Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: a012f4829c
Branches Tags
helm-externa...
/
pkg
/
provider
/
chef
/
chef.go

chef.go 12 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6. 	http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. package chef
    15. 

  15. 

  16. import (
    17. 

  17. 	"context"
    18. 

  18. 	"encoding/json"
    19. 

  19. 	"fmt"
    20. 

  20. 	"net/url"
    21. 

  21. 	"strings"
    22. 

  22. 	"time"
    23. 

  23. 

  24. 	"github.com/go-chef/chef"
    25. 

  25. 	"github.com/go-logr/logr"
    26. 

  26. 	"github.com/tidwall/gjson"
    27. 

  27. 	corev1 "k8s.io/api/core/v1"
    28. 

  28. 	"k8s.io/apimachinery/pkg/types"
    29. 

  29. 	ctrl "sigs.k8s.io/controller-runtime"
    30. 

  30. 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
    31. 

  31. 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
    32. 

  32. 

  33. 	"github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
    34. 

  34. 	"github.com/external-secrets/external-secrets/pkg/metrics"
    35. 

  35. 	"github.com/external-secrets/external-secrets/pkg/utils"
    36. 

  36. )
    37. 

  37. 

  38. const (
    39. 

  39. 	errChefStore                             = "received invalid Chef SecretStore resource: %w"
    40. 

  40. 	errMissingStore                          = "missing store"
    41. 

  41. 	errMissingStoreSpec                      = "missing store spec"
    42. 

  42. 	errMissingProvider                       = "missing provider"
    43. 

  43. 	errMissingChefProvider                   = "missing chef provider"
    44. 

  44. 	errMissingUserName                       = "missing username"
    45. 

  45. 	errMissingServerURL                      = "missing serverurl"
    46. 

  46. 	errMissingAuth                           = "cannot initialize Chef Client: no valid authType was specified"
    47. 

  47. 	errMissingSecretKey                      = "missing Secret Key"
    48. 

  48. 	errInvalidClusterStoreMissingPKNamespace = "invalid ClusterSecretStore: missing privateKeySecretRef.Namespace"
    49. 

  49. 	errFetchK8sSecret                        = "could not fetch SecretKey Secret: %w"
    50. 

  50. 	errInvalidURL                            = "invalid serverurl: %w"
    51. 

  51. 	errChefClient                            = "unable to create chef client: %w"
    52. 

  52. 	errChefProvider                          = "missing or invalid spec: %w"
    53. 

  53. 	errUninitalizedChefProvider              = "chef provider is not initialized"
    54. 

  54. 	errNoDatabagItemFound                    = "data bag item %s not found in data bag %s"
    55. 

  55. 	errNoDatabagItemPropertyFound            = "property %s not found in data bag item"
    56. 

  56. 	errCannotListDataBagItems                = "unable to list items in data bag %s, may be given data bag doesn't exists or it is empty"
    57. 

  57. 	errUnableToConvertToJSON                 = "unable to convert databagItem into JSON"
    58. 

  58. 	errInvalidFormat                         = "invalid key format in data section. Expected value 'databagName/databagItemName'"
    59. 

  59. 	errStoreValidateFailed                   = "unable to validate provided store. Check if username, serverUrl and privateKey are correct"
    60. 

  60. 	errServerURLNoEndSlash                   = "serverurl does not end with slash(/)"
    61. 

  61. 	errInvalidDataform                       = "invalid key format in dataForm section. Expected only 'databagName'"
    62. 

  62. 

  63. 	ProviderChef             = "Chef"
    64. 

  64. 	CallChefGetDataBagItem   = "GetDataBagItem"
    65. 

  65. 	CallChefListDataBagItems = "ListDataBagItems"
    66. 

  66. 	CallChefGetUser          = "GetUser"
    67. 

  67. )
    68. 

  68. 

  69. var contextTimeout = time.Second * 25
    70. 

  70. 

  71. type DatabagFetcher interface {
    72. 

  72. 	GetItem(databagName string, databagItem string) (item chef.DataBagItem, err error)
    73. 

  73. 	ListItems(name string) (data *chef.DataBagListResult, err error)
    74. 

  74. }
    75. 

  75. 

  76. type UserInterface interface {
    77. 

  77. 	Get(name string) (user chef.User, err error)
    78. 

  78. }
    79. 

  79. 

  80. type Providerchef struct {
    81. 

  81. 	clientName     string
    82. 

  82. 	databagService DatabagFetcher
    83. 

  83. 	userService    UserInterface
    84. 

  84. 	log            logr.Logger
    85. 

  85. }
    86. 

  86. 

  87. var _ v1beta1.SecretsClient = &Providerchef{}
    88. 

  88. var _ v1beta1.Provider = &Providerchef{}
    89. 

  89. 

  90. func init() {
    91. 

  91. 	v1beta1.Register(&Providerchef{}, &v1beta1.SecretStoreProvider{
    92. 

  92. 		Chef: &v1beta1.ChefProvider{},
    93. 

  93. 	})
    94. 

  94. }
    95. 

  95. 

  96. func (providerchef *Providerchef) NewClient(ctx context.Context, store v1beta1.GenericStore, kube kclient.Client, namespace string) (v1beta1.SecretsClient, error) {
    97. 

  97. 	chefProvider, err := getChefProvider(store)
    98. 

  98. 	if err != nil {
    99. 

  99. 		return nil, fmt.Errorf(errChefProvider, err)
    100. 

  100. 	}
    101. 

  101. 

  102. 	credentialsSecret := &corev1.Secret{}
    103. 

  103. 	objectKey := types.NamespacedName{
    104. 

  104. 		Name:      chefProvider.Auth.SecretRef.SecretKey.Name,
    105. 

  105. 		Namespace: namespace,
    106. 

  106. 	}
    107. 

  107. 

  108. 	if store.GetObjectKind().GroupVersionKind().Kind == v1beta1.ClusterSecretStoreKind {
    109. 

  109. 		if chefProvider.Auth.SecretRef.SecretKey.Namespace == nil {
    110. 

  110. 			return nil, fmt.Errorf(errInvalidClusterStoreMissingPKNamespace)
    111. 

  111. 		}
    112. 

  112. 		objectKey.Namespace = *chefProvider.Auth.SecretRef.SecretKey.Namespace
    113. 

  113. 	}
    114. 

  114. 

  115. 	if err := kube.Get(ctx, objectKey, credentialsSecret); err != nil {
    116. 

  116. 		return nil, fmt.Errorf(errFetchK8sSecret, err)
    117. 

  117. 	}
    118. 

  118. 

  119. 	secretKey := credentialsSecret.Data[chefProvider.Auth.SecretRef.SecretKey.Key]
    120. 

  120. 	if len(secretKey) == 0 {
    121. 

  121. 		return nil, fmt.Errorf(errMissingSecretKey)
    122. 

  122. 	}
    123. 

  123. 

  124. 	client, err := chef.NewClient(&chef.Config{
    125. 

  125. 		Name:    chefProvider.UserName,
    126. 

  126. 		Key:     string(secretKey),
    127. 

  127. 		BaseURL: chefProvider.ServerURL,
    128. 

  128. 	})
    129. 

  129. 	if err != nil {
    130. 

  130. 		return nil, fmt.Errorf(errChefClient, err)
    131. 

  131. 	}
    132. 

  132. 

  133. 	providerchef.clientName = chefProvider.UserName
    134. 

  134. 	providerchef.databagService = client.DataBags
    135. 

  135. 	providerchef.userService = client.Users
    136. 

  136. 	providerchef.log = ctrl.Log.WithName("provider").WithName("chef").WithName("secretsmanager")
    137. 

  137. 	return providerchef, nil
    138. 

  138. }
    139. 

  139. 

  140. // Close closes the client connection.
    141. 

  141. func (providerchef *Providerchef) Close(_ context.Context) error {
    142. 

  142. 	return nil
    143. 

  143. }
    144. 

  144. 

  145. // Validate checks if the client is configured correctly
    146. 

  146. // to be able to retrieve secrets from the provider.
    147. 

  147. func (providerchef *Providerchef) Validate() (v1beta1.ValidationResult, error) {
    148. 

  148. 	_, err := providerchef.userService.Get(providerchef.clientName)
    149. 

  149. 	metrics.ObserveAPICall(ProviderChef, CallChefGetUser, err)
    150. 

  150. 	if err != nil {
    151. 

  151. 		return v1beta1.ValidationResultError, fmt.Errorf(errStoreValidateFailed)
    152. 

  152. 	}
    153. 

  153. 	return v1beta1.ValidationResultReady, nil
    154. 

  154. }
    155. 

  155. 

  156. // GetAllSecrets Retrieves a map[string][]byte with the Databag names as key and the Databag's Items as secrets.
    157. 

  157. func (providerchef *Providerchef) GetAllSecrets(_ context.Context, _ v1beta1.ExternalSecretFind) (map[string][]byte, error) {
    158. 

  158. 	return nil, fmt.Errorf("dataFrom.find not suppported")
    159. 

  159. }
    160. 

  160. 

  161. // GetSecret returns a databagItem present in the databag. format example: databagName/databagItemName.
    162. 

  162. func (providerchef *Providerchef) GetSecret(ctx context.Context, ref v1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
    163. 

  163. 	if utils.IsNil(providerchef.databagService) {
    164. 

  164. 		return nil, fmt.Errorf(errUninitalizedChefProvider)
    165. 

  165. 	}
    166. 

  166. 

  167. 	key := ref.Key
    168. 

  168. 	databagName := ""
    169. 

  169. 	databagItem := ""
    170. 

  170. 	nameSplitted := strings.Split(key, "/")
    171. 

  171. 	if len(nameSplitted) > 1 {
    172. 

  172. 		databagName = nameSplitted[0]
    173. 

  173. 		databagItem = nameSplitted[1]
    174. 

  174. 	}
    175. 

  175. 	providerchef.log.Info("fetching secret value", "databag Name:", databagName, "databag Item:", databagItem)
    176. 

  176. 	if databagName != "" && databagItem != "" {
    177. 

  177. 		return getSingleDatabagItemWithContext(ctx, providerchef, databagName, databagItem, ref.Property)
    178. 

  178. 	}
    179. 

  179. 

  180. 	return nil, fmt.Errorf(errInvalidFormat)
    181. 

  181. }
    182. 

  182. 

  183. func getSingleDatabagItemWithContext(ctx context.Context, providerchef *Providerchef, dataBagName, databagItemName, propertyName string) ([]byte, error) {
    184. 

  184. 	ctxWithTimeout, cancel := context.WithTimeout(ctx, contextTimeout)
    185. 

  185. 	defer cancel()
    186. 

  186. 	type result = struct {
    187. 

  187. 		values []byte
    188. 

  188. 		err    error
    189. 

  189. 	}
    190. 

  190. 	getWithTimeout := func() chan result {
    191. 

  191. 		resultChan := make(chan result, 1)
    192. 

  192. 		go func() {
    193. 

  193. 			defer close(resultChan)
    194. 

  194. 			ditem, err := providerchef.databagService.GetItem(dataBagName, databagItemName)
    195. 

  195. 			metrics.ObserveAPICall(ProviderChef, CallChefGetDataBagItem, err)
    196. 

  196. 			if err != nil {
    197. 

  197. 				resultChan <- result{err: fmt.Errorf(errNoDatabagItemFound, databagItemName, dataBagName)}
    198. 

  198. 				return
    199. 

  199. 			}
    200. 

  200. 			jsonByte, err := json.Marshal(ditem)
    201. 

  201. 			if err != nil {
    202. 

  202. 				resultChan <- result{err: fmt.Errorf(errUnableToConvertToJSON)}
    203. 

  203. 				return
    204. 

  204. 			}
    205. 

  205. 			if propertyName != "" {
    206. 

  206. 				propertyValue, err := getPropertyFromDatabagItem(jsonByte, propertyName)
    207. 

  207. 				if err != nil {
    208. 

  208. 					resultChan <- result{err: err}
    209. 

  209. 					return
    210. 

  210. 				}
    211. 

  211. 				resultChan <- result{values: propertyValue}
    212. 

  212. 			} else {
    213. 

  213. 				resultChan <- result{values: jsonByte}
    214. 

  214. 			}
    215. 

  215. 		}()
    216. 

  216. 		return resultChan
    217. 

  217. 	}
    218. 

  218. 	select {
    219. 

  219. 	case <-ctxWithTimeout.Done():
    220. 

  220. 		return nil, ctxWithTimeout.Err()
    221. 

  221. 	case r := <-getWithTimeout():
    222. 

  222. 		if r.err != nil {
    223. 

  223. 			return nil, r.err
    224. 

  224. 		}
    225. 

  225. 		return r.values, nil
    226. 

  226. 	}
    227. 

  227. }
    228. 

  228. 

  229. /*
    230. 

  230. A path is a series of keys separated by a dot.
    231. 

  231. A key may contain special wildcard characters '*' and '?'.
    232. 

  232. To access an array value use the index as the key.
    233. 

  233. To get the number of elements in an array or to access a child path, use the '#' character.
    234. 

  234. The dot and wildcard characters can be escaped with '\'.
    235. 

  235. 

  236. refer https://github.com/tidwall/gjson#:~:text=JSON%20byte%20slices.-,Path%20Syntax,-Below%20is%20a
    237. 

  237. */
    238. 

  238. func getPropertyFromDatabagItem(jsonByte []byte, propertyName string) ([]byte, error) {
    239. 

  239. 	result := gjson.GetBytes(jsonByte, propertyName)
    240. 

  240. 

  241. 	if !result.Exists() {
    242. 

  242. 		return nil, fmt.Errorf(errNoDatabagItemPropertyFound, propertyName)
    243. 

  243. 	}
    244. 

  244. 	return []byte(result.Str), nil
    245. 

  245. }
    246. 

  246. 

  247. // GetSecretMap returns multiple k/v pairs from the provider, for dataFrom.extract.key
    248. 

  248. // dataFrom.extract.key only accepts dataBagName, example : dataFrom.extract.key: myDatabag
    249. 

  249. // databagItemName or Property not expected in key.
    250. 

  250. func (providerchef *Providerchef) GetSecretMap(ctx context.Context, ref v1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
    251. 

  251. 	if utils.IsNil(providerchef.databagService) {
    252. 

  252. 		return nil, fmt.Errorf(errUninitalizedChefProvider)
    253. 

  253. 	}
    254. 

  254. 	databagName := ref.Key
    255. 

  255. 

  256. 	if strings.Contains(databagName, "/") {
    257. 

  257. 		return nil, fmt.Errorf(errInvalidDataform)
    258. 

  258. 	}
    259. 

  259. 	getAllSecrets := make(map[string][]byte)
    260. 

  260. 	providerchef.log.Info("fetching all items from", "databag:", databagName)
    261. 

  261. 	dataItems, err := providerchef.databagService.ListItems(databagName)
    262. 

  262. 	metrics.ObserveAPICall(ProviderChef, CallChefListDataBagItems, err)
    263. 

  263. 	if err != nil {
    264. 

  264. 		return nil, fmt.Errorf(errCannotListDataBagItems, databagName)
    265. 

  265. 	}
    266. 

  266. 

  267. 	for dataItem := range *dataItems {
    268. 

  268. 		dItem, err := getSingleDatabagItemWithContext(ctx, providerchef, databagName, dataItem, "")
    269. 

  269. 		if err != nil {
    270. 

  270. 			return nil, fmt.Errorf(errNoDatabagItemFound, dataItem, databagName)
    271. 

  271. 		}
    272. 

  272. 		getAllSecrets[dataItem] = dItem
    273. 

  273. 	}
    274. 

  274. 	return getAllSecrets, nil
    275. 

  275. }
    276. 

  276. 

  277. // ValidateStore checks if the provided store is valid.
    278. 

  278. func (providerchef *Providerchef) ValidateStore(store v1beta1.GenericStore) (admission.Warnings, error) {
    279. 

  279. 	chefProvider, err := getChefProvider(store)
    280. 

  280. 	if err != nil {
    281. 

  281. 		return nil, fmt.Errorf(errChefStore, err)
    282. 

  282. 	}
    283. 

  283. 	// check namespace compared to kind
    284. 

  284. 	if err := utils.ValidateSecretSelector(store, chefProvider.Auth.SecretRef.SecretKey); err != nil {
    285. 

  285. 		return nil, fmt.Errorf(errChefStore, err)
    286. 

  286. 	}
    287. 

  287. 	return nil, nil
    288. 

  288. }
    289. 

  289. 

  290. // getChefProvider validates the incoming store and return the chef provider.
    291. 

  291. func getChefProvider(store v1beta1.GenericStore) (*v1beta1.ChefProvider, error) {
    292. 

  292. 	if store == nil {
    293. 

  293. 		return nil, fmt.Errorf(errMissingStore)
    294. 

  294. 	}
    295. 

  295. 	storeSpec := store.GetSpec()
    296. 

  296. 	if storeSpec == nil {
    297. 

  297. 		return nil, fmt.Errorf(errMissingStoreSpec)
    298. 

  298. 	}
    299. 

  299. 	provider := storeSpec.Provider
    300. 

  300. 	if provider == nil {
    301. 

  301. 		return nil, fmt.Errorf(errMissingProvider)
    302. 

  302. 	}
    303. 

  303. 	chefProvider := storeSpec.Provider.Chef
    304. 

  304. 	if chefProvider == nil {
    305. 

  305. 		return nil, fmt.Errorf(errMissingChefProvider)
    306. 

  306. 	}
    307. 

  307. 	if chefProvider.UserName == "" {
    308. 

  308. 		return chefProvider, fmt.Errorf(errMissingUserName)
    309. 

  309. 	}
    310. 

  310. 	if chefProvider.ServerURL == "" {
    311. 

  311. 		return chefProvider, fmt.Errorf(errMissingServerURL)
    312. 

  312. 	}
    313. 

  313. 	if !strings.HasSuffix(chefProvider.ServerURL, "/") {
    314. 

  314. 		return chefProvider, fmt.Errorf(errServerURLNoEndSlash)
    315. 

  315. 	}
    316. 

  316. 	// check valid URL
    317. 

  317. 	if _, err := url.ParseRequestURI(chefProvider.ServerURL); err != nil {
    318. 

  318. 		return chefProvider, fmt.Errorf(errInvalidURL, err)
    319. 

  319. 	}
    320. 

  320. 	if chefProvider.Auth == nil {
    321. 

  321. 		return chefProvider, fmt.Errorf(errMissingAuth)
    322. 

  322. 	}
    323. 

  323. 	if chefProvider.Auth.SecretRef.SecretKey.Key == "" {
    324. 

  324. 		return chefProvider, fmt.Errorf(errMissingSecretKey)
    325. 

  325. 	}
    326. 

  326. 

  327. 	return chefProvider, nil
    328. 

  328. }
    329. 

  329. 

  330. // Not Implemented DeleteSecret.
    331. 

  331. func (providerchef *Providerchef) DeleteSecret(_ context.Context, _ v1beta1.PushSecretRemoteRef) error {
    332. 

  332. 	return fmt.Errorf("not implemented")
    333. 

  333. }
    334. 

  334. 

  335. // Not Implemented PushSecret.
    336. 

  336. func (providerchef *Providerchef) PushSecret(_ context.Context, _ *corev1.Secret, _ v1beta1.PushSecretData) error {
    337. 

  337. 	return fmt.Errorf("not implemented")
    338. 

  338. }
    339. 

  339. 

  340. // Capabilities return the provider supported capabilities (ReadOnly, WriteOnly, ReadWrite).
    341. 

  341. func (providerchef *Providerchef) Capabilities() v1beta1.SecretStoreCapabilities {
    342. 

  342. 	return v1beta1.SecretStoreReadOnly
    343. 

  343. }
    344.