fix: secret store doesn't work (#1142)

- import the secrets register pkg in the app config generator to register supported secret providers - rename SecretStoreSpec to SecretStore to prevent misunderstanding of the concept Spec
KusionStack · Jun 5, 2024 · ed07c4e · ed07c4e
1 parent aabbb5e
commit ed07c4e
Show file tree

Hide file tree

Showing 19 changed files with 74 additions and 69 deletions.
diff --git a/pkg/apis/api.kusion.io/v1/types.go b/pkg/apis/api.kusion.io/v1/types.go
@@ -90,7 +90,7 @@ type Workspace struct {
 	Modules ModuleConfigs `yaml:"modules,omitempty" json:"modules,omitempty"`
 
 	// SecretStore represents a secure external location for storing secrets.
-	SecretStore *SecretStoreSpec `yaml:"secretStore,omitempty" json:"secretStore,omitempty"`
+	SecretStore *SecretStore `yaml:"secretStore,omitempty" json:"secretStore,omitempty"`
 
 	// Context contains workspace-level configurations, such as topologies, server endpoints, metadata, etc.
 	Context GenericConfig `yaml:"context,omitempty" json:"context,omitempty"`
@@ -700,8 +700,8 @@ type ExternalSecretRef struct {
 	Property string `yaml:"property,omitempty" json:"property,omitempty"`
 }
 
-// SecretStoreSpec contains configuration to describe target secret store.
-type SecretStoreSpec struct {
+// SecretStore contains configuration to describe target secret store.
+type SecretStore struct {
 	Provider *ProviderSpec `yaml:"provider" json:"provider"`
 }
 

diff --git a/pkg/modules/generators/app_configurations_generator.go b/pkg/modules/generators/app_configurations_generator.go
@@ -34,6 +34,8 @@ import (
 	"kusionstack.io/kusion/pkg/modules"
 	"kusionstack.io/kusion/pkg/modules/generators/workload"
 	"kusionstack.io/kusion/pkg/modules/proto"
+	// import the secrets register pkg to register supported secret providers
+	_ "kusionstack.io/kusion/pkg/secrets/providers/register"
 	jsonutil "kusionstack.io/kusion/pkg/util/json"
 	"kusionstack.io/kusion/pkg/workspace"
 )
@@ -125,6 +127,7 @@ func (g *appConfigurationGenerator) Generate(spec *v1.Spec) error {
 			Namespace:       namespace,
 			Workload:        g.app.Workload,
 			PlatformConfigs: projectModuleConfigs,
+			SecretStoreSpec: g.ws.SecretStore,
 		}),
 	}
 	if err = modules.CallGenerators(spec, gfs...); err != nil {

diff --git a/pkg/modules/generators/workload/secret/secret_generator.go b/pkg/modules/generators/workload/secret/secret_generator.go
@@ -18,10 +18,10 @@ import (
 )
 
 type secretGenerator struct {
-	project         string
-	namespace       string
-	secrets         map[string]v1.Secret
-	secretStoreSpec *v1.SecretStoreSpec
+	project     string
+	namespace   string
+	secrets     map[string]v1.Secret
+	secretStore *v1.SecretStore
 }
 
 type GeneratorRequest struct {
@@ -31,8 +31,8 @@ type GeneratorRequest struct {
 	Namespace string
 	// Workload represents the Workload configuration
 	Workload *v1.Workload
-	// SecretStoreSpec contains configuration to describe target secret store.
-	SecretStoreSpec *v1.SecretStoreSpec
+	// SecretStore contains configuration to describe target secret store.
+	SecretStore *v1.SecretStore
 }
 
 func NewSecretGenerator(request *GeneratorRequest) (modules.Generator, error) {
@@ -48,10 +48,10 @@ func NewSecretGenerator(request *GeneratorRequest) (modules.Generator, error) {
 	}
 
 	return &secretGenerator{
-		project:         request.Project,
-		secrets:         secretMap,
-		namespace:       request.Namespace,
-		secretStoreSpec: request.SecretStoreSpec,
+		project:     request.Project,
+		secrets:     secretMap,
+		namespace:   request.Namespace,
+		secretStore: request.SecretStore,
 	}, nil
 }
 
@@ -156,7 +156,7 @@ func (g *secretGenerator) generateCertificate(secretName string, secretRef v1.Se
 // generateSecretWithExternalProvider retrieves target sensitive information from external secret provider and
 // generates corresponding Kubernetes Secret object.
 func (g *secretGenerator) generateSecretWithExternalProvider(secretName string, secretRef v1.Secret) (*corev1.Secret, error) {
-	if g.secretStoreSpec == nil {
+	if g.secretStore == nil {
 		return nil, errors.New("secret store is missing, please add valid secret store spec in workspace")
 	}
 
@@ -170,12 +170,12 @@ func (g *secretGenerator) generateSecretWithExternalProvider(secretName string,
 			allErrs = append(allErrs, err)
 			continue
 		}
-		provider, exist := secrets.GetProvider(g.secretStoreSpec.Provider)
+		provider, exist := secrets.GetProvider(g.secretStore.Provider)
 		if !exist {
 			allErrs = append(allErrs, errors.New("no matched secret store found, please check workspace yaml"))
 			continue
 		}
-		secretStore, err := provider.NewSecretStore(*g.secretStoreSpec)
+		secretStore, err := provider.NewSecretStore(*g.secretStore)
 		if err != nil {
 			allErrs = append(allErrs, err)
 			continue

diff --git a/pkg/modules/generators/workload/secret/secret_generator_test.go b/pkg/modules/generators/workload/secret/secret_generator_test.go
@@ -16,7 +16,7 @@ var testProject = "helloworld"
 func initGeneratorRequest(
 	project string,
 	secrets map[string]v1.Secret,
-	secretStoreSpec *v1.SecretStoreSpec,
+	secretStoreSpec *v1.SecretStore,
 ) *GeneratorRequest {
 	return &GeneratorRequest{
 		Project: project,
@@ -27,13 +27,13 @@ func initGeneratorRequest(
 				},
 			},
 		},
-		Namespace:       project,
-		SecretStoreSpec: secretStoreSpec,
+		Namespace:   project,
+		SecretStore: secretStoreSpec,
 	}
 }
 
-func initSecretStoreSpec(data []v1.FakeProviderData) *v1.SecretStoreSpec {
-	return &v1.SecretStoreSpec{
+func initSecretStoreSpec(data []v1.FakeProviderData) *v1.SecretStore {
+	return &v1.SecretStore{
 		Provider: &v1.ProviderSpec{
 			Fake: &v1.FakeProvider{
 				Data: data,

diff --git a/pkg/modules/generators/workload/workload_generator.go b/pkg/modules/generators/workload/workload_generator.go
@@ -35,7 +35,7 @@ type Generator struct {
 	// PlatformConfigs represents the module platform configurations
 	PlatformConfigs map[string]v1.GenericConfig
 	// SecretStoreSpec contains configuration to describe target secret store.
-	SecretStoreSpec *v1.SecretStoreSpec
+	SecretStoreSpec *v1.SecretStore
 }
 
 func NewWorkloadGeneratorFunc(g *Generator) modules.NewGeneratorFunc {
@@ -67,17 +67,17 @@ func (g *Generator) Generate(spec *v1.Spec) error {
 		switch g.Workload.Header.Type {
 		case v1.TypeService:
 			gfs = append(gfs, NewWorkloadServiceGeneratorFunc(g), secret.NewSecretGeneratorFunc(&secret.GeneratorRequest{
-				Project:         g.Project,
-				Namespace:       g.Namespace,
-				Workload:        g.Workload,
-				SecretStoreSpec: g.SecretStoreSpec,
+				Project:     g.Project,
+				Namespace:   g.Namespace,
+				Workload:    g.Workload,
+				SecretStore: g.SecretStoreSpec,
 			}))
 		case v1.TypeJob:
 			gfs = append(gfs, NewJobGeneratorFunc(g), secret.NewSecretGeneratorFunc(&secret.GeneratorRequest{
-				Project:         g.Project,
-				Namespace:       g.Namespace,
-				Workload:        g.Workload,
-				SecretStoreSpec: g.SecretStoreSpec,
+				Project:     g.Project,
+				Namespace:   g.Namespace,
+				Workload:    g.Workload,
+				SecretStore: g.SecretStoreSpec,
 			}))
 		}
 

diff --git a/pkg/secrets/interfaces.go b/pkg/secrets/interfaces.go
@@ -15,7 +15,7 @@ type SecretStore interface {
 // SecretStoreProvider is a factory type for secret store.
 type SecretStoreProvider interface {
 	// NewSecretStore constructs a usable secret store with specific provider spec.
-	NewSecretStore(spec v1.SecretStoreSpec) (SecretStore, error)
+	NewSecretStore(spec v1.SecretStore) (SecretStore, error)
 }
 
 var NoSecretErr = NoSecretError{}

diff --git a/pkg/secrets/providers/alicloud/secretsmanager/secretsmanager.go b/pkg/secrets/providers/alicloud/secretsmanager/secretsmanager.go
@@ -41,7 +41,7 @@ type smSecretStore struct {
 }
 
 // NewSecretStore constructs a Vault based secret store with specific secret store spec.
-func (p *DefaultSecretStoreProvider) NewSecretStore(spec v1.SecretStoreSpec) (secrets.SecretStore, error) {
+func (p *DefaultSecretStoreProvider) NewSecretStore(spec v1.SecretStore) (secrets.SecretStore, error) {
 	providerSpec := spec.Provider
 	if providerSpec == nil {
 		return nil, fmt.Errorf(errMissingProviderSpec)

diff --git a/pkg/secrets/providers/alicloud/secretsmanager/secretsmanager_test.go b/pkg/secrets/providers/alicloud/secretsmanager/secretsmanager_test.go
@@ -114,21 +114,21 @@ func TestGetSecret(t *testing.T) {
 
 func TestNewSecretStore(t *testing.T) {
 	testCases := map[string]struct {
-		spec        v1.SecretStoreSpec
+		spec        v1.SecretStore
 		expectedErr error
 	}{
 		"InvalidSecretStoreSpec": {
-			spec:        v1.SecretStoreSpec{},
+			spec:        v1.SecretStore{},
 			expectedErr: errors.New(errMissingProviderSpec),
 		},
 		"InvalidProviderSpec": {
-			spec: v1.SecretStoreSpec{
+			spec: v1.SecretStore{
 				Provider: &v1.ProviderSpec{},
 			},
 			expectedErr: errors.New(errMissingAlicloudProvider),
 		},
 		"ValidVaultProviderSpec": {
-			spec: v1.SecretStoreSpec{
+			spec: v1.SecretStore{
 				Provider: &v1.ProviderSpec{
 					Alicloud: &v1.AlicloudProvider{
 						Region: "cn-beijing",

diff --git a/pkg/secrets/providers/aws/secretsmanager/secretsmanager.go b/pkg/secrets/providers/aws/secretsmanager/secretsmanager.go
@@ -30,7 +30,7 @@ var _ secrets.SecretStore = &smSecretStore{}
 type DefaultSecretStoreProvider struct{}
 
 // NewSecretStore constructs a Vault based secret store with specific secret store spec.
-func (p *DefaultSecretStoreProvider) NewSecretStore(spec v1.SecretStoreSpec) (secrets.SecretStore, error) {
+func (p *DefaultSecretStoreProvider) NewSecretStore(spec v1.SecretStore) (secrets.SecretStore, error) {
 	providerSpec := spec.Provider
 	if providerSpec == nil {
 		return nil, fmt.Errorf(errMissingProviderSpec)
@@ -126,6 +126,8 @@ func (s *smSecretStore) convertSecretToGjson(secretValueOutput *secretsmanager.G
 }
 
 func init() {
+	fmt.Printf("init aws secret")
+
 	secrets.Register(&DefaultSecretStoreProvider{}, &v1.ProviderSpec{
 		AWS: &v1.AWSProvider{},
 	})

diff --git a/pkg/secrets/providers/aws/secretsmanager/secretsmanager_test.go b/pkg/secrets/providers/aws/secretsmanager/secretsmanager_test.go
@@ -134,21 +134,21 @@ func TestGetSecret(t *testing.T) {
 
 func TestNewSecretStore(t *testing.T) {
 	testCases := map[string]struct {
-		spec        v1.SecretStoreSpec
+		spec        v1.SecretStore
 		expectedErr error
 	}{
 		"InvalidSecretStoreSpec": {
-			spec:        v1.SecretStoreSpec{},
+			spec:        v1.SecretStore{},
 			expectedErr: errors.New(errMissingProviderSpec),
 		},
 		"InvalidProviderSpec": {
-			spec: v1.SecretStoreSpec{
+			spec: v1.SecretStore{
 				Provider: &v1.ProviderSpec{},
 			},
 			expectedErr: errors.New(errMissingAWSProvider),
 		},
 		"ValidVaultProviderSpec": {
-			spec: v1.SecretStoreSpec{
+			spec: v1.SecretStore{
 				Provider: &v1.ProviderSpec{
 					AWS: &v1.AWSProvider{
 						Region: "us-east-1",

diff --git a/pkg/secrets/providers/azure/keyvault/keyvault.go b/pkg/secrets/providers/azure/keyvault/keyvault.go
@@ -38,7 +38,7 @@ var _ secrets.SecretStore = &kvSecretStore{}
 type DefaultSecretStoreProvider struct{}
 
 // NewSecretStore constructs an Azure KeyVault based secret store with specific secret store spec.
-func (p *DefaultSecretStoreProvider) NewSecretStore(spec v1.SecretStoreSpec) (secrets.SecretStore, error) {
+func (p *DefaultSecretStoreProvider) NewSecretStore(spec v1.SecretStore) (secrets.SecretStore, error) {
 	providerSpec := spec.Provider
 	if providerSpec == nil {
 		return nil, fmt.Errorf(errMissingProviderSpec)

diff --git a/pkg/secrets/providers/azure/keyvault/keyvault_test.go b/pkg/secrets/providers/azure/keyvault/keyvault_test.go
@@ -100,22 +100,22 @@ func TestGetSecret(t *testing.T) {
 
 func TestNewSecretStore(t *testing.T) {
 	testCases := map[string]struct {
-		spec        v1.SecretStoreSpec
+		spec        v1.SecretStore
 		initEnv     bool
 		expectedErr error
 	}{
 		"InvalidSecretStoreSpec": {
-			spec:        v1.SecretStoreSpec{},
+			spec:        v1.SecretStore{},
 			expectedErr: errors.New(errMissingProviderSpec),
 		},
 		"InvalidProviderSpec": {
-			spec: v1.SecretStoreSpec{
+			spec: v1.SecretStore{
 				Provider: &v1.ProviderSpec{},
 			},
 			expectedErr: errors.New(errMissingAzureProvider),
 		},
 		"InvalidAzureKVProviderSpec": {
-			spec: v1.SecretStoreSpec{
+			spec: v1.SecretStore{
 				Provider: &v1.ProviderSpec{
 					Azure: &v1.AzureKVProvider{
 						VaultURL: &fakeVaultURL,
@@ -125,7 +125,7 @@ func TestNewSecretStore(t *testing.T) {
 			expectedErr: errors.New(errMissingTenant),
 		},
 		"NoClientIDSecretEnvFound": {
-			spec: v1.SecretStoreSpec{
+			spec: v1.SecretStore{
 				Provider: &v1.ProviderSpec{
 					Azure: &v1.AzureKVProvider{
 						VaultURL: &fakeVaultURL,
@@ -136,7 +136,7 @@ func TestNewSecretStore(t *testing.T) {
 			expectedErr: errors.New(errMissingClientIDSecret),
 		},
 		"ValidVaultProviderSpec": {
-			spec: v1.SecretStoreSpec{
+			spec: v1.SecretStore{
 				Provider: &v1.ProviderSpec{
 					Azure: &v1.AzureKVProvider{
 						VaultURL: &fakeVaultURL,

diff --git a/pkg/secrets/providers/fake/fake.go b/pkg/secrets/providers/fake/fake.go
@@ -30,7 +30,7 @@ var _ secrets.SecretStore = &fakeSecretStore{}
 type DefaultSecretStoreProvider struct{}
 
 // NewSecretStore constructs a fake secret store instance.
-func (p *DefaultSecretStoreProvider) NewSecretStore(spec v1.SecretStoreSpec) (secrets.SecretStore, error) {
+func (p *DefaultSecretStoreProvider) NewSecretStore(spec v1.SecretStore) (secrets.SecretStore, error) {
 	providerSpec := spec.Provider
 	if providerSpec == nil {
 		return nil, fmt.Errorf(errMissingProviderSpec)

diff --git a/pkg/secrets/providers/fake/fake_test.go b/pkg/secrets/providers/fake/fake_test.go
@@ -76,7 +76,7 @@ func TestGetSecret(t *testing.T) {
 	}
 	for _, tt := range testCases {
 		t.Run(tt.name, func(t *testing.T) {
-			ss, _ := p.NewSecretStore(v1.SecretStoreSpec{
+			ss, _ := p.NewSecretStore(v1.SecretStore{
 				Provider: &v1.ProviderSpec{
 					Fake: &v1.FakeProvider{
 						Data: tt.input,
@@ -98,29 +98,29 @@ func TestGetSecret(t *testing.T) {
 
 func TestNewSecretStore(t *testing.T) {
 	testCases := map[string]struct {
-		spec        v1.SecretStoreSpec
+		spec        v1.SecretStore
 		expectedErr error
 	}{
 		"InvalidSecretStoreSpec": {
-			spec:        v1.SecretStoreSpec{},
+			spec:        v1.SecretStore{},
 			expectedErr: errors.New(errMissingProviderSpec),
 		},
 		"InvalidProviderSpec": {
-			spec: v1.SecretStoreSpec{
+			spec: v1.SecretStore{
 				Provider: &v1.ProviderSpec{},
 			},
 			expectedErr: errors.New(errMissingFakeProvider),
 		},
 		"ValidFakeProviderSpec": {
-			spec: v1.SecretStoreSpec{
+			spec: v1.SecretStore{
 				Provider: &v1.ProviderSpec{
 					Fake: &v1.FakeProvider{},
 				},
 			},
 			expectedErr: nil,
 		},
 		"ValidFakeProviderSpec_WithData": {
-			spec: v1.SecretStoreSpec{
+			spec: v1.SecretStore{
 				Provider: &v1.ProviderSpec{
 					Fake: &v1.FakeProvider{
 						Data: []v1.FakeProviderData{

diff --git a/pkg/secrets/providers/hashivault/vault.go b/pkg/secrets/providers/hashivault/vault.go
@@ -37,7 +37,7 @@ var _ secrets.SecretStore = &vaultSecretStore{}
 type DefaultSecretStoreProvider struct{}
 
 // NewSecretStore constructs a Vault based secret store with specific secret store spec.
-func (p *DefaultSecretStoreProvider) NewSecretStore(spec v1.SecretStoreSpec) (secrets.SecretStore, error) {
+func (p *DefaultSecretStoreProvider) NewSecretStore(spec v1.SecretStore) (secrets.SecretStore, error) {
 	providerSpec := spec.Provider
 	if providerSpec == nil || providerSpec.Vault == nil {
 		return nil, errors.New(errInvalidVaultSecretStore)