diff --git a/manifests/function/generate-secrets/generate-certificates-template.yaml b/manifests/function/generate-secrets/generate-certificates-template.yaml
new file mode 100644
index 000000000..d98a69525
--- /dev/null
+++ b/manifests/function/generate-secrets/generate-certificates-template.yaml
@@ -0,0 +1,41 @@
+apiVersion: airshipit.org/v1alpha1
+kind: Templater
+metadata:
+ name: generate-certificates-template
+ annotations:
+ config.kubernetes.io/function: |-
+ container:
+ image: quay.io/airshipit/templater:latest
+values:
+ certificates:
+template: |
+ {{- range $key, $val := .certificates }}
+ {{- $secretName := $key }}
+ {{- $secret := $val }}
+ {{- $ca := "" }}
+ {{- if not .validity }}
+ {{- $_ := set . "validity" 365 }}
+ {{- end }}
+ {{- if not .cn }}
+ {{- $_ := set . "cn" "kubernetes" }}
+ {{- end }}
+ {{- if .keyEncoding }}
+ {{- $ca = genCAWithKey .cn .validity (genPrivateKey .keyEncoding)}}
+ {{- else}}
+ {{- $ca = genCA .cn .validity }}
+ {{end -}}
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: {{ $secretName }}
+ {{- if $secret.deployk8s }}
+ namespace: {{ $secret.namespace | default "default" }}
+ {{- end }}
+ labels:
+ airshipit.org/deploy-k8s: {{ $secret.deployk8s | default "false" }}
+ data:
+ tls.crt: {{ $ca.Cert|b64enc|quote }}
+ tls.key: {{ $ca.Key|b64enc|quote }}
+ type: kubernetes.io/tls
+ {{ end -}}
\ No newline at end of file
diff --git a/manifests/function/generate-secrets/generate-passphrases-template.yaml b/manifests/function/generate-secrets/generate-passphrases-template.yaml
new file mode 100644
index 000000000..456839986
--- /dev/null
+++ b/manifests/function/generate-secrets/generate-passphrases-template.yaml
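Review bot: The `airshipit.org/deploy-k8s` label on the generated Secret is rendered unquoted, so a catalogue entry with `deployk8s: true` produces a YAML boolean where Kubernetes requires a string label value; `airshipit.org/deploy-k8s: {{ $secret.deployk8s | default "false" | quote }}` keeps it a string on both paths. Both branches also mint a brand-new self-signed CA and private key on every render (sprig's `genCA`/`genCAWithKey` draw fresh key material each call, as far as I can tell), so re-running the function silently replaces the CA rather than reusing it; that deserves a header comment such as `# NOTE: every render generates a new CA key pair; capture the output once and do not regenerate casually`. The `keyEncoding` field is passed to `genPrivateKey`, which takes a key algorithm (`rsa`, `ecdsa`, `ed25519`, …) rather than an encoding, and an unrecognised value is not validated before it reaches `genCAWithKey`; renaming the field to `keyType` and adding a `fail` for unsupported values would make the contract explicit.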
@@ -0,0 +1,53 @@
+apiVersion: airshipit.org/v1alpha1
+kind: Templater
+metadata:
+ name: generate-passphrases-template
+ annotations:
+ config.kubernetes.io/function: |-
+ container:
+ image: quay.io/airshipit/templater:latest
+values:
+ passphrases:
+template: |
+ {{- range $key, $val := .passphrases }}
+ {{- $secretName := $key }}
+ {{- $secret := $val }}
+ ---
+ apiVersion: v1
+ kind: Secret
+ type: Opaque
+ metadata:
+ name: {{ $secretName }}
+ {{- if $secret.deployk8s }}
+ namespace: {{ $secret.namespace | default "default" }}
+ {{- end }}
+ labels:
+ airshipit.org/deploy-k8s: {{ $secret.deployk8s | default "false" }}
+ data:
+ {{range $secret.values -}}
+ {{- if not .keyName }}
+ {{- $_ := set . "keyName" "password" }}
+ {{- end }}
+ {{ if not .generationType -}}
+ {{- fail "no valid generationType specified!" }}
+ {{ end -}}
+ {{if eq .generationType "static" -}}
+ {{ .keyName }}: {{ .value | b64enc }}
+ {{else if eq .generationType "randAscii" -}}
+ {{ .keyName }}: {{ randAscii .length | b64enc }}
+ {{else if eq .generationType "randAlpha" -}}
+ {{ .keyName }}: {{ randAlpha .length | b64enc }}
+ {{else if eq .generationType "randAlphaNum" -}}
+ {{ .keyName }}: {{ randAlphaNum .length | b64enc }}
+ {{else if eq .generationType "randNumeric" -}}
+ {{ .keyName }}: {{ randNumeric .length | b64enc }}
+ {{else if eq .generationType "regexGen" -}}
+ {{ .keyName }}: {{ regexGen .regex (.limit | int) | b64enc }}
+ {{else if eq .generationType "derivePassword" -}}
+ {{ .keyName }}: {{ derivePassword (.length | toUint32) .passwordType .masterPassword .user .site | b64enc }}
+ {{else -}}
+ {{ $error := printf "%s is not a valid generationType!" .generationType }}
+ {{- fail $error }}
+ {{end}}
+ {{end -}}
+ {{end -}}
diff --git a/manifests/function/generate-secrets/kustomization.yaml b/manifests/function/generate-secrets/kustomization.yaml
new file mode 100644
index 000000000..f938b4334
--- /dev/null
+++ b/manifests/function/generate-secrets/kustomization.yaml
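Review bot: The `static` branch base64-encodes `.value` and the random branches pass `.length` straight through without checking either exists, so a catalogue entry that omits the field dies inside `b64enc`/`randAlpha` with a type error instead of the clear `fail` message the `generationType` check already provides; guards like `{{- if and (eq .generationType "static") (not .value) }}{{ fail "static generationType requires value" }}{{ end }}` and `{{- if lt (.length | int) 1 }}{{ fail "length must be a positive integer" }}{{ end }}` ahead of the dispatch would close that. The `static` and `derivePassword` paths also mean the plaintext secret (`.value`, `.masterPassword`) lives in the VariableCatalogue that feeds this Templater, which is ordinary source-controlled YAML rather than a Secret, and the template header should warn that those catalogue fields are themselves secrets. `(.length | toUint32)` is passed as the first argument of sprig's `derivePassword`, which is the counter rather than an output length (the length is fixed by `passwordType`), so the field name misleads catalogue authors; rename it or document it. Finally, `airshipit.org/deploy-k8s: {{ $secret.deployk8s | default "false" }}` renders a bare `true` for `deployk8s: true`, which is not a valid string label value; append `| quote`.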
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - generate-passphrases-template.yaml
+ - generate-certificates-template.yaml
diff --git a/manifests/function/generate-secrets/replacements/kustomization.yaml b/manifests/function/generate-secrets/replacements/kustomization.yaml
new file mode 100644
index 000000000..e2740c9c9
--- /dev/null
+++ b/manifests/function/generate-secrets/replacements/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - secrets.yaml
diff --git a/manifests/function/generate-secrets/replacements/secrets.yaml b/manifests/function/generate-secrets/replacements/secrets.yaml
new file mode 100644
index 000000000..76444ce05
--- /dev/null
+++ b/manifests/function/generate-secrets/replacements/secrets.yaml
@@ -0,0 +1,27 @@
+apiVersion: airshipit.org/v1alpha1
+kind: ReplacementTransformer
+metadata:
+ name: generate-secret-replacements
+ annotations:
+ config.kubernetes.io/function: |-
+ container:
+ image: quay.io/airshipit/replacement-transformer:latest
+replacements:
+- source:
+ objref:
+ name: generate-secret-catalogue
+ fieldref: "{.generate.passphrases}"
+ target:
+ objref:
+ kind: Templater
+ name: generate-passphrases-template
+ fieldrefs: ["{.values.passphrases}"]
+- source:
+ objref:
+ name: generate-secret-catalogue
+ fieldref: "{.generate.certificates}"
+ target:
+ objref:
+ kind: Templater
+ name: generate-certificates-template
+ fieldrefs: ["{.values.certificates}"]
diff --git a/manifests/function/generatesecrets-example/README.md b/manifests/function/generatesecrets-example/README.md
new file mode 100644
index 000000000..373455499
--- /dev/null
+++ b/manifests/function/generatesecrets-example/README.md
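Review bot: `image: quay.io/airshipit/replacement-transformer:latest` runs the function that carries passphrase and certificate material by a mutable tag, so the code operating on those values can change underneath a release and cannot be reproduced later; pin it by digest, e.g. `image: quay.io/airshipit/replacement-transformer@sha256:<digest>`, or at least an immutable version tag (the two Templater functions in this change use `templater:latest` the same way). The source `objref` entries name only `generate-secret-catalogue` with no `kind`, so, depending on how the transformer matches references, any object with that name could supply the values; adding `kind: VariableCatalogue` to both sources narrows it to the intended document.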
@@ -0,0 +1,28 @@
+Function: generatesecrets-example
+=================================
+
+This function defines a secrets variable catalogue profile that
+can be consumed by the generate-secrets function to generate secrets.
+Using this example we can build other catalogues to generate passphrases
+and certificates.
+
+In the `example` defined passphrases and certificates fields are defined.
+Sprig library templater functions and other custom defined functions
+will be called to generate the respective passphrases and certificates.
+
+In passphrases catalogue the `generationType` field has to be specified, so that the
+passphrase generation happens based on the function. Here is the list of valid
+`generationType` functions supported as of now: `randAscii`, `randAlpha`,
+`randAlphaNum`, `randNumeric`, `derivePassword`, `regexGen`. Along with the
+`generationType` the corresponding fields for that function has to be specified.
+Refer to the `example` for the required fields for specific `generationType`.
+If no `generationType` or inavlid type is specified an appropriate
+error will be thrown and execution fails.
+
+For certificate generation, commonName(`cn`), `validity`, `keyEncoding` are
+the valid fields that are to be specified. If `cn` and `validity` are not
+specified they take "kubernetes" and "365" days as default values.
+
+The `/replacements` kustomization contains a substitution rule that injects
+the variables specified into the generate-secrets function template, which will be
+used to generate the respective passphrases and certificates based on the variables.
diff --git a/manifests/function/generatesecrets-example/certificates.yaml b/manifests/function/generatesecrets-example/certificates.yaml
new file mode 100644
index 000000000..d6a6da195
--- /dev/null
+++ b/manifests/function/generatesecrets-example/certificates.yaml
@@ -0,0 +1,20 @@
+apiVersion: airshipit.org/v1alpha1
+kind: VariableCatalogue
+metadata:
+ # NOTE: change this when copying this example
+ name: certificates-example
+ labels:
+ airshipit.org/deploy-k8s: "false"
+generate:
+ certificates:
+ ca-cert:
+ namespace: dummy
+ cn: kubernetes
+ validity: 20
+ ca-cert-key:
+ deployk8s: true
+ keyEncoding: "rsa"
+ namespace: test
+ cn: k8
+ validity: 365
+
diff --git a/manifests/function/generatesecrets-example/kustomization.yaml b/manifests/function/generatesecrets-example/kustomization.yaml
new file mode 100644
index 000000000..c3fc341b0
--- /dev/null
+++ b/manifests/function/generatesecrets-example/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - passphrases.yaml
+ - certificates.yaml
diff --git a/manifests/function/generatesecrets-example/passphrases.yaml b/manifests/function/generatesecrets-example/passphrases.yaml
new file mode 100644
index 000000000..cae802c70
--- /dev/null
+++ b/manifests/function/generatesecrets-example/passphrases.yaml
@@ -0,0 +1,40 @@
+apiVersion: airshipit.org/v1alpha1
+kind: VariableCatalogue
+metadata:
+ # NOTE: change this when copying this example
+ name: passphrases-example
+ labels:
+ airshipit.org/deploy-k8s: "false"
+generate:
+ passphrases:
+ secret1:
+ namespace: ns1
+ deployk8s: true
+ values:
+ - keyName: key1
+ generationType: derivePassword
+ passwordType: long
+ user: test
+ site: example.com
+ masterPassword: master
+ length: 2
+ - generationType: randAlpha
+ length: 3
+ - keyName: key3
+ generationType: static
+ value: mypass
+ - keyName: key4
+ generationType: randAlphaNum
+ length: 4
+ - keyName: key5
+ generationType: randNumeric
+ length: 5
+ secret2:
+ namespace: test
+ values:
+ - generationType: randAscii
+ length: 3
+ - keyName: key2
+ generationType: regexGen
+ regex: "[efghul][a-z]{2,3}[0-9]{2,8}"
+ limit: 10
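Review bot: The example passphrase catalogue commits literal secret inputs — `masterPassword: master` and `value: mypass` — and the README in this change tells users to copy the example, so the plaintext that `derivePassword` and `static` entries depend on ends up in source control next to the catalogue; the `# NOTE: change this when copying this example` comment should say so, e.g. `# NOTE: static values and masterPassword are secrets in their own right; never commit real ones here`. The lengths used (`length: 2`, `3`, `4`, `5`) yield passphrases far too short for anything but a demo and will be copied verbatim; either raise them or add `# example-only lengths; use 32 or more for real deployments` so the file is not mistaken for a safe template. Both example catalogues set `deployk8s: true` with a `namespace`, meaning the rendered Secrets are intended for the cluster, which makes the weak defaults here more than cosmetic.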
diff --git a/manifests/function/generatesecrets-example/replacements/kustomization.yaml b/manifests/function/generatesecrets-example/replacements/kustomization.yaml
new file mode 100644
index 000000000..cdaa6406c
--- /dev/null
+++ b/manifests/function/generatesecrets-example/replacements/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - secrets-replace.yaml
diff --git a/manifests/function/generatesecrets-example/replacements/secrets-replace.yaml b/manifests/function/generatesecrets-example/replacements/secrets-replace.yaml
new file mode 100644
index 000000000..d70e7fcff
--- /dev/null
+++ b/manifests/function/generatesecrets-example/replacements/secrets-replace.yaml
@@ -0,0 +1,33 @@
+# These rules inject passphrases and certificate variable values
+# from the `generate-secret-catalogue` into the `generate-passphrases-template`
+# and `generate-certificates-template` function's Template plugin configs respectively.
+apiVersion: airshipit.org/v1alpha1
+kind: ReplacementTransformer
+metadata:
+ # NOTE: change this when copying this example
+ name: generatesecrets-example-replacements
+ annotations:
+ config.kubernetes.io/function: |-
+ container:
+ image: quay.io/airshipit/replacement-transformer:latest
+replacements:
+- source:
+ objref:
+ # NOTE: change this to match your passphrases's metadata.name
+ name: passphrases-example
+ fieldref: "{.generate.passphrases}"
+ target:
+ objref:
+ kind: Templater
+ name: generate-passphrases-template
+ fieldrefs: ["{.values.passphrases}"]
+- source:
+ objref:
+ # NOTE: change this to match your certificates's metadata.name
+ name: certificates-example
+ fieldref: "{.generate.certificates}"
+ target:
+ objref:
+ kind: Templater
+ name: generate-certificates-template
+ fieldrefs: ["{.values.certificates}"]
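Review bot: The header comment says the rules inject values "from the `generate-secret-catalogue`", but the two source objrefs below read `passphrases-example` and `certificates-example`, so the comment describes a different document than the one the rules actually consume; rewrite it as `# from the passphrases-example and certificates-example catalogues into the generate-passphrases-template` / `# and generate-certificates-template function's Templater configs respectively.` The source objrefs carry no `kind`, so, depending on how the transformer resolves references, an unrelated object with the same name could be picked up as the secret source; adding `kind: VariableCatalogue` to each source objref makes the match explicit.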