Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: 024ddf52b0
Branches Tags
helm-externa...
/
cmd
/
esoctl
/
template.go

template.go 6.6 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231 
  1. /*
    2. 

  2. Copyright © The ESO Authors
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8. 	https://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package main
    18. 

  18. 

  19. import (
    20. 

  20. 	"context"
    21. 

  21. 	"fmt"
    22. 

  22. 	"os"
    23. 

  23. 	"path/filepath"
    24. 

  24. 

  25. 	"github.com/spf13/cobra"
    26. 

  26. 	corev1 "k8s.io/api/core/v1"
    27. 

  27. 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
    28. 

  28. 	"k8s.io/apimachinery/pkg/runtime"
    29. 

  29. 	"sigs.k8s.io/yaml"
    30. 

  30. 

  31. 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
    32. 

  32. 	"github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
    33. 

  33. 	"github.com/external-secrets/external-secrets/pkg/controllers/templating"
    34. 

  34. 	"github.com/external-secrets/external-secrets/runtime/template"
    35. 

  35. )
    36. 

  36. 

  37. // version is filled during build time.
    38. 

  38. var version string
    39. 

  39. 

  40. var (
    41. 

  41. 	templateFile              string
    42. 

  42. 	secretDataFile            string
    43. 

  43. 	outputFile                string
    44. 

  44. 	templateFromConfigMapFile string
    45. 

  45. 	templateFromSecretFile    string
    46. 

  46. 	showVersion               bool
    47. 

  47. )
    48. 

  48. 

  49. func init() {
    50. 

  50. 	rootCmd.AddCommand(templateCmd)
    51. 

  51. 	templateCmd.Flags().StringVar(&templateFile, "source-templated-object", "", "Link to a file containing the object that contains the template")
    52. 

  52. 	templateCmd.Flags().StringVar(&secretDataFile, "source-secret-data-file", "", "Link to a file containing secret data in form of map[string][]byte")
    53. 

  53. 	templateCmd.Flags().StringVar(&templateFromConfigMapFile, "template-from-config-map", "", "Link to a file containing config map data for TemplateFrom.ConfigMap")
    54. 

  54. 	templateCmd.Flags().StringVar(&templateFromSecretFile, "template-from-secret", "", "Link to a file containing config map data for TemplateFrom.Secret")
    55. 

  55. 	templateCmd.Flags().StringVar(&outputFile, "output", "", "If set, the output will be written to this file")
    56. 

  56. 	templateCmd.Flags().BoolVar(&showVersion, "version", false, "If set, only print the version and exit")
    57. 

  57. }
    58. 

  58. 

  59. var templateCmd = &cobra.Command{
    60. 

  60. 	Use:   "template",
    61. 

  61. 	Short: "given an input and a template provides an output",
    62. 

  62. 	Long:  `Given an input that mimics a secret's data section and a template it produces an output of the render template.`,
    63. 

  63. 	RunE:  templateRun,
    64. 

  64. }
    65. 

  65. 

  66. func templateRun(_ *cobra.Command, _ []string) error {
    67. 

  67. 	if version == "" {
    68. 

  68. 		version = "0.0.0-dev"
    69. 

  69. 	}
    70. 

  70. 

  71. 	if showVersion {
    72. 

  72. 		fmt.Printf("version: %s\n", version)
    73. 

  73. 

  74. 		os.Exit(0)
    75. 

  75. 	}
    76. 

  76. 

  77. 	ctx := context.Background()
    78. 

  78. 	obj := &unstructured.Unstructured{}
    79. 

  79. 	content, err := os.ReadFile(filepath.Clean(templateFile))
    80. 

  80. 	if err != nil {
    81. 

  81. 		return fmt.Errorf("could not read template file: %w", err)
    82. 

  82. 	}
    83. 

  83. 

  84. 	if err := yaml.Unmarshal(content, obj); err != nil {
    85. 

  85. 		return fmt.Errorf("could not unmarshal template: %w", err)
    86. 

  86. 	}
    87. 

  87. 

  88. 	tmpl, err := fetchTemplateFromSourceObject(obj)
    89. 

  89. 	if err != nil {
    90. 

  90. 		return err
    91. 

  91. 	}
    92. 

  92. 

  93. 	data := map[string][]byte{}
    94. 

  94. 	sourceDataContent, err := os.ReadFile(filepath.Clean(secretDataFile))
    95. 

  95. 	if err != nil {
    96. 

  96. 		return fmt.Errorf("could not read source secret file: %w", err)
    97. 

  97. 	}
    98. 

  98. 

  99. 	if err := yaml.Unmarshal(sourceDataContent, &data); err != nil {
    100. 

  100. 		return fmt.Errorf("could not unmarshal secret: %w", err)
    101. 

  101. 	}
    102. 

  102. 

  103. 	execute, err := template.EngineForVersion(tmpl.EngineVersion)
    104. 

  104. 	if err != nil {
    105. 

  105. 		return err
    106. 

  106. 	}
    107. 

  107. 

  108. 	targetSecret := &corev1.Secret{}
    109. 

  109. 	p := &templating.Parser{
    110. 

  110. 		TargetSecret: targetSecret,
    111. 

  111. 		DataMap:      data,
    112. 

  112. 		Exec:         execute,
    113. 

  113. 	}
    114. 

  114. 

  115. 	if err := setupFromConfigAndFromSecret(p); err != nil {
    116. 

  116. 		return fmt.Errorf("could not setup from secret: %w", err)
    117. 

  117. 	}
    118. 

  118. 

  119. 	if err := executeTemplate(ctx, p, tmpl); err != nil {
    120. 

  120. 		return fmt.Errorf("could not render template: %w", err)
    121. 

  121. 	}
    122. 

  122. 

  123. 	out := os.Stdout
    124. 

  124. 	if outputFile != "" {
    125. 

  125. 		f, err := os.Create(filepath.Clean(outputFile))
    126. 

  126. 		if err != nil {
    127. 

  127. 			return fmt.Errorf("could not create output file: %w", err)
    128. 

  128. 		}
    129. 

  129. 		defer func() {
    130. 

  130. 			_ = f.Close()
    131. 

  131. 		}()
    132. 

  132. 

  133. 		out = f
    134. 

  134. 	}
    135. 

  135. 

  136. 	// display the resulting secret
    137. 

  137. 	content, err = yaml.Marshal(targetSecret)
    138. 

  138. 	if err != nil {
    139. 

  139. 		return fmt.Errorf("could not marshal secret: %w", err)
    140. 

  140. 	}
    141. 

  141. 

  142. 	_, err = fmt.Fprintln(out, string(content))
    143. 

  143. 

  144. 	return err
    145. 

  145. }
    146. 

  146. 

  147. func fetchTemplateFromSourceObject(obj *unstructured.Unstructured) (*esv1.ExternalSecretTemplate, error) {
    148. 

  148. 	var tmpl *esv1.ExternalSecretTemplate
    149. 

  149. 	switch obj.GetKind() {
    150. 

  150. 	case "ExternalSecret":
    151. 

  151. 		es := &esv1.ExternalSecret{}
    152. 

  152. 		if err := runtime.DefaultUnstructuredConverter.FromUnstructured(obj.Object, es); err != nil {
    153. 

  153. 			return nil, err
    154. 

  154. 		}
    155. 

  155. 

  156. 		tmpl = es.Spec.Target.Template
    157. 

  157. 	case "PushSecret":
    158. 

  158. 		ps := &v1alpha1.PushSecret{}
    159. 

  159. 		if err := runtime.DefaultUnstructuredConverter.FromUnstructured(obj.Object, ps); err != nil {
    160. 

  160. 			return nil, err
    161. 

  161. 		}
    162. 

  162. 

  163. 		tmpl = ps.Spec.Template
    164. 

  164. 	default:
    165. 

  165. 		return nil, fmt.Errorf("unsupported template kind %s", obj.GetKind())
    166. 

  166. 	}
    167. 

  167. 

  168. 	return tmpl, nil
    169. 

  169. }
    170. 

  170. 

  171. func executeTemplate(ctx context.Context, p *templating.Parser, tmpl *esv1.ExternalSecretTemplate) error {
    172. 

  172. 	// apply templates defined in template.templateFrom
    173. 

  173. 	err := p.MergeTemplateFrom(ctx, "default", tmpl)
    174. 

  174. 	if err != nil {
    175. 

  175. 		return fmt.Errorf("could not merge template: %w", err)
    176. 

  176. 	}
    177. 

  177. 

  178. 	// apply data templates
    179. 

  179. 	// NOTE: explicitly defined template.data templates take precedence over templateFrom
    180. 

  180. 	err = p.MergeMap(tmpl.Data, esv1.TemplateTargetData)
    181. 

  181. 	if err != nil {
    182. 

  182. 		return fmt.Errorf("could not merge data: %w", err)
    183. 

  183. 	}
    184. 

  184. 

  185. 	// apply templates for labels
    186. 

  186. 	// NOTE: this only works for v2 templates
    187. 

  187. 	err = p.MergeMap(tmpl.Metadata.Labels, esv1.TemplateTargetLabels)
    188. 

  188. 	if err != nil {
    189. 

  189. 		return fmt.Errorf("could not merge labels: %w", err)
    190. 

  190. 	}
    191. 

  191. 

  192. 	// apply template for annotations
    193. 

  193. 	// NOTE: this only works for v2 templates
    194. 

  194. 	err = p.MergeMap(tmpl.Metadata.Annotations, esv1.TemplateTargetAnnotations)
    195. 

  195. 	if err != nil {
    196. 

  196. 		return fmt.Errorf("could not merge annotations: %w", err)
    197. 

  197. 	}
    198. 

  198. 

  199. 	return err
    200. 

  200. }
    201. 

  201. 

  202. func setupFromConfigAndFromSecret(p *templating.Parser) error {
    203. 

  203. 	if templateFromConfigMapFile != "" {
    204. 

  204. 		var configMap corev1.ConfigMap
    205. 

  205. 		configMapContent, err := os.ReadFile(filepath.Clean(templateFromConfigMapFile))
    206. 

  206. 		if err != nil {
    207. 

  207. 			return err
    208. 

  208. 		}
    209. 

  209. 

  210. 		if err := yaml.Unmarshal(configMapContent, &configMap); err != nil {
    211. 

  211. 			return fmt.Errorf("could not unmarshal configmap: %w", err)
    212. 

  212. 		}
    213. 

  213. 

  214. 		p.TemplateFromConfigMap = &configMap
    215. 

  215. 	}
    216. 

  216. 

  217. 	if templateFromSecretFile != "" {
    218. 

  218. 		var secret corev1.Secret
    219. 

  219. 		secretContent, err := os.ReadFile(filepath.Clean(templateFromSecretFile))
    220. 

  220. 		if err != nil {
    221. 

  221. 			return err
    222. 

  222. 		}
    223. 

  223. 

  224. 		if err := yaml.Unmarshal(secretContent, &secret); err != nil {
    225. 

  225. 			return fmt.Errorf("could not unmarshal secret: %w", err)
    226. 

  226. 		}
    227. 

  227. 

  228. 		p.TemplateFromSecret = &secret
    229. 

  229. 	}
    230. 

  230. 	return nil
    231. 

  231. }
    232.