logic855
/
helm-external-secrets
Mirror von https://github.com/external-secrets/external-secrets


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190
							package remote

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"log"

	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
	pb "github.com/external-secrets/external-secrets/pkg/plugin/grpc"
	"google.golang.org/grpc"
	"sigs.k8s.io/controller-runtime/pkg/client"
)

// Client is a small wrapper to map ESO SecretsClient to gRPC calls
type Client struct {
	store     esv1beta1.GenericStore
	namespace string
	kube      client.Client

	conn       *grpc.ClientConn
	grpcClient pb.SecretsClientClient
}

func (s *Client) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
	storeBytes, err := json.Marshal(s.store)
	if err != nil {
		return nil, err
	}
	objects, err := aggregateObjects(ctx, s.store, s.kube, s.namespace)
	if err != nil {
		return nil, err
	}
	log.Printf("rpc sending objects=%s", string(objects))
	res, err := s.grpcClient.GetSecret(ctx, &pb.GetSecretRequest{
		Store:     storeBytes,
		Namespace: s.namespace,
		Objects:   objects,
		RemoteRef: &pb.RemoteRef{
			Key:                ref.Key,
			Property:           ref.Property,
			Version:            ref.Version,
			MetadataPolicy:     string(ref.MetadataPolicy),
			ConversionStrategy: string(ref.ConversionStrategy),
			DecodingStrategy:   string(ref.DecodingStrategy),
		},
	})
	if err != nil {
		return nil, fmt.Errorf("unable to rpc: %w", err)
	}
	log.Printf("rpc secret=%s, err=%s", string(res.Secret), res.Error)
	if res.Error != "" {
		nse := esv1beta1.NoSecretError{}
		if res.Error == nse.Error() {
			return nil, nse
		}
		return nil, errors.New(res.Error)
	}
	return res.Secret, nil
}

func (s *Client) PushSecret(ctx context.Context, value []byte, remoteRef esv1beta1.PushRemoteRef) error {
	storeBytes, err := json.Marshal(s.store)
	if err != nil {
		return err
	}
	objects, err := aggregateObjects(ctx, s.store, s.kube, s.namespace)
	if err != nil {
		return err
	}
	res, err := s.grpcClient.PushSecret(ctx, &pb.PushSecretRequest{
		Store:     storeBytes,
		Namespace: s.namespace,
		Objects:   objects,
		Secret:    value,
		RemoteRef: &pb.PushRemoteRef{
			RemoteKey: remoteRef.GetRemoteKey(),
			Property:  remoteRef.GetProperty(),
		},
	})
	if err != nil {
		return fmt.Errorf("unable to rpc: %w", err)
	}
	if res.Error != "" {
		return fmt.Errorf("rpc error: %s", res.Error)
	}
	return nil
}

func (s *Client) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushRemoteRef) error {
	storeBytes, err := json.Marshal(s.store)
	if err != nil {
		return err
	}
	objects, err := aggregateObjects(ctx, s.store, s.kube, s.namespace)
	if err != nil {
		return err
	}
	res, err := s.grpcClient.DeleteSecret(ctx, &pb.DeleteSecretRequest{
		Store:     storeBytes,
		Namespace: s.namespace,
		Objects:   objects,
		RemoteRef: &pb.PushRemoteRef{
			RemoteKey: remoteRef.GetRemoteKey(),
			Property:  remoteRef.GetProperty(),
		},
	})
	if err != nil {
		return fmt.Errorf("unable to rpc: %w", err)
	}
	if res.Error != "" {
		return fmt.Errorf("rpc error: %s", res.Error)
	}
	return nil
}

func (s *Client) Validate() (esv1beta1.ValidationResult, error) {
	return esv1beta1.ValidationResultUnknown, nil
}

func (s *Client) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
	storeBytes, err := json.Marshal(s.store)
	if err != nil {
		return nil, err
	}
	objects, err := aggregateObjects(ctx, s.store, s.kube, s.namespace)
	if err != nil {
		return nil, err
	}
	res, err := s.grpcClient.GetSecretMap(ctx, &pb.GetSecretMapRequest{
		Store:     storeBytes,
		Namespace: s.namespace,
		Objects:   objects,
		RemoteRef: &pb.RemoteRef{
			Key:                ref.Key,
			Property:           ref.Property,
			Version:            ref.Version,
			MetadataPolicy:     string(ref.MetadataPolicy),
			ConversionStrategy: string(ref.ConversionStrategy),
			DecodingStrategy:   string(ref.DecodingStrategy),
		},
	})
	if err != nil {
		return nil, fmt.Errorf("unable to rpc: %w", err)
	}
	if res.Error != "" {
		return nil, fmt.Errorf("rpc error: %s", res.Error)
	}
	return res.Data, nil
}

func (s *Client) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
	storeBytes, err := json.Marshal(s.store)
	if err != nil {
		return nil, err
	}
	findRef := &pb.ExternalSecretFind{
		Tags:               ref.Tags,
		ConversionStrategy: string(ref.ConversionStrategy),
		DecodingStrategy:   string(ref.DecodingStrategy),
	}
	if ref.Path != nil {
		findRef.Path = *ref.Path
	}
	if ref.Name != nil {
		findRef.FindNameRegexp = ref.Name.RegExp
	}
	objects, err := aggregateObjects(ctx, s.store, s.kube, s.namespace)
	if err != nil {
		return nil, err
	}
	res, err := s.grpcClient.GetAllSecrets(ctx, &pb.GetAllSecretsRequest{
		Store:     storeBytes,
		Namespace: s.namespace,
		Objects:   objects,
		RemoteRef: findRef,
	})
	if err != nil {
		return nil, fmt.Errorf("unable to rpc: %w", err)
	}
	if res.Error != "" {
		return nil, fmt.Errorf("rpc error: %s", res.Error)
	}
	return res.Data, nil
}

func (s *Client) Close(ctx context.Context) error {
	return s.conn.Close()
}