Главная Обзор Помощь
Вход
logic855
/
helm-external-secrets
зеркало из https://github.com/external-secrets/external-secrets
1
0
Ответвить 0
Файлы Задачи 0 Вики
Дерево: 4571cfb2cf
Ветки Метки
helm-externa...
/
pkg
/
utils
/
resolvers
/
secret_ref.go

secret_ref.go 2.3 KB
История Исходник

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6.     http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. 

  15. package resolvers
    16. 

  16. 

  17. import (
    18. 

  18. 	"context"
    19. 

  19. 	"fmt"
    20. 

  20. 

  21. 	corev1 "k8s.io/api/core/v1"
    22. 

  22. 	"k8s.io/apimachinery/pkg/types"
    23. 

  23. 	"sigs.k8s.io/controller-runtime/pkg/client"
    24. 

  24. 

  25. 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
    26. 

  26. 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
    27. 

  27. )
    28. 

  28. 

  29. const (
    30. 

  30. 

  31. 	// This is used to determine if a store is cluster-scoped or not.
    32. 

  32. 	// The EmptyStoreKind is not cluster-scoped, hence resources
    33. 

  33. 	// cannot be resolved across namespaces.
    34. 

  34. 	// TODO: when we implement cluster-scoped generators
    35. 

  35. 	// we can remove this and replace it with a interface.
    36. 

  36. 	EmptyStoreKind = "EmptyStoreKind"
    37. 

  37. 

  38. 	errGetKubeSecret         = "cannot get Kubernetes secret %q from namespace %q: %w"
    39. 

  39. 	errSecretKeyFmt          = "cannot find secret data for key: %q"
    40. 

  40. 	errGetKubeSATokenRequest = "cannot request Kubernetes service account token for service account %q: %w"
    41. 

  41. )
    42. 

  42. 

  43. // SecretKeyRef resolves a metav1.SecretKeySelector and returns the value of the secret it points to.
    44. 

  44. // A user must pass the namespace of the originating ExternalSecret, as this may differ
    45. 

  45. // from the namespace defined in the SecretKeySelector.
    46. 

  46. // This func ensures that only a ClusterSecretStore is able to request secrets across namespaces.
    47. 

  47. func SecretKeyRef(
    48. 

  48. 	ctx context.Context,
    49. 

  49. 	c client.Client,
    50. 

  50. 	storeKind string,
    51. 

  51. 	esNamespace string,
    52. 

  52. 	ref *esmeta.SecretKeySelector) (string, error) {
    53. 

  53. 	key := types.NamespacedName{
    54. 

  54. 		Namespace: esNamespace,
    55. 

  55. 		Name:      ref.Name,
    56. 

  56. 	}
    57. 

  57. 	if (storeKind == esv1.ClusterSecretStoreKind) &&
    58. 

  58. 		(ref.Namespace != nil) {
    59. 

  59. 		key.Namespace = *ref.Namespace
    60. 

  60. 	}
    61. 

  61. 	secret := &corev1.Secret{}
    62. 

  62. 	err := c.Get(ctx, key, secret)
    63. 

  63. 	if err != nil {
    64. 

  64. 		return "", fmt.Errorf(errGetKubeSecret, ref.Name, key.Namespace, err)
    65. 

  65. 	}
    66. 

  66. 	val, ok := secret.Data[ref.Key]
    67. 

  67. 	if !ok {
    68. 

  68. 		return "", fmt.Errorf(errSecretKeyFmt, ref.Key)
    69. 

  69. 	}
    70. 

  70. 	return string(val), nil
    71. 

  71. }
    72.