Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Branch: main
Branches Tags
helm-externa...
/
providers
/
v1
/
fortanix
/
provider.go

provider.go 4.1 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143 
  1. /*
    2. 

  2. Copyright © The ESO Authors
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8. 	https://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. // Package fortanix provides a Fortanix provider implementation.
    18. 

  18. package fortanix
    19. 

  19. 

  20. import (
    21. 

  21. 	"context"
    22. 

  22. 	"errors"
    23. 

  23. 	"fmt"
    24. 

  24. 	"net/http"
    25. 

  25. 

  26. 	"github.com/fortanix/sdkms-client-go/sdkms"
    27. 

  27. 	kubeclient "sigs.k8s.io/controller-runtime/pkg/client"
    28. 

  28. 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
    29. 

  29. 

  30. 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
    31. 

  31. 	"github.com/external-secrets/external-secrets/runtime/esutils"
    32. 

  32. 	"github.com/external-secrets/external-secrets/runtime/esutils/resolvers"
    33. 

  33. )
    34. 

  34. 

  35. // Provider implements provider interface for Fortanix Key Management.
    36. 

  36. type Provider struct{}
    37. 

  37. 

  38. const (
    39. 

  39. 	errCannotResolveSecretKeyRef     = "cannot resolve secret key ref: %w"
    40. 

  40. 	errStoreIsNil                    = "store is nil"
    41. 

  41. 	errNoStoreTypeOrWrongStoreType   = "no store type or wrong store type"
    42. 

  42. 	errAPIKeyIsRequired              = "apiKey is required"
    43. 

  43. 	errAPIKeySecretRefIsRequired     = "apiKey.secretRef is required"
    44. 

  44. 	errAPIKeySecretRefNameIsRequired = "apiKey.secretRef.name is required"
    45. 

  45. 	errAPIKeySecretRefKeyIsRequired  = "apiKey.secretRef.key is required"
    46. 

  46. )
    47. 

  47. 

  48. var _ esv1.Provider = &Provider{}
    49. 

  49. 

  50. // Capabilities returns the provider supported capabilities (ReadOnly, WriteOnly, ReadWrite).
    51. 

  51. func (p *Provider) Capabilities() esv1.SecretStoreCapabilities {
    52. 

  52. 	return esv1.SecretStoreReadOnly
    53. 

  53. }
    54. 

  54. 

  55. // NewClient creates a new Fortanix Key Management client.
    56. 

  56. func (p *Provider) NewClient(ctx context.Context, store esv1.GenericStore, kube kubeclient.Client, namespace string) (esv1.SecretsClient, error) {
    57. 

  57. 	config, err := getConfig(store)
    58. 

  58. 	if err != nil {
    59. 

  59. 		return nil, err
    60. 

  60. 	}
    61. 

  61. 

  62. 	apiKey, err := resolvers.SecretKeyRef(ctx, kube, store.GetKind(), namespace, config.APIKey.SecretRef)
    63. 

  63. 	if err != nil {
    64. 

  64. 		return nil, fmt.Errorf(errCannotResolveSecretKeyRef, err)
    65. 

  65. 	}
    66. 

  66. 

  67. 	sdkmsClient := sdkms.Client{
    68. 

  68. 		HTTPClient: http.DefaultClient,
    69. 

  69. 		Auth:       sdkms.APIKey(apiKey),
    70. 

  70. 		Endpoint:   config.APIURL,
    71. 

  71. 	}
    72. 

  72. 

  73. 	return &client{
    74. 

  74. 		sdkms: sdkmsClient,
    75. 

  75. 	}, nil
    76. 

  76. }
    77. 

  77. 

  78. // ValidateStore validates the Fortanix Key Management store configuration.
    79. 

  79. func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, error) {
    80. 

  80. 	_, err := getConfig(store)
    81. 

  81. 	return nil, err
    82. 

  82. }
    83. 

  83. 

  84. func getConfig(store esv1.GenericStore) (*esv1.FortanixProvider, error) {
    85. 

  85. 	if store == nil {
    86. 

  86. 		return nil, errors.New(errStoreIsNil)
    87. 

  87. 	}
    88. 

  88. 

  89. 	spec := store.GetSpec()
    90. 

  90. 	if spec == nil || spec.Provider == nil || spec.Provider.Fortanix == nil {
    91. 

  91. 		return nil, errors.New(errNoStoreTypeOrWrongStoreType)
    92. 

  92. 	}
    93. 

  93. 

  94. 	config := spec.Provider.Fortanix
    95. 

  95. 

  96. 	if config.APIURL == "" {
    97. 

  97. 		config.APIURL = "https://sdkms.fortanix.com"
    98. 

  98. 	}
    99. 

  99. 

  100. 	err := validateSecretStoreRef(store, config.APIKey)
    101. 

  101. 	if err != nil {
    102. 

  102. 		return nil, err
    103. 

  103. 	}
    104. 

  104. 

  105. 	return config, nil
    106. 

  106. }
    107. 

  107. 

  108. func validateSecretStoreRef(store esv1.GenericStore, ref *esv1.FortanixProviderSecretRef) error {
    109. 

  109. 	if ref == nil {
    110. 

  110. 		return errors.New(errAPIKeyIsRequired)
    111. 

  111. 	}
    112. 

  112. 

  113. 	if ref.SecretRef == nil {
    114. 

  114. 		return errors.New(errAPIKeySecretRefIsRequired)
    115. 

  115. 	}
    116. 

  116. 

  117. 	if ref.SecretRef.Name == "" {
    118. 

  118. 		return errors.New(errAPIKeySecretRefNameIsRequired)
    119. 

  119. 	}
    120. 

  120. 

  121. 	if ref.SecretRef.Key == "" {
    122. 

  122. 		return errors.New(errAPIKeySecretRefKeyIsRequired)
    123. 

  123. 	}
    124. 

  124. 

  125. 	return esutils.ValidateReferentSecretSelector(store, *ref.SecretRef)
    126. 

  126. }
    127. 

  127. 

  128. // NewProvider creates a new Provider instance.
    129. 

  129. func NewProvider() esv1.Provider {
    130. 

  130. 	return &Provider{}
    131. 

  131. }
    132. 

  132. 

  133. // ProviderSpec returns the provider specification for registration.
    134. 

  134. func ProviderSpec() *esv1.SecretStoreProvider {
    135. 

  135. 	return &esv1.SecretStoreProvider{
    136. 

  136. 		Fortanix: &esv1.FortanixProvider{},
    137. 

  137. 	}
    138. 

  138. }
    139. 

  139. 

  140. // MaintenanceStatus returns the maintenance status of the provider.
    141. 

  141. func MaintenanceStatus() esv1.MaintenanceStatus {
    142. 

  142. 	return esv1.MaintenanceStatusMaintained
    143. 

  143. }
    144.