Strona główna Odkrywaj Pomoc
Zaloguj się
logic855
/
helm-external-secrets
kopia lustrzana https://github.com/external-secrets/external-secrets
1
0
Forkuj 0
Pliki Problemy 0 Wiki
Drzewo: e19bb62a48
Gałęzie Tagi
helm-externa...
/
pkg
/
provider
/
gcp
/
secretmanager
/
secretsmanager.go

secretsmanager.go 4.2 KB
Historia Czysty

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6.     http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. package secretmanager
    15. 

  15. 

  16. import (
    17. 

  17. 	"context"
    18. 

  18. 	"fmt"
    19. 

  19. 	"log"
    20. 

  20. 

  21. 	secretmanager "cloud.google.com/go/secretmanager/apiv1"
    22. 

  22. 	"github.com/googleapis/gax-go"
    23. 

  23. 	"golang.org/x/oauth2/google"
    24. 

  24. 	"google.golang.org/api/option"
    25. 

  25. 	secretmanagerpb "google.golang.org/genproto/googleapis/cloud/secretmanager/v1"
    26. 

  26. 	corev1 "k8s.io/api/core/v1"
    27. 

  27. 	"k8s.io/apimachinery/pkg/types"
    28. 

  28. 	"sigs.k8s.io/controller-runtime/pkg/client"
    29. 

  29. 

  30. 	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
    31. 

  31. 	"github.com/external-secrets/external-secrets/pkg/provider"
    32. 

  32. 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
    33. 

  33. )
    34. 

  34. 

  35. const (
    36. 

  36. 	cloudPlatformRole = "https://www.googleapis.com/auth/cloud-platform"
    37. 

  37. 	defaultVersion    = "latest"
    38. 

  38. )
    39. 

  39. 

  40. type GoogleSecretManagerClient interface {
    41. 

  41. 	AccessSecretVersion(ctx context.Context, req *secretmanagerpb.AccessSecretVersionRequest, opts ...gax.CallOption) (*secretmanagerpb.AccessSecretVersionResponse, error)
    42. 

  42. 	Close() error
    43. 

  43. }
    44. 

  44. 

  45. // ProviderGCP is a provider for GCP Secret Manager.
    46. 

  46. type ProviderGCP struct {
    47. 

  47. 	projectID           string
    48. 

  48. 	SecretManagerClient GoogleSecretManagerClient
    49. 

  49. }
    50. 

  50. 

  51. // NewClient constructs a GCP Provider.
    52. 

  52. func (sm *ProviderGCP) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
    53. 

  53. 	// Fetch credential Secret
    54. 

  54. 	credentialsSecret := &corev1.Secret{}
    55. 

  55. 	credentialsSecretName := store.GetSpec().Provider.GCPSM.Auth.SecretRef.SecretAccessKey.Name
    56. 

  56. 	objectKey := types.NamespacedName{Name: credentialsSecretName, Namespace: store.GetNamespace()}
    57. 

  57. 	err := kube.Get(ctx, objectKey, credentialsSecret)
    58. 

  58. 	if err != nil {
    59. 

  59. 		log.Panicf(err.Error(), "Failed to get credentials Secret")
    60. 

  60. 		return nil, err
    61. 

  61. 	}
    62. 

  62. 

  63. 	credentials := credentialsSecret.Data[store.GetSpec().Provider.GCPSM.Auth.SecretRef.SecretAccessKey.Key]
    64. 

  64. 	if len(credentials) == 0 {
    65. 

  65. 		return nil, fmt.Errorf("credentials GCP invalid/not provided")
    66. 

  66. 	}
    67. 

  67. 

  68. 	projectID := store.GetSpec().Provider.GCPSM.ProjectID
    69. 

  69. 

  70. 	sm.projectID = projectID
    71. 

  71. 

  72. 	config, err := google.JWTConfigFromJSON(credentials, cloudPlatformRole)
    73. 

  73. 	if err != nil {
    74. 

  74. 		log.Panicf(err.Error(), "Failed to process the provided JSON credentials")
    75. 

  75. 		return nil, err
    76. 

  76. 	}
    77. 

  77. 

  78. 	ts := config.TokenSource(ctx)
    79. 

  79. 

  80. 	client, err := secretmanager.NewClient(ctx, option.WithTokenSource(ts))
    81. 

  81. 	if err != nil {
    82. 

  82. 		return nil, fmt.Errorf("failed to create GCP secretmanager client: %w", err)
    83. 

  83. 	}
    84. 

  84. 	sm.SecretManagerClient = client
    85. 

  85. 	return sm, nil
    86. 

  86. }
    87. 

  87. 

  88. // GetSecret returns a single secret from the provider.
    89. 

  89. func (sm *ProviderGCP) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
    90. 

  90. 	if sm.SecretManagerClient == nil || sm.projectID == "" {
    91. 

  91. 		return nil, fmt.Errorf("provider GCP is not initialized")
    92. 

  92. 	}
    93. 

  93. 

  94. 	version := ref.Version
    95. 

  95. 	if version == "" {
    96. 

  96. 		version = defaultVersion
    97. 

  97. 	}
    98. 

  98. 

  99. 	resourceName := fmt.Sprintf("projects/%s/secrets/%s/versions/%s", sm.projectID, ref.Key, version)
    100. 

  100. 

  101. 	req := &secretmanagerpb.AccessSecretVersionRequest{
    102. 

  102. 		Name: resourceName,
    103. 

  103. 	}
    104. 

  104. 

  105. 	result, err := sm.SecretManagerClient.AccessSecretVersion(ctx, req)
    106. 

  106. 	if err != nil {
    107. 

  107. 		return nil, err
    108. 

  108. 	}
    109. 

  109. 	err = sm.SecretManagerClient.Close()
    110. 

  110. 	if err != nil {
    111. 

  111. 		return nil, err
    112. 

  112. 	}
    113. 

  113. 	return []byte(string(result.Payload.Data)), nil
    114. 

  114. }
    115. 

  115. 

  116. // GetSecretMap returns multiple k/v pairs from the provider.
    117. 

  117. func (sm *ProviderGCP) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
    118. 

  118. 	if sm.SecretManagerClient == nil || sm.projectID == "" {
    119. 

  119. 		return nil, fmt.Errorf("provider GCP is not initialized")
    120. 

  120. 	}
    121. 

  121. 	return map[string][]byte{
    122. 

  122. 		"noop": []byte("NOOP"),
    123. 

  123. 	}, nil
    124. 

  124. }
    125. 

  125. 

  126. func init() {
    127. 

  127. 	schema.Register(&ProviderGCP{}, &esv1alpha1.SecretStoreProvider{
    128. 

  128. 		GCPSM: &esv1alpha1.GCPSMProvider{},
    129. 

  129. 	})
    130. 

  130. }
    131.