
Merge pull request #339 from mouhsen-ibrahim/add-workload-identity-support

Add support for Google Cloud Identity
This commit is contained in:
paul-the-alien[bot] 2021-08-24 17:00:42 +00:00 committed by GitHub
commit 52e3e80a16
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 24 additions and 68 deletions


@ -31,7 +31,8 @@ type GCPSMAuthSecretRef struct {
// GCPSMProvider Configures a store to sync secrets using the GCP Secret Manager provider.
type GCPSMProvider struct {
// Auth defines the information necessary to authenticate against GCP
Auth GCPSMAuth `json:"auth"`
// +optional
Auth GCPSMAuth `json:"auth,omitempty"`
// ProjectID project where secret is located
ProjectID string `json:"projectID,omitempty"`
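Review bot: The new `// +optional` marker on Auth is not accompanied by a field comment saying what an omitted `auth` means, which the provider now decides on its own (the gcpsm.go section of this commit falls back to `google.DefaultTokenSource` when no credentials were loaded), so a store that accidentally leaves out `auth` silently authenticates as whatever identity the controller pod carries instead of failing admission. I would extend the comment to `// Auth defines the information necessary to authenticate against GCP. Optional: when omitted the provider uses the runtime's default credentials (e.g. Workload Identity), so leaving it out is a deliberate choice, not a misconfiguration.` GCPSMProvider continues outside the hunk.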


@ -18,7 +18,7 @@ package v1
// In some instances, `key` is a required field.
type SecretKeySelector struct {
// The name of the Secret resource being referred to.
Name string `json:"name"`
Name string `json:"name,omitempty"`
// Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
// to the namespace of the referent.
// +optional
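Review bot: Dropping `required` from `Name` appears to relax SecretKeySelector for every provider, not just GCP; the CRD sections in this commit show `required: - name` disappearing under the aws, azure, ibm and vault selectors as well, while only the GCP provider code in this commit gains a check for an empty name. Unless the other providers already guard against it, an empty `name` that the API server used to reject will now reach their Secret lookups as a request for a Secret named "". I would at least document the new contract on the field, `// The name of the Secret resource being referred to. May be empty where the enclosing provider treats the reference as optional; provider code must check for "" before resolving it.`, and consider keeping the field required for selectors whose provider has no credential fallback. SecretKeySelector continues outside the hunk.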


@ -108,8 +108,6 @@ spec:
cluster-scoped defaults to the namespace of
the referent.
type: string
required:
- name
type: object
secretAccessKeySecretRef:
description: The SecretAccessKey is used for authentication
@ -130,8 +128,6 @@ spec:
cluster-scoped defaults to the namespace of
the referent.
type: string
required:
- name
type: object
type: object
type: object
@ -179,8 +175,6 @@ spec:
to. Ignored if referent is not cluster-scoped. cluster-scoped
defaults to the namespace of the referent.
type: string
required:
- name
type: object
clientSecret:
description: The Azure ClientSecret of the service principle
@ -200,8 +194,6 @@ spec:
to. Ignored if referent is not cluster-scoped. cluster-scoped
defaults to the namespace of the referent.
type: string
required:
- name
type: object
required:
- clientId
@ -249,8 +241,6 @@ spec:
cluster-scoped defaults to the namespace of
the referent.
type: string
required:
- name
type: object
type: object
required:
@ -259,8 +249,6 @@ spec:
projectID:
description: ProjectID project where secret is located
type: string
required:
- auth
type: object
ibm:
description: IBM configures this store to sync secrets using IBM
@ -291,8 +279,6 @@ spec:
cluster-scoped defaults to the namespace of
the referent.
type: string
required:
- name
type: object
type: object
required:
@ -351,8 +337,6 @@ spec:
cluster-scoped defaults to the namespace of
the referent.
type: string
required:
- name
type: object
required:
- path
@ -384,8 +368,6 @@ spec:
cluster-scoped defaults to the namespace of
the referent.
type: string
required:
- name
type: object
secretRef:
description: SecretRef to a key in a Secret resource
@ -408,8 +390,6 @@ spec:
cluster-scoped defaults to the namespace of
the referent.
type: string
required:
- name
type: object
type: object
jwt:
@ -441,8 +421,6 @@ spec:
cluster-scoped defaults to the namespace of
the referent.
type: string
required:
- name
type: object
type: object
kubernetes:
@ -483,8 +461,6 @@ spec:
cluster-scoped defaults to the namespace of
the referent.
type: string
required:
- name
type: object
serviceAccountRef:
description: Optional service account field containing
@ -537,8 +513,6 @@ spec:
cluster-scoped defaults to the namespace of
the referent.
type: string
required:
- name
type: object
username:
description: Username is a LDAP user name used to
@ -566,8 +540,6 @@ spec:
to. Ignored if referent is not cluster-scoped. cluster-scoped
defaults to the namespace of the referent.
type: string
required:
- name
type: object
type: object
caBundle:


@ -108,8 +108,6 @@ spec:
cluster-scoped defaults to the namespace of
the referent.
type: string
required:
- name
type: object
secretAccessKeySecretRef:
description: The SecretAccessKey is used for authentication
@ -130,8 +128,6 @@ spec:
cluster-scoped defaults to the namespace of
the referent.
type: string
required:
- name
type: object
type: object
type: object
@ -179,8 +175,6 @@ spec:
to. Ignored if referent is not cluster-scoped. cluster-scoped
defaults to the namespace of the referent.
type: string
required:
- name
type: object
clientSecret:
description: The Azure ClientSecret of the service principle
@ -200,8 +194,6 @@ spec:
to. Ignored if referent is not cluster-scoped. cluster-scoped
defaults to the namespace of the referent.
type: string
required:
- name
type: object
required:
- clientId
@ -249,8 +241,6 @@ spec:
cluster-scoped defaults to the namespace of
the referent.
type: string
required:
- name
type: object
type: object
required:
@ -259,8 +249,6 @@ spec:
projectID:
description: ProjectID project where secret is located
type: string
required:
- auth
type: object
ibm:
description: IBM configures this store to sync secrets using IBM
@ -291,8 +279,6 @@ spec:
cluster-scoped defaults to the namespace of
the referent.
type: string
required:
- name
type: object
type: object
required:
@ -351,8 +337,6 @@ spec:
cluster-scoped defaults to the namespace of
the referent.
type: string
required:
- name
type: object
required:
- path
@ -384,8 +368,6 @@ spec:
cluster-scoped defaults to the namespace of
the referent.
type: string
required:
- name
type: object
secretRef:
description: SecretRef to a key in a Secret resource
@ -408,8 +390,6 @@ spec:
cluster-scoped defaults to the namespace of
the referent.
type: string
required:
- name
type: object
type: object
jwt:
@ -441,8 +421,6 @@ spec:
cluster-scoped defaults to the namespace of
the referent.
type: string
required:
- name
type: object
type: object
kubernetes:
@ -483,8 +461,6 @@ spec:
cluster-scoped defaults to the namespace of
the referent.
type: string
required:
- name
type: object
serviceAccountRef:
description: Optional service account field containing
@ -537,8 +513,6 @@ spec:
cluster-scoped defaults to the namespace of
the referent.
type: string
required:
- name
type: object
username:
description: Username is a LDAP user name used to
@ -566,8 +540,6 @@ spec:
to. Ignored if referent is not cluster-scoped. cluster-scoped
defaults to the namespace of the referent.
type: string
required:
- name
type: object
type: object
caBundle:


@ -39,12 +39,12 @@ const (
defaultVersion = "latest"
errGCPSMStore = "received invalid GCPSM SecretStore resource"
errGCPSMCredSecretName = "invalid GCPSM SecretStore resource: missing GCP Secret Access Key"
errClientClose = "unable to close SecretManager client: %w"
errInvalidClusterStoreMissingSAKNamespace = "invalid ClusterSecretStore: missing GCP SecretAccessKey Namespace"
errFetchSAKSecret = "could not fetch SecretAccessKey secret: %w"
errMissingSAK = "missing SecretAccessKey"
errUnableProcessJSONCredentials = "failed to process the provided JSON credentials: %w"
errUnableProcessDefaultCredentials = "failed to process the default credentials: %w"
errUnableCreateGCPSMClient = "failed to create GCP secretmanager client: %w"
errUninitalizedGCPProvider = "provider GCP is not initialized"
errClientGetSecretAccess = "unable to access Secret from SecretManager Client: %w"
@ -73,9 +73,6 @@ type gClient struct {
func (c *gClient) setAuth(ctx context.Context) error {
credentialsSecret := &corev1.Secret{}
credentialsSecretName := c.store.Auth.SecretRef.SecretAccessKey.Name
if credentialsSecretName == "" {
return fmt.Errorf(errGCPSMCredSecretName)
}
objectKey := types.NamespacedName{
Name: credentialsSecretName,
Namespace: c.namespace,
@ -88,7 +85,10 @@ func (c *gClient) setAuth(ctx context.Context) error {
}
objectKey.Namespace = *c.store.Auth.SecretRef.SecretAccessKey.Namespace
}
if credentialsSecretName == "" {
c.credentials = nil
return nil
}
err := c.kube.Get(ctx, objectKey, credentialsSecret)
if err != nil {
return fmt.Errorf(errFetchSAKSecret, err)
@ -122,12 +122,23 @@ func (sm *ProviderGCP) NewClient(ctx context.Context, store esv1alpha1.GenericSt
sm.projectID = cliStore.store.ProjectID
config, err := google.JWTConfigFromJSON(cliStore.credentials, CloudPlatformRole)
if err != nil {
return nil, fmt.Errorf(errUnableProcessJSONCredentials, err)
if cliStore.credentials != nil {
config, err := google.JWTConfigFromJSON(cliStore.credentials, CloudPlatformRole)
if err != nil {
return nil, fmt.Errorf(errUnableProcessJSONCredentials, err)
}
ts := config.TokenSource(ctx)
clientGCPSM, err := secretmanager.NewClient(ctx, option.WithTokenSource(ts))
if err != nil {
return nil, fmt.Errorf(errUnableCreateGCPSMClient, err)
}
sm.SecretManagerClient = clientGCPSM
return sm, nil
}
ts, err := google.DefaultTokenSource(ctx, CloudPlatformRole)
if err != nil {
return nil, fmt.Errorf(errUnableProcessDefaultCredentials, err)
}
ts := config.TokenSource(ctx)
clientGCPSM, err := secretmanager.NewClient(ctx, option.WithTokenSource(ts))
if err != nil {
return nil, fmt.Errorf(errUnableCreateGCPSMClient, err)