pulumi.go 5.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181
  1. /*
  2. Licensed under the Apache License, Version 2.0 (the "License");
  3. you may not use this file except in compliance with the License.
  4. You may obtain a copy of the License at
  5. http://www.apache.org/licenses/LICENSE-2.0
  6. Unless required by applicable law or agreed to in writing, software
  7. distributed under the License is distributed on an "AS IS" BASIS,
  8. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  9. See the License for the specific language governing permissions and
  10. limitations under the License.
  11. */
  12. package pulumi
  13. import (
  14. "context"
  15. "errors"
  16. "fmt"
  17. "strings"
  18. "dario.cat/mergo"
  19. esc "github.com/pulumi/esc-sdk/sdk/go"
  20. corev1 "k8s.io/api/core/v1"
  21. esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
  22. "github.com/external-secrets/external-secrets/pkg/utils"
  23. )
  24. type client struct {
  25. escClient esc.EscClient
  26. authCtx context.Context
  27. environment string
  28. organization string
  29. }
  30. const (
  31. errPushSecretsNotSupported = "pushing secrets is currently not supported by Pulumi"
  32. errDeleteSecretsNotSupported = "deleting secrets is currently not supported by Pulumi"
  33. errUnableToGetValues = "unable to get value for key %s: %w"
  34. errGettingAllSecretsNotSupported = "getting all secrets is currently not supported by Pulumi"
  35. errReadEnvironment = "error reading environment : %w"
  36. errPushSecrets = "error pushing secret: %w"
  37. errInterfaceType = "interface{} is not of type map[string]interface{}"
  38. errPushWholeSecret = "pushing the whole secret is not yet implemented"
  39. )
  40. var _ esv1beta1.SecretsClient = &client{}
  41. func (c *client) GetSecret(_ context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
  42. env, err := c.escClient.OpenEnvironment(c.authCtx, c.organization, c.environment)
  43. if err != nil {
  44. return nil, err
  45. }
  46. value, _, err := c.escClient.ReadEnvironmentProperty(c.authCtx, c.organization, c.environment, env.GetId(), ref.Key)
  47. if err != nil {
  48. return nil, err
  49. }
  50. return utils.GetByteValue(value.GetValue())
  51. }
  52. func createSubmaps(input map[string]interface{}) map[string]interface{} {
  53. result := make(map[string]interface{})
  54. for key, value := range input {
  55. keys := strings.Split(key, ".")
  56. current := result
  57. for i, k := range keys {
  58. if i == len(keys)-1 {
  59. current[k] = value
  60. } else {
  61. if _, exists := current[k]; !exists {
  62. current[k] = make(map[string]interface{})
  63. }
  64. current = current[k].(map[string]interface{})
  65. }
  66. }
  67. }
  68. return result
  69. }
  70. func (c *client) PushSecret(_ context.Context, secret *corev1.Secret, data esv1beta1.PushSecretData) error {
  71. secretKey := data.GetSecretKey()
  72. if secretKey == "" {
  73. return errors.New(errPushWholeSecret)
  74. }
  75. value := secret.Data[secretKey]
  76. updatePayload := &esc.EnvironmentDefinition{
  77. Values: &esc.EnvironmentDefinitionValues{
  78. AdditionalProperties: map[string]interface{}{
  79. data.GetRemoteKey(): string(value),
  80. },
  81. },
  82. }
  83. _, oldValues, err := c.escClient.OpenAndReadEnvironment(c.authCtx, c.organization, c.environment)
  84. if err != nil {
  85. return fmt.Errorf(errReadEnvironment, err)
  86. }
  87. updatePayload.Values.AdditionalProperties = createSubmaps(updatePayload.Values.AdditionalProperties)
  88. if err := mergo.Merge(&updatePayload.Values.AdditionalProperties, oldValues); err != nil {
  89. return fmt.Errorf(errPushSecrets, err)
  90. }
  91. _, err = c.escClient.UpdateEnvironment(c.authCtx, c.organization, c.environment, updatePayload)
  92. if err != nil {
  93. return fmt.Errorf(errPushSecrets, err)
  94. }
  95. return nil
  96. }
  97. func (c *client) SecretExists(_ context.Context, _ esv1beta1.PushSecretRemoteRef) (bool, error) {
  98. return false, errors.New(errPushSecretsNotSupported)
  99. }
  100. func (c *client) DeleteSecret(_ context.Context, _ esv1beta1.PushSecretRemoteRef) error {
  101. return errors.New(errDeleteSecretsNotSupported)
  102. }
  103. func (c *client) Validate() (esv1beta1.ValidationResult, error) {
  104. return esv1beta1.ValidationResultReady, nil
  105. }
  106. func GetMapFromInterface(i interface{}) (map[string][]byte, error) {
  107. // Assert the interface{} to map[string]interface{}
  108. m, ok := i.(map[string]interface{})
  109. if !ok {
  110. return nil, errors.New(errInterfaceType)
  111. }
  112. // Create a new map to hold the result
  113. result := make(map[string][]byte)
  114. // Iterate over the map and convert each value to []byte
  115. for key, value := range m {
  116. result[key], _ = utils.GetByteValue(value)
  117. }
  118. return result, nil
  119. }
  120. func (c *client) GetSecretMap(_ context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
  121. env, err := c.escClient.OpenEnvironment(c.authCtx, c.organization, c.environment)
  122. if err != nil {
  123. return nil, err
  124. }
  125. value, _, err := c.escClient.ReadEnvironmentProperty(c.authCtx, c.organization, c.environment, env.GetId(), ref.Key)
  126. if err != nil {
  127. return nil, err
  128. }
  129. kv, _ := GetMapFromInterface(value.GetValue())
  130. secretData := make(map[string][]byte)
  131. for k, v := range kv {
  132. byteValue, err := utils.GetByteValue(v)
  133. if err != nil {
  134. return nil, err
  135. }
  136. val := esc.Value{}
  137. err = val.UnmarshalJSON(byteValue)
  138. if err != nil {
  139. return nil, err
  140. }
  141. secretData[k], err = utils.GetByteValue(val.Value)
  142. if err != nil {
  143. return nil, fmt.Errorf(errUnableToGetValues, k, err)
  144. }
  145. }
  146. return secretData, nil
  147. }
  148. func (c *client) GetAllSecrets(_ context.Context, _ esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
  149. return nil, errors.New(errGettingAllSecretsNotSupported)
  150. }
  151. func (c *client) Close(context.Context) error {
  152. return nil
  153. }