Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Branch: main
Branches Tags
helm-externa...
/
providers
/
v1
/
volcengine
/
client.go

client.go 4.7 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165 
  1. /*
    2. 

  2. Copyright © The ESO Authors
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     https://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package volcengine
    18. 

  18. 

  19. import (
    20. 

  20. 	"context"
    21. 

  21. 	"encoding/json"
    22. 

  22. 	"errors"
    23. 

  23. 	"fmt"
    24. 

  24. 

  25. 	"github.com/volcengine/volcengine-go-sdk/service/kms"
    26. 

  26. 	corev1 "k8s.io/api/core/v1"
    27. 

  27. 

  28. 	esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
    29. 

  29. )
    30. 

  30. 

  31. const (
    32. 

  32. 	notImplemented = "not implemented"
    33. 

  33. )
    34. 

  34. 

  35. var _ esapi.SecretsClient = &Client{}
    36. 

  36. 

  37. // Client is a client for the Volcengine provider.
    38. 

  38. type Client struct {
    39. 

  39. 	kms kms.KMSAPI
    40. 

  40. }
    41. 

  41. 

  42. // NewClient creates a new Volcengine client.
    43. 

  43. func NewClient(kms kms.KMSAPI) *Client {
    44. 

  44. 	return &Client{
    45. 

  45. 		kms: kms,
    46. 

  46. 	}
    47. 

  47. }
    48. 

  48. 

  49. // GetSecret retrieves a secret value from Volcengine Secrets Manager.
    50. 

  50. func (c *Client) GetSecret(ctx context.Context, ref esapi.ExternalSecretDataRemoteRef) ([]byte, error) {
    51. 

  51. 	return c.getSecretValue(ctx, ref)
    52. 

  52. }
    53. 

  53. 

  54. // SecretExists checks if a secret exists in Volcengine Secrets Manager.
    55. 

  55. func (c *Client) SecretExists(ctx context.Context, remoteRef esapi.PushSecretRemoteRef) (bool, error) {
    56. 

  56. 	secretName := remoteRef.GetRemoteKey()
    57. 

  57. 	if secretName == "" {
    58. 

  58. 		return false, errors.New("secret name is empty")
    59. 

  59. 	}
    60. 

  60. 	_, err := c.kms.DescribeSecretWithContext(ctx, &kms.DescribeSecretInput{
    61. 

  61. 		SecretName: &secretName,
    62. 

  62. 	})
    63. 

  63. 	if err != nil {
    64. 

  64. 		return false, err
    65. 

  65. 	}
    66. 

  66. 	return true, nil
    67. 

  67. }
    68. 

  68. 

  69. // Validate checks if the provider is configured correctly.
    70. 

  70. func (c *Client) Validate() (esapi.ValidationResult, error) {
    71. 

  71. 	if c.kms != nil {
    72. 

  72. 		return esapi.ValidationResultReady, nil
    73. 

  73. 	}
    74. 

  74. 	return esapi.ValidationResultError, errors.New("kms client is not initialized")
    75. 

  75. }
    76. 

  76. 

  77. // GetSecretMap retrieves a secret value and unmarshals it as a map.
    78. 

  78. func (c *Client) GetSecretMap(ctx context.Context, ref esapi.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
    79. 

  79. 	value, err := c.getSecretValue(ctx, ref)
    80. 

  80. 	if err != nil {
    81. 

  81. 		return nil, err
    82. 

  82. 	}
    83. 

  83. 

  84. 	var rawSecretMap map[string]json.RawMessage
    85. 

  85. 	if err := json.Unmarshal(value, &rawSecretMap); err != nil {
    86. 

  86. 		// Do not wrap the original error as json.Unmarshal errors may contain
    87. 

  87. 		// sensitive secret data in the error message
    88. 

  88. 		return nil, errors.New("failed to unmarshal secret: invalid JSON format")
    89. 

  89. 	}
    90. 

  90. 

  91. 	secretMap := make(map[string][]byte, len(rawSecretMap))
    92. 

  92. 	for key, value := range rawSecretMap {
    93. 

  93. 		secretMap[key] = []byte(value)
    94. 

  94. 	}
    95. 

  95. 	return secretMap, nil
    96. 

  96. }
    97. 

  97. 

  98. // GetAllSecrets retrieves all secrets matching the given criteria.
    99. 

  99. func (c *Client) GetAllSecrets(_ context.Context, _ esapi.ExternalSecretFind) (map[string][]byte, error) {
    100. 

  100. 	return nil, errors.New(notImplemented)
    101. 

  101. }
    102. 

  102. 

  103. // PushSecret creates or updates a secret in Volcengine Secrets Manager.
    104. 

  104. func (c *Client) PushSecret(_ context.Context, _ *corev1.Secret, _ esapi.PushSecretData) error {
    105. 

  105. 	return errors.New(notImplemented)
    106. 

  106. }
    107. 

  107. 

  108. // DeleteSecret deletes a secret from Volcengine Secrets Manager.
    109. 

  109. func (c *Client) DeleteSecret(_ context.Context, _ esapi.PushSecretRemoteRef) error {
    110. 

  110. 	return errors.New(notImplemented)
    111. 

  111. }
    112. 

  112. 

  113. // Close is a no-op for the Volcengine client.
    114. 

  114. func (c *Client) Close(_ context.Context) error {
    115. 

  115. 	return nil
    116. 

  116. }
    117. 

  117. 

  118. func (c *Client) getSecretValue(ctx context.Context, ref esapi.ExternalSecretDataRemoteRef) ([]byte, error) {
    119. 

  119. 	output, err := c.kms.GetSecretValueWithContext(ctx, &kms.GetSecretValueInput{
    120. 

  120. 		SecretName: &ref.Key,
    121. 

  121. 		VersionID:  resolveVersion(ref),
    122. 

  122. 	})
    123. 

  123. 	if err != nil {
    124. 

  124. 		return nil, err
    125. 

  125. 	}
    126. 

  126. 

  127. 	if output.SecretValue == nil {
    128. 

  128. 		return nil, fmt.Errorf("secret %s has no value", ref.Key)
    129. 

  129. 	}
    130. 

  130. 

  131. 	secret := []byte(*output.SecretValue)
    132. 

  132. 

  133. 	if ref.Property == "" {
    134. 

  134. 		return secret, nil
    135. 

  135. 	}
    136. 

  136. 

  137. 	return extractProperty(secret, ref.Property)
    138. 

  138. }
    139. 

  139. 

  140. func extractProperty(secret []byte, property string) ([]byte, error) {
    141. 

  141. 	var secretMap map[string]json.RawMessage
    142. 

  142. 	if err := json.Unmarshal(secret, &secretMap); err != nil {
    143. 

  143. 		// Do not wrap the original error as json.Unmarshal errors may contain
    144. 

  144. 		// sensitive secret data in the error message
    145. 

  145. 		return nil, errors.New("failed to unmarshal secret: invalid JSON format")
    146. 

  146. 	}
    147. 

  147. 

  148. 	value, ok := secretMap[property]
    149. 

  149. 	if !ok {
    150. 

  150. 		return nil, fmt.Errorf("property %q not found in secret", property)
    151. 

  151. 	}
    152. 

  152. 

  153. 	var s string
    154. 

  154. 	if json.Unmarshal(value, &s) == nil {
    155. 

  155. 		return []byte(s), nil
    156. 

  156. 	}
    157. 

  157. 	return value, nil
    158. 

  158. }
    159. 

  159. 

  160. func resolveVersion(ref esapi.ExternalSecretDataRemoteRef) *string {
    161. 

  161. 	if ref.Version != "" {
    162. 

  162. 		return &ref.Version
    163. 

  163. 	}
    164. 

  164. 	return nil
    165. 

  165. }
    166.