Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: a012f4829c
Branches Tags
helm-externa...
/
pkg
/
provider
/
vault
/
client_push.go

client_push.go 6.0 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6.     http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. 

  15. package vault
    16. 

  16. 

  17. import (
    18. 

  18. 	"bytes"
    19. 

  19. 	"context"
    20. 

  20. 	"encoding/json"
    21. 

  21. 	"errors"
    22. 

  22. 	"fmt"
    23. 

  23. 

  24. 	corev1 "k8s.io/api/core/v1"
    25. 

  25. 

  26. 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
    27. 

  27. 	"github.com/external-secrets/external-secrets/pkg/constants"
    28. 

  28. 	"github.com/external-secrets/external-secrets/pkg/metrics"
    29. 

  29. )
    30. 

  30. 

  31. func (c *client) PushSecret(ctx context.Context, secret *corev1.Secret, data esv1beta1.PushSecretData) error {
    32. 

  32. 	value := secret.Data[data.GetSecretKey()]
    33. 

  33. 	label := map[string]interface{}{
    34. 

  34. 		"custom_metadata": map[string]string{
    35. 

  35. 			"managed-by": "external-secrets",
    36. 

  36. 		},
    37. 

  37. 	}
    38. 

  38. 	secretVal := make(map[string]interface{})
    39. 

  39. 	path := c.buildPath(data.GetRemoteKey())
    40. 

  40. 	metaPath, err := c.buildMetadataPath(data.GetRemoteKey())
    41. 

  41. 	if err != nil {
    42. 

  42. 		return err
    43. 

  43. 	}
    44. 

  44. 

  45. 	// Retrieve the secret map from vault and convert the secret value in string form.
    46. 

  46. 	vaultSecret, err := c.readSecret(ctx, path, "")
    47. 

  47. 	// If error is not of type secret not found, we should error
    48. 

  48. 	if err != nil && !errors.Is(err, esv1beta1.NoSecretError{}) {
    49. 

  49. 		return err
    50. 

  50. 	}
    51. 

  51. 	// If the secret exists (err == nil), we should check if it is managed by external-secrets
    52. 

  52. 	if err == nil {
    53. 

  53. 		metadata, err := c.readSecretMetadata(ctx, data.GetRemoteKey())
    54. 

  54. 		if err != nil {
    55. 

  55. 			return err
    56. 

  56. 		}
    57. 

  57. 		manager, ok := metadata["managed-by"]
    58. 

  58. 		if !ok || manager != "external-secrets" {
    59. 

  59. 			return fmt.Errorf("secret not managed by external-secrets")
    60. 

  60. 		}
    61. 

  61. 	}
    62. 

  62. 	// Remove the metadata map to check the reconcile difference
    63. 

  63. 	if c.store.Version == esv1beta1.VaultKVStoreV1 {
    64. 

  64. 		delete(vaultSecret, "custom_metadata")
    65. 

  65. 	}
    66. 

  66. 	buf := &bytes.Buffer{}
    67. 

  67. 	enc := json.NewEncoder(buf)
    68. 

  68. 	enc.SetEscapeHTML(false)
    69. 

  69. 	err = enc.Encode(vaultSecret)
    70. 

  70. 	if err != nil {
    71. 

  71. 		return fmt.Errorf("error encoding vault secret: %w", err)
    72. 

  72. 	}
    73. 

  73. 	vaultSecretValue := bytes.TrimSpace(buf.Bytes())
    74. 

  74. 	if err != nil {
    75. 

  75. 		return fmt.Errorf("error marshaling vault secret: %w", err)
    76. 

  76. 	}
    77. 

  77. 	if bytes.Equal(vaultSecretValue, value) {
    78. 

  78. 		return nil
    79. 

  79. 	}
    80. 

  80. 	// If a Push of a property only, we should merge and add/update the property
    81. 

  81. 	if data.GetProperty() != "" {
    82. 

  82. 		if _, ok := vaultSecret[data.GetProperty()]; ok {
    83. 

  83. 			d := vaultSecret[data.GetProperty()].(string)
    84. 

  84. 			if err != nil {
    85. 

  85. 				return fmt.Errorf("error marshaling vault secret: %w", err)
    86. 

  86. 			}
    87. 

  87. 			// If the property has the same value, don't update the secret
    88. 

  88. 			if bytes.Equal([]byte(d), value) {
    89. 

  89. 				return nil
    90. 

  90. 			}
    91. 

  91. 		}
    92. 

  92. 		for k, v := range vaultSecret {
    93. 

  93. 			secretVal[k] = v
    94. 

  94. 		}
    95. 

  95. 		// Secret got from vault is already on map[string]string format
    96. 

  96. 		secretVal[data.GetProperty()] = string(value)
    97. 

  97. 	} else {
    98. 

  98. 		err = json.Unmarshal(value, &secretVal)
    99. 

  99. 		if err != nil {
    100. 

  100. 			return fmt.Errorf("error unmarshalling vault secret: %w", err)
    101. 

  101. 		}
    102. 

  102. 	}
    103. 

  103. 	secretToPush := secretVal
    104. 

  104. 	// Adding custom_metadata to the secret for KV v1
    105. 

  105. 	if c.store.Version == esv1beta1.VaultKVStoreV1 {
    106. 

  106. 		secretToPush["custom_metadata"] = label["custom_metadata"]
    107. 

  107. 	}
    108. 

  108. 	if c.store.Version == esv1beta1.VaultKVStoreV2 {
    109. 

  109. 		secretToPush = map[string]interface{}{
    110. 

  110. 			"data": secretVal,
    111. 

  111. 		}
    112. 

  112. 	}
    113. 

  113. 	if err != nil {
    114. 

  114. 		return fmt.Errorf("failed to convert value to a valid JSON: %w", err)
    115. 

  115. 	}
    116. 

  116. 	// Secret metadata should be pushed separately only for KV2
    117. 

  117. 	if c.store.Version == esv1beta1.VaultKVStoreV2 {
    118. 

  118. 		_, err = c.logical.WriteWithContext(ctx, metaPath, label)
    119. 

  119. 		metrics.ObserveAPICall(constants.ProviderHCVault, constants.CallHCVaultWriteSecretData, err)
    120. 

  120. 		if err != nil {
    121. 

  121. 			return err
    122. 

  122. 		}
    123. 

  123. 	}
    124. 

  124. 	// Otherwise, create or update the version.
    125. 

  125. 	_, err = c.logical.WriteWithContext(ctx, path, secretToPush)
    126. 

  126. 	metrics.ObserveAPICall(constants.ProviderHCVault, constants.CallHCVaultWriteSecretData, err)
    127. 

  127. 	return err
    128. 

  128. }
    129. 

  129. 

  130. func (c *client) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushSecretRemoteRef) error {
    131. 

  131. 	path := c.buildPath(remoteRef.GetRemoteKey())
    132. 

  132. 	metaPath, err := c.buildMetadataPath(remoteRef.GetRemoteKey())
    133. 

  133. 	if err != nil {
    134. 

  134. 		return err
    135. 

  135. 	}
    136. 

  136. 	// Retrieve the secret map from vault and convert the secret value in string form.
    137. 

  137. 	secretVal, err := c.readSecret(ctx, path, "")
    138. 

  138. 	// If error is not of type secret not found, we should error
    139. 

  139. 	if err != nil && errors.Is(err, esv1beta1.NoSecretError{}) {
    140. 

  140. 		return nil
    141. 

  141. 	}
    142. 

  142. 	if err != nil {
    143. 

  143. 		return err
    144. 

  144. 	}
    145. 

  145. 	metadata, err := c.readSecretMetadata(ctx, remoteRef.GetRemoteKey())
    146. 

  146. 	if err != nil {
    147. 

  147. 		return err
    148. 

  148. 	}
    149. 

  149. 	manager, ok := metadata["managed-by"]
    150. 

  150. 	if !ok || manager != "external-secrets" {
    151. 

  151. 		return nil
    152. 

  152. 	}
    153. 

  153. 	// If Push for a Property, we need to delete the property and update the secret
    154. 

  154. 	if remoteRef.GetProperty() != "" {
    155. 

  155. 		delete(secretVal, remoteRef.GetProperty())
    156. 

  156. 		// If the only key left in the remote secret is the reference of the metadata.
    157. 

  157. 		if c.store.Version == esv1beta1.VaultKVStoreV1 && len(secretVal) == 1 {
    158. 

  158. 			delete(secretVal, "custom_metadata")
    159. 

  159. 		}
    160. 

  160. 		if len(secretVal) > 0 {
    161. 

  161. 			secretToPush := secretVal
    162. 

  162. 			if c.store.Version == esv1beta1.VaultKVStoreV2 {
    163. 

  163. 				secretToPush = map[string]interface{}{
    164. 

  164. 					"data": secretVal,
    165. 

  165. 				}
    166. 

  166. 			}
    167. 

  167. 			_, err = c.logical.WriteWithContext(ctx, path, secretToPush)
    168. 

  168. 			metrics.ObserveAPICall(constants.ProviderHCVault, constants.CallHCVaultDeleteSecret, err)
    169. 

  169. 			return err
    170. 

  170. 		}
    171. 

  171. 	}
    172. 

  172. 	_, err = c.logical.DeleteWithContext(ctx, path)
    173. 

  173. 	metrics.ObserveAPICall(constants.ProviderHCVault, constants.CallHCVaultDeleteSecret, err)
    174. 

  174. 	if err != nil {
    175. 

  175. 		return fmt.Errorf("could not delete secret %v: %w", remoteRef.GetRemoteKey(), err)
    176. 

  176. 	}
    177. 

  177. 	if c.store.Version == esv1beta1.VaultKVStoreV2 {
    178. 

  178. 		_, err = c.logical.DeleteWithContext(ctx, metaPath)
    179. 

  179. 		metrics.ObserveAPICall(constants.ProviderHCVault, constants.CallHCVaultDeleteSecret, err)
    180. 

  180. 		if err != nil {
    181. 

  181. 			return fmt.Errorf("could not delete secret metadata %v: %w", remoteRef.GetRemoteKey(), err)
    182. 

  182. 		}
    183. 

  183. 	}
    184. 

  184. 	return nil
    185. 

  185. }
    186.