s3: add Kubernetes Secrets credentials provider

ahouene · ahouene · commit 22baee0da252 · 2023-09-04T14:06:18.000+02:00
diff --git a/backends/s3/credentials.go b/backends/s3/credentials.go
@@ -0,0 +1,50 @@
+package s3
+
+import (
+	"errors"
+	"os"
+
+	"github.com/minio/minio-go/v7/pkg/credentials"
+)
+
+// K8sSecretProvider is an implementation of Minio's credentials.Provider,
+// allowing to read credentials from Kubernetes secrets, as described in
+// https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure.
+type K8sSecretProvider struct {
+	// Path to the fiel containing the access key,
+	// e.g. /etc/s3-secrets/access-key.
+	AccessKeyFilename string `json:"access_key_file"`
+
+	// Path to the fiel containing the secret key,
+	// e.g. /etc/s3-secrets/secret-key.
+	SecretKeyFilename string `json:"secret_key_file"`
+}
+
+// IsExpired implements credentials.Provider.
+// As there is no totally reliable way to tell
+// if a file was modified accross all filesystems except opening it,
+// we always return true, and p.Retrieve will open it regardless.
+func (*K8sSecretProvider) IsExpired() bool {
+	return true
+}
+
+// Retrieve implements credentials.Provider.
+// It reads files pointed to by p.AccessKeyFilename and p.SecretKeyFilename.
+func (p *K8sSecretProvider) Retrieve() (value credentials.Value, err error) {
+	load := func(filename string, dst *string) {
+		b, err1 := os.ReadFile(filename)
+		if err1 != nil {
+			err = errors.Join(err, err1)
+			return
+		}
+
+		*dst = string(b)
+	}
+
+	load(p.AccessKeyFilename, &value.AccessKeyID)
+	load(p.SecretKeyFilename, &value.SecretAccessKey)
+
+	return value, err
+}
+
+var _ credentials.Provider = new(K8sSecretProvider)
diff --git a/backends/s3/credentials_test.go b/backends/s3/credentials_test.go
@@ -0,0 +1,98 @@
+package s3_test
+
+import (
+	"context"
+	"io"
+	"os"
+	"testing"
+
+	"github.com/PowerDNS/simpleblob/backends/s3"
+	"github.com/PowerDNS/simpleblob/backends/s3/s3testing"
+	"github.com/minio/minio-go/v7"
+	"github.com/minio/minio-go/v7/pkg/credentials"
+)
+
+func TestPodProvider(t *testing.T) {
+	if testing.Short() && !s3testing.HasLocalMinio() {
+		t.Skip("Skipping test requiring downloading minio")
+	}
+
+	_ = os.Chdir(t.TempDir())
+
+	// Instanciate provider (what we're testing).
+	provider := &s3.K8sSecretProvider{
+		AccessKeyFilename: "access-key",
+		SecretKeyFilename: "secret-key",
+	}
+
+	// writeFiles creates or overwrites provider files
+	// with the same content.
+	writeFiles := func(content string) {
+		writeContent := func(filename string) {
+			f, err := os.Create(filename)
+			if err != nil {
+				t.Fatal(err)
+			}
+			defer f.Close()
+			if content == "" {
+				return
+			}
+			_, err = io.WriteString(f, content)
+			if err != nil {
+				t.Fatal(err)
+			}
+		}
+		writeContent(provider.AccessKeyFilename)
+		writeContent(provider.SecretKeyFilename)
+	}
+
+	ctx := context.Background()
+	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
+	// Create server
+	addr, stop, err := s3testing.ServeMinio(ctx, ".")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer stop()
+
+	// First credential files creation.
+	// Keep them empty for now,
+	// so that calls to the server will fail.
+	writeFiles("")
+
+	// Create minio client, using our provider.
+	creds := credentials.New(provider)
+	clt, err := minio.New(addr, &minio.Options{
+		Creds:  creds,
+		Region: "us-east-1",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	assertClientSuccess := func(want bool, when string) {
+		_, err = clt.BucketExists(ctx, "doesnotmatter")
+		s := "fail"
+		if want {
+			s = "succeed"
+		}
+		ok := (err == nil) == want
+		if !ok {
+			t.Fatalf("expected call to %s %s", s, when)
+		}
+	}
+
+	// The files do not hold the right values,
+	// so a call to the server should fail.
+	assertClientSuccess(false, "just after init")
+
+	// Write the right keys to the files.
+	writeFiles(s3testing.AdminUserOrPassword)
+	assertClientSuccess(true, "after changing files content")
+
+	// Change content of the files.
+	writeFiles("badcredentials")
+	assertClientSuccess(false, "after changing again, to bad credentials")
+}
diff --git a/backends/s3/s3.go b/backends/s3/s3.go
@@ -45,6 +45,9 @@ type Options struct {
 	AccessKey string `yaml:"access_key"`
 	SecretKey string `yaml:"secret_key"`
 
+	// Allow using custom credentials provider.
+	Provider K8sSecretProvider `yaml:"kubernetes_secrets,omitempty"`
+
 	// Region defaults to "us-east-1", which also works for Minio
 	Region string `yaml:"region"`
 	Bucket string `yaml:"bucket"`
@@ -93,10 +96,11 @@ type Options struct {
 }
 
 func (o Options) Check() error {
-	if o.AccessKey == "" {
+	hasProvider := o.Provider != K8sSecretProvider{}
+	if !hasProvider && o.AccessKey == "" {
 		return fmt.Errorf("s3 storage.options: access_key is required")
 	}
-	if o.SecretKey == "" {
+	if !hasProvider && o.SecretKey == "" {
 		return fmt.Errorf("s3 storage.options: secret_key is required")
 	}
 	if o.Bucket == "" {
@@ -342,8 +346,13 @@ func New(ctx context.Context, opt Options) (*Backend, error) {
 		return nil, fmt.Errorf("unsupported scheme for S3: '%s', use http or https.", u.Scheme)
 	}
 
+	creds := credentials.NewStaticV4(opt.AccessKey, opt.SecretKey, "")
+	if opt.Provider != (K8sSecretProvider{}) {
+		creds = credentials.New(&opt.Provider)
+	}
+
 	cfg := &minio.Options{
-		Creds:     credentials.NewStaticV4(opt.AccessKey, opt.SecretKey, ""),
+		Creds:     creds,
 		Secure:    useSSL,
 		Transport: hc.Transport,
 		Region:    opt.Region,
@@ -404,7 +413,7 @@ func convertMinioError(err error, isList bool) error {
 	}
 	errRes := minio.ToErrorResponse(err)
 	if !isList && errRes.StatusCode == 404 {
-    		return fmt.Errorf("%w: %s", os.ErrNotExist, err.Error())
+		return fmt.Errorf("%w: %s", os.ErrNotExist, err.Error())
 	}
 	if errRes.Code == "BucketAlreadyOwnedByYou" {
 		return nil
diff --git a/backends/s3/s3testing/minio.go b/backends/s3/s3testing/minio.go
@@ -0,0 +1,131 @@
+package s3testing
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"os/exec"
+	"runtime"
+	"time"
+)
+
+const (
+	AdminUserOrPassword = "simpleblob"
+)
+
+// ServeMinio starts a Minio server in the background,
+// and waits for it to be ready.
+// It returns its address,
+// and a function to stop the server gracefully.
+//
+// The admin username and password for the server are both "simpleblob".
+//
+// If the minio binary cannot be found locally,
+// it is downloaded by calling MinioBin.
+func ServeMinio(ctx context.Context, dir string) (string, func() error, error) {
+	port, err := FreePort()
+	if err != nil {
+		return "", nil, err
+	}
+	addr := fmt.Sprintf("127.0.0.1:%d", port)
+
+	cmdname, err := MinioBin()
+	if err != nil {
+		return "", nil, err
+	}
+
+	cmd := exec.CommandContext(ctx, cmdname, "server", "--quiet", "--address", addr, dir)
+	cmd.Env = append(cmd.Environ(), "MINIO_BROWSER=off")
+	cmd.Env = append(cmd.Env, "MINIO_ROOT_USER="+AdminUserOrPassword, "MINIO_ROOT_PASSWORD="+AdminUserOrPassword)
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	if err := cmd.Start(); err != nil {
+		return "", nil, err
+	}
+
+	// Wait for server to accept requests.
+	readyURL := "http://" + addr + "/minio/health/ready"
+	ticker := time.NewTicker(30 * time.Millisecond)
+	defer ticker.Stop()
+	for {
+		select {
+		case <-ctx.Done():
+			return "", nil, ctx.Err()
+		case <-ticker.C:
+		}
+
+		resp, err := http.Get(readyURL)
+		if err == nil && resp.StatusCode == 200 {
+			break
+		}
+	}
+
+	stop := func() error {
+		_ = cmd.Process.Signal(os.Interrupt)
+		return cmd.Wait()
+	}
+	return addr, stop, nil
+}
+
+// minioExecPath is the cached path to minio binary,
+// that is returned when calling MinioBin.
+var minioExecPath string
+
+// HasLocalMinio returns true if minio can be found in PATH.
+// If an error occurs while searching,
+// the function panics.
+func HasLocalMinio() bool {
+	_, err := exec.LookPath("minio")
+	if err != nil && !errors.Is(err, exec.ErrNotFound) {
+		panic(err)
+	}
+	return err == nil
+}
+
+// MinioBin tries to find minio in PATH,
+// or downloads it to a temporary file.
+//
+// The result is cached and shared among callers.
+func MinioBin() (string, error) {
+	if minioExecPath != "" {
+		return minioExecPath, nil
+	}
+
+	binpath, err := exec.LookPath("minio")
+	if err == nil {
+		minioExecPath = binpath
+		return binpath, nil
+	}
+	if !errors.Is(err, exec.ErrNotFound) {
+		return "", err
+	}
+
+	f, err := os.CreateTemp("", "minio")
+	if err != nil {
+		return "", err
+	}
+	defer f.Close()
+
+	url := fmt.Sprintf("https://dl.min.io/server/minio/release/%s-%s/minio", runtime.GOOS, runtime.GOARCH)
+	resp, err := http.Get(url)
+	if err != nil {
+		return "", err
+	}
+	defer resp.Body.Close()
+
+	_, err = io.Copy(f, resp.Body)
+	if err != nil {
+		return "", err
+	}
+
+	err = f.Chmod(0755)
+	if err != nil {
+		return "", err
+	}
+
+	minioExecPath = f.Name()
+	return minioExecPath, nil
+}
diff --git a/backends/s3/s3testing/port.go b/backends/s3/s3testing/port.go
@@ -0,0 +1,14 @@
+package s3testing
+
+import "net"
+
+// FreePort returns a port number free for use.
+func FreePort() (int, error) {
+	l, err := net.Listen("tcp", ":0")
+	if err != nil {
+		return 0, err
+	}
+	defer l.Close()
+	addr := l.Addr().(*net.TCPAddr)
+	return addr.Port, nil
+}
