Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: 1f7fabbc9b
Branches Tags
helm-externa...
/
providers
/
v1
/
dvls
/
provider.go

provider.go 4.4 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148 
  1. /*
    2. 

  2. Copyright © The ESO Authors
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     https://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package dvls
    18. 

  18. 

  19. import (
    20. 

  20. 	"context"
    21. 

  21. 	"fmt"
    22. 

  22. 	"net/url"
    23. 

  23. 

  24. 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
    25. 

  25. 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
    26. 

  26. 

  27. 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
    28. 

  28. 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
    29. 

  29. 	"github.com/external-secrets/external-secrets/runtime/esutils"
    30. 

  30. )
    31. 

  31. 

  32. var _ esv1.Provider = &Provider{}
    33. 

  33. 

  34. // Provider implements the external-secrets Provider interface for DVLS.
    35. 

  35. type Provider struct{}
    36. 

  36. 

  37. // NewClient creates a new DVLS SecretsClient.
    38. 

  38. func (p *Provider) NewClient(ctx context.Context, store esv1.GenericStore, kube kclient.Client, namespace string) (esv1.SecretsClient, error) {
    39. 

  39. 	dvlsProvider, err := getDVLSProvider(store)
    40. 

  40. 	if err != nil {
    41. 

  41. 		return nil, err
    42. 

  42. 	}
    43. 

  43. 

  44. 	storeKind := store.GetObjectKind().GroupVersionKind().Kind
    45. 

  45. 

  46. 	dvlsClient, err := NewDVLSClient(ctx, kube, storeKind, namespace, dvlsProvider)
    47. 

  47. 	if err != nil {
    48. 

  48. 		return nil, fmt.Errorf("failed to create DVLS client: %w", err)
    49. 

  49. 	}
    50. 

  50. 

  51. 	return NewClient(dvlsClient), nil
    52. 

  52. }
    53. 

  53. 

  54. // ValidateStore validates the SecretStore configuration.
    55. 

  55. func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, error) {
    56. 

  56. 	dvlsProvider, err := getDVLSProvider(store)
    57. 

  57. 	if err != nil {
    58. 

  58. 		return nil, err
    59. 

  59. 	}
    60. 

  60. 

  61. 	if dvlsProvider.ServerURL == "" {
    62. 

  62. 		return nil, fmt.Errorf("serverUrl is required")
    63. 

  63. 	}
    64. 

  64. 

  65. 	parsedURL, err := url.Parse(dvlsProvider.ServerURL)
    66. 

  66. 	if err != nil {
    67. 

  67. 		return nil, fmt.Errorf("serverUrl must be a valid URL: %w", err)
    68. 

  68. 	}
    69. 

  69. 	if parsedURL.Scheme == "" || parsedURL.Host == "" {
    70. 

  70. 		return nil, fmt.Errorf("serverUrl must be a valid URL with scheme and host")
    71. 

  71. 	}
    72. 

  72. 

  73. 	if parsedURL.Scheme != "https" && parsedURL.Scheme != "http" {
    74. 

  74. 		return nil, fmt.Errorf("serverUrl scheme must be http or https, got %q", parsedURL.Scheme)
    75. 

  75. 	}
    76. 

  76. 

  77. 	if parsedURL.Scheme == "http" && !dvlsProvider.Insecure {
    78. 

  78. 		return nil, fmt.Errorf("http URLs require 'insecure: true' to be set explicitly")
    79. 

  79. 	}
    80. 

  80. 

  81. 	// Validate auth configuration
    82. 

  82. 	if err := validateAuthSecretRef(store, &dvlsProvider.Auth.SecretRef); err != nil {
    83. 

  83. 		return nil, err
    84. 

  84. 	}
    85. 

  85. 

  86. 	return nil, nil
    87. 

  87. }
    88. 

  88. 

  89. // Capabilities returns the provider's capabilities.
    90. 

  90. func (p *Provider) Capabilities() esv1.SecretStoreCapabilities {
    91. 

  91. 	return esv1.SecretStoreReadWrite
    92. 

  92. }
    93. 

  93. 

  94. // validateAuthSecretRef validates the authentication secret references.
    95. 

  95. func validateAuthSecretRef(store esv1.GenericStore, ref *esv1.DVLSAuthSecretRef) error {
    96. 

  96. 	if err := requireSecretSelector(ref.AppID, "appId"); err != nil {
    97. 

  97. 		return err
    98. 

  98. 	}
    99. 

  99. 	if err := esutils.ValidateSecretSelector(store, ref.AppID); err != nil {
    100. 

  100. 		return fmt.Errorf("invalid appId: %w", err)
    101. 

  101. 	}
    102. 

  102. 

  103. 	if err := requireSecretSelector(ref.AppSecret, "appSecret"); err != nil {
    104. 

  104. 		return err
    105. 

  105. 	}
    106. 

  106. 	if err := esutils.ValidateSecretSelector(store, ref.AppSecret); err != nil {
    107. 

  107. 		return fmt.Errorf("invalid appSecret: %w", err)
    108. 

  108. 	}
    109. 

  109. 	return nil
    110. 

  110. }
    111. 

  111. 

  112. func requireSecretSelector(sel esmeta.SecretKeySelector, field string) error {
    113. 

  113. 	if sel.Name == "" {
    114. 

  114. 		return fmt.Errorf("%s secret name is required", field)
    115. 

  115. 	}
    116. 

  116. 

  117. 	if sel.Key == "" {
    118. 

  118. 		return fmt.Errorf("%s secret key is required", field)
    119. 

  119. 	}
    120. 

  120. 

  121. 	return nil
    122. 

  122. }
    123. 

  123. 

  124. // getDVLSProvider extracts the DVLS provider configuration from the store.
    125. 

  125. func getDVLSProvider(store esv1.GenericStore) (*esv1.DVLSProvider, error) {
    126. 

  126. 	spec := store.GetSpec()
    127. 

  127. 	if spec == nil || spec.Provider == nil || spec.Provider.DVLS == nil {
    128. 

  128. 		return nil, fmt.Errorf("DVLS provider configuration is missing")
    129. 

  129. 	}
    130. 

  130. 	return spec.Provider.DVLS, nil
    131. 

  131. }
    132. 

  132. 

  133. // NewProvider creates a new DVLS Provider instance.
    134. 

  134. func NewProvider() esv1.Provider {
    135. 

  135. 	return &Provider{}
    136. 

  136. }
    137. 

  137. 

  138. // ProviderSpec returns the provider specification for registration.
    139. 

  139. func ProviderSpec() *esv1.SecretStoreProvider {
    140. 

  140. 	return &esv1.SecretStoreProvider{
    141. 

  141. 		DVLS: &esv1.DVLSProvider{},
    142. 

  142. 	}
    143. 

  143. }
    144. 

  144. 

  145. // MaintenanceStatus returns the maintenance status of the provider.
    146. 

  146. func MaintenanceStatus() esv1.MaintenanceStatus {
    147. 

  147. 	return esv1.MaintenanceStatusMaintained
    148. 

  148. }
    149.