Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: 73cc32d500
Branches Tags
helm-externa...
/
providers
/
v1
/
github
/
client.go

client.go 6.3 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181 
  1. /*
    2. 

  2. Copyright © 2025 ESO Maintainer Team
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     https://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package github
    18. 

  18. 

  19. import (
    20. 

  20. 	"context"
    21. 

  21. 	crypto_rand "crypto/rand"
    22. 

  22. 	"encoding/base64"
    23. 

  23. 	"encoding/json"
    24. 

  24. 	"fmt"
    25. 

  25. 	"time"
    26. 

  26. 

  27. 	github "github.com/google/go-github/v56/github"
    28. 

  28. 	"golang.org/x/crypto/nacl/box"
    29. 

  29. 	corev1 "k8s.io/api/core/v1"
    30. 

  30. 	"sigs.k8s.io/controller-runtime/pkg/client"
    31. 

  31. 

  32. 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
    33. 

  33. )
    34. 

  34. 

  35. const errWriteOnlyProvider = "not implemented - this provider supports write-only operations"
    36. 

  36. 

  37. // https://github.com/external-secrets/external-secrets/issues/644
    38. 

  38. var _ esv1.SecretsClient = &Client{}
    39. 

  39. 

  40. // ActionsServiceClient defines the interface for interacting with GitHub Actions secrets.
    41. 

  41. type ActionsServiceClient interface {
    42. 

  42. 	// CreateOrUpdateOrgSecret creates or updates an organization secret.
    43. 

  43. 	CreateOrUpdateOrgSecret(ctx context.Context, org string, eSecret *github.EncryptedSecret) (response *github.Response, err error)
    44. 

  44. 	// GetOrgSecret retrieves an organization secret.
    45. 

  45. 	GetOrgSecret(ctx context.Context, org string, name string) (*github.Secret, *github.Response, error)
    46. 

  46. 	// ListOrgSecrets lists all organization secrets.
    47. 

  47. 	ListOrgSecrets(ctx context.Context, org string, opts *github.ListOptions) (*github.Secrets, *github.Response, error)
    48. 

  48. }
    49. 

  49. 

  50. // Client implements the External Secrets Kubernetes provider for GitHub Actions secrets.
    51. 

  51. type Client struct {
    52. 

  52. 	crClient         client.Client
    53. 

  53. 	store            esv1.GenericStore
    54. 

  54. 	provider         *esv1.GithubProvider
    55. 

  55. 	baseClient       github.ActionsService
    56. 

  56. 	namespace        string
    57. 

  57. 	storeKind        string
    58. 

  58. 	repoID           int64
    59. 

  59. 	getSecretFn      func(ctx context.Context, ref esv1.PushSecretRemoteRef) (*github.Secret, *github.Response, error)
    60. 

  60. 	getPublicKeyFn   func(ctx context.Context) (*github.PublicKey, *github.Response, error)
    61. 

  61. 	createOrUpdateFn func(ctx context.Context, eSecret *github.EncryptedSecret) (*github.Response, error)
    62. 

  62. 	listSecretsFn    func(ctx context.Context) (*github.Secrets, *github.Response, error)
    63. 

  63. 	deleteSecretFn   func(ctx context.Context, ref esv1.PushSecretRemoteRef) (*github.Response, error)
    64. 

  64. }
    65. 

  65. 

  66. // DeleteSecret deletes a secret from GitHub Actions.
    67. 

  67. func (g *Client) DeleteSecret(ctx context.Context, remoteRef esv1.PushSecretRemoteRef) error {
    68. 

  68. 	_, err := g.deleteSecretFn(ctx, remoteRef)
    69. 

  69. 	if err != nil {
    70. 

  70. 		return fmt.Errorf("failed to delete secret: %w", err)
    71. 

  71. 	}
    72. 

  72. 	return nil
    73. 

  73. }
    74. 

  74. 

  75. // SecretExists checks if a secret exists in GitHub Actions.
    76. 

  76. func (g *Client) SecretExists(ctx context.Context, ref esv1.PushSecretRemoteRef) (bool, error) {
    77. 

  77. 	githubSecret, _, err := g.getSecretFn(ctx, ref)
    78. 

  78. 	if err != nil {
    79. 

  79. 		return false, fmt.Errorf("error fetching secret: %w", err)
    80. 

  80. 	}
    81. 

  81. 	if githubSecret != nil {
    82. 

  82. 		return true, nil
    83. 

  83. 	}
    84. 

  84. 	return false, nil
    85. 

  85. }
    86. 

  86. 

  87. // PushSecret pushes a new secret to GitHub Actions.
    88. 

  88. func (g *Client) PushSecret(ctx context.Context, secret *corev1.Secret, remoteRef esv1.PushSecretData) error {
    89. 

  89. 	githubSecret, response, err := g.getSecretFn(ctx, remoteRef)
    90. 

  90. 	if err != nil && (response == nil || response.StatusCode != 404) {
    91. 

  91. 		return fmt.Errorf("error fetching secret: %w", err)
    92. 

  92. 	}
    93. 

  93. 

  94. 	// First at all, we need the organization public key to encrypt the secret.
    95. 

  95. 	publicKey, _, err := g.getPublicKeyFn(ctx)
    96. 

  96. 	if err != nil {
    97. 

  97. 		return fmt.Errorf("error fetching public key: %w", err)
    98. 

  98. 	}
    99. 

  99. 

  100. 	decodedPublicKey, err := base64.StdEncoding.DecodeString(publicKey.GetKey())
    101. 

  101. 	if err != nil {
    102. 

  102. 		return fmt.Errorf("unable to decode public key: %w", err)
    103. 

  103. 	}
    104. 

  104. 

  105. 	var boxKey [32]byte
    106. 

  106. 	copy(boxKey[:], decodedPublicKey)
    107. 

  107. 	var ok bool
    108. 

  108. 	// default to full secret.
    109. 

  109. 	value, err := json.Marshal(secret.Data)
    110. 

  110. 	if err != nil {
    111. 

  111. 		return fmt.Errorf("json.Marshal failed with error %w", err)
    112. 

  112. 	}
    113. 

  113. 	// if key is specified, overwrite to key only
    114. 

  114. 	if remoteRef.GetSecretKey() != "" {
    115. 

  115. 		value, ok = secret.Data[remoteRef.GetSecretKey()]
    116. 

  116. 		if !ok {
    117. 

  117. 			return fmt.Errorf("key %s not found in secret", remoteRef.GetSecretKey())
    118. 

  118. 		}
    119. 

  119. 	}
    120. 

  120. 

  121. 	encryptedBytes, err := box.SealAnonymous([]byte{}, value, &boxKey, crypto_rand.Reader)
    122. 

  122. 	if err != nil {
    123. 

  123. 		return fmt.Errorf("box.SealAnonymous failed with error %w", err)
    124. 

  124. 	}
    125. 

  125. 	name := remoteRef.GetRemoteKey()
    126. 

  126. 	visibility := "all"
    127. 

  127. 	if githubSecret != nil {
    128. 

  128. 		name = githubSecret.Name
    129. 

  129. 		visibility = githubSecret.Visibility
    130. 

  130. 	}
    131. 

  131. 	encryptedString := base64.StdEncoding.EncodeToString(encryptedBytes)
    132. 

  132. 	keyID := publicKey.GetKeyID()
    133. 

  133. 	encryptedSecret := &github.EncryptedSecret{
    134. 

  134. 		Name:           name,
    135. 

  135. 		KeyID:          keyID,
    136. 

  136. 		EncryptedValue: encryptedString,
    137. 

  137. 		Visibility:     visibility,
    138. 

  138. 	}
    139. 

  139. 

  140. 	if _, err := g.createOrUpdateFn(ctx, encryptedSecret); err != nil {
    141. 

  141. 		return fmt.Errorf("failed to create secret: %w", err)
    142. 

  142. 	}
    143. 

  143. 

  144. 	return nil
    145. 

  145. }
    146. 

  146. 

  147. // GetAllSecrets is not implemented as this provider is write-only.
    148. 

  148. func (g *Client) GetAllSecrets(_ context.Context, _ esv1.ExternalSecretFind) (map[string][]byte, error) {
    149. 

  149. 	return nil, fmt.Errorf(errWriteOnlyProvider)
    150. 

  150. }
    151. 

  151. 

  152. // GetSecret is not implemented as this provider is write-only.
    153. 

  153. func (g *Client) GetSecret(_ context.Context, _ esv1.ExternalSecretDataRemoteRef) ([]byte, error) {
    154. 

  154. 	return nil, fmt.Errorf(errWriteOnlyProvider)
    155. 

  155. }
    156. 

  156. 

  157. // GetSecretMap is not implemented as this provider is write-only.
    158. 

  158. func (g *Client) GetSecretMap(_ context.Context, _ esv1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
    159. 

  159. 	return nil, fmt.Errorf(errWriteOnlyProvider)
    160. 

  160. }
    161. 

  161. 

  162. // Close cleans up any resources held by the client. No-op for this provider.
    163. 

  163. func (g *Client) Close(_ context.Context) error {
    164. 

  164. 	return nil
    165. 

  165. }
    166. 

  166. 

  167. // Validate checks if the client is properly configured and has access to the GitHub Actions API.
    168. 

  168. func (g *Client) Validate() (esv1.ValidationResult, error) {
    169. 

  169. 	if g.store.GetKind() == esv1.ClusterSecretStoreKind {
    170. 

  170. 		return esv1.ValidationResultUnknown, nil
    171. 

  171. 	}
    172. 

  172. 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
    173. 

  173. 	defer cancel()
    174. 

  174. 	_, _, err := g.listSecretsFn(ctx)
    175. 

  175. 

  176. 	if err != nil {
    177. 

  177. 		return esv1.ValidationResultError, fmt.Errorf("store is not allowed to list secrets: %w", err)
    178. 

  178. 	}
    179. 

  179. 

  180. 	return esv1.ValidationResultReady, nil
    181. 

  181. }
    182.