/*
Copyright 2023 The Dapr Authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package secrets
import (
"context"
"errors"
"fmt"
"os"
"reflect"
"strings"
"time"
"github.com/lestrrat-go/jwx/v2/jwa"
"github.com/lestrrat-go/jwx/v2/jwk"
metaV1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes"
kubeclient "github.com/dapr/components-contrib/common/authentication/kubernetes"
contribCrypto "github.com/dapr/components-contrib/crypto"
"github.com/dapr/components-contrib/metadata"
internals "github.com/dapr/kit/crypto"
"github.com/dapr/kit/logger"
)
// requestTimeout bounds every Kubernetes API call this provider makes
// (see retrieveKeyFromSecret), independent of the caller's context.
const requestTimeout = 30 * time.Second

// metadataKeyDefaultNamespace is the component metadata key for the
// namespace used when a key string has no namespace segment. It is not
// referenced in this file; presumably the metadata loader uses it.
const metadataKeyDefaultNamespace = "defaultNamespace"
type kubeSecretsCrypto struct {
// Shared local-crypto engine; NewKubeSecretsCrypto points its
// RetrieveKeyFn at retrieveKeyFromSecret so keys are looked up in Secrets.
contribCrypto.LocalCryptoBaseComponent
logger logger.Logger
// md is populated in Init; DefaultNamespace and KubeconfigPath are the
// fields read in this file.
md secretsMetadata
// kubeClient is created in Init and used for Secret reads.
kubeClient kubernetes.Interface
}
// NewKubeSecretsCrypto returns a new Kubernetes secrets crypto provider.
// The key arguments in methods can be in the format "namespace/secretName/key" or "secretName/key" if using the default namespace passed as component metadata.
//
// The provider is not usable until Init has been called: the Kubernetes
// client is only created there.
func NewKubeSecretsCrypto(log logger.Logger) contribCrypto.SubtleCrypto {
	provider := &kubeSecretsCrypto{logger: log}
	// Key material is never cached here; the embedded base component is
	// expected to call RetrieveKeyFn, which reads the Secret on demand.
	provider.RetrieveKeyFn = provider.retrieveKeyFromSecret
	return provider
}
// Init the crypto provider.
//
// It loads the component metadata and then builds the Kubernetes client.
// An explicit kubeconfigPath in the metadata takes precedence; otherwise
// the path is derived from the process arguments via the shared helper.
func (k *kubeSecretsCrypto) Init(_ context.Context, metadata contribCrypto.Metadata) error {
	if err := k.md.InitWithMetadata(metadata); err != nil {
		return fmt.Errorf("failed to load metadata: %w", err)
	}

	path := k.md.KubeconfigPath
	if path == "" {
		path = kubeclient.GetKubeconfigPath(k.logger, os.Args)
	}

	var err error
	k.kubeClient, err = kubeclient.GetKubeClient(path)
	if err != nil {
		return fmt.Errorf("failed to init Kubernetes client: %w", err)
	}
	return nil
}
// Features returns the features available in this crypto provider.
// No optional feature is implemented, so the result is an empty (non-nil)
// slice rather than nil.
func (k *kubeSecretsCrypto) Features() []contribCrypto.Feature {
	features := make([]contribCrypto.Feature, 0)
	return features
}
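// retrieveKeyFromSecret retrieves a key (public, private or symmetric) from
// a Kubernetes Secret.
//
// key is "namespace/secretName/key" or "secretName/key" (see parseKeyString).
// The namespace segment is caller-supplied: nothing in this component
// restricts which namespaces may be read, so the RBAC granted to the
// identity behind kubeClient is the only boundary on Secret access.
//
// It returns contribCrypto.ErrKeyNotFound when the Secret has no, or an
// empty, entry named key. API errors are wrapped with the Secret reference
// and returned; parse errors and unsupported key types are wrapped too.
func (k *kubeSecretsCrypto) retrieveKeyFromSecret(parentCtx context.Context, key string) (jwk.Key, error) {
	keyNamespace, keySecret, keyName, err := k.parseKeyString(key)
	if err != nil {
		return nil, err
	}

	// Bound the API call so an unresponsive apiserver cannot stall the
	// caller indefinitely; cancellation of parentCtx is still honored.
	ctx, cancel := context.WithTimeout(parentCtx, requestTimeout)
	defer cancel()

	res, err := k.kubeClient.CoreV1().
		Secrets(keyNamespace).
		Get(ctx, keySecret, metaV1.GetOptions{})
	if err != nil {
		return nil, fmt.Errorf("failed to get secret %s/%s: %w", keyNamespace, keySecret, err)
	}

	// A missing or empty entry is reported as "not found" so callers can
	// distinguish it from a malformed key.
	var raw []byte
	if res != nil {
		raw = res.Data[keyName]
	}
	if len(raw) == 0 {
		return nil, contribCrypto.ErrKeyNotFound
	}

	// The Secret's type is passed along to the parser as a hint; how it is
	// used is up to kit/crypto.ParseKey.
	jwkObj, err := internals.ParseKey(raw, string(res.Type))
	if err != nil {
		return nil, fmt.Errorf("failed to parse key from secret: %w", err)
	}

	// Only key types the engine supports are accepted; anything else is
	// rejected here rather than failing later on first use.
	switch kt := jwkObj.KeyType(); kt {
	case jwa.EC, jwa.RSA, jwa.OKP, jwa.OctetSeq:
		return jwkObj, nil
	default:
		return nil, fmt.Errorf("failed to parse key from secret: invalid key type %q", kt)
	}
}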
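// parseKeyString splits the key parameter into namespace, secret name and
// key name.
//
// Accepted forms are "namespace/secretName/key" and "secretName/key"; for
// the latter the namespace is taken from the component's DefaultNamespace
// metadata. An error is returned when the format is wrong, when the secret
// or key segment is empty, or when no namespace is available. All results
// are empty on error.
func (k *kubeSecretsCrypto) parseKeyString(param string) (namespace string, secret string, key string, err error) {
	// Split the caller-supplied parameter; the named result "key" is still
	// empty at this point and must not be used as the input.
	parts := strings.Split(param, "/")
	switch len(parts) {
	case 3:
		namespace, secret, key = parts[0], parts[1], parts[2]
	case 2:
		namespace, secret, key = k.md.DefaultNamespace, parts[0], parts[1]
	default:
		return "", "", "", errors.New("key is not in a valid format: required namespace/secretName/key or secretName/key")
	}

	// Empty segments ("ns//key", "secret/") would otherwise be sent to the
	// API server as an empty resource or data name; reject them up front.
	if secret == "" || key == "" {
		return "", "", "", errors.New("key is not in a valid format: required namespace/secretName/key or secretName/key")
	}
	if namespace == "" {
		return "", "", "", errors.New("key doesn't have a namespace and the default namespace isn't set")
	}
	return namespace, secret, key, nil
}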
// GetComponentMetadata describes the metadata fields this component accepts,
// derived by reflection from the secretsMetadata struct.
func (kubeSecretsCrypto) GetComponentMetadata() metadata.MetadataMap {
	var info metadata.MetadataMap
	metadata.GetMetadataInfoFromStructType(reflect.TypeOf(secretsMetadata{}), &info, metadata.CryptoType)
	return info
}