
Commit d64a133

committed
HVS: rotating secret support
1 parent 89ec0a2 commit d64a133

3 files changed

+79
-18
lines changed


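--- a/controllers/hcpvaultsecretsapp_controller.go
+++ b/controllers/hcpvaultsecretsapp_controller.go
@@ -124,6 +124,7 @@ func (r *HCPVaultSecretsAppReconciler) Reconcile(ctx context.Context, req ctrl.R
 AppName: o.Spec.AppName,
 Types: []string{
 helpers.HVSSecretTypeKV,
+helpers.HVSSecretTypeRotating,
 },
 }
 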
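Review bot: Requesting `helpers.HVSSecretTypeRotating` here means the synced Kubernetes Secret now carries credentials that the HVS API returns with an `expires_at` (visible in this commit's test fixture), but nothing in this hunk ties the reconcile requeue to that expiry. The rest of Reconcile is outside the hunk, so I cannot confirm how the refresh period is chosen; if it is purely the user-configured interval, a credential rotated upstream can sit stale in the cluster until the next periodic sync. At minimum a comment on the added line would make the constraint visible, e.g. `// rotating secrets expire upstream; the refresh period must be shorter than the rotation window`.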
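--- a/internal/helpers/secrets.go
+++ b/internal/helpers/secrets.go
@@ -25,8 +25,9 @@ import (
 )
 
 const (
-SecretDataKeyRaw = "_raw"
-HVSSecretTypeKV = "kv"
+SecretDataKeyRaw = "_raw"
+HVSSecretTypeKV = "kv"
+HVSSecretTypeRotating = "rotating"
 )
 
 var SecretDataErrorContainsRaw = fmt.Errorf("key '%s' not permitted in Secret data", SecretDataKeyRaw)
@@ -497,11 +498,21 @@ func (s *SecretDataBuilder) WithHVSAppSecrets(resp *hvsclient.OpenAppSecretsOK,
 data := make(map[string][]byte)
 hasTemplates := len(opt.KeyedTemplates) > 0
 for _, v := range p.Secrets {
-if v.StaticVersion == nil {
+if v.StaticVersion == nil && v.RotatingVersion == nil {
 continue
 }
 
-if v.Type != HVSSecretTypeKV {
+switch v.Type {
+case HVSSecretTypeKV:
+secrets[v.Name] = v.StaticVersion.Value
+case HVSSecretTypeRotating:
+// Since rotating secrets have multiple values, prefix each key with
+// the secret name to avoid collisions.
+for rvk, rvv := range v.RotatingVersion.Values {
+rName := fmt.Sprintf("%s_%s", v.Name, rvk)
+secrets[rName] = rvv
+}
+default:
 continue
 }
 
@@ -515,7 +526,6 @@ func (s *SecretDataBuilder) WithHVSAppSecrets(resp *hvsclient.OpenAppSecretsOK,
 // maps secret name to its secret metadata
 metadata[v.Name] = m
 }
-secrets[v.Name] = v.StaticVersion.Value
 }
 
 if hasTemplates {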
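Review bot: The combined nil check at the top of the loop (`v.StaticVersion == nil && v.RotatingVersion == nil`) is now too loose for the per-type access that follows: a `kv` entry whose `StaticVersion` is nil but `RotatingVersion` is set reaches `v.StaticVersion.Value` and panics, and a `rotating` entry carrying only a `StaticVersion` does the same on `v.RotatingVersion.Values`. This payload comes from the HVS API rather than from in-process code, so the nil guard belongs inside each case — `if v.StaticVersion == nil { continue }` under `case HVSSecretTypeKV:` and `if v.RotatingVersion == nil { continue }` under `case HVSSecretTypeRotating:` — after which the combined check at the top can go. Separately, the `%s_%s` prefix only prevents collisions among the keys of one rotating secret: a kv secret named `rotatingfoo_api_key_one`, or names and keys that themselves contain `_`, would silently overwrite an earlier entry in `secrets` depending on the order of `p.Secrets`, so a guard such as `if _, dup := secrets[rName]; dup { ... }` that fails the build (or at least logs) would make the comment on the prefix true. The enclosing WithHVSAppSecrets starts and ends outside the hunk.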
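--- a/internal/helpers/secrets_test.go
+++ b/internal/helpers/secrets_test.go
@@ -1304,6 +1304,29 @@ func TestSecretDataBuilder_WithHVSAppSecrets(t *testing.T) {
 },
 Type: HVSSecretTypeKV,
 },
+{
+CreatedAt: strfmt.NewDateTime(),
+CreatedByID: "vso-2 uuid",
+LatestVersion: 1,
+Name: "rotatingfoo",
+Provider: "providerfoo",
+SyncStatus: nil,
+RotatingVersion: &models.Secrets20231128OpenSecretRotatingVersion{
+CreatedAt: strfmt.DateTime{},
+CreatedByID: "vault-secrets-rotator",
+ExpiresAt: strfmt.DateTime{},
+Keys: []string{
+"api_key_one",
+"api_key_two",
+},
+Values: map[string]string{
+"api_key_one": "123456",
+"api_key_two": "654321",
+},
+Version: 1,
+},
+Type: HVSSecretTypeRotating,
+},
 },
 },
 }
@@ -1366,9 +1389,11 @@ func TestSecretDataBuilder_WithHVSAppSecrets(t *testing.T) {
 name: "valid",
 resp: respValid,
 want: map[string][]byte{
-"bar": []byte("foo"),
-"foo": []byte("qux"),
-SecretDataKeyRaw: rawValid,
+"bar": []byte("foo"),
+"foo": []byte("qux"),
+"rotatingfoo_api_key_one": []byte("123456"),
+"rotatingfoo_api_key_two": []byte("654321"),
+SecretDataKeyRaw: rawValid,
 },
 wantErr: assert.NoError,
 },
@@ -1387,9 +1412,11 @@ func TestSecretDataBuilder_WithHVSAppSecrets(t *testing.T) {
 },
 },
 want: map[string][]byte{
-"bar": []byte("FOO"),
-"foo": []byte("qux"),
-SecretDataKeyRaw: rawValid,
+"bar": []byte("FOO"),
+"foo": []byte("qux"),
+"rotatingfoo_api_key_one": []byte("123456"),
+"rotatingfoo_api_key_two": []byte("654321"),
+SecretDataKeyRaw: rawValid,
 },
 wantErr: assert.NoError,
 },
@@ -1428,12 +1455,31 @@ func TestSecretDataBuilder_WithHVSAppSecrets(t *testing.T) {
 "version": 2
 },
 "type": "kv"
+},
+"rotatingfoo": {
+"created_at": "1970-01-01T00:00:00.000Z",
+"latest_version": 1,
+"name": "rotatingfoo",
+"provider": "providerfoo",
+"rotating_version": {
+"created_at": "0001-01-01T00:00:00.000Z",
+"expires_at": "0001-01-01T00:00:00.000Z",
+"keys": [
+"api_key_one",
+"api_key_two"
+],
+"revoked_at": "0001-01-01T00:00:00.000Z",
+"version": 1
+},
+"type": "rotating"
 }
 }`,
 ),
-"bar": []byte("foo"),
-"foo": []byte("qux"),
-SecretDataKeyRaw: rawValid,
+"bar": []byte("foo"),
+"foo": []byte("qux"),
+"rotatingfoo_api_key_one": []byte("123456"),
+"rotatingfoo_api_key_two": []byte("654321"),
+SecretDataKeyRaw: rawValid,
 },
 wantErr: assert.NoError,
 },
@@ -1465,8 +1511,10 @@ func TestSecretDataBuilder_WithHVSAppSecrets(t *testing.T) {
 Includes: []string{"foo"},
 },
 want: map[string][]byte{
-"foo": []byte("qux"),
-SecretDataKeyRaw: rawValid,
+"foo": []byte("qux"),
+"rotatingfoo_api_key_one": []byte("123456"),
+"rotatingfoo_api_key_two": []byte("654321"),
+SecretDataKeyRaw: rawValid,
 },
 wantErr: assert.NoError,
 },
@@ -1517,8 +1565,10 @@ func TestSecretDataBuilder_WithHVSAppSecrets(t *testing.T) {
 ExcludeRaw: true,
 },
 want: map[string][]byte{
-"bar": []byte("foo"),
-"foo": []byte("qux"),
+"bar": []byte("foo"),
+"foo": []byte("qux"),
+"rotatingfoo_api_key_one": []byte("123456"),
+"rotatingfoo_api_key_two": []byte("654321"),
 },
 wantErr: assert.NoError,
 },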
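Review bot: Every new expectation exercises the same happy-path fixture (one `rotating` entry with two populated `Values`), so the two edges the new code is sensitive to — a `rotating` entry whose `RotatingVersion` is nil, and a kv secret whose name equals a generated `<name>_<key>` such as `rotatingfoo_api_key_one` — are not covered, and the "avoid collisions" claim in `WithHVSAppSecrets` is not backed by a test. A table case with a `Type: HVSSecretTypeRotating` entry that sets only `StaticVersion`, and one adding a kv secret named `"rotatingfoo_api_key_one"`, would pin whichever behaviour (skip, error, or last-writer-wins) is intended. Note the `Includes: []string{"foo"}` case now also expects both `rotatingfoo_*` keys, which suggests include filtering matches on the HVS secret name rather than on the emitted data key; if that is intentional it deserves a comment on that case. TestSecretDataBuilder_WithHVSAppSecrets starts and ends outside the hunks.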