Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: ea3b1ffc73
Branches Tags
helm-externa...
/
pkg
/
provider
/
previder
/
provider.go

provider.go 4.0 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6. 	http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. package previder
    15. 

  15. 

  16. import (
    17. 

  17. 	"context"
    18. 

  18. 	"errors"
    19. 

  19. 	"fmt"
    20. 

  20. 

  21. 	previderclient "github.com/previder/vault-cli/pkg"
    22. 

  22. 	corev1 "k8s.io/api/core/v1"
    23. 

  23. 	"sigs.k8s.io/controller-runtime/pkg/client"
    24. 

  24. 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
    25. 

  25. 

  26. 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
    27. 

  27. 	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
    28. 

  28. )
    29. 

  29. 

  30. const (
    31. 

  31. 	errNotImplemented = "not implemented"
    32. 

  32. )
    33. 

  33. 

  34. var _ esv1.Provider = &SecretManager{}
    35. 

  35. 

  36. type SecretManager struct {
    37. 

  37. 	VaultClient previderclient.PreviderVaultClient
    38. 

  38. }
    39. 

  39. 

  40. func init() {
    41. 

  41. 	esv1.Register(&SecretManager{}, &esv1.SecretStoreProvider{
    42. 

  42. 		Previder: &esv1.PreviderProvider{},
    43. 

  43. 	}, esv1.MaintenanceStatusMaintained)
    44. 

  44. }
    45. 

  45. 

  46. func (s *SecretManager) NewClient(ctx context.Context, store esv1.GenericStore, kube client.Client, namespace string) (esv1.SecretsClient, error) {
    47. 

  47. 	if store == nil {
    48. 

  48. 		return nil, fmt.Errorf("secret store not found: %v", "nil store")
    49. 

  49. 	}
    50. 

  50. 	storeSpec := store.GetSpec().Provider.Previder
    51. 

  51. 

  52. 	storeKind := store.GetObjectKind().GroupVersionKind().Kind
    53. 

  53. 	accessToken, err := resolvers.SecretKeyRef(ctx, kube, storeKind, namespace, &storeSpec.Auth.SecretRef.AccessToken)
    54. 

  54. 	if err != nil {
    55. 

  55. 		return nil, fmt.Errorf(accessToken, err)
    56. 

  56. 	}
    57. 

  57. 

  58. 	s.VaultClient, err = previderclient.NewVaultClient(storeSpec.BaseURI, accessToken)
    59. 

  59. 

  60. 	if err != nil {
    61. 

  61. 		return nil, err
    62. 

  62. 	}
    63. 

  63. 	return s, nil
    64. 

  64. }
    65. 

  65. 

  66. func (s *SecretManager) ValidateStore(store esv1.GenericStore) (admission.Warnings, error) {
    67. 

  67. 	storeSpec := store.GetSpec()
    68. 

  68. 	previderSpec := storeSpec.Provider.Previder
    69. 

  69. 	if previderSpec == nil {
    70. 

  70. 		return nil, errors.New("missing Previder spec")
    71. 

  71. 	}
    72. 

  72. 	if previderSpec.Auth.SecretRef == nil {
    73. 

  73. 		return nil, errors.New("missing Previder Auth SecretRef")
    74. 

  74. 	}
    75. 

  75. 	accessToken := previderSpec.Auth.SecretRef.AccessToken
    76. 

  76. 

  77. 	if accessToken.Name == "" {
    78. 

  78. 		return nil, errors.New("missing Previder accessToken name")
    79. 

  79. 	}
    80. 

  80. 	if accessToken.Key == "" {
    81. 

  81. 		return nil, errors.New("missing Previder accessToken key")
    82. 

  82. 	}
    83. 

  83. 

  84. 	return nil, nil
    85. 

  85. }
    86. 

  86. 

  87. func (s *SecretManager) Capabilities() esv1.SecretStoreCapabilities {
    88. 

  88. 	return esv1.SecretStoreReadOnly
    89. 

  89. }
    90. 

  90. 

  91. func (s *SecretManager) GetSecret(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) ([]byte, error) {
    92. 

  92. 	secret, err := s.VaultClient.DecryptSecret(ref.Key)
    93. 

  93. 	if err != nil {
    94. 

  94. 		return nil, err
    95. 

  95. 	}
    96. 

  96. 	return []byte(secret.Secret), nil
    97. 

  97. }
    98. 

  98. 

  99. func (s *SecretManager) PushSecret(ctx context.Context, secret *corev1.Secret, data esv1.PushSecretData) error {
    100. 

  100. 	return errors.New(errNotImplemented)
    101. 

  101. }
    102. 

  102. 

  103. func (s *SecretManager) DeleteSecret(ctx context.Context, remoteRef esv1.PushSecretRemoteRef) error {
    104. 

  104. 	return errors.New(errNotImplemented)
    105. 

  105. }
    106. 

  106. 

  107. func (s *SecretManager) SecretExists(ctx context.Context, remoteRef esv1.PushSecretRemoteRef) (bool, error) {
    108. 

  108. 	return false, errors.New(errNotImplemented)
    109. 

  109. }
    110. 

  110. 

  111. func (s *SecretManager) Validate() (esv1.ValidationResult, error) {
    112. 

  112. 	_, err := s.VaultClient.GetSecrets()
    113. 

  113. 	if err != nil {
    114. 

  114. 		return esv1.ValidationResultError, err
    115. 

  115. 	}
    116. 

  116. 

  117. 	return esv1.ValidationResultReady, nil
    118. 

  118. }
    119. 

  119. 

  120. func (s *SecretManager) GetSecretMap(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
    121. 

  121. 	secrets, err := s.GetSecret(ctx, ref)
    122. 

  122. 	if err != nil {
    123. 

  123. 		return nil, err
    124. 

  124. 	}
    125. 

  125. 	secretData := make(map[string][]byte)
    126. 

  126. 	secretData[ref.Key] = secrets
    127. 

  127. 	return secretData, nil
    128. 

  128. }
    129. 

  129. 

  130. func (s *SecretManager) GetAllSecrets(ctx context.Context, ref esv1.ExternalSecretFind) (map[string][]byte, error) {
    131. 

  131. 	return nil, errors.New(errNotImplemented)
    132. 

  132. }
    133. 

  133. 

  134. func (s *SecretManager) Close(ctx context.Context) error {
    135. 

  135. 	return nil
    136. 

  136. }
    137.