Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: 96be15a703
Branches Tags
helm-externa...
/
pkg
/
controllers
/
externalsecret
/
externalsecret_controller.go

externalsecret_controller.go 15 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6.     http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. 

  15. package externalsecret
    16. 

  16. 

  17. import (
    18. 

  18. 	"context"
    19. 

  19. 	"fmt"
    20. 

  20. 	"time"
    21. 

  21. 

  22. 	"github.com/go-logr/logr"
    23. 

  23. 	"github.com/prometheus/client_golang/prometheus"
    24. 

  24. 	v1 "k8s.io/api/core/v1"
    25. 

  25. 	"k8s.io/apimachinery/pkg/api/equality"
    26. 

  26. 	apierrors "k8s.io/apimachinery/pkg/api/errors"
    27. 

  27. 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    28. 

  28. 	"k8s.io/apimachinery/pkg/runtime"
    29. 

  29. 	"k8s.io/apimachinery/pkg/types"
    30. 

  30. 	ctrl "sigs.k8s.io/controller-runtime"
    31. 

  31. 	"sigs.k8s.io/controller-runtime/pkg/client"
    32. 

  32. 	"sigs.k8s.io/controller-runtime/pkg/controller"
    33. 

  33. 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
    34. 

  34. 

  35. 	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
    36. 

  36. 	"github.com/external-secrets/external-secrets/pkg/provider"
    37. 

  37. 

  38. 	// Loading registered providers.
    39. 

  39. 	_ "github.com/external-secrets/external-secrets/pkg/provider/register"
    40. 

  40. 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
    41. 

  41. 	"github.com/external-secrets/external-secrets/pkg/utils"
    42. 

  42. )
    43. 

  43. 

  44. const (
    45. 

  45. 	requeueAfter = time.Second * 30
    46. 

  46. 

  47. 	errGetES                 = "could not get ExternalSecret"
    48. 

  48. 	errReconcileES           = "could not reconcile ExternalSecret"
    49. 

  49. 	errPatchStatus           = "unable to patch status"
    50. 

  50. 	errGetSecretStore        = "could not get SecretStore %q, %w"
    51. 

  51. 	errGetClusterSecretStore = "could not get ClusterSecretStore %q, %w"
    52. 

  52. 	errStoreRef              = "could not get store reference"
    53. 

  53. 	errStoreProvider         = "could not get store provider"
    54. 

  54. 	errStoreClient           = "could not get provider client"
    55. 

  55. 	errGetExistingSecret     = "could not get existing secret: %w"
    56. 

  56. 	errCloseStoreClient      = "could not close provider client"
    57. 

  57. 	errSetCtrlReference      = "could not set ExternalSecret controller reference: %w"
    58. 

  58. 	errFetchTplFrom          = "error fetching templateFrom data: %w"
    59. 

  59. 	errGetSecretData         = "could not get secret data from provider: %w"
    60. 

  60. 	errApplyTemplate         = "could not apply template: %w"
    61. 

  61. 	errExecTpl               = "could not execute template: %w"
    62. 

  62. 	errPolicyMergeNotFound   = "the desired secret %s was not found. With creationPolicy=Merge the secret won't be created"
    63. 

  63. 	errPolicyMergeGetSecret  = "unable to get secret %s: %w"
    64. 

  64. 	errPolicyMergeMutate     = "unable to mutate secret %s: %w"
    65. 

  65. 	errPolicyMergePatch      = "unable to patch secret %s: %w"
    66. 

  66. 	errGetSecretKey          = "key %q from ExternalSecret %q: %w"
    67. 

  67. 	errTplCMMissingKey       = "error in configmap %s: missing key %s"
    68. 

  68. 	errTplSecMissingKey      = "error in secret %s: missing key %s"
    69. 

  69. )
    70. 

  70. 

  71. // Reconciler reconciles a ExternalSecret object.
    72. 

  72. type Reconciler struct {
    73. 

  73. 	client.Client
    74. 

  74. 	Log             logr.Logger
    75. 

  75. 	Scheme          *runtime.Scheme
    76. 

  76. 	ControllerClass string
    77. 

  77. 	RequeueInterval time.Duration
    78. 

  78. }
    79. 

  79. 

  80. // Reconcile implements the main reconciliation loop
    81. 

  81. // for watched objects (ExternalSecret, ClusterSecretStore and SecretStore),
    82. 

  82. // and updates/creates a Kubernetes secret based on them.
    83. 

  83. func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
    84. 

  84. 	log := r.Log.WithValues("ExternalSecret", req.NamespacedName)
    85. 

  85. 

  86. 	syncCallsMetricLabels := prometheus.Labels{"name": req.Name, "namespace": req.Namespace}
    87. 

  87. 

  88. 	var externalSecret esv1alpha1.ExternalSecret
    89. 

  89. 

  90. 	err := r.Get(ctx, req.NamespacedName, &externalSecret)
    91. 

  91. 	if apierrors.IsNotFound(err) {
    92. 

  92. 		syncCallsTotal.With(syncCallsMetricLabels).Inc()
    93. 

  93. 		conditionSynced := NewExternalSecretCondition(esv1alpha1.ExternalSecretDeleted, v1.ConditionFalse, esv1alpha1.ConditionReasonSecretDeleted, "Secret was deleted")
    94. 

  94. 		SetExternalSecretCondition(&esv1alpha1.ExternalSecret{
    95. 

  95. 			ObjectMeta: metav1.ObjectMeta{
    96. 

  96. 				Name:      req.Name,
    97. 

  97. 				Namespace: req.Namespace,
    98. 

  98. 			},
    99. 

  99. 		}, *conditionSynced)
    100. 

  100. 		return ctrl.Result{}, nil
    101. 

  101. 	} else if err != nil {
    102. 

  102. 		log.Error(err, errGetES)
    103. 

  103. 		syncCallsError.With(syncCallsMetricLabels).Inc()
    104. 

  104. 		return ctrl.Result{}, nil
    105. 

  105. 	}
    106. 

  106. 

  107. 	// patch status when done processing
    108. 

  108. 	p := client.MergeFrom(externalSecret.DeepCopy())
    109. 

  109. 	defer func() {
    110. 

  110. 		err = r.Status().Patch(ctx, &externalSecret, p)
    111. 

  111. 		if err != nil {
    112. 

  112. 			log.Error(err, errPatchStatus)
    113. 

  113. 		}
    114. 

  114. 	}()
    115. 

  115. 

  116. 	store, err := r.getStore(ctx, &externalSecret)
    117. 

  117. 	if err != nil {
    118. 

  118. 		log.Error(err, errStoreRef)
    119. 

  119. 		conditionSynced := NewExternalSecretCondition(esv1alpha1.ExternalSecretReady, v1.ConditionFalse, esv1alpha1.ConditionReasonSecretSyncedError, err.Error())
    120. 

  120. 		SetExternalSecretCondition(&externalSecret, *conditionSynced)
    121. 

  121. 		syncCallsError.With(syncCallsMetricLabels).Inc()
    122. 

  122. 		return ctrl.Result{RequeueAfter: requeueAfter}, nil
    123. 

  123. 	}
    124. 

  124. 

  125. 	log = log.WithValues("SecretStore", store.GetNamespacedName())
    126. 

  126. 

  127. 	// check if store should be handled by this controller instance
    128. 

  128. 	if !shouldProcessStore(store, r.ControllerClass) {
    129. 

  129. 		log.Info("skipping unmanaged store")
    130. 

  130. 		return ctrl.Result{}, nil
    131. 

  131. 	}
    132. 

  132. 

  133. 	storeProvider, err := schema.GetProvider(store)
    134. 

  134. 	if err != nil {
    135. 

  135. 		log.Error(err, errStoreProvider)
    136. 

  136. 		syncCallsError.With(syncCallsMetricLabels).Inc()
    137. 

  137. 		return ctrl.Result{RequeueAfter: requeueAfter}, nil
    138. 

  138. 	}
    139. 

  139. 

  140. 	secretClient, err := storeProvider.NewClient(ctx, store, r.Client, req.Namespace)
    141. 

  141. 	if err != nil {
    142. 

  142. 		log.Error(err, errStoreClient)
    143. 

  143. 		conditionSynced := NewExternalSecretCondition(esv1alpha1.ExternalSecretReady, v1.ConditionFalse, esv1alpha1.ConditionReasonSecretSyncedError, err.Error())
    144. 

  144. 		SetExternalSecretCondition(&externalSecret, *conditionSynced)
    145. 

  145. 		syncCallsError.With(syncCallsMetricLabels).Inc()
    146. 

  146. 		return ctrl.Result{RequeueAfter: requeueAfter}, nil
    147. 

  147. 	}
    148. 

  148. 

  149. 	defer func() {
    150. 

  150. 		err = secretClient.Close(ctx)
    151. 

  151. 		if err != nil {
    152. 

  152. 			log.Error(err, errCloseStoreClient)
    153. 

  153. 		}
    154. 

  154. 	}()
    155. 

  155. 

  156. 	refreshInt := r.RequeueInterval
    157. 

  157. 	if externalSecret.Spec.RefreshInterval != nil {
    158. 

  158. 		refreshInt = externalSecret.Spec.RefreshInterval.Duration
    159. 

  159. 	}
    160. 

  160. 

  161. 	// Target Secret Name should default to the ExternalSecret name if not explicitly specified
    162. 

  162. 	secretName := externalSecret.Spec.Target.Name
    163. 

  163. 	if secretName == "" {
    164. 

  164. 		secretName = externalSecret.ObjectMeta.Name
    165. 

  165. 	}
    166. 

  166. 

  167. 	// fetch external secret, we need to ensure that it exists, and it's hashmap corresponds
    168. 

  168. 	var existingSecret v1.Secret
    169. 

  169. 	err = r.Get(ctx, types.NamespacedName{
    170. 

  170. 		Name:      secretName,
    171. 

  171. 		Namespace: externalSecret.Namespace,
    172. 

  172. 	}, &existingSecret)
    173. 

  173. 	if err != nil && !apierrors.IsNotFound(err) {
    174. 

  174. 		log.Error(err, errGetExistingSecret)
    175. 

  175. 	}
    176. 

  176. 

  177. 	// refresh should be skipped if
    178. 

  178. 	// 1. resource generation hasn't changed
    179. 

  179. 	// 2. refresh interval is 0
    180. 

  180. 	// 3. if we're still within refresh-interval
    181. 

  181. 	if !shouldRefresh(externalSecret) && isSecretValid(existingSecret) {
    182. 

  182. 		log.V(1).Info("skipping refresh", "rv", getResourceVersion(externalSecret))
    183. 

  183. 		return ctrl.Result{RequeueAfter: refreshInt}, nil
    184. 

  184. 	}
    185. 

  185. 	if !shouldReconcile(externalSecret) {
    186. 

  186. 		log.V(1).Info("stopping reconciling", "rv", getResourceVersion(externalSecret))
    187. 

  187. 		return ctrl.Result{
    188. 

  188. 			RequeueAfter: 0,
    189. 

  189. 			Requeue:      false,
    190. 

  190. 		}, nil
    191. 

  191. 	}
    192. 

  192. 

  193. 	secret := &v1.Secret{
    194. 

  194. 		ObjectMeta: metav1.ObjectMeta{
    195. 

  195. 			Name:      secretName,
    196. 

  196. 			Namespace: externalSecret.Namespace,
    197. 

  197. 		},
    198. 

  198. 		Immutable: &externalSecret.Spec.Target.Immutable,
    199. 

  199. 		Data:      make(map[string][]byte),
    200. 

  200. 	}
    201. 

  201. 

  202. 	mutationFunc := func() error {
    203. 

  203. 		if externalSecret.Spec.Target.CreationPolicy == esv1alpha1.Owner {
    204. 

  204. 			err = controllerutil.SetControllerReference(&externalSecret, &secret.ObjectMeta, r.Scheme)
    205. 

  205. 			if err != nil {
    206. 

  206. 				return fmt.Errorf(errSetCtrlReference, err)
    207. 

  207. 			}
    208. 

  208. 		}
    209. 

  209. 

  210. 		dataMap, err := r.getProviderSecretData(ctx, secretClient, &externalSecret)
    211. 

  211. 		if err != nil {
    212. 

  212. 			return fmt.Errorf(errGetSecretData, err)
    213. 

  213. 		}
    214. 

  214. 

  215. 		err = r.applyTemplate(ctx, &externalSecret, secret, dataMap)
    216. 

  216. 		if err != nil {
    217. 

  217. 			return fmt.Errorf(errApplyTemplate, err)
    218. 

  218. 		}
    219. 

  219. 

  220. 		return nil
    221. 

  221. 	}
    222. 

  222. 

  223. 	// nolint
    224. 

  224. 	switch externalSecret.Spec.Target.CreationPolicy {
    225. 

  225. 	case esv1alpha1.Merge:
    226. 

  226. 		err = patchSecret(ctx, r.Client, r.Scheme, secret, mutationFunc)
    227. 

  227. 	case esv1alpha1.None:
    228. 

  228. 		log.V(1).Info("secret creation skipped due to creationPolicy=None")
    229. 

  229. 		err = nil
    230. 

  230. 	default:
    231. 

  231. 		_, err = ctrl.CreateOrUpdate(ctx, r.Client, secret, mutationFunc)
    232. 

  232. 	}
    233. 

  233. 

  234. 	if err != nil {
    235. 

  235. 		log.Error(err, errReconcileES)
    236. 

  236. 		conditionSynced := NewExternalSecretCondition(esv1alpha1.ExternalSecretReady, v1.ConditionFalse, esv1alpha1.ConditionReasonSecretSyncedError, err.Error())
    237. 

  237. 		SetExternalSecretCondition(&externalSecret, *conditionSynced)
    238. 

  238. 		syncCallsError.With(syncCallsMetricLabels).Inc()
    239. 

  239. 		return ctrl.Result{RequeueAfter: requeueAfter}, nil
    240. 

  240. 	}
    241. 

  241. 

  242. 	conditionSynced := NewExternalSecretCondition(esv1alpha1.ExternalSecretReady, v1.ConditionTrue, esv1alpha1.ConditionReasonSecretSynced, "Secret was synced")
    243. 

  243. 	currCond := GetExternalSecretCondition(externalSecret.Status, esv1alpha1.ExternalSecretReady)
    244. 

  244. 	SetExternalSecretCondition(&externalSecret, *conditionSynced)
    245. 

  245. 	externalSecret.Status.RefreshTime = metav1.NewTime(time.Now())
    246. 

  246. 	externalSecret.Status.SyncedResourceVersion = getResourceVersion(externalSecret)
    247. 

  247. 	syncCallsTotal.With(syncCallsMetricLabels).Inc()
    248. 

  248. 	if currCond == nil || currCond.Status != conditionSynced.Status {
    249. 

  249. 		log.Info("reconciled secret") // Log once if on success in any verbosity
    250. 

  250. 	} else {
    251. 

  251. 		log.V(1).Info("reconciled secret") // Log all reconciliation cycles if higher verbosity applied
    252. 

  252. 	}
    253. 

  253. 

  254. 	return ctrl.Result{
    255. 

  255. 		RequeueAfter: refreshInt,
    256. 

  256. 	}, nil
    257. 

  257. }
    258. 

  258. 

  259. func patchSecret(ctx context.Context, c client.Client, scheme *runtime.Scheme, secret *v1.Secret, mutationFunc func() error) error {
    260. 

  260. 	err := c.Get(ctx, client.ObjectKeyFromObject(secret), secret.DeepCopy())
    261. 

  261. 	if apierrors.IsNotFound(err) {
    262. 

  262. 		return fmt.Errorf(errPolicyMergeNotFound, secret.Name)
    263. 

  263. 	}
    264. 

  264. 	if err != nil {
    265. 

  265. 		return fmt.Errorf(errPolicyMergeGetSecret, secret.Name, err)
    266. 

  266. 	}
    267. 

  267. 	existing := secret.DeepCopyObject()
    268. 

  268. 

  269. 	err = mutationFunc()
    270. 

  270. 	if err != nil {
    271. 

  271. 		return fmt.Errorf(errPolicyMergeMutate, secret.Name, err)
    272. 

  272. 	}
    273. 

  273. 

  274. 	// GVK is missing in the Secret, see:
    275. 

  275. 	// https://github.com/kubernetes-sigs/controller-runtime/issues/526
    276. 

  276. 	// https://github.com/kubernetes-sigs/controller-runtime/issues/1517
    277. 

  277. 	// https://github.com/kubernetes/kubernetes/issues/80609
    278. 

  278. 	// we need to manually set it before doing a Patch() as it depends on the GVK
    279. 

  279. 	gvks, unversioned, err := scheme.ObjectKinds(secret)
    280. 

  280. 	if err != nil {
    281. 

  281. 		return err
    282. 

  282. 	}
    283. 

  283. 	if !unversioned && len(gvks) == 1 {
    284. 

  284. 		secret.SetGroupVersionKind(gvks[0])
    285. 

  285. 	}
    286. 

  286. 

  287. 	if equality.Semantic.DeepEqual(existing, secret) {
    288. 

  288. 		return nil
    289. 

  289. 	}
    290. 

  290. 

  291. 	// we're not able to resolve conflicts so we force ownership
    292. 

  292. 	// see: https://kubernetes.io/docs/reference/using-api/server-side-apply/#using-server-side-apply-in-a-controller
    293. 

  293. 	err = c.Patch(ctx, secret, client.Apply, client.FieldOwner("external-secrets"), client.ForceOwnership)
    294. 

  294. 	if err != nil {
    295. 

  295. 		return fmt.Errorf(errPolicyMergePatch, secret.Name, err)
    296. 

  296. 	}
    297. 

  297. 	return nil
    298. 

  298. }
    299. 

  299. 

  300. // shouldProcessStore returns true if the store should be processed.
    301. 

  301. func shouldProcessStore(store esv1alpha1.GenericStore, class string) bool {
    302. 

  302. 	if store.GetSpec().Controller == "" || store.GetSpec().Controller == class {
    303. 

  303. 		return true
    304. 

  304. 	}
    305. 

  305. 	return false
    306. 

  306. }
    307. 

  307. 

  308. func getResourceVersion(es esv1alpha1.ExternalSecret) string {
    309. 

  309. 	return fmt.Sprintf("%d-%s", es.ObjectMeta.GetGeneration(), hashMeta(es.ObjectMeta))
    310. 

  310. }
    311. 

  311. 

  312. func hashMeta(m metav1.ObjectMeta) string {
    313. 

  313. 	type meta struct {
    314. 

  314. 		annotations map[string]string
    315. 

  315. 		labels      map[string]string
    316. 

  316. 	}
    317. 

  317. 	return utils.ObjectHash(meta{
    318. 

  318. 		annotations: m.Annotations,
    319. 

  319. 		labels:      m.Labels,
    320. 

  320. 	})
    321. 

  321. }
    322. 

  322. 

  323. func shouldRefresh(es esv1alpha1.ExternalSecret) bool {
    324. 

  324. 	// refresh if resource version changed
    325. 

  325. 	if es.Status.SyncedResourceVersion != getResourceVersion(es) {
    326. 

  326. 		return true
    327. 

  327. 	}
    328. 

  328. 

  329. 	// skip refresh if refresh interval is 0
    330. 

  330. 	if es.Spec.RefreshInterval.Duration == 0 && es.Status.SyncedResourceVersion != "" {
    331. 

  331. 		return false
    332. 

  332. 	}
    333. 

  333. 	if es.Status.RefreshTime.IsZero() {
    334. 

  334. 		return true
    335. 

  335. 	}
    336. 

  336. 	return !es.Status.RefreshTime.Add(es.Spec.RefreshInterval.Duration).After(time.Now())
    337. 

  337. }
    338. 

  338. 

  339. func shouldReconcile(es esv1alpha1.ExternalSecret) bool {
    340. 

  340. 	if es.Spec.Target.Immutable && hasSyncedCondition(es) {
    341. 

  341. 		return false
    342. 

  342. 	}
    343. 

  343. 	return true
    344. 

  344. }
    345. 

  345. 

  346. func hasSyncedCondition(es esv1alpha1.ExternalSecret) bool {
    347. 

  347. 	for _, condition := range es.Status.Conditions {
    348. 

  348. 		if condition.Reason == "SecretSynced" {
    349. 

  349. 			return true
    350. 

  350. 		}
    351. 

  351. 	}
    352. 

  352. 	return false
    353. 

  353. }
    354. 

  354. 

  355. // isSecretValid checks if the secret exists, and it's data is consistent with the calculated hash.
    356. 

  356. func isSecretValid(existingSecret v1.Secret) bool {
    357. 

  357. 	// if target secret doesn't exist, or annotations as not set, we need to refresh
    358. 

  358. 	if existingSecret.UID == "" || existingSecret.Annotations == nil {
    359. 

  359. 		return false
    360. 

  360. 	}
    361. 

  361. 

  362. 	// if the calculated hash is different from the calculation, then it's invalid
    363. 

  363. 	if existingSecret.Annotations[esv1alpha1.AnnotationDataHash] != utils.ObjectHash(existingSecret.Data) {
    364. 

  364. 		return false
    365. 

  365. 	}
    366. 

  366. 	return true
    367. 

  367. }
    368. 

  368. 

  369. // getStore returns the store with the provided ExternalSecret.
    370. 

  370. func (r *Reconciler) getStore(ctx context.Context, externalSecret *esv1alpha1.ExternalSecret) (esv1alpha1.GenericStore, error) {
    371. 

  371. 	ref := types.NamespacedName{
    372. 

  372. 		Name: externalSecret.Spec.SecretStoreRef.Name,
    373. 

  373. 	}
    374. 

  374. 

  375. 	if externalSecret.Spec.SecretStoreRef.Kind == esv1alpha1.ClusterSecretStoreKind {
    376. 

  376. 		var store esv1alpha1.ClusterSecretStore
    377. 

  377. 		err := r.Get(ctx, ref, &store)
    378. 

  378. 		if err != nil {
    379. 

  379. 			return nil, fmt.Errorf(errGetClusterSecretStore, ref.Name, err)
    380. 

  380. 		}
    381. 

  381. 

  382. 		return &store, nil
    383. 

  383. 	}
    384. 

  384. 

  385. 	ref.Namespace = externalSecret.Namespace
    386. 

  386. 

  387. 	var store esv1alpha1.SecretStore
    388. 

  388. 	err := r.Get(ctx, ref, &store)
    389. 

  389. 	if err != nil {
    390. 

  390. 		return nil, fmt.Errorf(errGetSecretStore, ref.Name, err)
    391. 

  391. 	}
    392. 

  392. 	return &store, nil
    393. 

  393. }
    394. 

  394. 

  395. // getProviderSecretData returns the provider's secret data with the provided ExternalSecret.
    396. 

  396. func (r *Reconciler) getProviderSecretData(ctx context.Context, providerClient provider.SecretsClient, externalSecret *esv1alpha1.ExternalSecret) (map[string][]byte, error) {
    397. 

  397. 	providerData := make(map[string][]byte)
    398. 

  398. 

  399. 	for _, remoteRef := range externalSecret.Spec.DataFrom {
    400. 

  400. 		secretMap, err := providerClient.GetSecretMap(ctx, remoteRef)
    401. 

  401. 		if err != nil {
    402. 

  402. 			return nil, fmt.Errorf(errGetSecretKey, remoteRef.Key, externalSecret.Name, err)
    403. 

  403. 		}
    404. 

  404. 

  405. 		providerData = utils.MergeByteMap(providerData, secretMap)
    406. 

  406. 	}
    407. 

  407. 

  408. 	for _, secretRef := range externalSecret.Spec.Data {
    409. 

  409. 		secretData, err := providerClient.GetSecret(ctx, secretRef.RemoteRef)
    410. 

  410. 		if err != nil {
    411. 

  411. 			return nil, fmt.Errorf(errGetSecretKey, secretRef.RemoteRef.Key, externalSecret.Name, err)
    412. 

  412. 		}
    413. 

  413. 

  414. 		providerData[secretRef.SecretKey] = secretData
    415. 

  415. 	}
    416. 

  416. 

  417. 	return providerData, nil
    418. 

  418. }
    419. 

  419. 

  420. // SetupWithManager returns a new controller builder that will be started by the provided Manager.
    421. 

  421. func (r *Reconciler) SetupWithManager(mgr ctrl.Manager, opts controller.Options) error {
    422. 

  422. 	return ctrl.NewControllerManagedBy(mgr).
    423. 

  423. 		WithOptions(opts).
    424. 

  424. 		For(&esv1alpha1.ExternalSecret{}).
    425. 

  425. 		Owns(&v1.Secret{}).
    426. 

  426. 		Complete(r)
    427. 

  427. }
    428.