Главная Обзор Помощь
Вход
logic855
/
helm-external-secrets
зеркало из https://github.com/external-secrets/external-secrets
1
0
Ответвить 0
Файлы Задачи 0 Вики
Дерево: 21f1dca82e
Ветки Метки
helm-externa...
/
pkg
/
provider
/
vault
/
client_get_all_secrets.go

client_get_all_secrets.go 4.0 KB
История Исходник

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6.     http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. 

  15. package vault
    16. 

  16. 

  17. import (
    18. 

  18. 	"context"
    19. 

  19. 	"errors"
    20. 

  20. 	"fmt"
    21. 

  21. 	"strings"
    22. 

  22. 

  23. 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
    24. 

  24. 	"github.com/external-secrets/external-secrets/pkg/constants"
    25. 

  25. 	"github.com/external-secrets/external-secrets/pkg/find"
    26. 

  26. 	"github.com/external-secrets/external-secrets/pkg/metrics"
    27. 

  27. )
    28. 

  28. 

  29. const (
    30. 

  30. 	errUnsupportedKvVersion = "cannot perform find operations with kv version v1"
    31. 

  31. )
    32. 

  32. 

  33. // GetAllSecrets gets multiple secrets from the provider and loads into a kubernetes secret.
    34. 

  34. // First load all secrets from secretStore path configuration
    35. 

  35. // Then, gets secrets from a matching name or matching custom_metadata.
    36. 

  36. func (c *client) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
    37. 

  37. 	if c.store.Version == esv1beta1.VaultKVStoreV1 {
    38. 

  38. 		return nil, errors.New(errUnsupportedKvVersion)
    39. 

  39. 	}
    40. 

  40. 	searchPath := ""
    41. 

  41. 	if ref.Path != nil {
    42. 

  42. 		searchPath = *ref.Path + "/"
    43. 

  43. 	}
    44. 

  44. 	potentialSecrets, err := c.listSecrets(ctx, searchPath)
    45. 

  45. 	if err != nil {
    46. 

  46. 		return nil, err
    47. 

  47. 	}
    48. 

  48. 	if ref.Name != nil {
    49. 

  49. 		return c.findSecretsFromName(ctx, potentialSecrets, *ref.Name)
    50. 

  50. 	}
    51. 

  51. 	return c.findSecretsFromTags(ctx, potentialSecrets, ref.Tags)
    52. 

  52. }
    53. 

  53. 

  54. func (c *client) findSecretsFromTags(ctx context.Context, candidates []string, tags map[string]string) (map[string][]byte, error) {
    55. 

  55. 	secrets := make(map[string][]byte)
    56. 

  56. 	for _, name := range candidates {
    57. 

  57. 		match := true
    58. 

  58. 		metadata, err := c.readSecretMetadata(ctx, name)
    59. 

  59. 		if err != nil {
    60. 

  60. 			return nil, err
    61. 

  61. 		}
    62. 

  62. 		for tk, tv := range tags {
    63. 

  63. 			p, ok := metadata[tk]
    64. 

  64. 			if !ok || p != tv {
    65. 

  65. 				match = false
    66. 

  66. 				break
    67. 

  67. 			}
    68. 

  68. 		}
    69. 

  69. 		if match {
    70. 

  70. 			secret, err := c.GetSecret(ctx, esv1beta1.ExternalSecretDataRemoteRef{Key: name})
    71. 

  71. 			if errors.Is(err, esv1beta1.NoSecretError{}) {
    72. 

  72. 				continue
    73. 

  73. 			}
    74. 

  74. 			if err != nil {
    75. 

  75. 				return nil, err
    76. 

  76. 			}
    77. 

  77. 			if secret != nil {
    78. 

  78. 				secrets[name] = secret
    79. 

  79. 			}
    80. 

  80. 		}
    81. 

  81. 	}
    82. 

  82. 	return secrets, nil
    83. 

  83. }
    84. 

  84. 

  85. func (c *client) findSecretsFromName(ctx context.Context, candidates []string, ref esv1beta1.FindName) (map[string][]byte, error) {
    86. 

  86. 	secrets := make(map[string][]byte)
    87. 

  87. 	matcher, err := find.New(ref)
    88. 

  88. 	if err != nil {
    89. 

  89. 		return nil, err
    90. 

  90. 	}
    91. 

  91. 	for _, name := range candidates {
    92. 

  92. 		ok := matcher.MatchName(name)
    93. 

  93. 		if ok {
    94. 

  94. 			secret, err := c.GetSecret(ctx, esv1beta1.ExternalSecretDataRemoteRef{Key: name})
    95. 

  95. 			if errors.Is(err, esv1beta1.NoSecretError{}) {
    96. 

  96. 				continue
    97. 

  97. 			}
    98. 

  98. 			if err != nil {
    99. 

  99. 				return nil, err
    100. 

  100. 			}
    101. 

  101. 			if secret != nil {
    102. 

  102. 				secrets[name] = secret
    103. 

  103. 			}
    104. 

  104. 		}
    105. 

  105. 	}
    106. 

  106. 	return secrets, nil
    107. 

  107. }
    108. 

  108. 

  109. func (c *client) listSecrets(ctx context.Context, path string) ([]string, error) {
    110. 

  110. 	secrets := make([]string, 0)
    111. 

  111. 	url, err := c.buildMetadataPath(path)
    112. 

  112. 	if err != nil {
    113. 

  113. 		return nil, err
    114. 

  114. 	}
    115. 

  115. 	secret, err := c.logical.ListWithContext(ctx, url)
    116. 

  116. 	metrics.ObserveAPICall(constants.ProviderHCVault, constants.CallHCVaultListSecrets, err)
    117. 

  117. 	if err != nil {
    118. 

  118. 		return nil, fmt.Errorf(errReadSecret, err)
    119. 

  119. 	}
    120. 

  120. 	if secret == nil {
    121. 

  121. 		return nil, fmt.Errorf("provided path %v does not contain any secrets", url)
    122. 

  122. 	}
    123. 

  123. 	t, ok := secret.Data["keys"]
    124. 

  124. 	if !ok {
    125. 

  125. 		return nil, nil
    126. 

  126. 	}
    127. 

  127. 	paths := t.([]any)
    128. 

  128. 	for _, p := range paths {
    129. 

  129. 		strPath := p.(string)
    130. 

  130. 		fullPath := path + strPath // because path always ends with a /
    131. 

  131. 		if path == "" {
    132. 

  132. 			fullPath = strPath
    133. 

  133. 		}
    134. 

  134. 		// Recurrently find secrets
    135. 

  135. 		if !strings.HasSuffix(p.(string), "/") {
    136. 

  136. 			secrets = append(secrets, fullPath)
    137. 

  137. 		} else {
    138. 

  138. 			partial, err := c.listSecrets(ctx, fullPath)
    139. 

  139. 			if err != nil {
    140. 

  140. 				return nil, err
    141. 

  141. 			}
    142. 

  142. 			secrets = append(secrets, partial...)
    143. 

  143. 		}
    144. 

  144. 	}
    145. 

  145. 	return secrets, nil
    146. 

  146. }
    147.