Почетна Преглед Помоћ
Пријавите се
logic855
/
helm-external-secrets
огледало од https://github.com/external-secrets/external-secrets
1
0
Креирај огранак 0
Датотеке Дискусије 0 Вики
Дрво: 5f1680c32e
Гране Ознаке
helm-externa...
/
pkg
/
provider
/
previder
/
provider.go

provider.go 4.0 KB
Историја Датотека

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138 
  1. /*
    2. 

  2. Copyright © 2025 ESO Maintainer Team
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8. 	https://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. package previder
    17. 

  17. 

  18. import (
    19. 

  19. 	"context"
    20. 

  20. 	"errors"
    21. 

  21. 	"fmt"
    22. 

  22. 

  23. 	previderclient "github.com/previder/vault-cli/pkg"
    24. 

  24. 	corev1 "k8s.io/api/core/v1"
    25. 

  25. 	"sigs.k8s.io/controller-runtime/pkg/client"
    26. 

  26. 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
    27. 

  27. 

  28. 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
    29. 

  29. 	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
    30. 

  30. )
    31. 

  31. 

  32. const (
    33. 

  33. 	errNotImplemented = "not implemented"
    34. 

  34. )
    35. 

  35. 

  36. var _ esv1.Provider = &SecretManager{}
    37. 

  37. 

  38. type SecretManager struct {
    39. 

  39. 	VaultClient previderclient.PreviderVaultClient
    40. 

  40. }
    41. 

  41. 

  42. func init() {
    43. 

  43. 	esv1.Register(&SecretManager{}, &esv1.SecretStoreProvider{
    44. 

  44. 		Previder: &esv1.PreviderProvider{},
    45. 

  45. 	}, esv1.MaintenanceStatusMaintained)
    46. 

  46. }
    47. 

  47. 

  48. func (s *SecretManager) NewClient(ctx context.Context, store esv1.GenericStore, kube client.Client, namespace string) (esv1.SecretsClient, error) {
    49. 

  49. 	if store == nil {
    50. 

  50. 		return nil, fmt.Errorf("secret store not found: %v", "nil store")
    51. 

  51. 	}
    52. 

  52. 	storeSpec := store.GetSpec().Provider.Previder
    53. 

  53. 

  54. 	storeKind := store.GetObjectKind().GroupVersionKind().Kind
    55. 

  55. 	accessToken, err := resolvers.SecretKeyRef(ctx, kube, storeKind, namespace, &storeSpec.Auth.SecretRef.AccessToken)
    56. 

  56. 	if err != nil {
    57. 

  57. 		return nil, fmt.Errorf(accessToken, err)
    58. 

  58. 	}
    59. 

  59. 

  60. 	s.VaultClient, err = previderclient.NewVaultClient(storeSpec.BaseURI, accessToken)
    61. 

  61. 

  62. 	if err != nil {
    63. 

  63. 		return nil, err
    64. 

  64. 	}
    65. 

  65. 	return s, nil
    66. 

  66. }
    67. 

  67. 

  68. func (s *SecretManager) ValidateStore(store esv1.GenericStore) (admission.Warnings, error) {
    69. 

  69. 	storeSpec := store.GetSpec()
    70. 

  70. 	previderSpec := storeSpec.Provider.Previder
    71. 

  71. 	if previderSpec == nil {
    72. 

  72. 		return nil, errors.New("missing Previder spec")
    73. 

  73. 	}
    74. 

  74. 	if previderSpec.Auth.SecretRef == nil {
    75. 

  75. 		return nil, errors.New("missing Previder Auth SecretRef")
    76. 

  76. 	}
    77. 

  77. 	accessToken := previderSpec.Auth.SecretRef.AccessToken
    78. 

  78. 

  79. 	if accessToken.Name == "" {
    80. 

  80. 		return nil, errors.New("missing Previder accessToken name")
    81. 

  81. 	}
    82. 

  82. 	if accessToken.Key == "" {
    83. 

  83. 		return nil, errors.New("missing Previder accessToken key")
    84. 

  84. 	}
    85. 

  85. 

  86. 	return nil, nil
    87. 

  87. }
    88. 

  88. 

  89. func (s *SecretManager) Capabilities() esv1.SecretStoreCapabilities {
    90. 

  90. 	return esv1.SecretStoreReadOnly
    91. 

  91. }
    92. 

  92. 

  93. func (s *SecretManager) GetSecret(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) ([]byte, error) {
    94. 

  94. 	secret, err := s.VaultClient.DecryptSecret(ref.Key)
    95. 

  95. 	if err != nil {
    96. 

  96. 		return nil, err
    97. 

  97. 	}
    98. 

  98. 	return []byte(secret.Secret), nil
    99. 

  99. }
    100. 

  100. 

  101. func (s *SecretManager) PushSecret(ctx context.Context, secret *corev1.Secret, data esv1.PushSecretData) error {
    102. 

  102. 	return errors.New(errNotImplemented)
    103. 

  103. }
    104. 

  104. 

  105. func (s *SecretManager) DeleteSecret(ctx context.Context, remoteRef esv1.PushSecretRemoteRef) error {
    106. 

  106. 	return errors.New(errNotImplemented)
    107. 

  107. }
    108. 

  108. 

  109. func (s *SecretManager) SecretExists(ctx context.Context, remoteRef esv1.PushSecretRemoteRef) (bool, error) {
    110. 

  110. 	return false, errors.New(errNotImplemented)
    111. 

  111. }
    112. 

  112. 

  113. func (s *SecretManager) Validate() (esv1.ValidationResult, error) {
    114. 

  114. 	_, err := s.VaultClient.GetSecrets()
    115. 

  115. 	if err != nil {
    116. 

  116. 		return esv1.ValidationResultError, err
    117. 

  117. 	}
    118. 

  118. 

  119. 	return esv1.ValidationResultReady, nil
    120. 

  120. }
    121. 

  121. 

  122. func (s *SecretManager) GetSecretMap(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
    123. 

  123. 	secrets, err := s.GetSecret(ctx, ref)
    124. 

  124. 	if err != nil {
    125. 

  125. 		return nil, err
    126. 

  126. 	}
    127. 

  127. 	secretData := make(map[string][]byte)
    128. 

  128. 	secretData[ref.Key] = secrets
    129. 

  129. 	return secretData, nil
    130. 

  130. }
    131. 

  131. 

  132. func (s *SecretManager) GetAllSecrets(ctx context.Context, ref esv1.ExternalSecretFind) (map[string][]byte, error) {
    133. 

  133. 	return nil, errors.New(errNotImplemented)
    134. 

  134. }
    135. 

  135. 

  136. func (s *SecretManager) Close(ctx context.Context) error {
    137. 

  137. 	return nil
    138. 

  138. }
    139.