Startsida Utforska Hjälp
Logga in
logic855
/
helm-external-secrets
spegling av https://github.com/external-secrets/external-secrets
1
0
Fork 0
Filer Ärenden 0 Wiki
Träd: 14d59bd4aa
Grenar Taggar
helm-externa...
/
providers
/
v1
/
gcp
/
secretmanager
/
provider.go

provider.go 5.9 KB
Historik

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188 
  1. /*
    2. 

  2. Copyright © 2025 ESO Maintainer Team
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     https://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package secretmanager
    18. 

  18. 

  19. import (
    20. 

  20. 	"context"
    21. 

  21. 	"errors"
    22. 

  22. 	"fmt"
    23. 

  23. 	"sync"
    24. 

  24. 

  25. 	secretmanager "cloud.google.com/go/secretmanager/apiv1"
    26. 

  26. 	"golang.org/x/oauth2"
    27. 

  27. 	"google.golang.org/api/option"
    28. 

  28. 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
    29. 

  29. 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
    30. 

  30. 

  31. 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
    32. 

  32. 	"github.com/external-secrets/external-secrets/runtime/esutils"
    33. 

  33. )
    34. 

  34. 

  35. // Provider is a secrets provider for GCP Secret Manager.
    36. 

  36. // It implements the necessary NewClient() and ValidateStore() funcs.
    37. 

  37. type Provider struct{}
    38. 

  38. 

  39. // https://github.com/external-secrets/external-secrets/issues/644
    40. 

  40. var _ esv1.SecretsClient = &Client{}
    41. 

  41. var _ esv1.Provider = &Provider{}
    42. 

  42. 

  43. /*
    44. 

  44. Currently, GCPSM client has a limitation around how concurrent connections work
    45. 

  45. This limitation causes memory leaks due to random disconnects from living clients
    46. 

  46. and also payload switches when sending a call (such as using a credential from one
    47. 

  47. thread to ask secrets from another thread).
    48. 

  48. A Mutex was implemented to make sure only one connection can be in place at a time.
    49. 

  49. */
    50. 

  50. var useMu = sync.Mutex{}
    51. 

  51. 

  52. // Capabilities returns the provider's capabilities to read/write secrets.
    53. 

  53. func (p *Provider) Capabilities() esv1.SecretStoreCapabilities {
    54. 

  54. 	return esv1.SecretStoreReadWrite
    55. 

  55. }
    56. 

  56. 

  57. // NewClient constructs a GCP Provider.
    58. 

  58. func (p *Provider) NewClient(ctx context.Context, store esv1.GenericStore, kube kclient.Client, namespace string) (esv1.SecretsClient, error) {
    59. 

  59. 	storeSpec := store.GetSpec()
    60. 

  60. 	if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.GCPSM == nil {
    61. 

  61. 		return nil, errors.New(errGCPSMStore)
    62. 

  62. 	}
    63. 

  63. 	gcpStore := storeSpec.Provider.GCPSM
    64. 

  64. 

  65. 	useMu.Lock()
    66. 

  66. 

  67. 	client := &Client{
    68. 

  68. 		kube:      kube,
    69. 

  69. 		store:     gcpStore,
    70. 

  70. 		storeKind: store.GetKind(),
    71. 

  71. 		namespace: namespace,
    72. 

  72. 	}
    73. 

  73. 	defer func() {
    74. 

  74. 		if client.smClient == nil {
    75. 

  75. 			_ = client.Close(ctx)
    76. 

  76. 		}
    77. 

  77. 	}()
    78. 

  78. 

  79. 	// this project ID is used for authentication (currently only relevant for workload identity)
    80. 

  80. 	clusterProjectID, err := clusterProjectID(storeSpec)
    81. 

  81. 	if err != nil {
    82. 

  82. 		return nil, err
    83. 

  83. 	}
    84. 

  84. 	isClusterKind := store.GetObjectKind().GroupVersionKind().Kind == esv1.ClusterSecretStoreKind
    85. 

  85. 	// allow SecretStore controller validation to pass
    86. 

  86. 	// when using referent namespace.
    87. 

  87. 	if namespace == "" && isClusterKind && isReferentSpec(gcpStore) {
    88. 

  88. 		// placeholder smClient to prevent closing the client twice
    89. 

  89. 		client.smClient, _ = secretmanager.NewClient(ctx, option.WithTokenSource(oauth2.StaticTokenSource(&oauth2.Token{})))
    90. 

  90. 		return client, nil
    91. 

  91. 	}
    92. 

  92. 

  93. 	ts, err := NewTokenSource(ctx, gcpStore.Auth, clusterProjectID, store.GetKind(), kube, namespace)
    94. 

  94. 	if err != nil {
    95. 

  95. 		return nil, fmt.Errorf(errUnableCreateGCPSMClient, err)
    96. 

  96. 	}
    97. 

  97. 

  98. 	// check if we can get credentials
    99. 

  99. 	_, err = ts.Token()
    100. 

  100. 	if err != nil {
    101. 

  101. 		return nil, fmt.Errorf(errUnableGetCredentials, err)
    102. 

  102. 	}
    103. 

  103. 

  104. 	var clientGCPSM *secretmanager.Client
    105. 

  105. 	if gcpStore.Location != "" {
    106. 

  106. 		ep := fmt.Sprintf("secretmanager.%s.rep.googleapis.com:443", gcpStore.Location)
    107. 

  107. 		regional := option.WithEndpoint(ep)
    108. 

  108. 		clientGCPSM, err = secretmanager.NewClient(ctx, option.WithTokenSource(ts), regional)
    109. 

  109. 		if err != nil {
    110. 

  110. 			return nil, fmt.Errorf(errUnableCreateGCPSMClient, err)
    111. 

  111. 		}
    112. 

  112. 	} else {
    113. 

  113. 		clientGCPSM, err = secretmanager.NewClient(ctx, option.WithTokenSource(ts))
    114. 

  114. 		if err != nil {
    115. 

  115. 			return nil, fmt.Errorf(errUnableCreateGCPSMClient, err)
    116. 

  116. 		}
    117. 

  117. 	}
    118. 

  118. 	client.smClient = clientGCPSM
    119. 

  119. 	return client, nil
    120. 

  120. }
    121. 

  121. 

  122. // ValidateStore validates the configuration of the secret store.
    123. 

  123. func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, error) {
    124. 

  124. 	if store == nil {
    125. 

  125. 		return nil, errors.New(errInvalidStore)
    126. 

  126. 	}
    127. 

  127. 	spc := store.GetSpec()
    128. 

  128. 	if spc == nil {
    129. 

  129. 		return nil, errors.New(errInvalidStoreSpec)
    130. 

  130. 	}
    131. 

  131. 	if spc.Provider == nil {
    132. 

  132. 		return nil, errors.New(errInvalidStoreProv)
    133. 

  133. 	}
    134. 

  134. 	g := spc.Provider.GCPSM
    135. 

  135. 	if p == nil {
    136. 

  136. 		return nil, errors.New(errInvalidGCPProv)
    137. 

  137. 	}
    138. 

  138. 	if g.Auth.SecretRef != nil {
    139. 

  139. 		if err := esutils.ValidateReferentSecretSelector(store, g.Auth.SecretRef.SecretAccessKey); err != nil {
    140. 

  140. 			return nil, fmt.Errorf(errInvalidAuthSecretRef, err)
    141. 

  141. 		}
    142. 

  142. 	}
    143. 

  143. 	if g.Auth.WorkloadIdentity != nil {
    144. 

  144. 		if err := esutils.ValidateReferentServiceAccountSelector(store, g.Auth.WorkloadIdentity.ServiceAccountRef); err != nil {
    145. 

  145. 			return nil, fmt.Errorf(errInvalidWISARef, err)
    146. 

  146. 		}
    147. 

  147. 	}
    148. 

  148. 	return nil, nil
    149. 

  149. }
    150. 

  150. 

  151. func clusterProjectID(spec *esv1.SecretStoreSpec) (string, error) {
    152. 

  152. 	if spec.Provider.GCPSM.Auth.WorkloadIdentity != nil && spec.Provider.GCPSM.Auth.WorkloadIdentity.ClusterProjectID != "" {
    153. 

  153. 		return spec.Provider.GCPSM.Auth.WorkloadIdentity.ClusterProjectID, nil
    154. 

  154. 	}
    155. 

  155. 	if spec.Provider.GCPSM.ProjectID != "" {
    156. 

  156. 		return spec.Provider.GCPSM.ProjectID, nil
    157. 

  157. 	}
    158. 

  158. 	return "", errors.New(errNoProjectID)
    159. 

  159. }
    160. 

  160. 

  161. func isReferentSpec(prov *esv1.GCPSMProvider) bool {
    162. 

  162. 	if prov.Auth.SecretRef != nil &&
    163. 

  163. 		prov.Auth.SecretRef.SecretAccessKey.Namespace == nil {
    164. 

  164. 		return true
    165. 

  165. 	}
    166. 

  166. 	if prov.Auth.WorkloadIdentity != nil &&
    167. 

  167. 		prov.Auth.WorkloadIdentity.ServiceAccountRef.Namespace == nil {
    168. 

  168. 		return true
    169. 

  169. 	}
    170. 

  170. 	return false
    171. 

  171. }
    172. 

  172. 

  173. // NewProvider creates a new Provider instance.
    174. 

  174. func NewProvider() esv1.Provider {
    175. 

  175. 	return &Provider{}
    176. 

  176. }
    177. 

  177. 

  178. // ProviderSpec returns the provider specification for registration.
    179. 

  179. func ProviderSpec() *esv1.SecretStoreProvider {
    180. 

  180. 	return &esv1.SecretStoreProvider{
    181. 

  181. 		GCPSM: &esv1.GCPSMProvider{},
    182. 

  182. 	}
    183. 

  183. }
    184. 

  184. 

  185. // MaintenanceStatus returns the maintenance status of the provider.
    186. 

  186. func MaintenanceStatus() esv1.MaintenanceStatus {
    187. 

  187. 	return esv1.MaintenanceStatusMaintained
    188. 

  188. }
    189.