handle agent certs with clusterid only in vault

add api auth enabled log
kube-tarian · Aug 20, 2023 · 653c02a · 653c02a
1 parent 94c8d25
commit 653c02a
Show file tree

Hide file tree

Showing 17 changed files with 320 additions and 73 deletions.
diff --git a/capten/agent/cmd/agent/main.go b/capten/agent/cmd/agent/main.go
@@ -46,8 +46,10 @@ func main() {
 
 	var grpcServer *grpc.Server
 	if cfg.AuthEnabled {
+		log.Info("Agent Authentication enabled")
 		grpcServer = grpc.NewServer(grpc.UnaryInterceptor(s.AuthInterceptor))
 	} else {
+		log.Info("Agent Authentication disabled")
 		grpcServer = grpc.NewServer()
 	}
 	agentpb.RegisterAgentServer(grpcServer, s)

diff --git a/server/captenserver_vs.yaml b/server/captenserver_vs.yaml
@@ -0,0 +1,29 @@
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: server-envoy-capten
+  namespace: intelops
+spec:
+  gateways:
+  - istio-system/intelops-gateway
+  hosts:
+  - captenenvoy.alpha.optimizor.app
+  http:
+  - corsPolicy:
+      allowCredentials: true
+      allowHeaders:
+      - '*'
+      allowMethods:
+      - GET
+      - OPTIONS
+      - PUT
+      - DELETE
+      - POST
+      allowOrigins:
+      - regex: .*
+    route:
+    - destination:
+        host: capten-server
+        port:
+          number: 8081
+    timeout: 30s
diff --git a/server/examples/agent1/agent_client1.go b/server/examples/agent1/agent_client1.go
@@ -0,0 +1,106 @@
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+
+	"github.com/intelops/go-common/credentials"
+	"github.com/intelops/go-common/logging"
+	"github.com/kube-tarian/kad/server/pkg/agent"
+	"github.com/kube-tarian/kad/server/pkg/pb/agentpb"
+)
+
+func main() {
+	log := logging.NewLogger()
+	cfg, err := getAgentConfig("https://captenagent.dev.optimizor.app")
+	if err != nil {
+		log.Fatalf("failed to load agent config: ", err)
+	}
+
+	ac, err := agent.NewAgent(log, cfg, nil)
+	if err != nil {
+		log.Fatalf("failed to connect to agent: ", err)
+		return
+	}
+	//storeServiceCred(ac.GetClient())
+	//storeGenericCred(ac.GetClient())
+	getLaunchUIApps(ac.GetClient())
+}
+
+func storeServiceCred(ac agentpb.AgentClient) {
+	serviceCred := credentials.ServiceCredential{
+		UserName: "testuser",
+		Password: "password2",
+	}
+	serviceCredMap := credentials.PrepareServiceCredentialMap(serviceCred)
+	_, err := ac.StoreCredential(context.Background(), &agentpb.StoreCredentialRequest{
+		CredentialType: credentials.ServiceUserCredentialType,
+		CredEntityName: "testentity",
+		CredIdentifier: "testentityuser",
+		Credential:     serviceCredMap,
+	})
+	if err != nil {
+		fmt.Println("store error: ", err)
+		return
+	}
+	fmt.Println("successful")
+}
+
+func storeGenericCred(ac agentpb.AgentClient) {
+	cred := map[string]string{
+		"UserName": "gentestuser",
+		"Password": "password3",
+	}
+
+	_, err := ac.StoreCredential(context.Background(), &agentpb.StoreCredentialRequest{
+		CredentialType: credentials.GenericCredentialType,
+		CredEntityName: "gentestentity",
+		CredIdentifier: "gentestentityuser",
+		Credential:     cred,
+	})
+	if err != nil {
+		fmt.Println("store error: ", err)
+		return
+	}
+	fmt.Println("successful")
+}
+
+func getLaunchUIApps(ac agentpb.AgentClient) {
+	resp, err := ac.GetClusterAppLaunches(context.Background(), &agentpb.GetClusterAppLaunchesRequest{})
+	if err != nil {
+		fmt.Println("get app launch error: ", err)
+		return
+	}
+	if resp.Status != agentpb.StatusCode_OK {
+		fmt.Println("get app launch error: ", resp.StatusMessage)
+		return
+	}
+
+	for _, app := range resp.LaunchConfigList {
+		fmt.Printf("app launch %s : %s, '%s', %s\n", app.ReleaseName, app.Category, app.Description, app.LaunchURL)
+		fmt.Printf("app launch icon %s : %s\n", app.ReleaseName, string(app.Icon))
+
+		dat, _ := json.Marshal(app)
+		fmt.Printf("%s", string(dat))
+	}
+
+	fmt.Println("successful")
+}
+
+func getAgentConfig(address string) (*agent.Config, error) {
+	cadata, err := os.ReadFile("/home/venkatk/dev/capten/cert/ca.crt")
+	if err != nil {
+		return nil, fmt.Errorf("ca failed, %v", err)
+	}
+	cdata, err := os.ReadFile("/home/venkatk/dev/capten/cert/client.crt")
+	if err != nil {
+		return nil, fmt.Errorf("client failed, %v", err)
+	}
+	ckey, err := os.ReadFile("/home/venkatk/dev/capten/cert/client.key")
+	if err != nil {
+		return nil, fmt.Errorf("key failed, %v", err)
+	}
+	return &agent.Config{Address: address, CaCert: string(cadata), Cert: string(cdata), Key: string(ckey)}, nil
+}
diff --git a/server/examples/server1/server_client.go b/server/examples/server1/server_client.go
@@ -0,0 +1,126 @@
+package main
+
+import (
+	"context"
+	"encoding/base64"
+	"fmt"
+	"os"
+
+	"github.com/kube-tarian/kad/server/pkg/pb/serverpb"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
+	"google.golang.org/grpc/metadata"
+)
+
+func main() {
+	fmt.Println("Registration testing")
+	gr, err := grpc.Dial("capten.alpha.optimizor.app:80", grpc.WithTransportCredentials(insecure.NewCredentials()))
+	if err != nil {
+		fmt.Println("GRPC failed", err)
+		return
+	}
+	sc := serverpb.NewServerClient(gr)
+	ctx := context.TODO()
+	ctx = metadata.AppendToOutgoingContext(ctx, "organizationID", "52faf15b-a2e5-4398-98d1-a053e22b536b")
+
+	resp1, err := sc.GetClusters(ctx, &serverpb.GetClustersRequest{})
+	if err != nil {
+		fmt.Println("error with get registrations ", err)
+	} else {
+		fmt.Println("registrations fetch done", resp1.Status, resp1.StatusMessage, len(resp1.Data))
+		for _, cluster := range resp1.Data {
+			fmt.Printf("cluster: %+v\n", *cluster)
+		}
+	}
+
+	cadata, err := os.ReadFile("/home/venkatk/dev/capten/cert/ca.crt")
+	if err != nil {
+		fmt.Println("ca failed", err)
+		return
+	}
+
+	cdata, err := os.ReadFile("/home/venkatk/dev/capten/cert/client.crt")
+	if err != nil {
+		fmt.Println("client failed", err)
+		return
+	}
+
+	ckey, err := os.ReadFile("/home/venkatk/dev/capten/cert/client.key")
+	if err != nil {
+		fmt.Println("key failed", err)
+		return
+	}
+
+	cadataStr := base64.StdEncoding.EncodeToString(cadata)
+	cdataStr := base64.StdEncoding.EncodeToString(cdata)
+	ckeyStr := base64.StdEncoding.EncodeToString(ckey)
+
+	nresp, err := sc.NewClusterRegistration(ctx, &serverpb.NewClusterRegistrationRequest{
+		AgentEndpoint:     "https://captenagent.dev.optimizor.app",
+		ClusterName:       "awscluster-t1",
+		ClientKeyData:     string(ckeyStr),
+		ClientCertData:    string(cdataStr),
+		ClientCAChainData: string(cadataStr),
+	})
+	if err != nil {
+		fmt.Println("error with registration ", err)
+	} else {
+		fmt.Println("Server testing done", nresp.Status, nresp.StatusMessage, nresp.ClusterID)
+	}
+
+	/*nresp1, err := sc.NewClusterRegistration(ctx, &serverpb.NewClusterRegistrationRequest{
+		AgentEndpoint:     "https://captenagent.dev.test.app",
+		ClusterName:       "awscluster-4",
+		ClientKeyData:     "fsdfgsdfsdf",
+		ClientCertData:    "bcvbvcbhhhfh",
+		ClientCAChainData: "tyrytertyeyeyey",
+	})
+	if err != nil {
+		fmt.Println("error with registration ", err)
+	} else {
+		fmt.Println("Server testing done", nresp1.Status, nresp1.StatusMessage, nresp1.ClusterID)
+	}*/
+
+	gresp2, err := sc.GetClusters(ctx, &serverpb.GetClustersRequest{})
+	if err != nil {
+		fmt.Println("error with get registrations ", err)
+	} else {
+		fmt.Println("registrations fetch done", gresp2.Status, gresp2.StatusMessage, len(gresp2.Data))
+		for _, cluster := range gresp2.Data {
+			fmt.Printf("cluster: %+v\n", *cluster)
+		}
+	}
+
+	/*uresp, err := sc.UpdateClusterRegistration(ctx, &serverpb.UpdateClusterRegistrationRequest{
+		ClusterID:         nresp.ClusterID,
+		AgentEndpoint:     "https://captenagent.dev.test.app1",
+		ClusterName:       "awscluster-3-update",
+		ClientKeyData:     string(ckeyStr),
+		ClientCertData:    string(cdataStr),
+		ClientCAChainData: string(cadataStr),
+	})
+	if err != nil {
+		fmt.Println("error with get registrations ", err)
+	} else {
+		fmt.Println("registrations fetch done", uresp.Status, uresp.StatusMessage)
+	}*/
+
+	gresp3, err := sc.GetClusters(ctx, &serverpb.GetClustersRequest{})
+	if err != nil {
+		fmt.Println("error with get registrations ", err)
+	} else {
+		fmt.Println("registrations fetch done", gresp3.Status, gresp3.StatusMessage, len(gresp3.Data))
+		for _, cluster := range gresp3.Data {
+			fmt.Printf("cluster: %+v\n", *cluster)
+		}
+	}
+
+	for _, cluster := range gresp3.Data {
+		dresp, err := sc.DeleteClusterRegistration(ctx, &serverpb.DeleteClusterRegistrationRequest{ClusterID: cluster.ClusterID})
+		if err != nil {
+			fmt.Println("error with get registrations ", err, cluster.ClusterID)
+		} else {
+			fmt.Println("registrations delete done", dresp.Status, dresp.StatusMessage, cluster.ClusterID)
+		}
+	}
+}
diff --git a/server/pkg/agent/agent_handler.go b/server/pkg/agent/agent_handler.go
@@ -24,9 +24,8 @@ func NewAgentHandler(log logging.Logger, serverStore store.ServerStore, oryClien
 	return &AgentHandler{log: log, serverStore: serverStore, agents: map[string]*Agent{}, oryClient: oryClient}
 }
 
-func (s *AgentHandler) AddAgent(orgId, clusterID string, agentCfg *Config) error {
-	clusterKey := getClusterAgentKey(orgId, clusterID)
-	if _, ok := s.agents[clusterKey]; ok {
+func (s *AgentHandler) AddAgent(clusterID string, agentCfg *Config) error {
+	if _, ok := s.agents[clusterID]; ok {
 		return nil
 	}
 
@@ -37,66 +36,62 @@ func (s *AgentHandler) AddAgent(orgId, clusterID string, agentCfg *Config) error
 
 	s.agentMutex.Lock()
 	defer s.agentMutex.Unlock()
-	s.agents[clusterKey] = agent
+	s.agents[clusterID] = agent
 	return err
 }
 
-func (s *AgentHandler) UpdateAgent(orgId, clusterID string, agentCfg *Config) error {
-	clusterKey := getClusterAgentKey(orgId, clusterID)
-	if _, ok := s.agents[clusterKey]; !ok {
-		return s.AddAgent(orgId, clusterID, agentCfg)
+func (s *AgentHandler) UpdateAgent(clusterID string, agentCfg *Config) error {
+	if _, ok := s.agents[clusterID]; !ok {
+		return s.AddAgent(clusterID, agentCfg)
 	}
 
-	s.RemoveAgent(orgId, clusterID)
-	return s.AddAgent(orgId, clusterID, agentCfg)
+	s.RemoveAgent(clusterID)
+	return s.AddAgent(clusterID, agentCfg)
 }
 
-func (s *AgentHandler) GetAgent(orgId, clusterID string) (*Agent, error) {
-	agent := s.getAgent(orgId, clusterID)
+func (s *AgentHandler) GetAgent(clusterID string) (*Agent, error) {
+	agent := s.getAgent(clusterID)
 	if agent != nil {
 		return agent, nil
 	}
 
-	cfg, err := s.getAgentConfig(orgId, clusterID)
+	cfg, err := s.getAgentConfig(clusterID)
 	if err != nil {
 		return nil, err
 	}
 
-	if err := s.AddAgent(orgId, clusterID, cfg); err != nil {
+	if err := s.AddAgent(clusterID, cfg); err != nil {
 		return nil, err
 	}
 
-	agent = s.getAgent(orgId, clusterID)
+	agent = s.getAgent(clusterID)
 	if agent != nil {
 		return agent, nil
 	}
 	return nil, fmt.Errorf("failed to get agent")
 }
 
-func (s *AgentHandler) GetAgentClusterDetail(orgId, clusterID string) *Config {
+func (s *AgentHandler) GetAgentClusterDetail(clusterID string) *Config {
 	s.agentMutex.RLock()
 	defer s.agentMutex.RUnlock()
-	clusterKey := getClusterAgentKey(orgId, clusterID)
-	if agent, ok := s.agents[clusterKey]; ok && agent != nil {
+	if agent, ok := s.agents[clusterID]; ok && agent != nil {
 		return agent.cfg
 	}
 
 	return &Config{}
 }
 
-func (s *AgentHandler) getAgent(orgId, clusterID string) *Agent {
+func (s *AgentHandler) getAgent(clusterID string) *Agent {
 	s.agentMutex.RLock()
 	defer s.agentMutex.RUnlock()
-	clusterKey := getClusterAgentKey(orgId, clusterID)
-	if agent, ok := s.agents[clusterKey]; ok && agent != nil {
+	if agent, ok := s.agents[clusterID]; ok && agent != nil {
 		return agent
 	}
 	return nil
 }
 
-func (s *AgentHandler) RemoveAgent(orgId, clusterID string) {
-	clusterKey := getClusterAgentKey(orgId, clusterID)
-	s.removeAgentEntry(clusterKey)
+func (s *AgentHandler) RemoveAgent(clusterID string) {
+	s.removeAgentEntry(clusterID)
 }
 
 func (s *AgentHandler) removeAgentEntry(clusterKey string) {
@@ -117,7 +112,7 @@ func (s *AgentHandler) Close() {
 	}
 }
 
-func (s *AgentHandler) getAgentConfig(orgId, clusterID string) (*Config, error) {
+func (s *AgentHandler) getAgentConfig(clusterID string) (*Config, error) {
 	agentCfg := &Config{}
 
 	clusterDetail, err := s.serverStore.GetClusterDetails(clusterID)
@@ -128,17 +123,14 @@ func (s *AgentHandler) getAgentConfig(orgId, clusterID string) (*Config, error)
 	agentCfg.Address = clusterDetail.Endpoint
 	agentCfg.ClusterName = clusterDetail.ClusterName
 
-	certData, err := credential.GetClusterCerts(context.TODO(), orgId, clusterID)
+	certData, err := credential.GetClusterCerts(context.TODO(), clusterID)
 	if err != nil {
 		return nil, errors.WithMessage(err, "failed get cert from vault")
 	}
 
 	agentCfg.CaCert = certData.CACert
 	agentCfg.Key = certData.Key
 	agentCfg.Cert = certData.Cert
+	s.log.Info("loaded agent certs for cluster %s", clusterID)
 	return agentCfg, err
 }
-
-func getClusterAgentKey(orgId, clusterID string) string {
-	return fmt.Sprintf("%s-%s", orgId, clusterID)
-}