Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: 48a51c8111
Branches Tags
helm-externa...
/
pkg
/
provider
/
conjur
/
client.go

client.go 4.2 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6. 	http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. 

  15. package conjur
    16. 

  16. 

  17. import (
    18. 

  18. 	"context"
    19. 

  19. 	"errors"
    20. 

  20. 	"fmt"
    21. 

  21. 

  22. 	"github.com/cyberark/conjur-api-go/conjurapi"
    23. 

  23. 	"github.com/cyberark/conjur-api-go/conjurapi/authn"
    24. 

  24. 	corev1 "k8s.io/api/core/v1"
    25. 

  25. 	typedcorev1 "k8s.io/client-go/kubernetes/typed/core/v1"
    26. 

  26. 	"sigs.k8s.io/controller-runtime/pkg/client"
    27. 

  27. 

  28. 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
    29. 

  29. 	"github.com/external-secrets/external-secrets/pkg/provider/conjur/util"
    30. 

  30. 	"github.com/external-secrets/external-secrets/pkg/utils"
    31. 

  31. 	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
    32. 

  32. )
    33. 

  33. 

  34. var (
    35. 

  35. 	errConjurClient          = "cannot setup new Conjur client: %w"
    36. 

  36. 	errBadServiceUser        = "could not get Auth.Apikey.UserRef: %w"
    37. 

  37. 	errBadServiceAPIKey      = "could not get Auth.Apikey.ApiKeyRef: %w"
    38. 

  38. 	errGetKubeSATokenRequest = "cannot request Kubernetes service account token for service account %q: %w"
    39. 

  39. 	errSecretKeyFmt          = "cannot find secret data for key: %q"
    40. 

  40. )
    41. 

  41. 

  42. // Client is a provider for Conjur.
    43. 

  43. type Client struct {
    44. 

  44. 	StoreKind string
    45. 

  45. 	kube      client.Client
    46. 

  46. 	store     esv1beta1.GenericStore
    47. 

  47. 	namespace string
    48. 

  48. 	corev1    typedcorev1.CoreV1Interface
    49. 

  49. 	clientAPI SecretsClientFactory
    50. 

  50. 	client    SecretsClient
    51. 

  51. }
    52. 

  52. 

  53. func (c *Client) GetConjurClient(ctx context.Context) (SecretsClient, error) {
    54. 

  54. 	// if the client is initialized already, return it
    55. 

  55. 	if c.client != nil {
    56. 

  56. 		return c.client, nil
    57. 

  57. 	}
    58. 

  58. 

  59. 	prov, err := util.GetConjurProvider(c.store)
    60. 

  60. 	if err != nil {
    61. 

  61. 		return nil, err
    62. 

  62. 	}
    63. 

  63. 

  64. 	cert, getCertErr := utils.FetchCACertFromSource(ctx, utils.CreateCertOpts{
    65. 

  65. 		CABundle:   []byte(prov.CABundle),
    66. 

  66. 		CAProvider: prov.CAProvider,
    67. 

  67. 		StoreKind:  c.store.GetKind(),
    68. 

  68. 		Namespace:  c.namespace,
    69. 

  69. 		Client:     c.kube,
    70. 

  70. 	})
    71. 

  71. 	if getCertErr != nil {
    72. 

  72. 		return nil, getCertErr
    73. 

  73. 	}
    74. 

  74. 

  75. 	config := conjurapi.Config{
    76. 

  76. 		ApplianceURL: prov.URL,
    77. 

  77. 		SSLCert:      string(cert),
    78. 

  78. 	}
    79. 

  79. 

  80. 	if prov.Auth.APIKey != nil {
    81. 

  81. 		config.Account = prov.Auth.APIKey.Account
    82. 

  82. 		conjUser, secErr := resolvers.SecretKeyRef(
    83. 

  83. 			ctx,
    84. 

  84. 			c.kube,
    85. 

  85. 			c.StoreKind,
    86. 

  86. 			c.namespace, prov.Auth.APIKey.UserRef)
    87. 

  87. 		if secErr != nil {
    88. 

  88. 			return nil, fmt.Errorf(errBadServiceUser, secErr)
    89. 

  89. 		}
    90. 

  90. 		conjAPIKey, secErr := resolvers.SecretKeyRef(
    91. 

  91. 			ctx,
    92. 

  92. 			c.kube,
    93. 

  93. 			c.StoreKind,
    94. 

  94. 			c.namespace,
    95. 

  95. 			prov.Auth.APIKey.APIKeyRef)
    96. 

  96. 		if secErr != nil {
    97. 

  97. 			return nil, fmt.Errorf(errBadServiceAPIKey, secErr)
    98. 

  98. 		}
    99. 

  99. 

  100. 		conjur, newClientFromKeyError := c.clientAPI.NewClientFromKey(config,
    101. 

  101. 			authn.LoginPair{
    102. 

  102. 				Login:  conjUser,
    103. 

  103. 				APIKey: conjAPIKey,
    104. 

  104. 			},
    105. 

  105. 		)
    106. 

  106. 

  107. 		if newClientFromKeyError != nil {
    108. 

  108. 			return nil, fmt.Errorf(errConjurClient, newClientFromKeyError)
    109. 

  109. 		}
    110. 

  110. 		c.client = conjur
    111. 

  111. 		return conjur, nil
    112. 

  112. 	} else if prov.Auth.Jwt != nil {
    113. 

  113. 		config.Account = prov.Auth.Jwt.Account
    114. 

  114. 

  115. 		conjur, clientFromJwtError := c.newClientFromJwt(ctx, config, prov.Auth.Jwt)
    116. 

  116. 		if clientFromJwtError != nil {
    117. 

  117. 			return nil, fmt.Errorf(errConjurClient, clientFromJwtError)
    118. 

  118. 		}
    119. 

  119. 

  120. 		c.client = conjur
    121. 

  121. 

  122. 		return conjur, nil
    123. 

  123. 	} else {
    124. 

  124. 		// Should not happen because validate func should catch this
    125. 

  125. 		return nil, errors.New("no authentication method provided")
    126. 

  126. 	}
    127. 

  127. }
    128. 

  128. 

  129. // PushSecret will write a single secret into the provider.
    130. 

  130. func (c *Client) PushSecret(_ context.Context, _ *corev1.Secret, _ esv1beta1.PushSecretData) error {
    131. 

  131. 	// NOT IMPLEMENTED
    132. 

  132. 	return nil
    133. 

  133. }
    134. 

  134. 

  135. func (c *Client) DeleteSecret(_ context.Context, _ esv1beta1.PushSecretRemoteRef) error {
    136. 

  136. 	// NOT IMPLEMENTED
    137. 

  137. 	return nil
    138. 

  138. }
    139. 

  139. 

  140. func (c *Client) SecretExists(_ context.Context, _ esv1beta1.PushSecretRemoteRef) (bool, error) {
    141. 

  141. 	return false, errors.New("not implemented")
    142. 

  142. }
    143. 

  143. 

  144. // Validate validates the provider.
    145. 

  145. func (c *Client) Validate() (esv1beta1.ValidationResult, error) {
    146. 

  146. 	return esv1beta1.ValidationResultReady, nil
    147. 

  147. }
    148. 

  148. 

  149. // Close closes the provider.
    150. 

  150. func (c *Client) Close(_ context.Context) error {
    151. 

  151. 	return nil
    152. 

  152. }
    153.