kms.go 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361
  1. /*
  2. Copyright © 2025 ESO Maintainer Team
  3. Licensed under the Apache License, Version 2.0 (the "License");
  4. you may not use this file except in compliance with the License.
  5. You may obtain a copy of the License at
  6. https://www.apache.org/licenses/LICENSE-2.0
  7. Unless required by applicable law or agreed to in writing, software
  8. distributed under the License is distributed on an "AS IS" BASIS,
  9. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  10. See the License for the specific language governing permissions and
  11. limitations under the License.
  12. */
  13. package alibaba
  14. import (
  15. "context"
  16. "encoding/json"
  17. "errors"
  18. "fmt"
  19. openapi "github.com/alibabacloud-go/darabonba-openapi/v2/client"
  20. kmssdk "github.com/alibabacloud-go/kms-20160120/v3/client"
  21. util "github.com/alibabacloud-go/tea-utils/v2/service"
  22. credential "github.com/aliyun/credentials-go/credentials"
  23. "github.com/avast/retry-go/v4"
  24. "github.com/tidwall/gjson"
  25. corev1 "k8s.io/api/core/v1"
  26. kclient "sigs.k8s.io/controller-runtime/pkg/client"
  27. "sigs.k8s.io/controller-runtime/pkg/webhook/admission"
  28. esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
  29. "github.com/external-secrets/external-secrets/pkg/utils"
  30. "github.com/external-secrets/external-secrets/pkg/utils/resolvers"
  31. )
  32. const (
  33. errAlibabaClient = "cannot setup new Alibaba client: %w"
  34. errUninitalizedAlibabaProvider = "provider Alibaba is not initialized"
  35. errFetchAccessKeyID = "could not fetch AccessKeyID secret: %w"
  36. errFetchAccessKeySecret = "could not fetch AccessKeySecret secret: %w"
  37. errNotImplemented = "not implemented"
  38. )
  39. // https://github.com/external-secrets/external-secrets/issues/644
  40. var _ esv1.SecretsClient = &KeyManagementService{}
  41. var _ esv1.Provider = &KeyManagementService{}
  42. type KeyManagementService struct {
  43. Client SMInterface
  44. Config *openapi.Config
  45. }
  46. type SMInterface interface {
  47. GetSecretValue(ctx context.Context, request *kmssdk.GetSecretValueRequest) (*kmssdk.GetSecretValueResponseBody, error)
  48. Endpoint() string
  49. }
  50. func (kms *KeyManagementService) PushSecret(_ context.Context, _ *corev1.Secret, _ esv1.PushSecretData) error {
  51. return errors.New(errNotImplemented)
  52. }
  53. func (kms *KeyManagementService) DeleteSecret(_ context.Context, _ esv1.PushSecretRemoteRef) error {
  54. return errors.New(errNotImplemented)
  55. }
  56. func (kms *KeyManagementService) SecretExists(_ context.Context, _ esv1.PushSecretRemoteRef) (bool, error) {
  57. return false, errors.New(errNotImplemented)
  58. }
  59. // Empty GetAllSecrets.
  60. func (kms *KeyManagementService) GetAllSecrets(_ context.Context, _ esv1.ExternalSecretFind) (map[string][]byte, error) {
  61. // TO be implemented
  62. return nil, errors.New(errNotImplemented)
  63. }
  64. // GetSecret returns a single secret from the provider.
  65. func (kms *KeyManagementService) GetSecret(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) ([]byte, error) {
  66. if utils.IsNil(kms.Client) {
  67. return nil, errors.New(errUninitalizedAlibabaProvider)
  68. }
  69. request := &kmssdk.GetSecretValueRequest{
  70. SecretName: &ref.Key,
  71. }
  72. if ref.Version != "" {
  73. request.VersionId = &ref.Version
  74. }
  75. secretOut, err := kms.Client.GetSecretValue(ctx, request)
  76. if err != nil {
  77. return nil, SanitizeErr(err)
  78. }
  79. if ref.Property == "" {
  80. if utils.Deref(secretOut.SecretData) != "" {
  81. return []byte(utils.Deref(secretOut.SecretData)), nil
  82. }
  83. return nil, fmt.Errorf("invalid secret received. no secret string nor binary for key: %s", ref.Key)
  84. }
  85. var payload string
  86. if utils.Deref(secretOut.SecretData) != "" {
  87. payload = utils.Deref(secretOut.SecretData)
  88. }
  89. val := gjson.Get(payload, ref.Property)
  90. if !val.Exists() {
  91. return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Property, ref.Key)
  92. }
  93. return []byte(val.String()), nil
  94. }
  95. // GetSecretMap returns multiple k/v pairs from the provider.
  96. func (kms *KeyManagementService) GetSecretMap(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
  97. data, err := kms.GetSecret(ctx, ref)
  98. if err != nil {
  99. return nil, err
  100. }
  101. kv := make(map[string]string)
  102. err = json.Unmarshal(data, &kv)
  103. if err != nil {
  104. return nil, fmt.Errorf("unable to unmarshal secret %s: %w", ref.Key, err)
  105. }
  106. secretData := make(map[string][]byte)
  107. for k, v := range kv {
  108. secretData[k] = []byte(v)
  109. }
  110. return secretData, nil
  111. }
  112. // Capabilities return the provider supported capabilities (ReadOnly, WriteOnly, ReadWrite).
  113. func (kms *KeyManagementService) Capabilities() esv1.SecretStoreCapabilities {
  114. return esv1.SecretStoreReadOnly
  115. }
  116. // NewClient constructs a new secrets client based on the provided store.
  117. func (kms *KeyManagementService) NewClient(ctx context.Context, store esv1.GenericStore, kube kclient.Client, namespace string) (esv1.SecretsClient, error) {
  118. storeSpec := store.GetSpec()
  119. alibabaSpec := storeSpec.Provider.Alibaba
  120. credentials, err := newAuth(ctx, kube, store, namespace)
  121. if err != nil {
  122. return nil, fmt.Errorf("failed to create Alibaba credentials: %w", err)
  123. }
  124. config := &openapi.Config{
  125. RegionId: utils.Ptr(alibabaSpec.RegionID),
  126. Credential: credentials,
  127. }
  128. options := newOptions(store)
  129. client, err := newClient(config, options)
  130. if err != nil {
  131. return nil, fmt.Errorf(errAlibabaClient, err)
  132. }
  133. kms.Client = client
  134. kms.Config = config
  135. return kms, nil
  136. }
  137. func newOptions(store esv1.GenericStore) *util.RuntimeOptions {
  138. storeSpec := store.GetSpec()
  139. options := &util.RuntimeOptions{}
  140. // Setup retry options, if present in storeSpec
  141. if storeSpec.RetrySettings != nil {
  142. var retryAmount int
  143. if storeSpec.RetrySettings.MaxRetries != nil {
  144. retryAmount = int(*storeSpec.RetrySettings.MaxRetries)
  145. } else {
  146. retryAmount = 3
  147. }
  148. options.Autoretry = utils.Ptr(true)
  149. options.MaxAttempts = utils.Ptr(retryAmount)
  150. }
  151. return options
  152. }
  153. func newAuth(ctx context.Context, kube kclient.Client, store esv1.GenericStore, namespace string) (credential.Credential, error) {
  154. storeSpec := store.GetSpec()
  155. alibabaSpec := storeSpec.Provider.Alibaba
  156. switch {
  157. case alibabaSpec.Auth.RRSAAuth != nil:
  158. credentials, err := newRRSAAuth(store)
  159. if err != nil {
  160. return nil, fmt.Errorf("failed to create Alibaba OIDC credentials: %w", err)
  161. }
  162. return credentials, nil
  163. case alibabaSpec.Auth.SecretRef != nil:
  164. credentials, err := newAccessKeyAuth(ctx, kube, store, namespace)
  165. if err != nil {
  166. return nil, fmt.Errorf("failed to create Alibaba AccessKey credentials: %w", err)
  167. }
  168. return credentials, nil
  169. default:
  170. return nil, errors.New("alibaba authentication methods wasn't provided")
  171. }
  172. }
  173. func newRRSAAuth(store esv1.GenericStore) (credential.Credential, error) {
  174. storeSpec := store.GetSpec()
  175. alibabaSpec := storeSpec.Provider.Alibaba
  176. credentialConfig := &credential.Config{
  177. OIDCProviderArn: &alibabaSpec.Auth.RRSAAuth.OIDCProviderARN,
  178. OIDCTokenFilePath: &alibabaSpec.Auth.RRSAAuth.OIDCTokenFilePath,
  179. RoleArn: &alibabaSpec.Auth.RRSAAuth.RoleARN,
  180. RoleSessionName: &alibabaSpec.Auth.RRSAAuth.SessionName,
  181. Type: utils.Ptr("oidc_role_arn"),
  182. ConnectTimeout: utils.Ptr(30 * 1000),
  183. Timeout: utils.Ptr(60 * 1000),
  184. }
  185. return credential.NewCredential(credentialConfig)
  186. }
  187. func newAccessKeyAuth(ctx context.Context, kube kclient.Client, store esv1.GenericStore, namespace string) (credential.Credential, error) {
  188. storeSpec := store.GetSpec()
  189. alibabaSpec := storeSpec.Provider.Alibaba
  190. storeKind := store.GetObjectKind().GroupVersionKind().Kind
  191. accessKeyID, err := resolvers.SecretKeyRef(ctx, kube, storeKind, namespace, &alibabaSpec.Auth.SecretRef.AccessKeyID)
  192. if err != nil {
  193. return nil, fmt.Errorf(errFetchAccessKeyID, err)
  194. }
  195. accessKeySecret, err := resolvers.SecretKeyRef(ctx, kube, storeKind, namespace, &alibabaSpec.Auth.SecretRef.AccessKeySecret)
  196. if err != nil {
  197. return nil, fmt.Errorf(errFetchAccessKeySecret, err)
  198. }
  199. credentialConfig := &credential.Config{
  200. AccessKeyId: utils.Ptr(accessKeyID),
  201. AccessKeySecret: utils.Ptr(accessKeySecret),
  202. Type: utils.Ptr("access_key"),
  203. ConnectTimeout: utils.Ptr(30),
  204. Timeout: utils.Ptr(60),
  205. }
  206. return credential.NewCredential(credentialConfig)
  207. }
  208. func (kms *KeyManagementService) Close(_ context.Context) error {
  209. return nil
  210. }
  211. func (kms *KeyManagementService) Validate() (esv1.ValidationResult, error) {
  212. err := retry.Do(
  213. func() error {
  214. _, err := kms.Config.Credential.GetCredential()
  215. if err != nil {
  216. return err
  217. }
  218. return nil
  219. },
  220. retry.Attempts(5),
  221. )
  222. if err != nil {
  223. return esv1.ValidationResultError, SanitizeErr(err)
  224. }
  225. return esv1.ValidationResultReady, nil
  226. }
  227. func (kms *KeyManagementService) ValidateStore(store esv1.GenericStore) (admission.Warnings, error) {
  228. storeSpec := store.GetSpec()
  229. alibabaSpec := storeSpec.Provider.Alibaba
  230. regionID := alibabaSpec.RegionID
  231. if regionID == "" {
  232. return nil, errors.New("missing alibaba region")
  233. }
  234. return nil, kms.validateStoreAuth(store)
  235. }
  236. func (kms *KeyManagementService) validateStoreAuth(store esv1.GenericStore) error {
  237. storeSpec := store.GetSpec()
  238. alibabaSpec := storeSpec.Provider.Alibaba
  239. switch {
  240. case alibabaSpec.Auth.RRSAAuth != nil:
  241. return kms.validateStoreRRSAAuth(store)
  242. case alibabaSpec.Auth.SecretRef != nil:
  243. return kms.validateStoreAccessKeyAuth(store)
  244. default:
  245. return errors.New("missing alibaba auth provider")
  246. }
  247. }
  248. func (kms *KeyManagementService) validateStoreRRSAAuth(store esv1.GenericStore) error {
  249. storeSpec := store.GetSpec()
  250. alibabaSpec := storeSpec.Provider.Alibaba
  251. if alibabaSpec.Auth.RRSAAuth.OIDCProviderARN == "" {
  252. return errors.New("missing alibaba OIDC proivder ARN")
  253. }
  254. if alibabaSpec.Auth.RRSAAuth.OIDCTokenFilePath == "" {
  255. return errors.New("missing alibaba OIDC token file path")
  256. }
  257. if alibabaSpec.Auth.RRSAAuth.RoleARN == "" {
  258. return errors.New("missing alibaba Assume Role ARN")
  259. }
  260. if alibabaSpec.Auth.RRSAAuth.SessionName == "" {
  261. return errors.New("missing alibaba session name")
  262. }
  263. return nil
  264. }
  265. func (kms *KeyManagementService) validateStoreAccessKeyAuth(store esv1.GenericStore) error {
  266. storeSpec := store.GetSpec()
  267. alibabaSpec := storeSpec.Provider.Alibaba
  268. accessKeyID := alibabaSpec.Auth.SecretRef.AccessKeyID
  269. err := utils.ValidateSecretSelector(store, accessKeyID)
  270. if err != nil {
  271. return err
  272. }
  273. if accessKeyID.Name == "" {
  274. return errors.New("missing alibaba access ID name")
  275. }
  276. if accessKeyID.Key == "" {
  277. return errors.New("missing alibaba access ID key")
  278. }
  279. accessKeySecret := alibabaSpec.Auth.SecretRef.AccessKeySecret
  280. err = utils.ValidateSecretSelector(store, accessKeySecret)
  281. if err != nil {
  282. return err
  283. }
  284. if accessKeySecret.Name == "" {
  285. return errors.New("missing alibaba access key secret name")
  286. }
  287. if accessKeySecret.Key == "" {
  288. return errors.New("missing alibaba access key secret key")
  289. }
  290. return nil
  291. }
  292. func init() {
  293. esv1.Register(&KeyManagementService{}, &esv1.SecretStoreProvider{
  294. Alibaba: &esv1.AlibabaProvider{},
  295. }, esv1.MaintenanceStatusNotMaintained)
  296. }