Add support for Generate, Revoke command (#138)

Signed-off-by: sakibalamin sakibalamin@appscode.com

go.mod

@@ -7,32 +7,28 @@ require (
 	cloud.google.com/go/storage v1.6.0
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v0.12.0
 	github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets v0.3.0
-	github.com/Azure/go-autorest/autorest v0.11.19 // indirect
-	github.com/Azure/go-autorest/autorest/adal v0.9.14 // indirect
-	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/aws/aws-sdk-go v1.27.0
+	github.com/go-errors/errors v1.0.1
+	github.com/mitchellh/mapstructure v1.4.2 // indirect
 	github.com/pkg/errors v0.9.1
 	github.com/spf13/cobra v1.1.3
 	github.com/spf13/pflag v1.0.5
-	golang.org/x/crypto v0.0.0-20211115234514-b4de73f9ece8 // indirect
-	golang.org/x/net v0.0.0-20211116231205-47ca1ff31462 // indirect
-	golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c // indirect
-	golang.org/x/text v0.3.7 // indirect
 	gomodules.xyz/kglog v0.0.1
 	gomodules.xyz/runtime v0.2.0
 	gomodules.xyz/x v0.0.8
-	google.golang.org/genproto v0.0.0-20201110150050-8816d57aaa9a
-	google.golang.org/grpc v1.29.1 // indirect
-	google.golang.org/protobuf v1.25.0
-	k8s.io/api v0.21.1
-	k8s.io/apimachinery v0.21.1
+	google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c
+	google.golang.org/protobuf v1.26.0
+	k8s.io/api v0.22.2
+	k8s.io/apimachinery v0.22.2
 	k8s.io/cli-runtime v0.21.1
-	k8s.io/client-go v0.21.1
-	k8s.io/component-base v0.21.1
+	k8s.io/client-go v0.22.2
+	k8s.io/component-base v0.22.0
 	k8s.io/kubectl v0.21.0
 	kmodules.xyz/client-go v0.0.0-20211028132207-0cf6ea46b030
 	kmodules.xyz/custom-resources v0.0.0-20211007080833-72bd9e8cae6e
 	kubevault.dev/apimachinery v0.5.2-0.20211222093623-2fa206cc7bc6
+	sigs.k8s.io/secrets-store-csi-driver v1.0.0
+	sigs.k8s.io/yaml v1.2.0
 )
 
 replace bitbucket.org/ww/goautoneg => gomodules.xyz/goautoneg v0.0.0-20120707110453-a547fc61f48d

pkg/cmds/approve.go

@@ -17,22 +17,14 @@ limitations under the License.
 package cmds
 
 import (
-	"context"
 	"fmt"
 	"os"
 	"strings"
 
-	engineapi "kubevault.dev/apimachinery/apis/engine/v1alpha1"
-	enginecs "kubevault.dev/apimachinery/client/clientset/versioned/typed/engine/v1alpha1"
-	engineutil "kubevault.dev/apimachinery/client/clientset/versioned/typed/engine/v1alpha1/util"
-
-	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 	core "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/cli-runtime/pkg/genericclioptions"
 	"k8s.io/cli-runtime/pkg/resource"
-	clientsetscheme "k8s.io/client-go/kubernetes/scheme"
 	cmdutil "k8s.io/kubectl/pkg/cmd/util"
 	kmapi "kmodules.xyz/client-go/api/v1"
 )
@@ -63,7 +55,7 @@ func NewCmdApprove(clientGetter genericclioptions.RESTClientGetter) *cobra.Comma
 				ObjectNames = args[1:]
 			}
 
-			if err := modifyStatusCondition(clientGetter, true); err != nil {
+			if err := modifyStatusCondition(clientGetter, secretAccessApprovedCond); err != nil {
 				Fatal(err)
 			} else {
 				fmt.Printf("secretaccessrequests %s approved\n", strings.Join(ObjectNames, ", "))
@@ -75,80 +67,3 @@ func NewCmdApprove(clientGetter genericclioptions.RESTClientGetter) *cobra.Comma
 	cmdutil.AddFilenameOptionFlags(cmd, &FilenameOptions, "identifying the resource to update")
 	return cmd
 }
-
-func modifyStatusCondition(clientGetter genericclioptions.RESTClientGetter, isApproveReq bool) error {
-	var resourceName string
-	switch ResourceName {
-	case engineapi.ResourceSecretAccessRequest, engineapi.ResourceSecretAccessRequests:
-		resourceName = engineapi.ResourceSecretAccessRequest
-	case "":
-		resourceName = ""
-	default:
-		return errors.New("unknown/unsupported resource")
-	}
-
-	cfg, err := clientGetter.ToRESTConfig()
-	if err != nil {
-		return errors.Wrap(err, "failed to read kubeconfig")
-	}
-
-	namespace, _, err := clientGetter.ToRawKubeConfigLoader().Namespace()
-	if err != nil {
-		return err
-	}
-
-	builder := cmdutil.NewFactory(clientGetter).NewBuilder()
-
-	engineClient, err := enginecs.NewForConfig(cfg)
-	if err != nil {
-		return err
-	}
-
-	r := builder.
-		WithScheme(clientsetscheme.Scheme, clientsetscheme.Scheme.PrioritizedVersionsAllGroups()...).
-		ContinueOnError().
-		NamespaceParam(namespace).DefaultNamespace().
-		FilenameParam(false, &FilenameOptions).
-		ResourceNames(resourceName, ObjectNames...).
-		RequireObject(true).
-		Flatten().
-		Latest().
-		Do()
-
-	err = r.Visit(func(info *resource.Info, err error) error {
-		if err != nil {
-			return err
-		}
-
-		var err2 error
-		switch info.Object.(type) {
-		case *engineapi.SecretAccessRequest:
-			obj := info.Object.(*engineapi.SecretAccessRequest)
-			cond := secretAccessDeniedCond
-			if isApproveReq {
-				cond = secretAccessApprovedCond
-			}
-
-			if cond == secretAccessDeniedCond && kmapi.IsConditionTrue(obj.Status.Conditions, kmapi.ConditionRequestApproved) {
-				return errors.New("failed to deny, request already approved")
-			}
-
-			cond.ObservedGeneration = obj.Generation
-			err2 = UpdateSecretAccessRequestCondition(engineClient, obj.ObjectMeta, cond)
-		default:
-			err2 = errors.New("unknown/unsupported type")
-		}
-		return err2
-	})
-	return err
-}
-
-func UpdateSecretAccessRequestCondition(c enginecs.EngineV1alpha1Interface, req metav1.ObjectMeta, cond kmapi.Condition) error {
-	_, err := engineutil.UpdateSecretAccessRequestStatus(context.TODO(), c, req, func(in *engineapi.SecretAccessRequestStatus) *engineapi.SecretAccessRequestStatus {
-		cond.LastTransitionTime = metav1.Now()
-		in.Conditions = kmapi.SetCondition(in.Conditions, cond)
-		in.ObservedGeneration = req.Generation
-		return in
-	}, metav1.UpdateOptions{})
-	return err
-}

pkg/cmds/deny.go

@@ -49,7 +49,7 @@ func NewCmdDeny(clientGetter genericclioptions.RESTClientGetter) *cobra.Command
 				ObjectNames = args[1:]
 			}
 
-			if err := modifyStatusCondition(clientGetter, false); err != nil {
+			if err := modifyStatusCondition(clientGetter, secretAccessDeniedCond); err != nil {
 				Fatal(err)
 			} else {
 				fmt.Printf("secretaccessrequests %s denied\n", strings.Join(ObjectNames, ", "))