package seal
import (
"fmt"
"github.com/codablock/kluctl/pkg/kluctl_project"
"github.com/codablock/kluctl/pkg/types"
"github.com/codablock/kluctl/pkg/utils"
"github.com/codablock/kluctl/pkg/utils/aws"
"github.com/codablock/kluctl/pkg/utils/uo"
"os"
"path/filepath"
"strings"
)
// SecretsLoader resolves the secret sources of a kluctl project (files,
// system environment variables, AWS Secrets Manager) into unstructured objects.
type SecretsLoader struct {
	// project supplies DeploymentDir, the directory every secrets file must
	// resolve into before it is read.
	project *kluctl_project.KluctlProjectContext
	// secretsDir is the fallback directory searched for path-based secret
	// files when they are not found below the deployment directory.
	secretsDir string
}
// NewSecretsLoader returns a SecretsLoader bound to project p that also
// searches secretsDir for path-based secret files.
func NewSecretsLoader(p *kluctl_project.KluctlProjectContext, secretsDir string) *SecretsLoader {
	loader := SecretsLoader{
		project:    p,
		secretsDir: secretsDir,
	}
	return &loader
}
// LoadSecrets dispatches on the one source kind that is set on source, in
// the order file path, system environment variables, AWS Secrets Manager.
// A source with none of these set yields an error.
func (s *SecretsLoader) LoadSecrets(source *types.SecretSource) (*uo.UnstructuredObject, error) {
	switch {
	case source.Path != nil:
		return s.loadSecretsFile(source)
	case source.SystemEnvVars != nil:
		return s.loadSecretsSystemEnvs(source)
	case source.AwsSecretsManager != nil:
		return s.loadSecretsAwsSecretsManager(source)
	}
	return nil, fmt.Errorf("invalid secrets entry")
}
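// loadSecretsFile reads the secrets file named by source.Path. The path is
// looked up below the project's deployment directory first and below the
// configured secrets directory second; the first existing candidate wins.
// The resolved file must lie inside the deployment directory, otherwise it is
// rejected. The result is the file's top-level "secrets" object, or an empty
// object when that key is absent.
func (s *SecretsLoader) loadSecretsFile(source *types.SecretSource) (*uo.UnstructuredObject, error) {
	var p string
	if utils.Exists(filepath.Join(s.project.DeploymentDir, *source.Path)) {
		p = filepath.Join(s.project.DeploymentDir, *source.Path)
	} else if utils.Exists(filepath.Join(s.secretsDir, *source.Path)) {
		p = filepath.Join(s.secretsDir, *source.Path)
	}
	// Existence was just verified for whichever candidate was chosen, so an
	// empty p is the only "not found" case left.
	if p == "" {
		return nil, fmt.Errorf("secrets file %s does not exist", *source.Path)
	}
	abs, err := filepath.Abs(p)
	if err != nil {
		return nil, err
	}
	// Containment check. A plain string-prefix comparison of abs against
	// DeploymentDir is not enough: it accepts a sibling directory whose name
	// merely starts with the deployment directory's name, and it rejects
	// everything when DeploymentDir is relative while abs is absolute. Making
	// both sides absolute and asking filepath.Rel for the relative path gives
	// a ".." leading component exactly when abs escapes the base directory.
	// NOTE(review): symlinks are not resolved on either side; consider
	// filepath.EvalSymlinks if links inside the deployment directory are a
	// concern for this project.
	deployDir, err := filepath.Abs(s.project.DeploymentDir)
	if err != nil {
		return nil, err
	}
	rel, err := filepath.Rel(deployDir, abs)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return nil, fmt.Errorf("secrets file %s is not part of the deployment project", *source.Path)
	}
	secrets, err := uo.FromFile(p)
	if err != nil {
		return nil, err
	}
	// Only the "secrets" subtree is returned; a file without it is treated as
	// an empty set of secrets rather than an error.
	secrets, ok, err := secrets.GetNestedObject("secrets")
	if err != nil {
		return nil, err
	}
	if !ok {
		return uo.New(), nil
	}
	return secrets, nil
}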
// loadSecretsSystemEnvs builds a secrets object from source.SystemEnvVars.
// Every leaf of that object must be a string naming an environment variable;
// the variable's value is stored in the result under the leaf's key path.
// A non-string leaf or an unset variable aborts the iteration with an error.
func (s *SecretsLoader) loadSecretsSystemEnvs(source *types.SecretSource) (*uo.UnstructuredObject, error) {
	result := uo.New()
	resolveLeaf := func(it *uo.ObjectIterator) error {
		name, isString := it.Value().(string)
		if !isString {
			return fmt.Errorf("value at %s is not a string", it.JsonPath())
		}
		// LookupEnv distinguishes "unset" from "set to empty"; only the
		// former is an error.
		value, present := os.LookupEnv(name)
		if !present {
			return fmt.Errorf("environment variable %s not found for secret %s", name, it.JsonPath())
		}
		if err := result.SetNestedField(value, it.KeyPath()...); err != nil {
			return fmt.Errorf("failed to set secret %s: %w", it.JsonPath(), err)
		}
		return nil
	}
	if err := source.SystemEnvVars.NewIterator().IterateLeafs(resolveLeaf); err != nil {
		return nil, err
	}
	return result, nil
}
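// loadSecretsAwsSecretsManager fetches the secret named in
// source.AwsSecretsManager using the configured profile and region, parses its
// payload as YAML and returns the top-level "secrets" object, or an empty
// object when that key is absent.
func (s *SecretsLoader) loadSecretsAwsSecretsManager(source *types.SecretSource) (*uo.UnstructuredObject, error) {
	cfg := source.AwsSecretsManager
	secret, err := aws.GetAwsSecretsManagerSecret(cfg.Profile, cfg.Region, cfg.SecretName)
	if err != nil {
		// Wrap so the caller can tell which secret reference failed; only the
		// name is included, never the payload.
		return nil, fmt.Errorf("failed to load secret from AWS Secrets Manager (secretName=%s): %w", cfg.SecretName, err)
	}
	secrets, err := uo.FromString(secret)
	if err != nil {
		return nil, fmt.Errorf("failed to parse yaml from AWS Secrets Manager (secretName=%s): %w", cfg.SecretName, err)
	}
	// Mirrors loadSecretsFile: a payload without a "secrets" key is an empty
	// set of secrets, not an error.
	secrets, ok, err := secrets.GetNestedObject("secrets")
	if err != nil {
		return nil, err
	}
	if !ok {
		return uo.New(), nil
	}
	return secrets, nil
}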