refactor: use secret types in core v1 pkg (#714)

pkg/apis/core/v1/workspace.go

@@ -194,6 +194,18 @@ const (
 	VaultKVStoreV2 VaultKVStoreVersion = "v2"
 )
 
+// ExternalSecretRef contains information that points to the secret store data location.
+type ExternalSecretRef struct {
+	// Specifies the name of the secret in Provider to read, mandatory.
+	Name string `yaml:"name" json:"name"`
+
+	// Specifies the version of the secret to return, if supported.
+	Version string `yaml:"version,omitempty" json:"version,omitempty"`
+
+	// Used to select a specific property of the secret data (if a map), if supported.
+	Property string `yaml:"property,omitempty" json:"property,omitempty"`
+}
+
 // SecretStoreSpec contains configuration to describe target secret store.
 type SecretStoreSpec struct {
 	Provider *ProviderSpec `yaml:"provider" json:"provider"`
@@ -209,6 +221,9 @@ type ProviderSpec struct {
 
 	// Vault configures a store to retrieve secrets from HashiCorp Vault.
 	Vault *VaultProvider `yaml:"vault,omitempty" json:"vault,omitempty"`
+
+	// Azure configures a store to retrieve secrets from Azure KeyVault.
+	Azure *AzureKVProvider `yaml:"azure,omitempty" json:"azure,omitempty"`
 }
 
 // AlicloudProvider configures a store to retrieve secrets from Alicloud Secrets Manager.
@@ -241,3 +256,28 @@ type VaultProvider struct {
 	// "v2", defaults to "v2".
 	Version VaultKVStoreVersion `yaml:"version" json:"version"`
 }
+
+// AzureEnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure.
+type AzureEnvironmentType string
+
+const (
+	AzureEnvironmentPublicCloud       AzureEnvironmentType = "PublicCloud"
+	AzureEnvironmentUSGovernmentCloud AzureEnvironmentType = "USGovernmentCloud"
+	AzureEnvironmentChinaCloud        AzureEnvironmentType = "ChinaCloud"
+	AzureEnvironmentGermanCloud       AzureEnvironmentType = "GermanCloud"
+)
+
+// AzureKVProvider configures a store to retrieve secrets from Azure KeyVault
+type AzureKVProvider struct {
+	// Vault Url from which the secrets to be fetched from.
+	VaultURL *string `yaml:"vaultUrl" json:"vaultUrl"`
+
+	// TenantID configures the Azure Tenant to send requests to.
+	TenantID *string `yaml:"tenantId" json:"tenantId"`
+
+	// EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure.
+	// By-default it points to the public cloud AAD endpoint, and the following endpoints are available:
+	// PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
+	// Ref: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
+	EnvironmentType AzureEnvironmentType `yaml:"environmentType,omitempty" json:"environmentType,omitempty"`
+}

pkg/secrets/interfaces.go

@@ -3,17 +3,17 @@ package secrets
 import (
 	"context"
 
-	secretsapi "kusionstack.io/kusion/pkg/apis/secrets"
+	v1 "kusionstack.io/kusion/pkg/apis/core/v1"
 )
 
 // SecretStore provides the interface to interact with various cloud secret manager.
 type SecretStore interface {
 	// GetSecret retrieves ref secret from various cloud secret manager.
-	GetSecret(ctx context.Context, ref secretsapi.ExternalSecretRef) ([]byte, error)
+	GetSecret(ctx context.Context, ref v1.ExternalSecretRef) ([]byte, error)
 }
 
 // SecretStoreFactory is a factory type for secret store.
 type SecretStoreFactory interface {
 	// NewSecretStore constructs a usable secret store with specific provider spec.
-	NewSecretStore(spec secretsapi.SecretStoreSpec) (SecretStore, error)
+	NewSecretStore(spec v1.SecretStoreSpec) (SecretStore, error)
 }

pkg/secrets/providers.go

@@ -7,7 +7,7 @@ import (
 
 	"golang.org/x/exp/maps"
 
-	"kusionstack.io/kusion/pkg/apis/secrets"
+	v1 "kusionstack.io/kusion/pkg/apis/core/v1"
 	"kusionstack.io/kusion/pkg/log"
 )
 
@@ -25,7 +25,7 @@ func init() {
 }
 
 // Register a secret store provider with target spec.
-func Register(ssf SecretStoreFactory, spec *secrets.ProviderSpec) {
+func Register(ssf SecretStoreFactory, spec *v1.ProviderSpec) {
 	secretStoreProviders.register(ssf, spec)
 }
 
@@ -41,7 +41,7 @@ type Providers struct {
 
 // register registers a provider with associated spec. This
 // is expected to happen during app startup.
-func (ps *Providers) register(ssf SecretStoreFactory, spec *secrets.ProviderSpec) {
+func (ps *Providers) register(ssf SecretStoreFactory, spec *v1.ProviderSpec) {
 	providerName, err := getProviderName(spec)
 	if err != nil {
 		panic(fmt.Sprintf("provider registery failed to parse spec: %s", err.Error()))
@@ -70,7 +70,7 @@ func (ps *Providers) getProviderByName(providerName string) (SecretStoreFactory,
 	return provider, found
 }
 
-func getProviderName(spec *secrets.ProviderSpec) (string, error) {
+func getProviderName(spec *v1.ProviderSpec) (string, error) {
 	specBytes, err := json.Marshal(spec)
 	if err != nil || specBytes == nil {
 		return "", fmt.Errorf("failed to marshal secret store provider spec: %w", err)

pkg/secrets/providers/alicloud/secretsmanager/secretsmanager.go

@@ -6,7 +6,7 @@ import (
 	"os"
 	"strings"
 
-	secretsapi "kusionstack.io/kusion/pkg/apis/secrets"
+	"kusionstack.io/kusion/pkg/apis/core/v1"
 	"kusionstack.io/kusion/pkg/secrets"
 
 	"github.com/aliyun/aliyun-secretsmanager-client-go/sdk"
@@ -41,7 +41,7 @@ type smSecretStore struct {
 }
 
 // NewSecretStore constructs a Vault based secret store with specific secret store spec.
-func (p *DefaultFactory) NewSecretStore(spec secretsapi.SecretStoreSpec) (secrets.SecretStore, error) {
+func (p *DefaultFactory) NewSecretStore(spec v1.SecretStoreSpec) (secrets.SecretStore, error) {
 	providerSpec := spec.Provider
 	if providerSpec == nil {
 		return nil, fmt.Errorf(errMissingProviderSpec)
@@ -70,7 +70,7 @@ func getAlicloudClient(region string) (*sdk.SecretManagerCacheClient, error) {
 }
 
 // GetSecret retrieves ref secret value from Alicloud Secrets Manager.
-func (s *smSecretStore) GetSecret(ctx context.Context, ref secretsapi.ExternalSecretRef) ([]byte, error) {
+func (s *smSecretStore) GetSecret(ctx context.Context, ref v1.ExternalSecretRef) ([]byte, error) {
 	secretInfo, err := s.client.GetSecretInfo(ref.Name)
 	if err != nil {
 		return nil, err
@@ -115,7 +115,7 @@ func (s *smSecretStore) convertSecretToGjson(secretInfo *models.SecretInfo, refP
 }
 
 func init() {
-	secrets.Register(&DefaultFactory{}, &secretsapi.ProviderSpec{
-		Alicloud: &secretsapi.AlicloudProvider{},
+	secrets.Register(&DefaultFactory{}, &v1.ProviderSpec{
+		Alicloud: &v1.AlicloudProvider{},
 	})
 }

pkg/secrets/providers/alicloud/secretsmanager/secretsmanager_test.go

@@ -9,7 +9,7 @@ import (
 
 	"github.com/google/go-cmp/cmp"
 
-	secretsapi "kusionstack.io/kusion/pkg/apis/secrets"
+	"kusionstack.io/kusion/pkg/apis/core/v1"
 	"kusionstack.io/kusion/pkg/secrets/providers/alicloud/secretsmanager/fake"
 )
 
@@ -94,7 +94,7 @@ func TestGetSecret(t *testing.T) {
 
 	for name, tc := range testCases {
 		store := &smSecretStore{client: tc.client}
-		ref := secretsapi.ExternalSecretRef{
+		ref := v1.ExternalSecretRef{
 			Name:     tc.name,
 			Property: tc.property,
 		}
@@ -114,23 +114,23 @@ func TestGetSecret(t *testing.T) {
 
 func TestNewSecretStore(t *testing.T) {
 	testCases := map[string]struct {
-		spec        secretsapi.SecretStoreSpec
+		spec        v1.SecretStoreSpec
 		expectedErr error
 	}{
 		"InvalidSecretStoreSpec": {
-			spec:        secretsapi.SecretStoreSpec{},
+			spec:        v1.SecretStoreSpec{},
 			expectedErr: errors.New(errMissingProviderSpec),
 		},
 		"InvalidProviderSpec": {
-			spec: secretsapi.SecretStoreSpec{
-				Provider: &secretsapi.ProviderSpec{},
+			spec: v1.SecretStoreSpec{
+				Provider: &v1.ProviderSpec{},
 			},
 			expectedErr: errors.New(errMissingAlicloudProvider),
 		},
 		"ValidVaultProviderSpec": {
-			spec: secretsapi.SecretStoreSpec{
-				Provider: &secretsapi.ProviderSpec{
-					Alicloud: &secretsapi.AlicloudProvider{
+			spec: v1.SecretStoreSpec{
+				Provider: &v1.ProviderSpec{
+					Alicloud: &v1.AlicloudProvider{
 						Region: "cn-beijing",
 					},
 				},

pkg/secrets/providers/aws/secretsmanager/secretsmanager.go

@@ -10,7 +10,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/secretsmanager/types"
 	"github.com/tidwall/gjson"
 
-	secretsapi "kusionstack.io/kusion/pkg/apis/secrets"
+	"kusionstack.io/kusion/pkg/apis/core/v1"
 	"kusionstack.io/kusion/pkg/secrets"
 	"kusionstack.io/kusion/pkg/secrets/providers/aws/auth"
 )
@@ -30,7 +30,7 @@ var _ secrets.SecretStore = &smSecretStore{}
 type DefaultFactory struct{}
 
 // NewSecretStore constructs a Vault based secret store with specific secret store spec.
-func (p *DefaultFactory) NewSecretStore(spec secretsapi.SecretStoreSpec) (secrets.SecretStore, error) {
+func (p *DefaultFactory) NewSecretStore(spec v1.SecretStoreSpec) (secrets.SecretStore, error) {
 	providerSpec := spec.Provider
 	if providerSpec == nil {
 		return nil, fmt.Errorf(errMissingProviderSpec)
@@ -54,7 +54,7 @@ type smSecretStore struct {
 }
 
 // GetSecret retrieves ref secret value from AWS Secrets Manager.
-func (s *smSecretStore) GetSecret(ctx context.Context, ref secretsapi.ExternalSecretRef) ([]byte, error) {
+func (s *smSecretStore) GetSecret(ctx context.Context, ref v1.ExternalSecretRef) ([]byte, error) {
 	getSecretValueInput := s.buildGetSecretValueInput(ref)
 	secretValueOutput, err := s.client.GetSecretValue(ctx, getSecretValueInput)
 	var nf *types.ResourceNotFoundException
@@ -81,7 +81,7 @@ func (s *smSecretStore) GetSecret(ctx context.Context, ref secretsapi.ExternalSe
 }
 
 // buildGetSecretValueInput constructs target GetSecretValueInput request with specific external secret ref.
-func (s *smSecretStore) buildGetSecretValueInput(ref secretsapi.ExternalSecretRef) *secretsmanager.GetSecretValueInput {
+func (s *smSecretStore) buildGetSecretValueInput(ref v1.ExternalSecretRef) *secretsmanager.GetSecretValueInput {
 	version := "AWSCURRENT"
 	if ref.Version != "" {
 		version = ref.Version
@@ -126,7 +126,7 @@ func (s *smSecretStore) convertSecretToGjson(secretValueOutput *secretsmanager.G
 }
 
 func init() {
-	secrets.Register(&DefaultFactory{}, &secretsapi.ProviderSpec{
-		AWS: &secretsapi.AWSProvider{},
+	secrets.Register(&DefaultFactory{}, &v1.ProviderSpec{
+		AWS: &v1.AWSProvider{},
 	})
 }

pkg/secrets/providers/aws/secretsmanager/secretsmanager_test.go

@@ -9,7 +9,7 @@ import (
 
 	"github.com/google/go-cmp/cmp"
 
-	secretsapi "kusionstack.io/kusion/pkg/apis/secrets"
+	"kusionstack.io/kusion/pkg/apis/core/v1"
 	"kusionstack.io/kusion/pkg/secrets/providers/aws/secretsmanager/fake"
 )
 
@@ -113,7 +113,7 @@ func TestGetSecret(t *testing.T) {
 
 	for name, tc := range testCases {
 		store := &smSecretStore{client: tc.client}
-		ref := secretsapi.ExternalSecretRef{
+		ref := v1.ExternalSecretRef{
 			Name:     tc.name,
 			Version:  tc.version,
 			Property: tc.property,
@@ -134,23 +134,23 @@ func TestGetSecret(t *testing.T) {
 
 func TestNewSecretStore(t *testing.T) {
 	testCases := map[string]struct {
-		spec        secretsapi.SecretStoreSpec
+		spec        v1.SecretStoreSpec
 		expectedErr error
 	}{
 		"InvalidSecretStoreSpec": {
-			spec:        secretsapi.SecretStoreSpec{},
+			spec:        v1.SecretStoreSpec{},
 			expectedErr: errors.New(errMissingProviderSpec),
 		},
 		"InvalidProviderSpec": {
-			spec: secretsapi.SecretStoreSpec{
-				Provider: &secretsapi.ProviderSpec{},
+			spec: v1.SecretStoreSpec{
+				Provider: &v1.ProviderSpec{},
 			},
 			expectedErr: errors.New(errMissingAWSProvider),
 		},
 		"ValidVaultProviderSpec": {
-			spec: secretsapi.SecretStoreSpec{
-				Provider: &secretsapi.ProviderSpec{
-					AWS: &secretsapi.AWSProvider{
+			spec: v1.SecretStoreSpec{
+				Provider: &v1.ProviderSpec{
+					AWS: &v1.AWSProvider{
 						Region: "us-east-1",
 					},
 				},