onepassword-operator/pkg/kubernetessecrets/kubernetes_secrets_builder.go

package kubernetessecrets

import (
	"context"
	"errors"
	"fmt"
	"reflect"
	"regexp"
	"strings"

	"github.com/1Password/onepassword-operator/pkg/onepassword/model"
	"github.com/1Password/onepassword-operator/pkg/utils"
	corev1 "k8s.io/api/core/v1"
	apierrors "k8s.io/apimachinery/pkg/api/errors"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/types"
	kubeValidate "k8s.io/apimachinery/pkg/util/validation"

	kubernetesClient "sigs.k8s.io/controller-runtime/pkg/client"
	logf "sigs.k8s.io/controller-runtime/pkg/log"
)

const OnepasswordPrefix = "operator.1password.io"
const NameAnnotation = OnepasswordPrefix + "/item-name"
const VersionAnnotation = OnepasswordPrefix + "/item-version"
const ItemPathAnnotation = OnepasswordPrefix + "/item-path"
const RestartDeploymentsAnnotation = OnepasswordPrefix + "/auto-restart"

var ErrCannotUpdateSecretType = errors.New("cannot change secret type: secret type is immutable")

var log = logf.Log

func CreateKubernetesSecretFromItem(
	ctx context.Context,
	kubeClient kubernetesClient.Client,
	secretName, namespace string,
	item *model.Item,
	autoRestart string,
	labels map[string]string,
	secretType string,
	ownerRef *metav1.OwnerReference,
) error {
	itemVersion := fmt.Sprint(item.Version)
	secretAnnotations := map[string]string{
		VersionAnnotation:  itemVersion,
		ItemPathAnnotation: fmt.Sprintf("vaults/%v/items/%v", item.VaultID, item.ID),
	}

	if autoRestart != "" {
		_, err := utils.StringToBool(autoRestart)
		if err != nil {
			return fmt.Errorf("error parsing %v annotation on Secret %v. Must be true or false. Defaulting to false",
				RestartDeploymentsAnnotation, secretName,
			)
		}
		secretAnnotations[RestartDeploymentsAnnotation] = autoRestart
	}

	// "Opaque" and "" secret types are treated the same by Kubernetes.
	secret := BuildKubernetesSecretFromOnePasswordItem(secretName, namespace, secretAnnotations, labels,
		secretType, *item, ownerRef)

	currentSecret := &corev1.Secret{}
	err := kubeClient.Get(ctx, types.NamespacedName{Name: secret.Name, Namespace: secret.Namespace}, currentSecret)
	if err != nil && apierrors.IsNotFound(err) {
		log.Info(fmt.Sprintf("Creating Secret %v at namespace '%v'", secret.Name, secret.Namespace))
		return kubeClient.Create(ctx, secret)
	} else if err != nil {
		return err
	}

	// Check if the secret types are being changed on the update.
	// Avoid Opaque and "" are treated as different on check.
	wantSecretType := secretType
	if wantSecretType == "" {
		wantSecretType = string(corev1.SecretTypeOpaque)
	}
	currentSecretType := string(currentSecret.Type)
	if currentSecretType == "" {
		currentSecretType = string(corev1.SecretTypeOpaque)
	}
	if currentSecretType != wantSecretType {
		return ErrCannotUpdateSecretType
	}

	currentAnnotations := currentSecret.Annotations
	currentLabels := currentSecret.Labels
	if !reflect.DeepEqual(currentAnnotations, secretAnnotations) || !reflect.DeepEqual(currentLabels, labels) {
		log.Info(fmt.Sprintf("Updating Secret %v at namespace '%v'", secret.Name, secret.Namespace))
		currentSecret.Annotations = secretAnnotations
		currentSecret.Labels = labels
		currentSecret.Data = secret.Data
		if err := kubeClient.Update(ctx, currentSecret); err != nil {
			return fmt.Errorf("kubernetes secret update failed: %w", err)
		}
		return nil
	}

	log.Info(fmt.Sprintf("Secret with name %v and version %v already exists",
		secret.Name, secret.Annotations[VersionAnnotation],
	))
	return nil
}

func BuildKubernetesSecretFromOnePasswordItem(
	name, namespace string,
	annotations map[string]string,
	labels map[string]string,
	secretType string,
	item model.Item,
	ownerRef *metav1.OwnerReference,
) *corev1.Secret {
	var ownerRefs []metav1.OwnerReference
	if ownerRef != nil {
		ownerRefs = []metav1.OwnerReference{*ownerRef}
	}

	return &corev1.Secret{
		ObjectMeta: metav1.ObjectMeta{
			Name:            formatSecretName(name),
			Namespace:       namespace,
			Annotations:     annotations,
			Labels:          labels,
			OwnerReferences: ownerRefs,
		},
		Data: BuildKubernetesSecretData(item.Fields, item.Files),
		Type: corev1.SecretType(secretType),
	}
}

func BuildKubernetesSecretData(fields []model.ItemField, files []model.File) map[string][]byte {
	secretData := map[string][]byte{}
	for i := 0; i < len(fields); i++ {
		if fields[i].Value != "" {
			key := formatSecretDataName(fields[i].Label)
			secretData[key] = []byte(fields[i].Value)
		}
	}

	// populate unpopulated fields from files
	for _, file := range files {
		content, err := file.Content()
		if err != nil {
			log.Error(err, fmt.Sprintf("Could not load contents of file %s", file.Name))
			continue
		}
		if content != nil {
			key := file.Name
			if secretData[key] == nil {
				secretData[key] = content
			} else {
				log.Info(fmt.Sprintf("File '%s' ignored because of a field with the same name", file.Name))
			}
		}
	}
	return secretData
}

// formatSecretName rewrites a value to be a valid Secret name.
//
// The Secret meta.name and data keys must be valid DNS subdomain names
// (https://kubernetes.io/docs/concepts/configuration/secret/#overview-of-secrets)
func formatSecretName(value string) string {
	if errs := kubeValidate.IsDNS1123Subdomain(value); len(errs) == 0 {
		return value
	}
	return createValidSecretName(value)
}

// formatSecretDataName rewrites a value to be a valid Secret data key.
//
// The Secret data keys must consist of alphanumeric numbers, `-`, `_` or `.`
// (https://kubernetes.io/docs/concepts/configuration/secret/#overview-of-secrets)
func formatSecretDataName(value string) string {
	if errs := kubeValidate.IsConfigMapKey(value); len(errs) == 0 {
		return value
	}
	return createValidSecretDataName(value)
}

var invalidDNS1123Chars = regexp.MustCompile("[^a-z0-9-.]+")

func createValidSecretName(value string) string {
	result := strings.ToLower(value)
	result = invalidDNS1123Chars.ReplaceAllString(result, "-")

	if len(result) > kubeValidate.DNS1123SubdomainMaxLength {
		result = result[0:kubeValidate.DNS1123SubdomainMaxLength]
	}

	// first and last character MUST be alphanumeric
	return strings.Trim(result, "-.")
}

var invalidDataChars = regexp.MustCompile("[^a-zA-Z0-9-._]+")
var invalidStartEndChars = regexp.MustCompile("(^[^a-zA-Z0-9-._]+|[^a-zA-Z0-9-._]+$)")

func createValidSecretDataName(value string) string {
	result := invalidStartEndChars.ReplaceAllString(value, "")
	result = invalidDataChars.ReplaceAllString(result, "-")

	if len(result) > kubeValidate.DNS1123SubdomainMaxLength {
		result = result[0:kubeValidate.DNS1123SubdomainMaxLength]
	}

	return result
}