Domů Procházet Nápověda
Přihlásit se
logic855
/
helm-external-secrets
zrcadlo https://github.com/external-secrets/external-secrets
1
0
Rozštěpit 0
Soubory Úkoly 0 Wiki
Strom: aed3d30736
Větve Značky
helm-externa...
/
pkg
/
provider
/
webhook
/
webhook.go

webhook.go 11 KB
Historie Surový

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6.     http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. 

  15. package webhook
    16. 

  16. 

  17. import (
    18. 

  18. 	"bytes"
    19. 

  19. 	"context"
    20. 

  20. 	"crypto/tls"
    21. 

  21. 	"crypto/x509"
    22. 

  22. 	"fmt"
    23. 

  23. 	"io"
    24. 

  24. 	"net/http"
    25. 

  25. 	"net/url"
    26. 

  26. 	"strings"
    27. 

  27. 	tpl "text/template"
    28. 

  28. 

  29. 	"github.com/Masterminds/sprig"
    30. 

  30. 	"github.com/PaesslerAG/jsonpath"
    31. 

  31. 	"gopkg.in/yaml.v3"
    32. 

  32. 	corev1 "k8s.io/api/core/v1"
    33. 

  33. 	"sigs.k8s.io/controller-runtime/pkg/client"
    34. 

  34. 

  35. 	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
    36. 

  36. 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
    37. 

  37. 	"github.com/external-secrets/external-secrets/pkg/provider"
    38. 

  38. 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
    39. 

  39. 	"github.com/external-secrets/external-secrets/pkg/template"
    40. 

  40. )
    41. 

  41. 

  42. // Provider satisfies the provider interface.
    43. 

  43. type Provider struct{}
    44. 

  44. 

  45. type WebHook struct {
    46. 

  46. 	kube      client.Client
    47. 

  47. 	store     esv1alpha1.GenericStore
    48. 

  48. 	namespace string
    49. 

  49. 	storeKind string
    50. 

  50. }
    51. 

  51. 

  52. func init() {
    53. 

  53. 	schema.Register(&Provider{}, &esv1alpha1.SecretStoreProvider{
    54. 

  54. 		Webhook: &esv1alpha1.WebhookProvider{},
    55. 

  55. 	})
    56. 

  56. }
    57. 

  57. 

  58. func (p *Provider) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
    59. 

  59. 	whClient := &WebHook{
    60. 

  60. 		kube:      kube,
    61. 

  61. 		store:     store,
    62. 

  62. 		namespace: namespace,
    63. 

  63. 		storeKind: store.GetObjectKind().GroupVersionKind().Kind,
    64. 

  64. 	}
    65. 

  65. 	return whClient, nil
    66. 

  66. }
    67. 

  67. 

  68. func getProvider(store esv1alpha1.GenericStore) (*esv1alpha1.WebhookProvider, error) {
    69. 

  69. 	spc := store.GetSpec()
    70. 

  70. 	if spc == nil || spc.Provider == nil || spc.Provider.Webhook == nil {
    71. 

  71. 		return nil, fmt.Errorf("missing store provider webhook")
    72. 

  72. 	}
    73. 

  73. 	return spc.Provider.Webhook, nil
    74. 

  74. }
    75. 

  75. 

  76. func (w *WebHook) getStoreSecret(ctx context.Context, ref esmeta.SecretKeySelector) (*corev1.Secret, error) {
    77. 

  77. 	ke := client.ObjectKey{
    78. 

  78. 		Name:      ref.Name,
    79. 

  79. 		Namespace: w.namespace,
    80. 

  80. 	}
    81. 

  81. 	if w.storeKind == esv1alpha1.ClusterSecretStoreKind {
    82. 

  82. 		if ref.Namespace == nil {
    83. 

  83. 			return nil, fmt.Errorf("no namespace on ClusterSecretStore webhook secret %s", ref.Name)
    84. 

  84. 		}
    85. 

  85. 		ke.Namespace = *ref.Namespace
    86. 

  86. 	}
    87. 

  87. 	secret := &corev1.Secret{}
    88. 

  88. 	if err := w.kube.Get(ctx, ke, secret); err != nil {
    89. 

  89. 		return nil, fmt.Errorf("failed to get clustersecretstore webhook secret %s: %w", ref.Name, err)
    90. 

  90. 	}
    91. 

  91. 	return secret, nil
    92. 

  92. }
    93. 

  93. 

  94. func (w *WebHook) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
    95. 

  95. 	provider, err := getProvider(w.store)
    96. 

  96. 	if err != nil {
    97. 

  97. 		return nil, fmt.Errorf("failed to get store: %w", err)
    98. 

  98. 	}
    99. 

  99. 	result, err := w.getWebhookData(ctx, provider, ref)
    100. 

  100. 	if err != nil {
    101. 

  101. 		return nil, err
    102. 

  102. 	}
    103. 

  103. 	// Only parse as json if we have a jsonpath set
    104. 

  104. 	if provider.Result.JSONPath != "" {
    105. 

  105. 		jsondata := interface{}(nil)
    106. 

  106. 		if err := yaml.Unmarshal(result, &jsondata); err != nil {
    107. 

  107. 			return nil, fmt.Errorf("failed to parse response json: %w", err)
    108. 

  108. 		}
    109. 

  109. 		jsondata, err = jsonpath.Get(provider.Result.JSONPath, jsondata)
    110. 

  110. 		if err != nil {
    111. 

  111. 			return nil, fmt.Errorf("failed to get response path %s: %w", provider.Result.JSONPath, err)
    112. 

  112. 		}
    113. 

  113. 		jsonvalue, ok := jsondata.(string)
    114. 

  114. 		if !ok {
    115. 

  115. 			return nil, fmt.Errorf("failed to get response (wrong type: %T)", jsondata)
    116. 

  116. 		}
    117. 

  117. 		return []byte(jsonvalue), nil
    118. 

  118. 	}
    119. 

  119. 

  120. 	return result, nil
    121. 

  121. }
    122. 

  122. 

  123. func (w *WebHook) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
    124. 

  124. 	provider, err := getProvider(w.store)
    125. 

  125. 	if err != nil {
    126. 

  126. 		return nil, fmt.Errorf("failed to get store: %w", err)
    127. 

  127. 	}
    128. 

  128. 	result, err := w.getWebhookData(ctx, provider, ref)
    129. 

  129. 	if err != nil {
    130. 

  130. 		return nil, err
    131. 

  131. 	}
    132. 

  132. 

  133. 	// We always want json here, so just parse it out
    134. 

  134. 	jsondata := interface{}(nil)
    135. 

  135. 	if err := yaml.Unmarshal(result, &jsondata); err != nil {
    136. 

  136. 		return nil, fmt.Errorf("failed to parse response json: %w", err)
    137. 

  137. 	}
    138. 

  138. 	// Get subdata via jsonpath, if given
    139. 

  139. 	if provider.Result.JSONPath != "" {
    140. 

  140. 		jsondata, err = jsonpath.Get(provider.Result.JSONPath, jsondata)
    141. 

  141. 		if err != nil {
    142. 

  142. 			return nil, fmt.Errorf("failed to get response path %s: %w", provider.Result.JSONPath, err)
    143. 

  143. 		}
    144. 

  144. 	}
    145. 

  145. 	// If the value is a string, try to parse it as json
    146. 

  146. 	jsonstring, ok := jsondata.(string)
    147. 

  147. 	if ok {
    148. 

  148. 		// This could also happen if the response was a single json-encoded string
    149. 

  149. 		// but that is an extremely unlikely scenario
    150. 

  150. 		if err := yaml.Unmarshal([]byte(jsonstring), &jsondata); err != nil {
    151. 

  151. 			return nil, fmt.Errorf("failed to parse response json from jsonpath: %w", err)
    152. 

  152. 		}
    153. 

  153. 	}
    154. 

  154. 	// Use the data as a key-value map
    155. 

  155. 	jsonvalue, ok := jsondata.(map[string]interface{})
    156. 

  156. 	if !ok {
    157. 

  157. 		return nil, fmt.Errorf("failed to get response (wrong type: %T)", jsondata)
    158. 

  158. 	}
    159. 

  159. 

  160. 	// Change the map of generic objects to a map of byte arrays
    161. 

  161. 	values := make(map[string][]byte)
    162. 

  162. 	for rKey, rValue := range jsonvalue {
    163. 

  163. 		jVal, ok := rValue.(string)
    164. 

  164. 		if !ok {
    165. 

  165. 			return nil, fmt.Errorf("failed to get response (wrong type in key '%s': %T)", rKey, rValue)
    166. 

  166. 		}
    167. 

  167. 		values[rKey] = []byte(jVal)
    168. 

  168. 	}
    169. 

  169. 	return values, nil
    170. 

  170. }
    171. 

  171. 

  172. func (w *WebHook) getTemplateData(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef, secrets []esv1alpha1.WebhookSecret) (map[string]map[string]string, error) {
    173. 

  173. 	data := map[string]map[string]string{
    174. 

  174. 		"remoteRef": {
    175. 

  175. 			"key":      url.QueryEscape(ref.Key),
    176. 

  176. 			"version":  url.QueryEscape(ref.Version),
    177. 

  177. 			"property": url.QueryEscape(ref.Property),
    178. 

  178. 		},
    179. 

  179. 	}
    180. 

  180. 	for _, secref := range secrets {
    181. 

  181. 		if _, ok := data[secref.Name]; !ok {
    182. 

  182. 			data[secref.Name] = make(map[string]string)
    183. 

  183. 		}
    184. 

  184. 		secret, err := w.getStoreSecret(ctx, secref.SecretRef)
    185. 

  185. 		if err != nil {
    186. 

  186. 			return nil, err
    187. 

  187. 		}
    188. 

  188. 		for sKey, sVal := range secret.Data {
    189. 

  189. 			data[secref.Name][sKey] = string(sVal)
    190. 

  190. 		}
    191. 

  191. 	}
    192. 

  192. 	return data, nil
    193. 

  193. }
    194. 

  194. 

  195. func (w *WebHook) getWebhookData(ctx context.Context, provider *esv1alpha1.WebhookProvider, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
    196. 

  196. 	data, err := w.getTemplateData(ctx, ref, provider.Secrets)
    197. 

  197. 	if err != nil {
    198. 

  198. 		return nil, err
    199. 

  199. 	}
    200. 

  200. 	method := provider.Method
    201. 

  201. 	if method == "" {
    202. 

  202. 		method = "GET"
    203. 

  203. 	}
    204. 

  204. 	url, err := executeTemplateString(provider.URL, data)
    205. 

  205. 	if err != nil {
    206. 

  206. 		return nil, fmt.Errorf("failed to parse url: %w", err)
    207. 

  207. 	}
    208. 

  208. 	body, err := executeTemplate(provider.Body, data)
    209. 

  209. 	if err != nil {
    210. 

  210. 		return nil, fmt.Errorf("failed to parse body: %w", err)
    211. 

  211. 	}
    212. 

  212. 

  213. 	req, err := http.NewRequestWithContext(ctx, method, url, &body)
    214. 

  214. 	if err != nil {
    215. 

  215. 		return nil, fmt.Errorf("failed to create request: %w", err)
    216. 

  216. 	}
    217. 

  217. 	for hKey, hValueTpl := range provider.Headers {
    218. 

  218. 		hValue, err := executeTemplateString(hValueTpl, data)
    219. 

  219. 		if err != nil {
    220. 

  220. 			return nil, fmt.Errorf("failed to parse header %s: %w", hKey, err)
    221. 

  221. 		}
    222. 

  222. 		req.Header.Add(hKey, hValue)
    223. 

  223. 	}
    224. 

  224. 

  225. 	client, err := w.getHTTPClient(provider)
    226. 

  226. 	if err != nil {
    227. 

  227. 		return nil, fmt.Errorf("failed to call endpoint: %w", err)
    228. 

  228. 	}
    229. 

  229. 	resp, err := client.Do(req)
    230. 

  230. 	if err != nil {
    231. 

  231. 		return nil, fmt.Errorf("failed to call endpoint: %w", err)
    232. 

  232. 	}
    233. 

  233. 	defer resp.Body.Close()
    234. 

  234. 	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
    235. 

  235. 		return nil, fmt.Errorf("endpoint gave error %s", resp.Status)
    236. 

  236. 	}
    237. 

  237. 	return io.ReadAll(resp.Body)
    238. 

  238. }
    239. 

  239. 

  240. func (w *WebHook) getHTTPClient(provider *esv1alpha1.WebhookProvider) (*http.Client, error) {
    241. 

  241. 	client := &http.Client{}
    242. 

  242. 	if provider.Timeout != nil {
    243. 

  243. 		client.Timeout = provider.Timeout.Duration
    244. 

  244. 	}
    245. 

  245. 	if len(provider.CABundle) == 0 && provider.CAProvider == nil {
    246. 

  246. 		// No need to process ca stuff if it is not there
    247. 

  247. 		return client, nil
    248. 

  248. 	}
    249. 

  249. 	caCertPool, err := w.getCACertPool(provider)
    250. 

  250. 	if err != nil {
    251. 

  251. 		return nil, err
    252. 

  252. 	}
    253. 

  253. 

  254. 	tlsConf := &tls.Config{
    255. 

  255. 		RootCAs:    caCertPool,
    256. 

  256. 		MinVersion: tls.VersionTLS12,
    257. 

  257. 	}
    258. 

  258. 	client.Transport = &http.Transport{TLSClientConfig: tlsConf}
    259. 

  259. 	return client, nil
    260. 

  260. }
    261. 

  261. 

  262. func (w *WebHook) getCACertPool(provider *esv1alpha1.WebhookProvider) (*x509.CertPool, error) {
    263. 

  263. 	caCertPool := x509.NewCertPool()
    264. 

  264. 	if len(provider.CABundle) > 0 {
    265. 

  265. 		ok := caCertPool.AppendCertsFromPEM(provider.CABundle)
    266. 

  266. 		if !ok {
    267. 

  267. 			return nil, fmt.Errorf("failed to append cabundle")
    268. 

  268. 		}
    269. 

  269. 	}
    270. 

  270. 

  271. 	if provider.CAProvider != nil && w.storeKind == esv1alpha1.ClusterSecretStoreKind && provider.CAProvider.Namespace == nil {
    272. 

  272. 		return nil, fmt.Errorf("missing namespace on CAProvider secret")
    273. 

  273. 	}
    274. 

  274. 

  275. 	if provider.CAProvider != nil {
    276. 

  276. 		var cert []byte
    277. 

  277. 		var err error
    278. 

  278. 

  279. 		switch provider.CAProvider.Type {
    280. 

  280. 		case esv1alpha1.WebhookCAProviderTypeSecret:
    281. 

  281. 			cert, err = w.getCertFromSecret(provider)
    282. 

  282. 		case esv1alpha1.WebhookCAProviderTypeConfigMap:
    283. 

  283. 			cert, err = w.getCertFromConfigMap(provider)
    284. 

  284. 		default:
    285. 

  285. 			err = fmt.Errorf("unknown caprovider type: %s", provider.CAProvider.Type)
    286. 

  286. 		}
    287. 

  287. 

  288. 		if err != nil {
    289. 

  289. 			return nil, err
    290. 

  290. 		}
    291. 

  291. 

  292. 		ok := caCertPool.AppendCertsFromPEM(cert)
    293. 

  293. 		if !ok {
    294. 

  294. 			return nil, fmt.Errorf("failed to append cabundle")
    295. 

  295. 		}
    296. 

  296. 	}
    297. 

  297. 	return caCertPool, nil
    298. 

  298. }
    299. 

  299. 

  300. func (w *WebHook) getCertFromSecret(provider *esv1alpha1.WebhookProvider) ([]byte, error) {
    301. 

  301. 	secretRef := esmeta.SecretKeySelector{
    302. 

  302. 		Name: provider.CAProvider.Name,
    303. 

  303. 		Key:  provider.CAProvider.Key,
    304. 

  304. 	}
    305. 

  305. 

  306. 	if provider.CAProvider.Namespace != nil {
    307. 

  307. 		secretRef.Namespace = provider.CAProvider.Namespace
    308. 

  308. 	}
    309. 

  309. 

  310. 	ctx := context.Background()
    311. 

  311. 	res, err := w.secretKeyRef(ctx, &secretRef)
    312. 

  312. 	if err != nil {
    313. 

  313. 		return nil, err
    314. 

  314. 	}
    315. 

  315. 

  316. 	return []byte(res), nil
    317. 

  317. }
    318. 

  318. 

  319. func (w *WebHook) secretKeyRef(ctx context.Context, secretRef *esmeta.SecretKeySelector) (string, error) {
    320. 

  320. 	secret := &corev1.Secret{}
    321. 

  321. 	ref := client.ObjectKey{
    322. 

  322. 		Namespace: w.namespace,
    323. 

  323. 		Name:      secretRef.Name,
    324. 

  324. 	}
    325. 

  325. 	if (w.storeKind == esv1alpha1.ClusterSecretStoreKind) &&
    326. 

  326. 		(secretRef.Namespace != nil) {
    327. 

  327. 		ref.Namespace = *secretRef.Namespace
    328. 

  328. 	}
    329. 

  329. 	err := w.kube.Get(ctx, ref, secret)
    330. 

  330. 	if err != nil {
    331. 

  331. 		return "", err
    332. 

  332. 	}
    333. 

  333. 

  334. 	keyBytes, ok := secret.Data[secretRef.Key]
    335. 

  335. 	if !ok {
    336. 

  336. 		return "", err
    337. 

  337. 	}
    338. 

  338. 

  339. 	value := string(keyBytes)
    340. 

  340. 	valueStr := strings.TrimSpace(value)
    341. 

  341. 	return valueStr, nil
    342. 

  342. }
    343. 

  343. 

  344. func (w *WebHook) getCertFromConfigMap(provider *esv1alpha1.WebhookProvider) ([]byte, error) {
    345. 

  345. 	objKey := client.ObjectKey{
    346. 

  346. 		Name: provider.CAProvider.Name,
    347. 

  347. 	}
    348. 

  348. 

  349. 	if provider.CAProvider.Namespace != nil {
    350. 

  350. 		objKey.Namespace = *provider.CAProvider.Namespace
    351. 

  351. 	}
    352. 

  352. 

  353. 	configMapRef := &corev1.ConfigMap{}
    354. 

  354. 	ctx := context.Background()
    355. 

  355. 	err := w.kube.Get(ctx, objKey, configMapRef)
    356. 

  356. 	if err != nil {
    357. 

  357. 		return nil, fmt.Errorf("failed to get caprovider secret %s: %w", objKey.Name, err)
    358. 

  358. 	}
    359. 

  359. 

  360. 	val, ok := configMapRef.Data[provider.CAProvider.Key]
    361. 

  361. 	if !ok {
    362. 

  362. 		return nil, fmt.Errorf("failed to get caprovider configmap %s -> %s", objKey.Name, provider.CAProvider.Key)
    363. 

  363. 	}
    364. 

  364. 

  365. 	return []byte(val), nil
    366. 

  366. }
    367. 

  367. 

  368. func (w *WebHook) Close(ctx context.Context) error {
    369. 

  369. 	return nil
    370. 

  370. }
    371. 

  371. 

  372. func executeTemplateString(tmpl string, data map[string]map[string]string) (string, error) {
    373. 

  373. 	result, err := executeTemplate(tmpl, data)
    374. 

  374. 	if err != nil {
    375. 

  375. 		return "", err
    376. 

  376. 	}
    377. 

  377. 	return result.String(), nil
    378. 

  378. }
    379. 

  379. 

  380. func executeTemplate(tmpl string, data map[string]map[string]string) (bytes.Buffer, error) {
    381. 

  381. 	var result bytes.Buffer
    382. 

  382. 	if tmpl == "" {
    383. 

  383. 		return result, nil
    384. 

  384. 	}
    385. 

  385. 	urlt, err := tpl.New("webhooktemplate").Funcs(sprig.TxtFuncMap()).Funcs(template.FuncMap()).Parse(tmpl)
    386. 

  386. 	if err != nil {
    387. 

  387. 		return result, err
    388. 

  388. 	}
    389. 

  389. 	if err := urlt.Execute(&result, data); err != nil {
    390. 

  390. 		return result, err
    391. 

  391. 	}
    392. 

  392. 	return result, nil
    393. 

  393. }
    394.