Configuring secret in vault with secretkey #81

Merged
merged 13 commits into from
Jun 4, 2024
265 changes: 255 additions & 10 deletions internal/api/vault_secret_api.go
Expand Up @@ -3,6 +3,10 @@
import (
"context"
"fmt"
"log"
"sort"

//"log"

"github.com/intelops/vault-cred/internal/client"
"github.com/intelops/vault-cred/proto/pb/vaultcredpb"
Expand All @@ -14,16 +18,259 @@
vaultAddress = "http://vault.%s"
)

// func (v *VaultCredServ) ConfigureVaultSecret(ctx context.Context, request *vaultcredpb.ConfigureVaultSecretRequest) (*vaultcredpb.ConfigureVaultSecretResponse, error) {
// v.log.Infof("Configure Vault Secret Request recieved for secret ", request.SecretName)

// secretPathsData := map[string]string{}
// secretPaths := []string{}
// for _, secretPathData := range request.SecretPathData {
// secretPathsData[secretPathData.SecretKey] = secretPathData.SecretPath
// secretPaths = append(secretPaths, secretPathData.SecretPath)
// }

// appRoleName := kadAppRolePrefix + request.SecretName
// token, err := v.createAppRoleToken(context.Background(), appRoleName, secretPaths)
// if err != nil {
// return &vaultcredpb.ConfigureVaultSecretResponse{Status: vaultcredpb.StatusCode_INTERNRAL_ERROR}, err
// }

// k8sclient, err := client.NewK8SClient(v.log)
// if err != nil {
// v.log.Errorf("failed to initalize k8s client, %v", err)
// return &vaultcredpb.ConfigureVaultSecretResponse{Status: vaultcredpb.StatusCode_INTERNRAL_ERROR}, err
// }

// cred := map[string][]byte{"token": []byte(token)}
// vaultTokenSecretName := "vault-token-" + request.SecretName
// err = k8sclient.CreateOrUpdateSecret(ctx, request.Namespace, vaultTokenSecretName, v1.SecretTypeOpaque, cred, nil)
// if err != nil {
// v.log.Errorf("failed to create cluter vault token secret, %v", err)
// return &vaultcredpb.ConfigureVaultSecretResponse{Status: vaultcredpb.StatusCode_INTERNRAL_ERROR}, err
// }

// vaultAddressStr := fmt.Sprintf(vaultAddress, request.DomainName)
// secretStoreName := "ext-store-" + request.SecretName
// err = k8sclient.CreateOrUpdateSecretStore(ctx, secretStoreName, request.Namespace, vaultAddressStr, vaultTokenSecretName, "token")
// if err != nil {
// v.log.Errorf("failed to create cluter vault token secret, %v", err)
// return &vaultcredpb.ConfigureVaultSecretResponse{Status: vaultcredpb.StatusCode_INTERNRAL_ERROR}, err
// }
// v.log.Infof("created secret store %s/%s", request.Namespace, secretStoreName)

// externalSecretName := "ext-secret-" + request.SecretName
// err = k8sclient.CreateOrUpdateExternalSecret(ctx, externalSecretName, request.Namespace, secretStoreName,
// request.SecretName, "", secretPathsData)
// if err != nil {
// v.log.Errorf("failed to create vault external secret, %v", err)
// return &vaultcredpb.ConfigureVaultSecretResponse{Status: vaultcredpb.StatusCode_INTERNRAL_ERROR}, err
// }
// v.log.Infof("created external secret %s/%s", request.Namespace, externalSecretName)
// return &vaultcredpb.ConfigureVaultSecretResponse{Status: vaultcredpb.StatusCode_OK}, nil
// }

// func (v *VaultCredServ) ConfigureVaultSecret(ctx context.Context, request *vaultcredpb.ConfigureVaultSecretRequest) (*vaultcredpb.ConfigureVaultSecretResponse, error) {
// v.log.Infof("Configure Vault Secret Request received for secret %s", request.SecretName)

// secretPathsData := map[string]string{}
// secretPaths := []string{}
// properties := map[string]string{}
// for _, secretPathData := range request.SecretPathData {
// secretPathsData[secretPathData.SecretKey] = secretPathData.SecretPath
// secretPaths = append(secretPaths, secretPathData.SecretPath)
// properties[secretPathData.SecretKey] = secretPathData.Property
// }
// log.Println("Prop", properties)
// log.Println("secretpath data in configuring vault secret", secretPathsData)
// appRoleName := kadAppRolePrefix + request.SecretName
// token, err := v.createAppRoleToken(context.Background(), appRoleName, secretPaths)
// if err != nil {
// return &vaultcredpb.ConfigureVaultSecretResponse{Status: vaultcredpb.StatusCode_INTERNRAL_ERROR}, err

// }

// k8sclient, err := client.NewK8SClient(v.log)
// if err != nil {
// v.log.Errorf("failed to initialize k8s client, %v", err)
// return &vaultcredpb.ConfigureVaultSecretResponse{Status: vaultcredpb.StatusCode_INTERNRAL_ERROR}, err

// }

// cred := map[string][]byte{"token": []byte(token)}
// vaultTokenSecretName := "vault-token-" + request.SecretName
// err = k8sclient.CreateOrUpdateSecret(ctx, request.Namespace, vaultTokenSecretName, v1.SecretTypeOpaque, cred, nil)
// if err != nil {
// v.log.Errorf("failed to create cluster vault token secret, %v", err)
// return &vaultcredpb.ConfigureVaultSecretResponse{Status: vaultcredpb.StatusCode_INTERNRAL_ERROR}, err

// }

// vaultAddressStr := fmt.Sprintf(vaultAddress, request.DomainName)
// secretStoreName := "ext-store-" + request.SecretName
// err = k8sclient.CreateOrUpdateSecretStore(ctx, secretStoreName, request.Namespace, vaultAddressStr, vaultTokenSecretName, "token")
// if err != nil {
// v.log.Errorf("failed to create cluster vault token secret, %v", err)
// return &vaultcredpb.ConfigureVaultSecretResponse{Status: vaultcredpb.StatusCode_INTERNRAL_ERROR}, err

// }
// v.log.Infof("created secret store %s/%s", request.Namespace, secretStoreName)

// externalSecretName := "ext-secret-" + request.SecretName
// err = k8sclient.CreateOrUpdateExternalSecret(ctx, externalSecretName, request.Namespace, secretStoreName,
// request.SecretName, "", secretPathsData, properties)
// if err != nil {
// v.log.Errorf("failed to create vault external secret, %v", err)
// return &vaultcredpb.ConfigureVaultSecretResponse{Status: vaultcredpb.StatusCode_INTERNRAL_ERROR}, err

// }
// v.log.Infof("created external secret %s/%s", request.Namespace, externalSecretName)
// return &vaultcredpb.ConfigureVaultSecretResponse{Status: vaultcredpb.StatusCode_OK}, nil
// }

// func (v *VaultCredServ) ConfigureVaultSecret(ctx context.Context, request *vaultcredpb.ConfigureVaultSecretRequest) (*vaultcredpb.ConfigureVaultSecretResponse, error) {
// v.log.Infof("Configure Vault Secret Request received for secret %s", request.SecretName)

// secretPathsData := make(map[string][]string)
// propertiesData := make(map[string][]string)
// secretPaths := []string{}

// log.Println("Request path data", request.SecretPathData)

// for _, secretPathData := range request.SecretPathData {
// secretPathsData[secretPathData.SecretKey] = append(secretPathsData[secretPathData.SecretKey], secretPathData.SecretPath)
// secretPaths = append(secretPaths, secretPathData.SecretPath)
// if secretPathData.Property != "" {
// propertiesData[secretPathData.SecretKey] = append(propertiesData[secretPathData.SecretKey], secretPathData.Property)
// } else {
// propertiesData[secretPathData.SecretKey] = append(propertiesData[secretPathData.SecretKey], secretPathData.SecretKey) // default to secretKey if property is not provided
// }
// }

// log.Println("Secret Paths data while configuring", secretPathsData)
// log.Println("Properties while configuring", propertiesData)

// appRoleName := kadAppRolePrefix + request.SecretName
// token, err := v.createAppRoleToken(context.Background(), appRoleName, secretPaths)
// if err != nil {
// return &vaultcredpb.ConfigureVaultSecretResponse{Status: vaultcredpb.StatusCode_INTERNRAL_ERROR}, err
// }

// k8sclient, err := client.NewK8SClient(v.log)
// if err != nil {
// v.log.Errorf("failed to initialize k8s client, %v", err)
// return &vaultcredpb.ConfigureVaultSecretResponse{Status: vaultcredpb.StatusCode_INTERNRAL_ERROR}, err
// }

// cred := map[string][]byte{"token": []byte(token)}
// vaultTokenSecretName := "vault-token-" + request.SecretName
// err = k8sclient.CreateOrUpdateSecret(ctx, request.Namespace, vaultTokenSecretName, v1.SecretTypeOpaque, cred, nil)
// if err != nil {
// v.log.Errorf("failed to create cluster vault token secret, %v", err)
// return &vaultcredpb.ConfigureVaultSecretResponse{Status: vaultcredpb.StatusCode_INTERNRAL_ERROR}, err
// }

// vaultAddressStr := fmt.Sprintf(vaultAddress, request.DomainName)
// secretStoreName := "ext-store-" + request.SecretName
// err = k8sclient.CreateOrUpdateSecretStore(ctx, secretStoreName, request.Namespace, vaultAddressStr, vaultTokenSecretName, "token")
// if err != nil {
// v.log.Errorf("failed to create cluster vault secret store, %v", err)
// return &vaultcredpb.ConfigureVaultSecretResponse{Status: vaultcredpb.StatusCode_INTERNRAL_ERROR}, err
// }
// v.log.Infof("created secret store %s/%s", request.Namespace, secretStoreName)

// externalSecretName := "ext-secret-" + request.SecretName
// err = k8sclient.CreateOrUpdateExternalSecret(ctx, externalSecretName, request.Namespace, secretStoreName, request.SecretName, "", secretPathsData, propertiesData)
// if err != nil {
// v.log.Errorf("failed to create vault external secret, %v", err)
// return &vaultcredpb.ConfigureVaultSecretResponse{Status: vaultcredpb.StatusCode_INTERNRAL_ERROR}, err
// }
// v.log.Infof("created external secret %s/%s", request.Namespace, externalSecretName)
// return &vaultcredpb.ConfigureVaultSecretResponse{Status: vaultcredpb.StatusCode_OK}, nil
// }

// func (v *VaultCredServ) ConfigureVaultSecret(ctx context.Context, request *vaultcredpb.ConfigureVaultSecretRequest) (*vaultcredpb.ConfigureVaultSecretResponse, error) {
// v.log.Infof("Configure Vault Secret Request received for secret %s", request.SecretName)

// secretPathsData := map[string][]string{}
// propertiesData := map[string][]string{}
// secretPaths := []string{}

// for _, secretPathData := range request.SecretPathData {
// secretPathsData[secretPathData.SecretKey] = append(secretPathsData[secretPathData.SecretKey], secretPathData.SecretPath)
// secretPaths = append(secretPaths, secretPathData.SecretPath)
// if secretPathData.Property != "" {
// propertiesData[secretPathData.SecretKey] = append(propertiesData[secretPathData.SecretKey], secretPathData.Property)
// } else {
// propertiesData[secretPathData.SecretKey] = append(propertiesData[secretPathData.SecretKey], secretPathData.SecretKey)
// }
// }

// appRoleName := kadAppRolePrefix + request.SecretName
// token, err := v.createAppRoleToken(context.Background(), appRoleName, secretPaths)
// if err != nil {
// return &vaultcredpb.ConfigureVaultSecretResponse{Status: vaultcredpb.StatusCode_INTERNRAL_ERROR}, err
// }

// k8sclient, err := client.NewK8SClient(v.log)
// if err != nil {
// v.log.Errorf("failed to initialize k8s client, %v", err)
// return &vaultcredpb.ConfigureVaultSecretResponse{Status: vaultcredpb.StatusCode_INTERNRAL_ERROR}, err
// }

// cred := map[string][]byte{"token": []byte(token)}
// vaultTokenSecretName := "vault-token-" + request.SecretName
// err = k8sclient.CreateOrUpdateSecret(ctx, request.Namespace, vaultTokenSecretName, v1.SecretTypeOpaque, cred, nil)
// if err != nil {
// v.log.Errorf("failed to create cluster vault token secret, %v", err)
// return &vaultcredpb.ConfigureVaultSecretResponse{Status: vaultcredpb.StatusCode_INTERNRAL_ERROR}, err
// }

// vaultAddressStr := fmt.Sprintf(vaultAddress, request.DomainName)
// secretStoreName := "ext-store-" + request.SecretName
// err = k8sclient.CreateOrUpdateSecretStore(ctx, secretStoreName, request.Namespace, vaultAddressStr, vaultTokenSecretName, "token")
// if err != nil {
// v.log.Errorf("failed to create secret store, %v", err)
// return &vaultcredpb.ConfigureVaultSecretResponse{Status: vaultcredpb.StatusCode_INTERNRAL_ERROR}, err
// }

// externalSecretName := "ext-secret-" + request.SecretName
// log.Println("Secret Paths Data", secretPathsData)
// log.Println("Properties data", propertiesData)
// err = k8sclient.CreateOrUpdateExternalSecret(ctx, externalSecretName, request.Namespace, secretStoreName, request.SecretName, "", secretPathsData, propertiesData)
// if err != nil {
// v.log.Errorf("failed to create vault external secret, %v", err)
// return &vaultcredpb.ConfigureVaultSecretResponse{Status: vaultcredpb.StatusCode_INTERNRAL_ERROR}, err
// }

// return &vaultcredpb.ConfigureVaultSecretResponse{Status: vaultcredpb.StatusCode_OK}, nil
// }
func (v *VaultCredServ) ConfigureVaultSecret(ctx context.Context, request *vaultcredpb.ConfigureVaultSecretRequest) (*vaultcredpb.ConfigureVaultSecretResponse, error) {
v.log.Infof("Configure Vault Secret Request recieved for secret ", request.SecretName)
v.log.Infof("Configure Vault Secret Request received for secret %s", request.SecretName)

secretPathsData := map[string]string{}
secretPathsData := map[string][]string{}
propertiesData := map[string][]string{}
secretPaths := []string{}

// Populate the secretPathsData and propertiesData maps
for _, secretPathData := range request.SecretPathData {
secretPathsData[secretPathData.SecretKey] = secretPathData.SecretPath
secretPathsData[secretPathData.SecretKey] = append(secretPathsData[secretPathData.SecretKey], secretPathData.SecretPath)
secretPaths = append(secretPaths, secretPathData.SecretPath)
if secretPathData.Property != "" {
propertiesData[secretPathData.SecretKey] = append(propertiesData[secretPathData.SecretKey], secretPathData.Property)
} else {
propertiesData[secretPathData.SecretKey] = append(propertiesData[secretPathData.SecretKey], secretPathData.SecretKey)
}
}

// Sort the paths and properties to ensure consistent ordering
for key := range secretPathsData {
sort.Strings(secretPathsData[key])
sort.Strings(propertiesData[key])
}

// Log the sorted maps for debugging purposes
log.Println("Sorted Secret Paths Data", secretPathsData)
log.Println("Sorted Properties Data", propertiesData)

appRoleName := kadAppRolePrefix + request.SecretName
token, err := v.createAppRoleToken(context.Background(), appRoleName, secretPaths)
if err != nil {
Expand All @@ -32,34 +279,32 @@

k8sclient, err := client.NewK8SClient(v.log)
if err != nil {
v.log.Errorf("failed to initalize k8s client, %v", err)
v.log.Errorf("failed to initialize k8s client, %v", err)
return &vaultcredpb.ConfigureVaultSecretResponse{Status: vaultcredpb.StatusCode_INTERNRAL_ERROR}, err
}

cred := map[string][]byte{"token": []byte(token)}
vaultTokenSecretName := "vault-token-" + request.SecretName
err = k8sclient.CreateOrUpdateSecret(ctx, request.Namespace, vaultTokenSecretName, v1.SecretTypeOpaque, cred, nil)
if err != nil {
v.log.Errorf("failed to create cluter vault token secret, %v", err)
v.log.Errorf("failed to create cluster vault token secret, %v", err)
return &vaultcredpb.ConfigureVaultSecretResponse{Status: vaultcredpb.StatusCode_INTERNRAL_ERROR}, err
}

vaultAddressStr := fmt.Sprintf(vaultAddress, request.DomainName)
secretStoreName := "ext-store-" + request.SecretName
err = k8sclient.CreateOrUpdateSecretStore(ctx, secretStoreName, request.Namespace, vaultAddressStr, vaultTokenSecretName, "token")
if err != nil {
v.log.Errorf("failed to create cluter vault token secret, %v", err)
v.log.Errorf("failed to create secret store, %v", err)
return &vaultcredpb.ConfigureVaultSecretResponse{Status: vaultcredpb.StatusCode_INTERNRAL_ERROR}, err
}
v.log.Infof("created secret store %s/%s", request.Namespace, secretStoreName)

externalSecretName := "ext-secret-" + request.SecretName
err = k8sclient.CreateOrUpdateExternalSecret(ctx, externalSecretName, request.Namespace, secretStoreName,
request.SecretName, "", secretPathsData)
err = k8sclient.CreateOrUpdateExternalSecret(ctx, externalSecretName, request.Namespace, secretStoreName, request.SecretName, "", secretPathsData, propertiesData)
if err != nil {
v.log.Errorf("failed to create vault external secret, %v", err)
return &vaultcredpb.ConfigureVaultSecretResponse{Status: vaultcredpb.StatusCode_INTERNRAL_ERROR}, err
}
v.log.Infof("created external secret %s/%s", request.Namespace, externalSecretName)

return &vaultcredpb.ConfigureVaultSecretResponse{Status: vaultcredpb.StatusCode_OK}, nil
}
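Review bot: The per-key `sort.Strings(secretPathsData[key])` and `sort.Strings(propertiesData[key])` in the "consistent ordering" loop sort the two slices independently, so a key with more than one entry loses the path→property pairing the preceding loop built in lockstep (paths [b, a] / properties [x, y] become [a, b] / [x, y], which maps a to x). If CreateOrUpdateExternalSecret pairs the two slices by index — its definition is outside this page — that silently wires an external secret property to the wrong Vault path; the fix is to order the request entries once and let the appends preserve the pairing, as below, and drop the second loop. The `log.Println("Sorted Secret Paths Data", …)` / `log.Println("Sorted Properties Data", …)` calls bypass the structured `v.log` logger and print secret paths and property names to stdout on every call; they look like debugging leftovers and should be removed or moved to `v.log.Debugf`. The roughly 225 lines of earlier commented-out copies of this same function above the live definition (and the `//"log"` import) should also be deleted, since git history already preserves them.
```go
// Order entries by (SecretKey, SecretPath) once, through an index permutation,
// so paths and properties for the same key stay paired and the request is not mutated.
idx := make([]int, len(request.SecretPathData))
for i := range idx {
	idx[i] = i
}
sort.Slice(idx, func(a, b int) bool {
	x, y := request.SecretPathData[idx[a]], request.SecretPathData[idx[b]]
	if x.SecretKey != y.SecretKey {
		return x.SecretKey < y.SecretKey
	}
	return x.SecretPath < y.SecretPath
})
for _, i := range idx {
	secretPathData := request.SecretPathData[i]
	// … unchanged: appends to secretPathsData, secretPaths and propertiesData …
}
// … removed: the per-key sort.Strings loop and the two log.Println debug lines …
```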