package webhook
import (
"context"
"github.com/flyteorg/flyteidl/gen/pb-go/flyteidl/core"
secretUtils "github.com/flyteorg/flyteplugins/go/tasks/pluginmachinery/utils/secrets"
"github.com/flyteorg/flytepropeller/pkg/controller/nodes/task/secretmanager"
"github.com/flyteorg/flytepropeller/pkg/webhook/config"
"github.com/flyteorg/flytestdlib/logger"
"github.com/flyteorg/flytestdlib/promutils"
corev1 "k8s.io/api/core/v1"
)
// Names of environment variables related to secret delivery. Only the names are
// declared here; the code that reads them is not in this file.
// The #nosec markers suppress gosec's hard-coded-credential check: these are
// variable names, not secret values.
const (
SecretPathDefaultDirEnvVar = "FLYTE_SECRETS_DEFAULT_DIR" // #nosec
SecretPathFilePrefixEnvVar = "FLYTE_SECRETS_FILE_PREFIX" // #nosec
SecretEnvVarPrefix = "FLYTE_SECRETS_ENV_PREFIX" // #nosec
)
// SecretsMutator is a pod mutator that injects the secrets requested through a
// pod's annotations, delegating the actual injection to its SecretsInjectors.
type SecretsMutator struct {
// cfg selects which non-global secret manager type is enabled (see Mutate).
cfg *config.Config
// injectors are tried in order for each requested secret; the first one that
// reports injected=true ends the search for that secret.
injectors []SecretsInjector
}
// SecretsInjector delivers a single requested secret into a pod. Implementations
// are specific to one secret manager type.
type SecretsInjector interface {
// Type identifies the secret manager this injector serves; Mutate compares it
// against the configured SecretManagerType to decide whether to use it.
Type() config.SecretManagerType
// Inject attempts to inject secret into p. It returns the pod to continue with,
// whether the secret was injected, and an error if the attempt failed.
// NOTE(review): Mutate passes the returned pod on to the next injector even
// after an error, so implementations should hand back a usable pod — confirm.
Inject(ctx context.Context, secrets *core.Secret, p *corev1.Pod) (newP *corev1.Pod, injected bool, err error)
}
// ID returns the name identifying this mutator.
func (s SecretsMutator) ID() string {
	const mutatorID = "secrets"
	return mutatorID
}
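// Mutate injects every secret requested through the pod's annotations into p.
//
// The requested secrets are decoded from the pod annotations via
// secretUtils.UnmarshalStringMapToSecrets. For each secret the injectors are
// tried in registration order; injectors whose Type is neither the global type
// nor the SecretManagerType selected in the config are skipped. The first
// injector that reports injected=true ends the search for that secret.
//
// Returns the (possibly mutated) pod, whether at least one secret was injected
// into it, and an error when the annotations cannot be decoded or when the last
// injector tried for a secret failed. An injector failure followed by a later
// injector that neither fails nor injects is only logged, not returned.
//
// The annotations are controlled by whoever submitted the pod and no
// authorization check is made here; whether a requested secret may be delivered
// is left to the individual injectors.
func (s *SecretsMutator) Mutate(ctx context.Context, p *corev1.Pod) (newP *corev1.Pod, injected bool, err error) {
	secrets, err := secretUtils.UnmarshalStringMapToSecrets(p.GetAnnotations())
	if err != nil {
		return p, false, err
	}

	for _, secret := range secrets {
		// secretInjected tracks this secret only; injected accumulates across all
		// secrets so the caller learns that the pod changed even when a later
		// secret is not picked up by any injector (previously only the very last
		// Inject result was reported).
		var secretInjected bool
		for _, injector := range s.injectors {
			if !s.isEnabled(injector) {
				logger.Infof(ctx, "Skipping SecretManager [%v] since it's not enabled.", injector.Type())
				continue
			}

			// The pod returned by a failing injector is handed to the next one;
			// injectors are assumed to return a usable pod alongside an error.
			p, secretInjected, err = injector.Inject(ctx, secret, p)
			if err != nil {
				logger.Infof(ctx, "Failed to inject a secret using injector [%v]. Error: %v", injector.Type(), err)
			} else if secretInjected {
				injected = true
				break
			}
		}

		// Only the outcome of the last injector tried for this secret is surfaced.
		if err != nil {
			return p, false, err
		}
	}

	return p, injected, nil
}

// isEnabled reports whether injector may be used under the current config: the
// global injector is always enabled, any other must match cfg.SecretManagerType.
func (s *SecretsMutator) isEnabled(injector SecretsInjector) bool {
	t := injector.Type()
	return t == config.SecretManagerTypeGlobal || t == s.cfg.SecretManagerType
}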
// NewSecretsMutator creates a new SecretsMutator with all available plugins. Depending on the selected plugins in the
// config, only the global plugin and one other plugin can be enabled.
//
// The promutils.Scope argument is ignored.
func NewSecretsMutator(cfg *config.Config, _ promutils.Scope) *SecretsMutator {
	// The global injector is backed by the file/env secret manager built from the
	// secretmanager package's own config; the other injectors are gated at
	// Mutate time by cfg.SecretManagerType.
	globalInjector := NewGlobalSecrets(secretmanager.NewFileEnvSecretManager(secretmanager.GetConfig()))
	injectors := []SecretsInjector{
		globalInjector,
		NewK8sSecretsInjector(),
		NewAWSSecretManagerInjector(cfg.AWSSecretManagerConfig),
		NewVaultSecretManagerInjector(cfg.VaultSecretManagerConfig),
	}

	return &SecretsMutator{
		cfg:       cfg,
		injectors: injectors,
	}
}