Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: c3197051cb
Branches Tags
helm-externa...
/
pkg
/
provider
/
gcp
/
secretmanager
/
secretsmanager.go

secretsmanager.go 6.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6.     http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. package secretmanager
    15. 

  15. 

  16. import (
    17. 

  17. 	"context"
    18. 

  18. 	"fmt"
    19. 

  19. 	"log"
    20. 

  20. 

  21. 	"cloud.google.com/go/iam"
    22. 

  22. 	secretmanager "cloud.google.com/go/secretmanager/apiv1"
    23. 

  23. 	"github.com/googleapis/gax-go"
    24. 

  24. 	"golang.org/x/oauth2/google"
    25. 

  25. 	"google.golang.org/api/option"
    26. 

  26. 	secretmanagerpb "google.golang.org/genproto/googleapis/cloud/secretmanager/v1"
    27. 

  27. 	iampb "google.golang.org/genproto/googleapis/iam/v1"
    28. 

  28. 	"google.golang.org/grpc"
    29. 

  29. 	corev1 "k8s.io/api/core/v1"
    30. 

  30. 	"k8s.io/apimachinery/pkg/types"
    31. 

  31. 	"sigs.k8s.io/controller-runtime/pkg/client"
    32. 

  32. 

  33. 	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
    34. 

  34. 	"github.com/external-secrets/external-secrets/pkg/provider"
    35. 

  35. 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
    36. 

  36. )
    37. 

  37. 

  38. const (
    39. 

  39. 	cloudPlatformRole = "https://www.googleapis.com/auth/cloud-platform"
    40. 

  40. 	defaultVersion    = "latest"
    41. 

  41. )
    42. 

  42. 

  43. type GoogleSecretManagerClient interface {
    44. 

  44. 	AccessSecretVersion(ctx context.Context, req *secretmanagerpb.AccessSecretVersionRequest, opts ...gax.CallOption) (*secretmanagerpb.AccessSecretVersionResponse, error)
    45. 

  45. 	AddSecretVersion(ctx context.Context, req *secretmanagerpb.AddSecretVersionRequest, opts ...gax.CallOption) (*secretmanagerpb.SecretVersion, error)
    46. 

  46. 	Connection() *grpc.ClientConn
    47. 

  47. 	CreateSecret(ctx context.Context, req *secretmanagerpb.CreateSecretRequest, opts ...gax.CallOption) (*secretmanagerpb.Secret, error)
    48. 

  48. 	DeleteSecret(ctx context.Context, req *secretmanagerpb.DeleteSecretRequest, opts ...gax.CallOption) error
    49. 

  49. 	DestroySecretVersion(ctx context.Context, req *secretmanagerpb.DestroySecretVersionRequest, opts ...gax.CallOption) (*secretmanagerpb.SecretVersion, error)
    50. 

  50. 	DisableSecretVersion(ctx context.Context, req *secretmanagerpb.DisableSecretVersionRequest, opts ...gax.CallOption) (*secretmanagerpb.SecretVersion, error)
    51. 

  51. 	EnableSecretVersion(ctx context.Context, req *secretmanagerpb.EnableSecretVersionRequest, opts ...gax.CallOption) (*secretmanagerpb.SecretVersion, error)
    52. 

  52. 	GetIamPolicy(ctx context.Context, req *iampb.GetIamPolicyRequest, opts ...gax.CallOption) (*iampb.Policy, error)
    53. 

  53. 	GetSecret(ctx context.Context, req *secretmanagerpb.GetSecretRequest, opts ...gax.CallOption) (*secretmanagerpb.Secret, error)
    54. 

  54. 	GetSecretVersion(ctx context.Context, req *secretmanagerpb.GetSecretVersionRequest, opts ...gax.CallOption) (*secretmanagerpb.SecretVersion, error)
    55. 

  55. 	IAM(name string) *iam.Handle
    56. 

  56. 	ListSecretVersions(ctx context.Context, req *secretmanagerpb.ListSecretVersionsRequest, opts ...gax.CallOption) *secretmanager.SecretVersionIterator
    57. 

  57. 	ListSecrets(ctx context.Context, req *secretmanagerpb.ListSecretsRequest, opts ...gax.CallOption) *secretmanager.SecretIterator
    58. 

  58. 	SetIamPolicy(ctx context.Context, req *iampb.SetIamPolicyRequest, opts ...gax.CallOption) (*iampb.Policy, error)
    59. 

  59. 	TestIamPermissions(ctx context.Context, req *iampb.TestIamPermissionsRequest, opts ...gax.CallOption) (*iampb.TestIamPermissionsResponse, error)
    60. 

  60. 	UpdateSecret(ctx context.Context, req *secretmanagerpb.UpdateSecretRequest, opts ...gax.CallOption) (*secretmanagerpb.Secret, error)
    61. 

  61. 	Close() error
    62. 

  62. }
    63. 

  63. 

  64. // GCP is a provider for GCP Secret Manager.
    65. 

  65. type GCP struct {
    66. 

  66. 	projectID           string
    67. 

  67. 	SecretManagerClient GoogleSecretManagerClient
    68. 

  68. }
    69. 

  69. 

  70. // New constructs a GCP Provider.
    71. 

  71. func (sm *GCP) New(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string) (provider.Provider, error) {
    72. 

  72. 	// Fetch credential Secret
    73. 

  73. 	credentialsSecret := &corev1.Secret{}
    74. 

  74. 	credentialsSecretName := store.GetSpec().Provider.GCPSM.Auth.SecretRef.SecretAccessKey.Name
    75. 

  75. 	objectKey := types.NamespacedName{Name: credentialsSecretName, Namespace: store.GetNamespace()}
    76. 

  76. 	err := kube.Get(ctx, objectKey, credentialsSecret)
    77. 

  77. 	if err != nil {
    78. 

  78. 		log.Panicf(err.Error(), "Failed to get credentials Secret")
    79. 

  79. 		return nil, err
    80. 

  80. 	}
    81. 

  81. 

  82. 	credentials := credentialsSecret.Data[store.GetSpec().Provider.GCPSM.Auth.SecretRef.SecretAccessKey.Key]
    83. 

  83. 	if len(credentials) == 0 {
    84. 

  84. 		return nil, fmt.Errorf("credentials GCP invalid/not provided")
    85. 

  85. 	}
    86. 

  86. 

  87. 	projectID := store.GetSpec().Provider.GCPSM.ProjectID
    88. 

  88. 

  89. 	sm.projectID = projectID
    90. 

  90. 

  91. 	config, err := google.JWTConfigFromJSON(credentials, cloudPlatformRole)
    92. 

  92. 	if err != nil {
    93. 

  93. 		log.Panicf(err.Error(), "Failed to process the provided JSON credentials")
    94. 

  94. 		return nil, err
    95. 

  95. 	}
    96. 

  96. 

  97. 	ts := config.TokenSource(ctx)
    98. 

  98. 

  99. 	client, err := secretmanager.NewClient(ctx, option.WithTokenSource(ts))
    100. 

  100. 	if err != nil {
    101. 

  101. 		return nil, fmt.Errorf("failed to create GCP secretmanager client: %w", err)
    102. 

  102. 	}
    103. 

  103. 	sm.SecretManagerClient = client
    104. 

  104. 	return sm, nil
    105. 

  105. }
    106. 

  106. 

  107. // GetSecret returns a single secret from the provider.
    108. 

  108. func (sm *GCP) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
    109. 

  109. 	if sm.SecretManagerClient == nil || sm.projectID == "" {
    110. 

  110. 		return nil, fmt.Errorf("provider GCP is not initialized")
    111. 

  111. 	}
    112. 

  112. 

  113. 	version := ref.Version
    114. 

  114. 	if version == "" {
    115. 

  115. 		version = defaultVersion
    116. 

  116. 	}
    117. 

  117. 

  118. 	resourceName := fmt.Sprintf("projects/%s/secrets/%s/versions/%s", sm.projectID, ref.Key, version)
    119. 

  119. 

  120. 	req := &secretmanagerpb.AccessSecretVersionRequest{
    121. 

  121. 		Name: resourceName,
    122. 

  122. 	}
    123. 

  123. 

  124. 	result, err := sm.SecretManagerClient.AccessSecretVersion(ctx, req)
    125. 

  125. 	if err != nil {
    126. 

  126. 		return nil, err
    127. 

  127. 	}
    128. 

  128. 

  129. 	return []byte(string(result.Payload.Data)), nil
    130. 

  130. }
    131. 

  131. 

  132. // GetSecretMap returns multiple k/v pairs from the provider.
    133. 

  133. func (sm *GCP) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
    134. 

  134. 	if sm.SecretManagerClient == nil || sm.projectID == "" {
    135. 

  135. 		return nil, fmt.Errorf("provider GCP is not initialized")
    136. 

  136. 	}
    137. 

  137. 	return map[string][]byte{
    138. 

  138. 		"noop": []byte("NOOP"),
    139. 

  139. 	}, nil
    140. 

  140. }
    141. 

  141. 

  142. func init() {
    143. 

  143. 	schema.Register(&GCP{}, &esv1alpha1.SecretStoreProvider{
    144. 

  144. 		GCPSM: &esv1alpha1.GCPSMProvider{},
    145. 

  145. 	})
    146. 

  146. }
    147.