pushsecret_controller.go 45 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285
  1. /*
  2. Copyright © The ESO Authors
  3. Licensed under the Apache License, Version 2.0 (the "License");
  4. you may not use this file except in compliance with the License.
  5. You may obtain a copy of the License at
  6. https://www.apache.org/licenses/LICENSE-2.0
  7. Unless required by applicable law or agreed to in writing, software
  8. distributed under the License is distributed on an "AS IS" BASIS,
  9. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  10. See the License for the specific language governing permissions and
  11. limitations under the License.
  12. */
  13. // Package pushsecret implements the controller for managing PushSecret resources.
  14. package pushsecret
  15. import (
  16. "bytes"
  17. "context"
  18. "errors"
  19. "fmt"
  20. "maps"
  21. "regexp"
  22. "slices"
  23. "strings"
  24. "text/template"
  25. "time"
  26. "github.com/go-logr/logr"
  27. v1 "k8s.io/api/core/v1"
  28. apierrors "k8s.io/apimachinery/pkg/api/errors"
  29. metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
  30. "k8s.io/apimachinery/pkg/labels"
  31. "k8s.io/apimachinery/pkg/runtime"
  32. "k8s.io/apimachinery/pkg/types"
  33. "k8s.io/client-go/rest"
  34. "k8s.io/client-go/tools/record"
  35. ctrl "sigs.k8s.io/controller-runtime"
  36. "sigs.k8s.io/controller-runtime/pkg/builder"
  37. "sigs.k8s.io/controller-runtime/pkg/client"
  38. "sigs.k8s.io/controller-runtime/pkg/controller"
  39. "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
  40. "sigs.k8s.io/controller-runtime/pkg/event"
  41. "sigs.k8s.io/controller-runtime/pkg/predicate"
  42. esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
  43. esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
  44. genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
  45. ctrlmetrics "github.com/external-secrets/external-secrets/pkg/controllers/metrics"
  46. "github.com/external-secrets/external-secrets/pkg/controllers/pushsecret/psmetrics"
  47. "github.com/external-secrets/external-secrets/pkg/controllers/secretstore"
  48. ctrlutil "github.com/external-secrets/external-secrets/pkg/controllers/util"
  49. "github.com/external-secrets/external-secrets/runtime/esutils"
  50. "github.com/external-secrets/external-secrets/runtime/esutils/resolvers"
  51. "github.com/external-secrets/external-secrets/runtime/statemanager"
  52. estemplate "github.com/external-secrets/external-secrets/runtime/template/v2"
  53. "github.com/external-secrets/external-secrets/runtime/util/locks"
  54. // Load registered generators.
  55. _ "github.com/external-secrets/external-secrets/pkg/register"
  56. )
  57. const (
  58. errFailedGetSecret = "could not get source secret"
  59. errPatchStatus = "error merging"
  60. errGetSecretStore = "could not get SecretStore %q, %w"
  61. errGetClusterSecretStore = "could not get ClusterSecretStore %q, %w"
  62. errSetSecretFailed = "could not write remote ref %v to target secretstore %v: %v"
  63. errFailedSetSecret = "set secret failed: %v"
  64. errConvert = "could not apply conversion strategy to keys: %v"
  65. pushSecretFinalizer = "pushsecret.externalsecrets.io/finalizer"
  66. errCloudNotUpdateFinalizer = "could not update finalizers: %w"
  67. bundleSourceKey = "(bundle)"
  68. )
  69. // Reconciler is the controller for PushSecret resources.
  70. // It manages the lifecycle of PushSecrets, ensuring that secrets are pushed to
  71. // specified secret stores according to the defined policies and templates.
  72. type Reconciler struct {
  73. client.Client
  74. Log logr.Logger
  75. Scheme *runtime.Scheme
  76. recorder record.EventRecorder
  77. RestConfig *rest.Config
  78. RequeueInterval time.Duration
  79. ControllerClass string
  80. }
  81. type generationChangedOrDeletionPredicate struct {
  82. predicate.GenerationChangedPredicate
  83. }
  84. func (generationChangedOrDeletionPredicate) Update(e event.UpdateEvent) bool {
  85. if e.ObjectNew.GetDeletionTimestamp() != nil {
  86. return true
  87. }
  88. return e.ObjectNew.GetGeneration() != e.ObjectOld.GetGeneration()
  89. }
  90. // storeInfo holds the identifying attributes of a secret store for per-store processing.
  91. type storeInfo struct {
  92. Name string
  93. Kind string
  94. Labels map[string]string
  95. }
  96. }
  97. // SetupWithManager sets up the controller with the Manager.
  98. // It configures the controller to watch PushSecret resources and
  99. // manages indexing for efficient lookups based on secret stores and deletion policies.
  100. func (r *Reconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manager, opts controller.Options) error {
  101. r.recorder = mgr.GetEventRecorderFor("pushsecret")
  102. // Index PushSecrets by the stores they have pushed to (for finalizer management on store deletion)
  103. // Refer to common.go for more details on the index function
  104. if err := mgr.GetFieldIndexer().IndexField(ctx, &esapi.PushSecret{}, "status.syncedPushSecrets", func(obj client.Object) []string {
  105. ps := obj.(*esapi.PushSecret)
  106. // Only index PushSecrets with DeletionPolicy=Delete for efficiency
  107. if ps.Spec.DeletionPolicy != esapi.PushSecretDeletionPolicyDelete {
  108. return nil
  109. }
  110. // Format is typically "Kind/Name" (e.g., "SecretStore/store1", "ClusterSecretStore/clusterstore1")
  111. storeKeys := make([]string, 0, len(ps.Status.SyncedPushSecrets))
  112. for storeKey := range ps.Status.SyncedPushSecrets {
  113. storeKeys = append(storeKeys, storeKey)
  114. }
  115. return storeKeys
  116. }); err != nil {
  117. return err
  118. }
  119. // Index PushSecrets by deletionPolicy for quick filtering
  120. if err := mgr.GetFieldIndexer().IndexField(ctx, &esapi.PushSecret{}, "spec.deletionPolicy", func(obj client.Object) []string {
  121. ps := obj.(*esapi.PushSecret)
  122. return []string{string(ps.Spec.DeletionPolicy)}
  123. }); err != nil {
  124. return err
  125. }
  126. return ctrl.NewControllerManagedBy(mgr).
  127. WithOptions(opts).
  128. For(&esapi.PushSecret{}, builder.WithPredicates(generationChangedOrDeletionPredicate{})).
  129. Complete(r)
  130. }
  131. // Reconcile is part of the main kubernetes reconciliation loop which aims to
  132. // move the current state of the cluster closer to the desired state.
  133. // For more details, check Reconcile and its Result here:
  134. // - https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/reconcile
  135. func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
  136. log := r.Log.WithValues("pushsecret", req.NamespacedName)
  137. resourceLabels := ctrlmetrics.RefineNonConditionMetricLabels(map[string]string{"name": req.Name, "namespace": req.Namespace})
  138. start := time.Now()
  139. pushSecretReconcileDuration := psmetrics.GetGaugeVec(psmetrics.PushSecretReconcileDurationKey)
  140. defer func() { pushSecretReconcileDuration.With(resourceLabels).Set(float64(time.Since(start))) }()
  141. var ps esapi.PushSecret
  142. mgr := secretstore.NewManager(r.Client, r.ControllerClass, false)
  143. defer func() {
  144. _ = mgr.Close(ctx)
  145. }()
  146. if err := r.Get(ctx, req.NamespacedName, &ps); err != nil {
  147. if apierrors.IsNotFound(err) {
  148. return ctrl.Result{}, nil
  149. }
  150. msg := "unable to get PushSecret"
  151. r.recorder.Event(&ps, v1.EventTypeWarning, esapi.ReasonErrored, msg)
  152. log.Error(err, msg)
  153. return ctrl.Result{}, fmt.Errorf("get resource: %w", err)
  154. }
  155. refreshInt := r.RequeueInterval
  156. if ps.Spec.RefreshInterval != nil {
  157. refreshInt = ps.Spec.RefreshInterval.Duration
  158. }
  159. p := client.MergeFrom(ps.DeepCopy())
  160. defer func() {
  161. err := r.Client.Status().Patch(ctx, &ps, p)
  162. if err != nil && !apierrors.IsNotFound(err) {
  163. log.Error(err, errPatchStatus)
  164. }
  165. }()
  166. switch ps.Spec.DeletionPolicy {
  167. case esapi.PushSecretDeletionPolicyDelete:
  168. // finalizer logic. Only added if we should delete the secrets
  169. if ps.ObjectMeta.DeletionTimestamp.IsZero() {
  170. if added := controllerutil.AddFinalizer(&ps, pushSecretFinalizer); added {
  171. if err := r.Client.Update(ctx, &ps, &client.UpdateOptions{}); err != nil {
  172. return ctrl.Result{}, fmt.Errorf(errCloudNotUpdateFinalizer, err)
  173. }
  174. return ctrl.Result{Requeue: true}, nil
  175. }
  176. } else if controllerutil.ContainsFinalizer(&ps, pushSecretFinalizer) {
  177. // trigger a cleanup with no Synced Map
  178. badState, err := r.DeleteSecretFromProviders(ctx, &ps, esapi.SyncedPushSecretsMap{}, mgr)
  179. if err != nil {
  180. msg := fmt.Sprintf("Failed to Delete Secrets from Provider: %v", err)
  181. r.markAsFailed(msg, &ps, badState)
  182. return ctrl.Result{}, err
  183. }
  184. controllerutil.RemoveFinalizer(&ps, pushSecretFinalizer)
  185. if err := r.Client.Update(ctx, &ps, &client.UpdateOptions{}); err != nil {
  186. return ctrl.Result{}, fmt.Errorf("could not update finalizers: %w", err)
  187. }
  188. return ctrl.Result{}, nil
  189. }
  190. case esapi.PushSecretDeletionPolicyNone:
  191. if controllerutil.ContainsFinalizer(&ps, pushSecretFinalizer) {
  192. controllerutil.RemoveFinalizer(&ps, pushSecretFinalizer)
  193. if err := r.Client.Update(ctx, &ps, &client.UpdateOptions{}); err != nil {
  194. return ctrl.Result{}, fmt.Errorf(errCloudNotUpdateFinalizer, err)
  195. }
  196. }
  197. default:
  198. }
  199. timeSinceLastRefresh := 0 * time.Second
  200. if !ps.Status.RefreshTime.IsZero() {
  201. timeSinceLastRefresh = time.Since(ps.Status.RefreshTime.Time)
  202. }
  203. if !shouldRefresh(ps) {
  204. refreshInt = (ps.Spec.RefreshInterval.Duration - timeSinceLastRefresh) + 5*time.Second
  205. log.V(1).Info("skipping refresh", "rv", ctrlutil.GetResourceVersion(ps.ObjectMeta), "nr", refreshInt.Seconds())
  206. return ctrl.Result{RequeueAfter: refreshInt}, nil
  207. }
  208. if err := validateDataToStoreRefs(ps.Spec.DataTo, ps.Spec.SecretStoreRefs); err != nil {
  209. r.markAsFailed(err.Error(), &ps, nil)
  210. return ctrl.Result{}, err
  211. }
  212. secrets, err := r.resolveSecrets(ctx, &ps)
  213. if err != nil {
  214. isSecretSelector := ps.Spec.Selector.Secret != nil && ps.Spec.Selector.Secret.Name != ""
  215. if apierrors.IsNotFound(err) && isSecretSelector &&
  216. ps.Spec.DeletionPolicy == esapi.PushSecretDeletionPolicyDelete &&
  217. len(ps.Status.SyncedPushSecrets) > 0 {
  218. return ctrl.Result{}, r.handleSourceSecretDeleted(ctx, &ps, mgr)
  219. }
  220. r.markAsFailed(errFailedGetSecret, &ps, nil)
  221. return ctrl.Result{}, err
  222. }
  223. secretStores, err := r.GetSecretStores(ctx, ps)
  224. if err != nil {
  225. r.markAsFailed(err.Error(), &ps, nil)
  226. return ctrl.Result{}, err
  227. }
  228. // Filter out SecretStores that are being deleted to avoid finalizer conflicts
  229. activeSecretStores := make(map[esapi.PushSecretStoreRef]esv1.GenericStore, len(secretStores))
  230. for ref, store := range secretStores {
  231. // Skip stores that are being deleted
  232. if !store.GetDeletionTimestamp().IsZero() {
  233. log.Info("skipping SecretStore that is being deleted", "storeName", store.GetName(), "storeKind", store.GetKind())
  234. continue
  235. }
  236. activeSecretStores[ref] = store
  237. }
  238. secretStores, err = removeUnmanagedStores(ctx, req.Namespace, r, activeSecretStores)
  239. if err != nil {
  240. r.markAsFailed(err.Error(), &ps, nil)
  241. return ctrl.Result{}, err
  242. }
  243. // if no stores are managed by this controller
  244. if len(secretStores) == 0 {
  245. return ctrl.Result{}, nil
  246. }
  247. if err := validateDataToMatchesResolvedStores(ps.Spec.DataTo, secretStores); err != nil {
  248. r.markAsFailed(err.Error(), &ps, nil)
  249. return ctrl.Result{}, err
  250. }
  251. allSyncedSecrets := make(esapi.SyncedPushSecretsMap)
  252. for _, secret := range secrets {
  253. if err := r.applyTemplate(ctx, &ps, &secret); err != nil {
  254. return ctrl.Result{}, err
  255. }
  256. syncedSecrets, err := r.PushSecretToProviders(ctx, secretStores, ps, &secret, mgr)
  257. if err != nil {
  258. if errors.Is(err, locks.ErrConflict) {
  259. log.Info("retry to acquire lock to update the secret later", "error", err)
  260. return ctrl.Result{Requeue: true}, nil
  261. }
  262. totalSecrets := mergeSecretState(syncedSecrets, ps.Status.SyncedPushSecrets)
  263. msg := fmt.Sprintf(errFailedSetSecret, err)
  264. r.markAsFailed(msg, &ps, totalSecrets)
  265. return ctrl.Result{}, err
  266. }
  267. switch ps.Spec.DeletionPolicy {
  268. case esapi.PushSecretDeletionPolicyDelete:
  269. badSyncState, err := r.DeleteSecretFromProviders(ctx, &ps, syncedSecrets, mgr)
  270. if err != nil {
  271. msg := fmt.Sprintf("Failed to Delete Secrets from Provider: %v", err)
  272. r.markAsFailed(msg, &ps, badSyncState)
  273. return ctrl.Result{}, err
  274. }
  275. case esapi.PushSecretDeletionPolicyNone:
  276. default:
  277. }
  278. allSyncedSecrets = mergeSecretState(allSyncedSecrets, syncedSecrets)
  279. }
  280. r.markAsDone(&ps, allSyncedSecrets, start)
  281. return ctrl.Result{RequeueAfter: refreshInt}, nil
  282. }
  283. // handleSourceSecretDeleted cleans up provider secrets when source Secret is unavailable.
  284. func (r *Reconciler) handleSourceSecretDeleted(ctx context.Context, ps *esapi.PushSecret, mgr *secretstore.Manager) error {
  285. log := r.Log.WithValues("pushsecret", client.ObjectKeyFromObject(ps))
  286. log.Info("source secret unavailable, cleaning up provider secrets", "syncedSecrets", len(ps.Status.SyncedPushSecrets))
  287. badState, err := r.DeleteSecretFromProviders(ctx, ps, esapi.SyncedPushSecretsMap{}, mgr)
  288. if err != nil {
  289. msg := fmt.Sprintf("failed to cleanup provider secrets: %v", err)
  290. r.markAsFailed(msg, ps, badState)
  291. return err
  292. }
  293. r.setSecrets(ps, esapi.SyncedPushSecretsMap{})
  294. r.markAsSourceDeleted(ps)
  295. return nil
  296. }
  297. func shouldRefresh(ps esapi.PushSecret) bool {
  298. if ps.Status.SyncedResourceVersion != ctrlutil.GetResourceVersion(ps.ObjectMeta) {
  299. return true
  300. }
  301. if ps.Spec.RefreshInterval.Duration == 0 && ps.Status.SyncedResourceVersion != "" {
  302. return false
  303. }
  304. if ps.Status.RefreshTime.IsZero() {
  305. return true
  306. }
  307. return ps.Status.RefreshTime.Add(ps.Spec.RefreshInterval.Duration).Before(time.Now())
  308. }
  309. func (r *Reconciler) markAsFailed(msg string, ps *esapi.PushSecret, syncState esapi.SyncedPushSecretsMap) {
  310. cond := NewPushSecretCondition(esapi.PushSecretReady, v1.ConditionFalse, esapi.ReasonErrored, msg)
  311. SetPushSecretCondition(ps, *cond)
  312. if syncState != nil {
  313. r.setSecrets(ps, syncState)
  314. }
  315. r.recorder.Event(ps, v1.EventTypeWarning, esapi.ReasonErrored, msg)
  316. }
  317. func (r *Reconciler) markAsSourceDeleted(ps *esapi.PushSecret) {
  318. msg := "source secret deleted; provider secrets cleaned up"
  319. cond := NewPushSecretCondition(esapi.PushSecretReady, v1.ConditionFalse, esapi.ReasonSourceDeleted, msg)
  320. SetPushSecretCondition(ps, *cond)
  321. r.recorder.Event(ps, v1.EventTypeNormal, esapi.ReasonSourceDeleted, msg)
  322. }
  323. func (r *Reconciler) markAsDone(ps *esapi.PushSecret, secrets esapi.SyncedPushSecretsMap, start time.Time) {
  324. msg := "PushSecret synced successfully"
  325. if ps.Spec.UpdatePolicy == esapi.PushSecretUpdatePolicyIfNotExists {
  326. msg += ". Existing secrets in providers unchanged."
  327. }
  328. cond := NewPushSecretCondition(esapi.PushSecretReady, v1.ConditionTrue, esapi.ReasonSynced, msg)
  329. SetPushSecretCondition(ps, *cond)
  330. r.setSecrets(ps, secrets)
  331. ps.Status.RefreshTime = metav1.NewTime(start)
  332. ps.Status.SyncedResourceVersion = ctrlutil.GetResourceVersion(ps.ObjectMeta)
  333. r.recorder.Event(ps, v1.EventTypeNormal, esapi.ReasonSynced, msg)
  334. }
  335. func (r *Reconciler) setSecrets(ps *esapi.PushSecret, status esapi.SyncedPushSecretsMap) {
  336. ps.Status.SyncedPushSecrets = status
  337. }
  338. func mergeSecretState(newMap, old esapi.SyncedPushSecretsMap) esapi.SyncedPushSecretsMap {
  339. if newMap == nil {
  340. return old
  341. }
  342. out := newMap.DeepCopy()
  343. for k, v := range old {
  344. _, ok := out[k]
  345. if !ok {
  346. out[k] = make(map[string]esapi.PushSecretData)
  347. }
  348. maps.Insert(out[k], maps.All(v))
  349. }
  350. return out
  351. }
  352. // DeleteSecretFromProviders removes secrets from providers that are no longer needed.
  353. // It compares the existing synced secrets in the PushSecret status with the new desired state,
  354. // and deletes any secrets that are no longer present in the new state.
  355. func (r *Reconciler) DeleteSecretFromProviders(ctx context.Context, ps *esapi.PushSecret, newMap esapi.SyncedPushSecretsMap, mgr *secretstore.Manager) (esapi.SyncedPushSecretsMap, error) {
  356. out := mergeSecretState(newMap, ps.Status.SyncedPushSecrets)
  357. for storeName, oldData := range ps.Status.SyncedPushSecrets {
  358. storeRef := esv1.SecretStoreRef{
  359. Name: strings.Split(storeName, "/")[1],
  360. Kind: strings.Split(storeName, "/")[0],
  361. }
  362. client, err := mgr.Get(ctx, storeRef, ps.Namespace, nil)
  363. if err != nil {
  364. return out, fmt.Errorf("could not get secrets client for store %v: %w", storeName, err)
  365. }
  366. newData, ok := newMap[storeName]
  367. if !ok {
  368. err = r.DeleteAllSecretsFromStore(ctx, client, oldData)
  369. if err != nil {
  370. return out, err
  371. }
  372. delete(out, storeName)
  373. continue
  374. }
  375. for oldEntry, oldRef := range oldData {
  376. _, ok := newData[oldEntry]
  377. if !ok {
  378. err = r.DeleteSecretFromStore(ctx, client, oldRef)
  379. if err != nil {
  380. return out, err
  381. }
  382. delete(out[storeName], oldEntry)
  383. }
  384. }
  385. }
  386. return out, nil
  387. }
  388. // DeleteAllSecretsFromStore removes all secrets from a given secret store.
  389. func (r *Reconciler) DeleteAllSecretsFromStore(ctx context.Context, client esv1.SecretsClient, data map[string]esapi.PushSecretData) error {
  390. for _, v := range data {
  391. err := r.DeleteSecretFromStore(ctx, client, v)
  392. if err != nil {
  393. return err
  394. }
  395. }
  396. return nil
  397. }
  398. // DeleteSecretFromStore removes a specific secret from a given secret store.
  399. func (r *Reconciler) DeleteSecretFromStore(ctx context.Context, client esv1.SecretsClient, data esapi.PushSecretData) error {
  400. return client.DeleteSecret(ctx, data.Match.RemoteRef)
  401. }
  402. // PushSecretToProviders pushes the secret data to the specified secret stores.
  403. // It iterates over each store and handles the push operation according to the
  404. // defined update policies and conversion strategies.
  405. func (r *Reconciler) PushSecretToProviders(
  406. ctx context.Context,
  407. stores map[esapi.PushSecretStoreRef]esv1.GenericStore,
  408. ps esapi.PushSecret,
  409. secret *v1.Secret,
  410. mgr *secretstore.Manager,
  411. ) (esapi.SyncedPushSecretsMap, error) {
  412. out := make(esapi.SyncedPushSecretsMap)
  413. var err error
  414. for ref, store := range stores {
  415. si := storeInfo{Name: store.GetName(), Kind: ref.Kind, Labels: store.GetLabels()}
  416. out, err = r.handlePushSecretDataForStore(ctx, ps, secret, out, mgr, si)
  417. if err != nil {
  418. return out, err
  419. }
  420. }
  421. return out, nil
  422. }
  423. func (r *Reconciler) handlePushSecretDataForStore(
  424. ctx context.Context,
  425. ps esapi.PushSecret,
  426. secret *v1.Secret,
  427. out esapi.SyncedPushSecretsMap,
  428. mgr *secretstore.Manager,
  429. si storeInfo,
  430. ) (esapi.SyncedPushSecretsMap, error) {
  431. storeKey := fmt.Sprintf("%v/%v", si.Kind, si.Name)
  432. out[storeKey] = make(map[string]esapi.PushSecretData)
  433. storeRef := esv1.SecretStoreRef{
  434. Name: si.Name,
  435. Kind: si.Kind,
  436. }
  437. secretClient, err := mgr.Get(ctx, storeRef, ps.GetNamespace(), nil)
  438. if err != nil {
  439. return out, fmt.Errorf("could not get secrets client for store %v: %w", si.Name, err)
  440. }
  441. storeSecret := secret.DeepCopy()
  442. filteredDataTo, err := filterDataToForStore(ps.Spec.DataTo, si.Name, si.Kind, si.Labels)
  443. if err != nil {
  444. return out, fmt.Errorf("failed to filter dataTo: %w", err)
  445. }
  446. dataToEntries, bundleOverrides, err := r.expandDataTo(storeSecret, filteredDataTo)
  447. if err != nil {
  448. return out, fmt.Errorf("failed to expand dataTo: %w", err)
  449. }
  450. allData, err := mergeDataEntries(dataToEntries, ps.Spec.Data, storeSecret)
  451. if err != nil {
  452. return out, fmt.Errorf("failed to merge data entries: %w", err)
  453. }
  454. originalStoreSecretData := storeSecret.Data
  455. for _, data := range allData {
  456. params := pushEntryParams{
  457. data: data,
  458. updatePolicy: ps.Spec.UpdatePolicy,
  459. originalData: originalStoreSecretData,
  460. dataOverride: bundleOverrides[statusRef(data)],
  461. storeName: si.Name,
  462. }
  463. if err := r.pushSecretEntry(ctx, secretClient, storeSecret, params); err != nil {
  464. return out, err
  465. }
  466. out[storeKey][statusRef(data)] = data
  467. }
  468. return out, nil
  469. }
  470. // pushEntryParams groups the parameters for pushSecretEntry to keep the
  471. // function signature within the recommended parameter count.
  472. type pushEntryParams struct {
  473. data esapi.PushSecretData
  474. updatePolicy esapi.PushSecretUpdatePolicy
  475. originalData map[string][]byte
  476. dataOverride map[string][]byte
  477. storeName string
  478. }
  479. // pushSecretEntry converts, validates, and pushes a single data entry to the provider.
  480. // If the update policy is IfNotExists and the secret already exists, the push is skipped.
  481. // params.dataOverride, when non-nil, replaces params.originalData for the conversion step —
  482. // used by bundle entries (dataTo with remoteKey) to restrict the pushed payload to matched keys only.
  483. func (r *Reconciler) pushSecretEntry(
  484. ctx context.Context,
  485. secretClient esv1.SecretsClient,
  486. storeSecret *v1.Secret,
  487. params pushEntryParams,
  488. ) error {
  489. sourceData := params.originalData
  490. if params.dataOverride != nil {
  491. sourceData = params.dataOverride
  492. }
  493. secretData, err := esutils.ReverseKeys(params.data.ConversionStrategy, sourceData)
  494. if err != nil {
  495. return fmt.Errorf(errConvert, err)
  496. }
  497. key := params.data.GetSecretKey()
  498. if !secretKeyExists(key, secretData) {
  499. return fmt.Errorf("secret key %v does not exist", key)
  500. }
  501. if params.updatePolicy == esapi.PushSecretUpdatePolicyIfNotExists {
  502. exists, err := secretClient.SecretExists(ctx, params.data.Match.RemoteRef)
  503. if err != nil {
  504. return fmt.Errorf("could not verify if secret exists in store: %w", err)
  505. }
  506. if exists {
  507. return nil
  508. }
  509. }
  510. localSecret := storeSecret.DeepCopy()
  511. localSecret.Data = secretData
  512. if err := secretClient.PushSecret(ctx, localSecret, params.data); err != nil {
  513. return fmt.Errorf(errSetSecretFailed, key, params.storeName, err)
  514. }
  515. return nil
  516. }
  517. func secretKeyExists(key string, data map[string][]byte) bool {
  518. _, ok := data[key]
  519. return key == "" || ok
  520. }
  521. const defaultGeneratorStateKey = "__pushsecret"
  522. func (r *Reconciler) resolveSecrets(ctx context.Context, ps *esapi.PushSecret) ([]v1.Secret, error) {
  523. var err error
  524. generatorState := statemanager.New(ctx, r.Client, r.Scheme, ps.Namespace, ps)
  525. defer func() {
  526. if err != nil {
  527. if err := generatorState.Rollback(); err != nil {
  528. r.Log.Error(err, "error rolling back generator state")
  529. }
  530. return
  531. }
  532. if err := generatorState.Commit(); err != nil {
  533. r.Log.Error(err, "error committing generator state")
  534. }
  535. }()
  536. switch {
  537. case ps.Spec.Selector.Secret != nil && ps.Spec.Selector.Secret.Name != "":
  538. secretName := types.NamespacedName{Name: ps.Spec.Selector.Secret.Name, Namespace: ps.Namespace}
  539. secret := &v1.Secret{}
  540. if err := r.Client.Get(ctx, secretName, secret); err != nil {
  541. return nil, err
  542. }
  543. generatorState.EnqueueFlagLatestStateForGC(defaultGeneratorStateKey)
  544. return []v1.Secret{*secret}, nil
  545. case ps.Spec.Selector.GeneratorRef != nil:
  546. secret, err := r.resolveSecretFromGenerator(ctx, ps.Namespace, ps.Spec.Selector.GeneratorRef, generatorState)
  547. if err != nil {
  548. return nil, fmt.Errorf("could not resolve secret from generator ref %v: %w", ps.Spec.Selector.GeneratorRef, err)
  549. }
  550. return []v1.Secret{*secret}, nil
  551. case ps.Spec.Selector.Secret != nil && ps.Spec.Selector.Secret.Selector != nil:
  552. labelSelector, err := metav1.LabelSelectorAsSelector(ps.Spec.Selector.Secret.Selector)
  553. if err != nil {
  554. return nil, err
  555. }
  556. var secretList v1.SecretList
  557. err = r.List(ctx, &secretList, &client.ListOptions{LabelSelector: labelSelector, Namespace: ps.Namespace})
  558. if err != nil {
  559. return nil, err
  560. }
  561. return secretList.Items, err
  562. }
  563. return nil, errors.New("no secret selector provided")
  564. }
  565. func (r *Reconciler) resolveSecretFromGenerator(ctx context.Context, namespace string, generatorRef *esv1.GeneratorRef, generatorState *statemanager.Manager) (*v1.Secret, error) {
  566. gen, genResource, err := resolvers.GeneratorRef(ctx, r.Client, r.Scheme, namespace, generatorRef)
  567. if err != nil {
  568. return nil, fmt.Errorf("unable to resolve generator: %w", err)
  569. }
  570. var prevState *genv1alpha1.GeneratorState
  571. if generatorState != nil {
  572. prevState, err = generatorState.GetLatestState(defaultGeneratorStateKey)
  573. if err != nil {
  574. return nil, fmt.Errorf("unable to get latest state: %w", err)
  575. }
  576. }
  577. secretMap, newState, err := gen.Generate(ctx, genResource, r.Client, namespace)
  578. if err != nil {
  579. return nil, fmt.Errorf("unable to generate: %w", err)
  580. }
  581. if prevState != nil && generatorState != nil {
  582. generatorState.EnqueueMoveStateToGC(defaultGeneratorStateKey)
  583. }
  584. if generatorState != nil {
  585. generatorState.EnqueueSetLatest(ctx, defaultGeneratorStateKey, namespace, genResource, gen, newState)
  586. }
  587. return &v1.Secret{
  588. ObjectMeta: metav1.ObjectMeta{
  589. Name: "___generated-secret",
  590. Namespace: namespace,
  591. },
  592. Data: secretMap,
  593. }, err
  594. }
  595. // GetSecretStores retrieves the SecretStore and ClusterSecretStore resources
  596. // referenced in the PushSecret. It supports both direct references by name
  597. // and label selectors to find multiple stores.
  598. func (r *Reconciler) GetSecretStores(ctx context.Context, ps esapi.PushSecret) (map[esapi.PushSecretStoreRef]esv1.GenericStore, error) {
  599. stores := make(map[esapi.PushSecretStoreRef]esv1.GenericStore)
  600. for _, refStore := range ps.Spec.SecretStoreRefs {
  601. if refStore.LabelSelector != nil {
  602. labelSelector, err := metav1.LabelSelectorAsSelector(refStore.LabelSelector)
  603. if err != nil {
  604. return nil, fmt.Errorf("could not convert labels: %w", err)
  605. }
  606. if refStore.Kind == esv1.ClusterSecretStoreKind {
  607. clusterSecretStoreList := esv1.ClusterSecretStoreList{}
  608. err = r.List(ctx, &clusterSecretStoreList, &client.ListOptions{LabelSelector: labelSelector})
  609. if err != nil {
  610. return nil, fmt.Errorf("could not list cluster Secret Stores: %w", err)
  611. }
  612. for k, v := range clusterSecretStoreList.Items {
  613. key := esapi.PushSecretStoreRef{
  614. Name: v.Name,
  615. Kind: esv1.ClusterSecretStoreKind,
  616. }
  617. stores[key] = &clusterSecretStoreList.Items[k]
  618. }
  619. } else {
  620. secretStoreList := esv1.SecretStoreList{}
  621. err = r.List(ctx, &secretStoreList, &client.ListOptions{LabelSelector: labelSelector, Namespace: ps.Namespace})
  622. if err != nil {
  623. return nil, fmt.Errorf("could not list Secret Stores: %w", err)
  624. }
  625. for k, v := range secretStoreList.Items {
  626. key := esapi.PushSecretStoreRef{
  627. Name: v.Name,
  628. Kind: esv1.SecretStoreKind,
  629. }
  630. stores[key] = &secretStoreList.Items[k]
  631. }
  632. }
  633. } else {
  634. store, err := r.getSecretStoreFromName(ctx, refStore, ps.Namespace)
  635. if err != nil {
  636. return nil, err
  637. }
  638. stores[refStore] = store
  639. }
  640. }
  641. return stores, nil
  642. }
  643. func (r *Reconciler) getSecretStoreFromName(ctx context.Context, refStore esapi.PushSecretStoreRef, ns string) (esv1.GenericStore, error) {
  644. if refStore.Name == "" {
  645. return nil, errors.New("refStore Name must be provided")
  646. }
  647. ref := types.NamespacedName{
  648. Name: refStore.Name,
  649. }
  650. if refStore.Kind == esv1.ClusterSecretStoreKind {
  651. var store esv1.ClusterSecretStore
  652. err := r.Get(ctx, ref, &store)
  653. if err != nil {
  654. return nil, fmt.Errorf(errGetClusterSecretStore, ref.Name, err)
  655. }
  656. return &store, nil
  657. }
  658. ref.Namespace = ns
  659. var store esv1.SecretStore
  660. err := r.Get(ctx, ref, &store)
  661. if err != nil {
  662. return nil, fmt.Errorf(errGetSecretStore, ref.Name, err)
  663. }
  664. return &store, nil
  665. }
  666. // NewPushSecretCondition creates a new PushSecret condition.
  667. func NewPushSecretCondition(condType esapi.PushSecretConditionType, status v1.ConditionStatus, reason, message string) *esapi.PushSecretStatusCondition {
  668. return &esapi.PushSecretStatusCondition{
  669. Type: condType,
  670. Status: status,
  671. LastTransitionTime: metav1.Now(),
  672. Reason: reason,
  673. Message: message,
  674. }
  675. }
  676. // SetPushSecretCondition updates the PushSecret to include the provided condition.
  677. func SetPushSecretCondition(ps *esapi.PushSecret, condition esapi.PushSecretStatusCondition) {
  678. currentCond := GetPushSecretCondition(ps.Status.Conditions, condition.Type)
  679. if currentCond != nil && currentCond.Status == condition.Status &&
  680. currentCond.Reason == condition.Reason && currentCond.Message == condition.Message {
  681. psmetrics.UpdatePushSecretCondition(ps, &condition, 1.0)
  682. return
  683. }
  684. // Do not update lastTransitionTime if the status of the condition doesn't change.
  685. if currentCond != nil && currentCond.Status == condition.Status {
  686. condition.LastTransitionTime = currentCond.LastTransitionTime
  687. }
  688. ps.Status.Conditions = append(FilterOutCondition(ps.Status.Conditions, condition.Type), condition)
  689. if currentCond != nil {
  690. psmetrics.UpdatePushSecretCondition(ps, currentCond, 0.0)
  691. }
  692. psmetrics.UpdatePushSecretCondition(ps, &condition, 1.0)
  693. }
  694. // FilterOutCondition returns an empty set of conditions with the provided type.
  695. func FilterOutCondition(conditions []esapi.PushSecretStatusCondition, condType esapi.PushSecretConditionType) []esapi.PushSecretStatusCondition {
  696. newConditions := make([]esapi.PushSecretStatusCondition, 0, len(conditions))
  697. for _, c := range conditions {
  698. if c.Type == condType {
  699. continue
  700. }
  701. newConditions = append(newConditions, c)
  702. }
  703. return newConditions
  704. }
  705. // GetPushSecretCondition returns the condition with the provided type.
  706. func GetPushSecretCondition(conditions []esapi.PushSecretStatusCondition, condType esapi.PushSecretConditionType) *esapi.PushSecretStatusCondition {
  707. for i := range conditions {
  708. c := conditions[i]
  709. if c.Type == condType {
  710. return &c
  711. }
  712. }
  713. return nil
  714. }
  715. func statusRef(ref esv1.PushSecretData) string {
  716. if ref.GetProperty() != "" {
  717. return ref.GetRemoteKey() + "/" + ref.GetProperty()
  718. }
  719. return ref.GetRemoteKey()
  720. }
  721. // removeUnmanagedStores iterates over all SecretStore references and evaluates the controllerClass property.
  722. // Returns a map containing only managed stores.
  723. func removeUnmanagedStores(ctx context.Context, namespace string, r *Reconciler, ss map[esapi.PushSecretStoreRef]esv1.GenericStore) (map[esapi.PushSecretStoreRef]esv1.GenericStore, error) {
  724. for ref := range ss {
  725. var store esv1.GenericStore
  726. switch ref.Kind {
  727. case esv1.SecretStoreKind:
  728. store = &esv1.SecretStore{}
  729. case esv1.ClusterSecretStoreKind:
  730. store = &esv1.ClusterSecretStore{}
  731. namespace = ""
  732. }
  733. err := r.Client.Get(ctx, types.NamespacedName{
  734. Name: ref.Name,
  735. Namespace: namespace,
  736. }, store)
  737. if err != nil {
  738. return ss, err
  739. }
  740. class := store.GetSpec().Controller
  741. if class != "" && class != r.ControllerClass {
  742. delete(ss, ref)
  743. }
  744. }
  745. return ss, nil
  746. }
  747. // matchKeys filters secret keys based on the provided match pattern.
  748. // If pattern is nil or empty, all keys are matched.
  749. func matchKeys(allKeys []string, match *esapi.PushSecretDataToMatch) ([]string, error) {
  750. if match == nil || match.RegExp == "" {
  751. return allKeys, nil
  752. }
  753. re, err := regexp.Compile(match.RegExp)
  754. if err != nil {
  755. return nil, fmt.Errorf("failed to compile regexp pattern %q: %w", match.RegExp, err)
  756. }
  757. matched := make([]string, 0)
  758. for _, key := range allKeys {
  759. if re.MatchString(key) {
  760. matched = append(matched, key)
  761. }
  762. }
  763. return matched, nil
  764. }
  765. // filterDataToForStore returns dataTo entries that target the given store.
  766. func filterDataToForStore(dataToList []esapi.PushSecretDataTo, storeName, storeKind string, storeLabels map[string]string) ([]esapi.PushSecretDataTo, error) {
  767. filtered := make([]esapi.PushSecretDataTo, 0, len(dataToList))
  768. for i, dataTo := range dataToList {
  769. matches, err := dataToMatchesStore(dataTo, storeName, storeKind, storeLabels)
  770. if err != nil {
  771. return nil, fmt.Errorf("dataTo[%d]: %w", i, err)
  772. }
  773. if matches {
  774. filtered = append(filtered, dataTo)
  775. }
  776. }
  777. return filtered, nil
  778. }
  779. // dataToMatchesStore reports whether a single dataTo entry targets the given store.
  780. func dataToMatchesStore(dataTo esapi.PushSecretDataTo, storeName, storeKind string, storeLabels map[string]string) (bool, error) {
  781. if dataTo.StoreRef == nil {
  782. return false, fmt.Errorf("storeRef is required")
  783. }
  784. refKind := dataTo.StoreRef.Kind
  785. if refKind == "" {
  786. refKind = esv1.SecretStoreKind
  787. }
  788. if dataTo.StoreRef.Name != "" {
  789. return dataTo.StoreRef.Name == storeName && refKind == storeKind, nil
  790. }
  791. if dataTo.StoreRef.LabelSelector == nil {
  792. return false, nil
  793. }
  794. selector, err := metav1.LabelSelectorAsSelector(dataTo.StoreRef.LabelSelector)
  795. if err != nil {
  796. return false, fmt.Errorf("invalid labelSelector: %w", err)
  797. }
  798. return refKind == storeKind && selector.Matches(labels.Set(storeLabels)), nil
  799. }
  800. // expandDataTo expands dataTo entries into individual PushSecretData entries.
  801. //
  802. // Two modes are supported per dataTo entry:
  803. //
  804. // Per-key mode (default, no remoteKey set): each matched key becomes a separate entry
  805. // pushed independently. This enables individual key transformation, per-key status
  806. // tracking, granular deletion, and compatibility with all providers.
  807. //
  808. // Bundle mode (remoteKey set): all matched keys are bundled into a single provider
  809. // secret at the given remoteKey path as a JSON object. A single PushSecretData entry
  810. // with SecretKey="" is produced, and the bundleOverrides map carries the filtered
  811. // key set so only matched keys appear in the pushed JSON blob.
  812. //
  813. // Returns the expanded entries, a bundleOverrides map (remoteKey -> filtered data),
  814. // and any error.
  815. func (r *Reconciler) expandDataTo(secret *v1.Secret, dataToList []esapi.PushSecretDataTo) ([]esapi.PushSecretData, map[string]map[string][]byte, error) {
  816. if len(dataToList) == 0 {
  817. return nil, nil, nil
  818. }
  819. allData := make([]esapi.PushSecretData, 0)
  820. bundleOverrides := make(map[string]map[string][]byte)
  821. overallRemoteKeys := make(map[string]string)
  822. for i, dataTo := range dataToList {
  823. entries, keyMap, filteredData, err := r.expandSingleDataTo(secret, dataTo)
  824. if err != nil {
  825. return nil, nil, fmt.Errorf("dataTo[%d]: %w", i, err)
  826. }
  827. if len(entries) == 0 {
  828. r.Log.Info("dataTo entry matched no keys", "index", i)
  829. continue
  830. }
  831. if err := registerRemoteKeys(overallRemoteKeys, keyMap, i); err != nil {
  832. return nil, nil, err
  833. }
  834. recordBundleOverrides(bundleOverrides, entries, filteredData)
  835. allData = append(allData, entries...)
  836. r.Log.Info("expanded dataTo entry", "index", i, "matchedKeys", len(entries), "created", len(keyMap))
  837. }
  838. return allData, bundleOverrides, nil
  839. }
  840. // registerRemoteKeys checks for duplicate remote keys across dataTo entries and
  841. // records new mappings. Returns an error if a duplicate is found.
  842. func registerRemoteKeys(seen, keyMap map[string]string, index int) error {
  843. for sourceKey, remoteKey := range keyMap {
  844. if existingSource, exists := seen[remoteKey]; exists {
  845. return fmt.Errorf("dataTo[%d]: duplicate remote key %q from source key %q (conflicts with %s)", index, remoteKey, sourceKey, existingSource)
  846. }
  847. seen[remoteKey] = fmt.Sprintf("dataTo[%d]:%s", index, sourceKey)
  848. }
  849. return nil
  850. }
  851. // recordBundleOverrides associates filtered data with bundle entries so only
  852. // matched keys appear in the pushed JSON blob.
  853. func recordBundleOverrides(overrides map[string]map[string][]byte, entries []esapi.PushSecretData, filteredData map[string][]byte) {
  854. if filteredData == nil {
  855. return
  856. }
  857. for _, entry := range entries {
  858. overrides[statusRef(entry)] = filteredData
  859. }
  860. }
  861. // expandSingleDataTo processes a single dataTo entry: converts keys, matches them
  862. // against the pattern, applies rewrites, validates remote keys, and builds the
  863. // resulting PushSecretData entries along with the source-to-remote key mapping.
  864. //
  865. // Bundle mode: when dataTo.RemoteKey is set, all matched keys are bundled into a
  866. // single PushSecretData entry with SecretKey="" targeting dataTo.RemoteKey. The
  867. // third return value carries the filtered (matched+converted) key data so that
  868. // only matched keys appear in the JSON blob pushed to the provider.
  869. //
  870. // Per-key mode: when dataTo.RemoteKey is empty, one PushSecretData entry is
  871. // produced per matched key. The third return value is nil.
  872. func (r *Reconciler) expandSingleDataTo(secret *v1.Secret, dataTo esapi.PushSecretDataTo) ([]esapi.PushSecretData, map[string]string, map[string][]byte, error) {
  873. if dataTo.RemoteKey != "" && len(dataTo.Rewrite) > 0 {
  874. return nil, nil, nil, fmt.Errorf("remoteKey and rewrite are mutually exclusive: rewrite is only supported in per-key mode (without remoteKey)")
  875. }
  876. convertedData, err := esutils.ReverseKeys(dataTo.ConversionStrategy, secret.Data)
  877. if err != nil {
  878. return nil, nil, nil, fmt.Errorf("conversion failed: %w", err)
  879. }
  880. // Map converted keys back to the original K8s secret keys. The resulting
  881. // PushSecretData entries store the original key so that
  882. // resolveSourceKeyConflicts can compare dataTo entries against explicit
  883. // data entries in the same key space. ConversionStrategy is set to None on
  884. // expanded entries because the conversion was already applied during
  885. // matching and rewriting; handlePushSecretDataForStore will look up the
  886. // original key directly in the unconverted secret data.
  887. convertedToOriginal := make(map[string]string, len(secret.Data))
  888. for origKey := range secret.Data {
  889. convKey := esutils.ReverseKey(dataTo.ConversionStrategy, origKey)
  890. convertedToOriginal[convKey] = origKey
  891. }
  892. allKeys := make([]string, 0, len(convertedData))
  893. for key := range convertedData {
  894. allKeys = append(allKeys, key)
  895. }
  896. slices.Sort(allKeys)
  897. matchedKeys, err := matchKeys(allKeys, dataTo.Match)
  898. if err != nil {
  899. return nil, nil, nil, fmt.Errorf("match failed: %w", err)
  900. }
  901. if len(matchedKeys) == 0 {
  902. return nil, nil, nil, nil
  903. }
  904. matchedData := make(map[string][]byte, len(matchedKeys))
  905. for _, key := range matchedKeys {
  906. matchedData[key] = convertedData[key]
  907. }
  908. if dataTo.RemoteKey != "" {
  909. keyMap := map[string]string{bundleSourceKey: dataTo.RemoteKey}
  910. entry := esapi.PushSecretData{
  911. Match: esapi.PushSecretMatch{
  912. SecretKey: "",
  913. RemoteRef: esapi.PushSecretRemoteRef{
  914. RemoteKey: dataTo.RemoteKey,
  915. },
  916. },
  917. Metadata: dataTo.Metadata,
  918. ConversionStrategy: esapi.PushSecretConversionNone,
  919. }
  920. return []esapi.PushSecretData{entry}, keyMap, matchedData, nil
  921. }
  922. keyMap, err := rewriteWithKeyMapping(dataTo.Rewrite, matchedData)
  923. if err != nil {
  924. return nil, nil, nil, fmt.Errorf("rewrite failed: %w", err)
  925. }
  926. for sourceKey, remoteKey := range keyMap {
  927. if remoteKey == "" {
  928. return nil, nil, nil, fmt.Errorf("empty remote key produced for source key %q", sourceKey)
  929. }
  930. }
  931. sortedKeys := slices.Sorted(maps.Keys(keyMap))
  932. entries := make([]esapi.PushSecretData, 0, len(keyMap))
  933. for _, convertedKey := range sortedKeys {
  934. entries = append(entries, esapi.PushSecretData{
  935. Match: esapi.PushSecretMatch{
  936. SecretKey: convertedToOriginal[convertedKey],
  937. RemoteRef: esapi.PushSecretRemoteRef{
  938. RemoteKey: keyMap[convertedKey],
  939. },
  940. },
  941. Metadata: dataTo.Metadata,
  942. ConversionStrategy: esapi.PushSecretConversionNone,
  943. })
  944. }
  945. return entries, keyMap, nil, nil
  946. }
  947. // validateDataToStoreRefs checks that each dataTo entry has a valid storeRef.
  948. func validateDataToStoreRefs(dataToList []esapi.PushSecretDataTo, storeRefs []esapi.PushSecretStoreRef) error {
  949. for i, d := range dataToList {
  950. if d.StoreRef == nil {
  951. return fmt.Errorf("dataTo[%d]: storeRef is required", i)
  952. }
  953. if d.StoreRef.Name == "" && d.StoreRef.LabelSelector == nil {
  954. return fmt.Errorf("dataTo[%d]: storeRef must have name or labelSelector", i)
  955. }
  956. if d.StoreRef.Name != "" && !storeRefExistsInList(d.StoreRef, storeRefs) {
  957. return fmt.Errorf("dataTo[%d]: storeRef %q not found in secretStoreRefs", i, d.StoreRef.Name)
  958. }
  959. }
  960. return nil
  961. }
  962. // storeRefExistsInList checks if a named ref matches any named entry in storeRefs.
  963. func storeRefExistsInList(ref *esapi.PushSecretStoreRef, storeRefs []esapi.PushSecretStoreRef) bool {
  964. refKind := ref.Kind
  965. if refKind == "" {
  966. refKind = esv1.SecretStoreKind
  967. }
  968. for _, sr := range storeRefs {
  969. if sr.Name == "" {
  970. continue
  971. }
  972. srKind := sr.Kind
  973. if srKind == "" {
  974. srKind = esv1.SecretStoreKind
  975. }
  976. if srKind == refKind && sr.Name == ref.Name {
  977. return true
  978. }
  979. }
  980. return false
  981. }
  982. // validateDataToMatchesResolvedStores checks that every dataTo entry with a
  983. // labelSelector actually matches at least one resolved store. Without this,
  984. // a misconfigured labelSelector silently becomes a no-op.
  985. func validateDataToMatchesResolvedStores(dataToList []esapi.PushSecretDataTo, stores map[esapi.PushSecretStoreRef]esv1.GenericStore) error {
  986. for i, dataTo := range dataToList {
  987. if dataTo.StoreRef == nil || dataTo.StoreRef.LabelSelector == nil {
  988. continue
  989. }
  990. if dataTo.StoreRef.Name != "" {
  991. continue
  992. }
  993. selector, err := metav1.LabelSelectorAsSelector(dataTo.StoreRef.LabelSelector)
  994. if err != nil {
  995. return fmt.Errorf("dataTo[%d]: invalid labelSelector: %w", i, err)
  996. }
  997. refKind := dataTo.StoreRef.Kind
  998. if refKind == "" {
  999. refKind = esv1.SecretStoreKind
  1000. }
  1001. if !anyStoreMatchesSelector(refKind, selector, stores) {
  1002. return fmt.Errorf("dataTo[%d]: labelSelector does not match any store in secretStoreRefs", i)
  1003. }
  1004. }
  1005. return nil
  1006. }
  1007. // anyStoreMatchesSelector returns true if at least one resolved store matches
  1008. // the given kind and label selector.
  1009. func anyStoreMatchesSelector(kind string, selector labels.Selector, stores map[esapi.PushSecretStoreRef]esv1.GenericStore) bool {
  1010. for ref, store := range stores {
  1011. if ref.Kind == kind && selector.Matches(labels.Set(store.GetLabels())) {
  1012. return true
  1013. }
  1014. }
  1015. return false
  1016. }
  1017. // rewriteWithKeyMapping applies rewrites and returns originalKey -> rewrittenKey mapping.
  1018. func rewriteWithKeyMapping(rewrites []esapi.PushSecretRewrite, data map[string][]byte) (map[string]string, error) {
  1019. keyMap := make(map[string]string, len(data))
  1020. for k := range data {
  1021. keyMap[k] = k
  1022. }
  1023. for i, op := range rewrites {
  1024. applyFn, err := compileRewrite(op)
  1025. if err != nil {
  1026. return nil, fmt.Errorf("rewrite[%d]: %w", i, err)
  1027. }
  1028. newKeyMap := make(map[string]string, len(keyMap))
  1029. for origKey, currentKey := range keyMap {
  1030. newKey, err := applyFn(currentKey)
  1031. if err != nil {
  1032. return nil, fmt.Errorf("rewrite[%d] on key %q: %w", i, currentKey, err)
  1033. }
  1034. newKeyMap[origKey] = newKey
  1035. }
  1036. keyMap = newKeyMap
  1037. }
  1038. return keyMap, nil
  1039. }
  1040. // compileRewrite pre-compiles a rewrite operation (regexp or template) and
  1041. // returns a function that applies it to a key. This avoids re-compiling the
  1042. // same regexp or re-parsing the same template for every key.
  1043. func compileRewrite(op esapi.PushSecretRewrite) (func(string) (string, error), error) {
  1044. switch {
  1045. case op.Regexp != nil:
  1046. re, err := regexp.Compile(op.Regexp.Source)
  1047. if err != nil {
  1048. return nil, fmt.Errorf("invalid regexp %q: %w", op.Regexp.Source, err)
  1049. }
  1050. target := op.Regexp.Target
  1051. return func(key string) (string, error) {
  1052. return re.ReplaceAllString(key, target), nil
  1053. }, nil
  1054. case op.Transform != nil:
  1055. tmpl, err := template.New("t").Funcs(estemplate.FuncMap()).Parse(op.Transform.Template)
  1056. if err != nil {
  1057. return nil, fmt.Errorf("invalid template: %w", err)
  1058. }
  1059. return func(key string) (string, error) {
  1060. var buf bytes.Buffer
  1061. if err := tmpl.Execute(&buf, map[string]string{"value": key}); err != nil {
  1062. return "", fmt.Errorf("template exec: %w", err)
  1063. }
  1064. return buf.String(), nil
  1065. }, nil
  1066. default:
  1067. return func(key string) (string, error) { return key, nil }, nil
  1068. }
  1069. }
  1070. // resolveSourceKeyConflicts merges dataTo and explicit data entries.
  1071. // When both reference the same source secret key, explicit data wins.
  1072. // Comparison is done using the original (raw) K8s secret key. DataTo entries
  1073. // already store the original key; explicit data entries may store a converted
  1074. // key when ConversionStrategy is set, so we normalize them via the secret.
  1075. func resolveSourceKeyConflicts(dataToEntries, explicitData []esapi.PushSecretData, secret *v1.Secret) []esapi.PushSecretData {
  1076. explicitOriginalKeys := make(map[string]struct{}, len(explicitData))
  1077. for _, data := range explicitData {
  1078. origKey := resolveOriginalKey(data, secret)
  1079. explicitOriginalKeys[origKey] = struct{}{}
  1080. }
  1081. result := make([]esapi.PushSecretData, 0, len(dataToEntries)+len(explicitData))
  1082. for _, data := range dataToEntries {
  1083. if _, exists := explicitOriginalKeys[data.GetSecretKey()]; !exists {
  1084. result = append(result, data)
  1085. }
  1086. }
  1087. return append(result, explicitData...)
  1088. }
  1089. // resolveOriginalKey returns the raw K8s secret key for a PushSecretData entry.
  1090. // If the entry uses a ConversionStrategy, SecretKey is the converted (decoded)
  1091. // form, so we find the original key by converting each raw key and matching.
  1092. // If no conversion is active, SecretKey is already the original key.
  1093. func resolveOriginalKey(data esapi.PushSecretData, secret *v1.Secret) string {
  1094. key := data.GetSecretKey()
  1095. if data.ConversionStrategy == "" || data.ConversionStrategy == esapi.PushSecretConversionNone {
  1096. return key
  1097. }
  1098. for origKey := range secret.Data {
  1099. if esutils.ReverseKey(data.ConversionStrategy, origKey) == key {
  1100. return origKey
  1101. }
  1102. }
  1103. return key
  1104. }
  1105. // validateRemoteKeyUniqueness ensures no two entries push to the same remote location.
  1106. // The remote location is defined by (remoteKey, property) tuple.
  1107. func validateRemoteKeyUniqueness(entries []esapi.PushSecretData) error {
  1108. type remoteLocation struct {
  1109. remoteKey string
  1110. property string
  1111. }
  1112. seen := make(map[remoteLocation]string) // location -> source key (for error message)
  1113. for _, data := range entries {
  1114. loc := remoteLocation{
  1115. remoteKey: data.GetRemoteKey(),
  1116. property: data.GetProperty(),
  1117. }
  1118. sourceKey := data.GetSecretKey()
  1119. if existingSource, exists := seen[loc]; exists {
  1120. if loc.property != "" {
  1121. return fmt.Errorf(
  1122. "duplicate remote key %q with property %q: source keys %q and %q both map to the same destination",
  1123. loc.remoteKey, loc.property, existingSource, sourceKey)
  1124. }
  1125. return fmt.Errorf(
  1126. "duplicate remote key %q: source keys %q and %q both map to the same destination",
  1127. loc.remoteKey, existingSource, sourceKey)
  1128. }
  1129. seen[loc] = sourceKey
  1130. }
  1131. return nil
  1132. }
  1133. // mergeDataEntries combines dataTo and explicit data entries.
  1134. // It resolves source key conflicts (explicit wins) and validates no duplicate remote destinations.
  1135. func mergeDataEntries(dataToEntries, explicitData []esapi.PushSecretData, secret *v1.Secret) ([]esapi.PushSecretData, error) {
  1136. merged := resolveSourceKeyConflicts(dataToEntries, explicitData, secret)
  1137. if err := validateRemoteKeyUniqueness(merged); err != nil {
  1138. return nil, err
  1139. }
  1140. return merged, nil
  1141. }