Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: cdb74afea4
Branches Tags
helm-externa...
/
providers
/
v1
/
dvls
/
provider.go

provider.go 4.6 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154 
  1. /*
    2. 

  2. Copyright © The ESO Authors
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     https://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package dvls
    18. 

  18. 

  19. import (
    20. 

  20. 	"context"
    21. 

  21. 	"fmt"
    22. 

  22. 	"net/url"
    23. 

  23. 	"strings"
    24. 

  24. 

  25. 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
    26. 

  26. 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
    27. 

  27. 

  28. 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
    29. 

  29. 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
    30. 

  30. 	"github.com/external-secrets/external-secrets/runtime/esutils"
    31. 

  31. )
    32. 

  32. 

  33. var _ esv1.Provider = &Provider{}
    34. 

  34. 

  35. // Provider implements the external-secrets Provider interface for DVLS.
    36. 

  36. type Provider struct{}
    37. 

  37. 

  38. // NewClient creates a new DVLS SecretsClient.
    39. 

  39. func (p *Provider) NewClient(ctx context.Context, store esv1.GenericStore, kube kclient.Client, namespace string) (esv1.SecretsClient, error) {
    40. 

  40. 	dvlsProvider, err := getDVLSProvider(store)
    41. 

  41. 	if err != nil {
    42. 

  42. 		return nil, err
    43. 

  43. 	}
    44. 

  44. 

  45. 	storeKind := store.GetObjectKind().GroupVersionKind().Kind
    46. 

  46. 

  47. 	credClient, vaultID, err := NewDVLSClient(ctx, kube, storeKind, namespace, dvlsProvider)
    48. 

  48. 	if err != nil {
    49. 

  49. 		return nil, fmt.Errorf("failed to create DVLS client: %w", err)
    50. 

  50. 	}
    51. 

  51. 

  52. 	return NewClient(credClient, vaultID), nil
    53. 

  53. }
    54. 

  54. 

  55. // ValidateStore validates the SecretStore configuration.
    56. 

  56. func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, error) {
    57. 

  57. 	dvlsProvider, err := getDVLSProvider(store)
    58. 

  58. 	if err != nil {
    59. 

  59. 		return nil, err
    60. 

  60. 	}
    61. 

  61. 

  62. 	if dvlsProvider.ServerURL == "" {
    63. 

  63. 		return nil, fmt.Errorf("serverUrl is required")
    64. 

  64. 	}
    65. 

  65. 

  66. 	vault := strings.TrimSpace(dvlsProvider.Vault)
    67. 

  67. 	if vault != dvlsProvider.Vault {
    68. 

  68. 		return nil, fmt.Errorf("vault must not contain leading or trailing whitespace")
    69. 

  69. 	}
    70. 

  70. 

  71. 	parsedURL, err := url.Parse(dvlsProvider.ServerURL)
    72. 

  72. 	if err != nil {
    73. 

  73. 		return nil, fmt.Errorf("serverUrl must be a valid URL: %w", err)
    74. 

  74. 	}
    75. 

  75. 	if parsedURL.Scheme == "" || parsedURL.Host == "" {
    76. 

  76. 		return nil, fmt.Errorf("serverUrl must be a valid URL with scheme and host")
    77. 

  77. 	}
    78. 

  78. 

  79. 	if parsedURL.Scheme != "https" && parsedURL.Scheme != "http" {
    80. 

  80. 		return nil, fmt.Errorf("serverUrl scheme must be http or https, got %q", parsedURL.Scheme)
    81. 

  81. 	}
    82. 

  82. 

  83. 	if parsedURL.Scheme == "http" && !dvlsProvider.Insecure {
    84. 

  84. 		return nil, fmt.Errorf("http URLs require 'insecure: true' to be set explicitly")
    85. 

  85. 	}
    86. 

  86. 

  87. 	// Validate auth configuration
    88. 

  88. 	if err := validateAuthSecretRef(store, &dvlsProvider.Auth.SecretRef); err != nil {
    89. 

  89. 		return nil, err
    90. 

  90. 	}
    91. 

  91. 

  92. 	return nil, nil
    93. 

  93. }
    94. 

  94. 

  95. // Capabilities returns the provider's capabilities.
    96. 

  96. func (p *Provider) Capabilities() esv1.SecretStoreCapabilities {
    97. 

  97. 	return esv1.SecretStoreReadWrite
    98. 

  98. }
    99. 

  99. 

  100. // validateAuthSecretRef validates the authentication secret references.
    101. 

  101. func validateAuthSecretRef(store esv1.GenericStore, ref *esv1.DVLSAuthSecretRef) error {
    102. 

  102. 	if err := requireSecretSelector(ref.AppID, "appId"); err != nil {
    103. 

  103. 		return err
    104. 

  104. 	}
    105. 

  105. 	if err := esutils.ValidateSecretSelector(store, ref.AppID); err != nil {
    106. 

  106. 		return fmt.Errorf("invalid appId: %w", err)
    107. 

  107. 	}
    108. 

  108. 

  109. 	if err := requireSecretSelector(ref.AppSecret, "appSecret"); err != nil {
    110. 

  110. 		return err
    111. 

  111. 	}
    112. 

  112. 	if err := esutils.ValidateSecretSelector(store, ref.AppSecret); err != nil {
    113. 

  113. 		return fmt.Errorf("invalid appSecret: %w", err)
    114. 

  114. 	}
    115. 

  115. 	return nil
    116. 

  116. }
    117. 

  117. 

  118. func requireSecretSelector(sel esmeta.SecretKeySelector, field string) error {
    119. 

  119. 	if sel.Name == "" {
    120. 

  120. 		return fmt.Errorf("%s secret name is required", field)
    121. 

  121. 	}
    122. 

  122. 

  123. 	if sel.Key == "" {
    124. 

  124. 		return fmt.Errorf("%s secret key is required", field)
    125. 

  125. 	}
    126. 

  126. 

  127. 	return nil
    128. 

  128. }
    129. 

  129. 

  130. // getDVLSProvider extracts the DVLS provider configuration from the store.
    131. 

  131. func getDVLSProvider(store esv1.GenericStore) (*esv1.DVLSProvider, error) {
    132. 

  132. 	spec := store.GetSpec()
    133. 

  133. 	if spec == nil || spec.Provider == nil || spec.Provider.DVLS == nil {
    134. 

  134. 		return nil, fmt.Errorf("DVLS provider configuration is missing")
    135. 

  135. 	}
    136. 

  136. 	return spec.Provider.DVLS, nil
    137. 

  137. }
    138. 

  138. 

  139. // NewProvider creates a new DVLS Provider instance.
    140. 

  140. func NewProvider() esv1.Provider {
    141. 

  141. 	return &Provider{}
    142. 

  142. }
    143. 

  143. 

  144. // ProviderSpec returns the provider specification for registration.
    145. 

  145. func ProviderSpec() *esv1.SecretStoreProvider {
    146. 

  146. 	return &esv1.SecretStoreProvider{
    147. 

  147. 		DVLS: &esv1.DVLSProvider{},
    148. 

  148. 	}
    149. 

  149. }
    150. 

  150. 

  151. // MaintenanceStatus returns the maintenance status of the provider.
    152. 

  152. func MaintenanceStatus() esv1.MaintenanceStatus {
    153. 

  153. 	return esv1.MaintenanceStatusMaintained
    154. 

  154. }
    155.