main
import (
"flag"
"fmt"
- "github.com/AliyunContainerService/secrets-store-csi-driver-provider-alibaba-cloud/utils"
- "google.golang.org/grpc/health/grpc_health_v1"
t "log"
"net"
"net/url"
@@ -14,11 +12,16 @@ import (
"syscall"
"time"
+ "github.com/AliyunContainerService/secrets-store-csi-driver-provider-alibaba-cloud/utils"
+ "google.golang.org/grpc/health/grpc_health_v1"
+
+ "golang.org/x/time/rate"
"google.golang.org/grpc"
"k8s.io/klog/v2"
csidriver "sigs.k8s.io/secrets-store-csi-driver/provider/v1alpha1"
"github.com/AliyunContainerService/secrets-store-csi-driver-provider-alibaba-cloud/auth"
+ "github.com/AliyunContainerService/secrets-store-csi-driver-provider-alibaba-cloud/provider"
"github.com/AliyunContainerService/secrets-store-csi-driver-provider-alibaba-cloud/server"
)
@@ -28,6 +31,9 @@ var (
healthzPort = flag.Int("healthz-port", 8989, "port for health check")
healthzPath = flag.String("healthz-path", "/healthz", "path for health check")
healthzTimeout = flag.Duration("healthz-timeout", 5*time.Second, "RPC timeout for health check")
+
+ maxConcurrentKmsSecretPulls = flag.Int("max-concurrent-kms-secret-pulls", 10, "used to control how many kms secrets are pulled at the same time.")
+ maxConcurrentOosSecretPulls = flag.Int("max-concurrent-oos-secret-pulls", 10, "used to control how many oos secrets are pulled at the same time.")
)
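Review bot: The two new flags are named and described as limits on how many secrets are pulled "at the same time", but the main() hunk below feeds them into `rate.NewLimiter(rate.Limit(*maxConcurrentKmsSecretPulls), 1)`, which is a per-second rate with burst 1, not a cap on in-flight pulls. Either change the help text to match, e.g. `"maximum number of kms secret pulls started per second"`, or implement a real concurrency bound with a counting semaphore. Consider also rejecting a value of 0 at startup: as far as I recall x/time/rate, a zero rate hands out only the burst and then blocks every later Wait until the context deadline, which would stall every mount for the full five-minute wait used in fetchSecret (verify against the library version in go.mod).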
// Main entry point for the Secret Store CSI driver Alibaba Cloud provider. This main
@@ -40,6 +46,9 @@ func main() {
flag.Parse() // Parse command line flags
+ provider.LimiterInstance.Kms.SecretPullLimiter = rate.NewLimiter(rate.Limit(*maxConcurrentKmsSecretPulls), 1)
+ provider.LimiterInstance.OOS.SecretPullLimiter = rate.NewLimiter(rate.Limit(*maxConcurrentOosSecretPulls), 1)
+
signalChan := make(chan os.Signal, 1)
signal.Notify(signalChan, syscall.SIGTERM, syscall.SIGINT, os.Interrupt)
diff --git a/provider/pull_limit.go b/provider/pull_limit.go
new file mode 100644
index 0000000..79aa7aa
--- /dev/null
+++ b/provider/pull_limit.go
@@ -0,0 +1,33 @@
+package provider
+
+import (
+ "context"
+ "fmt"
+ "golang.org/x/time/rate"
+)
+
+type PullLimit interface {
+ Wait(context.Context) error
+}
+
+type KmsLimiter struct {
+ SecretPullLimiter *rate.Limiter
+}
+
+func (k KmsLimiter) Wait(c context.Context) error {
+ if k.SecretPullLimiter == nil {
+ return fmt.Errorf("secret pull limiter is empty")
+ }
+ return k.SecretPullLimiter.Wait(c)
+}
+
+type OosLimiter struct {
+ SecretPullLimiter *rate.Limiter
+}
+
+func (o OosLimiter) Wait(c context.Context) error {
+ if o.SecretPullLimiter == nil {
+ return fmt.Errorf("secret pull limiter is empty")
+ }
+ return o.SecretPullLimiter.Wait(c)
+}
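Review bot: KmsLimiter and OosLimiter are identical apart from their names, so one `type SecretPullLimiter struct { Limiter *rate.Limiter }` implementing PullLimit would do, with the Limiter struct in secret_manager_provider.go holding two instances of it. The constant error text is better as a sentinel, `var ErrNoPullLimiter = errors.New("secret pull limiter is empty")`, so callers can `errors.Is` on it, and the exported types and interface should carry doc comments starting with their names. The nil check itself is the right call: an uninitialised LimiterInstance fails closed instead of bypassing the limit, and a comment saying so would help the next reader. The import block should also separate the stdlib group from `golang.org/x/time/rate` with a blank line as goimports would.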
diff --git a/provider/secert_object.go b/provider/secert_object.go
index 15ad703..edff652 100644
--- a/provider/secert_object.go
+++ b/provider/secert_object.go
@@ -30,6 +30,9 @@ type SecretObject struct {
// Optional version/stage label of the secret (defaults to latest).
ObjectVersionLabel string `json:"objectVersionLabel"`
+ // Optional type of the secret (defaults to kms)
+ ObjectType string `json:"objectType"`
+
//Optional array to specify what json key value pairs to extract from a secret and mount as individual secrets
JMESPath []JMESPathObject `json:"jmesPath"`
@@ -40,7 +43,7 @@ type SecretObject struct {
mountDir string `json:"-"`
}
-//An individual json key value pair to mount
+// An individual json key value pair to mount
type JMESPathObject struct {
//JMES path to use for retrieval
Path string `json:"path"`
@@ -98,7 +101,7 @@ func NewSecretObjectList(mountDir, translate, objectSpec string) (objects []*Sec
objects = append(objects, specObj)
// Check for duplicate names
- if names[specObj.ObjectName] {
+ if names[specObj.ObjectName] && names[specObj.ObjectAlias] && ExistsWithSameNameAndType(objects, specObj) {
return nil, fmt.Errorf("Name already in use for objectName: %s", specObj.ObjectName)
}
names[specObj.ObjectName] = true
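Review bot: `ExistsWithSameNameAndType(objects, specObj)` is evaluated after specObj has already been appended to objects on the line above, so it always finds specObj itself and returns true, which makes the type-aware part of the new duplicate check a no-op. Either run the check before the append or skip the object under test inside the loop, `if obj == specObj { continue }`; the same applies to the ExistsWithSameNameAndType hunk below. Separately, adding `&& names[specObj.ObjectAlias]` makes the condition strictly weaker than the old name-only check: an object that repeats an existing ObjectName with an alias not yet seen now passes where it was rejected before, and two entries that resolve to the same mount path would silently overwrite each other, so if that is intended for mixed kms/oos mounts it deserves a comment. NewSecretObjectList continues outside this hunk.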
@@ -124,9 +127,25 @@ func NewSecretObjectList(mountDir, translate, objectSpec string) (objects []*Sec
}
}
+
return objects, nil
}
+// check if there exists an object with the same name and type.
+func ExistsWithSameNameAndType(objects []*SecretObject, specObj *SecretObject) bool {
+ for _, obj := range objects {
+ if obj.ObjectName != specObj.ObjectName {
+ continue
+ }
+
+ if obj.ObjectType == specObj.ObjectType || (obj.ObjectType == "" && specObj.ObjectType == ObjectTypeKMS) || (obj.ObjectType == ObjectTypeKMS && specObj.ObjectType == "") {
+ return true
+ }
+ }
+
+ return false
+}
+
// validateSecretObject is used to validate input before it is used by the rest of the plugin.
func (s *SecretObject) validateSecretObject() error {
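Review bot: The three-way type comparison in ExistsWithSameNameAndType reads more clearly if the empty type is normalised to kms once, via a one-line helper `effectiveType` that returns ObjectTypeKMS for "" and the input otherwise, and the loop then compares `effectiveType(obj.ObjectType) == effectiveType(specObj.ObjectType)`. The function is exported but, as far as the diff shows, only called from this file; keep it unexported unless another package needs it. Its doc comment should start with the name per Go convention: `// ExistsWithSameNameAndType reports whether objects already holds an entry with specObj's name and (normalised) type.`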
diff --git a/provider/secret_manager_provider.go b/provider/secret_manager_provider.go
index 70ef1f3..baeeff4 100644
--- a/provider/secret_manager_provider.go
+++ b/provider/secret_manager_provider.go
@@ -1,16 +1,19 @@
package provider
import (
+ "context"
"fmt"
+ "io/ioutil"
+ "math"
+ "time"
+
"github.com/AliyunContainerService/ack-secret-manager/pkg/utils"
kms "github.com/alibabacloud-go/kms-20160120/v2/client"
+ oos "github.com/alibabacloud-go/oos-20190601/v4/client"
"github.com/alibabacloud-go/tea/tea"
sdkErr "github.com/aliyun/alibaba-cloud-sdk-go/sdk/errors"
- "io/ioutil"
"k8s.io/klog/v2"
- "math"
"sigs.k8s.io/secrets-store-csi-driver/provider/v1alpha1"
- "time"
)
const (
@@ -24,8 +27,21 @@ var (
BACKOFF_DEFAULT_CAPACITY = time.Duration(10) * time.Second
)
+const (
+ ObjectTypeKMS = "kms"
+ ObjectTypeOOS = "oos"
+)
+
+type Limiter struct {
+ Kms KmsLimiter
+ OOS OosLimiter
+}
+
+var LimiterInstance Limiter
+
type SecretsManagerProvider struct {
KmsClient *kms.Client
+ OosClient *oos.Client
}
type SecretFile struct {
@@ -117,9 +133,34 @@ func (p *SecretsManagerProvider) isCurrent(
//
// This method builds up the GetSecretValue request using the objectName from
// the request and any objectVersion or objectVersionLabel parameters.
-//
func (smp *SecretsManagerProvider) fetchSecret(secObj *SecretObject) (ver string, val *SecretValue, e error) {
+ waitTimeoutCtx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
+ defer cancel()
+ switch secObj.ObjectType {
+ case ObjectTypeKMS, "":
+ err := LimiterInstance.Kms.Wait(waitTimeoutCtx)
+ if err != nil {
+ return "", nil, err
+ }
+ if smp.KmsClient == nil {
+ return "", nil, fmt.Errorf("kms client is empty")
+ }
+ return getKMSSecret(smp.KmsClient, secObj)
+ case ObjectTypeOOS:
+ err := LimiterInstance.OOS.Wait(waitTimeoutCtx)
+ if err != nil {
+ return "", nil, err
+ }
+ if smp.OosClient == nil {
+ return "", nil, fmt.Errorf("oos client is empty")
+ }
+ return getOOSSecret(smp.OosClient, secObj)
+ default:
+ return "", nil, fmt.Errorf("Secret type %s not support. Only support kms and oos", secObj.ObjectType)
+ }
+}
+func getKMSSecret(c *kms.Client, secObj *SecretObject) (string, *SecretValue, error) {
request := &kms.GetSecretValueRequest{
SecretName: tea.String(secObj.ObjectName),
}
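Review bot: fetchSecret waits on the limiter under a fresh `context.WithTimeout(context.Background(), 5*time.Minute)` rather than the Mount request's context, so a cancelled or timed-out gRPC Mount keeps its goroutine parked on the limiter for up to five minutes and then still issues the KMS/OOS call. Thread the caller's ctx through and derive the bound from it, `waitTimeoutCtx, cancel := context.WithTimeout(ctx, 5*time.Minute)`; the caller GetSecretValues is outside this hunk, so its signature would need a ctx parameter as well. Also check the client for nil before calling Wait so a misconfigured provider fails fast without consuming a token, and make the five-minute bound a named constant next to BACKOFF_DEFAULT_CAPACITY with a comment on why that value was chosen.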
@@ -129,14 +170,15 @@ func (smp *SecretsManagerProvider) fetchSecret(secObj *SecretObject) (ver string
if secObj.ObjectVersionLabel != "" {
request.VersionStage = tea.String(secObj.ObjectVersionLabel)
}
- response, err := smp.KmsClient.GetSecretValue(request)
+ response, err := c.GetSecretValue(request)
if err != nil {
+ klog.Error(err, "failed to get %s secret value from kms, err = %s", secObj.ObjectName, err.Error())
if !judgeNeedRetry(err) {
klog.Error(err, "failed to get secret value from kms", "key", secObj.ObjectName)
return "", nil, fmt.Errorf("Failed fetching secret %s: %s", secObj.ObjectName, err.Error())
} else {
time.Sleep(getWaitTimeExponential(1))
- response, err = smp.KmsClient.GetSecretValue(request)
+ response, err = c.GetSecretValue(request)
if err != nil {
klog.Error(err, "failed to get secret value from kms", "key", secObj.ObjectName)
return "", nil, fmt.Errorf("Failed fetching secret %s: %s", secObj.ObjectName, err.Error())
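Review bot: The added `klog.Error(err, "failed to get %s secret value from kms, err = %s", secObj.ObjectName, err.Error())` hands format verbs to klog.Error, which concatenates its arguments fmt.Sprint-style and never interprets `%s`, so the log line will contain the literal verbs followed by the name and the error text. Use `klog.Errorf("failed to get %s secret value from kms: %v", secObj.ObjectName, err)`, or drop the line altogether, since the non-retry branch logs the same failure structurally on the very next line and the retry branch logs its own failure. getKMSSecret starts in the previous hunk.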
@@ -148,9 +190,38 @@ func (smp *SecretsManagerProvider) fetchSecret(secObj *SecretObject) (ver string
return "", nil, fmt.Errorf("Secret type not support at %s: %s", secObj.ObjectName, err.Error())
}
+
return *response.Body.VersionId, &SecretValue{Value: []byte(*response.Body.SecretData), SecretObj: *secObj}, nil
}
+func getOOSSecret(c *oos.Client, secObj *SecretObject) (string, *SecretValue, error) {
+ request := &oos.GetSecretParameterRequest{
+ Name: tea.String(secObj.ObjectName),
+ WithDecryption: tea.Bool(true),
+ }
+ response, err := c.GetSecretParameter(request)
+ if err != nil {
+ if !judgeNeedRetry(err) {
+ klog.Error(err, "failed to get secret value from oos", "key", secObj.ObjectName)
+ return "", nil, fmt.Errorf("Failed fetching secret %s: %s", secObj.ObjectName, err.Error())
+ } else {
+ time.Sleep(getWaitTimeExponential(1))
+ response, err = c.GetSecretParameter(request)
+ if err != nil {
+ klog.Error(err, "failed to get secret value from oos", "key", secObj.ObjectName)
+ return "", nil, fmt.Errorf("Failed fetching secret %s: %s", secObj.ObjectName, err.Error())
+ }
+ }
+ }
+ if *response.Body.Parameter.Value == utils.BinaryType {
+ klog.Error(err, "not support binary type yet", "key", secObj.ObjectName)
+ return "", nil, fmt.Errorf("Secret type not support at %s: %s", secObj.ObjectName, err.Error())
+
+ }
+
+ return "v1", &SecretValue{Value: []byte(*response.Body.Parameter.Value), SecretObj: *secObj}, nil
+}
+
func judgeNeedRetry(err error) bool {
respErr, is := err.(*sdkErr.ClientError)
if is && (respErr.ErrorCode() == REJECTED_THROTTLING || respErr.ErrorCode() == SERVICE_UNAVAILABLE_TEMPORARY || respErr.ErrorCode() == INTERNAL_FAILURE) {
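Review bot: In the binary-type branch of getOOSSecret, `err` is nil by the time `*response.Body.Parameter.Value == utils.BinaryType` is evaluated (every error path above has returned), so the `err.Error()` calls in the klog.Error and fmt.Errorf lines there dereference a nil interface and panic; the kms path above has the same shape. That branch also compares the parameter's decrypted value to the type constant, so any secret whose content happens to equal that string is rejected while a genuinely binary parameter is not detected — the type should come from the parameter's type field, not its value (check the oos SDK response struct for the exact field name). Finally, getOOSSecret returns the constant version `"v1"`, so if the caller's curVerMap/isCurrent comparison (outside this hunk) uses the version to decide whether to refresh a mounted file, rotated OOS parameters would never be rewritten; returning the parameter version carried in the response would fix that. Since the SDK body fields are pointers, nil-check response.Body.Parameter and its Value before dereferencing.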
diff --git a/server/server.go b/server/server.go
index 4f7c0c3..d4f3b7e 100644
--- a/server/server.go
+++ b/server/server.go
@@ -8,8 +8,11 @@ import (
"github.com/AliyunContainerService/secrets-store-csi-driver-provider-alibaba-cloud/provider"
"github.com/AliyunContainerService/secrets-store-csi-driver-provider-alibaba-cloud/utils"
openapi "github.com/alibabacloud-go/darabonba-openapi/client"
+ openapiv2 "github.com/alibabacloud-go/darabonba-openapi/v2/client"
kms "github.com/alibabacloud-go/kms-20160120/v2/client"
+ oos "github.com/alibabacloud-go/oos-20190601/v4/client"
"github.com/alibabacloud-go/tea/tea"
+ "github.com/aliyun/credentials-go/credentials"
"google.golang.org/grpc"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/health/grpc_health_v1"
@@ -31,6 +34,7 @@ const (
transAttrib = "pathTranslation" // Path translation char
secProvAttrib = "objects" // The attributed used to pass the SecretProviderClass definition (with what to mount)
defaultKmsDomain = "kms-vpc.%s.aliyuncs.com"
+ defaultOosDomain = "oos-vpc.%s.aliyuncs.com"
)
// A Secrets Store CSI Driver provider implementation for Alibaba Cloud Secrets Manager.
@@ -39,7 +43,6 @@ type CSIDriverProviderServer struct {
}
// Factory function to create the server to handle incoming mount requests.
-//
func NewServer() (srv *CSIDriverProviderServer, e error) {
return &CSIDriverProviderServer{}, nil
@@ -97,26 +100,44 @@ func (s *CSIDriverProviderServer) Mount(ctx context.Context, req *v1alpha1.Mount
if err != nil {
return nil, err
}
- domain := defaultKmsDomain
- if strings.Contains(domain, "%s") {
- domain = fmt.Sprintf(domain, region)
- }
- kmsClient, err := kms.NewClient(&openapi.Config{
- Endpoint: tea.String(domain),
- Credential: cred,
- })
+ var smProvider provider.SecretsManagerProvider
+ descriptors, err := provider.NewSecretObjectList(mountDir, translate, attrib[secProvAttrib])
if err != nil {
return nil, err
}
- // Get the list of secrets to mount. These will be grouped together by type
- // in a map of slices (map[string][]*SecretDescriptor) keyed by secret type
- // so that requests can be batched if the implementation allows it.
- descriptors, err := provider.NewSecretObjectList(mountDir, translate, attrib[secProvAttrib])
- if err != nil {
- return nil, err
+ objectTypeMap := make(map[string]bool)
+ for _, descriptor := range descriptors {
+ switch descriptor.ObjectType {
+ case "", provider.ObjectTypeKMS:
+ objectTypeMap[provider.ObjectTypeKMS] = true
+ case provider.ObjectTypeOOS:
+ objectTypeMap[provider.ObjectTypeOOS] = true
+ default:
+ return nil, fmt.Errorf("unsupported object type, only support %q and %q", provider.ObjectTypeKMS, provider.ObjectTypeOOS)
+ }
+ }
+
+ var kmsClient *kms.Client
+ var oosClient *oos.Client
+ if objectTypeMap[provider.ObjectTypeKMS] {
+ kmsClient, err = newKmsClient(cred, region)
+ if err != nil {
+ return nil, err
+ }
}
- smProvider := provider.SecretsManagerProvider{KmsClient: kmsClient}
+ if objectTypeMap[provider.ObjectTypeOOS] {
+ oosClient, err = newOosClient(cred, region)
+ if err != nil {
+ return nil, err
+ }
+ }
+
+ smProvider = provider.SecretsManagerProvider{
+ KmsClient: kmsClient,
+ OosClient: oosClient,
+ }
+
// Fetch all secrets before saving so we write nothing on failure.
var fetchedSecrets []*provider.SecretValue
secrets, err := smProvider.GetSecretValues(descriptors, curVerMap)
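Review bot: The default branch of the object-type switch rejects the mount without saying which type or object it saw, which makes the offending SecretProviderClass entry hard to find; include both: `return nil, fmt.Errorf("unsupported object type %q for object %q, only support %q and %q", descriptor.ObjectType, descriptor.ObjectName, provider.ObjectTypeKMS, provider.ObjectTypeOOS)`. Given that provider already validates each object in validateSecretObject, this type check arguably belongs there so NewSecretObjectList rejects it in one place. As a matter of style, the early `var smProvider provider.SecretsManagerProvider` can be a plain `smProvider := provider.SecretsManagerProvider{...}` at the point of construction, and `objectTypeMap` is used as a set, so `map[string]struct{}` states that intent. Mount starts before this hunk.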
@@ -143,8 +164,33 @@ func (s *CSIDriverProviderServer) Mount(ctx context.Context, req *v1alpha1.Mount
}
+func newKmsClient(cred credentials.Credential, region string) (*kms.Client, error) {
+ domain := defaultKmsDomain
+ if strings.Contains(domain, "%s") {
+ domain = fmt.Sprintf(domain, region)
+ }
+ kmsClient, err := kms.NewClient(&openapi.Config{
+ Endpoint: tea.String(domain),
+ Credential: cred,
+ })
+
+ return kmsClient, err
+}
+
+func newOosClient(cred credentials.Credential, region string) (*oos.Client, error) {
+ domain := defaultOosDomain
+ if strings.Contains(domain, "%s") {
+ domain = fmt.Sprintf(domain, region)
+ }
+ oosClient, err := oos.NewClient(&openapiv2.Config{
+ Endpoint: tea.String(domain),
+ Credential: cred,
+ })
+
+ return oosClient, err
+}
+
// Return the provider plugin version information to the driver.
-//
func (s *CSIDriverProviderServer) Version(ctx context.Context, req *v1alpha1.VersionRequest) (*v1alpha1.VersionResponse, error) {
return &v1alpha1.VersionResponse{
Version: "v1alpha1",