Add secret type for Param.Credentials (#300)

* Add AWS secret support for Param * Change crendential unionn type to v1.Secret * Refactor validation * Remove unused function
kanisterio · Sep 19, 2019 · ad3cbce · ad3cbce
1 parent f2dc494
commit ad3cbce
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 0 deletions.
diff --git a/pkg/param/param.go b/pkg/param/param.go
@@ -29,6 +29,7 @@ import (
 	crv1alpha1 "github.com/kanisterio/kanister/pkg/apis/cr/v1alpha1"
 	"github.com/kanisterio/kanister/pkg/client/clientset/versioned"
 	"github.com/kanisterio/kanister/pkg/kube"
+	"github.com/kanisterio/kanister/pkg/secrets"
 )
 
 const timeFormat = time.RFC3339Nano
@@ -90,12 +91,14 @@ type CredentialType string
 
 const (
 	CredentialTypeKeyPair CredentialType = "keyPair"
+	CredentialTypeSecret  CredentialType = "secret"
 )
 
 // Credential resolves the storage
 type Credential struct {
 	Type    CredentialType
 	KeyPair *KeyPair
+	Secret  *v1.Secret
 }
 
 // KeyPair is a credential that contains two strings: an ID and a secret.
@@ -209,6 +212,8 @@ func fetchCredential(ctx context.Context, cli kubernetes.Interface, c crv1alpha1
 	switch c.Type {
 	case crv1alpha1.CredentialTypeKeyPair:
 		return fetchKeyPairCredential(ctx, cli, c.KeyPair)
+	case crv1alpha1.CredentialTypeSecret:
+		return fetchSecretCredential(ctx, cli, c.Secret)
 	default:
 		return nil, errors.Errorf("CredentialType '%s' not supported", c.Type)
 	}
@@ -237,6 +242,23 @@ func fetchKeyPairCredential(ctx context.Context, cli kubernetes.Interface, c *cr
 	}, nil
 }
 
+func fetchSecretCredential(ctx context.Context, cli kubernetes.Interface, sr *crv1alpha1.ObjectReference) (*Credential, error) {
+	if sr == nil {
+		return nil, errors.New("Secret reference cannot be nil")
+	}
+	s, err := cli.CoreV1().Secrets(sr.Namespace).Get(sr.Name, metav1.GetOptions{})
+	if err != nil {
+		return nil, errors.Wrap(err, "Failed to fetch the secret")
+	}
+	if err = secrets.ValidateCredentials(s); err != nil {
+		return nil, err
+	}
+	return &Credential{
+		Type:   CredentialTypeSecret,
+		Secret: s,
+	}, nil
+}
+
 func filterByKind(refs map[string]crv1alpha1.ObjectReference, kind string) map[string]crv1alpha1.ObjectReference {
 	filtered := make(map[string]crv1alpha1.ObjectReference, len(refs))
 	for name, ref := range refs {

diff --git a/pkg/secrets/secrets.go b/pkg/secrets/secrets.go
@@ -0,0 +1,21 @@
+package secrets
+
+import (
+	"github.com/pkg/errors"
+	v1 "k8s.io/api/core/v1"
+)
+
+// ValidateCredentials returns error if secret is failed at validation.
+// Currently supports following:
+// - AWS typed secret with required AWS secret fields.
+func ValidateCredentials(secret *v1.Secret) error {
+	if secret == nil {
+		return errors.New("Nil secret")
+	}
+	switch string(secret.Type) {
+	case AWSSecretType:
+		return ValidateAWSCredentials(secret)
+	default:
+		return errors.Errorf("Unsupported type '%s' for secret '%s:%s'", string(secret.Type), secret.Namespace, secret.Name)
+	}
+}