Acasă Explorează Ajutor
Autentificare
logic855
/
helm-external-secrets
oglindă de https://github.com/external-secrets/external-secrets
1
0
Bifurcare 0
Fisiere Probleme 0 Wiki
Ramură: feature/new-provider-structure
Ramuri Etichete
helm-external-s...
/
pkg
/
provider
/
device42
/
device42.go

device42.go 6.1 KB
Permalink Istoric Crud

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6. 	http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. 

  15. package device42
    16. 

  16. 

  17. import (
    18. 

  18. 	"context"
    19. 

  19. 	"errors"
    20. 

  20. 	"fmt"
    21. 

  21. 	"time"
    22. 

  22. 

  23. 	corev1 "k8s.io/api/core/v1"
    24. 

  24. 	"k8s.io/apimachinery/pkg/types"
    25. 

  25. 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
    26. 

  26. 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
    27. 

  27. 

  28. 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
    29. 

  29. 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
    30. 

  30. 	"github.com/external-secrets/external-secrets/pkg/utils"
    31. 

  31. )
    32. 

  32. 

  33. const (
    34. 

  34. 	errNotImplemented                         = "not implemented"
    35. 

  35. 	errUninitializedProvider                  = "unable to get device42 client"
    36. 

  36. 	errCredSecretName                         = "credentials are empty"
    37. 

  37. 	errInvalidClusterStoreMissingSAKNamespace = "invalid clusterStore missing SAK namespace"
    38. 

  38. 	errFetchSAKSecret                         = "couldn't find secret on cluster: %w"
    39. 

  39. 	errMissingSAK                             = "missing credentials while setting auth"
    40. 

  40. )
    41. 

  41. 

  42. type Client interface {
    43. 

  43. 	GetSecret(secretID string) (D42Password, error)
    44. 

  44. }
    45. 

  45. 

  46. // Device42 Provider struct with reference to a Device42 client.
    47. 

  47. type Device42 struct {
    48. 

  48. 	client Client
    49. 

  49. }
    50. 

  50. 

  51. func (p *Device42) ApplyReferent(spec kclient.Object, _ esmeta.ReferentCallOrigin, _ string) (kclient.Object, error) {
    52. 

  52. 	return spec, nil
    53. 

  53. }
    54. 

  54. 

  55. func (p *Device42) Convert(_ esv1beta1.GenericStore) (kclient.Object, error) {
    56. 

  56. 	return nil, nil
    57. 

  57. }
    58. 

  58. 

  59. func (p *Device42) NewClientFromObj(_ context.Context, _ kclient.Object, _ kclient.Client, _ string) (esv1beta1.SecretsClient, error) {
    60. 

  60. 	return nil, fmt.Errorf("not implemented")
    61. 

  61. }
    62. 

  62. 

  63. func (p *Device42) ValidateStore(esv1beta1.GenericStore) (admission.Warnings, error) {
    64. 

  64. 	return nil, nil
    65. 

  65. }
    66. 

  66. 

  67. func (p *Device42) Capabilities() esv1beta1.SecretStoreCapabilities {
    68. 

  68. 	return esv1beta1.SecretStoreReadOnly
    69. 

  69. }
    70. 

  70. 

  71. // Client for interacting with kubernetes.
    72. 

  72. type device42Client struct {
    73. 

  73. 	kube      kclient.Client
    74. 

  74. 	store     *esv1beta1.Device42Provider
    75. 

  75. 	namespace string
    76. 

  76. 	storeKind string
    77. 

  77. }
    78. 

  78. type Provider struct{}
    79. 

  79. 

  80. func (c *device42Client) getAuth(ctx context.Context) (string, string, error) {
    81. 

  81. 	credentialsSecret := &corev1.Secret{}
    82. 

  82. 	credentialsSecretName := c.store.Auth.SecretRef.Credentials.Name
    83. 

  83. 	if credentialsSecretName == "" {
    84. 

  84. 		return "", "", errors.New(errCredSecretName)
    85. 

  85. 	}
    86. 

  86. 	objectKey := types.NamespacedName{
    87. 

  87. 		Name:      credentialsSecretName,
    88. 

  88. 		Namespace: c.namespace,
    89. 

  89. 	}
    90. 

  90. 	// only ClusterStore is allowed to set namespace (and then it's required)
    91. 

  91. 	if c.storeKind == esv1beta1.ClusterSecretStoreKind {
    92. 

  92. 		if c.store.Auth.SecretRef.Credentials.Namespace == nil {
    93. 

  93. 			return "", "", errors.New(errInvalidClusterStoreMissingSAKNamespace)
    94. 

  94. 		}
    95. 

  95. 		objectKey.Namespace = *c.store.Auth.SecretRef.Credentials.Namespace
    96. 

  96. 	}
    97. 

  97. 

  98. 	err := c.kube.Get(ctx, objectKey, credentialsSecret)
    99. 

  99. 	if err != nil {
    100. 

  100. 		return "", "", fmt.Errorf(errFetchSAKSecret, err)
    101. 

  101. 	}
    102. 

  102. 

  103. 	username := credentialsSecret.Data["username"]
    104. 

  104. 	password := credentialsSecret.Data["password"]
    105. 

  105. 	if len(username) == 0 || len(password) == 0 {
    106. 

  106. 		return "", "", errors.New(errMissingSAK)
    107. 

  107. 	}
    108. 

  108. 

  109. 	return string(username), string(password), nil
    110. 

  110. }
    111. 

  111. 

  112. // NewDevice42Provider returns a reference to a new instance of a 'Device42' struct.
    113. 

  113. func NewDevice42Provider() *Device42 {
    114. 

  114. 	return &Device42{}
    115. 

  115. }
    116. 

  116. 

  117. func (p *Device42) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube kclient.Client, namespace string) (esv1beta1.SecretsClient, error) {
    118. 

  118. 	storeSpec := store.GetSpec()
    119. 

  119. 	if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.Device42 == nil {
    120. 

  120. 		return nil, errors.New("no store type or wrong store type")
    121. 

  121. 	}
    122. 

  122. 	storeSpecDevice42 := storeSpec.Provider.Device42
    123. 

  123. 

  124. 	cliStore := device42Client{
    125. 

  125. 		kube:      kube,
    126. 

  126. 		store:     storeSpecDevice42,
    127. 

  127. 		namespace: namespace,
    128. 

  128. 		storeKind: store.GetObjectKind().GroupVersionKind().Kind,
    129. 

  129. 	}
    130. 

  130. 

  131. 	username, password, err := cliStore.getAuth(ctx)
    132. 

  132. 	if err != nil {
    133. 

  133. 		return nil, err
    134. 

  134. 	}
    135. 

  135. 	// Create a new client using credentials and options
    136. 

  136. 	p.client = NewAPI(storeSpecDevice42.Host, username, password, "443")
    137. 

  137. 

  138. 	return p, nil
    139. 

  139. }
    140. 

  140. 

  141. func (p *Device42) SecretExists(_ context.Context, _ esv1beta1.PushSecretRemoteRef) (bool, error) {
    142. 

  142. 	return false, errors.New(errNotImplemented)
    143. 

  143. }
    144. 

  144. 

  145. func (p *Device42) Validate() (esv1beta1.ValidationResult, error) {
    146. 

  146. 	timeout := 15 * time.Second
    147. 

  147. 	url := fmt.Sprintf("https://%s:%s", p.client.(*API).baseURL, p.client.(*API).hostPort)
    148. 

  148. 

  149. 	if err := utils.NetworkValidate(url, timeout); err != nil {
    150. 

  150. 		return esv1beta1.ValidationResultError, err
    151. 

  151. 	}
    152. 

  152. 	return esv1beta1.ValidationResultReady, nil
    153. 

  153. }
    154. 

  154. 

  155. func (p *Device42) PushSecret(_ context.Context, _ *corev1.Secret, _ esv1beta1.PushSecretData) error {
    156. 

  156. 	return errors.New(errNotImplemented)
    157. 

  157. }
    158. 

  158. 

  159. func (p *Device42) GetAllSecrets(_ context.Context, _ esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
    160. 

  160. 	return nil, errors.New(errNotImplemented)
    161. 

  161. }
    162. 

  162. 

  163. func (p *Device42) DeleteSecret(_ context.Context, _ esv1beta1.PushSecretRemoteRef) error {
    164. 

  164. 	return errors.New(errNotImplemented)
    165. 

  165. }
    166. 

  166. 

  167. func (p *Device42) GetSecret(_ context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
    168. 

  168. 	if utils.IsNil(p.client) {
    169. 

  169. 		return nil, errors.New(errUninitializedProvider)
    170. 

  170. 	}
    171. 

  171. 

  172. 	data, err := p.client.GetSecret(ref.Key)
    173. 

  173. 	if err != nil {
    174. 

  174. 		return nil, err
    175. 

  175. 	}
    176. 

  176. 	return []byte(data.Password), nil
    177. 

  177. }
    178. 

  178. 

  179. func (p *Device42) GetSecretMap(_ context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
    180. 

  180. 	data, err := p.client.GetSecret(ref.Key)
    181. 

  181. 	if err != nil {
    182. 

  182. 		return nil, fmt.Errorf("error getting secret %s: %w", ref.Key, err)
    183. 

  183. 	}
    184. 

  184. 

  185. 	return data.ToMap(), nil
    186. 

  186. }
    187. 

  187. 

  188. func (p *Device42) Close(_ context.Context) error {
    189. 

  189. 	return nil
    190. 

  190. }
    191. 

  191. 

  192. func init() {
    193. 

  193. 	esv1beta1.Register(&Device42{}, &esv1beta1.SecretStoreProvider{
    194. 

  194. 		Device42: &esv1beta1.Device42Provider{},
    195. 

  195. 	})
    196. 

  196. }
    197.