Home Verkennen Help
Inloggen
logic855
/
helm-external-secrets
spiegel van https://github.com/external-secrets/external-secrets
1
0
Vork 0
Bestanden Issues 0 Wiki
Boom: ac0eaedf16
Aftakkingen Labels
helm-externa...
/
pkg
/
provider
/
webhook
/
webhook.go

webhook.go 6.1 KB
Geschiedenis Ruwe

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6.     http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. 

  15. package webhook
    16. 

  16. 

  17. import (
    18. 

  18. 	"context"
    19. 

  19. 	"encoding/json"
    20. 

  20. 	"fmt"
    21. 

  21. 	"strconv"
    22. 

  22. 	"time"
    23. 

  23. 

  24. 	"github.com/PaesslerAG/jsonpath"
    25. 

  25. 	corev1 "k8s.io/api/core/v1"
    26. 

  26. 	"sigs.k8s.io/controller-runtime/pkg/client"
    27. 

  27. 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
    28. 

  28. 

  29. 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
    30. 

  30. 	"github.com/external-secrets/external-secrets/pkg/common/webhook"
    31. 

  31. 	"github.com/external-secrets/external-secrets/pkg/utils"
    32. 

  32. )
    33. 

  33. 

  34. const (
    35. 

  35. 	errNotImplemented = "not implemented"
    36. 

  36. )
    37. 

  37. 

  38. // https://github.com/external-secrets/external-secrets/issues/644
    39. 

  39. var _ esv1beta1.SecretsClient = &WebHook{}
    40. 

  40. var _ esv1beta1.Provider = &Provider{}
    41. 

  41. 

  42. // Provider satisfies the provider interface.
    43. 

  43. type Provider struct{}
    44. 

  44. 

  45. type WebHook struct {
    46. 

  46. 	wh        webhook.Webhook
    47. 

  47. 	store     esv1beta1.GenericStore
    48. 

  48. 	storeKind string
    49. 

  49. 	url       string
    50. 

  50. }
    51. 

  51. 

  52. func init() {
    53. 

  53. 	esv1beta1.Register(&Provider{}, &esv1beta1.SecretStoreProvider{
    54. 

  54. 		Webhook: &esv1beta1.WebhookProvider{},
    55. 

  55. 	})
    56. 

  56. }
    57. 

  57. 

  58. // Capabilities return the provider supported capabilities (ReadOnly, WriteOnly, ReadWrite).
    59. 

  59. func (p *Provider) Capabilities() esv1beta1.SecretStoreCapabilities {
    60. 

  60. 	return esv1beta1.SecretStoreReadOnly
    61. 

  61. }
    62. 

  62. 

  63. func (p *Provider) NewClient(_ context.Context, store esv1beta1.GenericStore, kube client.Client, namespace string) (esv1beta1.SecretsClient, error) {
    64. 

  64. 	wh := webhook.Webhook{
    65. 

  65. 		Kube:      kube,
    66. 

  66. 		Namespace: namespace,
    67. 

  67. 	}
    68. 

  68. 	whClient := &WebHook{
    69. 

  69. 		store:     store,
    70. 

  70. 		wh:        wh,
    71. 

  71. 		storeKind: store.GetObjectKind().GroupVersionKind().Kind,
    72. 

  72. 	}
    73. 

  73. 	if whClient.storeKind == esv1beta1.ClusterSecretStoreKind {
    74. 

  74. 		whClient.wh.ClusterScoped = true
    75. 

  75. 	}
    76. 

  76. 	provider, err := getProvider(store)
    77. 

  77. 	if err != nil {
    78. 

  78. 		return nil, err
    79. 

  79. 	}
    80. 

  80. 	whClient.url = provider.URL
    81. 

  81. 

  82. 	whClient.wh.HTTP, err = whClient.wh.GetHTTPClient(provider)
    83. 

  83. 	if err != nil {
    84. 

  84. 		return nil, err
    85. 

  85. 	}
    86. 

  86. 	return whClient, nil
    87. 

  87. }
    88. 

  88. 

  89. func (p *Provider) ValidateStore(_ esv1beta1.GenericStore) (admission.Warnings, error) {
    90. 

  90. 	return nil, nil
    91. 

  91. }
    92. 

  92. 

  93. func getProvider(store esv1beta1.GenericStore) (*webhook.Spec, error) {
    94. 

  94. 	spc := store.GetSpec()
    95. 

  95. 	if spc == nil || spc.Provider == nil || spc.Provider.Webhook == nil {
    96. 

  96. 		return nil, fmt.Errorf("missing store provider webhook")
    97. 

  97. 	}
    98. 

  98. 	out := webhook.Spec{}
    99. 

  99. 	d, err := json.Marshal(spc.Provider.Webhook)
    100. 

  100. 	if err != nil {
    101. 

  101. 		return nil, err
    102. 

  102. 	}
    103. 

  103. 	err = json.Unmarshal(d, &out)
    104. 

  104. 	return &out, err
    105. 

  105. }
    106. 

  106. 

  107. func (w *WebHook) DeleteSecret(_ context.Context, _ esv1beta1.PushSecretRemoteRef) error {
    108. 

  108. 	return fmt.Errorf(errNotImplemented)
    109. 

  109. }
    110. 

  110. 

  111. func (w *WebHook) SecretExists(_ context.Context, _ esv1beta1.PushSecretRemoteRef) (bool, error) {
    112. 

  112. 	return false, fmt.Errorf(errNotImplemented)
    113. 

  113. }
    114. 

  114. 

  115. // Not Implemented PushSecret.
    116. 

  116. func (w *WebHook) PushSecret(_ context.Context, _ *corev1.Secret, _ esv1beta1.PushSecretData) error {
    117. 

  117. 	return fmt.Errorf(errNotImplemented)
    118. 

  118. }
    119. 

  119. 

  120. // Empty GetAllSecrets.
    121. 

  121. func (w *WebHook) GetAllSecrets(_ context.Context, _ esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
    122. 

  122. 	// TO be implemented
    123. 

  123. 	return nil, fmt.Errorf(errNotImplemented)
    124. 

  124. }
    125. 

  125. 

  126. func (w *WebHook) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
    127. 

  127. 	provider, err := getProvider(w.store)
    128. 

  128. 	if err != nil {
    129. 

  129. 		return nil, fmt.Errorf("failed to get store: %w", err)
    130. 

  130. 	}
    131. 

  131. 	result, err := w.wh.GetWebhookData(ctx, provider, &ref)
    132. 

  132. 	if err != nil {
    133. 

  133. 		return nil, err
    134. 

  134. 	}
    135. 

  135. 	// Only parse as json if we have a jsonpath set
    136. 

  136. 	data, err := w.wh.GetTemplateData(ctx, &ref, provider.Secrets)
    137. 

  137. 	if err != nil {
    138. 

  138. 		return nil, err
    139. 

  139. 	}
    140. 

  140. 	resultJSONPath, err := webhook.ExecuteTemplateString(provider.Result.JSONPath, data)
    141. 

  141. 	if err != nil {
    142. 

  142. 		return nil, err
    143. 

  143. 	}
    144. 

  144. 	if resultJSONPath != "" {
    145. 

  145. 		jsondata := any(nil)
    146. 

  146. 		if err := json.Unmarshal(result, &jsondata); err != nil {
    147. 

  147. 			return nil, fmt.Errorf("failed to parse response json: %w", err)
    148. 

  148. 		}
    149. 

  149. 		jsondata, err = jsonpath.Get(resultJSONPath, jsondata)
    150. 

  150. 		if err != nil {
    151. 

  151. 			return nil, fmt.Errorf("failed to get response path %s: %w", resultJSONPath, err)
    152. 

  152. 		}
    153. 

  153. 		return extractSecretData(jsondata)
    154. 

  154. 	}
    155. 

  155. 

  156. 	return result, nil
    157. 

  157. }
    158. 

  158. 

  159. // tries to extract data from an any
    160. 

  160. // it is supposed to return a single value.
    161. 

  161. func extractSecretData(jsondata any) ([]byte, error) {
    162. 

  162. 	switch val := jsondata.(type) {
    163. 

  163. 	case bool:
    164. 

  164. 		return []byte(strconv.FormatBool(val)), nil
    165. 

  165. 	case nil:
    166. 

  166. 		return []byte{}, nil
    167. 

  167. 	case int:
    168. 

  168. 		return []byte(strconv.Itoa(val)), nil
    169. 

  169. 	case float64:
    170. 

  170. 		return []byte(strconv.FormatFloat(val, 'f', 0, 64)), nil
    171. 

  171. 	case []byte:
    172. 

  172. 		return val, nil
    173. 

  173. 	case string:
    174. 

  174. 		return []byte(val), nil
    175. 

  175. 

  176. 	// due to backwards compatibility we must keep this!
    177. 

  177. 	// in case we see a []something we pick the first element and return it
    178. 

  178. 	case []any:
    179. 

  179. 		if len(val) == 0 {
    180. 

  180. 			return nil, fmt.Errorf("filter worked but didn't get any result")
    181. 

  181. 		}
    182. 

  182. 		return extractSecretData(val[0])
    183. 

  183. 

  184. 	// in case we encounter a map we serialize it instead of erroring out
    185. 

  185. 	// The user should use that data from within a template and figure
    186. 

  186. 	// out how to deal with it.
    187. 

  187. 	case map[string]any:
    188. 

  188. 		return json.Marshal(val)
    189. 

  189. 	default:
    190. 

  190. 		return nil, fmt.Errorf("failed to get response (wrong type: %T)", jsondata)
    191. 

  191. 	}
    192. 

  192. }
    193. 

  193. 

  194. func (w *WebHook) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
    195. 

  195. 	provider, err := getProvider(w.store)
    196. 

  196. 	if err != nil {
    197. 

  197. 		return nil, fmt.Errorf("failed to get store: %w", err)
    198. 

  198. 	}
    199. 

  199. 	return w.wh.GetSecretMap(ctx, provider, &ref)
    200. 

  200. }
    201. 

  201. 

  202. func (w *WebHook) Close(_ context.Context) error {
    203. 

  203. 	return nil
    204. 

  204. }
    205. 

  205. 

  206. func (w *WebHook) Validate() (esv1beta1.ValidationResult, error) {
    207. 

  207. 	timeout := 15 * time.Second
    208. 

  208. 	url := w.url
    209. 

  209. 

  210. 	if err := utils.NetworkValidate(url, timeout); err != nil {
    211. 

  211. 		return esv1beta1.ValidationResultError, err
    212. 

  212. 	}
    213. 

  213. 	return esv1beta1.ValidationResultReady, nil
    214. 

  214. }
    215.