--no-edit

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "kuberest"
-version = "0.9.2"
+version = "1.0.0"
 authors = ["Sébastien Huss <[email protected]>"]
 edition = "2021"
 default-run = "controller"
@@ -67,7 +67,7 @@ anyhow = "1.0.75"
 handlebars =  { version = "5.1.2", features = ["script_helper", "string_helpers"] }
 handlebars_misc_helpers = { version = "0.16.3", features = ["string", "json", "jsonnet", "regex", "uuid"] }
 rhai = { version = "1.18.0", features = ["sync", "serde"] }
-reqwest = "0.12.4"
+reqwest = { version = "0.12.4", features = ["rustls-tls"] }
 base64 = "0.22.1"
 rand = "0.8.5"
 

charts/kuberest/Chart.yaml

@@ -2,5 +2,5 @@ apiVersion: v2
 name: kuberest
 description: Allow to Control remote REST api endpoints from the confort of your cluster
 type: application
-version: "0.9.2"
-appVersion: "0.9.2"
+version: "1.0.0"
+appVersion: "1.0.0"

deploy/crd/crd.yaml

@@ -22,10 +22,6 @@ spec:
           spec:
             description: Describe the specification of a RestEndPoint
             properties:
-              change:
-                description: A rhai intermediate script to handle url change, or basic-to-token authentification method transition
-                nullable: true
-                type: string
               checkFrequency:
                 description: 'checkFrequency define the pooling interval (in seconds, default: 300)'
                 format: uint64
@@ -38,6 +34,14 @@ spec:
                   baseurl:
                     description: The baseurl the client will use. All path will use this as a prefix
                     type: string
+                  clientCert:
+                    description: mTLS client certificate
+                    nullable: true
+                    type: string
+                  clientKey:
+                    description: mTLS client key
+                    nullable: true
+                    type: string
                   createMethod:
                     description: 'Method to use when creating an object (default: Get)'
                     enum:
@@ -66,6 +70,10 @@ spec:
                     - Get
                     nullable: true
                     type: string
+                  serverCa:
+                    description: For self-signed Certificates on the destination endpoint
+                    nullable: true
+                    type: string
                   teardown:
                     description: 'Delete the Objects on RestEndPoint deletion (default: true, inability to do so will block RestEndPoint)'
                     nullable: true
@@ -394,7 +402,6 @@ spec:
                       - TemplateFailed
                       - PreScriptFailed
                       - PostScriptFailed
-                      - ChangeScriptFailed
                       - TeardownScriptFailed
                       - ReadFailed
                       - WriteFailed

deploy/operator/deployment.yaml

@@ -8,7 +8,7 @@ metadata:
   labels:
     app: kuberest
     app.kubernetes.io/name: kuberest
-    app.kubernetes.io/version: "0.9.2"
+    app.kubernetes.io/version: "1.0.0"
   namespace: default
 automountServiceAccountToken: true
 ---
@@ -54,7 +54,7 @@ metadata:
   labels:
     app: kuberest
     app.kubernetes.io/name: kuberest
-    app.kubernetes.io/version: "0.9.2"
+    app.kubernetes.io/version: "1.0.0"
 spec:
   type: ClusterIP
   ports:
@@ -74,7 +74,7 @@ metadata:
   labels:
     app: kuberest
     app.kubernetes.io/name: kuberest
-    app.kubernetes.io/version: "0.9.2"
+    app.kubernetes.io/version: "1.0.0"
 spec:
   replicas: 1
   selector:
@@ -92,7 +92,7 @@ spec:
         {}
       containers:
       - name: kuberest
-        image: sebt3/kuberest:0.9.2
+        image: sebt3/kuberest:1.0.0
         imagePullPolicy: IfNotPresent
         securityContext:
           {}

docs/flow.drawio

@@ -1 +1 @@
-<mxfile host="Electron" modified="2024-06-09T10:56:11.307Z" agent="5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/20.8.16 Chrome/106.0.5249.199 Electron/21.4.0 Safari/537.36" etag="uYdw_ArCQYEWExXCvqUo" version="20.8.16" type="device"><diagram id="prtHgNgQTEPvFCAcTncT" name="Page-1">7VhNc9owEP01HNPxN86xgaQ5tJ1kckh6FNZiq5W9riwH6K+vjOVPEUg7pGWYXBjt8+5Kem+9SJ64s3T9SZA8+YIU+MSx6HrizieO47uW+q2ATQ24l0ENxILRGrI74IH9Ag3quLhkFIqBo0TkkuVDMMIsg0gOMCIEroZuS+TDWXMSgwE8RISb6COjMqnR0Jl2+C2wOGlmtoPL+klKGme9kyIhFFc9yL2euDOBKOtRup4Br7hreKnjbl542i5MQCZfE3Dz9eLxZ3pzF/B05T3d2vfW/f2F7dVpngkv9Y4jzqqMasEgy1yvXW4aQtQ28mqoKOJYqpmvVgmT8JCTqIJXqgoUlsiUK8tWwxwES0GC6ILuOuhqiZnUstt+5Y4Fkwwzxc/c+lAhS8b5DDmK7QJc6kNIPYUXUuAP6D0JnYUbBNWTOp9n9fK16fSGQUhYv0il3QqkChtQLVZslEsTYGlNdVFPtbnqKsRuZE961dH4EV2UcZu5000NtHR/IqNlyJgLuCgiwXJpSCgSTBdlcVi6sTYjJZaETkm0S4mFF/iWdySy/SHZtmuyHe4gO3wzsh3znUlIFp8J325wany7ZnFjIc+DbX96amwbZLMsL2Vh8oxlRoFqMg9xPerhBMLlTm6DKITFslFHzzZSyzlWpY+ot1/ZxoO34t5sLAIIPUfqT4/70GAZqDoJahOFTDDGjPDrDr3qdKhOGp3PZ8Rcc/cdpNxo8kgpcagNrJl86o2/taeUypqvdeatsWmMTG33qW/0oiqzC9taTVxfRatVsdrkfg0VJ1iKCPZwpxu0JCIGucfP210TAjiR7Hm4jqMLbP6LrIR6cc7x7fK8U3u7zGuGugaov5UzJD8Yn5/+O/mBQb7Z6zL6sbotKyvipChYNGR62OnGreRftrEjtq3me8KhtuXs1runp79DzgZ7dXfTM9wh216/m0PK5bCcPH9UJvU2dVT//j9KNG4KnjVKVPNgJNqWXLvtv6/C6XsV7jv0HaxC970K91ahMruPabV790XSvf4N</diagram></mxfile>
+<mxfile host="Electron" modified="2024-06-12T06:34:05.367Z" agent="5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/20.8.16 Chrome/106.0.5249.199 Electron/21.4.0 Safari/537.36" etag="a1Ilo8MFglajOgOMce7d" version="20.8.16" type="device"><diagram id="prtHgNgQTEPvFCAcTncT" name="Page-1">7VhLc9owEP41HOn4jXNsyOvQdsjkkPQorAWrlb2uLMfQX18Zy/ghAiSTdBgmJ7SfVivp+9YriZE7TVa3gmTxd6TAR45FVyP3auQ4tud66qdC1jUSupMaWApGtVMLPLC/oEFLowWjkPccJSKXLOuDEaYpRLKHESGw7LstkPdnzcgSDOAhItxEHxmVsd6FM2nxO2DLuJnZDi7qnoQ0znoneUwolh3IvR65U4Eo61aymgKvyGt4qcfdvNC7XZiAVB4z4ObH+PFPcjMLeFJ6T3f2vXV/P7a1PM+EF3rHEWdVRLVgkEWm1y7XDSFqG1nVVBRxLNTMl2XMJDxkJKrgUqWBwmKZcGXZqpmBYAlIEO2gWQtdLjCVWnbbr9wxZ5Jhqvi5sr5UyIJxPkWOYrMAl/oQUk/huRT4Gzo9oTN3g6DqqeN5VifeNpzJm6byGYSEVQfSPN4CqsWKtXJpei2tqU7qiTbLNkPsRva4kx2NH9FJudxGbnVTDS3da2S0DBkzAeM8EiyThoQixmRe5IelG2ozUGJB6IREu5SYe4Fvee9Ett8n23ZNtsMdZIcfRrZrko25PA+2/cmpsW2QzdKskLnJMxYpBarJPMT1oKYQCBc7uQ2iEOaLRh0920At5524dwfU20eWleCjuHcM7gUQeo7Unx73ocEyUHUz0SYKGeMSU8KvW/Sy1aE6+Vqfb4iZ5u4XSLnW5JFCYl8bWDH51Gn/3J6alXW10pE3xroxUrXdp67RGVWZ7bCN1YzrqmjtUzHHQkSwhypdjyURS5B7/PRdp+Jxb04I4ESy5/4N8N0FNk+RUqgP5xy/Ls87ta/LvPaqa6k6Vs6Q/CA4NfIDg3yz1qX0a/V6U1bESZ6zqM90v9INS8n/LGNvL1vNc/ZQ2XKOLFsdPf0dcjbY0dVNzzBDtnkONpeUi346ef4gTep961Hd9+gg0LAoeNYgUE2MEWiTctttvz0LJ59Z2Mmug1nofmbh67JQme2fO7V7+xeZe/0P</diagram></mxfile>

examples/abuses/README.md

@@ -0,0 +1,17 @@
+# Warning
+
+Examples in this directory are only here to demo some of the operator features.
+
+This directory is named "abuses" for a reason: kuberest have never been designed to do theses things. It is just possible by its featureset.
+
+There is probably a better operator out there better suited for the task than kuberest ([Secret Generator](https://github.com/mittwald/kubernetes-secret-generator), [External Secret](https://external-secrets.io/latest/), [reflector](https://github.com/emberstack/kubernetes-reflector)...) do not use kuberest if your use-case is only any of these but use a better suited tool :)
+
+## secret-copy
+
+For this one to work, multi-tenancy have to be disabled at the operator level.
+
+## k8s-system-pod
+
+Seriously don't do this. This is just an mTLS demo, and the api-server is an mTLS enabled API we all knows. Having your admin mtls keys within the cluster is a huge security issue. Writes on the api-server is completly untested
+
+

examples/abuses/k8s-system-pod.yaml

@@ -0,0 +1,33 @@
+apiVersion: kuberest.solidite.fr/v1
+kind: RestEndPoint
+metadata:
+  name: k8s-system-pod
+spec:
+  inputs:
+  - name: admin
+    secretRef:
+      name: k8s-admin
+  client:
+    baseurl: >-
+      https://{{ env_var "KUBERNETES_SERVICE_HOST" }}:{{ env_var "KUBERNETES_SERVICE_PORT" }}
+    serverCa: "{{ base64_decode input.admin.data.certificate-authority-data }}"
+    clientCert: "{{ base64_decode input.admin.data.client-certificate-data }}"
+    clientKey: "{{ base64_decode input.admin.data.client-key-data }}"
+  reads:
+  - name: version
+    path: version
+    items: [{"name": "get", "key": ""}]
+  - name: pod
+    path: api/v1/namespaces/kube-system/pods
+    items: [{"name": "list", "key": ""}]
+  outputs:
+  - kind: ConfigMap
+    metadata:
+      name: result
+    data:
+      version.yaml: |-
+        ---
+        {{ json_to_str read.version.get format="yaml" }}
+      pod.yaml: |-
+        ---
+        {{ json_to_str read.pod.list format="yaml" }}

src/handlebarshandler.rs

@@ -6,24 +6,24 @@ pub use serde_json::Value;
 use tracing::*;
 
 handlebars_helper!(base64_decode: |arg:Value| String::from_utf8(STANDARD.decode(arg.as_str().unwrap_or_else(|| {
-    warn!("handlebars::base64_decode received a non-string parameter: {:}",arg);
+    warn!("handlebars::base64_decode received a non-string parameter: {:?}",arg);
     ""
 }).to_string()).unwrap_or_else(|e| {
-    warn!("handlebars::base64_decode failed to decode with: {e}");
+    warn!("handlebars::base64_decode failed to decode with: {e:?}");
     vec![]
 })).unwrap_or_else(|e| {
-    warn!("handlebars::base64_decode failed to convert to string with: {e}");
+    warn!("handlebars::base64_decode failed to convert to string with: {e:?}");
     String::new()
 }));
 handlebars_helper!(base64_encode: |arg:Value| STANDARD.encode(arg.as_str().unwrap_or_else(|| {
-    warn!("handlebars::base64_encode received a non-string parameter: {:}",arg);
+    warn!("handlebars::base64_encode received a non-string parameter: {:?}",arg);
     ""
 }).to_string()));
 handlebars_helper!(header_basic: |username:Value,password:Value| format!("Basic {}",STANDARD.encode(format!("{}:{}",username.as_str().unwrap_or_else(|| {
-    warn!("handlebars::header_basic received a non-string username: {:}",username);
+    warn!("handlebars::header_basic received a non-string username: {:?}",username);
     ""
 }),password.as_str().unwrap_or_else(|| {
-    warn!("handlebars::header_basic received a non-string password: {:}",password);
+    warn!("handlebars::header_basic received a non-string password: {:?}",password);
     ""
 })))));
 handlebars_helper!(gen_password:  |len:u32| Passwords::new().generate(len, 6, 2, 2));
@@ -53,8 +53,14 @@ impl HandleBars<'_> {
         self.engine.register_template_string(name, template)
     }
 
-    pub fn register_template_rhai(&mut self, name: String, template: String) {
-        self.register_template(name.as_str(), template.as_str()).unwrap();
+    pub fn register_template_rhai(&mut self, name: String, template: String) -> bool {
+        match self.register_template(name.as_str(), template.as_str()) {
+            Ok(()) => true,
+            Err(e) => {
+                debug!("Registring template from rhai generated: {e:?}");
+                false
+            }
+        }
     }
 
     pub fn render(
@@ -66,6 +72,11 @@ impl HandleBars<'_> {
     }
 
     pub fn render_from_rhai(&mut self, template: String, data: rhai::Map) -> String {
-        self.engine.render_template(template.as_str(), &data).unwrap()
+        self.engine
+            .render_template(template.as_str(), &data)
+            .unwrap_or_else(|e| {
+                debug!("Rendering template from rhai generated: {e:?}");
+                String::new()
+            })
     }
 }