From ab1e95a4586514a078a1160832b7882e482c2af0 Mon Sep 17 00:00:00 2001
From: barucoh <20933964+barucoh@users.noreply.github.com>
Date: Thu, 11 Jan 2024 00:11:03 +0200
Subject: [PATCH] Akeyless Provider - Add support for Certificate items Signed-off-by: barucoh <20933964+barucoh@users.noreply.github.com> (#3013)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: “barucoh” <“ohadbaruch1@gmail.com”>
---
 pkg/provider/akeyless/akeyless.go | 6 +++++
 pkg/provider/akeyless/akeyless_api.go | 39 +++++++++++++++++++++++++--
 2 files changed, 43 insertions(+), 2 deletions(-)

diff --git a/pkg/provider/akeyless/akeyless.go b/pkg/provider/akeyless/akeyless.go
index 1d76a8960..589c8f2d3 100644
--- a/pkg/provider/akeyless/akeyless.go
+++ b/pkg/provider/akeyless/akeyless.go
@@ -69,6 +69,12 @@ type Akeyless struct {
 	url string
 }
 
+type Item struct {
+	ItemName string `json:"item_name"`
+	ItemType string `json:"item_type"`
+	LastVersion int32 `json:"last_version"`
+}
+
 type akeylessVaultInterface interface {
 	GetSecretByType(ctx context.Context, secretName, token string, version int32) (string, error)
 	TokenFromSecretRef(ctx context.Context) (string, error)
diff --git a/pkg/provider/akeyless/akeyless_api.go b/pkg/provider/akeyless/akeyless_api.go
index ec0627d78..66d610715 100644
--- a/pkg/provider/akeyless/akeyless_api.go
+++ b/pkg/provider/akeyless/akeyless_api.go
@@ -93,6 +93,8 @@ func (a *akeylessBase) GetSecretByType(ctx context.Context, secretName, token st
 		return a.GetDynamicSecrets(ctx, secretName, token)
 	case "ROTATED_SECRET":
 		return a.GetRotatedSecrets(ctx, secretName, token, version)
+	case "CERTIFICATE":
+		return a.GetCertificate(ctx, secretName, token, version)
 	default:
 		return "", fmt.Errorf("invalid item type: %v", secretType)
 	}
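Review bot: The new exported type `Item` in akeyless.go has no doc comment, and within this patch its only use is as a throwaway `json.Unmarshal` target in DescribeItem, so a reader cannot tell what it models or why it exists beside the SDK's own item types. Add a comment such as `// Item holds the item_name, item_type and last_version fields of an Akeyless item description.` so the shape of the JSON it expects is stated next to the tags. If the type is only needed to probe whether an error body is an item description, a note saying so (or an unexported name) would make that intent explicit.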
@@ -110,15 +112,48 @@ func (a *akeylessBase) DescribeItem(ctx context.Context, itemName, token string)
 	gsvOut, res, err := a.RestAPI.DescribeItem(ctx).Body(body).Execute()
 	if err != nil {
 		if errors.As(err, &apiErr) {
-			return nil, fmt.Errorf("can't describe item: %v", string(apiErr.Body()))
+			var item *Item
+			err = json.Unmarshal(apiErr.Body(), &item)
+			if err != nil {
+				return nil, fmt.Errorf("can't describe item: %v, error: %v", itemName, string(apiErr.Body()))
+			}
+		} else {
+			return nil, fmt.Errorf("can't describe item: %w", err)
 		}
-		return nil, fmt.Errorf("can't describe item: %w", err)
 	}
 	defer res.Body.Close()
 
 	return &gsvOut, nil
 }
 
+func (a *akeylessBase) GetCertificate(ctx context.Context, certificateName, token string, version int32) (string, error) {
+	body := akeyless.GetCertificateValue{
+		Name: certificateName,
+		Version: &version,
+	}
+	if strings.HasPrefix(token, "u-") {
+		body.UidToken = &token
+	} else {
+		body.Token = &token
+	}
+
+	gcvOut, res, err := a.RestAPI.GetCertificateValue(ctx).Body(body).Execute()
+	if err != nil {
+		if errors.As(err, &apiErr) {
+			return "", fmt.Errorf("can't get certificate value: %v", string(apiErr.Body()))
+		}
+		return "", fmt.Errorf("can't get certificate value: %w", err)
+	}
+	defer res.Body.Close()
+
+	out, err := json.Marshal(gcvOut)
+	if err != nil {
+		return "", fmt.Errorf("can't marshal certificate value: %w", err)
+	}
+
+	return string(out), nil
+}
+
 func (a *akeylessBase) GetRotatedSecrets(ctx context.Context, secretName, token string, version int32) (string, error) {
 	body := akeyless.GetRotatedSecretValue{
 		Names: secretName,
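Review bot: In DescribeItem, when `errors.As(err, &apiErr)` matches and `json.Unmarshal(apiErr.Body(), &item)` succeeds, `err` is overwritten with nil and control falls out of the error block to `defer res.Body.Close()` and `return &gsvOut, nil`, so an API error whose body is valid JSON is reported as success with a zero-value description, and the decoded `item` is never used. The caller then sees an empty item type instead of the real failure (for example a permission or not-found response from the service), which hides access problems behind a misleading "invalid item type" further up; if `res` can be nil on that error path the deferred `Close` would also panic, which I cannot confirm from the hunk since Execute's contract is not shown. Unless the decoded `item` is meant to be returned, the branch should end with an explicit return whatever the Unmarshal outcome, e.g. `return nil, fmt.Errorf("can't describe item %q: %s", itemName, string(apiErr.Body()))`, restoring the behaviour of the removed line. DescribeItem's signature and the start of its body lie before the hunk.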