logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196
							/*
Copyright © The ESO Authors

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package esutils

import (
	"context"
	"errors"
	"fmt"

	authenticationv1 "k8s.io/api/authentication/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	typedcorev1 "k8s.io/client-go/kubernetes/typed/core/v1"
	"k8s.io/client-go/rest"
	"k8s.io/client-go/tools/clientcmd"
	kclient "sigs.k8s.io/controller-runtime/pkg/client"

	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
	"github.com/external-secrets/external-secrets/runtime/esutils/resolvers"
)

const errUnableCreateK8sSAToken = "cannot create service account token: %q"

// ErrMultipleAuthMethods is returned when more than one inline auth method is configured.
var ErrMultipleAuthMethods = errors.New("multiple auth methods provided: set exactly one of Token, ServiceAccount, or Cert")

// ErrAuthRefWithInlineAuth is returned when both authRef and inline auth are set.
var ErrAuthRefWithInlineAuth = errors.New("authRef and inline auth cannot both be set")

// BuildRESTConfigFromKubernetesConnection builds a *rest.Config from the same
// server/auth fields used by the Kubernetes SecretStore provider. It is shared
// by the kubernetes and CRD providers.
func BuildRESTConfigFromKubernetesConnection(
	ctx context.Context,
	ctrlClient kclient.Client,
	coreV1 typedcorev1.CoreV1Interface,
	storeKind, esNamespace string,
	server esv1.KubernetesServer,
	auth *esv1.KubernetesAuth,
	authRef *esmeta.SecretKeySelector,
) (*rest.Config, error) {
	if authRef != nil {
		if auth != nil {
			return nil, ErrAuthRefWithInlineAuth
		}
		cfg, err := fetchKubernetesSecretKey(ctx, ctrlClient, storeKind, esNamespace, *authRef)
		if err != nil {
			return nil, err
		}
		return clientcmd.RESTConfigFromKubeConfig(cfg)
	}

	if auth == nil {
		return nil, errors.New("no auth provider given")
	}

	if server.URL == "" {
		return nil, errors.New("no server URL provided")
	}

	cfg := &rest.Config{
		Host: server.URL,
	}

	ca, err := FetchCACertFromSource(ctx, CreateCertOpts{
		CABundle:   server.CABundle,
		CAProvider: server.CAProvider,
		StoreKind:  storeKind,
		Namespace:  esNamespace,
		Client:     ctrlClient,
	})
	if err != nil {
		return nil, err
	}

	cfg.TLSClientConfig = rest.TLSClientConfig{
		Insecure: false,
		CAData:   ca,
	}

	if err := applyInlineAuth(ctx, ctrlClient, coreV1, storeKind, esNamespace, auth, cfg); err != nil {
		return nil, err
	}
	return cfg, nil
}

// applyInlineAuth validates that exactly one auth method is set and populates cfg accordingly.
func applyInlineAuth(
	ctx context.Context,
	ctrlClient kclient.Client,
	coreV1 typedcorev1.CoreV1Interface,
	storeKind, esNamespace string,
	auth *esv1.KubernetesAuth,
	cfg *rest.Config,
) error {
	set := 0
	if auth.Token != nil {
		set++
	}
	if auth.ServiceAccount != nil {
		set++
	}
	if auth.Cert != nil {
		set++
	}
	if set > 1 {
		return ErrMultipleAuthMethods
	}

	switch {
	case auth.Token != nil:
		token, err := fetchKubernetesSecretKey(ctx, ctrlClient, storeKind, esNamespace, auth.Token.BearerToken)
		if err != nil {
			return fmt.Errorf("could not fetch Auth.Token.BearerToken: %w", err)
		}
		cfg.BearerToken = string(token)
	case auth.ServiceAccount != nil:
		token, err := serviceAccountToken(ctx, coreV1, storeKind, esNamespace, auth.ServiceAccount)
		if err != nil {
			return fmt.Errorf("could not fetch Auth.ServiceAccount: %w", err)
		}
		cfg.BearerToken = string(token)
	case auth.Cert != nil:
		key, cert, err := clientCertKeyFromSecrets(ctx, ctrlClient, storeKind, esNamespace, auth.Cert)
		if err != nil {
			return fmt.Errorf("could not fetch client key and cert: %w", err)
		}
		cfg.TLSClientConfig.KeyData = key
		cfg.TLSClientConfig.CertData = cert
	default:
		return errors.New("no auth provider given")
	}
	return nil
}

// fetchKubernetesSecretKey resolves a SecretKeySelector and returns its value as bytes.
func fetchKubernetesSecretKey(ctx context.Context, ctrlClient kclient.Client, storeKind, esNamespace string, ref esmeta.SecretKeySelector) ([]byte, error) {
	secret, err := resolvers.SecretKeyRef(
		ctx,
		ctrlClient,
		storeKind,
		esNamespace,
		&ref,
	)
	if err != nil {
		return nil, err
	}
	return []byte(secret), nil
}

// serviceAccountToken creates a short-lived token for the referenced service account.
// For ClusterSecretStore, serviceAccountRef.namespace overrides the provided namespace.
func serviceAccountToken(ctx context.Context, coreV1 typedcorev1.CoreV1Interface, storeKind, namespace string, serviceAccountRef *esmeta.ServiceAccountSelector) ([]byte, error) {
	if storeKind == esv1.ClusterSecretStoreKind && serviceAccountRef.Namespace != nil {
		namespace = *serviceAccountRef.Namespace
	}
	expirationSeconds := int64(3600)
	tr, err := coreV1.ServiceAccounts(namespace).CreateToken(ctx, serviceAccountRef.Name, &authenticationv1.TokenRequest{
		Spec: authenticationv1.TokenRequestSpec{
			Audiences:         serviceAccountRef.Audiences,
			ExpirationSeconds: &expirationSeconds,
		},
	}, metav1.CreateOptions{})
	if err != nil {
		return nil, fmt.Errorf(errUnableCreateK8sSAToken, err)
	}
	return []byte(tr.Status.Token), nil
}

// clientCertKeyFromSecrets fetches client certificate and key material from Secrets.
// It returns key bytes first, then certificate bytes to match rest.TLSClientConfig fields.
func clientCertKeyFromSecrets(ctx context.Context, ctrlClient kclient.Client, storeKind, esNamespace string, cert *esv1.CertAuth) ([]byte, []byte, error) {
	certPEM, err := fetchKubernetesSecretKey(ctx, ctrlClient, storeKind, esNamespace, cert.ClientCert)
	if err != nil {
		return nil, nil, fmt.Errorf("unable to fetch client certificate: %w", err)
	}
	keyPEM, err := fetchKubernetesSecretKey(ctx, ctrlClient, storeKind, esNamespace, cert.ClientKey)
	if err != nil {
		return nil, nil, fmt.Errorf("unable to fetch client key: %w", err)
	}
	return keyPEM, certPEM, nil
}