feat: add byok support and refactor

Author: aramase

.gitignore

@@ -23,3 +23,6 @@ azure.json
 
 # OSX trash
 .DS_Store
+
+.idea/
+_output/

.pipelines/unit-tests-template.yml

@@ -6,17 +6,18 @@ jobs:
       clean: all
     variables:
       - group: kubernetes-kms
-      - name: GOPATH
-        value: '$(system.defaultWorkingDirectory)/gopath'
 
     steps:
       - task: GoTool@0
         inputs:
-          version: 1.14.2
+          version: 1.15
       - script: V=1 make build
         displayName: Build
       - script: make unit-test
         displayName: Run unit tests
+      - script: |
+          sudo ./_output/kubernetes-kms --version
+        displayName: Check binary version
       - script: |
           sudo mkdir /etc/kubernetes
           echo -e '{\n    "tenantId": "'$TENANT_ID'",\n    "subscriptionId": "'$SUBSCRIPTION_ID'",\n    "aadClientId": "'$CLIENT_ID'",\n    "aadClientSecret": "'$CLIENT_SECRET'",\n    "resourceGroup": "'$KV_RESOURCE_GROUP'",\n    "location": "'$AZURE_LOCATION'",\n    "providerVaultName": "'$KV_NAME'",\n    "providerKeyName": "'$KV_KEY'",\n    "providerKeyVersion": "'$KV_KEY_VERSION'"\n}' | sudo tee --append /etc/kubernetes/azure.json  > /dev/null
@@ -25,7 +26,7 @@ jobs:
           CLIENT_ID: $(AZURE_CLIENT_ID)
           CLIENT_SECRET: $(AZURE_CLIENT_SECRET)
       - script: |
-          sudo ./kubernetes-kms > /dev/null &
+          sudo ./_output/kubernetes-kms --keyvault-name $KV_NAME --key-name $KV_KEY --key-version $KV_KEY_VERSION --listen-addr "unix:///opt/azurekms.sock" > /dev/null &
           echo Waiting 2 seconds for the server to start
           sleep 2
           make integration-test

Dockerfile

@@ -1,6 +1,6 @@
 FROM alpine:3.5
 WORKDIR /bin
 
-ADD ./kubernetes-kms /bin/k8s-azure-kms
+ADD _output/kubernetes-kms /bin/k8s-azure-kms
 
 CMD ["./k8s-azure-kms"] 

Makefile

@@ -1,11 +1,19 @@
-binary := kubernetes-kms
+ORG_PATH=github.com/Azure
+PROJECT_NAME := kubernetes-kms
+REPO_PATH="$(ORG_PATH)/$(PROJECT_NAME)"
 REGISTRY_NAME ?= upstreamk8sci
 REGISTRY ?= $(REGISTRY_NAME).azurecr.io
 REPO_PREFIX ?= k8s/kms
-DOCKER_IMAGE := $(REGISTRY)/$(REPO_PREFIX)/keyvault
-VERSION ?= v0.0.9
+DOCKER_IMAGE ?= $(REGISTRY)/$(REPO_PREFIX)/keyvault
+IMAGE_VERSION ?= v0.0.9
 CGO_ENABLED_FLAG := 0
 
+BUILD_VERSION_VAR := $(REPO_PATH)/pkg/version.BuildVersion
+BUILD_DATE_VAR := $(REPO_PATH)/pkg/version.BuildDate
+BUILD_DATE := $$(date +%Y-%m-%d-%H:%M)
+GIT_VAR := $(REPO_PATH)/pkg/version.GitCommit
+GIT_HASH := $$(git rev-parse --short HEAD)
+
 ifeq ($(OS),Windows_NT)
 	GOOS_FLAG = windows
 else
@@ -18,33 +26,25 @@ else
 	endif
 endif
 
+GO_BUILD_OPTIONS := --tags "netgo osusergo"  -ldflags "-s -X $(BUILD_VERSION_VAR)=$(IMAGE_VERSION) -X $(GIT_VAR)=$(GIT_HASH) -X $(BUILD_DATE_VAR)=$(BUILD_DATE) -extldflags '-static'"
+
 .PHONY: build
 build: authors
 	@echo "Building..."
-	$Q GOOS=${GOOS_FLAG} CGO_ENABLED=${CGO_ENABLED_FLAG} go build .
+	$Q GOOS=${GOOS_FLAG} CGO_ENABLED=${CGO_ENABLED_FLAG} go build $(GO_BUILD_OPTIONS) -o _output/kubernetes-kms ./cmd/server/
 
-build-image: authors deps
-	@echo "Building..."
-	$Q GOOS=linux CGO_ENABLED=${CGO_ENABLED_FLAG} go build .
+build-image: authors build
 	@echo "Building docker image..."
-	$Q docker build -t $(DOCKER_IMAGE):$(VERSION) .
+	$Q docker build -t $(DOCKER_IMAGE):$(IMAGE_VERSION) .
 
 push: build-image
-	$Q docker push $(DOCKER_IMAGE):$(VERSION)
+	$Q docker push $(DOCKER_IMAGE):$(IMAGE_VERSION)
 
 .PHONY: clean deps unit-test integration-test
 
-deps: setup
-	@echo "Ensuring Dependencies..."
-	$Q go env
-
 clean:
 	@echo "Clean..."
-	$Q rm -rf $(binary)
-
-setup: clean
-	@echo "Setup..."
-	go get -u github.com/golang/dep/cmd/dep
+	$Q rm -rf _output/
 
 authors:
 	$Q git log --all --format='%aN <%cE>' | sort -u  | sed -n '/github/!p' > GITAUTHORS
@@ -59,14 +59,7 @@ integration-test:
 
 unit-test:
 	@echo "Running Unit Tests..."
-ifndef CI
-	@echo "Running Unit Tests outside CI..."
-	$Q go env
 	go test -race -v -count=1 `go list ./... | grep -v client`
-else
-	@echo "Running Unit Tests inside CI..."
-	go test -race $(shell go list ./... | grep -v /test/e2e) -v
-endif
 
 .PHONY: mod
 mod:

cmd/server/main.go

@@ -0,0 +1,105 @@
+// Copyright (c) Microsoft and contributors.  All rights reserved.
+//
+// This source code is licensed under the MIT license found in the
+// LICENSE file in the root directory of this source tree.
+
+package main
+
+import (
+	"context"
+	"flag"
+	"net"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/Azure/kubernetes-kms/pkg/plugin"
+	"github.com/Azure/kubernetes-kms/pkg/utils"
+	"github.com/Azure/kubernetes-kms/pkg/version"
+
+	kvmgmt "github.com/Azure/azure-sdk-for-go/services/keyvault/mgmt/2016-10-01/keyvault"
+	"google.golang.org/grpc"
+	pb "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1"
+	json "k8s.io/component-base/logs/json"
+	"k8s.io/klog/v2"
+)
+
+var (
+	listenAddr    = flag.String("listen-addr", "unix:///tmp/azurekms.sock", "gRPC listen address")
+	keyvaultName  = flag.String("keyvault-name", "", "Azure Key Vault name")
+	keyName       = flag.String("key-name", "", "Azure Key Vault KMS key name")
+	keyVersion    = flag.String("key-version", "", "Azure Key Vault KMS key version")
+	keyvaultSKU   = flag.String("keyvault-sku", string(kvmgmt.Standard), "Azure Key Vault SKU")
+	logFormatJSON = flag.Bool("log-format-json", false, "set log formatter to json")
+	// TODO change this to follow the hyphen format. DEPRECATE this flag and introduce the new flag
+	configFilePath = flag.String("configFilePath", "/etc/kubernetes/azure.json", "Path for Azure Cloud Provider config file")
+	versionInfo    = flag.Bool("version", false, "Prints the version information")
+)
+
+func main() {
+	klog.InitFlags(nil)
+	defer klog.Flush()
+
+	flag.Parse()
+
+	if *logFormatJSON {
+		klog.SetLogger(json.JSONLogger)
+	}
+
+	if *versionInfo {
+		version.PrintVersion()
+		os.Exit(0)
+	}
+
+	ctx := withShutdownSignal(context.Background())
+
+	klog.InfoS("Starting KeyManagementServiceServer service", "version", version.BuildVersion, "buildDate", version.BuildDate)
+	kmsServer, err := plugin.New(ctx, *configFilePath, *keyvaultName, *keyName, *keyVersion, *keyvaultSKU)
+	if err != nil {
+		klog.Fatalf("failed to create server, error: %v", err)
+	}
+
+	// Initialize and run the GRPC server
+	proto, addr, err := utils.ParseEndpoint(*listenAddr)
+	if err != nil {
+		klog.Fatalf("failed to parse endpoint, err: %+v", err)
+	}
+	if err := os.Remove(addr); err != nil && !os.IsNotExist(err) {
+		klog.Fatalf("failed to remove %s, error: %s", addr, err.Error())
+	}
+
+	listener, err := net.Listen(proto, addr)
+	if err != nil {
+		klog.Fatalf("failed to listen: %v", err)
+	}
+	opts := []grpc.ServerOption{
+		grpc.UnaryInterceptor(utils.LogGRPC),
+	}
+
+	s := grpc.NewServer(opts...)
+	pb.RegisterKeyManagementServiceServer(s, kmsServer)
+
+	klog.Infof("Listening for connections on address: %v", listener.Addr())
+	go s.Serve(listener)
+
+	<-ctx.Done()
+	// gracefully stop the grpc server
+	klog.Infof("terminating the server")
+	s.GracefulStop()
+}
+
+// withShutdownSignal returns a copy of the parent context that will close if
+// the process receives termination signals.
+func withShutdownSignal(ctx context.Context) context.Context {
+	signalChan := make(chan os.Signal, 1)
+	signal.Notify(signalChan, syscall.SIGTERM, syscall.SIGINT, os.Interrupt)
+
+	nctx, cancel := context.WithCancel(ctx)
+
+	go func() {
+		<-signalChan
+		klog.Info("received shutdown signal")
+		cancel()
+	}()
+	return nctx
+}

go.mod

@@ -1,26 +1,22 @@
 module github.com/Azure/kubernetes-kms
 
-go 1.14
+go 1.15
 
 require (
-	github.com/Azure/azure-sdk-for-go v11.3.0-beta+incompatible
-	github.com/Azure/go-autorest v10.15.5+incompatible
-	github.com/dgrijalva/jwt-go v3.1.0+incompatible // indirect
-	github.com/dnaeon/go-vcr v1.0.1 // indirect
-	github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
-	github.com/golang/mock v1.1.1
-	github.com/golang/protobuf v1.0.0
-	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
+	github.com/Azure/azure-sdk-for-go v48.2.0+incompatible
+	github.com/Azure/go-autorest/autorest v0.9.6
+	github.com/Azure/go-autorest/autorest/adal v0.8.2
+	github.com/Azure/go-autorest/autorest/to v0.4.0
+	github.com/Azure/go-autorest/autorest/validation v0.3.0 // indirect
+	github.com/dnaeon/go-vcr v1.1.0 // indirect
+	github.com/golang/mock v1.3.1
+	github.com/golang/protobuf v1.4.2
 	github.com/satori/go.uuid v1.2.0 // indirect
-	github.com/satori/uuid v1.2.0 // indirect
-	github.com/stretchr/testify v1.6.1 // indirect
-	golang.org/x/crypto v0.0.0-20180211211603-9de5f2eaf759
-	golang.org/x/net v0.0.0-20180208041118-f5dfe339be1d
-	golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208 // indirect
-	golang.org/x/sys v0.0.0-20180202135801-37707fdb30a5
-	golang.org/x/text v0.3.1-0.20180208041248-4e4a3210bb54 // indirect
-	google.golang.org/genproto v0.0.0-20180206005123-2b5a72b8730b // indirect
-	google.golang.org/grpc v1.9.2
-	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
-	gopkg.in/yaml.v2 v2.3.0 // indirect
+	golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9
+	golang.org/x/net v0.0.0-20200707034311-ab3426394381
+	google.golang.org/grpc v1.27.0
+	gopkg.in/yaml.v2 v2.3.0
+	k8s.io/apiserver v0.19.4
+	k8s.io/component-base v0.19.4
+	k8s.io/klog/v2 v2.2.0
 )