Home Esplora Aiuto
Accedi
logic855
/
helm-external-secrets
mirror da https://github.com/external-secrets/external-secrets
1
0
Forka 0
File Problemi 0 Wiki
Albero (Tree): ac0eaedf16
Rami (Branch) Tag
helm-externa...
/
pkg
/
provider
/
alibaba
/
kms.go

kms.go 11 KB
Cronologia Originale

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6. 	http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. 

  15. package alibaba
    16. 

  16. 

  17. import (
    18. 

  18. 	"context"
    19. 

  19. 	"encoding/json"
    20. 

  20. 	"fmt"
    21. 

  21. 

  22. 	openapi "github.com/alibabacloud-go/darabonba-openapi/v2/client"
    23. 

  23. 	kmssdk "github.com/alibabacloud-go/kms-20160120/v3/client"
    24. 

  24. 	util "github.com/alibabacloud-go/tea-utils/v2/service"
    25. 

  25. 	credential "github.com/aliyun/credentials-go/credentials"
    26. 

  26. 	"github.com/avast/retry-go/v4"
    27. 

  27. 	"github.com/tidwall/gjson"
    28. 

  28. 	corev1 "k8s.io/api/core/v1"
    29. 

  29. 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
    30. 

  30. 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
    31. 

  31. 

  32. 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
    33. 

  33. 	"github.com/external-secrets/external-secrets/pkg/utils"
    34. 

  34. 	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
    35. 

  35. )
    36. 

  36. 

  37. const (
    38. 

  38. 	errAlibabaClient               = "cannot setup new Alibaba client: %w"
    39. 

  39. 	errUninitalizedAlibabaProvider = "provider Alibaba is not initialized"
    40. 

  40. 	errFetchAccessKeyID            = "could not fetch AccessKeyID secret: %w"
    41. 

  41. 	errFetchAccessKeySecret        = "could not fetch AccessKeySecret secret: %w"
    42. 

  42. 	errNotImplemented              = "not implemented"
    43. 

  43. )
    44. 

  44. 

  45. // https://github.com/external-secrets/external-secrets/issues/644
    46. 

  46. var _ esv1beta1.SecretsClient = &KeyManagementService{}
    47. 

  47. var _ esv1beta1.Provider = &KeyManagementService{}
    48. 

  48. 

  49. type KeyManagementService struct {
    50. 

  50. 	Client SMInterface
    51. 

  51. 	Config *openapi.Config
    52. 

  52. }
    53. 

  53. 

  54. type SMInterface interface {
    55. 

  55. 	GetSecretValue(ctx context.Context, request *kmssdk.GetSecretValueRequest) (*kmssdk.GetSecretValueResponseBody, error)
    56. 

  56. 	Endpoint() string
    57. 

  57. }
    58. 

  58. 

  59. func (kms *KeyManagementService) PushSecret(_ context.Context, _ *corev1.Secret, _ esv1beta1.PushSecretData) error {
    60. 

  60. 	return fmt.Errorf(errNotImplemented)
    61. 

  61. }
    62. 

  62. 

  63. func (kms *KeyManagementService) DeleteSecret(_ context.Context, _ esv1beta1.PushSecretRemoteRef) error {
    64. 

  64. 	return fmt.Errorf(errNotImplemented)
    65. 

  65. }
    66. 

  66. 

  67. func (kms *KeyManagementService) SecretExists(_ context.Context, _ esv1beta1.PushSecretRemoteRef) (bool, error) {
    68. 

  68. 	return false, fmt.Errorf(errNotImplemented)
    69. 

  69. }
    70. 

  70. 

  71. // Empty GetAllSecrets.
    72. 

  72. func (kms *KeyManagementService) GetAllSecrets(_ context.Context, _ esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
    73. 

  73. 	// TO be implemented
    74. 

  74. 	return nil, fmt.Errorf(errNotImplemented)
    75. 

  75. }
    76. 

  76. 

  77. // GetSecret returns a single secret from the provider.
    78. 

  78. func (kms *KeyManagementService) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
    79. 

  79. 	if utils.IsNil(kms.Client) {
    80. 

  80. 		return nil, fmt.Errorf(errUninitalizedAlibabaProvider)
    81. 

  81. 	}
    82. 

  82. 

  83. 	request := &kmssdk.GetSecretValueRequest{
    84. 

  84. 		SecretName: &ref.Key,
    85. 

  85. 	}
    86. 

  86. 

  87. 	if ref.Version != "" {
    88. 

  88. 		request.VersionId = &ref.Version
    89. 

  89. 	}
    90. 

  90. 

  91. 	secretOut, err := kms.Client.GetSecretValue(ctx, request)
    92. 

  92. 	if err != nil {
    93. 

  93. 		return nil, SanitizeErr(err)
    94. 

  94. 	}
    95. 

  95. 	if ref.Property == "" {
    96. 

  96. 		if utils.Deref(secretOut.SecretData) != "" {
    97. 

  97. 			return []byte(utils.Deref(secretOut.SecretData)), nil
    98. 

  98. 		}
    99. 

  99. 		return nil, fmt.Errorf("invalid secret received. no secret string nor binary for key: %s", ref.Key)
    100. 

  100. 	}
    101. 

  101. 	var payload string
    102. 

  102. 	if utils.Deref(secretOut.SecretData) != "" {
    103. 

  103. 		payload = utils.Deref(secretOut.SecretData)
    104. 

  104. 	}
    105. 

  105. 	val := gjson.Get(payload, ref.Property)
    106. 

  106. 	if !val.Exists() {
    107. 

  107. 		return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Property, ref.Key)
    108. 

  108. 	}
    109. 

  109. 	return []byte(val.String()), nil
    110. 

  110. }
    111. 

  111. 

  112. // GetSecretMap returns multiple k/v pairs from the provider.
    113. 

  113. func (kms *KeyManagementService) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
    114. 

  114. 	data, err := kms.GetSecret(ctx, ref)
    115. 

  115. 	if err != nil {
    116. 

  116. 		return nil, err
    117. 

  117. 	}
    118. 

  118. 	kv := make(map[string]string)
    119. 

  119. 	err = json.Unmarshal(data, &kv)
    120. 

  120. 	if err != nil {
    121. 

  121. 		return nil, fmt.Errorf("unable to unmarshal secret %s: %w", ref.Key, err)
    122. 

  122. 	}
    123. 

  123. 	secretData := make(map[string][]byte)
    124. 

  124. 	for k, v := range kv {
    125. 

  125. 		secretData[k] = []byte(v)
    126. 

  126. 	}
    127. 

  127. 	return secretData, nil
    128. 

  128. }
    129. 

  129. 

  130. // Capabilities return the provider supported capabilities (ReadOnly, WriteOnly, ReadWrite).
    131. 

  131. func (kms *KeyManagementService) Capabilities() esv1beta1.SecretStoreCapabilities {
    132. 

  132. 	return esv1beta1.SecretStoreReadOnly
    133. 

  133. }
    134. 

  134. 

  135. // NewClient constructs a new secrets client based on the provided store.
    136. 

  136. func (kms *KeyManagementService) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube kclient.Client, namespace string) (esv1beta1.SecretsClient, error) {
    137. 

  137. 	storeSpec := store.GetSpec()
    138. 

  138. 	alibabaSpec := storeSpec.Provider.Alibaba
    139. 

  139. 

  140. 	credentials, err := newAuth(ctx, kube, store, namespace)
    141. 

  141. 	if err != nil {
    142. 

  142. 		return nil, fmt.Errorf("failed to create Alibaba credentials: %w", err)
    143. 

  143. 	}
    144. 

  144. 

  145. 	config := &openapi.Config{
    146. 

  146. 		RegionId:   utils.Ptr(alibabaSpec.RegionID),
    147. 

  147. 		Credential: credentials,
    148. 

  148. 	}
    149. 

  149. 

  150. 	options := newOptions(store)
    151. 

  151. 	client, err := newClient(config, options)
    152. 

  152. 	if err != nil {
    153. 

  153. 		return nil, fmt.Errorf(errAlibabaClient, err)
    154. 

  154. 	}
    155. 

  155. 

  156. 	kms.Client = client
    157. 

  157. 	kms.Config = config
    158. 

  158. 	return kms, nil
    159. 

  159. }
    160. 

  160. 

  161. func newOptions(store esv1beta1.GenericStore) *util.RuntimeOptions {
    162. 

  162. 	storeSpec := store.GetSpec()
    163. 

  163. 

  164. 	options := &util.RuntimeOptions{}
    165. 

  165. 	// Setup retry options, if present in storeSpec
    166. 

  166. 	if storeSpec.RetrySettings != nil {
    167. 

  167. 		var retryAmount int
    168. 

  168. 

  169. 		if storeSpec.RetrySettings.MaxRetries != nil {
    170. 

  170. 			retryAmount = int(*storeSpec.RetrySettings.MaxRetries)
    171. 

  171. 		} else {
    172. 

  172. 			retryAmount = 3
    173. 

  173. 		}
    174. 

  174. 

  175. 		options.Autoretry = utils.Ptr(true)
    176. 

  176. 		options.MaxAttempts = utils.Ptr(retryAmount)
    177. 

  177. 	}
    178. 

  178. 

  179. 	return options
    180. 

  180. }
    181. 

  181. 

  182. func newAuth(ctx context.Context, kube kclient.Client, store esv1beta1.GenericStore, namespace string) (credential.Credential, error) {
    183. 

  183. 	storeSpec := store.GetSpec()
    184. 

  184. 	alibabaSpec := storeSpec.Provider.Alibaba
    185. 

  185. 

  186. 	switch {
    187. 

  187. 	case alibabaSpec.Auth.RRSAAuth != nil:
    188. 

  188. 		credentials, err := newRRSAAuth(store)
    189. 

  189. 		if err != nil {
    190. 

  190. 			return nil, fmt.Errorf("failed to create Alibaba OIDC credentials: %w", err)
    191. 

  191. 		}
    192. 

  192. 

  193. 		return credentials, nil
    194. 

  194. 	case alibabaSpec.Auth.SecretRef != nil:
    195. 

  195. 		credentials, err := newAccessKeyAuth(ctx, kube, store, namespace)
    196. 

  196. 		if err != nil {
    197. 

  197. 			return nil, fmt.Errorf("failed to create Alibaba AccessKey credentials: %w", err)
    198. 

  198. 		}
    199. 

  199. 

  200. 		return credentials, nil
    201. 

  201. 	default:
    202. 

  202. 		return nil, fmt.Errorf("alibaba authentication methods wasn't provided")
    203. 

  203. 	}
    204. 

  204. }
    205. 

  205. 

  206. func newRRSAAuth(store esv1beta1.GenericStore) (credential.Credential, error) {
    207. 

  207. 	storeSpec := store.GetSpec()
    208. 

  208. 	alibabaSpec := storeSpec.Provider.Alibaba
    209. 

  209. 

  210. 	credentialConfig := &credential.Config{
    211. 

  211. 		OIDCProviderArn:   &alibabaSpec.Auth.RRSAAuth.OIDCProviderARN,
    212. 

  212. 		OIDCTokenFilePath: &alibabaSpec.Auth.RRSAAuth.OIDCTokenFilePath,
    213. 

  213. 		RoleArn:           &alibabaSpec.Auth.RRSAAuth.RoleARN,
    214. 

  214. 		RoleSessionName:   &alibabaSpec.Auth.RRSAAuth.SessionName,
    215. 

  215. 		Type:              utils.Ptr("oidc_role_arn"),
    216. 

  216. 		ConnectTimeout:    utils.Ptr(30),
    217. 

  217. 		Timeout:           utils.Ptr(60),
    218. 

  218. 	}
    219. 

  219. 

  220. 	return credential.NewCredential(credentialConfig)
    221. 

  221. }
    222. 

  222. 

  223. func newAccessKeyAuth(ctx context.Context, kube kclient.Client, store esv1beta1.GenericStore, namespace string) (credential.Credential, error) {
    224. 

  224. 	storeSpec := store.GetSpec()
    225. 

  225. 	alibabaSpec := storeSpec.Provider.Alibaba
    226. 

  226. 	storeKind := store.GetObjectKind().GroupVersionKind().Kind
    227. 

  227. 	accessKeyID, err := resolvers.SecretKeyRef(ctx, kube, storeKind, namespace, &alibabaSpec.Auth.SecretRef.AccessKeyID)
    228. 

  228. 	if err != nil {
    229. 

  229. 		return nil, fmt.Errorf(errFetchAccessKeyID, err)
    230. 

  230. 	}
    231. 

  231. 	accessKeySecret, err := resolvers.SecretKeyRef(ctx, kube, storeKind, namespace, &alibabaSpec.Auth.SecretRef.AccessKeySecret)
    232. 

  232. 	if err != nil {
    233. 

  233. 		return nil, fmt.Errorf(errFetchAccessKeySecret, err)
    234. 

  234. 	}
    235. 

  235. 	credentialConfig := &credential.Config{
    236. 

  236. 		AccessKeyId:     utils.Ptr(accessKeyID),
    237. 

  237. 		AccessKeySecret: utils.Ptr(accessKeySecret),
    238. 

  238. 		Type:            utils.Ptr("access_key"),
    239. 

  239. 		ConnectTimeout:  utils.Ptr(30),
    240. 

  240. 		Timeout:         utils.Ptr(60),
    241. 

  241. 	}
    242. 

  242. 

  243. 	return credential.NewCredential(credentialConfig)
    244. 

  244. }
    245. 

  245. 

  246. func (kms *KeyManagementService) Close(_ context.Context) error {
    247. 

  247. 	return nil
    248. 

  248. }
    249. 

  249. 

  250. func (kms *KeyManagementService) Validate() (esv1beta1.ValidationResult, error) {
    251. 

  251. 	err := retry.Do(
    252. 

  252. 		func() error {
    253. 

  253. 			_, err := kms.Config.Credential.GetCredential()
    254. 

  254. 			if err != nil {
    255. 

  255. 				return err
    256. 

  256. 			}
    257. 

  257. 

  258. 			return nil
    259. 

  259. 		},
    260. 

  260. 		retry.Attempts(5),
    261. 

  261. 	)
    262. 

  262. 	if err != nil {
    263. 

  263. 		return esv1beta1.ValidationResultError, SanitizeErr(err)
    264. 

  264. 	}
    265. 

  265. 

  266. 	return esv1beta1.ValidationResultReady, nil
    267. 

  267. }
    268. 

  268. 

  269. func (kms *KeyManagementService) ValidateStore(store esv1beta1.GenericStore) (admission.Warnings, error) {
    270. 

  270. 	storeSpec := store.GetSpec()
    271. 

  271. 	alibabaSpec := storeSpec.Provider.Alibaba
    272. 

  272. 

  273. 	regionID := alibabaSpec.RegionID
    274. 

  274. 

  275. 	if regionID == "" {
    276. 

  276. 		return nil, fmt.Errorf("missing alibaba region")
    277. 

  277. 	}
    278. 

  278. 

  279. 	return nil, kms.validateStoreAuth(store)
    280. 

  280. }
    281. 

  281. 

  282. func (kms *KeyManagementService) validateStoreAuth(store esv1beta1.GenericStore) error {
    283. 

  283. 	storeSpec := store.GetSpec()
    284. 

  284. 	alibabaSpec := storeSpec.Provider.Alibaba
    285. 

  285. 

  286. 	switch {
    287. 

  287. 	case alibabaSpec.Auth.RRSAAuth != nil:
    288. 

  288. 		return kms.validateStoreRRSAAuth(store)
    289. 

  289. 	case alibabaSpec.Auth.SecretRef != nil:
    290. 

  290. 		return kms.validateStoreAccessKeyAuth(store)
    291. 

  291. 	default:
    292. 

  292. 		return fmt.Errorf("missing alibaba auth provider")
    293. 

  293. 	}
    294. 

  294. }
    295. 

  295. 

  296. func (kms *KeyManagementService) validateStoreRRSAAuth(store esv1beta1.GenericStore) error {
    297. 

  297. 	storeSpec := store.GetSpec()
    298. 

  298. 	alibabaSpec := storeSpec.Provider.Alibaba
    299. 

  299. 

  300. 	if alibabaSpec.Auth.RRSAAuth.OIDCProviderARN == "" {
    301. 

  301. 		return fmt.Errorf("missing alibaba OIDC proivder ARN")
    302. 

  302. 	}
    303. 

  303. 

  304. 	if alibabaSpec.Auth.RRSAAuth.OIDCTokenFilePath == "" {
    305. 

  305. 		return fmt.Errorf("missing alibaba OIDC token file path")
    306. 

  306. 	}
    307. 

  307. 

  308. 	if alibabaSpec.Auth.RRSAAuth.RoleARN == "" {
    309. 

  309. 		return fmt.Errorf("missing alibaba Assume Role ARN")
    310. 

  310. 	}
    311. 

  311. 

  312. 	if alibabaSpec.Auth.RRSAAuth.SessionName == "" {
    313. 

  313. 		return fmt.Errorf("missing alibaba session name")
    314. 

  314. 	}
    315. 

  315. 

  316. 	return nil
    317. 

  317. }
    318. 

  318. 

  319. func (kms *KeyManagementService) validateStoreAccessKeyAuth(store esv1beta1.GenericStore) error {
    320. 

  320. 	storeSpec := store.GetSpec()
    321. 

  321. 	alibabaSpec := storeSpec.Provider.Alibaba
    322. 

  322. 

  323. 	accessKeyID := alibabaSpec.Auth.SecretRef.AccessKeyID
    324. 

  324. 	err := utils.ValidateSecretSelector(store, accessKeyID)
    325. 

  325. 	if err != nil {
    326. 

  326. 		return err
    327. 

  327. 	}
    328. 

  328. 

  329. 	if accessKeyID.Name == "" {
    330. 

  330. 		return fmt.Errorf("missing alibaba access ID name")
    331. 

  331. 	}
    332. 

  332. 

  333. 	if accessKeyID.Key == "" {
    334. 

  334. 		return fmt.Errorf("missing alibaba access ID key")
    335. 

  335. 	}
    336. 

  336. 

  337. 	accessKeySecret := alibabaSpec.Auth.SecretRef.AccessKeySecret
    338. 

  338. 	err = utils.ValidateSecretSelector(store, accessKeySecret)
    339. 

  339. 	if err != nil {
    340. 

  340. 		return err
    341. 

  341. 	}
    342. 

  342. 

  343. 	if accessKeySecret.Name == "" {
    344. 

  344. 		return fmt.Errorf("missing alibaba access key secret name")
    345. 

  345. 	}
    346. 

  346. 

  347. 	if accessKeySecret.Key == "" {
    348. 

  348. 		return fmt.Errorf("missing alibaba access key secret key")
    349. 

  349. 	}
    350. 

  350. 

  351. 	return nil
    352. 

  352. }
    353. 

  353. 

  354. func init() {
    355. 

  355. 	esv1beta1.Register(&KeyManagementService{}, &esv1beta1.SecretStoreProvider{
    356. 

  356. 		Alibaba: &esv1beta1.AlibabaProvider{},
    357. 

  357. 	})
    358. 

  358. }
    359.