diff --git a/pkg/provider/aws/common.go b/pkg/provider/aws/common.go index 653fd08..6bf5b89 100644 --- a/pkg/provider/aws/common.go +++ b/pkg/provider/aws/common.go @@ -39,31 +39,31 @@ func getDataFromStore(ctx context.Context, storeClient client, storeType string, func getDataFromSM(ctx context.Context, storeClient client, data map[string]string) (map[string]string, error) { var secretsMap = make(map[string]string, len(data)) for key, value := range data { - if strings.Contains(value, "secretsmanager:") { - secret, err := storeClient.smClient.GetSecretValueWithContext( - ctx, - &secretsmanager.GetSecretValueInput{ - SecretId: aws.String(value), - }) - if err != nil { - return nil, fmt.Errorf("failed to get secret from AWS secrets manager: %w", err) - } - - secretBytes, err := extractSecretValueFromSM(secret) - if err != nil { - return nil, fmt.Errorf("failed to extract secret value from AWS secrets manager: %w", err) - } - - secretValue, err := parseSecretValueFromSM(secretBytes) - if err != nil { - return nil, fmt.Errorf("failed to parse secret value from AWS secrets manager: %w", err) - } - - secretsMap[key] = string(secretValue) + if !strings.Contains(value, "secretsmanager:") { + secretsMap[key] = value continue } - secretsMap[key] = value + secret, err := storeClient.smClient.GetSecretValueWithContext( + ctx, + &secretsmanager.GetSecretValueInput{ + SecretId: aws.String(value), + }) + if err != nil { + return nil, fmt.Errorf("failed to get secret from AWS secrets manager: %w", err) + } + + secretBytes, err := extractSecretValueFromSM(secret) + if err != nil { + return nil, fmt.Errorf("failed to extract secret value from AWS secrets manager: %w", err) + } + + secretValue, err := parseSecretValueFromSM(secretBytes) + if err != nil { + return nil, fmt.Errorf("failed to parse secret value from AWS secrets manager: %w", err) + } + + secretsMap[key] = string(secretValue) } return secretsMap, nil @@ -126,39 +126,43 @@ func parseSecretValueFromSM(secretBytes []byte) ([]byte, error) { func getDataFromSSM(ctx context.Context, storeClient client, data map[string]string) (map[string]string, error) { var secretsMap = make(map[string]string, len(data)) for key, value := range data { - if strings.Contains(value, "ssm:") { - parameteredSecret, err := storeClient.ssmClient.GetParameterWithContext( - ctx, - &ssm.GetParameterInput{ - Name: aws.String(value), - WithDecryption: aws.Bool(true), - }) - if err != nil { - return nil, fmt.Errorf("failed to get secret from AWS SSM: %w", err) - } - - secretsMap[key] = aws.StringValue(parameteredSecret.Parameter.Value) + if !strings.Contains(value, "ssm:") { + secretsMap[key] = value continue } - secretsMap[key] = value + parameteredSecret, err := storeClient.ssmClient.GetParameterWithContext( + ctx, + &ssm.GetParameterInput{ + Name: aws.String(value), + WithDecryption: aws.Bool(true), + }) + if err != nil { + return nil, fmt.Errorf("failed to get secret from AWS SSM: %w", err) + } + + secretsMap[key] = aws.StringValue(parameteredSecret.Parameter.Value) } return secretsMap, nil } func checkOtherStoreForSecrets(ctx context.Context, storeClient client, data map[string]string) (map[string]string, error) { - // we might ARN's that are from the other store type + // we might have ARN's that are from the other store type for k, v := range data { - if valid, storeType := isValidPrefixWithStoreType(v); valid { - secretFromOtherStore, err := getDataFromStore(ctx, storeClient, storeType, map[string]string{k: v}) - if err != nil { - return nil, fmt.Errorf("getting data from store failed: %w", err) - } - - for key, value := range secretFromOtherStore { - data[key] = value - } + valid, storeType := isValidPrefixWithStoreType(v) + if !valid { + continue + } + + secretFromOtherStore, err := getDataFromStore(ctx, storeClient, storeType, map[string]string{k: v}) + if err != nil { + return nil, fmt.Errorf("getting data from store failed: %w", err) } + + for key, value := range secretFromOtherStore { + data[key] = value + } + } return data, nil diff --git a/pkg/provider/aws/secret.go b/pkg/provider/aws/secret.go index cd7796e..a3502cb 100644 --- a/pkg/provider/aws/secret.go +++ b/pkg/provider/aws/secret.go @@ -159,7 +159,7 @@ func secretNeedsMutation(secret *corev1.Secret) (bool, string, error) { return false, "", fmt.Errorf("invalid auth type") } - // check if any of the sub-keys have a vault prefix + // check if any of the sub-keys have a valid prefix for _, v := range authMap { if valid, storeType := isValidPrefixWithStoreType(v.(string)); valid { return true, storeType, nil diff --git a/pkg/provider/bao/configmap.go b/pkg/provider/bao/configmap.go index d939ba2..d851315 100644 --- a/pkg/provider/bao/configmap.go +++ b/pkg/provider/bao/configmap.go @@ -41,7 +41,7 @@ func (m *mutator) MutateConfigMap(ctx context.Context, mutateRequest provider.Co TransitKeyID: m.config.TransitKeyID, TransitPath: m.config.TransitPath, TransitBatchSize: m.config.TransitBatchSize, - }, m.client, nil, m.logger) + }, m.client, nil /* baoinjector.SecretRenewer */, m.logger) mutateRequest.ConfigMap.Data, err = injector.GetDataFromBao(mutateRequest.ConfigMap.Data) if err != nil { diff --git a/pkg/provider/vault/configmap.go b/pkg/provider/vault/configmap.go index 289fc25..4ad6373 100644 --- a/pkg/provider/vault/configmap.go +++ b/pkg/provider/vault/configmap.go @@ -36,11 +36,12 @@ func (m *mutator) MutateConfigMap(ctx context.Context, mutateRequest provider.Co } defer m.client.Close() - injector := vaultinjector.NewSecretInjector(vaultinjector.Config{ - TransitKeyID: m.config.TransitKeyID, - TransitPath: m.config.TransitPath, - TransitBatchSize: m.config.TransitBatchSize, - }, m.client, nil, m.logger) + injector := vaultinjector.NewSecretInjector( + vaultinjector.Config{ + TransitKeyID: m.config.TransitKeyID, + TransitPath: m.config.TransitPath, + TransitBatchSize: m.config.TransitBatchSize, + }, m.client, nil /* vaultinjector.SecretRenewer */, m.logger) mutateRequest.ConfigMap.Data, err = injector.GetDataFromVault(mutateRequest.ConfigMap.Data) if err != nil {