// Copyright 2022 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package k8s import ( "context" "encoding/json" "fmt" corekccv1alpha1 "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/apis/core/v1alpha1" v1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/types" "sigs.k8s.io/controller-runtime/pkg/client" ) func GetSecretVal(secretKeyRef *corekccv1alpha1.SecretKeyReference, secretNamespace string, kubeClient client.Client) (secretVal string, secretVersion string, err error) { nn := types.NamespacedName{ Name: secretKeyRef.Name, Namespace: secretNamespace, } secret := v1.Secret{} if err := kubeClient.Get(context.TODO(), nn, &secret); err != nil { if errors.IsNotFound(err) { return "", "", NewSecretNotFoundError(nn) } return "", "", fmt.Errorf("error getting Secret %v: %v", nn, err) } secretValBytes, ok := secret.Data[secretKeyRef.Key] if !ok { return "", "", NewKeyInSecretNotFoundError(secretKeyRef.Key, nn) } return string(secretValBytes), secret.GetResourceVersion(), nil } func GetSecretVersionsFromAnnotations(resource *Resource) (map[string]string, error) { annotationVal, ok := GetAnnotation(ObservedSecretVersionsAnnotation, resource) if !ok { return nil, nil } secretVersions := make(map[string]string) if err := json.Unmarshal([]byte(annotationVal), &secretVersions); err != nil { return nil, fmt.Errorf("error unmarshalling value of %v: %v", ObservedSecretVersionsAnnotation, err) } return secretVersions, nil } func UpdateOrRemoveObservedSecretVersionsAnnotation(resource *Resource, secretVersions map[string]string, hasSensitiveFields bool) error { // The annotation should only be set for resources with sensitive fields. if !hasSensitiveFields { RemoveAnnotation(ObservedSecretVersionsAnnotation, resource) return nil } b, err := json.Marshal(secretVersions) if err != nil { return err } SetAnnotation(ObservedSecretVersionsAnnotation, string(b), resource) return nil }