client.go 17 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560
  1. /*
  2. Licensed under the Apache License, Version 2.0 (the "License");
  3. you may not use this file except in compliance with the License.
  4. You may obtain a copy of the License at
  5. http://www.apache.org/licenses/LICENSE-2.0
  6. Unless required by applicable law or agreed to in writing, software
  7. distributed under the License is distributed on an "AS IS" BASIS,
  8. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  9. See the License for the specific language governing permissions and
  10. limitations under the License.
  11. */
  12. package secretmanager
  13. import (
  14. "context"
  15. "encoding/json"
  16. "errors"
  17. "fmt"
  18. "strconv"
  19. "strings"
  20. secretmanager "cloud.google.com/go/secretmanager/apiv1"
  21. "cloud.google.com/go/secretmanager/apiv1/secretmanagerpb"
  22. "github.com/googleapis/gax-go/v2"
  23. "github.com/googleapis/gax-go/v2/apierror"
  24. "github.com/tidwall/gjson"
  25. "google.golang.org/api/iterator"
  26. "google.golang.org/genproto/protobuf/field_mask"
  27. "google.golang.org/grpc/codes"
  28. "google.golang.org/grpc/status"
  29. corev1 "k8s.io/api/core/v1"
  30. ctrl "sigs.k8s.io/controller-runtime"
  31. kclient "sigs.k8s.io/controller-runtime/pkg/client"
  32. esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
  33. "github.com/external-secrets/external-secrets/pkg/constants"
  34. "github.com/external-secrets/external-secrets/pkg/find"
  35. "github.com/external-secrets/external-secrets/pkg/metrics"
  36. "github.com/external-secrets/external-secrets/pkg/provider/util/locks"
  37. "github.com/external-secrets/external-secrets/pkg/utils"
  38. )
  39. const (
  40. CloudPlatformRole = "https://www.googleapis.com/auth/cloud-platform"
  41. defaultVersion = "latest"
  42. errGCPSMStore = "received invalid GCPSM SecretStore resource"
  43. errUnableGetCredentials = "unable to get credentials: %w"
  44. errClientClose = "unable to close SecretManager client: %w"
  45. errMissingStoreSpec = "invalid: missing store spec"
  46. errFetchSAKSecret = "could not fetch SecretAccessKey secret: %w"
  47. errMissingSAK = "missing SecretAccessKey"
  48. errUnableProcessJSONCredentials = "failed to process the provided JSON credentials: %w"
  49. errUnableCreateGCPSMClient = "failed to create GCP secretmanager client: %w"
  50. errUninitalizedGCPProvider = "provider GCP is not initialized"
  51. errClientGetSecretAccess = "unable to access Secret from SecretManager Client: %w"
  52. errJSONSecretUnmarshal = "unable to unmarshal secret: %w"
  53. errInvalidStore = "invalid store"
  54. errInvalidStoreSpec = "invalid store spec"
  55. errInvalidStoreProv = "invalid store provider"
  56. errInvalidGCPProv = "invalid gcp secrets manager provider"
  57. errInvalidAuthSecretRef = "invalid auth secret data: %w"
  58. errInvalidWISARef = "invalid workload identity service account reference: %w"
  59. errUnexpectedFindOperator = "unexpected find operator"
  60. managedByKey = "managed-by"
  61. managedByValue = "external-secrets"
  62. providerName = "GCPSecretManager"
  63. )
  64. type Client struct {
  65. smClient GoogleSecretManagerClient
  66. kube kclient.Client
  67. store *esv1beta1.GCPSMProvider
  68. storeKind string
  69. // namespace of the external secret
  70. namespace string
  71. workloadIdentity *workloadIdentity
  72. }
  73. type GoogleSecretManagerClient interface {
  74. DeleteSecret(ctx context.Context, req *secretmanagerpb.DeleteSecretRequest, opts ...gax.CallOption) error
  75. AccessSecretVersion(ctx context.Context, req *secretmanagerpb.AccessSecretVersionRequest, opts ...gax.CallOption) (*secretmanagerpb.AccessSecretVersionResponse, error)
  76. ListSecrets(ctx context.Context, req *secretmanagerpb.ListSecretsRequest, opts ...gax.CallOption) *secretmanager.SecretIterator
  77. AddSecretVersion(ctx context.Context, req *secretmanagerpb.AddSecretVersionRequest, opts ...gax.CallOption) (*secretmanagerpb.SecretVersion, error)
  78. CreateSecret(ctx context.Context, req *secretmanagerpb.CreateSecretRequest, opts ...gax.CallOption) (*secretmanagerpb.Secret, error)
  79. Close() error
  80. GetSecret(ctx context.Context, req *secretmanagerpb.GetSecretRequest, opts ...gax.CallOption) (*secretmanagerpb.Secret, error)
  81. UpdateSecret(context.Context, *secretmanagerpb.UpdateSecretRequest, ...gax.CallOption) (*secretmanagerpb.Secret, error)
  82. }
  83. var log = ctrl.Log.WithName("provider").WithName("gcp").WithName("secretsmanager")
  84. func (c *Client) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushSecretRemoteRef) error {
  85. gcpSecret, err := c.smClient.GetSecret(ctx, &secretmanagerpb.GetSecretRequest{
  86. Name: fmt.Sprintf("projects/%s/secrets/%s", c.store.ProjectID, remoteRef.GetRemoteKey()),
  87. })
  88. metrics.ObserveAPICall(constants.ProviderGCPSM, constants.CallGCPSMGetSecret, err)
  89. if err != nil {
  90. if status.Code(err) == codes.NotFound {
  91. return nil
  92. }
  93. return err
  94. }
  95. if manager, ok := gcpSecret.Labels[managedByKey]; !ok || manager != managedByValue {
  96. return nil
  97. }
  98. deleteSecretVersionReq := &secretmanagerpb.DeleteSecretRequest{
  99. Name: fmt.Sprintf("projects/%s/secrets/%s", c.store.ProjectID, remoteRef.GetRemoteKey()),
  100. Etag: gcpSecret.Etag,
  101. }
  102. err = c.smClient.DeleteSecret(ctx, deleteSecretVersionReq)
  103. metrics.ObserveAPICall(constants.ProviderGCPSM, constants.CallGCPSMDeleteSecret, err)
  104. return err
  105. }
  106. func parseError(err error) error {
  107. var gerr *apierror.APIError
  108. if errors.As(err, &gerr) && gerr.GRPCStatus().Code() == codes.NotFound {
  109. return esv1beta1.NoSecretError{}
  110. }
  111. return err
  112. }
  113. // PushSecret pushes a kubernetes secret key into gcp provider Secret.
  114. func (c *Client) PushSecret(ctx context.Context, secret *corev1.Secret, pushSecretData esv1beta1.PushSecretData) error {
  115. if pushSecretData.GetSecretKey() == "" {
  116. return fmt.Errorf("pushing the whole secret is not yet implemented")
  117. }
  118. payload := secret.Data[pushSecretData.GetSecretKey()]
  119. secretName := fmt.Sprintf("projects/%s/secrets/%s", c.store.ProjectID, pushSecretData.GetRemoteKey())
  120. gcpSecret, err := c.smClient.GetSecret(ctx, &secretmanagerpb.GetSecretRequest{
  121. Name: secretName,
  122. })
  123. metrics.ObserveAPICall(constants.ProviderGCPSM, constants.CallGCPSMGetSecret, err)
  124. if err != nil {
  125. if status.Code(err) != codes.NotFound {
  126. return err
  127. }
  128. gcpSecret, err = c.smClient.CreateSecret(ctx, &secretmanagerpb.CreateSecretRequest{
  129. Parent: fmt.Sprintf("projects/%s", c.store.ProjectID),
  130. SecretId: pushSecretData.GetRemoteKey(),
  131. Secret: &secretmanagerpb.Secret{
  132. Labels: map[string]string{
  133. managedByKey: managedByValue,
  134. },
  135. Replication: &secretmanagerpb.Replication{
  136. Replication: &secretmanagerpb.Replication_Automatic_{
  137. Automatic: &secretmanagerpb.Replication_Automatic{},
  138. },
  139. },
  140. },
  141. })
  142. metrics.ObserveAPICall(constants.ProviderGCPSM, constants.CallGCPSMCreateSecret, err)
  143. if err != nil {
  144. return err
  145. }
  146. }
  147. builder, err := newPushSecretBuilder(payload, pushSecretData)
  148. if err != nil {
  149. return err
  150. }
  151. annotations, labels, err := builder.buildMetadata(gcpSecret.Annotations, gcpSecret.Labels)
  152. if err != nil {
  153. return err
  154. }
  155. if !mapEqual(gcpSecret.Annotations, annotations) || !mapEqual(gcpSecret.Labels, labels) {
  156. _, err = c.smClient.UpdateSecret(ctx, &secretmanagerpb.UpdateSecretRequest{
  157. Secret: &secretmanagerpb.Secret{
  158. Name: gcpSecret.Name,
  159. Etag: gcpSecret.Etag,
  160. Labels: labels,
  161. Annotations: annotations,
  162. },
  163. UpdateMask: &field_mask.FieldMask{
  164. Paths: []string{"labels", "annotations"},
  165. },
  166. })
  167. metrics.ObserveAPICall(constants.ProviderGCPSM, constants.CallGCPSMUpdateSecret, err)
  168. if err != nil {
  169. return err
  170. }
  171. }
  172. unlock, err := locks.TryLock(providerName, secretName)
  173. if err != nil {
  174. return err
  175. }
  176. defer unlock()
  177. gcpVersion, err := c.smClient.AccessSecretVersion(ctx, &secretmanagerpb.AccessSecretVersionRequest{
  178. Name: fmt.Sprintf("%s/versions/latest", secretName),
  179. })
  180. metrics.ObserveAPICall(constants.ProviderGCPSM, constants.CallGCPSMAccessSecretVersion, err)
  181. if err != nil && status.Code(err) != codes.NotFound {
  182. return err
  183. }
  184. if gcpVersion != nil && gcpVersion.Payload != nil && !builder.needUpdate(gcpVersion.Payload.Data) {
  185. return nil
  186. }
  187. var original []byte
  188. if gcpVersion != nil && gcpVersion.Payload != nil {
  189. original = gcpVersion.Payload.Data
  190. }
  191. data, err := builder.buildData(original)
  192. if err != nil {
  193. return err
  194. }
  195. addSecretVersionReq := &secretmanagerpb.AddSecretVersionRequest{
  196. Parent: fmt.Sprintf("projects/%s/secrets/%s", c.store.ProjectID, pushSecretData.GetRemoteKey()),
  197. Payload: &secretmanagerpb.SecretPayload{
  198. Data: data,
  199. },
  200. }
  201. _, err = c.smClient.AddSecretVersion(ctx, addSecretVersionReq)
  202. metrics.ObserveAPICall(constants.ProviderGCPSM, constants.CallGCPSMAddSecretVersion, err)
  203. return err
  204. }
  205. // GetAllSecrets syncs multiple secrets from gcp provider into a single Kubernetes Secret.
  206. func (c *Client) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
  207. if ref.Name != nil {
  208. return c.findByName(ctx, ref)
  209. }
  210. if len(ref.Tags) > 0 {
  211. return c.findByTags(ctx, ref)
  212. }
  213. return nil, errors.New(errUnexpectedFindOperator)
  214. }
  215. func (c *Client) findByName(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
  216. // regex matcher
  217. matcher, err := find.New(*ref.Name)
  218. if err != nil {
  219. return nil, err
  220. }
  221. req := &secretmanagerpb.ListSecretsRequest{
  222. Parent: fmt.Sprintf("projects/%s", c.store.ProjectID),
  223. }
  224. if ref.Path != nil {
  225. req.Filter = fmt.Sprintf("name:%s", *ref.Path)
  226. }
  227. // Call the API.
  228. it := c.smClient.ListSecrets(ctx, req)
  229. secretMap := make(map[string][]byte)
  230. var resp *secretmanagerpb.Secret
  231. defer metrics.ObserveAPICall(constants.ProviderGCPSM, constants.CallGCPSMListSecrets, err)
  232. for {
  233. resp, err = it.Next()
  234. if errors.Is(err, iterator.Done) {
  235. break
  236. }
  237. if err != nil {
  238. return nil, fmt.Errorf("failed to list secrets: %w", err)
  239. }
  240. log.V(1).Info("gcp sm findByName found", "secrets", strconv.Itoa(it.PageInfo().Remaining()))
  241. key := c.trimName(resp.Name)
  242. // If we don't match we skip.
  243. // Also, if we have path, and it is not at the beguining we skip.
  244. // We have to check if path is at the beguining of the key because
  245. // there is no way to create a `name:%s*` (starts with) filter
  246. // At https://cloud.google.com/secret-manager/docs/filtering you can use `*`
  247. // but not like that it seems.
  248. if !matcher.MatchName(key) || (ref.Path != nil && !strings.HasPrefix(key, *ref.Path)) {
  249. continue
  250. }
  251. log.V(1).Info("gcp sm findByName matches", "name", resp.Name)
  252. secretMap[key], err = c.getData(ctx, key)
  253. if err != nil {
  254. return nil, err
  255. }
  256. }
  257. return utils.ConvertKeys(ref.ConversionStrategy, secretMap)
  258. }
  259. func (c *Client) getData(ctx context.Context, key string) ([]byte, error) {
  260. dataRef := esv1beta1.ExternalSecretDataRemoteRef{
  261. Key: key,
  262. }
  263. data, err := c.GetSecret(ctx, dataRef)
  264. if err != nil {
  265. return []byte(""), err
  266. }
  267. return data, nil
  268. }
  269. func (c *Client) findByTags(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
  270. var tagFilter string
  271. for k, v := range ref.Tags {
  272. tagFilter = fmt.Sprintf("%slabels.%s=%s ", tagFilter, k, v)
  273. }
  274. tagFilter = strings.TrimSuffix(tagFilter, " ")
  275. if ref.Path != nil {
  276. tagFilter = fmt.Sprintf("%s name:%s", tagFilter, *ref.Path)
  277. }
  278. req := &secretmanagerpb.ListSecretsRequest{
  279. Parent: fmt.Sprintf("projects/%s", c.store.ProjectID),
  280. }
  281. log.V(1).Info("gcp sm findByTags", "tagFilter", tagFilter)
  282. req.Filter = tagFilter
  283. // Call the API.
  284. it := c.smClient.ListSecrets(ctx, req)
  285. var resp *secretmanagerpb.Secret
  286. var err error
  287. defer metrics.ObserveAPICall(constants.ProviderGCPSM, constants.CallGCPSMListSecrets, err)
  288. secretMap := make(map[string][]byte)
  289. for {
  290. resp, err = it.Next()
  291. if errors.Is(err, iterator.Done) {
  292. break
  293. }
  294. if err != nil {
  295. return nil, fmt.Errorf("failed to list secrets: %w", err)
  296. }
  297. key := c.trimName(resp.Name)
  298. if ref.Path != nil && !strings.HasPrefix(key, *ref.Path) {
  299. continue
  300. }
  301. log.V(1).Info("gcp sm findByTags matches tags", "name", resp.Name)
  302. secretMap[key], err = c.getData(ctx, key)
  303. if err != nil {
  304. return nil, err
  305. }
  306. }
  307. return utils.ConvertKeys(ref.ConversionStrategy, secretMap)
  308. }
  309. func (c *Client) trimName(name string) string {
  310. projectIDNumuber := c.extractProjectIDNumber(name)
  311. key := strings.TrimPrefix(name, fmt.Sprintf("projects/%s/secrets/", projectIDNumuber))
  312. return key
  313. }
  314. // extractProjectIDNumber grabs the project id from the full name returned by gcp api
  315. // gcp api seems to always return the number and not the project name
  316. // (and users would always use the name, while requests accept both).
  317. func (c *Client) extractProjectIDNumber(secretFullName string) string {
  318. s := strings.Split(secretFullName, "/")
  319. ProjectIDNumuber := s[1]
  320. return ProjectIDNumuber
  321. }
  322. // GetSecret returns a single secret from the provider.
  323. func (c *Client) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
  324. if utils.IsNil(c.smClient) || c.store.ProjectID == "" {
  325. return nil, fmt.Errorf(errUninitalizedGCPProvider)
  326. }
  327. if ref.MetadataPolicy == esv1beta1.ExternalSecretMetadataPolicyFetch {
  328. return c.getSecretMetadata(ctx, ref)
  329. }
  330. version := ref.Version
  331. if version == "" {
  332. version = defaultVersion
  333. }
  334. req := &secretmanagerpb.AccessSecretVersionRequest{
  335. Name: fmt.Sprintf("projects/%s/secrets/%s/versions/%s", c.store.ProjectID, ref.Key, version),
  336. }
  337. result, err := c.smClient.AccessSecretVersion(ctx, req)
  338. metrics.ObserveAPICall(constants.ProviderGCPSM, constants.CallGCPSMAccessSecretVersion, err)
  339. err = parseError(err)
  340. if err != nil {
  341. return nil, fmt.Errorf(errClientGetSecretAccess, err)
  342. }
  343. if ref.Property == "" {
  344. if result.Payload.Data != nil {
  345. return result.Payload.Data, nil
  346. }
  347. return nil, fmt.Errorf("invalid secret received. no secret string for key: %s", ref.Key)
  348. }
  349. val := getDataByProperty(result.Payload.Data, ref.Property)
  350. if !val.Exists() {
  351. return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Property, ref.Key)
  352. }
  353. return []byte(val.String()), nil
  354. }
  355. func (c *Client) getSecretMetadata(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
  356. secret, err := c.smClient.GetSecret(ctx, &secretmanagerpb.GetSecretRequest{
  357. Name: fmt.Sprintf("projects/%s/secrets/%s", c.store.ProjectID, ref.Key),
  358. })
  359. err = parseError(err)
  360. if err != nil {
  361. return nil, fmt.Errorf(errClientGetSecretAccess, err)
  362. }
  363. const (
  364. annotations = "annotations"
  365. labels = "labels"
  366. )
  367. extractMetadataKey := func(s string, p string) string {
  368. prefix := p + "."
  369. if !strings.HasPrefix(s, prefix) {
  370. return ""
  371. }
  372. return strings.TrimPrefix(s, prefix)
  373. }
  374. if annotation := extractMetadataKey(ref.Property, annotations); annotation != "" {
  375. v, ok := secret.GetAnnotations()[annotation]
  376. if !ok {
  377. return nil, fmt.Errorf("annotation with key %s does not exist in secret %s", annotation, ref.Key)
  378. }
  379. return []byte(v), nil
  380. }
  381. if label := extractMetadataKey(ref.Property, labels); label != "" {
  382. v, ok := secret.GetLabels()[label]
  383. if !ok {
  384. return nil, fmt.Errorf("label with key %s does not exist in secret %s", label, ref.Key)
  385. }
  386. return []byte(v), nil
  387. }
  388. if ref.Property == annotations {
  389. j, err := json.Marshal(secret.GetAnnotations())
  390. if err != nil {
  391. return nil, fmt.Errorf("faild marshaling annotations into json: %w", err)
  392. }
  393. return j, nil
  394. }
  395. if ref.Property == labels {
  396. j, err := json.Marshal(secret.GetLabels())
  397. if err != nil {
  398. return nil, fmt.Errorf("faild marshaling labels into json: %w", err)
  399. }
  400. return j, nil
  401. }
  402. if ref.Property != "" {
  403. return nil, fmt.Errorf("invalid property %s: metadata property should start with either %s or %s", ref.Property, annotations, labels)
  404. }
  405. j, err := json.Marshal(map[string]map[string]string{
  406. "annotations": secret.GetAnnotations(),
  407. "labels": secret.GetLabels(),
  408. })
  409. if err != nil {
  410. return nil, fmt.Errorf("faild marshaling metadata map into json: %w", err)
  411. }
  412. return j, nil
  413. }
  414. // GetSecretMap returns multiple k/v pairs from the provider.
  415. func (c *Client) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
  416. if c.smClient == nil || c.store.ProjectID == "" {
  417. return nil, fmt.Errorf(errUninitalizedGCPProvider)
  418. }
  419. data, err := c.GetSecret(ctx, ref)
  420. if err != nil {
  421. return nil, err
  422. }
  423. kv := make(map[string]json.RawMessage)
  424. err = json.Unmarshal(data, &kv)
  425. if err != nil {
  426. return nil, fmt.Errorf(errJSONSecretUnmarshal, err)
  427. }
  428. secretData := make(map[string][]byte)
  429. for k, v := range kv {
  430. var strVal string
  431. err = json.Unmarshal(v, &strVal)
  432. if err == nil {
  433. secretData[k] = []byte(strVal)
  434. } else {
  435. secretData[k] = v
  436. }
  437. }
  438. return secretData, nil
  439. }
  440. func (c *Client) Close(_ context.Context) error {
  441. var err error
  442. if c.smClient != nil {
  443. err = c.smClient.Close()
  444. }
  445. if c.workloadIdentity != nil {
  446. err = c.workloadIdentity.Close()
  447. }
  448. useMu.Unlock()
  449. if err != nil {
  450. return fmt.Errorf(errClientClose, err)
  451. }
  452. return nil
  453. }
  454. func (c *Client) Validate() (esv1beta1.ValidationResult, error) {
  455. if c.storeKind == esv1beta1.ClusterSecretStoreKind && isReferentSpec(c.store) {
  456. return esv1beta1.ValidationResultUnknown, nil
  457. }
  458. return esv1beta1.ValidationResultReady, nil
  459. }
  460. func getDataByProperty(data []byte, property string) gjson.Result {
  461. var payload string
  462. if data != nil {
  463. payload = string(data)
  464. }
  465. idx := strings.Index(property, ".")
  466. refProperty := property
  467. if idx > 0 {
  468. refProperty = strings.ReplaceAll(refProperty, ".", "\\.")
  469. val := gjson.Get(payload, refProperty)
  470. if val.Exists() {
  471. return val
  472. }
  473. }
  474. return gjson.Get(payload, property)
  475. }
  476. func mapEqual(m1, m2 map[string]string) bool {
  477. if len(m1) != len(m2) {
  478. return false
  479. }
  480. for k1, v1 := range m1 {
  481. if v2, ok := m2[k1]; !ok || v1 != v2 {
  482. return false
  483. }
  484. }
  485. return true
  486. }