From ad3cbcea137c3051f5e984da52e6f3073ef9a5e3 Mon Sep 17 00:00:00 2001
From: Hakan Memisoglu
Date: Thu, 19 Sep 2019 15:53:41 -0700
Subject: [PATCH] Add secret type for Param.Credentials (#300)

* Add AWS secret support for Param
* Change crendential unionn type to v1.Secret
* Refactor validation
* Remove unused function
---
 pkg/param/param.go | 22 ++++++++++++++++++++++
 pkg/secrets/secrets.go | 21 +++++++++++++++++++++
 2 files changed, 43 insertions(+)
 create mode 100644 pkg/secrets/secrets.go

diff --git a/pkg/param/param.go b/pkg/param/param.go
index 091870ca8e..9ea5990164 100644
--- a/pkg/param/param.go
+++ b/pkg/param/param.go
@@ -29,6 +29,7 @@ import (
 crv1alpha1 "github.com/kanisterio/kanister/pkg/apis/cr/v1alpha1"
 "github.com/kanisterio/kanister/pkg/client/clientset/versioned"
 "github.com/kanisterio/kanister/pkg/kube"
+ "github.com/kanisterio/kanister/pkg/secrets"
 )
 
 const timeFormat = time.RFC3339Nano
@@ -90,12 +91,14 @@ type CredentialType string
 
 const (
 CredentialTypeKeyPair CredentialType = "keyPair"
+ CredentialTypeSecret CredentialType = "secret"
 )
 
 // Credential resolves the storage
 type Credential struct {
 Type CredentialType
 KeyPair *KeyPair
+ Secret *v1.Secret
 }
 
 // KeyPair is a credential that contains two strings: an ID and a secret.
@@ -209,6 +212,8 @@ func fetchCredential(ctx context.Context, cli kubernetes.Interface, c crv1alpha1
 switch c.Type {
 case crv1alpha1.CredentialTypeKeyPair:
 return fetchKeyPairCredential(ctx, cli, c.KeyPair)
+ case crv1alpha1.CredentialTypeSecret:
+ return fetchSecretCredential(ctx, cli, c.Secret)
 default:
 return nil, errors.Errorf("CredentialType '%s' not supported", c.Type)
 }
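Review bot: The `// Credential resolves the storage` comment above the struct in the second hunk does not say that Credential is a tagged union, and the new Secret field makes that invariant matter more: `// Credential is a tagged union: Type selects which of KeyPair or Secret is populated; the other is nil.` would state it. Unlike KeyPair, which carries exactly two strings, Secret is the full v1.Secret object, so whatever later renders a Credential into template parameters receives every key in Data plus the object metadata; if consumers only need specific keys, a narrower value would reduce what is exposed. The `v1` import that `*v1.Secret` relies on is not added in the first hunk, so it is presumably already imported above line 29. The `crv1alpha1.CredentialTypeSecret` constant and `c.Secret` field used in the third hunk are likewise outside this patch and must already exist in the CRD types.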
@@ -237,6 +242,23 @@ func fetchKeyPairCredential(ctx context.Context, cli kubernetes.Interface, c *cr
 }, nil
 }
 
+func fetchSecretCredential(ctx context.Context, cli kubernetes.Interface, sr *crv1alpha1.ObjectReference) (*Credential, error) {
+ if sr == nil {
+ return nil, errors.New("Secret reference cannot be nil")
+ }
+ s, err := cli.CoreV1().Secrets(sr.Namespace).Get(sr.Name, metav1.GetOptions{})
+ if err != nil {
+ return nil, errors.Wrap(err, "Failed to fetch the secret")
+ }
+ if err = secrets.ValidateCredentials(s); err != nil {
+ return nil, err
+ }
+ return &Credential{
+ Type: CredentialTypeSecret,
+ Secret: s,
+ }, nil
+}
+
 func filterByKind(refs map[string]crv1alpha1.ObjectReference, kind string) map[string]crv1alpha1.ObjectReference {
 filtered := make(map[string]crv1alpha1.ObjectReference, len(refs))
 for name, ref := range refs {
diff --git a/pkg/secrets/secrets.go b/pkg/secrets/secrets.go
new file mode 100644
index 0000000000..07d06ee508
--- /dev/null
+++ b/pkg/secrets/secrets.go
@@ -0,0 +1,21 @@
+package secrets
+
+import (
+ "github.com/pkg/errors"
+ v1 "k8s.io/api/core/v1"
+)
+
+// ValidateCredentials returns error if secret is failed at validation.
+// Currently supports following:
+// - AWS typed secret with required AWS secret fields.
+func ValidateCredentials(secret *v1.Secret) error {
+ if secret == nil {
+ return errors.New("Nil secret")
+ }
+ switch string(secret.Type) {
+ case AWSSecretType:
+ return ValidateAWSCredentials(secret)
+ default:
+ return errors.Errorf("Unsupported type '%s' for secret '%s:%s'", string(secret.Type), secret.Namespace, secret.Name)
+ }
+}
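Review bot: The fetch error in fetchSecretCredential is wrapped as `Failed to fetch the secret` without naming which secret, so a caller sees only the client-go message; the reference is already in hand, and `return nil, errors.Wrapf(err, "Failed to fetch secret '%s:%s'", sr.Namespace, sr.Name)` would match the `'%s:%s'` form ValidateCredentials uses in the new file. The function also stores the whole *v1.Secret — every key in Data — in the returned Credential, whereas the key-pair path kept two strings; presumably that struct is later rendered into template parameters, so anything that logs or dumps those parameters would now carry all secret keys, which deserves a comment here or a narrower copy. `ctx` is accepted but not passed to the Get call; the client-go version in use may not take it, but a short comment saying so would save the next reader a question. An empty `sr.Namespace` is not rejected before the Get call, so if the reference can omit the namespace the error comes back from the API rather than from this function.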
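Review bot: The doc comment on ValidateCredentials reads awkwardly and should state the contract directly, e.g. `// ValidateCredentials returns an error if the secret is nil or its Type is not supported; a supported type is additionally checked for its required fields.` followed by the existing list of supported types. `AWSSecretType` and `ValidateAWSCredentials` are not defined anywhere in this patch, and the diffstat lists secrets.go as the only file in pkg/secrets, so they presumably already exist in another file of that package; if the package is new, this will not compile. The switch compares `string(secret.Type)` rather than `secret.Type`, which is only needed if AWSSecretType is a plain string constant; declaring it as `v1.SecretType` would let the case compare the typed value and make the intent clearer.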