Deployment barbican-kms-plugin

Implement Makefile, Dockefile, pod manifests

Author: adisky

Gopkg.lock

@@ -59,7 +59,7 @@ endif
 depend-update: work
 	dep ensure -update -v
 
-build: openstack-cloud-controller-manager cinder-provisioner cinder-flex-volume-driver cinder-csi-plugin k8s-keystone-auth client-keystone-auth octavia-ingress-controller manila-provisioner
+build: openstack-cloud-controller-manager cinder-provisioner cinder-flex-volume-driver cinder-csi-plugin k8s-keystone-auth client-keystone-auth octavia-ingress-controller manila-provisioner barbican-kms-plugin
 
 openstack-cloud-controller-manager: depend $(SOURCES)
 	CGO_ENABLED=0 GOOS=$(GOOS) go build \
@@ -109,6 +109,12 @@ manila-provisioner: depend $(SOURCES)
 		-o manila-provisioner \
 		cmd/manila-provisioner/main.go
 
+barbican-kms-plugin: depend $(SOURCES)
+	cd $(DEST) && CGO_ENABLED=0 GOOS=$(GOOS) go build \
+		-ldflags $(LDFLAGS) \
+		-o barbican-kms-plugin \
+		cmd/barbican-kms-plugin/main.go
+
 test: unit functional
 
 check: depend fmt vet lint import-boss
@@ -193,7 +199,7 @@ realclean: clean
 shell:
 	$(SHELL) -i
 
-images: image-controller-manager image-flex-volume-driver image-provisioner image-csi-plugin image-k8s-keystone-auth image-octavia-ingress-controller image-manila-provisioner
+images: image-controller-manager image-flex-volume-driver image-provisioner image-csi-plugin image-k8s-keystone-auth image-octavia-ingress-controller image-manila-provisioner image-kms-plugin
 
 image-controller-manager: depend openstack-cloud-controller-manager
 ifeq ($(GOOS),linux)
@@ -258,6 +264,15 @@ else
 	$(error Please set GOOS=linux for building the image)
 endif
 
+image-kms-plugin: depend barbican-kms-plugin
+ifeq ($(GOOS), linux)
+	cp barbican-kms-plugin cluster/images/barbican-kms-plugin
+	docker build -t $(REGISTRY)/barbican-kms-plugin:$(VERSION) cluster/images/barbican-kms-plugin
+	rm cluster/images/barbican-kms-plugin/barbican-kms-plugin
+else
+	$(error Please set GOOS=linux for building the image)
+endif
+
 upload-images: images
 	@echo "push images to $(REGISTRY)"
 	docker login -u="$(DOCKER_USERNAME)" -p="$(DOCKER_PASSWORD)";

Makefile

@@ -0,0 +1,7 @@
+FROM alpine:3.7
+LABEL maintainers="Kubernetes Authors"
+LABEL description="Barbican KMS Plugin"
+
+ADD barbican-kms-plugin /bin/
+
+CMD ["sh", "-c", "/bin/barbican-kms-plugin --socketpath ${socketpath} --cloud-config ${cloudconfig}"]

cluster/images/barbican-kms-plugin/Dockerfile

@@ -0,0 +1,11 @@
+kind: EncryptionConfig
+apiVersion: v1
+resources:
+  - resources:
+    - secrets
+    providers:
+    - kms:
+        name : barbican
+        endpoint: unix:///var/lib/kms/kms.sock
+        cachesize: 20
+    - identity: {}

manifests/barbican-kms/encryption-config.yaml

@@ -0,0 +1,24 @@
+apiVersion: v1 
+kind: Pod 
+metadata: 
+ name: barbican-kms
+spec: 
+  containers: 
+    - name: barbican-kms 
+      image: docker.io/k8scloudprovider/barbican-kms-plugin:latest
+      args:
+        - "--socketpath=/kms/kms.sock"
+        - "--cloud-config=/etc/kubernetes/cloud-config"
+      volumeMounts:
+        - name: cloud-config
+          mountPath: /etc/kubernetes/
+        - name: socket-dir
+          mountPath: /kms/
+  volumes:
+  - name: config
+    hostPath:
+      path: /etc/kubernetes    
+  - name: socket-dir
+    hostPath:
+      path: /var/lib/kms/
+      type: DirectoryOrCreate

manifests/barbican-kms/pod.yaml

@@ -8,7 +8,7 @@ import (
 )
 
 type BarbicanService interface {
-	GetSecret(cfg *Config) ([]byte, error)
+	GetSecret(cfg Config) ([]byte, error)
 }
 
 type KMSOpts struct {
@@ -52,7 +52,7 @@ func (cfg Config) toAuthOptions() gophercloud.AuthOptions {
 }
 
 // NewBarbicanClient creates new BarbicanClient
-func newBarbicanClient(cfg *Config) (client *gophercloud.ServiceClient, err error) {
+func newBarbicanClient(cfg Config) (client *gophercloud.ServiceClient, err error) {
 
 	provider, err := openstack.AuthenticatedClient(cfg.toAuthOptions())
 
@@ -71,7 +71,7 @@ func newBarbicanClient(cfg *Config) (client *gophercloud.ServiceClient, err erro
 }
 
 // GetSecret gets unencrypted secret
-func (barbican *Barbican) GetSecret(cfg *Config) ([]byte, error) {
+func (barbican *Barbican) GetSecret(cfg Config) ([]byte, error) {
 
 	client, err := newBarbicanClient(cfg)
 

pkg/kms/barbican/barbican.go

@@ -5,7 +5,7 @@ import "encoding/hex"
 type FakeBarbican struct {
 }
 
-func (client *FakeBarbican) GetSecret(cfg *Config) ([]byte, error) {
+func (client *FakeBarbican) GetSecret(cfg Config) ([]byte, error) {
 	return hex.DecodeString("6368616e676520746869732070617373")
 
 }

pkg/kms/barbican/fake_barbican.go

@@ -12,7 +12,7 @@ import (
 
 func main() {
 
-	connection, err := grpc.Dial("unix:///tmp/socketfile.sock", grpc.WithInsecure())
+	connection, err := grpc.Dial("unix:///var/lib/kms/kms.sock", grpc.WithInsecure())
 	defer connection.Close()
 	if err != nil {
 		fmt.Printf("\nConnection to KMS plugin failed, error: %v", err)

pkg/kms/client/client.go

@@ -24,30 +24,30 @@ const (
 
 // KMSserver struct
 type KMSserver struct {
-	cfg      *barbican.Config
+	cfg      barbican.Config
 	barbican barbican.BarbicanService
 }
 
-func initConfig(configFilePath string) (cfg *barbican.Config, err error) {
+func initConfig(configFilePath string, cfg *barbican.Config) error {
 
 	config, err := os.Open(configFilePath)
 	defer config.Close()
 	if err != nil {
-		return nil, err
+		return err
 	}
 	err = gcfg.FatalOnly(gcfg.ReadInto(cfg, config))
 	if err != nil {
-		return nil, err
+		return err
 	}
-	return cfg, nil
+	return nil
 }
 
 // Run Grpc server for barbican KMS
 func Run(configFilePath string, socketpath string, sigchan <-chan os.Signal) (err error) {
 
 	glog.Infof("Barbican KMS Plugin Starting Version: %s, RunTimeVersion: %s", version, runtimeversion)
 	s := new(KMSserver)
-	s.cfg, err = initConfig(configFilePath)
+	err = initConfig(configFilePath, &s.cfg)
 	s.barbican = &barbican.Barbican{}
 	if err != nil {
 		glog.V(4).Infof("Error in Getting Config File: %v", err)