refactor: vault secret

Signed-off-by: kjuulh <contact@kjuulh.io>
This commit is contained in:
Kasper Juul Hermansen 2024-05-24 09:19:00 +02:00
parent f2e85f7114
commit 4fce7751a1
Signed by: kjuulh
GPG Key ID: 57B6E1465221F912
2 changed files with 128 additions and 132 deletions

View File

@ -1,134 +1,3 @@
pub mod cluster_vars;
pub mod cuddle_vars;
pub mod vault_secret {
use minijinja::{value::Object, Value};
use crate::Component;
#[derive(Debug)]
pub struct VaultSecretValues {
name: String,
secrets: VaultSecretsLookup,
}
#[derive(Debug, Clone)]
pub struct VaultSecretsLookup {
secrets: Vec<String>,
}
impl From<Vec<String>> for VaultSecretsLookup {
fn from(value: Vec<String>) -> Self {
Self { secrets: value }
}
}
#[derive(Default, Clone)]
pub struct VaultSecret {}
impl Component for VaultSecret {
fn name(&self) -> String {
"vault/secret".into()
}
fn validate(&self, value: &serde_yaml::Value) -> anyhow::Result<()> {
Ok(())
}
fn render_value(
&self,
environment: &str,
value: &serde_yaml::Value,
) -> Option<anyhow::Result<minijinja::Value>> {
if let Some(values) = value
.as_mapping()
.and_then(|map| map.get("env"))
.and_then(|v| v.as_mapping())
.map(|v| {
v.iter()
.filter_map(|(k, v)| {
if v.as_mapping()
.map(|m| m.get("vault").filter(|v| v.as_bool() == Some(true)))
.is_some()
{
Some(k)
} else {
None
}
})
.filter_map(|k| k.as_str())
.collect::<Vec<_>>()
})
{
let vault_values = VaultSecretValues {
name: self.name().replace("/", "-"),
secrets: values
.into_iter()
.map(|i| i.into())
.collect::<Vec<_>>()
.into(),
};
return Some(Ok(minijinja::Value::from_object(vault_values)));
}
None
}
fn render(
&self,
_environment: &str,
_value: &serde_yaml::Value,
) -> Option<anyhow::Result<(String, String)>> {
Some(Ok((
format!("{}.yaml", self.name().replace("/", "_")),
r#"apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: {{ vars.cuddle_vars.service }}-{{ vars.vault_secret.name }}
namespace: {{ vars.cluster_vars.namespace }}
spec:
destination:
create: true
name: {{ vars.cuddle_vars.service }}-{{ vars.vault_secret.name }}
mount: kvv2
path: {{ vars.cuddle_vars.service }}/{{ environment }}
refreshAfter: 30s
type: kv-v2
"#
.into(),
)))
}
}
impl Object for VaultSecretValues {
fn get_value(
self: &std::sync::Arc<Self>,
key: &minijinja::Value,
) -> Option<minijinja::Value> {
let name = self.name.clone();
let obj = match key.as_str()? {
"name" => Value::from_safe_string(self.name.clone()),
"secrets" => Value::from_object(self.secrets.clone()),
"has_values" => Value::from_serialize(!self.secrets.secrets.is_empty()),
"file_name" => Value::from_function(move |file_name: String| {
format!("{}-{}", file_name, name.replace("/", "-"))
}),
_ => return None,
};
Some(obj)
}
}
impl Object for VaultSecretsLookup {
fn get_value(self: &std::sync::Arc<Self>, key: &Value) -> Option<Value> {
let idx = key.as_usize()?;
self.secrets.get(idx).cloned().map(Value::from_safe_string)
}
fn enumerate(self: &std::sync::Arc<Self>) -> minijinja::value::Enumerator {
minijinja::value::Enumerator::Seq(self.secrets.len())
}
}
}
pub mod vault_secret;

View File

@ -0,0 +1,127 @@
use minijinja::{value::Object, Value};
use crate::Component;
#[derive(Debug)]
pub struct VaultSecretValues {
name: String,
secrets: VaultSecretsLookup,
}
#[derive(Debug, Clone)]
pub struct VaultSecretsLookup {
secrets: Vec<String>,
}
impl From<Vec<String>> for VaultSecretsLookup {
fn from(value: Vec<String>) -> Self {
Self { secrets: value }
}
}
#[derive(Default, Clone)]
pub struct VaultSecret {}
impl Component for VaultSecret {
fn name(&self) -> String {
"vault/secret".into()
}
fn validate(&self, value: &serde_yaml::Value) -> anyhow::Result<()> {
Ok(())
}
fn render_value(
&self,
environment: &str,
value: &serde_yaml::Value,
) -> Option<anyhow::Result<minijinja::Value>> {
if let Some(values) = value
.as_mapping()
.and_then(|map| map.get("env"))
.and_then(|v| v.as_mapping())
.map(|v| {
v.iter()
.filter_map(|(k, v)| {
if v.as_mapping()
.map(|m| m.get("vault").filter(|v| v.as_bool() == Some(true)))
.is_some()
{
Some(k)
} else {
None
}
})
.filter_map(|k| k.as_str())
.collect::<Vec<_>>()
})
{
let vault_values = VaultSecretValues {
name: self.name().replace("/", "-"),
secrets: values
.into_iter()
.map(|i| i.into())
.collect::<Vec<_>>()
.into(),
};
return Some(Ok(minijinja::Value::from_object(vault_values)));
}
None
}
fn render(
&self,
_environment: &str,
_value: &serde_yaml::Value,
) -> Option<anyhow::Result<(String, String)>> {
Some(Ok((
format!("{}.yaml", self.name().replace("/", "_")),
r#"apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: {{ vars.cuddle_vars.service }}-{{ vars.vault_secret.name }}
namespace: {{ vars.cluster_vars.namespace }}
spec:
destination:
create: true
name: {{ vars.cuddle_vars.service }}-{{ vars.vault_secret.name }}
mount: kvv2
path: {{ vars.cuddle_vars.service }}/{{ environment }}
refreshAfter: 30s
type: kv-v2
"#
.into(),
)))
}
}
impl Object for VaultSecretValues {
fn get_value(self: &std::sync::Arc<Self>, key: &minijinja::Value) -> Option<minijinja::Value> {
let name = self.name.clone();
let obj = match key.as_str()? {
"name" => Value::from_safe_string(self.name.clone()),
"secrets" => Value::from_object(self.secrets.clone()),
"has_values" => Value::from_serialize(!self.secrets.secrets.is_empty()),
"file_name" => Value::from_function(move |file_name: String| {
format!("{}-{}", file_name, name.replace("/", "-"))
}),
_ => return None,
};
Some(obj)
}
}
impl Object for VaultSecretsLookup {
fn get_value(self: &std::sync::Arc<Self>, key: &Value) -> Option<Value> {
let idx = key.as_usize()?;
self.secrets.get(idx).cloned().map(Value::from_safe_string)
}
fn enumerate(self: &std::sync::Arc<Self>) -> minijinja::value::Enumerator {
minijinja::value::Enumerator::Seq(self.secrets.len())
}
}