client.go 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408
  1. /*
  2. Licensed under the Apache License, Version 2.0 (the "License");
  3. you may not use this file except in compliance with the License.
  4. You may obtain a copy of the License at
  5. http://www.apache.org/licenses/LICENSE-2.0
  6. Unless required by applicable law or agreed to in writing, software
  7. distributed under the License is distributed on an "AS IS" BASIS,
  8. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  9. See the License for the specific language governing permissions and
  10. limitations under the License.
  11. */
  12. package secretmanager
  13. import (
  14. "bytes"
  15. "context"
  16. "encoding/json"
  17. "errors"
  18. "fmt"
  19. "strconv"
  20. "strings"
  21. secretmanager "cloud.google.com/go/secretmanager/apiv1"
  22. "github.com/googleapis/gax-go/v2"
  23. "github.com/googleapis/gax-go/v2/apierror"
  24. "github.com/tidwall/gjson"
  25. "google.golang.org/api/iterator"
  26. secretmanagerpb "google.golang.org/genproto/googleapis/cloud/secretmanager/v1"
  27. "google.golang.org/grpc/codes"
  28. ctrl "sigs.k8s.io/controller-runtime"
  29. kclient "sigs.k8s.io/controller-runtime/pkg/client"
  30. esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
  31. "github.com/external-secrets/external-secrets/pkg/find"
  32. "github.com/external-secrets/external-secrets/pkg/utils"
  33. )
  34. const (
  35. CloudPlatformRole = "https://www.googleapis.com/auth/cloud-platform"
  36. defaultVersion = "latest"
  37. errGCPSMStore = "received invalid GCPSM SecretStore resource"
  38. errUnableGetCredentials = "unable to get credentials: %w"
  39. errClientClose = "unable to close SecretManager client: %w"
  40. errMissingStoreSpec = "invalid: missing store spec"
  41. errInvalidClusterStoreMissingSAKNamespace = "invalid ClusterSecretStore: missing GCP SecretAccessKey Namespace"
  42. errInvalidClusterStoreMissingSANamespace = "invalid ClusterSecretStore: missing GCP Service Account Namespace"
  43. errFetchSAKSecret = "could not fetch SecretAccessKey secret: %w"
  44. errMissingSAK = "missing SecretAccessKey"
  45. errUnableProcessJSONCredentials = "failed to process the provided JSON credentials: %w"
  46. errUnableCreateGCPSMClient = "failed to create GCP secretmanager client: %w"
  47. errUninitalizedGCPProvider = "provider GCP is not initialized"
  48. errClientGetSecretAccess = "unable to access Secret from SecretManager Client: %w"
  49. errJSONSecretUnmarshal = "unable to unmarshal secret: %w"
  50. errInvalidStore = "invalid store"
  51. errInvalidStoreSpec = "invalid store spec"
  52. errInvalidStoreProv = "invalid store provider"
  53. errInvalidGCPProv = "invalid gcp secrets manager provider"
  54. errInvalidAuthSecretRef = "invalid auth secret ref: %w"
  55. errInvalidWISARef = "invalid workload identity service account reference: %w"
  56. errUnexpectedFindOperator = "unexpected find operator"
  57. )
  58. type Client struct {
  59. smClient GoogleSecretManagerClient
  60. kube kclient.Client
  61. store *esv1beta1.GCPSMProvider
  62. // namespace of the external secret
  63. namespace string
  64. workloadIdentity *workloadIdentity
  65. }
  66. type GoogleSecretManagerClient interface {
  67. DeleteSecret(ctx context.Context, req *secretmanagerpb.DeleteSecretRequest, opts ...gax.CallOption) error
  68. AccessSecretVersion(ctx context.Context, req *secretmanagerpb.AccessSecretVersionRequest, opts ...gax.CallOption) (*secretmanagerpb.AccessSecretVersionResponse, error)
  69. ListSecrets(ctx context.Context, req *secretmanagerpb.ListSecretsRequest, opts ...gax.CallOption) *secretmanager.SecretIterator
  70. AddSecretVersion(ctx context.Context, req *secretmanagerpb.AddSecretVersionRequest, opts ...gax.CallOption) (*secretmanagerpb.SecretVersion, error)
  71. CreateSecret(ctx context.Context, req *secretmanagerpb.CreateSecretRequest, opts ...gax.CallOption) (*secretmanagerpb.Secret, error)
  72. Close() error
  73. GetSecret(ctx context.Context, req *secretmanagerpb.GetSecretRequest, opts ...gax.CallOption) (*secretmanagerpb.Secret, error)
  74. }
  75. var log = ctrl.Log.WithName("provider").WithName("gcp").WithName("secretsmanager")
  76. func (c *Client) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushRemoteRef) error {
  77. var gcpSecret *secretmanagerpb.Secret
  78. var err error
  79. gcpSecret, err = c.smClient.GetSecret(ctx, &secretmanagerpb.GetSecretRequest{
  80. Name: fmt.Sprintf("projects/%s/secrets/%s", c.store.ProjectID, remoteRef.GetRemoteKey()),
  81. })
  82. var gErr *apierror.APIError
  83. if errors.As(err, &gErr) {
  84. if gErr.GRPCStatus().Code() == codes.NotFound {
  85. return nil
  86. }
  87. return err
  88. }
  89. if err != nil {
  90. return err
  91. }
  92. manager, ok := gcpSecret.Labels["managed-by"]
  93. if !ok || manager != "external-secrets" {
  94. return nil
  95. }
  96. deleteSecretVersionReq := &secretmanagerpb.DeleteSecretRequest{
  97. Name: fmt.Sprintf("projects/%s/secrets/%s", c.store.ProjectID, remoteRef.GetRemoteKey()),
  98. }
  99. return c.smClient.DeleteSecret(ctx, deleteSecretVersionReq)
  100. }
  101. // SetSecret pushes a kubernetes secret key into gcp provider Secret.
  102. func (c *Client) SetSecret(ctx context.Context, payload []byte, remoteRef esv1beta1.PushRemoteRef) error {
  103. createSecretReq := &secretmanagerpb.CreateSecretRequest{
  104. Parent: fmt.Sprintf("projects/%s", c.store.ProjectID),
  105. SecretId: remoteRef.GetRemoteKey(),
  106. Secret: &secretmanagerpb.Secret{
  107. Labels: map[string]string{
  108. "managed-by": "external-secrets",
  109. },
  110. Replication: &secretmanagerpb.Replication{
  111. Replication: &secretmanagerpb.Replication_Automatic_{
  112. Automatic: &secretmanagerpb.Replication_Automatic{},
  113. },
  114. },
  115. },
  116. }
  117. var gcpSecret *secretmanagerpb.Secret
  118. var err error
  119. gcpSecret, err = c.smClient.GetSecret(ctx, &secretmanagerpb.GetSecretRequest{
  120. Name: fmt.Sprintf("projects/%s/secrets/%s", c.store.ProjectID, remoteRef.GetRemoteKey()),
  121. })
  122. var gErr *apierror.APIError
  123. if err != nil && errors.As(err, &gErr) {
  124. if gErr.GRPCStatus().Code() == codes.NotFound {
  125. gcpSecret, err = c.smClient.CreateSecret(ctx, createSecretReq)
  126. if err != nil {
  127. return err
  128. }
  129. } else {
  130. return err
  131. }
  132. }
  133. manager, ok := gcpSecret.Labels["managed-by"]
  134. if !ok || manager != "external-secrets" {
  135. return fmt.Errorf("secret %v is not managed by external secrets", remoteRef.GetRemoteKey())
  136. }
  137. gcpVersion, err := c.smClient.AccessSecretVersion(ctx, &secretmanagerpb.AccessSecretVersionRequest{
  138. Name: fmt.Sprintf("projects/%s/secrets/%s/versions/latest", c.store.ProjectID, remoteRef.GetRemoteKey()),
  139. })
  140. if errors.As(err, &gErr) {
  141. if err != nil && gErr.GRPCStatus().Code() != codes.NotFound {
  142. return err
  143. }
  144. } else if err != nil {
  145. return err
  146. }
  147. if gcpVersion != nil && gcpVersion.Payload != nil && bytes.Equal(payload, gcpVersion.Payload.Data) {
  148. return nil
  149. }
  150. addSecretVersionReq := &secretmanagerpb.AddSecretVersionRequest{
  151. Parent: fmt.Sprintf("projects/%s/secrets/%s", c.store.ProjectID, remoteRef.GetRemoteKey()),
  152. Payload: &secretmanagerpb.SecretPayload{
  153. Data: payload,
  154. },
  155. }
  156. _, err = c.smClient.AddSecretVersion(ctx, addSecretVersionReq)
  157. if err != nil {
  158. return err
  159. }
  160. return nil
  161. }
  162. // GetAllSecrets syncs multiple secrets from gcp provider into a single Kubernetes Secret.
  163. func (c *Client) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
  164. if ref.Name != nil {
  165. return c.findByName(ctx, ref)
  166. }
  167. if len(ref.Tags) > 0 {
  168. return c.findByTags(ctx, ref)
  169. }
  170. return nil, errors.New(errUnexpectedFindOperator)
  171. }
  172. func (c *Client) findByName(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
  173. // regex matcher
  174. matcher, err := find.New(*ref.Name)
  175. if err != nil {
  176. return nil, err
  177. }
  178. req := &secretmanagerpb.ListSecretsRequest{
  179. Parent: fmt.Sprintf("projects/%s", c.store.ProjectID),
  180. }
  181. if ref.Path != nil {
  182. req.Filter = fmt.Sprintf("name:%s", *ref.Path)
  183. }
  184. // Call the API.
  185. it := c.smClient.ListSecrets(ctx, req)
  186. secretMap := make(map[string][]byte)
  187. for {
  188. resp, err := it.Next()
  189. if errors.Is(err, iterator.Done) {
  190. break
  191. }
  192. if err != nil {
  193. return nil, fmt.Errorf("failed to list secrets: %w", err)
  194. }
  195. log.V(1).Info("gcp sm findByName found", "secrets", strconv.Itoa(it.PageInfo().Remaining()))
  196. key := c.trimName(resp.Name)
  197. // If we don't match we skip.
  198. // Also, if we have path, and it is not at the beguining we skip.
  199. // We have to check if path is at the beguining of the key because
  200. // there is no way to create a `name:%s*` (starts with) filter
  201. // At https://cloud.google.com/secret-manager/docs/filtering you can use `*`
  202. // but not like that it seems.
  203. if !matcher.MatchName(key) || (ref.Path != nil && !strings.HasPrefix(key, *ref.Path)) {
  204. continue
  205. }
  206. log.V(1).Info("gcp sm findByName matches", "name", resp.Name)
  207. secretMap[key], err = c.getData(ctx, key)
  208. if err != nil {
  209. return nil, err
  210. }
  211. }
  212. return utils.ConvertKeys(ref.ConversionStrategy, secretMap)
  213. }
  214. func (c *Client) getData(ctx context.Context, key string) ([]byte, error) {
  215. dataRef := esv1beta1.ExternalSecretDataRemoteRef{
  216. Key: key,
  217. }
  218. data, err := c.GetSecret(ctx, dataRef)
  219. if err != nil {
  220. return []byte(""), err
  221. }
  222. return data, nil
  223. }
  224. func (c *Client) findByTags(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
  225. var tagFilter string
  226. for k, v := range ref.Tags {
  227. tagFilter = fmt.Sprintf("%slabels.%s=%s ", tagFilter, k, v)
  228. }
  229. tagFilter = strings.TrimSuffix(tagFilter, " ")
  230. if ref.Path != nil {
  231. tagFilter = fmt.Sprintf("%s name:%s", tagFilter, *ref.Path)
  232. }
  233. req := &secretmanagerpb.ListSecretsRequest{
  234. Parent: fmt.Sprintf("projects/%s", c.store.ProjectID),
  235. }
  236. log.V(1).Info("gcp sm findByTags", "tagFilter", tagFilter)
  237. req.Filter = tagFilter
  238. // Call the API.
  239. it := c.smClient.ListSecrets(ctx, req)
  240. secretMap := make(map[string][]byte)
  241. for {
  242. resp, err := it.Next()
  243. if errors.Is(err, iterator.Done) {
  244. break
  245. }
  246. if err != nil {
  247. return nil, fmt.Errorf("failed to list secrets: %w", err)
  248. }
  249. key := c.trimName(resp.Name)
  250. if ref.Path != nil && !strings.HasPrefix(key, *ref.Path) {
  251. continue
  252. }
  253. log.V(1).Info("gcp sm findByTags matches tags", "name", resp.Name)
  254. secretMap[key], err = c.getData(ctx, key)
  255. if err != nil {
  256. return nil, err
  257. }
  258. }
  259. return utils.ConvertKeys(ref.ConversionStrategy, secretMap)
  260. }
  261. func (c *Client) trimName(name string) string {
  262. projectIDNumuber := c.extractProjectIDNumber(name)
  263. key := strings.TrimPrefix(name, fmt.Sprintf("projects/%s/secrets/", projectIDNumuber))
  264. return key
  265. }
  266. // extractProjectIDNumber grabs the project id from the full name returned by gcp api
  267. // gcp api seems to always return the number and not the project name
  268. // (and users would always use the name, while requests accept both).
  269. func (c *Client) extractProjectIDNumber(secretFullName string) string {
  270. s := strings.Split(secretFullName, "/")
  271. ProjectIDNumuber := s[1]
  272. return ProjectIDNumuber
  273. }
  274. // GetSecret returns a single secret from the provider.
  275. func (c *Client) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
  276. if utils.IsNil(c.smClient) || c.store.ProjectID == "" {
  277. return nil, fmt.Errorf(errUninitalizedGCPProvider)
  278. }
  279. version := ref.Version
  280. if version == "" {
  281. version = defaultVersion
  282. }
  283. req := &secretmanagerpb.AccessSecretVersionRequest{
  284. Name: fmt.Sprintf("projects/%s/secrets/%s/versions/%s", c.store.ProjectID, ref.Key, version),
  285. }
  286. result, err := c.smClient.AccessSecretVersion(ctx, req)
  287. if err != nil {
  288. return nil, fmt.Errorf(errClientGetSecretAccess, err)
  289. }
  290. if ref.Property == "" {
  291. if result.Payload.Data != nil {
  292. return result.Payload.Data, nil
  293. }
  294. return nil, fmt.Errorf("invalid secret received. no secret string for key: %s", ref.Key)
  295. }
  296. var payload string
  297. if result.Payload.Data != nil {
  298. payload = string(result.Payload.Data)
  299. }
  300. idx := strings.Index(ref.Property, ".")
  301. refProperty := ref.Property
  302. if idx > 0 {
  303. refProperty = strings.ReplaceAll(refProperty, ".", "\\.")
  304. val := gjson.Get(payload, refProperty)
  305. if val.Exists() {
  306. return []byte(val.String()), nil
  307. }
  308. }
  309. val := gjson.Get(payload, ref.Property)
  310. if !val.Exists() {
  311. return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Property, ref.Key)
  312. }
  313. return []byte(val.String()), nil
  314. }
  315. // GetSecretMap returns multiple k/v pairs from the provider.
  316. func (c *Client) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
  317. if c.smClient == nil || c.store.ProjectID == "" {
  318. return nil, fmt.Errorf(errUninitalizedGCPProvider)
  319. }
  320. data, err := c.GetSecret(ctx, ref)
  321. if err != nil {
  322. return nil, err
  323. }
  324. kv := make(map[string]json.RawMessage)
  325. err = json.Unmarshal(data, &kv)
  326. if err != nil {
  327. return nil, fmt.Errorf(errJSONSecretUnmarshal, err)
  328. }
  329. secretData := make(map[string][]byte)
  330. for k, v := range kv {
  331. var strVal string
  332. err = json.Unmarshal(v, &strVal)
  333. if err == nil {
  334. secretData[k] = []byte(strVal)
  335. } else {
  336. secretData[k] = v
  337. }
  338. }
  339. return secretData, nil
  340. }
  341. func (c *Client) Close(ctx context.Context) error {
  342. var err error
  343. if c.smClient != nil {
  344. err = c.smClient.Close()
  345. }
  346. if c.workloadIdentity != nil {
  347. err = c.workloadIdentity.Close()
  348. }
  349. useMu.Unlock()
  350. if err != nil {
  351. return fmt.Errorf(errClientClose, err)
  352. }
  353. return nil
  354. }
  355. func (c *Client) Validate() (esv1beta1.ValidationResult, error) {
  356. return esv1beta1.ValidationResultReady, nil
  357. }