pushsecret_controller.go 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376
  1. /*
  2. Licensed under the Apache License, Version 2.0 (the "License");
  3. you may not use this file except in compliance with the License.
  4. You may obtain a copy of the License at
  5. http://www.apache.org/licenses/LICENSE-2.0
  6. Unless required by applicable law or agreed to in writing, software
  7. distributed under the License is distributed on an "AS IS" BASIS,
  8. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  9. See the License for the specific language governing permissions and
  10. limitations under the License.
  11. */
  12. package pushsecret
  13. import (
  14. "context"
  15. "fmt"
  16. "strings"
  17. "time"
  18. "github.com/go-logr/logr"
  19. v1 "k8s.io/api/core/v1"
  20. apierrors "k8s.io/apimachinery/pkg/api/errors"
  21. metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
  22. "k8s.io/apimachinery/pkg/runtime"
  23. "k8s.io/apimachinery/pkg/types"
  24. "k8s.io/client-go/tools/record"
  25. ctrl "sigs.k8s.io/controller-runtime"
  26. "sigs.k8s.io/controller-runtime/pkg/client"
  27. esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
  28. v1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
  29. )
  30. const (
  31. errFailedGetSecret = "could not get source secret"
  32. errPatchStatus = "error merging"
  33. errGetSecretStore = "could not get SecretStore %q, %w"
  34. errGetClusterSecretStore = "could not get ClusterSecretStore %q, %w"
  35. errGetProviderFailed = "could not start provider"
  36. errGetSecretsClientFailed = "could not start secrets client"
  37. errCloseStoreClient = "error when calling provider close method"
  38. errSetSecretFailed = "could not write remote ref %v to target secretstore %v: %v"
  39. errFailedSetSecret = "set secret failed: %v"
  40. )
  41. type Reconciler struct {
  42. client.Client
  43. Log logr.Logger
  44. Scheme *runtime.Scheme
  45. recorder record.EventRecorder
  46. RequeueInterval time.Duration
  47. ControllerClass string
  48. }
  49. func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
  50. log := r.Log.WithValues("pushsecret", req.NamespacedName)
  51. var ps esapi.PushSecret
  52. err := r.Get(ctx, req.NamespacedName, &ps)
  53. if apierrors.IsNotFound(err) {
  54. return ctrl.Result{}, nil
  55. } else if err != nil {
  56. msg := "unable to get PushSecret"
  57. r.recorder.Event(&ps, v1.EventTypeWarning, esapi.ReasonErrored, msg)
  58. log.Error(err, msg)
  59. return ctrl.Result{}, fmt.Errorf("get resource: %w", err)
  60. }
  61. refreshInt := r.RequeueInterval
  62. if ps.Spec.RefreshInterval != nil {
  63. refreshInt = ps.Spec.RefreshInterval.Duration
  64. }
  65. p := client.MergeFrom(ps.DeepCopy())
  66. defer func() {
  67. err := r.Client.Status().Patch(ctx, &ps, p)
  68. if err != nil {
  69. log.Error(err, errPatchStatus)
  70. }
  71. }()
  72. secret, err := r.GetSecret(ctx, ps)
  73. if err != nil {
  74. cond := NewPushSecretCondition(esapi.PushSecretReady, v1.ConditionFalse, esapi.ReasonErrored, errFailedGetSecret)
  75. ps = SetPushSecretCondition(ps, *cond)
  76. r.recorder.Event(&ps, v1.EventTypeWarning, esapi.ReasonErrored, errFailedGetSecret)
  77. return ctrl.Result{}, err
  78. }
  79. secretStores, err := r.GetSecretStores(ctx, ps)
  80. if err != nil {
  81. cond := NewPushSecretCondition(esapi.PushSecretReady, v1.ConditionFalse, esapi.ReasonErrored, err.Error())
  82. ps = SetPushSecretCondition(ps, *cond)
  83. r.recorder.Event(&ps, v1.EventTypeWarning, esapi.ReasonErrored, err.Error())
  84. return ctrl.Result{}, err
  85. }
  86. syncedSecrets, err := r.PushSecretToProviders(ctx, secretStores, ps, secret)
  87. if err != nil {
  88. msg := fmt.Sprintf(errFailedSetSecret, err)
  89. cond := NewPushSecretCondition(esapi.PushSecretReady, v1.ConditionFalse, esapi.ReasonErrored, msg)
  90. ps = SetPushSecretCondition(ps, *cond)
  91. r.SetSyncedSecrets(&ps, syncedSecrets)
  92. r.recorder.Event(&ps, v1.EventTypeWarning, esapi.ReasonErrored, msg)
  93. return ctrl.Result{}, err
  94. }
  95. switch ps.Spec.DeletionPolicy {
  96. case esapi.PushSecretDeletionPolicyDelete:
  97. badSyncState, err := r.DeleteSecretFromProviders(ctx, &ps, syncedSecrets)
  98. if err != nil {
  99. msg := fmt.Sprintf("Failed to Delete Secrets from Provider: %v", err)
  100. cond := NewPushSecretCondition(esapi.PushSecretReady, v1.ConditionFalse, esapi.ReasonErrored, msg)
  101. ps = SetPushSecretCondition(ps, *cond)
  102. r.SetSyncedSecrets(&ps, badSyncState)
  103. r.recorder.Event(&ps, v1.EventTypeWarning, esapi.ReasonErrored, msg)
  104. return ctrl.Result{}, err
  105. }
  106. case esapi.PushSecretDeletionPolicyNone:
  107. default:
  108. }
  109. msg := "PushSecret synced successfully"
  110. cond := NewPushSecretCondition(esapi.PushSecretReady, v1.ConditionTrue, esapi.ReasonSynced, msg)
  111. ps = SetPushSecretCondition(ps, *cond)
  112. r.SetSyncedSecrets(&ps, syncedSecrets)
  113. r.recorder.Event(&ps, v1.EventTypeNormal, esapi.ReasonSynced, msg)
  114. return ctrl.Result{RequeueAfter: refreshInt}, nil
  115. }
  116. func (r *Reconciler) SetSyncedSecrets(ps *esapi.PushSecret, status esapi.SyncedPushSecretsMap) {
  117. ps.Status.SyncedPushSecrets = status
  118. }
  119. func (r *Reconciler) DeleteSecretFromProviders(ctx context.Context, ps *esapi.PushSecret, newMap esapi.SyncedPushSecretsMap) (esapi.SyncedPushSecretsMap, error) {
  120. out := newMap.DeepCopy()
  121. for k, v := range ps.Status.SyncedPushSecrets {
  122. _, ok := out[k]
  123. if !ok {
  124. out[k] = make(map[string]esapi.PushSecretData)
  125. }
  126. for kk, vv := range v {
  127. out[k][kk] = vv
  128. }
  129. }
  130. for storeName, oldData := range ps.Status.SyncedPushSecrets {
  131. storeRef := esapi.PushSecretStoreRef{
  132. Name: strings.Split(storeName, "/")[1],
  133. Kind: strings.Split(storeName, "/")[0],
  134. }
  135. store, err := r.getSecretStoreFromName(ctx, storeRef, ps.Namespace)
  136. if err != nil {
  137. return out, err
  138. }
  139. client, err := r.getClientFromStore(ctx, store, ps)
  140. if err != nil {
  141. return out, fmt.Errorf("could not get secrets client for store %v: %w", store.GetName(), err)
  142. }
  143. defer func() { //nolint
  144. err := client.Close(ctx)
  145. if err != nil {
  146. r.Log.Error(err, errCloseStoreClient)
  147. }
  148. }()
  149. newData, ok := newMap[storeName]
  150. if !ok {
  151. err = r.DeleteAllSecretsFromStore(ctx, client, oldData)
  152. if err != nil {
  153. return out, err
  154. }
  155. delete(out, storeName)
  156. continue
  157. }
  158. for oldEntry, oldRef := range oldData {
  159. _, ok := newData[oldEntry]
  160. if !ok {
  161. err = r.DeleteSecretFromStore(ctx, client, oldRef)
  162. if err != nil {
  163. return out, err
  164. }
  165. delete(out[storeName], oldRef.Match.RemoteRef.RemoteKey)
  166. }
  167. }
  168. }
  169. return out, nil
  170. }
  171. func (r *Reconciler) DeleteAllSecretsFromStore(ctx context.Context, client v1beta1.SecretsClient, data map[string]esapi.PushSecretData) error {
  172. for _, v := range data {
  173. err := r.DeleteSecretFromStore(ctx, client, v)
  174. if err != nil {
  175. return err
  176. }
  177. }
  178. return nil
  179. }
  180. func (r *Reconciler) DeleteSecretFromStore(ctx context.Context, client v1beta1.SecretsClient, data esapi.PushSecretData) error {
  181. return client.DeleteSecret(ctx, data.Match.RemoteRef)
  182. }
  183. func (r *Reconciler) getClientFromStore(ctx context.Context, store v1beta1.GenericStore, ps *esapi.PushSecret) (v1beta1.SecretsClient, error) {
  184. provider, err := v1beta1.GetProvider(store)
  185. if err != nil {
  186. return nil, fmt.Errorf(errGetProviderFailed)
  187. }
  188. client, err := provider.NewClient(ctx, store, r.Client, ps.Namespace)
  189. if err != nil {
  190. return nil, fmt.Errorf(errGetSecretsClientFailed)
  191. }
  192. return client, nil
  193. }
  194. func (r *Reconciler) PushSecretToProviders(ctx context.Context, stores map[esapi.PushSecretStoreRef]v1beta1.GenericStore, ps esapi.PushSecret, secret *v1.Secret) (esapi.SyncedPushSecretsMap, error) {
  195. out := esapi.SyncedPushSecretsMap{}
  196. for ref, store := range stores {
  197. storeKey := fmt.Sprintf("%v/%v", ref.Kind, store.GetName())
  198. out[storeKey] = make(map[string]esapi.PushSecretData)
  199. client, err := r.getClientFromStore(ctx, store, &ps)
  200. if err != nil {
  201. return out, fmt.Errorf("could not get secrets client for store %v: %w", store.GetName(), err)
  202. }
  203. defer func() { //nolint
  204. err := client.Close(ctx)
  205. if err != nil {
  206. r.Log.Error(err, errCloseStoreClient)
  207. }
  208. }()
  209. for _, ref := range ps.Spec.Data {
  210. secretValue, ok := secret.Data[ref.Match.SecretKey]
  211. if !ok {
  212. return out, fmt.Errorf("secret key %v does not exist", ref.Match.SecretKey)
  213. }
  214. err := client.SetSecret(ctx, secretValue, ref.Match.RemoteRef)
  215. if err != nil {
  216. return out, fmt.Errorf(errSetSecretFailed, ref.Match.SecretKey, store.GetName(), err)
  217. }
  218. out[storeKey][ref.Match.RemoteRef.RemoteKey] = ref
  219. }
  220. }
  221. return out, nil
  222. }
  223. func (r *Reconciler) GetSecret(ctx context.Context, ps esapi.PushSecret) (*v1.Secret, error) {
  224. secretName := types.NamespacedName{Name: ps.Spec.Selector.Secret.Name, Namespace: ps.Namespace}
  225. secret := &v1.Secret{}
  226. err := r.Client.Get(ctx, secretName, secret)
  227. if err != nil {
  228. return nil, err
  229. }
  230. return secret, nil
  231. }
  232. func (r *Reconciler) GetSecretStores(ctx context.Context, ps esapi.PushSecret) (map[esapi.PushSecretStoreRef]v1beta1.GenericStore, error) {
  233. stores := make(map[esapi.PushSecretStoreRef]v1beta1.GenericStore)
  234. for _, refStore := range ps.Spec.SecretStoreRefs {
  235. if refStore.LabelSelector != nil {
  236. labelSelector, err := metav1.LabelSelectorAsSelector(refStore.LabelSelector)
  237. if err != nil {
  238. return nil, fmt.Errorf("could not convert labels: %w", err)
  239. }
  240. if refStore.Kind == v1beta1.ClusterSecretStoreKind {
  241. clusterSecretStoreList := v1beta1.ClusterSecretStoreList{}
  242. err = r.List(ctx, &clusterSecretStoreList, &client.ListOptions{LabelSelector: labelSelector})
  243. if err != nil {
  244. return nil, fmt.Errorf("could not list cluster Secret Stores: %w", err)
  245. }
  246. for k, v := range clusterSecretStoreList.Items {
  247. key := esapi.PushSecretStoreRef{
  248. Name: v.Name,
  249. Kind: v1beta1.ClusterSecretStoreKind,
  250. }
  251. stores[key] = &clusterSecretStoreList.Items[k]
  252. }
  253. } else {
  254. secretStoreList := v1beta1.SecretStoreList{}
  255. err = r.List(ctx, &secretStoreList, &client.ListOptions{LabelSelector: labelSelector})
  256. if err != nil {
  257. return nil, fmt.Errorf("could not list Secret Stores: %w", err)
  258. }
  259. for k, v := range secretStoreList.Items {
  260. key := esapi.PushSecretStoreRef{
  261. Name: v.Name,
  262. Kind: v1beta1.SecretStoreKind,
  263. }
  264. stores[key] = &secretStoreList.Items[k]
  265. }
  266. }
  267. } else {
  268. store, err := r.getSecretStoreFromName(ctx, refStore, ps.Namespace)
  269. if err != nil {
  270. return nil, err
  271. }
  272. stores[refStore] = store
  273. }
  274. }
  275. return stores, nil
  276. }
  277. func (r *Reconciler) getSecretStoreFromName(ctx context.Context, refStore esapi.PushSecretStoreRef, ns string) (v1beta1.GenericStore, error) {
  278. if refStore.Name == "" {
  279. return nil, fmt.Errorf("refStore Name must be provided")
  280. }
  281. ref := types.NamespacedName{
  282. Name: refStore.Name,
  283. }
  284. if refStore.Kind == v1beta1.ClusterSecretStoreKind {
  285. var store v1beta1.ClusterSecretStore
  286. err := r.Get(ctx, ref, &store)
  287. if err != nil {
  288. return nil, fmt.Errorf(errGetClusterSecretStore, ref.Name, err)
  289. }
  290. return &store, nil
  291. }
  292. ref.Namespace = ns
  293. var store v1beta1.SecretStore
  294. err := r.Get(ctx, ref, &store)
  295. if err != nil {
  296. return nil, fmt.Errorf(errGetSecretStore, ref.Name, err)
  297. }
  298. return &store, nil
  299. }
  300. func (r *Reconciler) SetupWithManager(mgr ctrl.Manager) error {
  301. r.recorder = mgr.GetEventRecorderFor("pushsecret")
  302. return ctrl.NewControllerManagedBy(mgr).
  303. For(&esapi.PushSecret{}).
  304. Complete(r)
  305. }
  306. func NewPushSecretCondition(condType esapi.PushSecretConditionType, status v1.ConditionStatus, reason, message string) *esapi.PushSecretStatusCondition {
  307. return &esapi.PushSecretStatusCondition{
  308. Type: condType,
  309. Status: status,
  310. LastTransitionTime: metav1.Now(),
  311. Reason: reason,
  312. Message: message,
  313. }
  314. }
  315. func SetPushSecretCondition(gs esapi.PushSecret, condition esapi.PushSecretStatusCondition) esapi.PushSecret {
  316. status := gs.Status
  317. currentCond := GetPushSecretCondition(status, condition.Type)
  318. if currentCond != nil && currentCond.Status == condition.Status &&
  319. currentCond.Reason == condition.Reason && currentCond.Message == condition.Message {
  320. return gs
  321. }
  322. // Do not update lastTransitionTime if the status of the condition doesn't change.
  323. if currentCond != nil && currentCond.Status == condition.Status {
  324. condition.LastTransitionTime = currentCond.LastTransitionTime
  325. }
  326. status.Conditions = append(filterOutCondition(status.Conditions, condition.Type), condition)
  327. gs.Status = status
  328. return gs
  329. }
  330. // filterOutCondition returns an empty set of conditions with the provided type.
  331. func filterOutCondition(conditions []esapi.PushSecretStatusCondition, condType esapi.PushSecretConditionType) []esapi.PushSecretStatusCondition {
  332. newConditions := make([]esapi.PushSecretStatusCondition, 0, len(conditions))
  333. for _, c := range conditions {
  334. if c.Type == condType {
  335. continue
  336. }
  337. newConditions = append(newConditions, c)
  338. }
  339. return newConditions
  340. }
  341. // GetSecretStoreCondition returns the condition with the provided type.
  342. func GetPushSecretCondition(status esapi.PushSecretStatus, condType esapi.PushSecretConditionType) *esapi.PushSecretStatusCondition {
  343. for i := range status.Conditions {
  344. c := status.Conditions[i]
  345. if c.Type == condType {
  346. return &c
  347. }
  348. }
  349. return nil
  350. }