feat: add function exists to ref controller

neXenio · Sep 11, 2023 · 9aefb91 · 9aefb91
1 parent 466abd5
commit 9aefb91
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 16 deletions.
diff --git a/kapitan/refs/base.py b/kapitan/refs/base.py
@@ -34,6 +34,8 @@
 
 logger = logging.getLogger(__name__)
 
+_ALREADY_EXISTING_SECRET_ = "_ALREADY_EXISTING_SECRET_"
+
 # e.g. ?{ref:my/secret/token} or ?{ref:my/secret/token||func:param1:param2}
 # e.g  ?{ref:basepayloadhere==:embedded} (for embedded refs)
 REF_TOKEN_TAG_PATTERN = r"(\?{(\w+:[\w\-\.\@\=\/\:]+)(\|(?:(?:\|\w+)(?::\S*)*)+)?\=*})"
@@ -647,6 +649,9 @@ def _eval_func_str(self, ctx, func_str):
             func_name, *func_params = func.strip().split(":")
             if func_name == "base64":  # not a real function
                 ctx.encode_base64 = True
+            elif func_name == "exists":
+                # indicating not overwriting secret (vaultkv only)
+                ctx.data = _ALREADY_EXISTING_SECRET_
             else:
                 try:
                     # call function with parameters and set generated secret to ctx.data

diff --git a/kapitan/refs/secrets/vaultkv.py b/kapitan/refs/secrets/vaultkv.py
@@ -12,7 +12,7 @@
 from hvac.exceptions import Forbidden, InvalidPath
 
 from kapitan import cached
-from kapitan.refs.base import RefError
+from kapitan.refs.base import RefError, _ALREADY_EXISTING_SECRET_
 from kapitan.refs.base64 import Base64Ref, Base64RefBackend
 from kapitan.refs.vault_resources import VaultClient, VaultError
 
@@ -143,23 +143,30 @@ def _encrypt(self, data, encode_base64=False):
                     mount_point=self.mount,
                 )
                 secrets = response["data"]["data"]
-        except InvalidPath:
-            pass  # comes up if vault is empty in specified path
+        except (InvalidPath, KeyError):
+            # comes up if vault is empty in specified path
 
-        # append new secret
-        secrets[self.key] = data.decode()
+            # throw if 'exists' was given
+            if data.decode() is _ALREADY_EXISTING_SECRET_:
+                msg = f"path '{self.mount}/{self.path}/{self.key}' does not exist on Vault, but received function 'exists'"
+                raise VaultError(msg)
 
-        # write updated secrets back to vault
-        try:
-            client.secrets.kv.v2.create_or_update_secret(
-                path=self.path, secret=secrets, mount_point=self.mount
-            )
-            client.adapter.close()
-        except Forbidden:
-            raise VaultError(
-                "Permission Denied. "
-                + "make sure the token is authorised to access '{}' on Vault".format(self.path)
-            )
+        # only write new secrets
+        if data.decode() is not _ALREADY_EXISTING_SECRET_:
+            # append / overwrite new secret
+            secrets[self.key] = data.decode()
+
+            # write updated secrets back to vault
+            try:
+                client.secrets.kv.v2.create_or_update_secret(
+                    path=self.path, secret=secrets, mount_point=self.mount
+                )
+                client.adapter.close()
+            except Forbidden:
+                raise VaultError(
+                    "Permission Denied. "
+                    + "make sure the token is authorised to access '{}' on Vault".format(self.path)
+                )
 
         # set the data to path:key
         data = f"{self.path}:{self.key}".encode()