Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: 0a1ef6c1a9
Branches Tags
helm-externa...
/
pkg
/
provider
/
webhook
/
webhook.go

webhook.go 12 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6.     http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. 

  15. package webhook
    16. 

  16. 

  17. import (
    18. 

  18. 	"bytes"
    19. 

  19. 	"context"
    20. 

  20. 	"crypto/tls"
    21. 

  21. 	"crypto/x509"
    22. 

  22. 	"fmt"
    23. 

  23. 	"io"
    24. 

  24. 	"net/http"
    25. 

  25. 	"net/url"
    26. 

  26. 	"strings"
    27. 

  27. 	tpl "text/template"
    28. 

  28. 

  29. 	"github.com/Masterminds/sprig"
    30. 

  30. 	"github.com/PaesslerAG/jsonpath"
    31. 

  31. 	"gopkg.in/yaml.v3"
    32. 

  32. 	corev1 "k8s.io/api/core/v1"
    33. 

  33. 	"sigs.k8s.io/controller-runtime/pkg/client"
    34. 

  34. 

  35. 	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
    36. 

  36. 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
    37. 

  37. 	"github.com/external-secrets/external-secrets/pkg/provider"
    38. 

  38. 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
    39. 

  39. 	"github.com/external-secrets/external-secrets/pkg/template"
    40. 

  40. 	"github.com/external-secrets/external-secrets/pkg/utils"
    41. 

  41. )
    42. 

  42. 

  43. // Provider satisfies the provider interface.
    44. 

  44. type Provider struct{}
    45. 

  45. 

  46. type WebHook struct {
    47. 

  47. 	kube      client.Client
    48. 

  48. 	store     esv1alpha1.GenericStore
    49. 

  49. 	namespace string
    50. 

  50. 	storeKind string
    51. 

  51. 	http      *http.Client
    52. 

  52. }
    53. 

  53. 

  54. func init() {
    55. 

  55. 	schema.Register(&Provider{}, &esv1alpha1.SecretStoreProvider{
    56. 

  56. 		Webhook: &esv1alpha1.WebhookProvider{},
    57. 

  57. 	})
    58. 

  58. }
    59. 

  59. 

  60. func (p *Provider) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
    61. 

  61. 	whClient := &WebHook{
    62. 

  62. 		kube:      kube,
    63. 

  63. 		store:     store,
    64. 

  64. 		namespace: namespace,
    65. 

  65. 		storeKind: store.GetObjectKind().GroupVersionKind().Kind,
    66. 

  66. 	}
    67. 

  67. 	provider, err := getProvider(store)
    68. 

  68. 	if err != nil {
    69. 

  69. 		return nil, err
    70. 

  70. 	}
    71. 

  71. 	whClient.http, err = whClient.getHTTPClient(provider)
    72. 

  72. 	if err != nil {
    73. 

  73. 		return nil, err
    74. 

  74. 	}
    75. 

  75. 	return whClient, nil
    76. 

  76. }
    77. 

  77. 

  78. func getProvider(store esv1alpha1.GenericStore) (*esv1alpha1.WebhookProvider, error) {
    79. 

  79. 	spc := store.GetSpec()
    80. 

  80. 	if spc == nil || spc.Provider == nil || spc.Provider.Webhook == nil {
    81. 

  81. 		return nil, fmt.Errorf("missing store provider webhook")
    82. 

  82. 	}
    83. 

  83. 	return spc.Provider.Webhook, nil
    84. 

  84. }
    85. 

  85. 

  86. func (w *WebHook) getStoreSecret(ctx context.Context, ref esmeta.SecretKeySelector) (*corev1.Secret, error) {
    87. 

  87. 	ke := client.ObjectKey{
    88. 

  88. 		Name:      ref.Name,
    89. 

  89. 		Namespace: w.namespace,
    90. 

  90. 	}
    91. 

  91. 	if w.storeKind == esv1alpha1.ClusterSecretStoreKind {
    92. 

  92. 		if ref.Namespace == nil {
    93. 

  93. 			return nil, fmt.Errorf("no namespace on ClusterSecretStore webhook secret %s", ref.Name)
    94. 

  94. 		}
    95. 

  95. 		ke.Namespace = *ref.Namespace
    96. 

  96. 	}
    97. 

  97. 	secret := &corev1.Secret{}
    98. 

  98. 	if err := w.kube.Get(ctx, ke, secret); err != nil {
    99. 

  99. 		return nil, fmt.Errorf("failed to get clustersecretstore webhook secret %s: %w", ref.Name, err)
    100. 

  100. 	}
    101. 

  101. 	return secret, nil
    102. 

  102. }
    103. 

  103. 

  104. func (w *WebHook) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
    105. 

  105. 	provider, err := getProvider(w.store)
    106. 

  106. 	if err != nil {
    107. 

  107. 		return nil, fmt.Errorf("failed to get store: %w", err)
    108. 

  108. 	}
    109. 

  109. 	result, err := w.getWebhookData(ctx, provider, ref)
    110. 

  110. 	if err != nil {
    111. 

  111. 		return nil, err
    112. 

  112. 	}
    113. 

  113. 	// Only parse as json if we have a jsonpath set
    114. 

  114. 	if provider.Result.JSONPath != "" {
    115. 

  115. 		jsondata := interface{}(nil)
    116. 

  116. 		if err := yaml.Unmarshal(result, &jsondata); err != nil {
    117. 

  117. 			return nil, fmt.Errorf("failed to parse response json: %w", err)
    118. 

  118. 		}
    119. 

  119. 		jsondata, err = jsonpath.Get(provider.Result.JSONPath, jsondata)
    120. 

  120. 		if err != nil {
    121. 

  121. 			return nil, fmt.Errorf("failed to get response path %s: %w", provider.Result.JSONPath, err)
    122. 

  122. 		}
    123. 

  123. 		jsonvalue, ok := jsondata.(string)
    124. 

  124. 		if !ok {
    125. 

  125. 			return nil, fmt.Errorf("failed to get response (wrong type: %T)", jsondata)
    126. 

  126. 		}
    127. 

  127. 		return []byte(jsonvalue), nil
    128. 

  128. 	}
    129. 

  129. 

  130. 	return result, nil
    131. 

  131. }
    132. 

  132. 

  133. func (w *WebHook) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
    134. 

  134. 	provider, err := getProvider(w.store)
    135. 

  135. 	if err != nil {
    136. 

  136. 		return nil, fmt.Errorf("failed to get store: %w", err)
    137. 

  137. 	}
    138. 

  138. 	result, err := w.getWebhookData(ctx, provider, ref.GetDataRemoteRef())
    139. 

  139. 	if err != nil {
    140. 

  140. 		return nil, err
    141. 

  141. 	}
    142. 

  142. 

  143. 	// We always want json here, so just parse it out
    144. 

  144. 	jsondata := interface{}(nil)
    145. 

  145. 	if err := yaml.Unmarshal(result, &jsondata); err != nil {
    146. 

  146. 		return nil, fmt.Errorf("failed to parse response json: %w", err)
    147. 

  147. 	}
    148. 

  148. 	// Get subdata via jsonpath, if given
    149. 

  149. 	if provider.Result.JSONPath != "" {
    150. 

  150. 		jsondata, err = jsonpath.Get(provider.Result.JSONPath, jsondata)
    151. 

  151. 		if err != nil {
    152. 

  152. 			return nil, fmt.Errorf("failed to get response path %s: %w", provider.Result.JSONPath, err)
    153. 

  153. 		}
    154. 

  154. 	}
    155. 

  155. 	// If the value is a string, try to parse it as json
    156. 

  156. 	jsonstring, ok := jsondata.(string)
    157. 

  157. 	if ok {
    158. 

  158. 		// This could also happen if the response was a single json-encoded string
    159. 

  159. 		// but that is an extremely unlikely scenario
    160. 

  160. 		if err := yaml.Unmarshal([]byte(jsonstring), &jsondata); err != nil {
    161. 

  161. 			return nil, fmt.Errorf("failed to parse response json from jsonpath: %w", err)
    162. 

  162. 		}
    163. 

  163. 	}
    164. 

  164. 	// Use the data as a key-value map
    165. 

  165. 	jsonvalue, ok := jsondata.(map[string]interface{})
    166. 

  166. 	if !ok {
    167. 

  167. 		return nil, fmt.Errorf("failed to get response (wrong type: %T)", jsondata)
    168. 

  168. 	}
    169. 

  169. 

  170. 	// Change the map of generic objects to a map of byte arrays
    171. 

  171. 	values := make(map[string][]byte)
    172. 

  172. 	for rKey, rValue := range jsonvalue {
    173. 

  173. 		jVal, ok := rValue.(string)
    174. 

  174. 		if !ok {
    175. 

  175. 			return nil, fmt.Errorf("failed to get response (wrong type in key '%s': %T)", rKey, rValue)
    176. 

  176. 		}
    177. 

  177. 		values[rKey] = []byte(jVal)
    178. 

  178. 	}
    179. 

  179. 	return values, nil
    180. 

  180. }
    181. 

  181. 

  182. func (w *WebHook) getTemplateData(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef, secrets []esv1alpha1.WebhookSecret) (map[string]map[string]string, error) {
    183. 

  183. 	data := map[string]map[string]string{
    184. 

  184. 		"remoteRef": {
    185. 

  185. 			"key":      url.QueryEscape(ref.Key),
    186. 

  186. 			"version":  url.QueryEscape(ref.Version),
    187. 

  187. 			"property": url.QueryEscape(ref.Property),
    188. 

  188. 		},
    189. 

  189. 	}
    190. 

  190. 	for _, secref := range secrets {
    191. 

  191. 		if _, ok := data[secref.Name]; !ok {
    192. 

  192. 			data[secref.Name] = make(map[string]string)
    193. 

  193. 		}
    194. 

  194. 		secret, err := w.getStoreSecret(ctx, secref.SecretRef)
    195. 

  195. 		if err != nil {
    196. 

  196. 			return nil, err
    197. 

  197. 		}
    198. 

  198. 		for sKey, sVal := range secret.Data {
    199. 

  199. 			data[secref.Name][sKey] = string(sVal)
    200. 

  200. 		}
    201. 

  201. 	}
    202. 

  202. 	return data, nil
    203. 

  203. }
    204. 

  204. 

  205. func (w *WebHook) getWebhookData(ctx context.Context, provider *esv1alpha1.WebhookProvider, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
    206. 

  206. 	if w.http == nil {
    207. 

  207. 		return nil, fmt.Errorf("http client not initialized")
    208. 

  208. 	}
    209. 

  209. 	data, err := w.getTemplateData(ctx, ref, provider.Secrets)
    210. 

  210. 	if err != nil {
    211. 

  211. 		return nil, err
    212. 

  212. 	}
    213. 

  213. 	method := provider.Method
    214. 

  214. 	if method == "" {
    215. 

  215. 		method = http.MethodGet
    216. 

  216. 	}
    217. 

  217. 	url, err := executeTemplateString(provider.URL, data)
    218. 

  218. 	if err != nil {
    219. 

  219. 		return nil, fmt.Errorf("failed to parse url: %w", err)
    220. 

  220. 	}
    221. 

  221. 	body, err := executeTemplate(provider.Body, data)
    222. 

  222. 	if err != nil {
    223. 

  223. 		return nil, fmt.Errorf("failed to parse body: %w", err)
    224. 

  224. 	}
    225. 

  225. 

  226. 	req, err := http.NewRequestWithContext(ctx, method, url, &body)
    227. 

  227. 	if err != nil {
    228. 

  228. 		return nil, fmt.Errorf("failed to create request: %w", err)
    229. 

  229. 	}
    230. 

  230. 	for hKey, hValueTpl := range provider.Headers {
    231. 

  231. 		hValue, err := executeTemplateString(hValueTpl, data)
    232. 

  232. 		if err != nil {
    233. 

  233. 			return nil, fmt.Errorf("failed to parse header %s: %w", hKey, err)
    234. 

  234. 		}
    235. 

  235. 		req.Header.Add(hKey, hValue)
    236. 

  236. 	}
    237. 

  237. 

  238. 	resp, err := w.http.Do(req)
    239. 

  239. 	if err != nil {
    240. 

  240. 		return nil, fmt.Errorf("failed to call endpoint: %w", err)
    241. 

  241. 	}
    242. 

  242. 	defer resp.Body.Close()
    243. 

  243. 	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
    244. 

  244. 		return nil, fmt.Errorf("endpoint gave error %s", resp.Status)
    245. 

  245. 	}
    246. 

  246. 	return io.ReadAll(resp.Body)
    247. 

  247. }
    248. 

  248. 

  249. func (w *WebHook) getHTTPClient(provider *esv1alpha1.WebhookProvider) (*http.Client, error) {
    250. 

  250. 	client := &http.Client{}
    251. 

  251. 	if provider.Timeout != nil {
    252. 

  252. 		client.Timeout = provider.Timeout.Duration
    253. 

  253. 	}
    254. 

  254. 	if len(provider.CABundle) == 0 && provider.CAProvider == nil {
    255. 

  255. 		// No need to process ca stuff if it is not there
    256. 

  256. 		return client, nil
    257. 

  257. 	}
    258. 

  258. 	caCertPool, err := w.getCACertPool(provider)
    259. 

  259. 	if err != nil {
    260. 

  260. 		return nil, err
    261. 

  261. 	}
    262. 

  262. 

  263. 	tlsConf := &tls.Config{
    264. 

  264. 		RootCAs:    caCertPool,
    265. 

  265. 		MinVersion: tls.VersionTLS12,
    266. 

  266. 	}
    267. 

  267. 	client.Transport = &http.Transport{TLSClientConfig: tlsConf}
    268. 

  268. 	return client, nil
    269. 

  269. }
    270. 

  270. 

  271. func (w *WebHook) getCACertPool(provider *esv1alpha1.WebhookProvider) (*x509.CertPool, error) {
    272. 

  272. 	caCertPool := x509.NewCertPool()
    273. 

  273. 	if len(provider.CABundle) > 0 {
    274. 

  274. 		ok := caCertPool.AppendCertsFromPEM(provider.CABundle)
    275. 

  275. 		if !ok {
    276. 

  276. 			return nil, fmt.Errorf("failed to append cabundle")
    277. 

  277. 		}
    278. 

  278. 	}
    279. 

  279. 

  280. 	if provider.CAProvider != nil && w.storeKind == esv1alpha1.ClusterSecretStoreKind && provider.CAProvider.Namespace == nil {
    281. 

  281. 		return nil, fmt.Errorf("missing namespace on CAProvider secret")
    282. 

  282. 	}
    283. 

  283. 

  284. 	if provider.CAProvider != nil {
    285. 

  285. 		var cert []byte
    286. 

  286. 		var err error
    287. 

  287. 

  288. 		switch provider.CAProvider.Type {
    289. 

  289. 		case esv1alpha1.WebhookCAProviderTypeSecret:
    290. 

  290. 			cert, err = w.getCertFromSecret(provider)
    291. 

  291. 		case esv1alpha1.WebhookCAProviderTypeConfigMap:
    292. 

  292. 			cert, err = w.getCertFromConfigMap(provider)
    293. 

  293. 		default:
    294. 

  294. 			err = fmt.Errorf("unknown caprovider type: %s", provider.CAProvider.Type)
    295. 

  295. 		}
    296. 

  296. 

  297. 		if err != nil {
    298. 

  298. 			return nil, err
    299. 

  299. 		}
    300. 

  300. 

  301. 		ok := caCertPool.AppendCertsFromPEM(cert)
    302. 

  302. 		if !ok {
    303. 

  303. 			return nil, fmt.Errorf("failed to append cabundle")
    304. 

  304. 		}
    305. 

  305. 	}
    306. 

  306. 	return caCertPool, nil
    307. 

  307. }
    308. 

  308. 

  309. func (w *WebHook) getCertFromSecret(provider *esv1alpha1.WebhookProvider) ([]byte, error) {
    310. 

  310. 	secretRef := esmeta.SecretKeySelector{
    311. 

  311. 		Name: provider.CAProvider.Name,
    312. 

  312. 		Key:  provider.CAProvider.Key,
    313. 

  313. 	}
    314. 

  314. 

  315. 	if provider.CAProvider.Namespace != nil {
    316. 

  316. 		secretRef.Namespace = provider.CAProvider.Namespace
    317. 

  317. 	}
    318. 

  318. 

  319. 	ctx := context.Background()
    320. 

  320. 	res, err := w.secretKeyRef(ctx, &secretRef)
    321. 

  321. 	if err != nil {
    322. 

  322. 		return nil, err
    323. 

  323. 	}
    324. 

  324. 

  325. 	return []byte(res), nil
    326. 

  326. }
    327. 

  327. 

  328. func (w *WebHook) secretKeyRef(ctx context.Context, secretRef *esmeta.SecretKeySelector) (string, error) {
    329. 

  329. 	secret := &corev1.Secret{}
    330. 

  330. 	ref := client.ObjectKey{
    331. 

  331. 		Namespace: w.namespace,
    332. 

  332. 		Name:      secretRef.Name,
    333. 

  333. 	}
    334. 

  334. 	if (w.storeKind == esv1alpha1.ClusterSecretStoreKind) &&
    335. 

  335. 		(secretRef.Namespace != nil) {
    336. 

  336. 		ref.Namespace = *secretRef.Namespace
    337. 

  337. 	}
    338. 

  338. 	err := w.kube.Get(ctx, ref, secret)
    339. 

  339. 	if err != nil {
    340. 

  340. 		return "", err
    341. 

  341. 	}
    342. 

  342. 

  343. 	keyBytes, ok := secret.Data[secretRef.Key]
    344. 

  344. 	if !ok {
    345. 

  345. 		return "", err
    346. 

  346. 	}
    347. 

  347. 

  348. 	value := string(keyBytes)
    349. 

  349. 	valueStr := strings.TrimSpace(value)
    350. 

  350. 	return valueStr, nil
    351. 

  351. }
    352. 

  352. 

  353. func (w *WebHook) getCertFromConfigMap(provider *esv1alpha1.WebhookProvider) ([]byte, error) {
    354. 

  354. 	objKey := client.ObjectKey{
    355. 

  355. 		Name: provider.CAProvider.Name,
    356. 

  356. 	}
    357. 

  357. 

  358. 	if provider.CAProvider.Namespace != nil {
    359. 

  359. 		objKey.Namespace = *provider.CAProvider.Namespace
    360. 

  360. 	}
    361. 

  361. 

  362. 	configMapRef := &corev1.ConfigMap{}
    363. 

  363. 	ctx := context.Background()
    364. 

  364. 	err := w.kube.Get(ctx, objKey, configMapRef)
    365. 

  365. 	if err != nil {
    366. 

  366. 		return nil, fmt.Errorf("failed to get caprovider secret %s: %w", objKey.Name, err)
    367. 

  367. 	}
    368. 

  368. 

  369. 	val, ok := configMapRef.Data[provider.CAProvider.Key]
    370. 

  370. 	if !ok {
    371. 

  371. 		return nil, fmt.Errorf("failed to get caprovider configmap %s -> %s", objKey.Name, provider.CAProvider.Key)
    372. 

  372. 	}
    373. 

  373. 

  374. 	return []byte(val), nil
    375. 

  375. }
    376. 

  376. 

  377. // Implements store.Client.GetAllSecrets Interface.
    378. 

  378. // New version of GetAllSecrets.
    379. 

  379. func (w *WebHook) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
    380. 

  380. 	// TO be implemented
    381. 

  381. 	return nil, utils.ThrowNotImplemented()
    382. 

  382. }
    383. 

  383. 

  384. func (w *WebHook) Close(ctx context.Context) error {
    385. 

  385. 	return nil
    386. 

  386. }
    387. 

  387. 

  388. func executeTemplateString(tmpl string, data map[string]map[string]string) (string, error) {
    389. 

  389. 	result, err := executeTemplate(tmpl, data)
    390. 

  390. 	if err != nil {
    391. 

  391. 		return "", err
    392. 

  392. 	}
    393. 

  393. 	return result.String(), nil
    394. 

  394. }
    395. 

  395. 

  396. func executeTemplate(tmpl string, data map[string]map[string]string) (bytes.Buffer, error) {
    397. 

  397. 	var result bytes.Buffer
    398. 

  398. 	if tmpl == "" {
    399. 

  399. 		return result, nil
    400. 

  400. 	}
    401. 

  401. 	urlt, err := tpl.New("webhooktemplate").Funcs(sprig.TxtFuncMap()).Funcs(template.FuncMap()).Parse(tmpl)
    402. 

  402. 	if err != nil {
    403. 

  403. 		return result, err
    404. 

  404. 	}
    405. 

  405. 	if err := urlt.Execute(&result, data); err != nil {
    406. 

  406. 		return result, err
    407. 

  407. 	}
    408. 

  408. 	return result, nil
    409. 

  409. }
    410.