Introducing secret generation template

This patchset contains the function-manifests containing the template
to generate secrets. The secrets include both certificates and
passphrases.

Change-Id: Ie26fac9fe7f3918c8ebb746259d1d9bc0b423489

manifests/function/generate-secrets/generate-certificates-template.yaml

@@ -0,0 +1,41 @@
+apiVersion: airshipit.org/v1alpha1
+kind: Templater
+metadata:
+  name: generate-certificates-template
+  annotations:
+    config.kubernetes.io/function: |-
+      container:
+        image: quay.io/airshipit/templater:latest
+values:
+  certificates:
+template: |
+  {{- range $key, $val := .certificates }}
+  {{- $secretName := $key }}
+  {{- $secret := $val }}
+  {{- $ca := "" }}
+  {{- if not .validity }}
+    {{- $_ := set . "validity" 365 }}
+  {{- end }}
+  {{- if not .cn }}
+    {{- $_ := set . "cn" "kubernetes" }}
+  {{- end }}
+  {{- if .keyEncoding }}
+    {{- $ca = genCAWithKey .cn .validity (genPrivateKey .keyEncoding)}}
+  {{- else}}
+    {{- $ca = genCA .cn .validity }}
+  {{end -}}
+  ---
+  apiVersion: v1
+  kind: Secret
+  metadata:
+    name: {{ $secretName }}
+    {{- if $secret.deployk8s }}
+    namespace: {{ $secret.namespace | default "default" }}
+    {{- end }}
+    labels:
+      airshipit.org/deploy-k8s: {{ $secret.deployk8s | default "false" }}
+  data:
+    tls.crt: {{ $ca.Cert|b64enc|quote }}
+    tls.key: {{ $ca.Key|b64enc|quote }}
+  type: kubernetes.io/tls
+  {{ end -}}

manifests/function/generate-secrets/generate-passphrases-template.yaml

@@ -0,0 +1,53 @@
+apiVersion: airshipit.org/v1alpha1
+kind: Templater
+metadata:
+  name: generate-passphrases-template
+  annotations:
+    config.kubernetes.io/function: |-
+      container:
+        image: quay.io/airshipit/templater:latest
+values:
+  passphrases:
+template: |
+  {{- range $key, $val := .passphrases }}
+  {{- $secretName := $key }}
+  {{- $secret := $val }}
+  ---
+  apiVersion: v1
+  kind: Secret
+  type: Opaque
+  metadata:
+    name: {{ $secretName }}
+    {{- if $secret.deployk8s }}
+    namespace: {{ $secret.namespace | default "default" }}
+    {{- end }}
+    labels:
+      airshipit.org/deploy-k8s: {{ $secret.deployk8s | default "false" }}
+  data:
+    {{range $secret.values -}}
+      {{- if not .keyName }}
+      {{- $_ := set . "keyName" "password" }}
+      {{- end }}
+      {{ if not .generationType -}}
+        {{- fail "no valid generationType specified!" }}
+      {{ end -}}
+      {{if eq .generationType "static" -}}
+        {{ .keyName }}: {{ .value | b64enc }}
+      {{else if eq .generationType "randAscii" -}}
+        {{ .keyName }}: {{ randAscii .length | b64enc }}
+      {{else if eq .generationType "randAlpha" -}}
+        {{ .keyName }}: {{ randAlpha .length | b64enc }}
+      {{else if eq .generationType "randAlphaNum" -}}
+        {{ .keyName }}: {{ randAlphaNum .length | b64enc }}
+      {{else if eq .generationType "randNumeric" -}}
+        {{ .keyName }}: {{ randNumeric .length | b64enc }}
+      {{else if eq .generationType "regexGen" -}}
+        {{ .keyName }}: {{ regexGen .regex (.limit | int) | b64enc }}
+      {{else if eq .generationType "derivePassword" -}}
+        {{ .keyName }}: {{ derivePassword (.length | toUint32) .passwordType .masterPassword .user .site | b64enc }}
+      {{else -}}
+        {{ $error := printf "%s is not a valid generationType!" .generationType }}
+        {{- fail $error }}
+      {{end}}
+    {{end -}}
+  {{end -}}

manifests/function/generate-secrets/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - generate-passphrases-template.yaml
+  - generate-certificates-template.yaml

manifests/function/generate-secrets/replacements/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - secrets.yaml

manifests/function/generate-secrets/replacements/secrets.yaml

@@ -0,0 +1,27 @@
+apiVersion: airshipit.org/v1alpha1
+kind: ReplacementTransformer
+metadata:
+  name: generate-secret-replacements
+  annotations:
+    config.kubernetes.io/function: |-
+      container:
+        image: quay.io/airshipit/replacement-transformer:latest
+replacements:
+- source:
+    objref:
+      name: generate-secret-catalogue
+    fieldref: "{.generate.passphrases}"
+  target:
+    objref:
+      kind: Templater
+      name: generate-passphrases-template
+    fieldrefs: ["{.values.passphrases}"]
+- source:
+    objref:
+      name: generate-secret-catalogue
+    fieldref: "{.generate.certificates}"
+  target:
+    objref:
+      kind: Templater
+      name: generate-certificates-template
+    fieldrefs: ["{.values.certificates}"]

manifests/function/generatesecrets-example/README.md

@@ -0,0 +1,28 @@
+Function: generatesecrets-example
+=================================
+
+This function defines a secrets variable catalogue profile that
+can be consumed by the generate-secrets function to generate secrets.
+Using this example we can build other catalogues to generate passphrases
+and certificates.
+
+In the `example` defined passphrases and certificates fields are defined.
+Sprig library templater functions and other custom defined functions
+will be called to generate the respective passphrases and certificates.
+
+In passphrases catalogue the `generationType` field has to be specified, so that the
+passphrase generation happens based on the function. Here is the list of valid
+`generationType` functions supported as of now: `randAscii`, `randAlpha`,
+`randAlphaNum`, `randNumeric`, `derivePassword`, `regexGen`. Along with the
+`generationType` the corresponding fields for that function has to be specified.
+Refer to the `example` for the required fields for specific `generationType`.
+If no `generationType` or inavlid type is specified an appropriate
+error will be thrown and execution fails.
+
+For certificate generation, commonName(`cn`), `validity`, `keyEncoding` are
+the valid fields that are to be specified. If `cn` and `validity` are not
+specified they take "kubernetes" and "365" days as default values.
+
+The `/replacements` kustomization contains a substitution rule that injects
+the variables specified into the generate-secrets function template, which will be
+used to generate the respective passphrases and certificates based on the variables.

manifests/function/generatesecrets-example/certificates.yaml

@@ -0,0 +1,20 @@
+apiVersion: airshipit.org/v1alpha1
+kind: VariableCatalogue
+metadata:
+  # NOTE: change this when copying this example
+  name: certificates-example
+  labels:
+    airshipit.org/deploy-k8s: "false"
+generate:
+  certificates:
+    ca-cert:
+      namespace: dummy
+      cn: kubernetes
+      validity: 20
+    ca-cert-key:
+      deployk8s: true
+      keyEncoding: "rsa"
+      namespace: test
+      cn: k8
+      validity: 365
+

manifests/function/generatesecrets-example/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - passphrases.yaml
+  - certificates.yaml

manifests/function/generatesecrets-example/passphrases.yaml

@@ -0,0 +1,40 @@
+apiVersion: airshipit.org/v1alpha1
+kind: VariableCatalogue
+metadata:
+  # NOTE: change this when copying this example
+  name: passphrases-example
+  labels:
+    airshipit.org/deploy-k8s: "false"
+generate:
+  passphrases:
+    secret1:
+      namespace: ns1
+      deployk8s: true
+      values:
+      - keyName: key1
+        generationType: derivePassword
+        passwordType: long
+        user: test
+        site: example.com
+        masterPassword: master
+        length: 2
+      - generationType: randAlpha
+        length: 3
+      - keyName: key3
+        generationType: static
+        value: mypass
+      - keyName: key4
+        generationType: randAlphaNum
+        length: 4
+      - keyName: key5
+        generationType: randNumeric
+        length: 5
+    secret2:
+      namespace: test
+      values:
+      - generationType: randAscii
+        length: 3
+      - keyName: key2
+        generationType: regexGen
+        regex: "[efghul][a-z]{2,3}[0-9]{2,8}"
+        limit: 10

manifests/function/generatesecrets-example/replacements/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - secrets-replace.yaml

manifests/function/generatesecrets-example/replacements/secrets-replace.yaml

@@ -0,0 +1,33 @@
+# These rules inject passphrases and certificate variable values
+# from the `generate-secret-catalogue` into the `generate-passphrases-template`
+# and `generate-certificates-template` function's Template plugin configs respectively.
+apiVersion: airshipit.org/v1alpha1
+kind: ReplacementTransformer
+metadata:
+  # NOTE: change this when copying this example
+  name: generatesecrets-example-replacements
+  annotations:
+    config.kubernetes.io/function: |-
+      container:
+        image: quay.io/airshipit/replacement-transformer:latest
+replacements:
+- source:
+    objref:
+      # NOTE: change this to match your passphrases's metadata.name
+      name: passphrases-example
+    fieldref: "{.generate.passphrases}"
+  target:
+    objref:
+      kind: Templater
+      name: generate-passphrases-template
+    fieldrefs: ["{.values.passphrases}"]
+- source:
+    objref:
+      # NOTE: change this to match your certificates's metadata.name
+      name: certificates-example
+    fieldref: "{.generate.certificates}"
+  target:
+    objref:
+      kind: Templater
+      name: generate-certificates-template
+    fieldrefs: ["{.values.certificates}"]