Updated the external secret
Shifna12Zarnaz committed May 29, 2024
1 parent 5e9d948 commit 680c11a
Showing 2 changed files with 29 additions and 43 deletions.
66 changes: 26 additions & 40 deletions internal/api/vault_secret_api.go
Expand Up @@ -3,7 +3,8 @@ package api
import (
"context"
"fmt"
"log"

//"log"

"github.com/intelops/vault-cred/internal/client"
"github.com/intelops/vault-cred/proto/pb/vaultcredpb"
Expand Down Expand Up @@ -126,28 +127,26 @@ var (
// func (v *VaultCredServ) ConfigureVaultSecret(ctx context.Context, request *vaultcredpb.ConfigureVaultSecretRequest) (*vaultcredpb.ConfigureVaultSecretResponse, error) {
// v.log.Infof("Configure Vault Secret Request received for secret %s", request.SecretName)

// type SecretData struct {
// Path string
// Property string
// }
// secretDataMap := map[string][]SecretData{}
// secretPathsData := make(map[string][]string)
// propertiesData := make(map[string][]string)
// secretPaths := []string{}

// log.Println("Request path data", request.SecretPathData)

// for _, secretPathData := range request.SecretPathData {
// secretDataMap[secretPathData.SecretKey] = append(secretDataMap[secretPathData.SecretKey], SecretData{
// Path: secretPathData.SecretPath,
// Property: secretPathData.Property,
// })
// secretPathsData[secretPathData.SecretKey] = append(secretPathsData[secretPathData.SecretKey], secretPathData.SecretPath)
// secretPaths = append(secretPaths, secretPathData.SecretPath)
// if secretPathData.Property != "" {
// propertiesData[secretPathData.SecretKey] = append(propertiesData[secretPathData.SecretKey], secretPathData.Property)
// } else {
// propertiesData[secretPathData.SecretKey] = append(propertiesData[secretPathData.SecretKey], secretPathData.SecretKey) // default to secretKey if property is not provided
// }
// }

// log.Println("secretDataMap:", secretDataMap)
// log.Println("Secret Paths data while configuring", secretPathsData)
// log.Println("Properties while configuring", propertiesData)

// appRoleName := kadAppRolePrefix + request.SecretName
// secretPaths := make([]string, 0)
// for _, secretDataArray := range secretDataMap {
// for _, secretData := range secretDataArray {
// secretPaths = append(secretPaths, secretData.Path)
// }
// }
// token, err := v.createAppRoleToken(context.Background(), appRoleName, secretPaths)
// if err != nil {
// return &vaultcredpb.ConfigureVaultSecretResponse{Status: vaultcredpb.StatusCode_INTERNRAL_ERROR}, err
Expand All @@ -171,23 +170,16 @@ var (
// secretStoreName := "ext-store-" + request.SecretName
// err = k8sclient.CreateOrUpdateSecretStore(ctx, secretStoreName, request.Namespace, vaultAddressStr, vaultTokenSecretName, "token")
// if err != nil {
// v.log.Errorf("failed to create cluster vault token secret store, %v", err)
// v.log.Errorf("failed to create cluster vault secret store, %v", err)
// return &vaultcredpb.ConfigureVaultSecretResponse{Status: vaultcredpb.StatusCode_INTERNRAL_ERROR}, err
// }
// v.log.Infof("created secret store %s/%s", request.Namespace, secretStoreName)

// externalSecretName := "ext-secret-" + request.SecretName
// for secretKey, secretDataArray := range secretDataMap {
// secretPathsData := make(map[string]string)
// for _, secretData := range secretDataArray {
// secretPathsData[secretKey] = secretData.Path
// }

// err = k8sclient.CreateOrUpdateExternalSecret(ctx, externalSecretName, request.Namespace, secretStoreName, request.SecretName, "", secretPathsData)
// if err != nil {
// v.log.Errorf("failed to create vault external secret, %v", err)
// return &vaultcredpb.ConfigureVaultSecretResponse{Status: vaultcredpb.StatusCode_INTERNRAL_ERROR}, err
// }
// err = k8sclient.CreateOrUpdateExternalSecret(ctx, externalSecretName, request.Namespace, secretStoreName, request.SecretName, "", secretPathsData, propertiesData)
// if err != nil {
// v.log.Errorf("failed to create vault external secret, %v", err)
// return &vaultcredpb.ConfigureVaultSecretResponse{Status: vaultcredpb.StatusCode_INTERNRAL_ERROR}, err
// }
// v.log.Infof("created external secret %s/%s", request.Namespace, externalSecretName)
// return &vaultcredpb.ConfigureVaultSecretResponse{Status: vaultcredpb.StatusCode_OK}, nil
Expand All @@ -196,25 +188,20 @@ var (
func (v *VaultCredServ) ConfigureVaultSecret(ctx context.Context, request *vaultcredpb.ConfigureVaultSecretRequest) (*vaultcredpb.ConfigureVaultSecretResponse, error) {
v.log.Infof("Configure Vault Secret Request received for secret %s", request.SecretName)

secretPathsData := make(map[string][]string)
propertiesData := make(map[string][]string)
secretPathsData := map[string][]string{}
propertiesData := map[string][]string{}
secretPaths := []string{}

log.Println("Request path data", request.SecretPathData)

for _, secretPathData := range request.SecretPathData {
secretPathsData[secretPathData.SecretKey] = append(secretPathsData[secretPathData.SecretKey], secretPathData.SecretPath)
secretPaths = append(secretPaths, secretPathData.SecretPath)
if secretPathData.Property != "" {
propertiesData[secretPathData.SecretKey] = append(propertiesData[secretPathData.SecretKey], secretPathData.Property)
} else {
propertiesData[secretPathData.SecretKey] = append(propertiesData[secretPathData.SecretKey], secretPathData.SecretKey) // default to secretKey if property is not provided
propertiesData[secretPathData.SecretKey] = append(propertiesData[secretPathData.SecretKey], secretPathData.SecretKey)
}
}

log.Println("Secret Paths data while configuring", secretPathsData)
log.Println("Properties while configuring", propertiesData)

appRoleName := kadAppRolePrefix + request.SecretName
token, err := v.createAppRoleToken(context.Background(), appRoleName, secretPaths)
if err != nil {
Expand All @@ -239,17 +226,16 @@ func (v *VaultCredServ) ConfigureVaultSecret(ctx context.Context, request *vault
secretStoreName := "ext-store-" + request.SecretName
err = k8sclient.CreateOrUpdateSecretStore(ctx, secretStoreName, request.Namespace, vaultAddressStr, vaultTokenSecretName, "token")
if err != nil {
v.log.Errorf("failed to create cluster vault secret store, %v", err)
v.log.Errorf("failed to create secret store, %v", err)
return &vaultcredpb.ConfigureVaultSecretResponse{Status: vaultcredpb.StatusCode_INTERNRAL_ERROR}, err
}
v.log.Infof("created secret store %s/%s", request.Namespace, secretStoreName)

externalSecretName := "ext-secret-" + request.SecretName
err = k8sclient.CreateOrUpdateExternalSecret(ctx, externalSecretName, request.Namespace, secretStoreName, request.SecretName, "", secretPathsData, propertiesData)
if err != nil {
v.log.Errorf("failed to create vault external secret, %v", err)
return &vaultcredpb.ConfigureVaultSecretResponse{Status: vaultcredpb.StatusCode_INTERNRAL_ERROR}, err
}
v.log.Infof("created external secret %s/%s", request.Namespace, externalSecretName)

return &vaultcredpb.ConfigureVaultSecretResponse{Status: vaultcredpb.StatusCode_OK}, nil
}
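Review bot: `v.createAppRoleToken(context.Background(), appRoleName, secretPaths)` in the last hunk of ConfigureVaultSecret discards the request's `ctx`, so a cancelled or timed-out call still goes on to create the AppRole token while the k8sclient calls later in the same function do honour `ctx`; pass the request context instead, `token, err := v.createAppRoleToken(ctx, appRoleName, secretPaths)`. The rewrite of the `else` branch also drops the only explanation of the fallback, which is worth keeping as a line comment above the append, `// no Property given: fall back to the SecretKey itself`. The previous implementation kept as a `//`-commented block above the function, and the `//"log"` import line, are dead text that git history already preserves and should be deleted rather than carried along. The function's body between the fourth and fifth hunks is not shown here.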
6 changes: 3 additions & 3 deletions internal/client/external_secret.go
Expand Up @@ -292,8 +292,8 @@ func (k *K8SClient) CreateOrUpdateExternalSecret(ctx context.Context, externalSe
},
}
secretKeysData = append(secretKeysData, secretKeyData)
log.Println("Secret keys data", secretKeysData)
log.Println("property", property)

// log.Println("property", property)
}
}
externalSecret := ExternalSecret{
Expand All @@ -315,7 +315,7 @@ func (k *K8SClient) CreateOrUpdateExternalSecret(ctx context.Context, externalSe
Data: secretKeysData,
},
}

log.Println("Secret keys data", secretKeysData)

Check failure

Code scanning / CodeQL

Clear-text logging of sensitive information High

Sensitive data returned by an access to secretKeysData
flows to a logging call.
externalSecretData, err := yaml.Marshal(&externalSecret)
if err != nil {
return
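Review bot: The `// log.Println("property", property)` left in the first hunk of CreateOrUpdateExternalSecret should be deleted rather than commented out, and the `log.Println("Secret keys data", secretKeysData)` that the second hunk moves below the loop is the line the code-scanning annotation on this page points at; moving it out of the loop changes how often it fires, not what it emits. If an operational trace is wanted there, log only a size, `log.Printf("external secret: %d data entries", len(secretKeysData))`, so that none of the entry contents reach the log. Whether the appended entries carry secret values or only references to them cannot be told from these hunks, so the safer default is to keep them out of plain-text logs either way. CreateOrUpdateExternalSecret starts before the first hunk and the code between the two hunks is not shown.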
