
Merge pull request #339 from mouhsen-ibrahim/add-workload-identity-support

Add support for Google Cloud Identity
This commit is contained in:
paul-the-alien[bot] 2021-08-24 17:00:42 +00:00 committed by GitHub
commit 52e3e80a16
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 24 additions and 68 deletions


@ -31,7 +31,8 @@ type GCPSMAuthSecretRef struct {
// GCPSMProvider Configures a store to sync secrets using the GCP Secret Manager provider. // GCPSMProvider Configures a store to sync secrets using the GCP Secret Manager provider.
type GCPSMProvider struct { type GCPSMProvider struct {
// Auth defines the information necessary to authenticate against GCP // Auth defines the information necessary to authenticate against GCP
Auth GCPSMAuth `json:"auth"` // +optional
Auth GCPSMAuth `json:"auth,omitempty"`
// ProjectID project where secret is located // ProjectID project where secret is located
ProjectID string `json:"projectID,omitempty"` ProjectID string `json:"projectID,omitempty"`
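Review bot: The new `// +optional` marker on Auth is not matched by a doc comment saying what the provider does when auth is omitted, and that is the part an operator needs: the CRD hunks in this commit drop `required: - auth`, and the provider hunk falls back to `google.DefaultTokenSource`, i.e. whatever ambient GCP identity the controller process itself holds. Unless something outside this diff restricts it, that means anyone allowed to create a SecretStore can read Secret Manager entries with the controller's own project-level credentials, so the fallback should be stated on the field rather than discovered by reading the provider. Suggest `// Auth defines the information necessary to authenticate against GCP; when omitted, the controller's default (ambient) GCP credentials are used for this store.`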


@ -18,7 +18,7 @@ package v1
// In some instances, `key` is a required field. // In some instances, `key` is a required field.
type SecretKeySelector struct { type SecretKeySelector struct {
// The name of the Secret resource being referred to. // The name of the Secret resource being referred to.
Name string `json:"name"` Name string `json:"name,omitempty"`
// Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults // Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
// to the namespace of the referent. // to the namespace of the referent.
// +optional // +optional
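Review bot: Making `Name` omitempty on the shared `SecretKeySelector` loosens validation for every provider that embeds it, not only the GCP store this PR is about; the CRD hunks in this commit accordingly drop `required: - name` for the AWS, Azure, Vault, IBM and Kubernetes selectors as well. Unless each of those providers already tolerates an empty Name, that check moves from the API server to a runtime Get of a Secret named "" or a silently skipped credential. If only GCP needs an omissible reference, the narrower change is to keep `Name string` tagged `json:"name"` here and make the GCP auth secretRef itself optional at the provider type, which confines the relaxed validation to the one store that has a documented fallback. The SecretKeySelector struct continues past the hunk (Namespace and any further fields).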


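--- a/[PATH NOT SHOWN ON PAGE]
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -108,8 +108,6 @@ spec:
 cluster-scoped defaults to the namespace of
 the referent.
 type: string
-required:
-- name
 type: object
 secretAccessKeySecretRef:
 description: The SecretAccessKey is used for authentication
@@ -130,8 +128,6 @@ spec:
 cluster-scoped defaults to the namespace of
 the referent.
 type: string
-required:
-- name
 type: object
 type: object
 type: object
@@ -179,8 +175,6 @@ spec:
 to. Ignored if referent is not cluster-scoped. cluster-scoped
 defaults to the namespace of the referent.
 type: string
-required:
-- name
 type: object
 clientSecret:
 description: The Azure ClientSecret of the service principle
@@ -200,8 +194,6 @@ spec:
 to. Ignored if referent is not cluster-scoped. cluster-scoped
 defaults to the namespace of the referent.
 type: string
-required:
-- name
 type: object
 required:
 - clientId
@@ -249,8 +241,6 @@ spec:
 cluster-scoped defaults to the namespace of
 the referent.
 type: string
-required:
-- name
 type: object
 type: object
 required:
@@ -259,8 +249,6 @@ spec:
 projectID:
 description: ProjectID project where secret is located
 type: string
-required:
-- auth
 type: object
 ibm:
 description: IBM configures this store to sync secrets using IBM
@@ -291,8 +279,6 @@ spec:
 cluster-scoped defaults to the namespace of
 the referent.
 type: string
-required:
-- name
 type: object
 type: object
 required:
@@ -351,8 +337,6 @@ spec:
 cluster-scoped defaults to the namespace of
 the referent.
 type: string
-required:
-- name
 type: object
 required:
 - path
@@ -384,8 +368,6 @@ spec:
 cluster-scoped defaults to the namespace of
 the referent.
 type: string
-required:
-- name
 type: object
 secretRef:
 description: SecretRef to a key in a Secret resource
@@ -408,8 +390,6 @@ spec:
 cluster-scoped defaults to the namespace of
 the referent.
 type: string
-required:
-- name
 type: object
 type: object
 jwt:
@@ -441,8 +421,6 @@ spec:
 cluster-scoped defaults to the namespace of
 the referent.
 type: string
-required:
-- name
 type: object
 type: object
 kubernetes:
@@ -483,8 +461,6 @@ spec:
 cluster-scoped defaults to the namespace of
 the referent.
 type: string
-required:
-- name
 type: object
 serviceAccountRef:
 description: Optional service account field containing
@@ -537,8 +513,6 @@ spec:
 cluster-scoped defaults to the namespace of
 the referent.
 type: string
-required:
-- name
 type: object
 username:
 description: Username is a LDAP user name used to
@@ -566,8 +540,6 @@ spec:
 to. Ignored if referent is not cluster-scoped. cluster-scoped
 defaults to the namespace of the referent.
 type: string
-required:
-- name
 type: object
 type: object
 caBundle: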


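--- a/[PATH NOT SHOWN ON PAGE]
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -108,8 +108,6 @@ spec:
 cluster-scoped defaults to the namespace of
 the referent.
 type: string
-required:
-- name
 type: object
 secretAccessKeySecretRef:
 description: The SecretAccessKey is used for authentication
@@ -130,8 +128,6 @@ spec:
 cluster-scoped defaults to the namespace of
 the referent.
 type: string
-required:
-- name
 type: object
 type: object
 type: object
@@ -179,8 +175,6 @@ spec:
 to. Ignored if referent is not cluster-scoped. cluster-scoped
 defaults to the namespace of the referent.
 type: string
-required:
-- name
 type: object
 clientSecret:
 description: The Azure ClientSecret of the service principle
@@ -200,8 +194,6 @@ spec:
 to. Ignored if referent is not cluster-scoped. cluster-scoped
 defaults to the namespace of the referent.
 type: string
-required:
-- name
 type: object
 required:
 - clientId
@@ -249,8 +241,6 @@ spec:
 cluster-scoped defaults to the namespace of
 the referent.
 type: string
-required:
-- name
 type: object
 type: object
 required:
@@ -259,8 +249,6 @@ spec:
 projectID:
 description: ProjectID project where secret is located
 type: string
-required:
-- auth
 type: object
 ibm:
 description: IBM configures this store to sync secrets using IBM
@@ -291,8 +279,6 @@ spec:
 cluster-scoped defaults to the namespace of
 the referent.
 type: string
-required:
-- name
 type: object
 type: object
 required:
@@ -351,8 +337,6 @@ spec:
 cluster-scoped defaults to the namespace of
 the referent.
 type: string
-required:
-- name
 type: object
 required:
 - path
@@ -384,8 +368,6 @@ spec:
 cluster-scoped defaults to the namespace of
 the referent.
 type: string
-required:
-- name
 type: object
 secretRef:
 description: SecretRef to a key in a Secret resource
@@ -408,8 +390,6 @@ spec:
 cluster-scoped defaults to the namespace of
 the referent.
 type: string
-required:
-- name
 type: object
 type: object
 jwt:
@@ -441,8 +421,6 @@ spec:
 cluster-scoped defaults to the namespace of
 the referent.
 type: string
-required:
-- name
 type: object
 type: object
 kubernetes:
@@ -483,8 +461,6 @@ spec:
 cluster-scoped defaults to the namespace of
 the referent.
 type: string
-required:
-- name
 type: object
 serviceAccountRef:
 description: Optional service account field containing
@@ -537,8 +513,6 @@ spec:
 cluster-scoped defaults to the namespace of
 the referent.
 type: string
-required:
-- name
 type: object
 username:
 description: Username is a LDAP user name used to
@@ -566,8 +540,6 @@ spec:
 to. Ignored if referent is not cluster-scoped. cluster-scoped
 defaults to the namespace of the referent.
 type: string
-required:
-- name
 type: object
 type: object
 caBundle: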


@ -39,12 +39,12 @@ const (
defaultVersion = "latest" defaultVersion = "latest"
errGCPSMStore = "received invalid GCPSM SecretStore resource" errGCPSMStore = "received invalid GCPSM SecretStore resource"
errGCPSMCredSecretName = "invalid GCPSM SecretStore resource: missing GCP Secret Access Key"
errClientClose = "unable to close SecretManager client: %w" errClientClose = "unable to close SecretManager client: %w"
errInvalidClusterStoreMissingSAKNamespace = "invalid ClusterSecretStore: missing GCP SecretAccessKey Namespace" errInvalidClusterStoreMissingSAKNamespace = "invalid ClusterSecretStore: missing GCP SecretAccessKey Namespace"
errFetchSAKSecret = "could not fetch SecretAccessKey secret: %w" errFetchSAKSecret = "could not fetch SecretAccessKey secret: %w"
errMissingSAK = "missing SecretAccessKey" errMissingSAK = "missing SecretAccessKey"
errUnableProcessJSONCredentials = "failed to process the provided JSON credentials: %w" errUnableProcessJSONCredentials = "failed to process the provided JSON credentials: %w"
errUnableProcessDefaultCredentials = "failed to process the default credentials: %w"
errUnableCreateGCPSMClient = "failed to create GCP secretmanager client: %w" errUnableCreateGCPSMClient = "failed to create GCP secretmanager client: %w"
errUninitalizedGCPProvider = "provider GCP is not initialized" errUninitalizedGCPProvider = "provider GCP is not initialized"
errClientGetSecretAccess = "unable to access Secret from SecretManager Client: %w" errClientGetSecretAccess = "unable to access Secret from SecretManager Client: %w"
@ -73,9 +73,6 @@ type gClient struct {
func (c *gClient) setAuth(ctx context.Context) error { func (c *gClient) setAuth(ctx context.Context) error {
credentialsSecret := &corev1.Secret{} credentialsSecret := &corev1.Secret{}
credentialsSecretName := c.store.Auth.SecretRef.SecretAccessKey.Name credentialsSecretName := c.store.Auth.SecretRef.SecretAccessKey.Name
if credentialsSecretName == "" {
return fmt.Errorf(errGCPSMCredSecretName)
}
objectKey := types.NamespacedName{ objectKey := types.NamespacedName{
Name: credentialsSecretName, Name: credentialsSecretName,
Namespace: c.namespace, Namespace: c.namespace,
@ -88,7 +85,10 @@ func (c *gClient) setAuth(ctx context.Context) error {
} }
objectKey.Namespace = *c.store.Auth.SecretRef.SecretAccessKey.Namespace objectKey.Namespace = *c.store.Auth.SecretRef.SecretAccessKey.Namespace
} }
if credentialsSecretName == "" {
c.credentials = nil
return nil
}
err := c.kube.Get(ctx, objectKey, credentialsSecret) err := c.kube.Get(ctx, objectKey, credentialsSecret)
if err != nil { if err != nil {
return fmt.Errorf(errFetchSAKSecret, err) return fmt.Errorf(errFetchSAKSecret, err)
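Review bot: The new `credentialsSecretName == ""` early return at the end of the second setAuth hunk sits after the block that dereferences `*c.store.Auth.SecretRef.SecretAccessKey.Namespace`; if the lines hidden between the two hunks are the ClusterSecretStore check that returns errInvalidClusterStoreMissingSAKNamespace (the constant is still declared at the top of this file), a ClusterSecretStore that omits auth entirely — the case this PR enables — fails there before the new return is reached. Moving the check to where the removed one stood, directly after `credentialsSecretName := c.store.Auth.SecretRef.SecretAccessKey.Name`, avoids that. The `c.credentials = nil` assignment also deserves a comment, because it is what later makes NewClient take the `google.DefaultTokenSource` path, i.e. the controller's own ambient GCP identity rather than a credential scoped to the store; suggest `// No credential secret referenced: NewClient falls back to the controller's ambient GCP credentials.` The rest of setAuth, and the NewClient hunk it feeds, continue outside this hunk.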
@ -122,12 +122,23 @@ func (sm *ProviderGCP) NewClient(ctx context.Context, store esv1alpha1.GenericSt
sm.projectID = cliStore.store.ProjectID sm.projectID = cliStore.store.ProjectID
config, err := google.JWTConfigFromJSON(cliStore.credentials, CloudPlatformRole) if cliStore.credentials != nil {
if err != nil { config, err := google.JWTConfigFromJSON(cliStore.credentials, CloudPlatformRole)
return nil, fmt.Errorf(errUnableProcessJSONCredentials, err) if err != nil {
return nil, fmt.Errorf(errUnableProcessJSONCredentials, err)
}
ts := config.TokenSource(ctx)
clientGCPSM, err := secretmanager.NewClient(ctx, option.WithTokenSource(ts))
if err != nil {
return nil, fmt.Errorf(errUnableCreateGCPSMClient, err)
}
sm.SecretManagerClient = clientGCPSM
return sm, nil
}
ts, err := google.DefaultTokenSource(ctx, CloudPlatformRole)
if err != nil {
return nil, fmt.Errorf(errUnableProcessDefaultCredentials, err)
} }
ts := config.TokenSource(ctx)
clientGCPSM, err := secretmanager.NewClient(ctx, option.WithTokenSource(ts)) clientGCPSM, err := secretmanager.NewClient(ctx, option.WithTokenSource(ts))
if err != nil { if err != nil {
return nil, fmt.Errorf(errUnableCreateGCPSMClient, err) return nil, fmt.Errorf(errUnableCreateGCPSMClient, err)