client.go 5.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178
  1. /*
  2. Copyright © The ESO Authors
  3. Licensed under the Apache License, Version 2.0 (the "License");
  4. you may not use this file except in compliance with the License.
  5. You may obtain a copy of the License at
  6. https://www.apache.org/licenses/LICENSE-2.0
  7. Unless required by applicable law or agreed to in writing, software
  8. distributed under the License is distributed on an "AS IS" BASIS,
  9. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  10. See the License for the specific language governing permissions and
  11. limitations under the License.
  12. */
  13. package conjur
  14. import (
  15. "context"
  16. "errors"
  17. "fmt"
  18. "github.com/cyberark/conjur-api-go/conjurapi"
  19. "github.com/cyberark/conjur-api-go/conjurapi/authn"
  20. corev1 "k8s.io/api/core/v1"
  21. typedcorev1 "k8s.io/client-go/kubernetes/typed/core/v1"
  22. "sigs.k8s.io/controller-runtime/pkg/client"
  23. esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
  24. conjurutil "github.com/external-secrets/external-secrets/providers/v1/conjur/util"
  25. "github.com/external-secrets/external-secrets/runtime/esutils"
  26. "github.com/external-secrets/external-secrets/runtime/esutils/resolvers"
  27. )
  28. var (
  29. errConjurClient = "cannot setup new Conjur client: %w"
  30. errBadServiceUser = "could not get Auth.Apikey.UserRef: %w"
  31. errBadServiceAPIKey = "could not get Auth.Apikey.ApiKeyRef: %w"
  32. errGetKubeSATokenRequest = "cannot request Kubernetes service account token for service account %q: %w"
  33. errSecretKeyFmt = "cannot find secret data for key: %q"
  34. )
  35. // Client is a provider for Conjur.
  36. type Client struct {
  37. StoreKind string
  38. kube client.Client
  39. store esv1.GenericStore
  40. namespace string
  41. corev1 typedcorev1.CoreV1Interface
  42. clientAPI SecretsClientFactory
  43. client SecretsClient
  44. }
  45. // GetConjurClient returns an authenticated Conjur client.
  46. // If a client is already initialized, it returns the existing client.
  47. // Otherwise, it creates a new client based on the authentication method specified.
  48. func (c *Client) GetConjurClient(ctx context.Context) (SecretsClient, error) {
  49. // if the client is initialized already, return it
  50. if c.client != nil {
  51. return c.client, nil
  52. }
  53. prov, err := conjurutil.GetConjurProvider(c.store)
  54. if err != nil {
  55. return nil, err
  56. }
  57. cert, getCertErr := esutils.FetchCACertFromSource(ctx, esutils.CreateCertOpts{
  58. CABundle: []byte(prov.CABundle),
  59. CAProvider: prov.CAProvider,
  60. StoreKind: c.store.GetKind(),
  61. Namespace: c.namespace,
  62. Client: c.kube,
  63. })
  64. if getCertErr != nil {
  65. return nil, getCertErr
  66. }
  67. config := conjurapi.Config{
  68. ApplianceURL: prov.URL,
  69. SSLCert: string(cert),
  70. // disable credential storage, as it depends on a writable
  71. // file system, which we can't rely on - it would fail.
  72. CredentialStorage: conjurapi.CredentialStorageNone,
  73. }
  74. if prov.Auth.APIKey != nil {
  75. return c.conjurClientFromAPIKey(ctx, config, prov)
  76. }
  77. if prov.Auth.Jwt != nil {
  78. return c.conjurClientFromJWT(ctx, config, prov)
  79. }
  80. // Should not happen because validate func should catch this
  81. return nil, errors.New("no authentication method provided")
  82. }
  83. // PushSecret will write a single secret into the provider.
  84. func (c *Client) PushSecret(_ context.Context, _ *corev1.Secret, _ esv1.PushSecretData) error {
  85. return errors.New("pushing secrets is not implemented for the Conjur provider")
  86. }
  87. // DeleteSecret removes a secret from the provider.
  88. func (c *Client) DeleteSecret(_ context.Context, _ esv1.PushSecretRemoteRef) error {
  89. return errors.New("deleting secrets is not implemented for the Conjur provider")
  90. }
  91. // SecretExists checks if a secret exists in the provider.
  92. func (c *Client) SecretExists(_ context.Context, _ esv1.PushSecretRemoteRef) (bool, error) {
  93. return false, errors.New("not implemented")
  94. }
  95. // Validate validates the provider configuration.
  96. func (c *Client) Validate() (esv1.ValidationResult, error) {
  97. return esv1.ValidationResultReady, nil
  98. }
  99. // Close closes the provider.
  100. func (c *Client) Close(_ context.Context) error {
  101. return nil
  102. }
  103. // conjurClientFromAPIKey creates a new Conjur client using API key authentication.
  104. func (c *Client) conjurClientFromAPIKey(ctx context.Context, config conjurapi.Config, prov *esv1.ConjurProvider) (SecretsClient, error) {
  105. config.Account = prov.Auth.APIKey.Account
  106. conjUser, secErr := resolvers.SecretKeyRef(
  107. ctx,
  108. c.kube,
  109. c.StoreKind,
  110. c.namespace, prov.Auth.APIKey.UserRef)
  111. if secErr != nil {
  112. return nil, fmt.Errorf(errBadServiceUser, secErr)
  113. }
  114. conjAPIKey, secErr := resolvers.SecretKeyRef(
  115. ctx,
  116. c.kube,
  117. c.StoreKind,
  118. c.namespace,
  119. prov.Auth.APIKey.APIKeyRef)
  120. if secErr != nil {
  121. return nil, fmt.Errorf(errBadServiceAPIKey, secErr)
  122. }
  123. conjur, newClientFromKeyError := c.clientAPI.NewClientFromKey(config,
  124. authn.LoginPair{
  125. Login: conjUser,
  126. APIKey: conjAPIKey,
  127. },
  128. )
  129. if newClientFromKeyError != nil {
  130. return nil, fmt.Errorf(errConjurClient, newClientFromKeyError)
  131. }
  132. c.client = conjur
  133. return conjur, nil
  134. }
  135. func (c *Client) conjurClientFromJWT(ctx context.Context, config conjurapi.Config, prov *esv1.ConjurProvider) (SecretsClient, error) {
  136. config.AuthnType = "jwt"
  137. config.Account = prov.Auth.Jwt.Account
  138. config.JWTHostID = prov.Auth.Jwt.HostID
  139. config.ServiceID = prov.Auth.Jwt.ServiceID
  140. jwtToken, getJWTError := c.getJWTToken(ctx, prov.Auth.Jwt)
  141. if getJWTError != nil {
  142. return nil, getJWTError
  143. }
  144. config.JWTContent = jwtToken
  145. conjur, clientError := c.clientAPI.NewClientFromJWT(config)
  146. if clientError != nil {
  147. return nil, fmt.Errorf(errConjurClient, clientError)
  148. }
  149. c.client = conjur
  150. return conjur, nil
  151. }