Startseite Erkunden Hilfe
Anmelden
logic855
/
helm-external-secrets
Mirror von https://github.com/external-secrets/external-secrets
1
0
Fork 0
Dateien Issues 0 Wiki
Struktur: a0386badf8
Branches Tags
helm-externa...
/
pkg
/
utils
/
resolvers
/
generator.go

generator.go 8.4 KB
Verlauf Originalformat

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6. 	http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. 

  15. package resolvers
    16. 

  16. 

  17. import (
    18. 

  18. 	"context"
    19. 

  19. 	"fmt"
    20. 

  20. 	"reflect"
    21. 

  21. 

  22. 	apiextensions "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
    23. 

  23. 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
    24. 

  24. 	"k8s.io/apimachinery/pkg/runtime"
    25. 

  25. 	"k8s.io/apimachinery/pkg/runtime/schema"
    26. 

  26. 	"k8s.io/apimachinery/pkg/types"
    27. 

  27. 	"sigs.k8s.io/controller-runtime/pkg/client"
    28. 

  28. 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
    29. 

  29. 

  30. 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
    31. 

  31. 	genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
    32. 

  32. )
    33. 

  33. 

  34. // these errors are explicitly defined so we can detect them with `errors.Is()`.
    35. 

  35. var (
    36. 

  36. 	// ErrUnableToGetGenerator is returned when a generator reference cannot be resolved.
    37. 

  37. 	ErrUnableToGetGenerator = fmt.Errorf("unable to get generator")
    38. 

  38. )
    39. 

  39. 

  40. // GeneratorRef resolves a generator reference to a generator implementation.
    41. 

  41. func GeneratorRef(ctx context.Context, cl client.Client, scheme *runtime.Scheme, namespace string, generatorRef *esv1beta1.GeneratorRef) (genv1alpha1.Generator, *apiextensions.JSON, error) {
    42. 

  42. 	generator, jsonObj, err := getGenerator(ctx, cl, scheme, namespace, generatorRef)
    43. 

  43. 	if err != nil {
    44. 

  44. 		return nil, nil, fmt.Errorf("%w: %w", ErrUnableToGetGenerator, err)
    45. 

  45. 	}
    46. 

  46. 	return generator, jsonObj, nil
    47. 

  47. }
    48. 

  48. 

  49. func getGenerator(ctx context.Context, cl client.Client, scheme *runtime.Scheme, namespace string, generatorRef *esv1beta1.GeneratorRef) (genv1alpha1.Generator, *apiextensions.JSON, error) {
    50. 

  50. 	// get a GVK from the generatorRef
    51. 

  51. 	gv, err := schema.ParseGroupVersion(generatorRef.APIVersion)
    52. 

  52. 	if err != nil {
    53. 

  53. 		return nil, nil, reconcile.TerminalError(fmt.Errorf("generatorRef has invalid APIVersion: %w", err))
    54. 

  54. 	}
    55. 

  55. 	gvk := schema.GroupVersionKind{
    56. 

  56. 		Group:   gv.Group,
    57. 

  57. 		Version: gv.Version,
    58. 

  58. 		Kind:    generatorRef.Kind,
    59. 

  59. 	}
    60. 

  60. 

  61. 	// fail if the GVK does not use the generator group
    62. 

  62. 	if gvk.Group != genv1alpha1.Group {
    63. 

  63. 		return nil, nil, reconcile.TerminalError(fmt.Errorf("generatorRef may only reference the generators group, but got %s", gvk.Group))
    64. 

  64. 	}
    65. 

  65. 

  66. 	// get a client Object from the GVK
    67. 

  67. 	t, exists := scheme.AllKnownTypes()[gvk]
    68. 

  68. 	if !exists {
    69. 

  69. 		return nil, nil, reconcile.TerminalError(fmt.Errorf("generatorRef references unknown GVK %s", gvk))
    70. 

  70. 	}
    71. 

  71. 	obj := reflect.New(t).Interface().(client.Object)
    72. 

  72. 

  73. 	// this interface provides the Generate() method used by the controller
    74. 

  74. 	// NOTE: all instances of a generator kind use the same instance of this interface
    75. 

  75. 	var generator genv1alpha1.Generator
    76. 

  76. 

  77. 	// ClusterGenerator is a special case because it's a cluster-scoped resource
    78. 

  78. 	// to use it, we create a "virtual" namespaced generator for the current namespace, as if one existed in the API
    79. 

  79. 	if gvk.Kind == genv1alpha1.ClusterGeneratorKind {
    80. 

  80. 		clusterGenerator := obj.(*genv1alpha1.ClusterGenerator)
    81. 

  81. 

  82. 		// get the cluster generator resource from the API
    83. 

  83. 		// NOTE: it's important that we use the structured client so we use the cache
    84. 

  84. 		err = cl.Get(ctx, client.ObjectKey{Name: generatorRef.Name}, clusterGenerator)
    85. 

  85. 		if err != nil {
    86. 

  86. 			return nil, nil, err
    87. 

  87. 		}
    88. 

  88. 

  89. 		// convert the cluster generator to a virtual namespaced generator object
    90. 

  90. 		obj, err = clusterGeneratorToVirtual(clusterGenerator)
    91. 

  91. 		if err != nil {
    92. 

  92. 			return nil, nil, reconcile.TerminalError(fmt.Errorf("invalid ClusterGenerator: %w", err))
    93. 

  93. 		}
    94. 

  94. 

  95. 		// get the generator interface
    96. 

  96. 		var ok bool
    97. 

  97. 		generator, ok = genv1alpha1.GetGeneratorByName(string(clusterGenerator.Spec.Kind))
    98. 

  98. 		if !ok {
    99. 

  99. 			return nil, nil, reconcile.TerminalError(fmt.Errorf("ClusterGenerator has unknown kind %s", clusterGenerator.Spec.Kind))
    100. 

  100. 		}
    101. 

  101. 	} else {
    102. 

  102. 		// get the generator resource from the API
    103. 

  103. 		// NOTE: it's important that we use the structured client so we use the cache
    104. 

  104. 		err = cl.Get(ctx, types.NamespacedName{
    105. 

  105. 			Name:      generatorRef.Name,
    106. 

  106. 			Namespace: namespace,
    107. 

  107. 		}, obj)
    108. 

  108. 		if err != nil {
    109. 

  109. 			return nil, nil, err
    110. 

  110. 		}
    111. 

  111. 

  112. 		// get the generator interface
    113. 

  113. 		var ok bool
    114. 

  114. 		generator, ok = genv1alpha1.GetGeneratorByName(gvk.Kind)
    115. 

  115. 		if !ok {
    116. 

  116. 			return nil, nil, reconcile.TerminalError(fmt.Errorf("generatorRef has unknown kind %s", gvk.Kind))
    117. 

  117. 		}
    118. 

  118. 	}
    119. 

  119. 

  120. 	// convert the generator to unstructured object
    121. 

  121. 	u := &unstructured.Unstructured{}
    122. 

  122. 	u.Object, err = runtime.DefaultUnstructuredConverter.ToUnstructured(obj)
    123. 

  123. 	if err != nil {
    124. 

  124. 		return nil, nil, err
    125. 

  125. 	}
    126. 

  126. 

  127. 	// convert the unstructured object to JSON
    128. 

  128. 	// NOTE: we do this for backwards compatibility with how this API works, not because it's a good idea
    129. 

  129. 	//       we should refactor the generator API to use the normal typed objects
    130. 

  130. 	jsonObj, err := u.MarshalJSON()
    131. 

  131. 	if err != nil {
    132. 

  132. 		return nil, nil, err
    133. 

  133. 	}
    134. 

  134. 

  135. 	return generator, &apiextensions.JSON{Raw: jsonObj}, nil
    136. 

  136. }
    137. 

  137. 

  138. // clusterGeneratorToVirtual converts a ClusterGenerator to a "virtual" namespaced generator that doesn't actually exist in the API.
    139. 

  139. func clusterGeneratorToVirtual(gen *genv1alpha1.ClusterGenerator) (client.Object, error) {
    140. 

  140. 	switch gen.Spec.Kind {
    141. 

  141. 	case genv1alpha1.GeneratorKindACRAccessToken:
    142. 

  142. 		if gen.Spec.Generator.ACRAccessTokenSpec == nil {
    143. 

  143. 			return nil, fmt.Errorf("when kind is %s, ACRAccessTokenSpec must be set", gen.Spec.Kind)
    144. 

  144. 		}
    145. 

  145. 		return &genv1alpha1.ACRAccessToken{
    146. 

  146. 			Spec: *gen.Spec.Generator.ACRAccessTokenSpec,
    147. 

  147. 		}, nil
    148. 

  148. 	case genv1alpha1.GeneratorKindECRAuthorizationToken:
    149. 

  149. 		if gen.Spec.Generator.ECRAuthorizationTokenSpec == nil {
    150. 

  150. 			return nil, fmt.Errorf("when kind is %s, ECRAuthorizationTokenSpec must be set", gen.Spec.Kind)
    151. 

  151. 		}
    152. 

  152. 		return &genv1alpha1.ECRAuthorizationToken{
    153. 

  153. 			Spec: *gen.Spec.Generator.ECRAuthorizationTokenSpec,
    154. 

  154. 		}, nil
    155. 

  155. 	case genv1alpha1.GeneratorKindFake:
    156. 

  156. 		if gen.Spec.Generator.FakeSpec == nil {
    157. 

  157. 			return nil, fmt.Errorf("when kind is %s, FakeSpec must be set", gen.Spec.Kind)
    158. 

  158. 		}
    159. 

  159. 		return &genv1alpha1.Fake{
    160. 

  160. 			Spec: *gen.Spec.Generator.FakeSpec,
    161. 

  161. 		}, nil
    162. 

  162. 	case genv1alpha1.GeneratorKindGCRAccessToken:
    163. 

  163. 		if gen.Spec.Generator.GCRAccessTokenSpec == nil {
    164. 

  164. 			return nil, fmt.Errorf("when kind is %s, GCRAccessTokenSpec must be set", gen.Spec.Kind)
    165. 

  165. 		}
    166. 

  166. 		return &genv1alpha1.GCRAccessToken{
    167. 

  167. 			Spec: *gen.Spec.Generator.GCRAccessTokenSpec,
    168. 

  168. 		}, nil
    169. 

  169. 	case genv1alpha1.GeneratorKindGithubAccessToken:
    170. 

  170. 		if gen.Spec.Generator.GithubAccessTokenSpec == nil {
    171. 

  171. 			return nil, fmt.Errorf("when kind is %s, GithubAccessTokenSpec must be set", gen.Spec.Kind)
    172. 

  172. 		}
    173. 

  173. 		return &genv1alpha1.GithubAccessToken{
    174. 

  174. 			Spec: *gen.Spec.Generator.GithubAccessTokenSpec,
    175. 

  175. 		}, nil
    176. 

  176. 	case genv1alpha1.GeneratorKindQuayAccessToken:
    177. 

  177. 		if gen.Spec.Generator.QuayAccessTokenSpec == nil {
    178. 

  178. 			return nil, fmt.Errorf("when kind is %s, QuayAccessTokenSpec must be set", gen.Spec.Kind)
    179. 

  179. 		}
    180. 

  180. 		return &genv1alpha1.QuayAccessToken{
    181. 

  181. 			Spec: *gen.Spec.Generator.QuayAccessTokenSpec,
    182. 

  182. 		}, nil
    183. 

  183. 	case genv1alpha1.GeneratorKindPassword:
    184. 

  184. 		if gen.Spec.Generator.PasswordSpec == nil {
    185. 

  185. 			return nil, fmt.Errorf("when kind is %s, PasswordSpec must be set", gen.Spec.Kind)
    186. 

  186. 		}
    187. 

  187. 		return &genv1alpha1.Password{
    188. 

  188. 			Spec: *gen.Spec.Generator.PasswordSpec,
    189. 

  189. 		}, nil
    190. 

  190. 	case genv1alpha1.GeneratorKindSTSSessionToken:
    191. 

  191. 		if gen.Spec.Generator.STSSessionTokenSpec == nil {
    192. 

  192. 			return nil, fmt.Errorf("when kind is %s, STSSessionTokenSpec must be set", gen.Spec.Kind)
    193. 

  193. 		}
    194. 

  194. 		return &genv1alpha1.STSSessionToken{
    195. 

  195. 			Spec: *gen.Spec.Generator.STSSessionTokenSpec,
    196. 

  196. 		}, nil
    197. 

  197. 	case genv1alpha1.GeneratorKindUUID:
    198. 

  198. 		if gen.Spec.Generator.UUIDSpec == nil {
    199. 

  199. 			return nil, fmt.Errorf("when kind is %s, UUIDSpec must be set", gen.Spec.Kind)
    200. 

  200. 		}
    201. 

  201. 		return &genv1alpha1.UUID{
    202. 

  202. 			Spec: *gen.Spec.Generator.UUIDSpec,
    203. 

  203. 		}, nil
    204. 

  204. 	case genv1alpha1.GeneratorKindVaultDynamicSecret:
    205. 

  205. 		if gen.Spec.Generator.VaultDynamicSecretSpec == nil {
    206. 

  206. 			return nil, fmt.Errorf("when kind is %s, VaultDynamicSecretSpec must be set", gen.Spec.Kind)
    207. 

  207. 		}
    208. 

  208. 		return &genv1alpha1.VaultDynamicSecret{
    209. 

  209. 			Spec: *gen.Spec.Generator.VaultDynamicSecretSpec,
    210. 

  210. 		}, nil
    211. 

  211. 	case genv1alpha1.GeneratorKindWebhook:
    212. 

  212. 		if gen.Spec.Generator.WebhookSpec == nil {
    213. 

  213. 			return nil, fmt.Errorf("when kind is %s, WebhookSpec must be set", gen.Spec.Kind)
    214. 

  214. 		}
    215. 

  215. 		return &genv1alpha1.Webhook{
    216. 

  216. 			Spec: *gen.Spec.Generator.WebhookSpec,
    217. 

  217. 		}, nil
    218. 

  218. 	default:
    219. 

  219. 		return nil, fmt.Errorf("unknown kind %s", gen.Spec.Kind)
    220. 

  220. 	}
    221. 

  221. }
    222.