1
0
Fork 0
mirror of https://github.com/external-secrets/external-secrets.git synced 2024-12-14 11:57:59 +00:00

fix: v1 templates with metadata + always cleanup orphaned secrets (#4174)

Signed-off-by: Mathew Wicks <5735406+thesuperzapper@users.noreply.github.com>
Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
This commit is contained in:
Mathew Wicks 2024-12-06 13:22:59 -08:00 committed by GitHub
parent 5350b03308
commit 2d5829b790
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
9 changed files with 177 additions and 93 deletions

View file

@ -470,6 +470,7 @@ const (
ReasonCreated = "Created" ReasonCreated = "Created"
ReasonUpdated = "Updated" ReasonUpdated = "Updated"
ReasonDeleted = "Deleted" ReasonDeleted = "Deleted"
ReasonMissingProviderSecret = "MissingProviderSecret"
) )
type ExternalSecretStatus struct { type ExternalSecretStatus struct {

View file

@ -4,6 +4,10 @@
Templating Engine v1 is **deprecated** and will be removed in the future. Please migrate to engine v2 and take a look at our [upgrade guide](templating.md#migrating-from-v1) for changes. Templating Engine v1 is **deprecated** and will be removed in the future. Please migrate to engine v2 and take a look at our [upgrade guide](templating.md#migrating-from-v1) for changes.
!!! note
Templating Engine v1 does NOT support templating the `spec.target.template.metadata` fields, or the keys of the `spec.target.template.data` map, it will treat them as plain strings.
To use templates in annotations/labels/data-keys, please use Templating Engine v2.
With External Secrets Operator you can transform the data from the external secret provider before it is stored as `Kind=Secret`. You can do this with the `Spec.Target.Template`. With External Secrets Operator you can transform the data from the external secret provider before it is stored as `Kind=Secret`. You can do this with the `Spec.Target.Template`.
@ -18,7 +22,7 @@ You can use templates to inject your secrets into a configuration file that you
You can also use pre-defined functions to extract data from your secrets. Here: extract key/cert from a pkcs12 archive and store it as PEM. You can also use pre-defined functions to extract data from your secrets. Here: extract key/cert from a pkcs12 archive and store it as PEM.
``` yaml ``` yaml
{% include 'pkcs12-template-v2-external-secret.yaml' %} {% include 'pkcs12-template-v1-external-secret.yaml' %}
``` ```
### TemplateFrom ### TemplateFrom

View file

@ -13,6 +13,7 @@ spec:
# this is how the Kind=Secret will look like # this is how the Kind=Secret will look like
template: template:
type: kubernetes.io/tls type: kubernetes.io/tls
engineVersion: v1
data: data:
tls.crt: "{{ .mysecret | pkcs12cert | pemCertificate }}" tls.crt: "{{ .mysecret | pkcs12cert | pemCertificate }}"
tls.key: "{{ .mysecret | pkcs12key | pemPrivateKey }}" tls.key: "{{ .mysecret | pkcs12key | pemPrivateKey }}"

View file

@ -93,11 +93,11 @@ const (
logErrorUnmanagedStore = "unable to determine if store is managed" logErrorUnmanagedStore = "unable to determine if store is managed"
// error formats. // error formats.
errConvert = "could not apply conversion strategy to keys: %v" errConvert = "error applying conversion strategy %s to keys: %w"
errDecode = "could not apply decoding strategy to %v[%d]: %v" errRewrite = "error applying rewrite to keys: %w"
errGenerate = "could not generate [%d]: %w" errDecode = "error applying decoding strategy %s to data: %w"
errRewrite = "could not rewrite spec.dataFrom[%d]: %v" errGenerate = "error using generator: %w"
errInvalidKeys = "secret keys from spec.dataFrom.%v[%d] can only have alphanumeric, '-', '_' or '.' characters. Convert them using rewrite (https://external-secrets.io/latest/guides/datafrom-rewrite/)" errInvalidKeys = "invalid secret keys (TIP: use rewrite or conversionStrategy to change keys): %w"
errFetchTplFrom = "error fetching templateFrom data: %w" errFetchTplFrom = "error fetching templateFrom data: %w"
errApplyTemplate = "could not apply template: %w" errApplyTemplate = "could not apply template: %w"
errExecTpl = "could not execute template: %w" errExecTpl = "could not execute template: %w"
@ -106,6 +106,14 @@ const (
errUpdateNotFound = "unable to update secret %s: not found" errUpdateNotFound = "unable to update secret %s: not found"
errDeleteCreatePolicy = "unable to delete secret %s: creationPolicy=%s is not Owner" errDeleteCreatePolicy = "unable to delete secret %s: creationPolicy=%s is not Owner"
errSecretCachesNotSynced = "controller caches for secret %s are not in sync" errSecretCachesNotSynced = "controller caches for secret %s are not in sync"
// event messages.
eventCreated = "secret created"
eventUpdated = "secret updated"
eventDeleted = "secret deleted due to DeletionPolicy=Delete"
eventDeletedOrphaned = "secret deleted because it was orphaned"
eventMissingProviderSecret = "secret does not exist at provider using spec.dataFrom[%d]"
eventMissingProviderSecretKey = "secret does not exist at provider using spec.dataFrom[%d] (key=%s)"
) )
// these errors are explicitly defined so we can detect them with `errors.Is()`. // these errors are explicitly defined so we can detect them with `errors.Is()`.
@ -333,17 +341,19 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ct
// NOTE: this error cant be fixed by retrying so we don't return an error (which would requeue immediately) // NOTE: this error cant be fixed by retrying so we don't return an error (which would requeue immediately)
creationPolicy := externalSecret.Spec.Target.CreationPolicy creationPolicy := externalSecret.Spec.Target.CreationPolicy
if creationPolicy != esv1beta1.CreatePolicyOwner { if creationPolicy != esv1beta1.CreatePolicyOwner {
err := fmt.Errorf(errDeleteCreatePolicy, secretName, creationPolicy) err = fmt.Errorf(errDeleteCreatePolicy, secretName, creationPolicy)
r.markAsFailed(msgErrorDeleteSecret, err, externalSecret, syncCallsError.With(resourceLabels)) r.markAsFailed(msgErrorDeleteSecret, err, externalSecret, syncCallsError.With(resourceLabels))
return ctrl.Result{}, nil return ctrl.Result{}, nil
} }
// delete the secret, if it exists // delete the secret, if it exists
if existingSecret.UID != "" { if existingSecret.UID != "" {
if err := r.Delete(ctx, existingSecret); err != nil && !apierrors.IsNotFound(err) { err = r.Delete(ctx, existingSecret)
if err != nil && !apierrors.IsNotFound(err) {
r.markAsFailed(msgErrorDeleteSecret, err, externalSecret, syncCallsError.With(resourceLabels)) r.markAsFailed(msgErrorDeleteSecret, err, externalSecret, syncCallsError.With(resourceLabels))
return ctrl.Result{}, err return ctrl.Result{}, err
} }
r.recorder.Event(externalSecret, v1.EventTypeNormal, esv1beta1.ReasonDeleted, eventDeleted)
} }
r.markAsDone(externalSecret, start, log, esv1beta1.ConditionReasonSecretDeleted, msgDeleted) r.markAsDone(externalSecret, start, log, esv1beta1.ConditionReasonSecretDeleted, msgDeleted)
@ -446,7 +456,10 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ct
return nil return nil
} }
switch externalSecret.Spec.Target.CreationPolicy { //nolint:exhaustive switch externalSecret.Spec.Target.CreationPolicy {
case esv1beta1.CreatePolicyNone:
log.V(1).Info("secret creation skipped due to CreationPolicy=None")
err = nil
case esv1beta1.CreatePolicyMerge: case esv1beta1.CreatePolicyMerge:
// update the secret, if it exists // update the secret, if it exists
if existingSecret.UID != "" { if existingSecret.UID != "" {
@ -457,25 +470,28 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ct
r.markAsDone(externalSecret, start, log, esv1beta1.ConditionReasonSecretMissing, msgMissing) r.markAsDone(externalSecret, start, log, esv1beta1.ConditionReasonSecretMissing, msgMissing)
return r.getRequeueResult(externalSecret), nil return r.getRequeueResult(externalSecret), nil
} }
case esv1beta1.CreatePolicyNone: case esv1beta1.CreatePolicyOrphan:
log.V(1).Info("secret creation skipped due to creationPolicy=None")
err = nil
default:
// create the secret, if it does not exist // create the secret, if it does not exist
if existingSecret.UID == "" { if existingSecret.UID == "" {
err = r.createSecret(ctx, mutationFunc, externalSecret, secretName) err = r.createSecret(ctx, mutationFunc, externalSecret, secretName)
} else {
// if the secret exists, we should update it
err = r.updateSecret(ctx, existingSecret, mutationFunc, externalSecret, secretName)
}
case esv1beta1.CreatePolicyOwner:
// we may have orphaned secrets to clean up, // we may have orphaned secrets to clean up,
// for example, if the target secret name was changed // for example, if the target secret name was changed
if err == nil { err = r.deleteOrphanedSecrets(ctx, externalSecret, secretName)
delErr := deleteOrphanedSecrets(ctx, r.Client, externalSecret, secretName) if err != nil {
if delErr != nil { r.markAsFailed(msgErrorDeleteOrphaned, err, externalSecret, syncCallsError.With(resourceLabels))
r.markAsFailed(msgErrorDeleteOrphaned, delErr, externalSecret, syncCallsError.With(resourceLabels)) return ctrl.Result{}, err
return ctrl.Result{}, delErr
}
} }
// create the secret, if it does not exist
if existingSecret.UID == "" {
err = r.createSecret(ctx, mutationFunc, externalSecret, secretName)
} else { } else {
// update the secret, if it exists // if the secret exists, we should update it
err = r.updateSecret(ctx, existingSecret, mutationFunc, externalSecret, secretName) err = r.updateSecret(ctx, existingSecret, mutationFunc, externalSecret, secretName)
} }
} }
@ -581,9 +597,11 @@ func (r *Reconciler) markAsFailed(msg string, err error, externalSecret *esv1bet
counter.Inc() counter.Inc()
} }
func deleteOrphanedSecrets(ctx context.Context, cl client.Client, externalSecret *esv1beta1.ExternalSecret, secretName string) error { func (r *Reconciler) deleteOrphanedSecrets(ctx context.Context, externalSecret *esv1beta1.ExternalSecret, secretName string) error {
ownerLabel := utils.ObjectHash(fmt.Sprintf("%v/%v", externalSecret.Namespace, externalSecret.Name)) ownerLabel := utils.ObjectHash(fmt.Sprintf("%v/%v", externalSecret.Namespace, externalSecret.Name))
// we use a PartialObjectMetadataList to avoid loading the full secret objects
// and because the Secrets partials are always cached due to WatchesMetadata() in SetupWithManager()
secretListPartial := &metav1.PartialObjectMetadataList{} secretListPartial := &metav1.PartialObjectMetadataList{}
secretListPartial.SetGroupVersionKind(v1.SchemeGroupVersion.WithKind("SecretList")) secretListPartial.SetGroupVersionKind(v1.SchemeGroupVersion.WithKind("SecretList"))
listOpts := &client.ListOptions{ listOpts := &client.ListOptions{
@ -592,16 +610,18 @@ func deleteOrphanedSecrets(ctx context.Context, cl client.Client, externalSecret
}), }),
Namespace: externalSecret.Namespace, Namespace: externalSecret.Namespace,
} }
if err := cl.List(ctx, secretListPartial, listOpts); err != nil { if err := r.List(ctx, secretListPartial, listOpts); err != nil {
return err return err
} }
// delete all secrets that are not the target secret // delete all secrets that are not the target secret
for _, secretPartial := range secretListPartial.Items { for _, secretPartial := range secretListPartial.Items {
if secretPartial.GetName() != secretName { if secretPartial.GetName() != secretName {
if err := cl.Delete(ctx, &secretPartial); err != nil { err := r.Delete(ctx, &secretPartial)
if err != nil && !apierrors.IsNotFound(err) {
return err return err
} }
r.recorder.Event(externalSecret, v1.EventTypeNormal, esv1beta1.ReasonDeleted, eventDeletedOrphaned)
} }
} }
@ -633,7 +653,7 @@ func (r *Reconciler) createSecret(ctx context.Context, mutationFunc func(secret
// https://github.com/external-secrets/external-secrets/pull/2263 // https://github.com/external-secrets/external-secrets/pull/2263
es.Status.Binding = v1.LocalObjectReference{Name: newSecret.Name} es.Status.Binding = v1.LocalObjectReference{Name: newSecret.Name}
r.recorder.Event(es, v1.EventTypeNormal, esv1beta1.ReasonCreated, "Created Secret") r.recorder.Event(es, v1.EventTypeNormal, esv1beta1.ReasonCreated, eventCreated)
return nil return nil
} }
@ -709,7 +729,7 @@ func (r *Reconciler) updateSecret(ctx context.Context, existingSecret *v1.Secret
return fmt.Errorf(errUpdate, updatedSecret.Name, err) return fmt.Errorf(errUpdate, updatedSecret.Name, err)
} }
r.recorder.Event(es, v1.EventTypeNormal, esv1beta1.ReasonUpdated, "Updated Secret") r.recorder.Event(es, v1.EventTypeNormal, esv1beta1.ReasonUpdated, eventUpdated)
return nil return nil
} }

View file

@ -49,55 +49,68 @@ func (r *Reconciler) getProviderSecretData(ctx context.Context, externalSecret *
var err error var err error
if remoteRef.Find != nil { if remoteRef.Find != nil {
secretMap, err = r.handleFindAllSecrets(ctx, externalSecret, remoteRef, mgr, i) secretMap, err = r.handleFindAllSecrets(ctx, externalSecret, remoteRef, mgr)
} else if remoteRef.Extract != nil { if err != nil {
secretMap, err = r.handleExtractSecrets(ctx, externalSecret, remoteRef, mgr, i) err = fmt.Errorf("error processing spec.dataFrom[%d].find, err: %w", i, err)
} else if remoteRef.SourceRef != nil && remoteRef.SourceRef.GeneratorRef != nil {
secretMap, err = r.handleGenerateSecrets(ctx, externalSecret.Namespace, remoteRef, i)
} }
} else if remoteRef.Extract != nil {
secretMap, err = r.handleExtractSecrets(ctx, externalSecret, remoteRef, mgr)
if err != nil {
err = fmt.Errorf("error processing spec.dataFrom[%d].extract, err: %w", i, err)
}
} else if remoteRef.SourceRef != nil && remoteRef.SourceRef.GeneratorRef != nil {
secretMap, err = r.handleGenerateSecrets(ctx, externalSecret.Namespace, remoteRef)
if err != nil {
err = fmt.Errorf("error processing spec.dataFrom[%d].sourceRef.generatorRef, err: %w", i, err)
}
}
if errors.Is(err, esv1beta1.NoSecretErr) && externalSecret.Spec.Target.DeletionPolicy != esv1beta1.DeletionPolicyRetain { if errors.Is(err, esv1beta1.NoSecretErr) && externalSecret.Spec.Target.DeletionPolicy != esv1beta1.DeletionPolicyRetain {
r.recorder.Event( r.recorder.Eventf(externalSecret, v1.EventTypeNormal, esv1beta1.ReasonMissingProviderSecret, eventMissingProviderSecret, i)
externalSecret,
v1.EventTypeNormal,
esv1beta1.ReasonDeleted,
fmt.Sprintf("secret does not exist at provider using .dataFrom[%d]", i),
)
continue continue
} }
if err != nil { if err != nil {
return nil, err return nil, err
} }
providerData = utils.MergeByteMap(providerData, secretMap) providerData = utils.MergeByteMap(providerData, secretMap)
} }
for i, secretRef := range externalSecret.Spec.Data { for i, secretRef := range externalSecret.Spec.Data {
err := r.handleSecretData(ctx, i, *externalSecret, secretRef, providerData, mgr) err := r.handleSecretData(ctx, *externalSecret, secretRef, providerData, mgr)
if errors.Is(err, esv1beta1.NoSecretErr) && externalSecret.Spec.Target.DeletionPolicy != esv1beta1.DeletionPolicyRetain { if errors.Is(err, esv1beta1.NoSecretErr) && externalSecret.Spec.Target.DeletionPolicy != esv1beta1.DeletionPolicyRetain {
r.recorder.Event(externalSecret, v1.EventTypeNormal, esv1beta1.ReasonDeleted, fmt.Sprintf("secret does not exist at provider using .data[%d] key=%s", i, secretRef.RemoteRef.Key)) r.recorder.Eventf(externalSecret, v1.EventTypeNormal, esv1beta1.ReasonMissingProviderSecret, eventMissingProviderSecretKey, i, secretRef.RemoteRef.Key)
continue continue
} }
if err != nil { if err != nil {
return nil, fmt.Errorf("error retrieving secret at .data[%d], key: %s, err: %w", i, secretRef.RemoteRef.Key, err) return nil, fmt.Errorf("error processing spec.data[%d] (key: %s), err: %w", i, secretRef.RemoteRef.Key, err)
} }
} }
return providerData, nil return providerData, nil
} }
func (r *Reconciler) handleSecretData(ctx context.Context, i int, externalSecret esv1beta1.ExternalSecret, secretRef esv1beta1.ExternalSecretData, providerData map[string][]byte, cmgr *secretstore.Manager) error { func (r *Reconciler) handleSecretData(ctx context.Context, externalSecret esv1beta1.ExternalSecret, secretRef esv1beta1.ExternalSecretData, providerData map[string][]byte, cmgr *secretstore.Manager) error {
client, err := cmgr.Get(ctx, externalSecret.Spec.SecretStoreRef, externalSecret.Namespace, toStoreGenSourceRef(secretRef.SourceRef)) client, err := cmgr.Get(ctx, externalSecret.Spec.SecretStoreRef, externalSecret.Namespace, toStoreGenSourceRef(secretRef.SourceRef))
if err != nil { if err != nil {
return err return err
} }
// get a single secret from the store
secretData, err := client.GetSecret(ctx, secretRef.RemoteRef) secretData, err := client.GetSecret(ctx, secretRef.RemoteRef)
if err != nil { if err != nil {
return err return err
} }
// decode the secret if needed
secretData, err = utils.Decode(secretRef.RemoteRef.DecodingStrategy, secretData) secretData, err = utils.Decode(secretRef.RemoteRef.DecodingStrategy, secretData)
if err != nil { if err != nil {
return fmt.Errorf(errDecode, "spec.data", i, err) return fmt.Errorf(errDecode, secretRef.RemoteRef.DecodingStrategy, err)
} }
// store the secret data
providerData[secretRef.SecretKey] = secretData providerData[secretRef.SecretKey] = secretData
return nil return nil
} }
@ -110,83 +123,108 @@ func toStoreGenSourceRef(ref *esv1beta1.StoreSourceRef) *esv1beta1.StoreGenerato
} }
} }
func (r *Reconciler) handleGenerateSecrets(ctx context.Context, namespace string, remoteRef esv1beta1.ExternalSecretDataFromRemoteRef, i int) (map[string][]byte, error) { func (r *Reconciler) handleGenerateSecrets(ctx context.Context, namespace string, remoteRef esv1beta1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
gen, obj, err := resolvers.GeneratorRef(ctx, r.Client, r.Scheme, namespace, remoteRef.SourceRef.GeneratorRef) gen, obj, err := resolvers.GeneratorRef(ctx, r.Client, r.Scheme, namespace, remoteRef.SourceRef.GeneratorRef)
if err != nil { if err != nil {
return nil, fmt.Errorf("unable to resolve generator: %w", err) return nil, err
} }
// We still pass the namespace to the generate function because it needs to create
// namespace based objects. // use the generator
secretMap, err := gen.Generate(ctx, obj, r.Client, namespace) secretMap, err := gen.Generate(ctx, obj, r.Client, namespace)
if err != nil { if err != nil {
return nil, fmt.Errorf(errGenerate, i, err) return nil, fmt.Errorf(errGenerate, err)
} }
// rewrite the keys if needed
secretMap, err = utils.RewriteMap(remoteRef.Rewrite, secretMap) secretMap, err = utils.RewriteMap(remoteRef.Rewrite, secretMap)
if err != nil { if err != nil {
return nil, fmt.Errorf(errRewrite, i, err) return nil, fmt.Errorf(errRewrite, err)
} }
if !utils.ValidateKeys(secretMap) {
return nil, fmt.Errorf(errInvalidKeys, "generator", i) // validate the keys
err = utils.ValidateKeys(secretMap)
if err != nil {
return nil, fmt.Errorf(errInvalidKeys, err)
} }
return secretMap, err return secretMap, err
} }
func (r *Reconciler) handleExtractSecrets(ctx context.Context, externalSecret *esv1beta1.ExternalSecret, remoteRef esv1beta1.ExternalSecretDataFromRemoteRef, cmgr *secretstore.Manager, i int) (map[string][]byte, error) { //nolint:dupl
func (r *Reconciler) handleExtractSecrets(ctx context.Context, externalSecret *esv1beta1.ExternalSecret, remoteRef esv1beta1.ExternalSecretDataFromRemoteRef, cmgr *secretstore.Manager) (map[string][]byte, error) {
client, err := cmgr.Get(ctx, externalSecret.Spec.SecretStoreRef, externalSecret.Namespace, remoteRef.SourceRef) client, err := cmgr.Get(ctx, externalSecret.Spec.SecretStoreRef, externalSecret.Namespace, remoteRef.SourceRef)
if err != nil { if err != nil {
return nil, err return nil, err
} }
// get multiple secrets from the store
secretMap, err := client.GetSecretMap(ctx, *remoteRef.Extract) secretMap, err := client.GetSecretMap(ctx, *remoteRef.Extract)
if err != nil { if err != nil {
return nil, err return nil, err
} }
// rewrite the keys if needed
secretMap, err = utils.RewriteMap(remoteRef.Rewrite, secretMap) secretMap, err = utils.RewriteMap(remoteRef.Rewrite, secretMap)
if err != nil { if err != nil {
return nil, fmt.Errorf(errRewrite, i, err) return nil, fmt.Errorf(errRewrite, err)
} }
if len(remoteRef.Rewrite) == 0 { if len(remoteRef.Rewrite) == 0 {
secretMap, err = utils.ConvertKeys(remoteRef.Extract.ConversionStrategy, secretMap) secretMap, err = utils.ConvertKeys(remoteRef.Extract.ConversionStrategy, secretMap)
if err != nil { if err != nil {
return nil, fmt.Errorf(errConvert, err) return nil, fmt.Errorf(errConvert, remoteRef.Extract.ConversionStrategy, err)
} }
} }
if !utils.ValidateKeys(secretMap) {
return nil, fmt.Errorf(errInvalidKeys, "extract", i) // validate the keys
err = utils.ValidateKeys(secretMap)
if err != nil {
return nil, fmt.Errorf(errInvalidKeys, err)
} }
// decode the secrets if needed
secretMap, err = utils.DecodeMap(remoteRef.Extract.DecodingStrategy, secretMap) secretMap, err = utils.DecodeMap(remoteRef.Extract.DecodingStrategy, secretMap)
if err != nil { if err != nil {
return nil, fmt.Errorf(errDecode, "spec.dataFrom", i, err) return nil, fmt.Errorf(errDecode, remoteRef.Extract.DecodingStrategy, err)
} }
return secretMap, err return secretMap, err
} }
func (r *Reconciler) handleFindAllSecrets(ctx context.Context, externalSecret *esv1beta1.ExternalSecret, remoteRef esv1beta1.ExternalSecretDataFromRemoteRef, cmgr *secretstore.Manager, i int) (map[string][]byte, error) { //nolint:dupl
func (r *Reconciler) handleFindAllSecrets(ctx context.Context, externalSecret *esv1beta1.ExternalSecret, remoteRef esv1beta1.ExternalSecretDataFromRemoteRef, cmgr *secretstore.Manager) (map[string][]byte, error) {
client, err := cmgr.Get(ctx, externalSecret.Spec.SecretStoreRef, externalSecret.Namespace, remoteRef.SourceRef) client, err := cmgr.Get(ctx, externalSecret.Spec.SecretStoreRef, externalSecret.Namespace, remoteRef.SourceRef)
if err != nil { if err != nil {
return nil, err return nil, err
} }
// get all secrets from the store that match the selector
secretMap, err := client.GetAllSecrets(ctx, *remoteRef.Find) secretMap, err := client.GetAllSecrets(ctx, *remoteRef.Find)
if err != nil { if err != nil {
return nil, err return nil, err
} }
// rewrite the keys if needed
secretMap, err = utils.RewriteMap(remoteRef.Rewrite, secretMap) secretMap, err = utils.RewriteMap(remoteRef.Rewrite, secretMap)
if err != nil { if err != nil {
return nil, fmt.Errorf(errRewrite, i, err) return nil, fmt.Errorf(errRewrite, err)
} }
if len(remoteRef.Rewrite) == 0 { if len(remoteRef.Rewrite) == 0 {
// ConversionStrategy is deprecated. Use RewriteMap instead.
r.recorder.Event(externalSecret, v1.EventTypeWarning, esv1beta1.ReasonDeprecated, fmt.Sprintf("dataFrom[%d].find.conversionStrategy=%v is deprecated and will be removed in further releases. Use dataFrom.rewrite instead", i, remoteRef.Find.ConversionStrategy))
secretMap, err = utils.ConvertKeys(remoteRef.Find.ConversionStrategy, secretMap) secretMap, err = utils.ConvertKeys(remoteRef.Find.ConversionStrategy, secretMap)
if err != nil { if err != nil {
return nil, fmt.Errorf(errConvert, err) return nil, fmt.Errorf(errConvert, remoteRef.Find.ConversionStrategy, err)
} }
} }
if !utils.ValidateKeys(secretMap) {
return nil, fmt.Errorf(errInvalidKeys, "find", i) // validate the keys
err = utils.ValidateKeys(secretMap)
if err != nil {
return nil, fmt.Errorf(errInvalidKeys, err)
} }
// decode the secrets if needed
secretMap, err = utils.DecodeMap(remoteRef.Find.DecodingStrategy, secretMap) secretMap, err = utils.DecodeMap(remoteRef.Find.DecodingStrategy, secretMap)
if err != nil { if err != nil {
return nil, fmt.Errorf(errDecode, "spec.dataFrom", i, err) return nil, fmt.Errorf(errDecode, remoteRef.Find.DecodingStrategy, err)
} }
return secretMap, err return secretMap, err
} }

View file

@ -79,18 +79,23 @@ func (r *Reconciler) applyTemplate(ctx context.Context, es *esv1beta1.ExternalSe
if err != nil { if err != nil {
return fmt.Errorf(errFetchTplFrom, err) return fmt.Errorf(errFetchTplFrom, err)
} }
// explicitly defined template.Data takes precedence over templateFrom
// apply data templates
// NOTE: explicitly defined template.data templates take precedence over templateFrom
err = p.MergeMap(es.Spec.Target.Template.Data, esv1beta1.TemplateTargetData) err = p.MergeMap(es.Spec.Target.Template.Data, esv1beta1.TemplateTargetData)
if err != nil { if err != nil {
return fmt.Errorf(errExecTpl, err) return fmt.Errorf(errExecTpl, err)
} }
// get template data for labels // apply templates for labels
// NOTE: this only works for v2 templates
err = p.MergeMap(es.Spec.Target.Template.Metadata.Labels, esv1beta1.TemplateTargetLabels) err = p.MergeMap(es.Spec.Target.Template.Metadata.Labels, esv1beta1.TemplateTargetLabels)
if err != nil { if err != nil {
return fmt.Errorf(errExecTpl, err) return fmt.Errorf(errExecTpl, err)
} }
// get template data for annotations
// apply template for annotations
// NOTE: this only works for v2 templates
err = p.MergeMap(es.Spec.Target.Template.Metadata.Annotations, esv1beta1.TemplateTargetAnnotations) err = p.MergeMap(es.Spec.Target.Template.Metadata.Annotations, esv1beta1.TemplateTargetAnnotations)
if err != nil { if err != nil {
return fmt.Errorf(errExecTpl, err) return fmt.Errorf(errExecTpl, err)

View file

@ -14,6 +14,8 @@ limitations under the License.
package template package template
import ( import (
"fmt"
corev1 "k8s.io/api/core/v1" corev1 "k8s.io/api/core/v1"
esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1" esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
@ -30,8 +32,5 @@ func EngineForVersion(version esapi.TemplateEngineVersion) (ExecFunc, error) {
case esapi.TemplateEngineV2: case esapi.TemplateEngineV2:
return v2.Execute, nil return v2.Execute, nil
} }
return nil, fmt.Errorf("unsupported template engine version: %s", version)
// in case we run with a old v1alpha1 CRD
// we must return v1 as default
return v1.Execute, nil
} }

View file

@ -73,10 +73,21 @@ const (
) )
// Execute renders the secret data as template. If an error occurs processing is stopped immediately. // Execute renders the secret data as template. If an error occurs processing is stopped immediately.
func Execute(tpl, data map[string][]byte, _ esapi.TemplateScope, _ esapi.TemplateTarget, secret *corev1.Secret) error { func Execute(tpl, data map[string][]byte, scope esapi.TemplateScope, target esapi.TemplateTarget, secret *corev1.Secret) error {
if tpl == nil { if len(tpl) == 0 {
return nil return nil
} }
if scope != "" && scope != esapi.TemplateScopeValues {
return fmt.Errorf("template scope %s is not supported in v1 templates, please only use Values", scope)
}
switch target {
case esapi.TemplateTargetAnnotations:
// Annotations are not supported in v1 templates
case esapi.TemplateTargetLabels:
// Labels are not supported in v1 templates
case esapi.TemplateTargetData, "":
for k, v := range tpl { for k, v := range tpl {
val, err := execute(k, string(v), data) val, err := execute(k, string(v), data)
if err != nil { if err != nil {
@ -84,6 +95,7 @@ func Execute(tpl, data map[string][]byte, _ esapi.TemplateScope, _ esapi.Templat
} }
secret.Data[k] = val secret.Data[k] = val
} }
}
return nil return nil
} }

View file

@ -192,19 +192,23 @@ func Decode(strategy esv1beta1.ExternalSecretDecodingStrategy, in []byte) ([]byt
} }
} }
func ValidateKeys(in map[string][]byte) bool { // ValidateKeys checks if the keys in the secret map are valid keys for a Kubernetes secret.
func ValidateKeys(in map[string][]byte) error {
for key := range in { for key := range in {
for _, v := range key { keyLength := len(key)
if !unicode.IsNumber(v) && if keyLength == 0 {
!unicode.IsLetter(v) && return fmt.Errorf("found empty key")
v != '-' && }
v != '.' && if keyLength > 253 {
v != '_' { return fmt.Errorf("key has length %d but max is 253: (following is truncated): %s", keyLength, key[:253])
return false }
for _, c := range key {
if !unicode.IsLetter(c) && !unicode.IsNumber(c) && c != '-' && c != '.' && c != '_' {
return fmt.Errorf("key has invalid character %c, only alphanumeric, '-', '.' and '_' are allowed: %s", c, key)
} }
} }
} }
return true return nil
} }
// ConvertKeys converts a secret map into a valid key. // ConvertKeys converts a secret map into a valid key.