keyvault.go 35 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047
  1. /*
  2. Licensed under the Apache License, Version 2.0 (the "License");
  3. you may not use this file except in compliance with the License.
  4. You may obtain a copy of the License at
  5. http://www.apache.org/licenses/LICENSE-2.0
  6. Unless required by applicable law or agreed to in writing, software
  7. distributed under the License is distributed on an "AS IS" BASIS,
  8. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  9. See the License for the specific language governing permissions and
  10. limitations under the License.
  11. */
  12. package keyvault
  13. import (
  14. "context"
  15. "crypto/x509"
  16. b64 "encoding/base64"
  17. "encoding/json"
  18. "encoding/pem"
  19. "errors"
  20. "fmt"
  21. "os"
  22. "path"
  23. "regexp"
  24. "strings"
  25. "github.com/Azure/azure-sdk-for-go/profiles/latest/keyvault/keyvault"
  26. "github.com/Azure/go-autorest/autorest"
  27. "github.com/Azure/go-autorest/autorest/adal"
  28. "github.com/Azure/go-autorest/autorest/azure"
  29. kvauth "github.com/Azure/go-autorest/autorest/azure/auth"
  30. "github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential"
  31. "github.com/lestrrat-go/jwx/jwk"
  32. "github.com/tidwall/gjson"
  33. "golang.org/x/crypto/pkcs12"
  34. "golang.org/x/crypto/sha3"
  35. authv1 "k8s.io/api/authentication/v1"
  36. corev1 "k8s.io/api/core/v1"
  37. metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
  38. "k8s.io/apimachinery/pkg/types"
  39. "k8s.io/client-go/kubernetes"
  40. kcorev1 "k8s.io/client-go/kubernetes/typed/core/v1"
  41. pointer "k8s.io/utils/ptr"
  42. "sigs.k8s.io/controller-runtime/pkg/client"
  43. ctrlcfg "sigs.k8s.io/controller-runtime/pkg/client/config"
  44. esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
  45. smmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
  46. "github.com/external-secrets/external-secrets/pkg/constants"
  47. "github.com/external-secrets/external-secrets/pkg/metrics"
  48. "github.com/external-secrets/external-secrets/pkg/utils"
  49. )
  50. const (
  51. defaultObjType = "secret"
  52. objectTypeCert = "cert"
  53. objectTypeKey = "key"
  54. AzureDefaultAudience = "api://AzureADTokenExchange"
  55. AnnotationClientID = "azure.workload.identity/client-id"
  56. AnnotationTenantID = "azure.workload.identity/tenant-id"
  57. managerLabel = "external-secrets"
  58. errUnexpectedStoreSpec = "unexpected store spec"
  59. errMissingAuthType = "cannot initialize Azure Client: no valid authType was specified"
  60. errPropNotExist = "property %s does not exist in key %s"
  61. errTagNotExist = "tag %s does not exist"
  62. errUnknownObjectType = "unknown Azure Keyvault object Type for %s"
  63. errUnmarshalJSONData = "error unmarshalling json data: %w"
  64. errDataFromCert = "cannot get use dataFrom to get certificate secret"
  65. errDataFromKey = "cannot get use dataFrom to get key secret"
  66. errMissingTenant = "missing tenantID in store config"
  67. errMissingSecretRef = "missing secretRef in provider config"
  68. errMissingClientIDSecret = "missing accessKeyID/secretAccessKey in store config"
  69. errFindSecret = "could not find secret %s/%s: %w"
  70. errFindDataKey = "no data for %q in secret '%s/%s'"
  71. errInvalidStore = "invalid store"
  72. errInvalidStoreSpec = "invalid store spec"
  73. errInvalidStoreProv = "invalid store provider"
  74. errInvalidAzureProv = "invalid azure keyvault provider"
  75. errInvalidSecRefClientID = "invalid AuthSecretRef.ClientID: %w"
  76. errInvalidSecRefClientSecret = "invalid AuthSecretRef.ClientSecret: %w"
  77. errInvalidSARef = "invalid ServiceAccountRef: %w"
  78. errMissingWorkloadEnvVars = "missing environment variables. AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE must be set"
  79. errReadTokenFile = "unable to read token file %s: %w"
  80. errMissingSAAnnotation = "missing service account annotation: %s"
  81. )
  82. // https://github.com/external-secrets/external-secrets/issues/644
  83. var _ esv1beta1.SecretsClient = &Azure{}
  84. var _ esv1beta1.Provider = &Azure{}
  85. // interface to keyvault.BaseClient.
  86. type SecretClient interface {
  87. GetKey(ctx context.Context, vaultBaseURL string, keyName string, keyVersion string) (result keyvault.KeyBundle, err error)
  88. GetSecret(ctx context.Context, vaultBaseURL string, secretName string, secretVersion string) (result keyvault.SecretBundle, err error)
  89. GetSecretsComplete(ctx context.Context, vaultBaseURL string, maxresults *int32) (result keyvault.SecretListResultIterator, err error)
  90. GetCertificate(ctx context.Context, vaultBaseURL string, certificateName string, certificateVersion string) (result keyvault.CertificateBundle, err error)
  91. SetSecret(ctx context.Context, vaultBaseURL string, secretName string, parameters keyvault.SecretSetParameters) (result keyvault.SecretBundle, err error)
  92. ImportKey(ctx context.Context, vaultBaseURL string, keyName string, parameters keyvault.KeyImportParameters) (result keyvault.KeyBundle, err error)
  93. ImportCertificate(ctx context.Context, vaultBaseURL string, certificateName string, parameters keyvault.CertificateImportParameters) (result keyvault.CertificateBundle, err error)
  94. DeleteCertificate(ctx context.Context, vaultBaseURL string, certificateName string) (result keyvault.DeletedCertificateBundle, err error)
  95. DeleteKey(ctx context.Context, vaultBaseURL string, keyName string) (result keyvault.DeletedKeyBundle, err error)
  96. DeleteSecret(ctx context.Context, vaultBaseURL string, secretName string) (result keyvault.DeletedSecretBundle, err error)
  97. }
  98. type Azure struct {
  99. crClient client.Client
  100. kubeClient kcorev1.CoreV1Interface
  101. store esv1beta1.GenericStore
  102. provider *esv1beta1.AzureKVProvider
  103. baseClient SecretClient
  104. namespace string
  105. }
  106. func init() {
  107. esv1beta1.Register(&Azure{}, &esv1beta1.SecretStoreProvider{
  108. AzureKV: &esv1beta1.AzureKVProvider{},
  109. })
  110. }
  111. // Capabilities return the provider supported capabilities (ReadOnly, WriteOnly, ReadWrite).
  112. func (a *Azure) Capabilities() esv1beta1.SecretStoreCapabilities {
  113. return esv1beta1.SecretStoreReadWrite
  114. }
  115. // NewClient constructs a new secrets client based on the provided store.
  116. func (a *Azure) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube client.Client, namespace string) (esv1beta1.SecretsClient, error) {
  117. return newClient(ctx, store, kube, namespace)
  118. }
  119. func newClient(ctx context.Context, store esv1beta1.GenericStore, kube client.Client, namespace string) (esv1beta1.SecretsClient, error) {
  120. provider, err := getProvider(store)
  121. if err != nil {
  122. return nil, err
  123. }
  124. cfg, err := ctrlcfg.GetConfig()
  125. if err != nil {
  126. return nil, err
  127. }
  128. kubeClient, err := kubernetes.NewForConfig(cfg)
  129. if err != nil {
  130. return nil, err
  131. }
  132. az := &Azure{
  133. crClient: kube,
  134. kubeClient: kubeClient.CoreV1(),
  135. store: store,
  136. namespace: namespace,
  137. provider: provider,
  138. }
  139. // allow SecretStore controller validation to pass
  140. // when using referent namespace.
  141. if store.GetKind() == esv1beta1.ClusterSecretStoreKind &&
  142. namespace == "" &&
  143. isReferentSpec(provider) {
  144. return az, nil
  145. }
  146. var authorizer autorest.Authorizer
  147. switch *provider.AuthType {
  148. case esv1beta1.AzureManagedIdentity:
  149. authorizer, err = az.authorizerForManagedIdentity()
  150. case esv1beta1.AzureServicePrincipal:
  151. authorizer, err = az.authorizerForServicePrincipal(ctx)
  152. case esv1beta1.AzureWorkloadIdentity:
  153. authorizer, err = az.authorizerForWorkloadIdentity(ctx, NewTokenProvider)
  154. default:
  155. err = fmt.Errorf(errMissingAuthType)
  156. }
  157. cl := keyvault.New()
  158. cl.Authorizer = authorizer
  159. az.baseClient = &cl
  160. return az, err
  161. }
  162. func getProvider(store esv1beta1.GenericStore) (*esv1beta1.AzureKVProvider, error) {
  163. spc := store.GetSpec()
  164. if spc == nil || spc.Provider.AzureKV == nil {
  165. return nil, errors.New(errUnexpectedStoreSpec)
  166. }
  167. return spc.Provider.AzureKV, nil
  168. }
  169. func (a *Azure) ValidateStore(store esv1beta1.GenericStore) error {
  170. if store == nil {
  171. return fmt.Errorf(errInvalidStore)
  172. }
  173. spc := store.GetSpec()
  174. if spc == nil {
  175. return fmt.Errorf(errInvalidStoreSpec)
  176. }
  177. if spc.Provider == nil {
  178. return fmt.Errorf(errInvalidStoreProv)
  179. }
  180. p := spc.Provider.AzureKV
  181. if p == nil {
  182. return fmt.Errorf(errInvalidAzureProv)
  183. }
  184. if p.AuthSecretRef != nil {
  185. if p.AuthSecretRef.ClientID != nil {
  186. if err := utils.ValidateReferentSecretSelector(store, *p.AuthSecretRef.ClientID); err != nil {
  187. return fmt.Errorf(errInvalidSecRefClientID, err)
  188. }
  189. }
  190. if p.AuthSecretRef.ClientSecret != nil {
  191. if err := utils.ValidateReferentSecretSelector(store, *p.AuthSecretRef.ClientSecret); err != nil {
  192. return fmt.Errorf(errInvalidSecRefClientSecret, err)
  193. }
  194. }
  195. }
  196. if p.ServiceAccountRef != nil {
  197. if err := utils.ValidateReferentServiceAccountSelector(store, *p.ServiceAccountRef); err != nil {
  198. return fmt.Errorf(errInvalidSARef, err)
  199. }
  200. }
  201. return nil
  202. }
  203. func canDelete(tags map[string]*string, err error) (bool, error) {
  204. aerr := &autorest.DetailedError{}
  205. conv := errors.As(err, aerr)
  206. if err != nil && !conv {
  207. return false, fmt.Errorf("could not parse error: %w", err)
  208. }
  209. if conv && aerr.StatusCode != 404 { // Secret is already deleted, nothing to do.
  210. return false, fmt.Errorf("unexpected api error: %w", err)
  211. }
  212. if aerr.StatusCode == 404 {
  213. return false, nil
  214. }
  215. manager, ok := tags["managed-by"]
  216. if !ok || manager == nil || *manager != managerLabel {
  217. return false, fmt.Errorf("not managed by external-secrets")
  218. }
  219. return true, nil
  220. }
  221. func (a *Azure) deleteKeyVaultKey(ctx context.Context, keyName string) error {
  222. value, err := a.baseClient.GetKey(ctx, *a.provider.VaultURL, keyName, "")
  223. metrics.ObserveAPICall(constants.ProviderAzureKV, constants.CallAzureKVGetKey, err)
  224. ok, err := canDelete(value.Tags, err)
  225. if err != nil {
  226. return fmt.Errorf("error getting key %v: %w", keyName, err)
  227. }
  228. if ok {
  229. _, err = a.baseClient.DeleteKey(ctx, *a.provider.VaultURL, keyName)
  230. metrics.ObserveAPICall(constants.ProviderAzureKV, constants.CallAzureKVDeleteKey, err)
  231. if err != nil {
  232. return fmt.Errorf("error deleting key %v: %w", keyName, err)
  233. }
  234. }
  235. return nil
  236. }
  237. func (a *Azure) deleteKeyVaultSecret(ctx context.Context, secretName string) error {
  238. value, err := a.baseClient.GetSecret(ctx, *a.provider.VaultURL, secretName, "")
  239. metrics.ObserveAPICall(constants.ProviderAzureKV, constants.CallAzureKVGetSecret, err)
  240. ok, err := canDelete(value.Tags, err)
  241. if err != nil {
  242. return fmt.Errorf("error getting secret %v: %w", secretName, err)
  243. }
  244. if ok {
  245. _, err = a.baseClient.DeleteSecret(ctx, *a.provider.VaultURL, secretName)
  246. metrics.ObserveAPICall(constants.ProviderAzureKV, constants.CallAzureKVDeleteSecret, err)
  247. if err != nil {
  248. return fmt.Errorf("error deleting secret %v: %w", secretName, err)
  249. }
  250. }
  251. return nil
  252. }
  253. func (a *Azure) deleteKeyVaultCertificate(ctx context.Context, certName string) error {
  254. value, err := a.baseClient.GetCertificate(ctx, *a.provider.VaultURL, certName, "")
  255. metrics.ObserveAPICall(constants.ProviderAzureKV, constants.CallAzureKVGetCertificate, err)
  256. ok, err := canDelete(value.Tags, err)
  257. if err != nil {
  258. return fmt.Errorf("error getting certificate %v: %w", certName, err)
  259. }
  260. if ok {
  261. _, err = a.baseClient.DeleteCertificate(ctx, *a.provider.VaultURL, certName)
  262. metrics.ObserveAPICall(constants.ProviderAzureKV, constants.CallAzureKVDeleteCertificate, err)
  263. if err != nil {
  264. return fmt.Errorf("error deleting certificate %v: %w", certName, err)
  265. }
  266. }
  267. return nil
  268. }
  269. func (a *Azure) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushSecretRemoteRef) error {
  270. objectType, secretName := getObjType(esv1beta1.ExternalSecretDataRemoteRef{Key: remoteRef.GetRemoteKey()})
  271. switch objectType {
  272. case defaultObjType:
  273. return a.deleteKeyVaultSecret(ctx, secretName)
  274. case objectTypeCert:
  275. return a.deleteKeyVaultCertificate(ctx, secretName)
  276. case objectTypeKey:
  277. return a.deleteKeyVaultKey(ctx, secretName)
  278. default:
  279. return fmt.Errorf("secret type '%v' is not supported", objectType)
  280. }
  281. }
  282. func getCertificateFromValue(value []byte) (*x509.Certificate, error) {
  283. // 1st: try decode pkcs12
  284. _, localCert, err := pkcs12.Decode(value, "")
  285. if err == nil {
  286. return localCert, nil
  287. }
  288. // 2nd: try DER
  289. localCert, err = x509.ParseCertificate(value)
  290. if err == nil {
  291. return localCert, nil
  292. }
  293. // 3nd: parse PEM blocks
  294. for {
  295. block, rest := pem.Decode(value)
  296. value = rest
  297. if block == nil {
  298. break
  299. }
  300. cert, err := x509.ParseCertificate(block.Bytes)
  301. if err == nil {
  302. return cert, nil
  303. }
  304. }
  305. return nil, fmt.Errorf("could not parse certificate value as PKCS#12, DER or PEM")
  306. }
  307. func getKeyFromValue(value []byte) (interface{}, error) {
  308. val := value
  309. pemBlock, _ := pem.Decode(value)
  310. // if a private key regular expression doesn't match, we should consider this key to be symmetric
  311. if pemBlock == nil {
  312. return val, nil
  313. }
  314. val = pemBlock.Bytes
  315. switch pemBlock.Type {
  316. case "PRIVATE KEY":
  317. return x509.ParsePKCS8PrivateKey(val)
  318. case "RSA PRIVATE KEY":
  319. return x509.ParsePKCS1PrivateKey(val)
  320. case "EC PRIVATE KEY":
  321. return x509.ParseECPrivateKey(val)
  322. default:
  323. return nil, fmt.Errorf("key type %v is not supported", pemBlock.Type)
  324. }
  325. }
  326. func canCreate(tags map[string]*string, err error) (bool, error) {
  327. aerr := &autorest.DetailedError{}
  328. conv := errors.As(err, aerr)
  329. if err != nil && !conv {
  330. return false, fmt.Errorf("could not parse error: %w", err)
  331. }
  332. if conv && aerr.StatusCode != 404 {
  333. return false, fmt.Errorf("unexpected api error: %w", err)
  334. }
  335. if err == nil {
  336. manager, ok := tags["managed-by"]
  337. if !ok || manager == nil || *manager != managerLabel {
  338. return false, fmt.Errorf("not managed by external-secrets")
  339. }
  340. }
  341. return true, nil
  342. }
  343. func (a *Azure) setKeyVaultSecret(ctx context.Context, secretName string, value []byte) error {
  344. secret, err := a.baseClient.GetSecret(ctx, *a.provider.VaultURL, secretName, "")
  345. metrics.ObserveAPICall(constants.ProviderAzureKV, constants.CallAzureKVGetSecret, err)
  346. ok, err := canCreate(secret.Tags, err)
  347. if err != nil {
  348. return fmt.Errorf("cannot get secret %v: %w", secretName, err)
  349. }
  350. if !ok {
  351. return nil
  352. }
  353. val := string(value)
  354. if secret.Value != nil && val == *secret.Value {
  355. return nil
  356. }
  357. secretParams := keyvault.SecretSetParameters{
  358. Value: &val,
  359. Tags: map[string]*string{
  360. "managed-by": pointer.To(managerLabel),
  361. },
  362. SecretAttributes: &keyvault.SecretAttributes{
  363. Enabled: pointer.To(true),
  364. },
  365. }
  366. _, err = a.baseClient.SetSecret(ctx, *a.provider.VaultURL, secretName, secretParams)
  367. metrics.ObserveAPICall(constants.ProviderAzureKV, constants.CallAzureKVGetSecret, err)
  368. if err != nil {
  369. return fmt.Errorf("could not set secret %v: %w", secretName, err)
  370. }
  371. return nil
  372. }
  373. func (a *Azure) setKeyVaultCertificate(ctx context.Context, secretName string, value []byte) error {
  374. val := b64.StdEncoding.EncodeToString(value)
  375. localCert, err := getCertificateFromValue(value)
  376. if err != nil {
  377. return fmt.Errorf("value from secret is not a valid certificate: %w", err)
  378. }
  379. cert, err := a.baseClient.GetCertificate(ctx, *a.provider.VaultURL, secretName, "")
  380. metrics.ObserveAPICall(constants.ProviderAzureKV, constants.CallAzureKVGetCertificate, err)
  381. ok, err := canCreate(cert.Tags, err)
  382. if err != nil {
  383. return fmt.Errorf("cannot get certificate %v: %w", secretName, err)
  384. }
  385. if !ok {
  386. return nil
  387. }
  388. b512 := sha3.Sum512(localCert.Raw)
  389. if cert.Cer != nil && b512 == sha3.Sum512(*cert.Cer) {
  390. return nil
  391. }
  392. params := keyvault.CertificateImportParameters{
  393. Base64EncodedCertificate: &val,
  394. Tags: map[string]*string{
  395. "managed-by": pointer.To(managerLabel),
  396. },
  397. }
  398. _, err = a.baseClient.ImportCertificate(ctx, *a.provider.VaultURL, secretName, params)
  399. metrics.ObserveAPICall(constants.ProviderAzureKV, constants.CallAzureKVImportCertificate, err)
  400. if err != nil {
  401. return fmt.Errorf("could not import certificate %v: %w", secretName, err)
  402. }
  403. return nil
  404. }
  405. func equalKeys(newKey, oldKey keyvault.JSONWebKey) bool {
  406. // checks for everything except KeyID and KeyOps
  407. rsaCheck := newKey.E != nil && oldKey.E != nil && *newKey.E == *oldKey.E &&
  408. newKey.N != nil && oldKey.N != nil && *newKey.N == *oldKey.N
  409. symmetricCheck := newKey.Crv == oldKey.Crv &&
  410. newKey.T != nil && oldKey.T != nil && *newKey.T == *oldKey.T &&
  411. newKey.X != nil && oldKey.X != nil && *newKey.X == *oldKey.X &&
  412. newKey.Y != nil && oldKey.Y != nil && *newKey.Y == *oldKey.Y
  413. return newKey.Kty == oldKey.Kty && (rsaCheck || symmetricCheck)
  414. }
  415. func (a *Azure) setKeyVaultKey(ctx context.Context, secretName string, value []byte) error {
  416. key, err := getKeyFromValue(value)
  417. if err != nil {
  418. return fmt.Errorf("could not load private key %v: %w", secretName, err)
  419. }
  420. jwKey, err := jwk.New(key)
  421. if err != nil {
  422. return fmt.Errorf("failed to generate a JWK from secret %v content: %w", secretName, err)
  423. }
  424. buf, err := json.Marshal(jwKey)
  425. if err != nil {
  426. return fmt.Errorf("error parsing key: %w", err)
  427. }
  428. azkey := keyvault.JSONWebKey{}
  429. err = json.Unmarshal(buf, &azkey)
  430. if err != nil {
  431. return fmt.Errorf("error unmarshalling key: %w", err)
  432. }
  433. keyFromVault, err := a.baseClient.GetKey(ctx, *a.provider.VaultURL, secretName, "")
  434. metrics.ObserveAPICall(constants.ProviderAzureKV, constants.CallAzureKVGetKey, err)
  435. ok, err := canCreate(keyFromVault.Tags, err)
  436. if err != nil {
  437. return fmt.Errorf("cannot get key %v: %w", secretName, err)
  438. }
  439. if !ok {
  440. return nil
  441. }
  442. if keyFromVault.Key != nil && equalKeys(azkey, *keyFromVault.Key) {
  443. return nil
  444. }
  445. params := keyvault.KeyImportParameters{
  446. Key: &azkey,
  447. KeyAttributes: &keyvault.KeyAttributes{},
  448. Tags: map[string]*string{
  449. "managed-by": pointer.To(managerLabel),
  450. },
  451. }
  452. _, err = a.baseClient.ImportKey(ctx, *a.provider.VaultURL, secretName, params)
  453. metrics.ObserveAPICall(constants.ProviderAzureKV, constants.CallAzureKVImportKey, err)
  454. if err != nil {
  455. return fmt.Errorf("could not import key %v: %w", secretName, err)
  456. }
  457. return nil
  458. }
  459. // PushSecret stores secrets into a Key vault instance.
  460. func (a *Azure) PushSecret(ctx context.Context, secret *corev1.Secret, data esv1beta1.PushSecretData) error {
  461. if data.GetSecretKey() == "" {
  462. return fmt.Errorf("pushing the whole secret is not yet implemented")
  463. }
  464. objectType, secretName := getObjType(esv1beta1.ExternalSecretDataRemoteRef{Key: data.GetRemoteKey()})
  465. value := secret.Data[data.GetSecretKey()]
  466. switch objectType {
  467. case defaultObjType:
  468. return a.setKeyVaultSecret(ctx, secretName, value)
  469. case objectTypeCert:
  470. return a.setKeyVaultCertificate(ctx, secretName, value)
  471. case objectTypeKey:
  472. return a.setKeyVaultKey(ctx, secretName, value)
  473. default:
  474. return fmt.Errorf("secret type %v not supported", objectType)
  475. }
  476. }
  477. // Implements store.Client.GetAllSecrets Interface.
  478. // Retrieves a map[string][]byte with the secret names as key and the secret itself as the calue.
  479. func (a *Azure) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
  480. basicClient := a.baseClient
  481. secretsMap := make(map[string][]byte)
  482. checkTags := len(ref.Tags) > 0
  483. checkName := ref.Name != nil && len(ref.Name.RegExp) > 0
  484. secretListIter, err := basicClient.GetSecretsComplete(ctx, *a.provider.VaultURL, nil)
  485. metrics.ObserveAPICall(constants.ProviderAzureKV, constants.CallAzureKVGetSecrets, err)
  486. err = parseError(err)
  487. if err != nil {
  488. return nil, err
  489. }
  490. for secretListIter.NotDone() {
  491. secret := secretListIter.Value()
  492. ok, secretName := isValidSecret(checkTags, checkName, ref, secret)
  493. if !ok {
  494. err = secretListIter.Next()
  495. if err != nil {
  496. return nil, err
  497. }
  498. continue
  499. }
  500. secretResp, err := basicClient.GetSecret(ctx, *a.provider.VaultURL, secretName, "")
  501. metrics.ObserveAPICall(constants.ProviderAzureKV, constants.CallAzureKVGetSecret, err)
  502. err = parseError(err)
  503. if err != nil {
  504. return nil, err
  505. }
  506. secretValue := *secretResp.Value
  507. secretsMap[secretName] = []byte(secretValue)
  508. err = secretListIter.Next()
  509. if err != nil {
  510. return nil, err
  511. }
  512. }
  513. return secretsMap, nil
  514. }
  515. // Retrieves a tag value if specified and all tags in JSON format if not.
  516. func getSecretTag(tags map[string]*string, property string) ([]byte, error) {
  517. if property == "" {
  518. secretTagsData := make(map[string]string)
  519. for k, v := range tags {
  520. secretTagsData[k] = *v
  521. }
  522. return json.Marshal(secretTagsData)
  523. }
  524. if val, exist := tags[property]; exist {
  525. return []byte(*val), nil
  526. }
  527. idx := strings.Index(property, ".")
  528. if idx < 0 {
  529. return nil, fmt.Errorf(errTagNotExist, property)
  530. }
  531. if idx > 0 {
  532. tagName := property[0:idx]
  533. if val, exist := tags[tagName]; exist {
  534. key := strings.Replace(property, tagName+".", "", 1)
  535. return getProperty(*val, key, property)
  536. }
  537. }
  538. return nil, fmt.Errorf(errTagNotExist, property)
  539. }
  540. // Retrieves a property value if specified and the secret value if not.
  541. func getProperty(secret, property, key string) ([]byte, error) {
  542. if property == "" {
  543. return []byte(secret), nil
  544. }
  545. res := gjson.Get(secret, property)
  546. if !res.Exists() {
  547. idx := strings.Index(property, ".")
  548. if idx < 0 {
  549. return nil, fmt.Errorf(errPropNotExist, property, key)
  550. }
  551. escaped := strings.ReplaceAll(property, ".", "\\.")
  552. jValue := gjson.Get(secret, escaped)
  553. if jValue.Exists() {
  554. return []byte(jValue.String()), nil
  555. }
  556. return nil, fmt.Errorf(errPropNotExist, property, key)
  557. }
  558. return []byte(res.String()), nil
  559. }
  560. func parseError(err error) error {
  561. aerr := autorest.DetailedError{}
  562. if errors.As(err, &aerr) && aerr.StatusCode == 404 {
  563. return esv1beta1.NoSecretError{}
  564. }
  565. return err
  566. }
  567. // Implements store.Client.GetSecret Interface.
  568. // Retrieves a secret/Key/Certificate/Tag with the secret name defined in ref.Name
  569. // The Object Type is defined as a prefix in the ref.Name , if no prefix is defined , we assume a secret is required.
  570. func (a *Azure) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
  571. objectType, secretName := getObjType(ref)
  572. switch objectType {
  573. case defaultObjType:
  574. // returns a SecretBundle with the secret value
  575. // https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/services/keyvault/v7.0/keyvault#SecretBundle
  576. secretResp, err := a.baseClient.GetSecret(ctx, *a.provider.VaultURL, secretName, ref.Version)
  577. metrics.ObserveAPICall(constants.ProviderAzureKV, constants.CallAzureKVGetSecret, err)
  578. err = parseError(err)
  579. if err != nil {
  580. return nil, err
  581. }
  582. if ref.MetadataPolicy == esv1beta1.ExternalSecretMetadataPolicyFetch {
  583. return getSecretTag(secretResp.Tags, ref.Property)
  584. }
  585. return getProperty(*secretResp.Value, ref.Property, ref.Key)
  586. case objectTypeCert:
  587. // returns a CertBundle. We return CER contents of x509 certificate
  588. // see: https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/services/keyvault/v7.0/keyvault#CertificateBundle
  589. certResp, err := a.baseClient.GetCertificate(ctx, *a.provider.VaultURL, secretName, ref.Version)
  590. metrics.ObserveAPICall(constants.ProviderAzureKV, constants.CallAzureKVGetCertificate, err)
  591. err = parseError(err)
  592. if err != nil {
  593. return nil, err
  594. }
  595. if ref.MetadataPolicy == esv1beta1.ExternalSecretMetadataPolicyFetch {
  596. return getSecretTag(certResp.Tags, ref.Property)
  597. }
  598. return *certResp.Cer, nil
  599. case objectTypeKey:
  600. // returns a KeyBundle that contains a jwk
  601. // azure kv returns only public keys
  602. // see: https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/services/keyvault/v7.0/keyvault#KeyBundle
  603. keyResp, err := a.baseClient.GetKey(ctx, *a.provider.VaultURL, secretName, ref.Version)
  604. metrics.ObserveAPICall(constants.ProviderAzureKV, constants.CallAzureKVGetKey, err)
  605. err = parseError(err)
  606. if err != nil {
  607. return nil, err
  608. }
  609. if ref.MetadataPolicy == esv1beta1.ExternalSecretMetadataPolicyFetch {
  610. return getSecretTag(keyResp.Tags, ref.Property)
  611. }
  612. return json.Marshal(keyResp.Key)
  613. }
  614. return nil, fmt.Errorf(errUnknownObjectType, secretName)
  615. }
  616. // returns a SecretBundle with the tags values.
  617. func (a *Azure) getSecretTags(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string]*string, error) {
  618. _, secretName := getObjType(ref)
  619. secretResp, err := a.baseClient.GetSecret(ctx, *a.provider.VaultURL, secretName, ref.Version)
  620. metrics.ObserveAPICall(constants.ProviderAzureKV, constants.CallAzureKVGetSecret, err)
  621. err = parseError(err)
  622. if err != nil {
  623. return nil, err
  624. }
  625. secretTagsData := make(map[string]*string)
  626. for tagname, tagval := range secretResp.Tags {
  627. name := secretName + "_" + tagname
  628. kv := make(map[string]string)
  629. err = json.Unmarshal([]byte(*tagval), &kv)
  630. // if the tagvalue is not in JSON format then we added to secretTagsData we added as it is
  631. if err != nil {
  632. secretTagsData[name] = tagval
  633. } else {
  634. for k, v := range kv {
  635. value := v
  636. secretTagsData[name+"_"+k] = &value
  637. }
  638. }
  639. }
  640. return secretTagsData, nil
  641. }
  642. // Implements store.Client.GetSecretMap Interface.
  643. // New version of GetSecretMap.
  644. func (a *Azure) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
  645. objectType, secretName := getObjType(ref)
  646. switch objectType {
  647. case defaultObjType:
  648. data, err := a.GetSecret(ctx, ref)
  649. if err != nil {
  650. return nil, err
  651. }
  652. if ref.MetadataPolicy == esv1beta1.ExternalSecretMetadataPolicyFetch {
  653. tags, _ := a.getSecretTags(ctx, ref)
  654. return getSecretMapProperties(tags, ref.Key, ref.Property), nil
  655. }
  656. return getSecretMapMap(data)
  657. case objectTypeCert:
  658. return nil, fmt.Errorf(errDataFromCert)
  659. case objectTypeKey:
  660. return nil, fmt.Errorf(errDataFromKey)
  661. }
  662. return nil, fmt.Errorf(errUnknownObjectType, secretName)
  663. }
  664. func getSecretMapMap(data []byte) (map[string][]byte, error) {
  665. kv := make(map[string]json.RawMessage)
  666. err := json.Unmarshal(data, &kv)
  667. if err != nil {
  668. return nil, fmt.Errorf(errUnmarshalJSONData, err)
  669. }
  670. secretData := make(map[string][]byte)
  671. for k, v := range kv {
  672. var strVal string
  673. err = json.Unmarshal(v, &strVal)
  674. if err == nil {
  675. secretData[k] = []byte(strVal)
  676. } else {
  677. secretData[k] = v
  678. }
  679. }
  680. return secretData, nil
  681. }
  682. func getSecretMapProperties(tags map[string]*string, key, property string) map[string][]byte {
  683. tagByteArray := make(map[string][]byte)
  684. if property != "" {
  685. keyPropertyName := key + "_" + property
  686. singleTag, _ := getSecretTag(tags, keyPropertyName)
  687. tagByteArray[keyPropertyName] = singleTag
  688. return tagByteArray
  689. }
  690. for k, v := range tags {
  691. tagByteArray[k] = []byte(*v)
  692. }
  693. return tagByteArray
  694. }
  695. func (a *Azure) authorizerForWorkloadIdentity(ctx context.Context, tokenProvider tokenProviderFunc) (autorest.Authorizer, error) {
  696. aadEndpoint := AadEndpointForType(a.provider.EnvironmentType)
  697. kvResource := kvResourceForProviderConfig(a.provider.EnvironmentType)
  698. // if no serviceAccountRef was provided
  699. // we expect certain env vars to be present.
  700. // They are set by the azure workload identity webhook.
  701. if a.provider.ServiceAccountRef == nil {
  702. clientID := os.Getenv("AZURE_CLIENT_ID")
  703. tenantID := os.Getenv("AZURE_TENANT_ID")
  704. tokenFilePath := os.Getenv("AZURE_FEDERATED_TOKEN_FILE")
  705. if clientID == "" || tenantID == "" || tokenFilePath == "" {
  706. return nil, errors.New(errMissingWorkloadEnvVars)
  707. }
  708. token, err := os.ReadFile(tokenFilePath)
  709. if err != nil {
  710. return nil, fmt.Errorf(errReadTokenFile, tokenFilePath, err)
  711. }
  712. tp, err := tokenProvider(ctx, string(token), clientID, tenantID, aadEndpoint, kvResource)
  713. if err != nil {
  714. return nil, err
  715. }
  716. return autorest.NewBearerAuthorizer(tp), nil
  717. }
  718. ns := a.namespace
  719. if a.store.GetKind() == esv1beta1.ClusterSecretStoreKind && a.provider.ServiceAccountRef.Namespace != nil {
  720. ns = *a.provider.ServiceAccountRef.Namespace
  721. }
  722. var sa corev1.ServiceAccount
  723. err := a.crClient.Get(ctx, types.NamespacedName{
  724. Name: a.provider.ServiceAccountRef.Name,
  725. Namespace: ns,
  726. }, &sa)
  727. if err != nil {
  728. return nil, err
  729. }
  730. clientID, ok := sa.ObjectMeta.Annotations[AnnotationClientID]
  731. if !ok {
  732. return nil, fmt.Errorf(errMissingSAAnnotation, AnnotationClientID)
  733. }
  734. tenantID, ok := sa.ObjectMeta.Annotations[AnnotationTenantID]
  735. if !ok {
  736. return nil, fmt.Errorf(errMissingSAAnnotation, AnnotationTenantID)
  737. }
  738. audiences := []string{AzureDefaultAudience}
  739. if len(a.provider.ServiceAccountRef.Audiences) > 0 {
  740. audiences = append(audiences, a.provider.ServiceAccountRef.Audiences...)
  741. }
  742. token, err := FetchSAToken(ctx, ns, a.provider.ServiceAccountRef.Name, audiences, a.kubeClient)
  743. if err != nil {
  744. return nil, err
  745. }
  746. tp, err := tokenProvider(ctx, token, clientID, tenantID, aadEndpoint, kvResource)
  747. if err != nil {
  748. return nil, err
  749. }
  750. return autorest.NewBearerAuthorizer(tp), nil
  751. }
  752. func FetchSAToken(ctx context.Context, ns, name string, audiences []string, kubeClient kcorev1.CoreV1Interface) (string, error) {
  753. token, err := kubeClient.ServiceAccounts(ns).CreateToken(ctx, name, &authv1.TokenRequest{
  754. Spec: authv1.TokenRequestSpec{
  755. Audiences: audiences,
  756. },
  757. }, metav1.CreateOptions{})
  758. if err != nil {
  759. return "", err
  760. }
  761. return token.Status.Token, nil
  762. }
  763. // tokenProvider satisfies the adal.OAuthTokenProvider interface.
  764. type tokenProvider struct {
  765. accessToken string
  766. }
  767. type tokenProviderFunc func(ctx context.Context, token, clientID, tenantID, aadEndpoint, kvResource string) (adal.OAuthTokenProvider, error)
  768. func NewTokenProvider(ctx context.Context, token, clientID, tenantID, aadEndpoint, kvResource string) (adal.OAuthTokenProvider, error) {
  769. // exchange token with Azure AccessToken
  770. cred := confidential.NewCredFromAssertionCallback(func(ctx context.Context, aro confidential.AssertionRequestOptions) (string, error) {
  771. return token, nil
  772. })
  773. cClient, err := confidential.New(fmt.Sprintf("%s%s/oauth2/token", aadEndpoint, tenantID), clientID, cred)
  774. if err != nil {
  775. return nil, err
  776. }
  777. scope := kvResource
  778. // .default needs to be added to the scope
  779. if !strings.Contains(kvResource, ".default") {
  780. scope = fmt.Sprintf("%s/.default", kvResource)
  781. }
  782. authRes, err := cClient.AcquireTokenByCredential(ctx, []string{
  783. scope,
  784. })
  785. if err != nil {
  786. return nil, err
  787. }
  788. return &tokenProvider{
  789. accessToken: authRes.AccessToken,
  790. }, nil
  791. }
  792. func (t *tokenProvider) OAuthToken() string {
  793. return t.accessToken
  794. }
  795. func (a *Azure) authorizerForManagedIdentity() (autorest.Authorizer, error) {
  796. msiConfig := kvauth.NewMSIConfig()
  797. msiConfig.Resource = kvResourceForProviderConfig(a.provider.EnvironmentType)
  798. if a.provider.IdentityID != nil {
  799. msiConfig.ClientID = *a.provider.IdentityID
  800. }
  801. return msiConfig.Authorizer()
  802. }
  803. func (a *Azure) authorizerForServicePrincipal(ctx context.Context) (autorest.Authorizer, error) {
  804. if a.provider.TenantID == nil {
  805. return nil, fmt.Errorf(errMissingTenant)
  806. }
  807. if a.provider.AuthSecretRef == nil {
  808. return nil, fmt.Errorf(errMissingSecretRef)
  809. }
  810. if a.provider.AuthSecretRef.ClientID == nil || a.provider.AuthSecretRef.ClientSecret == nil {
  811. return nil, fmt.Errorf(errMissingClientIDSecret)
  812. }
  813. clusterScoped := false
  814. if a.store.GetKind() == esv1beta1.ClusterSecretStoreKind {
  815. clusterScoped = true
  816. }
  817. cid, err := a.secretKeyRef(ctx, a.namespace, *a.provider.AuthSecretRef.ClientID, clusterScoped)
  818. if err != nil {
  819. return nil, err
  820. }
  821. csec, err := a.secretKeyRef(ctx, a.namespace, *a.provider.AuthSecretRef.ClientSecret, clusterScoped)
  822. if err != nil {
  823. return nil, err
  824. }
  825. clientCredentialsConfig := kvauth.NewClientCredentialsConfig(cid, csec, *a.provider.TenantID)
  826. clientCredentialsConfig.Resource = kvResourceForProviderConfig(a.provider.EnvironmentType)
  827. clientCredentialsConfig.AADEndpoint = AadEndpointForType(a.provider.EnvironmentType)
  828. return clientCredentialsConfig.Authorizer()
  829. }
  830. // secretKeyRef fetch a secret key.
  831. func (a *Azure) secretKeyRef(ctx context.Context, namespace string, secretRef smmeta.SecretKeySelector, clusterScoped bool) (string, error) {
  832. var secret corev1.Secret
  833. ref := types.NamespacedName{
  834. Name: secretRef.Name,
  835. Namespace: namespace,
  836. }
  837. if clusterScoped && secretRef.Namespace != nil {
  838. ref.Namespace = *secretRef.Namespace
  839. }
  840. err := a.crClient.Get(ctx, ref, &secret)
  841. if err != nil {
  842. return "", fmt.Errorf(errFindSecret, ref.Namespace, ref.Name, err)
  843. }
  844. keyBytes, ok := secret.Data[secretRef.Key]
  845. if !ok {
  846. return "", fmt.Errorf(errFindDataKey, secretRef.Key, secretRef.Name, namespace)
  847. }
  848. value := strings.TrimSpace(string(keyBytes))
  849. return value, nil
  850. }
  851. func (a *Azure) Close(_ context.Context) error {
  852. return nil
  853. }
  854. func (a *Azure) Validate() (esv1beta1.ValidationResult, error) {
  855. if a.store.GetKind() == esv1beta1.ClusterSecretStoreKind && isReferentSpec(a.provider) {
  856. return esv1beta1.ValidationResultUnknown, nil
  857. }
  858. return esv1beta1.ValidationResultReady, nil
  859. }
  860. func isReferentSpec(prov *esv1beta1.AzureKVProvider) bool {
  861. if prov.AuthSecretRef != nil &&
  862. ((prov.AuthSecretRef.ClientID != nil &&
  863. prov.AuthSecretRef.ClientID.Namespace == nil) ||
  864. (prov.AuthSecretRef.ClientSecret != nil &&
  865. prov.AuthSecretRef.ClientSecret.Namespace == nil)) {
  866. return true
  867. }
  868. if prov.ServiceAccountRef != nil &&
  869. prov.ServiceAccountRef.Namespace == nil {
  870. return true
  871. }
  872. return false
  873. }
  874. func AadEndpointForType(t esv1beta1.AzureEnvironmentType) string {
  875. switch t {
  876. case esv1beta1.AzureEnvironmentPublicCloud:
  877. return azure.PublicCloud.ActiveDirectoryEndpoint
  878. case esv1beta1.AzureEnvironmentChinaCloud:
  879. return azure.ChinaCloud.ActiveDirectoryEndpoint
  880. case esv1beta1.AzureEnvironmentUSGovernmentCloud:
  881. return azure.USGovernmentCloud.ActiveDirectoryEndpoint
  882. case esv1beta1.AzureEnvironmentGermanCloud:
  883. return azure.GermanCloud.ActiveDirectoryEndpoint
  884. default:
  885. return azure.PublicCloud.ActiveDirectoryEndpoint
  886. }
  887. }
  888. func ServiceManagementEndpointForType(t esv1beta1.AzureEnvironmentType) string {
  889. switch t {
  890. case esv1beta1.AzureEnvironmentPublicCloud:
  891. return azure.PublicCloud.ServiceManagementEndpoint
  892. case esv1beta1.AzureEnvironmentChinaCloud:
  893. return azure.ChinaCloud.ServiceManagementEndpoint
  894. case esv1beta1.AzureEnvironmentUSGovernmentCloud:
  895. return azure.USGovernmentCloud.ServiceManagementEndpoint
  896. case esv1beta1.AzureEnvironmentGermanCloud:
  897. return azure.GermanCloud.ServiceManagementEndpoint
  898. default:
  899. return azure.PublicCloud.ServiceManagementEndpoint
  900. }
  901. }
  902. func kvResourceForProviderConfig(t esv1beta1.AzureEnvironmentType) string {
  903. var res string
  904. switch t {
  905. case esv1beta1.AzureEnvironmentPublicCloud:
  906. res = azure.PublicCloud.KeyVaultEndpoint
  907. case esv1beta1.AzureEnvironmentChinaCloud:
  908. res = azure.ChinaCloud.KeyVaultEndpoint
  909. case esv1beta1.AzureEnvironmentUSGovernmentCloud:
  910. res = azure.USGovernmentCloud.KeyVaultEndpoint
  911. case esv1beta1.AzureEnvironmentGermanCloud:
  912. res = azure.GermanCloud.KeyVaultEndpoint
  913. default:
  914. res = azure.PublicCloud.KeyVaultEndpoint
  915. }
  916. return strings.TrimSuffix(res, "/")
  917. }
  918. func getObjType(ref esv1beta1.ExternalSecretDataRemoteRef) (string, string) {
  919. objectType := defaultObjType
  920. secretName := ref.Key
  921. nameSplitted := strings.Split(secretName, "/")
  922. if len(nameSplitted) > 1 {
  923. objectType = nameSplitted[0]
  924. secretName = nameSplitted[1]
  925. // TODO: later tokens can be used to read the secret tags
  926. }
  927. return objectType, secretName
  928. }
  929. func isValidSecret(checkTags, checkName bool, ref esv1beta1.ExternalSecretFind, secret keyvault.SecretItem) (bool, string) {
  930. if secret.ID == nil || !*secret.Attributes.Enabled {
  931. return false, ""
  932. }
  933. if checkTags && !okByTags(ref, secret) {
  934. return false, ""
  935. }
  936. secretName := path.Base(*secret.ID)
  937. if checkName && !okByName(ref, secretName) {
  938. return false, ""
  939. }
  940. return true, secretName
  941. }
  942. func okByName(ref esv1beta1.ExternalSecretFind, secretName string) bool {
  943. matches, _ := regexp.MatchString(ref.Name.RegExp, secretName)
  944. return matches
  945. }
  946. func okByTags(ref esv1beta1.ExternalSecretFind, secret keyvault.SecretItem) bool {
  947. tagsFound := true
  948. for k, v := range ref.Tags {
  949. if val, ok := secret.Tags[k]; !ok || *val != v {
  950. tagsFound = false
  951. break
  952. }
  953. }
  954. return tagsFound
  955. }