main.go

// Copyright 2022 VaultOperator Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package main

import (
	"errors"
	"flag"
	"os"

	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
	// to ensure that exec-entrypoint and run can make use of them.
	_ "k8s.io/client-go/plugin/pkg/client/auth"

	"k8s.io/apimachinery/pkg/runtime"
	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
	ctrl "sigs.k8s.io/controller-runtime"
	"sigs.k8s.io/controller-runtime/pkg/healthz"
	"sigs.k8s.io/controller-runtime/pkg/log/zap"

	vaultv1alpha1 "github.com/finleap-connect/vaultoperator/api/v1alpha1"
	"github.com/finleap-connect/vaultoperator/controllers"
	"github.com/finleap-connect/vaultoperator/vault"
	//+kubebuilder:scaffold:imports
)

var (
	scheme   = runtime.NewScheme()
	setupLog = ctrl.Log.WithName("setup")
)

func init() {
	utilruntime.Must(clientgoscheme.AddToScheme(scheme))

	utilruntime.Must(vaultv1alpha1.AddToScheme(scheme))
	//+kubebuilder:scaffold:scheme
}

func main() {
	var (
		vaultAddr            string
		vaultRoleID          string
		vaultSecretID        string
		vaultToken           string
		metricsAddr          string
		enableLeaderElection bool
		vaultNamespace       string
		probeAddr            string
	)
	flag.StringVar(&vaultAddr, "vault-addr", "", "The address the vault client will connect to.")
	flag.StringVar(&vaultRoleID, "vault-role-id", "", "AppRole RoleID used to connect to vault.")
	flag.StringVar(&vaultSecretID, "vault-secret-id", "", "AppRole SecretID used to connect to vault.")
	flag.StringVar(&vaultToken, "vault-token", "", "If no AppRole should be used, a token can be provided.")
	flag.StringVar(&vaultNamespace, "vault-namespace", "", "The Vault namespace the operator works with.")
	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
		"Enable leader election for controller manager. "+
			"Enabling this will ensure there is only one active controller manager.")
	opts := zap.Options{
		Development: true,
	}
	opts.BindFlags(flag.CommandLine)
	flag.Parse()

	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))

	// Check if vault credentials were provided via env variables and make sure
	// mandatory variables are provided
	if vaultAddr == "" {
		vaultAddr = os.Getenv("VAULT_ADDR")
	}
	if vaultRoleID == "" {
		vaultRoleID = os.Getenv("VAULT_ROLE_ID")
	}
	if vaultSecretID == "" {
		vaultSecretID = os.Getenv("VAULT_SECRET_ID")
	}
	if vaultToken == "" {
		vaultToken = os.Getenv("VAULT_TOKEN")
	}
	if vaultNamespace == "" {
		vaultNamespace = os.Getenv("VAULT_NAMESPACE")
	}
	if vaultAddr == "" {
		setupLog.Error(errors.New("vault configuration incomplete"), "vault addr missing")
		os.Exit(1)
	}
	var authMethod vault.AuthMethod
	if vaultToken != "" {
		authMethod = &vault.TokenAuth{
			Token: vaultToken,
		}
	} else if vaultRoleID != "" && vaultSecretID != "" {
		authMethod = &vault.AppRoleAuth{
			RoleID:   vaultRoleID,
			SecretID: vaultSecretID,
		}
	} else {
		setupLog.Error(errors.New("no valid configuration for authentication provided"), "token or approle missing")
		os.Exit(2)
	}
	vc, err := vault.NewClient(vaultAddr, vaultNamespace, authMethod)
	if err != nil {
		setupLog.Error(err, "unable to create vault client")
		os.Exit(1)
	}

	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
		Scheme:                 scheme,
		MetricsBindAddress:     metricsAddr,
		Port:                   9443,
		HealthProbeBindAddress: probeAddr,
		LeaderElection:         enableLeaderElection,
		LeaderElectionID:       "43aa3c97.vault.finleap.cloud",
	})
	if err != nil {
		setupLog.Error(err, "unable to start manager")
		os.Exit(1)
	}

	if err = (&controllers.VaultSecretReconciler{
		Client: mgr.GetClient(),
		Scheme: mgr.GetScheme(),
		Log:    ctrl.Log.WithName("controllers").WithName("VaultSecret"),
		Vault:  vc,
	}).SetupWithManager(mgr); err != nil {
		setupLog.Error(err, "unable to create controller", "controller", "VaultSecret")
		os.Exit(1)
	}

	if err = (&vaultv1alpha1.VaultSecret{}).SetupWebhookWithManager(mgr); err != nil {
		setupLog.Error(err, "unable to create webhook", "webhook", "VaultSecret")
	}
	//+kubebuilder:scaffold:builder

	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
		setupLog.Error(err, "unable to set up health check")
		os.Exit(1)
	}
	if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil {
		setupLog.Error(err, "unable to set up ready check")
		os.Exit(1)
	}

	setupLog.Info("starting manager")
	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
		setupLog.Error(err, "problem running manager")
		os.Exit(1)
	}
}