ホーム エクスプローラ ヘルプ
サインイン
logic855
/
helm-external-secrets
同期ミラー https://github.com/external-secrets/external-secrets
1
0
フォーク 0
ファイル 課題 0 Wiki
ツリー: 4392e89376
ブランチ タグ
helm-externa...
/
pkg
/
provider
/
volcengine
/
client.go

client.go 4.4 KB
履歴 Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161 
  1. /*
    2. 

  2. Copyright © 2025 ESO Maintainer Team
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     https://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package volcengine
    18. 

  18. 

  19. import (
    20. 

  20. 	"context"
    21. 

  21. 	"encoding/json"
    22. 

  22. 	"errors"
    23. 

  23. 	"fmt"
    24. 

  24. 

  25. 	"github.com/volcengine/volcengine-go-sdk/service/kms"
    26. 

  26. 	corev1 "k8s.io/api/core/v1"
    27. 

  27. 

  28. 	esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
    29. 

  29. )
    30. 

  30. 

  31. const (
    32. 

  32. 	notImplemented = "not implemented"
    33. 

  33. )
    34. 

  34. 

  35. var _ esapi.SecretsClient = &Client{}
    36. 

  36. 

  37. // Client is a client for the Volcengine provider.
    38. 

  38. type Client struct {
    39. 

  39. 	kms kms.KMSAPI
    40. 

  40. }
    41. 

  41. 

  42. // NewClient creates a new Volcengine client.
    43. 

  43. func NewClient(kms kms.KMSAPI) *Client {
    44. 

  44. 	return &Client{
    45. 

  45. 		kms: kms,
    46. 

  46. 	}
    47. 

  47. }
    48. 

  48. 

  49. // GetSecret retrieves a secret value from Volcengine Secrets Manager.
    50. 

  50. func (c *Client) GetSecret(ctx context.Context, ref esapi.ExternalSecretDataRemoteRef) ([]byte, error) {
    51. 

  51. 	return c.getSecretValue(ctx, ref)
    52. 

  52. }
    53. 

  53. 

  54. // SecretExists checks if a secret exists in Volcengine Secrets Manager.
    55. 

  55. func (c *Client) SecretExists(ctx context.Context, remoteRef esapi.PushSecretRemoteRef) (bool, error) {
    56. 

  56. 	secretName := remoteRef.GetRemoteKey()
    57. 

  57. 	if secretName == "" {
    58. 

  58. 		return false, errors.New("secret name is empty")
    59. 

  59. 	}
    60. 

  60. 	_, err := c.kms.DescribeSecretWithContext(ctx, &kms.DescribeSecretInput{
    61. 

  61. 		SecretName: &secretName,
    62. 

  62. 	})
    63. 

  63. 	if err != nil {
    64. 

  64. 		return false, err
    65. 

  65. 	}
    66. 

  66. 	return true, nil
    67. 

  67. }
    68. 

  68. 

  69. // Validate checks if the provider is configured correctly.
    70. 

  70. func (c *Client) Validate() (esapi.ValidationResult, error) {
    71. 

  71. 	if c.kms != nil {
    72. 

  72. 		return esapi.ValidationResultReady, nil
    73. 

  73. 	}
    74. 

  74. 	return esapi.ValidationResultError, errors.New("kms client is not initialized")
    75. 

  75. }
    76. 

  76. 

  77. // GetSecretMap retrieves a secret value and unmarshals it as a map.
    78. 

  78. func (c *Client) GetSecretMap(ctx context.Context, ref esapi.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
    79. 

  79. 	value, err := c.getSecretValue(ctx, ref)
    80. 

  80. 	if err != nil {
    81. 

  81. 		return nil, err
    82. 

  82. 	}
    83. 

  83. 

  84. 	var rawSecretMap map[string]json.RawMessage
    85. 

  85. 	if err := json.Unmarshal(value, &rawSecretMap); err != nil {
    86. 

  86. 		return nil, fmt.Errorf("failed to unmarshal secret: %w", err)
    87. 

  87. 	}
    88. 

  88. 

  89. 	secretMap := make(map[string][]byte, len(rawSecretMap))
    90. 

  90. 	for key, value := range rawSecretMap {
    91. 

  91. 		secretMap[key] = []byte(value)
    92. 

  92. 	}
    93. 

  93. 	return secretMap, nil
    94. 

  94. }
    95. 

  95. 

  96. // GetAllSecrets retrieves all secrets matching the given criteria.
    97. 

  97. func (c *Client) GetAllSecrets(_ context.Context, _ esapi.ExternalSecretFind) (map[string][]byte, error) {
    98. 

  98. 	return nil, errors.New(notImplemented)
    99. 

  99. }
    100. 

  100. 

  101. // PushSecret creates or updates a secret in Volcengine Secrets Manager.
    102. 

  102. func (c *Client) PushSecret(_ context.Context, _ *corev1.Secret, _ esapi.PushSecretData) error {
    103. 

  103. 	return errors.New(notImplemented)
    104. 

  104. }
    105. 

  105. 

  106. // DeleteSecret deletes a secret from Volcengine Secrets Manager.
    107. 

  107. func (c *Client) DeleteSecret(_ context.Context, _ esapi.PushSecretRemoteRef) error {
    108. 

  108. 	return errors.New(notImplemented)
    109. 

  109. }
    110. 

  110. 

  111. // Close is a no-op for the Volcengine client.
    112. 

  112. func (c *Client) Close(_ context.Context) error {
    113. 

  113. 	return nil
    114. 

  114. }
    115. 

  115. 

  116. func (c *Client) getSecretValue(ctx context.Context, ref esapi.ExternalSecretDataRemoteRef) ([]byte, error) {
    117. 

  117. 	output, err := c.kms.GetSecretValueWithContext(ctx, &kms.GetSecretValueInput{
    118. 

  118. 		SecretName: &ref.Key,
    119. 

  119. 		VersionID:  resolveVersion(ref),
    120. 

  120. 	})
    121. 

  121. 	if err != nil {
    122. 

  122. 		return nil, err
    123. 

  123. 	}
    124. 

  124. 

  125. 	if output.SecretValue == nil {
    126. 

  126. 		return nil, fmt.Errorf("secret %s has no value", ref.Key)
    127. 

  127. 	}
    128. 

  128. 

  129. 	secret := []byte(*output.SecretValue)
    130. 

  130. 

  131. 	if ref.Property == "" {
    132. 

  132. 		return secret, nil
    133. 

  133. 	}
    134. 

  134. 

  135. 	return extractProperty(secret, ref.Property)
    136. 

  136. }
    137. 

  137. 

  138. func extractProperty(secret []byte, property string) ([]byte, error) {
    139. 

  139. 	var secretMap map[string]json.RawMessage
    140. 

  140. 	if err := json.Unmarshal(secret, &secretMap); err != nil {
    141. 

  141. 		return nil, fmt.Errorf("failed to unmarshal secret: %w", err)
    142. 

  142. 	}
    143. 

  143. 

  144. 	value, ok := secretMap[property]
    145. 

  145. 	if !ok {
    146. 

  146. 		return nil, fmt.Errorf("property %q not found in secret", property)
    147. 

  147. 	}
    148. 

  148. 

  149. 	var s string
    150. 

  150. 	if json.Unmarshal(value, &s) == nil {
    151. 

  151. 		return []byte(s), nil
    152. 

  152. 	}
    153. 

  153. 	return value, nil
    154. 

  154. }
    155. 

  155. 

  156. func resolveVersion(ref esapi.ExternalSecretDataRemoteRef) *string {
    157. 

  157. 	if ref.Version != "" {
    158. 

  158. 		return &ref.Version
    159. 

  159. 	}
    160. 

  160. 	return nil
    161. 

  161. }
    162.