From 6100e17a23291a7de3b5d0f7c7bd6ecc47d34024 Mon Sep 17 00:00:00 2001
From: Matthijs Wolters <matthijs.wolters@rosemanlabs.com>
Date: Mon, 25 Nov 2024 19:06:36 +0100
Subject: [PATCH] Statuscake: read basicauth password straight from secret
 (#608)

* WIP add config option

* Update controller-gen version

Fixes the broken v0.9 of controller-gen because it causes a segfault
when running `make install`

* Update formatting for base CRDS

* Working read secret

* Fixed read secret

* Use new secret function not client function

* Revert random formatting changes

* More stupid formatting fixes

* Final formatting fixes

I don't like formatting :(

* Small fixes and docs update

* Update example

* Update CRDs

* Revert controller-gen version bump

This is so that my upstream PR just focuses on the important bits rather
than mixing changes

* Fix annotation #1

* Update annotations #1.1

* Update annotations #2

* Include explicit checking of keys
---
 api/v1alpha1/endpointmonitor_types.go         |  4 +++
 ...monitor.stakater.com_endpointmonitors.yaml |  3 ++
 ...monitor.stakater.com_endpointmonitors.yaml |  3 ++
 docs/statuscake-configuration.md              | 11 +++++--
 .../endpointMonitor/statuscake-config.yaml    |  1 +
 pkg/monitors/statuscake/statuscake-monitor.go | 20 ++++++++++++
 pkg/secret/secrets.go                         | 31 +++++++++++++++++++
 7 files changed, 70 insertions(+), 3 deletions(-)

diff --git a/api/v1alpha1/endpointmonitor_types.go b/api/v1alpha1/endpointmonitor_types.go
index ac0eebed..321127bd 100644
--- a/api/v1alpha1/endpointmonitor_types.go
+++ b/api/v1alpha1/endpointmonitor_types.go
@@ -163,6 +163,10 @@ type StatusCakeConfig struct {
 	// +optional
 	BasicAuthUser string `json:"basicAuthUser,omitempty"`
 
+	// Basic Auth Secret Name
+	// +optional
+	BasicAuthSecret string `json:"basicAuthSecret,omitempty"`
+
 	// Set Check Rate for the monitor
 	// +optional
 	CheckRate int `json:"checkRate,omitempty"`
diff --git a/charts/ingressmonitorcontroller/crds/endpointmonitor.stakater.com_endpointmonitors.yaml b/charts/ingressmonitorcontroller/crds/endpointmonitor.stakater.com_endpointmonitors.yaml
index 5de8cbcc..f7356970 100644
--- a/charts/ingressmonitorcontroller/crds/endpointmonitor.stakater.com_endpointmonitors.yaml
+++ b/charts/ingressmonitorcontroller/crds/endpointmonitor.stakater.com_endpointmonitors.yaml
@@ -255,6 +255,9 @@ spec:
               statusCakeConfig:
                 description: Configuration for StatusCake Monitor Provider
                 properties:
+                  basicAuthSecret:
+                    description: Basic Auth Secret Name
+                    type: string
                   basicAuthUser:
                     description: Basic Auth User
                     type: string
diff --git a/config/crd/bases/endpointmonitor.stakater.com_endpointmonitors.yaml b/config/crd/bases/endpointmonitor.stakater.com_endpointmonitors.yaml
index 5de8cbcc..f7356970 100644
--- a/config/crd/bases/endpointmonitor.stakater.com_endpointmonitors.yaml
+++ b/config/crd/bases/endpointmonitor.stakater.com_endpointmonitors.yaml
@@ -255,6 +255,9 @@ spec:
               statusCakeConfig:
                 description: Configuration for StatusCake Monitor Provider
                 properties:
+                  basicAuthSecret:
+                    description: Basic Auth Secret Name
+                    type: string
                   basicAuthUser:
                     description: Basic Auth User
                     type: string
diff --git a/docs/statuscake-configuration.md b/docs/statuscake-configuration.md
index 75ac93d0..47c70c24 100644
--- a/docs/statuscake-configuration.md
+++ b/docs/statuscake-configuration.md
@@ -16,15 +16,16 @@ Currently additional Statuscake configurations can be added through these fields
 |:--------------------------------------------------------:|:------------------------------------------------:|
 | CheckRate               | Set Check Rate for the monitor (default: 300)    |
 | TestType                | Set Test type - HTTP, TCP, PING (default: HTTP)  |
-| Paused                   | Pause the service                                |
+| Paused                  | Pause the service                                |
 | PingURL                 | Webhook for alerts                               |
 | FollowRedirect          | Enable ingress redirects                         |
-| Port                     | TCP Port                                         |
+| Port                    | TCP Port                                         |
 | TriggerRate             | Minutes to wait before sending an alert          |
 | ContactGroup            | Contact Group to be alerted.                     |
 | TestTags                | Comma separated list of tags                     |
 | FindString              | String to look for within the response           |
-| BasicAuthUser          | Required for [basic-authenticationchecks](#basic-auth-checks)  |
+| BasicAuthUser           | Required for [basic-authenticationchecks](#basic-auth-checks)  |
+| BasicAuthSecret         | Allows for an alternate method of adding basic-auth to checks |
 | Regions                 | Regions to execute the check from                |
 | RawPostData             | Add data to change the request to a POST         |
 | UserAgent               | Add a user agent string to the request           |
@@ -36,6 +37,10 @@ Statuscake supports checks completing basic auth requirements. In `EndpointMonit
 
 For example; setting the field like `basic-auth-user: 'my-service-username'` will set the username field to the value `my-service-username` and will retrieve the password via `os.Getenv('my-service-username')` and set this appropriately.
 
+In addition to the previous method, you can use the `basicAuthSecret` field to define a secret that should be read by the monitor which contains the basic-auth data. This secret should only contain the keys `username` and `password`. It expects the values for those keys to be strings. NOT base64 encoded strings. Furthermore, the secret must be present in the same namespace as the IngressMonitorController operator. This ensures that we can keep the permissions of the operator to be as small as possible.
+
+So for example, if you have a secret called `my-deployment-secret` it should contain the data `username: my-user` and `password: MyPassword1!` and you should set to `basicAuthSecret: my-deployment-secret`. This will ensure that the monitor can read the basic-auth data correctly.
+
 ## Example:
 
 ```yaml
diff --git a/examples/endpointMonitor/statuscake-config.yaml b/examples/endpointMonitor/statuscake-config.yaml
index fd006504..165d53b4 100644
--- a/examples/endpointMonitor/statuscake-config.yaml
+++ b/examples/endpointMonitor/statuscake-config.yaml
@@ -7,6 +7,7 @@ spec:
   statusCakeConfig:
     port: 123
     basicAuthUser: my-service-username
+    basicAuthSecret: my-basicauth-secret
     checkRate: 300
     realBrowser: true
     testTags: 'abc,def'
diff --git a/pkg/monitors/statuscake/statuscake-monitor.go b/pkg/monitors/statuscake/statuscake-monitor.go
index 585659c1..b4cd58c9 100644
--- a/pkg/monitors/statuscake/statuscake-monitor.go
+++ b/pkg/monitors/statuscake/statuscake-monitor.go
@@ -17,7 +17,9 @@ import (
 	statuscake "github.com/StatusCakeDev/statuscake-go"
 	endpointmonitorv1alpha1 "github.com/stakater/IngressMonitorController/v2/api/v1alpha1"
 	"github.com/stakater/IngressMonitorController/v2/pkg/config"
+	"github.com/stakater/IngressMonitorController/v2/pkg/kube"
 	"github.com/stakater/IngressMonitorController/v2/pkg/models"
+	"github.com/stakater/IngressMonitorController/v2/pkg/secret"
 )
 
 var log = logf.Log.WithName("statuscake-monitor")
@@ -100,6 +102,24 @@ func buildUpsertForm(m models.Monitor, cgroup string) url.Values {
 		}
 	}
 
+	if providerConfig != nil && len(providerConfig.BasicAuthSecret) > 0 {
+		k8sClient, err := kube.GetClient()
+		if err != nil {
+			panic(err)
+		}
+
+		namespace := kube.GetCurrentKubernetesNamespace()
+		username, password, err := secret.ReadBasicAuthSecret(k8sClient.CoreV1().Secrets(namespace), providerConfig.BasicAuthSecret)
+
+		if err != nil {
+			log.Error(err, "Could not read the secret")
+		} else {
+			f.Add("basic_username", username)
+			f.Add("basic_password", password)
+			log.Info("Basic auth requirement detected. Setting username and password")
+		}
+	}
+
 	if providerConfig != nil && len(providerConfig.StatusCodes) > 0 {
 		f.Add("status_codes_csv", providerConfig.StatusCodes)
 
diff --git a/pkg/secret/secrets.go b/pkg/secret/secrets.go
index 704a7167..872cf1be 100644
--- a/pkg/secret/secrets.go
+++ b/pkg/secret/secrets.go
@@ -5,7 +5,9 @@ import (
 	"fmt"
 
 	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
+	clientv1 "k8s.io/client-go/kubernetes/typed/core/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
@@ -23,3 +25,32 @@ func LoadSecretData(apiReader client.Reader, secretName, namespace, dataKey stri
 	}
 	return string(retStr), nil
 }
+
+func ReadBasicAuthSecret(apiReader clientv1.SecretInterface, secretName string) (string, string, error) {
+	secret, err := apiReader.Get(context.TODO(), secretName, metav1.GetOptions{})
+	username, password := "", ""
+	if err != nil {
+		return "", "", err
+	}
+
+	for key, value := range secret.Data {
+		switch key {
+		case "username":
+			username = string(value)
+		case "password":
+			password = string(value)
+		default:
+			return "", "", fmt.Errorf("secret %s contained unkown key %s", secretName, key)
+		}
+	}
+
+	if username == "" {
+		return "", "", fmt.Errorf("secret %s does not contain expected key '%s'", secretName, "username")
+	} else if password == "" {
+		return "", "", fmt.Errorf("secret %s does not contain expected key '%s'", secretName, "password")
+	} else if username == "" && password == "" {
+		return "", "", fmt.Errorf("secret %s does not contain expected keys '%s','%s'", secretName, "username", "password")
+	}
+
+	return username, password, err
+}