package webhook
import (
"context"
"fmt"
"strings"
"github.com/flyteorg/flytepropeller/pkg/webhook/config"
coreIdl "github.com/flyteorg/flyteidl/gen/pb-go/flyteidl/core"
"github.com/flyteorg/flytestdlib/logger"
corev1 "k8s.io/api/core/v1"
)
//go:generate mockery -all -case=underscore
// GlobalSecretProvider resolves a core Secret reference to its raw value.
// Implementations are expected to read from sources the webhook process can
// reach directly (per the GlobalSecrets doc: its own env vars or mounted files)
// rather than from the Kubernetes API — TODO confirm against the providers in
// this package.
type GlobalSecretProvider interface {
	// GetForSecret returns the value for secret or an error when it cannot be
	// resolved. The returned string is secret material and must not be logged.
	GetForSecret(ctx context.Context, secret *coreIdl.Secret) (string, error)
}
// GlobalSecrets injects secrets that the webhook process itself can read
// (environment variables or files mounted into the webhook pod) into pods
// intercepted by this admission webhook. Values resolved through
// envSecretManager are always injected as plain environment variables; a
// secret whose MountRequirement is Secret_FILE cannot be served by this type
// and Inject returns an error for it.
//
// Security note: the value is written directly into the pod spec (EnvVar.Value)
// rather than referenced from a Kubernetes Secret, so it is readable by anyone
// who can read the Pod object.
type GlobalSecrets struct {
	// envSecretManager resolves a core Secret reference to its value.
	envSecretManager GlobalSecretProvider
}
// Type identifies this injector as the global secret manager; the value is
// fixed regardless of which GlobalSecretProvider backs it.
func (g GlobalSecrets) Type() config.SecretManagerType {
	managerType := config.SecretManagerTypeGlobal
	return managerType
}
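// Inject resolves secret through the configured GlobalSecretProvider and adds
// its value to every init container and container of p as a plain environment
// variable named
// K8sDefaultEnvVarPrefix + GROUP + EnvVarGroupKeySeparator + KEY (upper-cased),
// alongside a SecretEnvVarPrefix variable that advertises the prefix in use.
//
// Only Secret_ENV_VAR and Secret_ANY mount requirements are supported;
// Secret_FILE is rejected because global secrets have no file backing. The
// mount requirement and secret.Group are validated before the provider is
// consulted, so secret material is never read for a request that cannot be
// satisfied, and a nil secret or pod yields an error instead of a panic.
//
// It returns the pod, whether a variable was added, and an error. On every
// error path the pod is returned unmodified (never nil) and injected is false,
// so callers that reassign the pod before checking err keep a usable object.
//
// Security note: the secret value lands verbatim in the pod spec
// (EnvVar.Value), not behind ValueFrom.SecretKeyRef, so it is visible to
// anyone who can read the Pod object (kubectl get pod -o yaml, API audit logs,
// etcd backups). Use this injector only for secrets whose exposure at
// pod-read level is acceptable.
func (g GlobalSecrets) Inject(ctx context.Context, secret *coreIdl.Secret, p *corev1.Pod) (newP *corev1.Pod, injected bool, err error) {
	if secret == nil || p == nil {
		return p, false, fmt.Errorf("global secret injection requires a non-nil secret and pod")
	}

	// Reject unsupported mount requirements before touching the provider.
	switch secret.MountRequirement {
	case coreIdl.Secret_ENV_VAR, coreIdl.Secret_ANY:
		// Supported; handled below.
	case coreIdl.Secret_FILE:
		return p, false, fmt.Errorf("global secrets can only be injected as environment "+
			"variables [%v/%v]", secret.Group, secret.Key)
	default:
		err = fmt.Errorf("unrecognized mount requirement [%v] for secret [%v]", secret.MountRequirement.String(), secret.Key)
		logger.Error(ctx, err)
		return p, false, err
	}

	// The env var name embeds both group and key; without a group the name
	// would be ambiguous, so refuse before reading any secret material.
	if len(secret.Group) == 0 {
		return p, false, fmt.Errorf("mounting a secret to env var requires selecting the "+
			"secret and a single key within. Key [%v]", secret.Key)
	}

	value, err := g.envSecretManager.GetForSecret(ctx, secret)
	if err != nil {
		// Group/key are enough to locate the failure; never include the value.
		return p, false, fmt.Errorf("retrieving global secret [%v/%v]: %w", secret.Group, secret.Key, err)
	}

	prefixEnvVar := corev1.EnvVar{
		Name:  SecretEnvVarPrefix,
		Value: K8sDefaultEnvVarPrefix,
	}
	secretEnvVar := corev1.EnvVar{
		// NOTE(review): Group/Key are not validated as C identifiers here;
		// the API server rejects invalid EnvVar names on admission — confirm
		// that is the intended failure point.
		Name:  strings.ToUpper(K8sDefaultEnvVarPrefix + secret.Group + EnvVarGroupKeySeparator + secret.Key),
		Value: value,
	}

	// The prefix marker goes in first so a consumer can discover the naming
	// scheme before reading the secret variable. AppendEnvVars is a package
	// helper; presumably it de-duplicates the prefix marker across repeated
	// Inject calls on the same pod — verify.
	p.Spec.InitContainers = AppendEnvVars(p.Spec.InitContainers, prefixEnvVar)
	p.Spec.Containers = AppendEnvVars(p.Spec.Containers, prefixEnvVar)
	p.Spec.InitContainers = AppendEnvVars(p.Spec.InitContainers, secretEnvVar)
	p.Spec.Containers = AppendEnvVars(p.Spec.Containers, secretEnvVar)

	return p, true, nil
}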
// NewGlobalSecrets builds a GlobalSecrets injector that resolves values
// through provider. The provider is not validated here; a nil provider is
// only detected when Inject calls it.
func NewGlobalSecrets(provider GlobalSecretProvider) GlobalSecrets {
	var injector GlobalSecrets
	injector.envSecretManager = provider
	return injector
}