Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: 82d419e2ee
Branches Tags
helm-externa...
/
pkg
/
provider
/
chef
/
chef.go

chef.go 13 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6. 	http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. package chef
    15. 

  15. 

  16. import (
    17. 

  17. 	"context"
    18. 

  18. 	"encoding/json"
    19. 

  19. 	"fmt"
    20. 

  20. 	"net/url"
    21. 

  21. 	"strings"
    22. 

  22. 	"time"
    23. 

  23. 

  24. 	"github.com/go-chef/chef"
    25. 

  25. 	"github.com/go-logr/logr"
    26. 

  26. 	"github.com/tidwall/gjson"
    27. 

  27. 	corev1 "k8s.io/api/core/v1"
    28. 

  28. 	"k8s.io/apimachinery/pkg/types"
    29. 

  29. 	ctrl "sigs.k8s.io/controller-runtime"
    30. 

  30. 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
    31. 

  31. 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
    32. 

  32. 

  33. 	"github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
    34. 

  34. 	"github.com/external-secrets/external-secrets/pkg/metrics"
    35. 

  35. 	"github.com/external-secrets/external-secrets/pkg/utils"
    36. 

  36. )
    37. 

  37. 

  38. const (
    39. 

  39. 	errChefStore                             = "received invalid Chef SecretStore resource: %w"
    40. 

  40. 	errMissingStore                          = "missing store"
    41. 

  41. 	errMissingStoreSpec                      = "missing store spec"
    42. 

  42. 	errMissingProvider                       = "missing provider"
    43. 

  43. 	errMissingChefProvider                   = "missing chef provider"
    44. 

  44. 	errMissingUserName                       = "missing username"
    45. 

  45. 	errMissingServerURL                      = "missing serverurl"
    46. 

  46. 	errMissingAuth                           = "cannot initialize Chef Client: no valid authType was specified"
    47. 

  47. 	errMissingSecretKey                      = "missing Secret Key"
    48. 

  48. 	errInvalidClusterStoreMissingPKNamespace = "invalid ClusterSecretStore: missing privateKeySecretRef.Namespace"
    49. 

  49. 	errFetchK8sSecret                        = "could not fetch SecretKey Secret: %w"
    50. 

  50. 	errInvalidURL                            = "invalid serverurl: %w"
    51. 

  51. 	errChefClient                            = "unable to create chef client: %w"
    52. 

  52. 	errChefProvider                          = "missing or invalid spec: %w"
    53. 

  53. 	errUninitalizedChefProvider              = "chef provider is not initialized"
    54. 

  54. 	errNoDatabagItemFound                    = "data bag item %s not found in data bag %s"
    55. 

  55. 	errNoDatabagItemPropertyFound            = "property %s not found in data bag item"
    56. 

  56. 	errCannotListDataBagItems                = "unable to list items in data bag %s, may be given data bag doesn't exists or it is empty"
    57. 

  57. 	errUnableToConvertToJSON                 = "unable to convert databagItem into JSON"
    58. 

  58. 	errInvalidFormat                         = "invalid key format in data section. Expected value 'databagName/databagItemName'"
    59. 

  59. 	errStoreValidateFailed                   = "unable to validate provided store. Check if username, serverUrl and privateKey are correct"
    60. 

  60. 	errServerURLNoEndSlash                   = "serverurl does not end with slash(/)"
    61. 

  61. 	errInvalidDataform                       = "invalid key format in dataForm section. Expected only 'databagName'"
    62. 

  62. 	errNotImplemented                        = "not implemented"
    63. 

  63. 

  64. 	ProviderChef             = "Chef"
    65. 

  65. 	CallChefGetDataBagItem   = "GetDataBagItem"
    66. 

  66. 	CallChefListDataBagItems = "ListDataBagItems"
    67. 

  67. 	CallChefGetUser          = "GetUser"
    68. 

  68. )
    69. 

  69. 

  70. var contextTimeout = time.Second * 25
    71. 

  71. 

  72. type DatabagFetcher interface {
    73. 

  73. 	GetItem(databagName string, databagItem string) (item chef.DataBagItem, err error)
    74. 

  74. 	ListItems(name string) (data *chef.DataBagListResult, err error)
    75. 

  75. }
    76. 

  76. 

  77. type UserInterface interface {
    78. 

  78. 	Get(name string) (user chef.User, err error)
    79. 

  79. }
    80. 

  80. 

  81. type Providerchef struct {
    82. 

  82. 	clientName     string
    83. 

  83. 	databagService DatabagFetcher
    84. 

  84. 	userService    UserInterface
    85. 

  85. 	log            logr.Logger
    86. 

  86. }
    87. 

  87. 

  88. var _ v1beta1.SecretsClient = &Providerchef{}
    89. 

  89. var _ v1beta1.Provider = &Providerchef{}
    90. 

  90. 

  91. func init() {
    92. 

  92. 	v1beta1.Register(&Providerchef{}, &v1beta1.SecretStoreProvider{
    93. 

  93. 		Chef: &v1beta1.ChefProvider{},
    94. 

  94. 	})
    95. 

  95. }
    96. 

  96. 

  97. func (providerchef *Providerchef) NewClient(ctx context.Context, store v1beta1.GenericStore, kube kclient.Client, namespace string) (v1beta1.SecretsClient, error) {
    98. 

  98. 	chefProvider, err := getChefProvider(store)
    99. 

  99. 	if err != nil {
    100. 

  100. 		return nil, fmt.Errorf(errChefProvider, err)
    101. 

  101. 	}
    102. 

  102. 

  103. 	credentialsSecret := &corev1.Secret{}
    104. 

  104. 	objectKey := types.NamespacedName{
    105. 

  105. 		Name:      chefProvider.Auth.SecretRef.SecretKey.Name,
    106. 

  106. 		Namespace: namespace,
    107. 

  107. 	}
    108. 

  108. 

  109. 	if store.GetObjectKind().GroupVersionKind().Kind == v1beta1.ClusterSecretStoreKind {
    110. 

  110. 		if chefProvider.Auth.SecretRef.SecretKey.Namespace == nil {
    111. 

  111. 			return nil, fmt.Errorf(errInvalidClusterStoreMissingPKNamespace)
    112. 

  112. 		}
    113. 

  113. 		objectKey.Namespace = *chefProvider.Auth.SecretRef.SecretKey.Namespace
    114. 

  114. 	}
    115. 

  115. 

  116. 	if err := kube.Get(ctx, objectKey, credentialsSecret); err != nil {
    117. 

  117. 		return nil, fmt.Errorf(errFetchK8sSecret, err)
    118. 

  118. 	}
    119. 

  119. 

  120. 	secretKey := credentialsSecret.Data[chefProvider.Auth.SecretRef.SecretKey.Key]
    121. 

  121. 	if len(secretKey) == 0 {
    122. 

  122. 		return nil, fmt.Errorf(errMissingSecretKey)
    123. 

  123. 	}
    124. 

  124. 

  125. 	client, err := chef.NewClient(&chef.Config{
    126. 

  126. 		Name:    chefProvider.UserName,
    127. 

  127. 		Key:     string(secretKey),
    128. 

  128. 		BaseURL: chefProvider.ServerURL,
    129. 

  129. 	})
    130. 

  130. 	if err != nil {
    131. 

  131. 		return nil, fmt.Errorf(errChefClient, err)
    132. 

  132. 	}
    133. 

  133. 

  134. 	providerchef.clientName = chefProvider.UserName
    135. 

  135. 	providerchef.databagService = client.DataBags
    136. 

  136. 	providerchef.userService = client.Users
    137. 

  137. 	providerchef.log = ctrl.Log.WithName("provider").WithName("chef").WithName("secretsmanager")
    138. 

  138. 	return providerchef, nil
    139. 

  139. }
    140. 

  140. 

  141. // Close closes the client connection.
    142. 

  142. func (providerchef *Providerchef) Close(_ context.Context) error {
    143. 

  143. 	return nil
    144. 

  144. }
    145. 

  145. 

  146. // Validate checks if the client is configured correctly
    147. 

  147. // to be able to retrieve secrets from the provider.
    148. 

  148. func (providerchef *Providerchef) Validate() (v1beta1.ValidationResult, error) {
    149. 

  149. 	_, err := providerchef.userService.Get(providerchef.clientName)
    150. 

  150. 	metrics.ObserveAPICall(ProviderChef, CallChefGetUser, err)
    151. 

  151. 	if err != nil {
    152. 

  152. 		return v1beta1.ValidationResultError, fmt.Errorf(errStoreValidateFailed)
    153. 

  153. 	}
    154. 

  154. 	return v1beta1.ValidationResultReady, nil
    155. 

  155. }
    156. 

  156. 

  157. // GetAllSecrets Retrieves a map[string][]byte with the Databag names as key and the Databag's Items as secrets.
    158. 

  158. func (providerchef *Providerchef) GetAllSecrets(_ context.Context, _ v1beta1.ExternalSecretFind) (map[string][]byte, error) {
    159. 

  159. 	return nil, fmt.Errorf("dataFrom.find not suppported")
    160. 

  160. }
    161. 

  161. 

  162. // GetSecret returns a databagItem present in the databag. format example: databagName/databagItemName.
    163. 

  163. func (providerchef *Providerchef) GetSecret(ctx context.Context, ref v1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
    164. 

  164. 	if utils.IsNil(providerchef.databagService) {
    165. 

  165. 		return nil, fmt.Errorf(errUninitalizedChefProvider)
    166. 

  166. 	}
    167. 

  167. 

  168. 	key := ref.Key
    169. 

  169. 	databagName := ""
    170. 

  170. 	databagItem := ""
    171. 

  171. 	nameSplitted := strings.Split(key, "/")
    172. 

  172. 	if len(nameSplitted) > 1 {
    173. 

  173. 		databagName = nameSplitted[0]
    174. 

  174. 		databagItem = nameSplitted[1]
    175. 

  175. 	}
    176. 

  176. 	providerchef.log.Info("fetching secret value", "databag Name:", databagName, "databag Item:", databagItem)
    177. 

  177. 	if databagName != "" && databagItem != "" {
    178. 

  178. 		return getSingleDatabagItemWithContext(ctx, providerchef, databagName, databagItem, ref.Property)
    179. 

  179. 	}
    180. 

  180. 

  181. 	return nil, fmt.Errorf(errInvalidFormat)
    182. 

  182. }
    183. 

  183. 

  184. func getSingleDatabagItemWithContext(ctx context.Context, providerchef *Providerchef, dataBagName, databagItemName, propertyName string) ([]byte, error) {
    185. 

  185. 	ctxWithTimeout, cancel := context.WithTimeout(ctx, contextTimeout)
    186. 

  186. 	defer cancel()
    187. 

  187. 	type result = struct {
    188. 

  188. 		values []byte
    189. 

  189. 		err    error
    190. 

  190. 	}
    191. 

  191. 	getWithTimeout := func() chan result {
    192. 

  192. 		resultChan := make(chan result, 1)
    193. 

  193. 		go func() {
    194. 

  194. 			defer close(resultChan)
    195. 

  195. 			ditem, err := providerchef.databagService.GetItem(dataBagName, databagItemName)
    196. 

  196. 			metrics.ObserveAPICall(ProviderChef, CallChefGetDataBagItem, err)
    197. 

  197. 			if err != nil {
    198. 

  198. 				resultChan <- result{err: fmt.Errorf(errNoDatabagItemFound, databagItemName, dataBagName)}
    199. 

  199. 				return
    200. 

  200. 			}
    201. 

  201. 			jsonByte, err := json.Marshal(ditem)
    202. 

  202. 			if err != nil {
    203. 

  203. 				resultChan <- result{err: fmt.Errorf(errUnableToConvertToJSON)}
    204. 

  204. 				return
    205. 

  205. 			}
    206. 

  206. 			if propertyName != "" {
    207. 

  207. 				propertyValue, err := getPropertyFromDatabagItem(jsonByte, propertyName)
    208. 

  208. 				if err != nil {
    209. 

  209. 					resultChan <- result{err: err}
    210. 

  210. 					return
    211. 

  211. 				}
    212. 

  212. 				resultChan <- result{values: propertyValue}
    213. 

  213. 			} else {
    214. 

  214. 				resultChan <- result{values: jsonByte}
    215. 

  215. 			}
    216. 

  216. 		}()
    217. 

  217. 		return resultChan
    218. 

  218. 	}
    219. 

  219. 	select {
    220. 

  220. 	case <-ctxWithTimeout.Done():
    221. 

  221. 		return nil, ctxWithTimeout.Err()
    222. 

  222. 	case r := <-getWithTimeout():
    223. 

  223. 		if r.err != nil {
    224. 

  224. 			return nil, r.err
    225. 

  225. 		}
    226. 

  226. 		return r.values, nil
    227. 

  227. 	}
    228. 

  228. }
    229. 

  229. 

  230. /*
    231. 

  231. A path is a series of keys separated by a dot.
    232. 

  232. A key may contain special wildcard characters '*' and '?'.
    233. 

  233. To access an array value use the index as the key.
    234. 

  234. To get the number of elements in an array or to access a child path, use the '#' character.
    235. 

  235. The dot and wildcard characters can be escaped with '\'.
    236. 

  236. 

  237. refer https://github.com/tidwall/gjson#:~:text=JSON%20byte%20slices.-,Path%20Syntax,-Below%20is%20a
    238. 

  238. */
    239. 

  239. func getPropertyFromDatabagItem(jsonByte []byte, propertyName string) ([]byte, error) {
    240. 

  240. 	result := gjson.GetBytes(jsonByte, propertyName)
    241. 

  241. 

  242. 	if !result.Exists() {
    243. 

  243. 		return nil, fmt.Errorf(errNoDatabagItemPropertyFound, propertyName)
    244. 

  244. 	}
    245. 

  245. 	return []byte(result.Str), nil
    246. 

  246. }
    247. 

  247. 

  248. // GetSecretMap returns multiple k/v pairs from the provider, for dataFrom.extract.key
    249. 

  249. // dataFrom.extract.key only accepts dataBagName, example : dataFrom.extract.key: myDatabag
    250. 

  250. // databagItemName or Property not expected in key.
    251. 

  251. func (providerchef *Providerchef) GetSecretMap(ctx context.Context, ref v1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
    252. 

  252. 	if utils.IsNil(providerchef.databagService) {
    253. 

  253. 		return nil, fmt.Errorf(errUninitalizedChefProvider)
    254. 

  254. 	}
    255. 

  255. 	databagName := ref.Key
    256. 

  256. 

  257. 	if strings.Contains(databagName, "/") {
    258. 

  258. 		return nil, fmt.Errorf(errInvalidDataform)
    259. 

  259. 	}
    260. 

  260. 	getAllSecrets := make(map[string][]byte)
    261. 

  261. 	providerchef.log.Info("fetching all items from", "databag:", databagName)
    262. 

  262. 	dataItems, err := providerchef.databagService.ListItems(databagName)
    263. 

  263. 	metrics.ObserveAPICall(ProviderChef, CallChefListDataBagItems, err)
    264. 

  264. 	if err != nil {
    265. 

  265. 		return nil, fmt.Errorf(errCannotListDataBagItems, databagName)
    266. 

  266. 	}
    267. 

  267. 

  268. 	for dataItem := range *dataItems {
    269. 

  269. 		dItem, err := getSingleDatabagItemWithContext(ctx, providerchef, databagName, dataItem, "")
    270. 

  270. 		if err != nil {
    271. 

  271. 			return nil, fmt.Errorf(errNoDatabagItemFound, dataItem, databagName)
    272. 

  272. 		}
    273. 

  273. 		getAllSecrets[dataItem] = dItem
    274. 

  274. 	}
    275. 

  275. 	return getAllSecrets, nil
    276. 

  276. }
    277. 

  277. 

  278. // ValidateStore checks if the provided store is valid.
    279. 

  279. func (providerchef *Providerchef) ValidateStore(store v1beta1.GenericStore) (admission.Warnings, error) {
    280. 

  280. 	chefProvider, err := getChefProvider(store)
    281. 

  281. 	if err != nil {
    282. 

  282. 		return nil, fmt.Errorf(errChefStore, err)
    283. 

  283. 	}
    284. 

  284. 	// check namespace compared to kind
    285. 

  285. 	if err := utils.ValidateSecretSelector(store, chefProvider.Auth.SecretRef.SecretKey); err != nil {
    286. 

  286. 		return nil, fmt.Errorf(errChefStore, err)
    287. 

  287. 	}
    288. 

  288. 	return nil, nil
    289. 

  289. }
    290. 

  290. 

  291. // getChefProvider validates the incoming store and return the chef provider.
    292. 

  292. func getChefProvider(store v1beta1.GenericStore) (*v1beta1.ChefProvider, error) {
    293. 

  293. 	if store == nil {
    294. 

  294. 		return nil, fmt.Errorf(errMissingStore)
    295. 

  295. 	}
    296. 

  296. 	storeSpec := store.GetSpec()
    297. 

  297. 	if storeSpec == nil {
    298. 

  298. 		return nil, fmt.Errorf(errMissingStoreSpec)
    299. 

  299. 	}
    300. 

  300. 	provider := storeSpec.Provider
    301. 

  301. 	if provider == nil {
    302. 

  302. 		return nil, fmt.Errorf(errMissingProvider)
    303. 

  303. 	}
    304. 

  304. 	chefProvider := storeSpec.Provider.Chef
    305. 

  305. 	if chefProvider == nil {
    306. 

  306. 		return nil, fmt.Errorf(errMissingChefProvider)
    307. 

  307. 	}
    308. 

  308. 	if chefProvider.UserName == "" {
    309. 

  309. 		return chefProvider, fmt.Errorf(errMissingUserName)
    310. 

  310. 	}
    311. 

  311. 	if chefProvider.ServerURL == "" {
    312. 

  312. 		return chefProvider, fmt.Errorf(errMissingServerURL)
    313. 

  313. 	}
    314. 

  314. 	if !strings.HasSuffix(chefProvider.ServerURL, "/") {
    315. 

  315. 		return chefProvider, fmt.Errorf(errServerURLNoEndSlash)
    316. 

  316. 	}
    317. 

  317. 	// check valid URL
    318. 

  318. 	if _, err := url.ParseRequestURI(chefProvider.ServerURL); err != nil {
    319. 

  319. 		return chefProvider, fmt.Errorf(errInvalidURL, err)
    320. 

  320. 	}
    321. 

  321. 	if chefProvider.Auth == nil {
    322. 

  322. 		return chefProvider, fmt.Errorf(errMissingAuth)
    323. 

  323. 	}
    324. 

  324. 	if chefProvider.Auth.SecretRef.SecretKey.Key == "" {
    325. 

  325. 		return chefProvider, fmt.Errorf(errMissingSecretKey)
    326. 

  326. 	}
    327. 

  327. 

  328. 	return chefProvider, nil
    329. 

  329. }
    330. 

  330. 

  331. // Not Implemented DeleteSecret.
    332. 

  332. func (providerchef *Providerchef) DeleteSecret(_ context.Context, _ v1beta1.PushSecretRemoteRef) error {
    333. 

  333. 	return fmt.Errorf(errNotImplemented)
    334. 

  334. }
    335. 

  335. 

  336. // Not Implemented PushSecret.
    337. 

  337. func (providerchef *Providerchef) PushSecret(_ context.Context, _ *corev1.Secret, _ v1beta1.PushSecretData) error {
    338. 

  338. 	return fmt.Errorf(errNotImplemented)
    339. 

  339. }
    340. 

  340. 

  341. func (providerchef *Providerchef) SecretExists(_ context.Context, _ v1beta1.PushSecretRemoteRef) (bool, error) {
    342. 

  342. 	return false, fmt.Errorf(errNotImplemented)
    343. 

  343. }
    344. 

  344. 

  345. // Capabilities return the provider supported capabilities (ReadOnly, WriteOnly, ReadWrite).
    346. 

  346. func (providerchef *Providerchef) Capabilities() v1beta1.SecretStoreCapabilities {
    347. 

  347. 	return v1beta1.SecretStoreReadOnly
    348. 

  348. }
    349.