-
-
Notifications
You must be signed in to change notification settings - Fork 751
/
provider.go
119 lines (94 loc) · 3.59 KB
/
provider.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implieclient.
See the License for the specific language governing permissions and
limitations under the License.
*/
package doppler
import (
"context"
"fmt"
"os"
"strconv"
kclient "sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
dClient "github.com/external-secrets/external-secrets/pkg/provider/doppler/client"
"github.com/external-secrets/external-secrets/pkg/utils"
)
const (
errNewClient = "unable to create DopplerClient : %s"
errInvalidStore = "invalid store: %s"
errDopplerStore = "missing or invalid Doppler SecretStore"
)
// Provider is a Doppler secrets provider implementing NewClient and ValidateStore for the esv1beta1.Provider interface.
type Provider struct{}
// https://github.com/external-secrets/external-secrets/issues/644
var _ esv1beta1.SecretsClient = &Client{}
var _ esv1beta1.Provider = &Provider{}
func init() {
esv1beta1.Register(&Provider{}, &esv1beta1.SecretStoreProvider{
Doppler: &esv1beta1.DopplerProvider{},
})
}
func (p *Provider) Capabilities() esv1beta1.SecretStoreCapabilities {
return esv1beta1.SecretStoreReadOnly
}
func (p *Provider) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube kclient.Client, namespace string) (esv1beta1.SecretsClient, error) {
storeSpec := store.GetSpec()
if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.Doppler == nil {
return nil, fmt.Errorf(errDopplerStore)
}
dopplerStoreSpec := storeSpec.Provider.Doppler
// Default Key to dopplerToken if not specified
if dopplerStoreSpec.Auth.SecretRef.DopplerToken.Key == "" {
storeSpec.Provider.Doppler.Auth.SecretRef.DopplerToken.Key = "dopplerToken"
}
client := &Client{
kube: kube,
store: dopplerStoreSpec,
namespace: namespace,
storeKind: store.GetObjectKind().GroupVersionKind().Kind,
}
if err := client.setAuth(ctx); err != nil {
return nil, err
}
doppler, err := dClient.NewDopplerClient(client.dopplerToken)
if err != nil {
return nil, fmt.Errorf(errNewClient, err)
}
if customBaseURL, found := os.LookupEnv(customBaseURLEnvVar); found {
if err := doppler.SetBaseURL(customBaseURL); err != nil {
return nil, fmt.Errorf(errNewClient, err)
}
}
if customVerifyTLS, found := os.LookupEnv(verifyTLSOverrideEnvVar); found {
customVerifyTLS, err := strconv.ParseBool(customVerifyTLS)
if err == nil {
doppler.VerifyTLS = customVerifyTLS
}
}
client.doppler = doppler
client.project = client.store.Project
client.config = client.store.Config
client.nameTransformer = client.store.NameTransformer
client.format = client.store.Format
return client, nil
}
func (p *Provider) ValidateStore(store esv1beta1.GenericStore) (admission.Warnings, error) {
storeSpec := store.GetSpec()
dopplerStoreSpec := storeSpec.Provider.Doppler
dopplerTokenSecretRef := dopplerStoreSpec.Auth.SecretRef.DopplerToken
if err := utils.ValidateSecretSelector(store, dopplerTokenSecretRef); err != nil {
return nil, fmt.Errorf(errInvalidStore, err)
}
if dopplerTokenSecretRef.Name == "" {
return nil, fmt.Errorf(errInvalidStore, "dopplerToken.name cannot be empty")
}
return nil, nil
}