Inicio Explorar Axuda
Iniciar sesión
logic855
/
helm-external-secrets
réplica de https://github.com/external-secrets/external-secrets
1
0
Fork 0
Ficheiros Incidencias 0 Wiki
Árbore: 33d794e3b2
Ramas Etiquetas
helm-externa...
/
pkg
/
provider
/
webhook
/
webhook.go

webhook.go 12 KB
Histórico Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6.     http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. 

  15. package webhook
    16. 

  16. 

  17. import (
    18. 

  18. 	"bytes"
    19. 

  19. 	"context"
    20. 

  20. 	"crypto/tls"
    21. 

  21. 	"crypto/x509"
    22. 

  22. 	"fmt"
    23. 

  23. 	"io"
    24. 

  24. 	"net/http"
    25. 

  25. 	"net/url"
    26. 

  26. 	"strings"
    27. 

  27. 	tpl "text/template"
    28. 

  28. 	"time"
    29. 

  29. 

  30. 	"github.com/Masterminds/sprig/v3"
    31. 

  31. 	"github.com/PaesslerAG/jsonpath"
    32. 

  32. 	"gopkg.in/yaml.v3"
    33. 

  33. 	corev1 "k8s.io/api/core/v1"
    34. 

  34. 	"sigs.k8s.io/controller-runtime/pkg/client"
    35. 

  35. 

  36. 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
    37. 

  37. 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
    38. 

  38. 	"github.com/external-secrets/external-secrets/pkg/template/v2"
    39. 

  39. 	"github.com/external-secrets/external-secrets/pkg/utils"
    40. 

  40. )
    41. 

  41. 

  42. // Provider satisfies the provider interface.
    43. 

  43. type Provider struct{}
    44. 

  44. 

  45. type WebHook struct {
    46. 

  46. 	kube      client.Client
    47. 

  47. 	store     esv1beta1.GenericStore
    48. 

  48. 	namespace string
    49. 

  49. 	storeKind string
    50. 

  50. 	http      *http.Client
    51. 

  51. 	url       string
    52. 

  52. }
    53. 

  53. 

  54. func init() {
    55. 

  55. 	esv1beta1.Register(&Provider{}, &esv1beta1.SecretStoreProvider{
    56. 

  56. 		Webhook: &esv1beta1.WebhookProvider{},
    57. 

  57. 	})
    58. 

  58. }
    59. 

  59. 

  60. func (p *Provider) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube client.Client, namespace string) (esv1beta1.SecretsClient, error) {
    61. 

  61. 	whClient := &WebHook{
    62. 

  62. 		kube:      kube,
    63. 

  63. 		store:     store,
    64. 

  64. 		namespace: namespace,
    65. 

  65. 		storeKind: store.GetObjectKind().GroupVersionKind().Kind,
    66. 

  66. 	}
    67. 

  67. 	provider, err := getProvider(store)
    68. 

  68. 	if err != nil {
    69. 

  69. 		return nil, err
    70. 

  70. 	}
    71. 

  71. 	whClient.url = provider.URL
    72. 

  72. 

  73. 	whClient.http, err = whClient.getHTTPClient(provider)
    74. 

  74. 	if err != nil {
    75. 

  75. 		return nil, err
    76. 

  76. 	}
    77. 

  77. 	return whClient, nil
    78. 

  78. }
    79. 

  79. 

  80. func (p *Provider) ValidateStore(store esv1beta1.GenericStore) error {
    81. 

  81. 	return nil
    82. 

  82. }
    83. 

  83. 

  84. func getProvider(store esv1beta1.GenericStore) (*esv1beta1.WebhookProvider, error) {
    85. 

  85. 	spc := store.GetSpec()
    86. 

  86. 	if spc == nil || spc.Provider == nil || spc.Provider.Webhook == nil {
    87. 

  87. 		return nil, fmt.Errorf("missing store provider webhook")
    88. 

  88. 	}
    89. 

  89. 	return spc.Provider.Webhook, nil
    90. 

  90. }
    91. 

  91. 

  92. func (w *WebHook) getStoreSecret(ctx context.Context, ref esmeta.SecretKeySelector) (*corev1.Secret, error) {
    93. 

  93. 	ke := client.ObjectKey{
    94. 

  94. 		Name:      ref.Name,
    95. 

  95. 		Namespace: w.namespace,
    96. 

  96. 	}
    97. 

  97. 	if w.storeKind == esv1beta1.ClusterSecretStoreKind {
    98. 

  98. 		if ref.Namespace == nil {
    99. 

  99. 			return nil, fmt.Errorf("no namespace on ClusterSecretStore webhook secret %s", ref.Name)
    100. 

  100. 		}
    101. 

  101. 		ke.Namespace = *ref.Namespace
    102. 

  102. 	}
    103. 

  103. 	secret := &corev1.Secret{}
    104. 

  104. 	if err := w.kube.Get(ctx, ke, secret); err != nil {
    105. 

  105. 		return nil, fmt.Errorf("failed to get clustersecretstore webhook secret %s: %w", ref.Name, err)
    106. 

  106. 	}
    107. 

  107. 	return secret, nil
    108. 

  108. }
    109. 

  109. 

  110. // Empty GetAllSecrets.
    111. 

  111. func (w *WebHook) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
    112. 

  112. 	// TO be implemented
    113. 

  113. 	return nil, fmt.Errorf("GetAllSecrets not implemented")
    114. 

  114. }
    115. 

  115. 

  116. func (w *WebHook) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
    117. 

  117. 	provider, err := getProvider(w.store)
    118. 

  118. 	if err != nil {
    119. 

  119. 		return nil, fmt.Errorf("failed to get store: %w", err)
    120. 

  120. 	}
    121. 

  121. 	result, err := w.getWebhookData(ctx, provider, ref)
    122. 

  122. 	if err != nil {
    123. 

  123. 		return nil, err
    124. 

  124. 	}
    125. 

  125. 	// Only parse as json if we have a jsonpath set
    126. 

  126. 	if provider.Result.JSONPath != "" {
    127. 

  127. 		jsondata := interface{}(nil)
    128. 

  128. 		if err := yaml.Unmarshal(result, &jsondata); err != nil {
    129. 

  129. 			return nil, fmt.Errorf("failed to parse response json: %w", err)
    130. 

  130. 		}
    131. 

  131. 		jsondata, err = jsonpath.Get(provider.Result.JSONPath, jsondata)
    132. 

  132. 		if err != nil {
    133. 

  133. 			return nil, fmt.Errorf("failed to get response path %s: %w", provider.Result.JSONPath, err)
    134. 

  134. 		}
    135. 

  135. 		jsonvalue, ok := jsondata.(string)
    136. 

  136. 		if !ok {
    137. 

  137. 			return nil, fmt.Errorf("failed to get response (wrong type: %T)", jsondata)
    138. 

  138. 		}
    139. 

  139. 		return []byte(jsonvalue), nil
    140. 

  140. 	}
    141. 

  141. 

  142. 	return result, nil
    143. 

  143. }
    144. 

  144. 

  145. func (w *WebHook) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
    146. 

  146. 	provider, err := getProvider(w.store)
    147. 

  147. 	if err != nil {
    148. 

  148. 		return nil, fmt.Errorf("failed to get store: %w", err)
    149. 

  149. 	}
    150. 

  150. 	result, err := w.getWebhookData(ctx, provider, ref)
    151. 

  151. 	if err != nil {
    152. 

  152. 		return nil, err
    153. 

  153. 	}
    154. 

  154. 

  155. 	// We always want json here, so just parse it out
    156. 

  156. 	jsondata := interface{}(nil)
    157. 

  157. 	if err := yaml.Unmarshal(result, &jsondata); err != nil {
    158. 

  158. 		return nil, fmt.Errorf("failed to parse response json: %w", err)
    159. 

  159. 	}
    160. 

  160. 	// Get subdata via jsonpath, if given
    161. 

  161. 	if provider.Result.JSONPath != "" {
    162. 

  162. 		jsondata, err = jsonpath.Get(provider.Result.JSONPath, jsondata)
    163. 

  163. 		if err != nil {
    164. 

  164. 			return nil, fmt.Errorf("failed to get response path %s: %w", provider.Result.JSONPath, err)
    165. 

  165. 		}
    166. 

  166. 	}
    167. 

  167. 	// If the value is a string, try to parse it as json
    168. 

  168. 	jsonstring, ok := jsondata.(string)
    169. 

  169. 	if ok {
    170. 

  170. 		// This could also happen if the response was a single json-encoded string
    171. 

  171. 		// but that is an extremely unlikely scenario
    172. 

  172. 		if err := yaml.Unmarshal([]byte(jsonstring), &jsondata); err != nil {
    173. 

  173. 			return nil, fmt.Errorf("failed to parse response json from jsonpath: %w", err)
    174. 

  174. 		}
    175. 

  175. 	}
    176. 

  176. 	// Use the data as a key-value map
    177. 

  177. 	jsonvalue, ok := jsondata.(map[string]interface{})
    178. 

  178. 	if !ok {
    179. 

  179. 		return nil, fmt.Errorf("failed to get response (wrong type: %T)", jsondata)
    180. 

  180. 	}
    181. 

  181. 

  182. 	// Change the map of generic objects to a map of byte arrays
    183. 

  183. 	values := make(map[string][]byte)
    184. 

  184. 	for rKey, rValue := range jsonvalue {
    185. 

  185. 		jVal, ok := rValue.(string)
    186. 

  186. 		if !ok {
    187. 

  187. 			return nil, fmt.Errorf("failed to get response (wrong type in key '%s': %T)", rKey, rValue)
    188. 

  188. 		}
    189. 

  189. 		values[rKey] = []byte(jVal)
    190. 

  190. 	}
    191. 

  191. 	return values, nil
    192. 

  192. }
    193. 

  193. 

  194. func (w *WebHook) getTemplateData(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef, secrets []esv1beta1.WebhookSecret) (map[string]map[string]string, error) {
    195. 

  195. 	data := map[string]map[string]string{
    196. 

  196. 		"remoteRef": {
    197. 

  197. 			"key":      url.QueryEscape(ref.Key),
    198. 

  198. 			"version":  url.QueryEscape(ref.Version),
    199. 

  199. 			"property": url.QueryEscape(ref.Property),
    200. 

  200. 		},
    201. 

  201. 	}
    202. 

  202. 	for _, secref := range secrets {
    203. 

  203. 		if _, ok := data[secref.Name]; !ok {
    204. 

  204. 			data[secref.Name] = make(map[string]string)
    205. 

  205. 		}
    206. 

  206. 		secret, err := w.getStoreSecret(ctx, secref.SecretRef)
    207. 

  207. 		if err != nil {
    208. 

  208. 			return nil, err
    209. 

  209. 		}
    210. 

  210. 		for sKey, sVal := range secret.Data {
    211. 

  211. 			data[secref.Name][sKey] = string(sVal)
    212. 

  212. 		}
    213. 

  213. 	}
    214. 

  214. 	return data, nil
    215. 

  215. }
    216. 

  216. 

  217. func (w *WebHook) getWebhookData(ctx context.Context, provider *esv1beta1.WebhookProvider, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
    218. 

  218. 	if w.http == nil {
    219. 

  219. 		return nil, fmt.Errorf("http client not initialized")
    220. 

  220. 	}
    221. 

  221. 	data, err := w.getTemplateData(ctx, ref, provider.Secrets)
    222. 

  222. 	if err != nil {
    223. 

  223. 		return nil, err
    224. 

  224. 	}
    225. 

  225. 	method := provider.Method
    226. 

  226. 	if method == "" {
    227. 

  227. 		method = http.MethodGet
    228. 

  228. 	}
    229. 

  229. 	url, err := executeTemplateString(provider.URL, data)
    230. 

  230. 	if err != nil {
    231. 

  231. 		return nil, fmt.Errorf("failed to parse url: %w", err)
    232. 

  232. 	}
    233. 

  233. 	body, err := executeTemplate(provider.Body, data)
    234. 

  234. 	if err != nil {
    235. 

  235. 		return nil, fmt.Errorf("failed to parse body: %w", err)
    236. 

  236. 	}
    237. 

  237. 

  238. 	req, err := http.NewRequestWithContext(ctx, method, url, &body)
    239. 

  239. 	if err != nil {
    240. 

  240. 		return nil, fmt.Errorf("failed to create request: %w", err)
    241. 

  241. 	}
    242. 

  242. 	for hKey, hValueTpl := range provider.Headers {
    243. 

  243. 		hValue, err := executeTemplateString(hValueTpl, data)
    244. 

  244. 		if err != nil {
    245. 

  245. 			return nil, fmt.Errorf("failed to parse header %s: %w", hKey, err)
    246. 

  246. 		}
    247. 

  247. 		req.Header.Add(hKey, hValue)
    248. 

  248. 	}
    249. 

  249. 

  250. 	resp, err := w.http.Do(req)
    251. 

  251. 	if err != nil {
    252. 

  252. 		return nil, fmt.Errorf("failed to call endpoint: %w", err)
    253. 

  253. 	}
    254. 

  254. 	defer resp.Body.Close()
    255. 

  255. 	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
    256. 

  256. 		return nil, fmt.Errorf("endpoint gave error %s", resp.Status)
    257. 

  257. 	}
    258. 

  258. 	return io.ReadAll(resp.Body)
    259. 

  259. }
    260. 

  260. 

  261. func (w *WebHook) getHTTPClient(provider *esv1beta1.WebhookProvider) (*http.Client, error) {
    262. 

  262. 	client := &http.Client{}
    263. 

  263. 	if provider.Timeout != nil {
    264. 

  264. 		client.Timeout = provider.Timeout.Duration
    265. 

  265. 	}
    266. 

  266. 	if len(provider.CABundle) == 0 && provider.CAProvider == nil {
    267. 

  267. 		// No need to process ca stuff if it is not there
    268. 

  268. 		return client, nil
    269. 

  269. 	}
    270. 

  270. 	caCertPool, err := w.getCACertPool(provider)
    271. 

  271. 	if err != nil {
    272. 

  272. 		return nil, err
    273. 

  273. 	}
    274. 

  274. 

  275. 	tlsConf := &tls.Config{
    276. 

  276. 		RootCAs:    caCertPool,
    277. 

  277. 		MinVersion: tls.VersionTLS12,
    278. 

  278. 	}
    279. 

  279. 	client.Transport = &http.Transport{TLSClientConfig: tlsConf}
    280. 

  280. 	return client, nil
    281. 

  281. }
    282. 

  282. 

  283. func (w *WebHook) getCACertPool(provider *esv1beta1.WebhookProvider) (*x509.CertPool, error) {
    284. 

  284. 	caCertPool := x509.NewCertPool()
    285. 

  285. 	if len(provider.CABundle) > 0 {
    286. 

  286. 		ok := caCertPool.AppendCertsFromPEM(provider.CABundle)
    287. 

  287. 		if !ok {
    288. 

  288. 			return nil, fmt.Errorf("failed to append cabundle")
    289. 

  289. 		}
    290. 

  290. 	}
    291. 

  291. 

  292. 	if provider.CAProvider != nil && w.storeKind == esv1beta1.ClusterSecretStoreKind && provider.CAProvider.Namespace == nil {
    293. 

  293. 		return nil, fmt.Errorf("missing namespace on CAProvider secret")
    294. 

  294. 	}
    295. 

  295. 

  296. 	if provider.CAProvider != nil {
    297. 

  297. 		var cert []byte
    298. 

  298. 		var err error
    299. 

  299. 

  300. 		switch provider.CAProvider.Type {
    301. 

  301. 		case esv1beta1.WebhookCAProviderTypeSecret:
    302. 

  302. 			cert, err = w.getCertFromSecret(provider)
    303. 

  303. 		case esv1beta1.WebhookCAProviderTypeConfigMap:
    304. 

  304. 			cert, err = w.getCertFromConfigMap(provider)
    305. 

  305. 		default:
    306. 

  306. 			err = fmt.Errorf("unknown caprovider type: %s", provider.CAProvider.Type)
    307. 

  307. 		}
    308. 

  308. 

  309. 		if err != nil {
    310. 

  310. 			return nil, err
    311. 

  311. 		}
    312. 

  312. 

  313. 		ok := caCertPool.AppendCertsFromPEM(cert)
    314. 

  314. 		if !ok {
    315. 

  315. 			return nil, fmt.Errorf("failed to append cabundle")
    316. 

  316. 		}
    317. 

  317. 	}
    318. 

  318. 	return caCertPool, nil
    319. 

  319. }
    320. 

  320. 

  321. func (w *WebHook) getCertFromSecret(provider *esv1beta1.WebhookProvider) ([]byte, error) {
    322. 

  322. 	secretRef := esmeta.SecretKeySelector{
    323. 

  323. 		Name: provider.CAProvider.Name,
    324. 

  324. 		Key:  provider.CAProvider.Key,
    325. 

  325. 	}
    326. 

  326. 

  327. 	if provider.CAProvider.Namespace != nil {
    328. 

  328. 		secretRef.Namespace = provider.CAProvider.Namespace
    329. 

  329. 	}
    330. 

  330. 

  331. 	ctx := context.Background()
    332. 

  332. 	res, err := w.secretKeyRef(ctx, &secretRef)
    333. 

  333. 	if err != nil {
    334. 

  334. 		return nil, err
    335. 

  335. 	}
    336. 

  336. 

  337. 	return []byte(res), nil
    338. 

  338. }
    339. 

  339. 

  340. func (w *WebHook) secretKeyRef(ctx context.Context, secretRef *esmeta.SecretKeySelector) (string, error) {
    341. 

  341. 	secret := &corev1.Secret{}
    342. 

  342. 	ref := client.ObjectKey{
    343. 

  343. 		Namespace: w.namespace,
    344. 

  344. 		Name:      secretRef.Name,
    345. 

  345. 	}
    346. 

  346. 	if (w.storeKind == esv1beta1.ClusterSecretStoreKind) &&
    347. 

  347. 		(secretRef.Namespace != nil) {
    348. 

  348. 		ref.Namespace = *secretRef.Namespace
    349. 

  349. 	}
    350. 

  350. 	err := w.kube.Get(ctx, ref, secret)
    351. 

  351. 	if err != nil {
    352. 

  352. 		return "", err
    353. 

  353. 	}
    354. 

  354. 

  355. 	keyBytes, ok := secret.Data[secretRef.Key]
    356. 

  356. 	if !ok {
    357. 

  357. 		return "", err
    358. 

  358. 	}
    359. 

  359. 

  360. 	value := string(keyBytes)
    361. 

  361. 	valueStr := strings.TrimSpace(value)
    362. 

  362. 	return valueStr, nil
    363. 

  363. }
    364. 

  364. 

  365. func (w *WebHook) getCertFromConfigMap(provider *esv1beta1.WebhookProvider) ([]byte, error) {
    366. 

  366. 	objKey := client.ObjectKey{
    367. 

  367. 		Name: provider.CAProvider.Name,
    368. 

  368. 	}
    369. 

  369. 

  370. 	if provider.CAProvider.Namespace != nil {
    371. 

  371. 		objKey.Namespace = *provider.CAProvider.Namespace
    372. 

  372. 	}
    373. 

  373. 

  374. 	configMapRef := &corev1.ConfigMap{}
    375. 

  375. 	ctx := context.Background()
    376. 

  376. 	err := w.kube.Get(ctx, objKey, configMapRef)
    377. 

  377. 	if err != nil {
    378. 

  378. 		return nil, fmt.Errorf("failed to get caprovider secret %s: %w", objKey.Name, err)
    379. 

  379. 	}
    380. 

  380. 

  381. 	val, ok := configMapRef.Data[provider.CAProvider.Key]
    382. 

  382. 	if !ok {
    383. 

  383. 		return nil, fmt.Errorf("failed to get caprovider configmap %s -> %s", objKey.Name, provider.CAProvider.Key)
    384. 

  384. 	}
    385. 

  385. 

  386. 	return []byte(val), nil
    387. 

  387. }
    388. 

  388. 

  389. func (w *WebHook) Close(ctx context.Context) error {
    390. 

  390. 	return nil
    391. 

  391. }
    392. 

  392. 

  393. func (w *WebHook) Validate() error {
    394. 

  394. 	timeout := 4 * time.Second
    395. 

  395. 	url := w.url
    396. 

  396. 

  397. 	return utils.NetworkValidate(url, timeout)
    398. 

  398. }
    399. 

  399. 

  400. func executeTemplateString(tmpl string, data map[string]map[string]string) (string, error) {
    401. 

  401. 	result, err := executeTemplate(tmpl, data)
    402. 

  402. 	if err != nil {
    403. 

  403. 		return "", err
    404. 

  404. 	}
    405. 

  405. 	return result.String(), nil
    406. 

  406. }
    407. 

  407. 

  408. func executeTemplate(tmpl string, data map[string]map[string]string) (bytes.Buffer, error) {
    409. 

  409. 	var result bytes.Buffer
    410. 

  410. 	if tmpl == "" {
    411. 

  411. 		return result, nil
    412. 

  412. 	}
    413. 

  413. 	urlt, err := tpl.New("webhooktemplate").Funcs(sprig.TxtFuncMap()).Funcs(template.FuncMap()).Parse(tmpl)
    414. 

  414. 	if err != nil {
    415. 

  415. 		return result, err
    416. 

  416. 	}
    417. 

  417. 	if err := urlt.Execute(&result, data); err != nil {
    418. 

  418. 		return result, err
    419. 

  419. 	}
    420. 

  420. 	return result, nil
    421. 

  421. }
    422.