-
Notifications
You must be signed in to change notification settings - Fork 10
/
provide_conjur_secrets.go
122 lines (108 loc) · 3.24 KB
/
provide_conjur_secrets.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
package pushtofile
import (
"context"
"os"
"strings"
"github.com/cyberark/conjur-authn-k8s-client/pkg/log"
"github.com/cyberark/conjur-opentelemetry-tracer/pkg/trace"
"github.com/cyberark/secrets-provider-for-k8s/pkg/log/messages"
"github.com/cyberark/secrets-provider-for-k8s/pkg/secrets/clients/conjur"
"go.opentelemetry.io/otel"
)
type fileProvider struct {
retrieveSecretsFunc conjur.RetrieveSecretsFunc
secretGroups []*SecretGroup
traceContext context.Context
sanitizeEnabled bool
}
type fileProviderDepFuncs struct {
retrieveSecretsFunc conjur.RetrieveSecretsFunc
depOpenWriteCloser openWriteCloserFunc
depPushToWriter pushToWriterFunc
}
// P2FProviderConfig provides config specific to Push-to-File provider
type P2FProviderConfig struct {
SecretFileBasePath string
TemplateFileBasePath string
AnnotationsMap map[string]string
}
// NewProvider creates a new provider for Push-to-File mode.
func NewProvider(
retrieveSecretsFunc conjur.RetrieveSecretsFunc,
sanitizeEnabled bool,
config P2FProviderConfig,
) (*fileProvider, []error) {
secretGroups, err := NewSecretGroups(config.SecretFileBasePath,
config.TemplateFileBasePath, config.AnnotationsMap)
if err != nil {
return nil, err
}
return &fileProvider{
retrieveSecretsFunc: retrieveSecretsFunc,
secretGroups: secretGroups,
traceContext: nil,
sanitizeEnabled: sanitizeEnabled,
}, nil
}
// Provide implements a ProviderFunc to retrieve and push secrets to the filesystem.
func (p fileProvider) Provide() (bool, error) {
return provideWithDeps(
p.traceContext,
p.secretGroups,
p.sanitizeEnabled,
fileProviderDepFuncs{
retrieveSecretsFunc: p.retrieveSecretsFunc,
depOpenWriteCloser: openFileAsWriteCloser,
depPushToWriter: pushToWriter,
},
)
}
func (p *fileProvider) SetTraceContext(ctx context.Context) {
p.traceContext = ctx
}
func provideWithDeps(
traceContext context.Context,
groups []*SecretGroup,
sanitizeEnabled bool,
depFuncs fileProviderDepFuncs,
) (bool, error) {
// Use the global TracerProvider
tr := trace.NewOtelTracer(otel.Tracer("secrets-provider"))
spanCtx, span := tr.Start(traceContext, "Fetch Conjur Secrets")
secretsByGroup, err := FetchSecretsForGroups(depFuncs.retrieveSecretsFunc, groups, spanCtx)
if err != nil {
// Delete secret files for variables that no longer exist or the user no longer has permissions to
if (strings.Contains(err.Error(), "403") || strings.Contains(err.Error(), "404")) && sanitizeEnabled {
for _, group := range groups {
os.Remove(group.FilePath)
log.Info(messages.CSPFK019I)
}
}
span.RecordErrorAndSetStatus(err)
span.End()
return false, err
}
span.End()
spanCtx, span = tr.Start(traceContext, "Write Secret Files")
defer span.End()
var updated bool
for _, group := range groups {
_, childSpan := tr.Start(spanCtx, "Write Secret Files for group")
defer childSpan.End()
groupUpdated, err := group.pushToFileWithDeps(
depFuncs.depOpenWriteCloser,
depFuncs.depPushToWriter,
secretsByGroup[group.Name],
)
if err != nil {
childSpan.RecordErrorAndSetStatus(err)
span.RecordErrorAndSetStatus(err)
return updated, err
}
if groupUpdated {
updated = true
}
}
log.Info(messages.CSPFK015I)
return updated, nil
}