feat: support multiple credential holders on GlobalDNS and VPN

[yunkon-kim]

• Upgrade mc-terrarium to v0.1.4
• Enable multiple credential holders in GlobalDNS and VPN
• Fetch AWS credentials dynamically via OpenBao holder paths
• Align 'x-credential-holder' header in REST and core modules
• Add mc-terrarium script in init/ for OpenBao credential registration

ref) cloud-barista/mc-terrarium#205

[yunkon-kim]

@seokho-son

Since changing the credential format, registering IBM and GCP credentials fails during make init. Are you experiencing any issues?

[seokho-son]

Let me check. :)

[seokho-son]

ibm:
  # ApiKey: API key
  # https://cloud.ibm.com/docs/account?topic=account-userapikey
  # ex: 5fwefhLlehfkaseefeffhcviuneiunifhnizHe3uhiL
  ApiKey:
  
  
gcp:
  # client_id: OAuth 2 Client ID (or Unique ID) of the service account
  # https://console.cloud.google.com/iam-admin/serviceaccounts
  # ex: "107777777600845725910" (Please note that adding double quotes is required.)
  client_id: "1...................2"

  # ClientEmail(client_email): Client Email of the service account
  # https://console.cloud.google.com/iam-admin/serviceaccounts/details/${client_id}/keys?authuser=1&project=${ProjectID}&supportedpurview=project
  # ex: user01@cloud-barista.com
  client_email:

  # private_key_id: One of Private Key IDs of the service account
  # ex: f89f5asfsesefsefsfefes0se0fse0f00ef565e33
  private_key_id: 

  # PrivateKey(private_key): Private Key of the Private Key ID of the service account (need to provide inlined format includeing \n characters.)
  # ex: -----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqh...iH0ew=\n-----END PRIVATE KEY-----\n
  private_key: -----BEGIN PRIVATE KEY-----

  # ProjectID(project_id): Project ID of the service account
  # ex: cloud-barista
  project_id: seokho-etri

[seokho-son]

Both OpenBao and CB-SP credentials for IBM/GCP works for me.

[seokho-son]

[yunkon-kim]

Registering credentials on OpenBao is working well for me as well. But.. registering those on Spider failed with GCP: Incomplete credential data, Skip.

I left the S3-related keys blank; would that be an issue?

[seokho-son]

yes it might be an issue I guess.

why don't you/we commented the keys with empty value in the credentials.yaml ?

[yunkon-kim]

I’m currently performing batch tests (Create, Get, and Delete) for VPNs on aws-to-tencent and aws-to-azure.

After the test, I will try your comment :)

[yunkon-kim]

In the meantime, I have two questions:

1. (minor) Lowercasing the header

I've changed X-Credential-Holder to x-credential-holder to stay consistent with Tumblebug API docs. HTTP headers are not case-sensitive, so this does not affect functionality. Is it okay to proceed as is?

2. Context Propagation

I've applied context propagation throughout GlobalDNS and VPN (from the Tumblebug API user input to the Terrarium API call). It appears to me that many other APIs do not yet use this pattern, so I would appreciate it if you could review whether this approach aligns with what you explained offline.

[yunkon-kim]

The test has passed. I'm switching the PR status to 'Ready for review'.

[seokho-son]

t many other APIs do not yet use this pattern, so I would appreciate it if you could review whether this approach aligns with what you explained offline.

@yunkon-kim could you let me know many other APIs do not yet use this pattern ? I've applied it to (most) required api handlers and core functionalities that requires calls to CSP with credentials (connections)

[yunkon-kim]

It appeared that the context was not being passed to the core function in about 5 handlers checked randomly. :)
(Including GlobalDns, VPN)

For example, I imagined the following parameter passing by the offline discussion.

// @Failure 500 {object} model.SimpleMsg
// @Router /resources/globalDns/hostedZone [get]
func RestGetHostedZones(c echo.Context) error {
	log.Debug().Msg("[DNS-REST] GET /resources/globalDns/hostedZone called")

	resp, err := resource.ListHostedZones(c.Request().Context()) <<<==== Passing context like this
	if err != nil {
		log.Error().Err(err).Msg("[DNS-REST] ListHostedZones failed")
		return c.JSON(classifyDnsError(err), model.SimpleMsg{Message: err.Error()})
	}

	log.Debug().Int("count", len(resp.HostedZones)).Msg("[DNS-REST] ListHostedZones succeeded")
	return c.JSON(http.StatusOK, resp)
}

[seokho-son]

@yunkon-kim
Oh,
For GlobalDns and VPN, I didn’t apply the context because those APIs did not support CredentialHolder at the time.

I expected this PR to add the context to all relevant APIs for GlobalDns and VPN. :)

[seokho-son]

/approve