diff --git a/pkg/apis/api.kusion.io/v1/types.go b/pkg/apis/api.kusion.io/v1/types.go
index c5841e4b..f33ac38d 100644
--- a/pkg/apis/api.kusion.io/v1/types.go
+++ b/pkg/apis/api.kusion.io/v1/types.go
@@ -842,6 +842,8 @@ type Resource struct {
 type Spec struct {
 // Resources is the list of Resource this Spec contains.
 Resources Resources `yaml:"resources" json:"resources"`
+ // SecretSore represents a external secret store location for storing secrets.
+ SecretStore *SecretStore `yaml:"secretStore" json:"secretStore"`
 }
 
 // State is a record of an operation's result. It is a mapping between resources in KCL and the actual
diff --git a/pkg/engine/operation/apply.go b/pkg/engine/operation/apply.go
index 3bcf4ee7..eb7587ce 100644
--- a/pkg/engine/operation/apply.go
+++ b/pkg/engine/operation/apply.go
@@ -10,7 +10,7 @@ import (
 apiv1 "kusionstack.io/kusion/pkg/apis/api.kusion.io/v1"
 v1 "kusionstack.io/kusion/pkg/apis/status/v1"
 "kusionstack.io/kusion/pkg/engine/operation/graph"
- models "kusionstack.io/kusion/pkg/engine/operation/models"
+ "kusionstack.io/kusion/pkg/engine/operation/models"
 "kusionstack.io/kusion/pkg/engine/operation/parser"
 "kusionstack.io/kusion/pkg/engine/release"
 runtimeinit "kusionstack.io/kusion/pkg/engine/runtime/init"
@@ -94,6 +94,7 @@ func (ao *ApplyOperation) Apply(req *ApplyRequest) (rsp *ApplyResponse, s v1.Sta
 Operation: models.Operation{
 OperationType: models.Apply,
 ReleaseStorage: o.ReleaseStorage,
+ SecretStore: req.Release.Spec.SecretStore,
 CtxResourceIndex: map[string]*apiv1.Resource{},
 PriorStateResourceIndex: priorStateResourceIndex,
 StateResourceIndex: stateResourceIndex,
diff --git a/pkg/engine/operation/graph/resource_node.go b/pkg/engine/operation/graph/resource_node.go
index f65cf21a..1245bc52 100644
--- a/pkg/engine/operation/graph/resource_node.go
+++ b/pkg/engine/operation/graph/resource_node.go
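Review bot: The doc comment on the new Spec field misspells the field name and has an article slip; it should read `// SecretStore represents an external secret store location for storing secrets.` Since the field is a pointer, `yaml:"secretStore,omitempty" json:"secretStore,omitempty"` would keep specs built without a secret store from serializing a `secretStore: null` entry, though the sibling `Resources` tag has no omitempty, so check the project's convention first. Spec is also part of the Release that apply.go reads (`req.Release.Spec.SecretStore`), so whatever the provider spec contains now appears to travel with the persisted release; worth keeping in mind when reviewing what the provider spec may hold.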
@@ -4,15 +4,21 @@ import (
 "context"
 "errors"
 "fmt"
+ "net/url"
 "reflect"
 "strings"
 
+ corev1 "k8s.io/api/core/v1"
+ "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+ k8sruntime "k8s.io/apimachinery/pkg/runtime"
+
 apiv1 "kusionstack.io/kusion/pkg/apis/api.kusion.io/v1"
 v1 "kusionstack.io/kusion/pkg/apis/status/v1"
 "kusionstack.io/kusion/pkg/engine"
 "kusionstack.io/kusion/pkg/engine/operation/models"
 "kusionstack.io/kusion/pkg/engine/runtime"
 "kusionstack.io/kusion/pkg/log"
+ "kusionstack.io/kusion/pkg/secrets"
 "kusionstack.io/kusion/pkg/util"
 "kusionstack.io/kusion/pkg/util/diff"
 "kusionstack.io/kusion/pkg/util/json"
@@ -32,30 +38,78 @@ const (
 func (rn *ResourceNode) PreExecute(o *models.Operation) v1.Status {
 value := reflect.ValueOf(rn.resource.Attributes)
- var replaced reflect.Value
- var s v1.Status
 switch o.OperationType {
 case models.ApplyPreview:
- // first time apply. Do not replace implicit dependency ref
- if len(o.PriorStateResourceIndex) == 0 {
- _, replaced, s = ReplaceSecretRef(value)
- } else {
- _, replaced, s = ReplaceRef(value, o.CtxResourceIndex, OptionalImplicitReplaceFun)
+ // don't replace implicit dependency ref in the first time apply
+ if len(o.PriorStateResourceIndex) != 0 {
+ _, replaced, s := ReplaceRef(value, o.CtxResourceIndex, OptionalImplicitReplaceFun)
+ if v1.IsErr(s) {
+ return s
+ }
+ rn.resource.Attributes = replaced.Interface().(map[string]interface{})
 }
 case models.Apply:
- // replace secret ref and implicit ref
- _, replaced, s = ReplaceRef(value, o.CtxResourceIndex, MustImplicitReplaceFun)
+ // replace implicit refs
+ _, replaced, s := ReplaceRef(value, o.CtxResourceIndex, MustImplicitReplaceFun)
+ if v1.IsErr(s) {
+ return s
+ }
+ rn.resource.Attributes = replaced.Interface().(map[string]interface{})
+
+ // replace k8s secret refs
+ if rn.resource.Type == apiv1.Kubernetes {
+ un := &unstructured.Unstructured{}
+ un.SetUnstructuredContent(rn.resource.Attributes)
+ if un.GetKind() == "Secret" {
+ att, s := replaceSecretRef(o, un.Object)
+ if v1.IsErr(s) {
+ return s
+ }
+ if att != nil {
+ rn.resource.Attributes = att
+ }
+ }
+ }
 default:
 return nil
 }
- if v1.IsErr(s) {
- return s
+
+ return nil
+}
+
+func replaceSecretRef(o *models.Operation, obj map[string]interface{}) (map[string]interface{}, v1.Status) {
+ secret := &corev1.Secret{}
+ converter := k8sruntime.DefaultUnstructuredConverter
+ err := converter.FromUnstructured(obj, secret)
+ if err != nil {
+ return nil, v1.NewErrorStatus(err)
 }
- if !replaced.IsZero() {
- rn.resource.Attributes = replaced.Interface().(map[string]interface{})
+ for k, data := range secret.Data {
+ ref := string(data)
+ externalSecretRef, err := parseExternalSecretDataRef(ref)
+ if err != nil {
+ return nil, v1.NewErrorStatus(err)
+ }
+ provider, exist := secrets.GetProvider(o.SecretStore.Provider)
+ if !exist {
+ return nil, v1.NewErrorStatus(errors.New("no matched secret store found, please check workspace yaml"))
+ }
+ secretStore, err := provider.NewSecretStore(o.SecretStore)
+ if err != nil {
+ return nil, v1.NewErrorStatus(err)
+ }
+ secretData, err := secretStore.GetSecret(context.Background(), *externalSecretRef)
+ if err != nil {
+ return nil, v1.NewErrorStatus(err)
+ }
+ secret.Data[k] = secretData
 }
- return nil
+ un, err := converter.ToUnstructured(secret)
+ if err != nil {
+ return nil, v1.NewErrorStatus(err)
+ }
+ return un, nil
 }
 
 func (rn *ResourceNode) Execute(operation *models.Operation) (s v1.Status) {
@@ -251,6 +305,8 @@ func (rn *ResourceNode) applyResource(operation *models.Operation, prior, planed
 } else {
 res = prior
 }
+ default:
+ return v1.NewErrorStatus(fmt.Errorf("unknown action type: %v", rn.Action))
 }
 if v1.IsErr(s) {
 return s
@@ -300,10 +356,6 @@ func updateChangeOrder(ops *models.Operation, rn *ResourceNode, plan, live inter
 order.ChangeSteps[rn.ID] = models.NewChangeStep(rn.ID, rn.Action, plan, live)
 }
 
-func ReplaceSecretRef(v reflect.Value) ([]string, reflect.Value, v1.Status) {
- return ReplaceRef(v, nil, nil)
-}
-
 var MustImplicitReplaceFun = func(resourceIndex map[string]*apiv1.Resource, refPath string) (reflect.Value, v1.Status) {
 return implicitReplaceFun(true, resourceIndex, refPath)
 }
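Review bot: replaceSecretRef runs for every Kubernetes `Secret` and treats each `secret.Data` value as an external reference, so a literal value from a basic/token/certificate secret is handed to `url.Parse` and then `o.SecretStore.Provider` is dereferenced; `SecretStore` is nil whenever the workspace declares none (app_configurations_generator only copies it when non-nil, and only the Apply operation in apply.go sets it at all), which panics the apply instead of returning a status. The loop also calls `provider.NewSecretStore` once per data key. I would resolve only values whose scheme is `ref` (the form the tests use), return `nil, nil` when there are none so the caller keeps the attributes untouched, nil-check the store once and build it once; the `un.GetKind() == "Secret"` test in PreExecute could additionally compare `un.GetAPIVersion()` with `"v1"` so a custom resource of the same kind is not decoded as a core Secret.
```go
func replaceSecretRef(o *models.Operation, obj map[string]interface{}) (map[string]interface{}, v1.Status) {
	secret := &corev1.Secret{}
	converter := k8sruntime.DefaultUnstructuredConverter
	if err := converter.FromUnstructured(obj, secret); err != nil {
		return nil, v1.NewErrorStatus(err)
	}

	// Only values written as ref://... are external references; literal data
	// (basic/token/certificate secrets) must pass through untouched.
	refs := make(map[string]*apiv1.ExternalSecretRef)
	for k, data := range secret.Data {
		ref := string(data)
		if uri, err := url.Parse(ref); err != nil || uri.Scheme != "ref" {
			continue
		}
		externalSecretRef, err := parseExternalSecretDataRef(ref)
		if err != nil {
			return nil, v1.NewErrorStatus(err)
		}
		refs[k] = externalSecretRef
	}
	if len(refs) == 0 {
		return nil, nil // nothing to resolve; the caller keeps the original attributes
	}

	if o.SecretStore == nil {
		return nil, v1.NewErrorStatus(errors.New("secret store is not configured in workspace, but external secret refs are used"))
	}
	provider, exist := secrets.GetProvider(o.SecretStore.Provider)
	if !exist {
		return nil, v1.NewErrorStatus(errors.New("no matched secret store found, please check workspace yaml"))
	}
	// Build the store once rather than once per data key.
	secretStore, err := provider.NewSecretStore(o.SecretStore)
	if err != nil {
		return nil, v1.NewErrorStatus(err)
	}
	for k, ref := range refs {
		secretData, err := secretStore.GetSecret(context.Background(), *ref)
		if err != nil {
			return nil, v1.NewErrorStatus(err)
		}
		secret.Data[k] = secretData
	}
	// … unchanged: ToUnstructured conversion and return …
}
```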
@@ -435,3 +487,42 @@ func ReplaceRef(
 }
 return result, v, nil
 }
+
+// parseExternalSecretDataRef knows how to parse the remote data ref string, returns the corresponding ExternalSecretRef object.
+func parseExternalSecretDataRef(dataRefStr string) (*apiv1.ExternalSecretRef, error) {
+ uri, err := url.Parse(dataRefStr)
+ if err != nil {
+ return nil, err
+ }
+
+ ref := &apiv1.ExternalSecretRef{}
+ if len(uri.Path) > 0 {
+ partialName, property := parsePath(uri.Path)
+ if len(partialName) > 0 {
+ ref.Name = uri.Host + "/" + partialName
+ } else {
+ ref.Name = uri.Host
+ }
+ ref.Property = property
+ } else {
+ ref.Name = uri.Host
+ }
+
+ query := uri.Query()
+ if len(query) > 0 && len(query.Get("version")) > 0 {
+ ref.Version = query.Get("version")
+ }
+
+ return ref, nil
+}
+
+func parsePath(path string) (partialName string, property string) {
+ pathParts := strings.Split(path, "/")
+ if len(pathParts) > 1 {
+ partialName = strings.Join(pathParts[1:len(pathParts)-1], "/")
+ property = pathParts[len(pathParts)-1]
+ } else {
+ property = pathParts[0]
+ }
+ return partialName, property
+}
diff --git a/pkg/engine/operation/graph/resource_node_test.go b/pkg/engine/operation/graph/resource_node_test.go
index 918e6008..3e2912cf 100644
--- a/pkg/engine/operation/graph/resource_node_test.go
+++ b/pkg/engine/operation/graph/resource_node_test.go
@@ -2,6 +2,7 @@ package graph
 
 import (
 "context"
+ "reflect"
 "sync"
 "testing"
 
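Review bot: parseExternalSecretDataRef accepts any string that url.Parse tolerates: it never checks the scheme, and an input with no host (a plain word parses as a bare path) yields an ExternalSecretRef with an empty Name that is then looked up in the provider. Rejecting those up front gives a clear error at the source: `if uri.Scheme != "ref" || uri.Host == "" { return nil, fmt.Errorf("invalid external secret ref %q: expected ref://<name>[/<property>][?version=<v>]", dataRefStr) }` (the tests use `ref://` consistently; adjust if other schemes are documented). parsePath also lacks a doc comment; `// parsePath splits a ref path into the inner name segments (joined with "/") and the trailing property.` describes what it does.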
@@ -248,3 +249,68 @@ func Test_removeNestedField(t *testing.T) {
 assert.Len(t, ports[0], 2)
 })
 }
+
+func TestParseExternalSecretDataRef(t *testing.T) {
+ tests := []struct {
+ name string
+ dataRefStr string
+ want *apiv1.ExternalSecretRef
+ wantErr bool
+ }{
+ {
+ name: "invalid data ref string",
+ dataRefStr: "$%#//invalid",
+ want: nil,
+ wantErr: true,
+ },
+ {
+ name: "only secret name",
+ dataRefStr: "ref://secret-name",
+ want: &apiv1.ExternalSecretRef{
+ Name: "secret-name",
+ },
+ wantErr: false,
+ },
+ {
+ name: "secret name with version",
+ dataRefStr: "ref://secret-name?version=1",
+ want: &apiv1.ExternalSecretRef{
+ Name: "secret-name",
+ Version: "1",
+ },
+ wantErr: false,
+ },
+ {
+ name: "secret name with property and version",
+ dataRefStr: "ref://secret-name/property?version=1",
+ want: &apiv1.ExternalSecretRef{
+ Name: "secret-name",
+ Property: "property",
+ Version: "1",
+ },
+ wantErr: false,
+ },
+ {
+ name: "nested secret name with property and version",
+ dataRefStr: "ref://customer/acme/customer_name?version=1",
+ want: &apiv1.ExternalSecretRef{
+ Name: "customer/acme",
+ Property: "customer_name",
+ Version: "1",
+ },
+ wantErr: false,
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ got, err := parseExternalSecretDataRef(tt.dataRefStr)
+ if (err != nil) != tt.wantErr {
+ t.Errorf("parseExternalSecretDataRef() error = %v, wantErr %v", err, tt.wantErr)
+ return
+ }
+ if !reflect.DeepEqual(got, tt.want) {
+ t.Errorf("parseExternalSecretDataRef() got = %v, want %v", got, tt.want)
+ }
+ })
+ }
+}
diff --git a/pkg/engine/operation/models/operation_context.go b/pkg/engine/operation/models/operation_context.go
index 50a9e1bf..0ba4ef03 100644
--- a/pkg/engine/operation/models/operation_context.go
+++ b/pkg/engine/operation/models/operation_context.go
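Review bot: The relocated table has no case for a value without the `ref://` scheme or with an empty host (for example a plain `password123`, which url.Parse accepts as a bare path and which currently produces an ExternalSecretRef with an empty Name), so the behaviour for literal secret data is untested at the new call site. Adding such a case, and a counterpart for the `create_external_secret_not_found` case this commit drops from secret_generator_test.go, would cover the paths replaceSecretRef now owns.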
@@ -19,6 +19,9 @@ type Operation struct {
 // ReleaseStorage represents the storage where state will be saved during this operation
 ReleaseStorage release.Storage
 
+ // SecretStore represents the storage where secrets were saved
+ SecretStore *apiv1.SecretStore
+
 // CtxResourceIndex represents resources updated by this operation
 CtxResourceIndex map[string]*apiv1.Resource
 
diff --git a/pkg/modules/generators/app_configurations_generator.go b/pkg/modules/generators/app_configurations_generator.go
index 770066ca..f9d93469 100644
--- a/pkg/modules/generators/app_configurations_generator.go
+++ b/pkg/modules/generators/app_configurations_generator.go
@@ -164,6 +164,11 @@ func (g *appConfigurationGenerator) Generate(spec *v1.Spec) error {
 return err
 }
 
+ // append secretStore in the Spec
+ if g.ws.SecretStore != nil {
+ spec.SecretStore = g.ws.SecretStore
+ }
+
 return nil
 }
 
diff --git a/pkg/modules/generators/workload/secret/secret_generator.go b/pkg/modules/generators/workload/secret/secret_generator.go
index f50cb5f5..f3bd767c 100644
--- a/pkg/modules/generators/workload/secret/secret_generator.go
+++ b/pkg/modules/generators/workload/secret/secret_generator.go
@@ -1,20 +1,15 @@
 package secret
 
 import (
- "context"
 "errors"
 "fmt"
- "net/url"
- "strings"
 
 "golang.org/x/exp/maps"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- utilerrors "k8s.io/apimachinery/pkg/util/errors"
 
 v1 "kusionstack.io/kusion/pkg/apis/api.kusion.io/v1"
 "kusionstack.io/kusion/pkg/modules"
- "kusionstack.io/kusion/pkg/secrets"
 )
 
 type secretGenerator struct {
@@ -101,6 +96,7 @@ func (g *secretGenerator) generateSecret(secretName string, secretRef v1.Secret)
 case "certificate":
 return g.generateCertificate(secretName, secretRef)
 case "external":
+ // todo retrieve actual secrets in the `apply` step
 return g.generateSecretWithExternalProvider(secretName, secretRef)
 default:
 return nil, fmt.Errorf("unrecognized secret type %s", secretRef.Type)
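Review bot: The field comment `// SecretStore represents the storage where secrets were saved` reads as if this were a storage backend like ReleaseStorage, but the value is the workspace's external secret store spec that resource_node.go uses to resolve `ref://` values at apply time, and it is nil when no store is configured. Suggest `// SecretStore is the external secret store spec (taken from the workspace) used to resolve external secret refs during apply; nil when the workspace declares none.`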
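Review bot: `spec.SecretStore = g.ws.SecretStore` copies the workspace pointer into the Spec, so the whole provider spec now travels with the Spec and, through `req.Release.Spec.SecretStore` in apply.go, with the release. If a provider spec can carry credentials rather than only endpoint or region information (not visible in this diff), they would be persisted wherever the release is stored; worth confirming, and if so either storing only the non-sensitive part or re-reading the store from the workspace at apply time. The comment `// append secretStore in the Spec` would also be more useful as `// attach the workspace secret store; refs are resolved at apply time (graph.PreExecute), not here`.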
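Review bot: The new comment in generateSecret uses a lowercase `todo`, which tooling keyed on `TODO` does not surface, and it does not say where the work now happens. `// TODO: data holds raw ref:// strings here; they are resolved in graph.PreExecute during apply.` would leave the next reader with the actual contract.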
@@ -163,33 +159,8 @@ func (g *secretGenerator) generateSecretWithExternalProvider(secretName string,
 secret := initBasicSecret(g.namespace, secretName, corev1.SecretTypeOpaque, secretRef.Immutable)
 secret.Data = make(map[string][]byte)
 
- var allErrs []error
 for key, ref := range secretRef.Data {
- externalSecretRef, err := parseExternalSecretDataRef(ref)
- if err != nil {
- allErrs = append(allErrs, err)
- continue
- }
- provider, exist := secrets.GetProvider(g.secretStore.Provider)
- if !exist {
- allErrs = append(allErrs, errors.New("no matched secret store found, please check workspace yaml"))
- continue
- }
- secretStore, err := provider.NewSecretStore(*g.secretStore)
- if err != nil {
- allErrs = append(allErrs, err)
- continue
- }
- secretData, err := secretStore.GetSecret(context.Background(), *externalSecretRef)
- if err != nil {
- allErrs = append(allErrs, err)
- continue
- }
- secret.Data[key] = secretData
- }
-
- if allErrs != nil {
- return nil, utilerrors.NewAggregate(allErrs)
+ secret.Data[key] = []byte(ref)
 }
 
 return secret, nil
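Review bot: generateSecretWithExternalProvider no longer validates the ref strings, so a malformed `ref://` value is only reported at apply time, long after the spec was generated, and the function name now promises more than the body does. A cheap build-time check keeps the early feedback: `if _, err := url.Parse(ref); err != nil { return nil, fmt.Errorf("invalid external secret ref for key %q: %w", key, err) }` (this re-adds the net/url import the commit removes from this file). The function's closing brace is outside the hunk.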
@@ -209,46 +180,6 @@ func grabData(from map[string]string, keys ...string) map[string][]byte {
 return to
 }
 
-// parseExternalSecretDataRef knows how to parse the remote data ref string, returns the
-// corresponding ExternalSecretRef object.
-func parseExternalSecretDataRef(dataRefStr string) (*v1.ExternalSecretRef, error) {
- uri, err := url.Parse(dataRefStr)
- if err != nil {
- return nil, err
- }
-
- ref := &v1.ExternalSecretRef{}
- if len(uri.Path) > 0 {
- partialName, property := parsePath(uri.Path)
- if len(partialName) > 0 {
- ref.Name = uri.Host + "/" + partialName
- } else {
- ref.Name = uri.Host
- }
- ref.Property = property
- } else {
- ref.Name = uri.Host
- }
-
- query := uri.Query()
- if len(query) > 0 && len(query.Get("version")) > 0 {
- ref.Version = query.Get("version")
- }
-
- return ref, nil
-}
-
-func parsePath(path string) (partialName string, property string) {
- pathParts := strings.Split(path, "/")
- if len(pathParts) > 1 {
- partialName = strings.Join(pathParts[1:len(pathParts)-1], "/")
- property = pathParts[len(pathParts)-1]
- } else {
- property = pathParts[0]
- }
- return partialName, property
-}
-
 func initBasicSecret(namespace, name string, secretType corev1.SecretType, immutable bool) *corev1.Secret {
 secret := &corev1.Secret{
 TypeMeta: metav1.TypeMeta{
diff --git a/pkg/modules/generators/workload/secret/secret_generator_test.go b/pkg/modules/generators/workload/secret/secret_generator_test.go
index 8ee0dd0a..c1db2e7f 100644
--- a/pkg/modules/generators/workload/secret/secret_generator_test.go
+++ b/pkg/modules/generators/workload/secret/secret_generator_test.go
@@ -1,7 +1,6 @@
 package secret
 
 import (
- "reflect"
 "testing"
 
 "github.com/stretchr/testify/require"
@@ -149,21 +148,6 @@ func TestGenerateSecretWithExternalRef(t *testing.T) {
 },
 },
 },
- "create_external_secret_not_found": {
- secretName: "access-token",
- secretType: "external",
- secretData: map[string]string{
- "accessToken": "ref://token?version=1",
- },
- providerData: []v1.FakeProviderData{
- {
- Key: "token-info",
- Value: "some sensitive info",
- Version: "1",
- },
- },
- expectErr: "Secret does not exist",
- },
 }
 
 // run all the tests
@@ -188,68 +172,3 @@ func TestGenerateSecretWithExternalRef(t *testing.T) {
 })
 }
 }
-
-func TestParseExternalSecretDataRef(t *testing.T) {
- tests := []struct {
- name string
- dataRefStr string
- want *v1.ExternalSecretRef
- wantErr bool
- }{
- {
- name: "invalid data ref string",
- dataRefStr: "$%#//invalid",
- want: nil,
- wantErr: true,
- },
- {
- name: "only secret name",
- dataRefStr: "ref://secret-name",
- want: &v1.ExternalSecretRef{
- Name: "secret-name",
- },
- wantErr: false,
- },
- {
- name: "secret name with version",
- dataRefStr: "ref://secret-name?version=1",
- want: &v1.ExternalSecretRef{
- Name: "secret-name",
- Version: "1",
- },
- wantErr: false,
- },
- {
- name: "secret name with property and version",
- dataRefStr: "ref://secret-name/property?version=1",
- want: &v1.ExternalSecretRef{
- Name: "secret-name",
- Property: "property",
- Version: "1",
- },
- wantErr: false,
- },
- {
- name: "nested secret name with property and version",
- dataRefStr: "ref://customer/acme/customer_name?version=1",
- want: &v1.ExternalSecretRef{
- Name: "customer/acme",
- Property: "customer_name",
- Version: "1",
- },
- wantErr: false,
- },
- }
- for _, tt := range tests {
- t.Run(tt.name, func(t *testing.T) {
- got, err := parseExternalSecretDataRef(tt.dataRefStr)
- if (err != nil) != tt.wantErr {
- t.Errorf("parseExternalSecretDataRef() error = %v, wantErr %v", err, tt.wantErr)
- return
- }
- if !reflect.DeepEqual(got, tt.want) {
- t.Errorf("parseExternalSecretDataRef() got = %v, want %v", got, tt.want)
- }
- })
- }
-}
diff --git a/pkg/secrets/interfaces.go b/pkg/secrets/interfaces.go
index 613cd42b..1b410724 100644
--- a/pkg/secrets/interfaces.go
+++ b/pkg/secrets/interfaces.go
@@ -15,7 +15,7 @@ type SecretStore interface {
 // SecretStoreProvider is a factory type for secret store.
 type SecretStoreProvider interface {
 // NewSecretStore constructs a usable secret store with specific provider spec.
- NewSecretStore(spec v1.SecretStore) (SecretStore, error)
+ NewSecretStore(spec *v1.SecretStore) (SecretStore, error)
 }
 
 var NoSecretErr = NoSecretError{}
diff --git a/pkg/secrets/providers/alicloud/secretsmanager/secretsmanager.go b/pkg/secrets/providers/alicloud/secretsmanager/secretsmanager.go
index ea705b4d..090cac19 100644
--- a/pkg/secrets/providers/alicloud/secretsmanager/secretsmanager.go
+++ b/pkg/secrets/providers/alicloud/secretsmanager/secretsmanager.go
@@ -41,7 +41,7 @@ type smSecretStore struct {
 }
 
 // NewSecretStore constructs a Vault based secret store with specific secret store spec.
-func (p *DefaultSecretStoreProvider) NewSecretStore(spec v1.SecretStore) (secrets.SecretStore, error) {
+func (p *DefaultSecretStoreProvider) NewSecretStore(spec *v1.SecretStore) (secrets.SecretStore, error) {
 providerSpec := spec.Provider
 if providerSpec == nil {
 return nil, fmt.Errorf(errMissingProviderSpec)
diff --git a/pkg/secrets/providers/alicloud/secretsmanager/secretsmanager_test.go b/pkg/secrets/providers/alicloud/secretsmanager/secretsmanager_test.go
index ad0f0942..9bb51ea2 100644
--- a/pkg/secrets/providers/alicloud/secretsmanager/secretsmanager_test.go
+++ b/pkg/secrets/providers/alicloud/secretsmanager/secretsmanager_test.go
@@ -141,7 +141,7 @@ func TestNewSecretStore(t *testing.T) {
 factory := DefaultSecretStoreProvider{}
 
 for name, tc := range testCases {
- _, err := factory.NewSecretStore(tc.spec)
+ _, err := factory.NewSecretStore(&tc.spec)
 if diff := cmp.Diff(err, tc.expectedErr, EquateErrors()); diff != "" {
 t.Errorf("\n%s\ngot unexpected error: \n%s", name, diff)
 }
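Review bot: NewSecretStore now takes `*v1.SecretStore`, but every implementation in this commit (alicloud and aws secretsmanager, azure keyvault, fake, hashivault) still reads `spec.Provider` on its first line, so a nil spec — which the new call site in resource_node.go can pass when the workspace declares no secret store — panics instead of returning an error. Either state the contract on the interface, `// NewSecretStore constructs a usable secret store with specific provider spec; spec must be non-nil.`, or guard in each implementation before the existing `providerSpec := spec.Provider` line with `if spec == nil { return nil, fmt.Errorf(errMissingProviderSpec) }` (using each file's own missing-spec error). The alicloud comment `constructs a Vault based secret store` is also copy-pasted from hashivault and should name the Alibaba Cloud Secrets Manager.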
diff --git a/pkg/secrets/providers/aws/secretsmanager/secretsmanager.go b/pkg/secrets/providers/aws/secretsmanager/secretsmanager.go
index 52aa6c9b..ebff24c7 100644
--- a/pkg/secrets/providers/aws/secretsmanager/secretsmanager.go
+++ b/pkg/secrets/providers/aws/secretsmanager/secretsmanager.go
@@ -30,7 +30,7 @@ var _ secrets.SecretStore = &smSecretStore{}
 type DefaultSecretStoreProvider struct{}
 
 // NewSecretStore constructs a Vault based secret store with specific secret store spec.
-func (p *DefaultSecretStoreProvider) NewSecretStore(spec v1.SecretStore) (secrets.SecretStore, error) {
+func (p *DefaultSecretStoreProvider) NewSecretStore(spec *v1.SecretStore) (secrets.SecretStore, error) {
 providerSpec := spec.Provider
 if providerSpec == nil {
 return nil, fmt.Errorf(errMissingProviderSpec)
diff --git a/pkg/secrets/providers/aws/secretsmanager/secretsmanager_test.go b/pkg/secrets/providers/aws/secretsmanager/secretsmanager_test.go
index 9207d868..04249949 100644
--- a/pkg/secrets/providers/aws/secretsmanager/secretsmanager_test.go
+++ b/pkg/secrets/providers/aws/secretsmanager/secretsmanager_test.go
@@ -161,7 +161,7 @@ func TestNewSecretStore(t *testing.T) {
 factory := DefaultSecretStoreProvider{}
 
 for name, tc := range testCases {
- _, err := factory.NewSecretStore(tc.spec)
+ _, err := factory.NewSecretStore(&tc.spec)
 if diff := cmp.Diff(err, tc.expectedErr, EquateErrors()); diff != "" {
 t.Errorf("\n%s\ngot unexpected error:\n%s", name, diff)
 }
diff --git a/pkg/secrets/providers/azure/keyvault/keyvault.go b/pkg/secrets/providers/azure/keyvault/keyvault.go
index da7478c2..69fd414b 100644
--- a/pkg/secrets/providers/azure/keyvault/keyvault.go
+++ b/pkg/secrets/providers/azure/keyvault/keyvault.go
@@ -38,7 +38,7 @@ var _ secrets.SecretStore = &kvSecretStore{}
 type DefaultSecretStoreProvider struct{}
 
 // NewSecretStore constructs an Azure KeyVault based secret store with specific secret store spec.
-func (p *DefaultSecretStoreProvider) NewSecretStore(spec v1.SecretStore) (secrets.SecretStore, error) {
+func (p *DefaultSecretStoreProvider) NewSecretStore(spec *v1.SecretStore) (secrets.SecretStore, error) {
 providerSpec := spec.Provider
 if providerSpec == nil {
 return nil, fmt.Errorf(errMissingProviderSpec)
diff --git a/pkg/secrets/providers/azure/keyvault/keyvault_test.go b/pkg/secrets/providers/azure/keyvault/keyvault_test.go
index 373af68a..94885db5 100644
--- a/pkg/secrets/providers/azure/keyvault/keyvault_test.go
+++ b/pkg/secrets/providers/azure/keyvault/keyvault_test.go
@@ -156,7 +156,7 @@ func TestNewSecretStore(t *testing.T) {
 cleanup := fake.SetClientIDSecretInEnv()
 defer cleanup()
 }
- _, err := factory.NewSecretStore(tc.spec)
+ _, err := factory.NewSecretStore(&tc.spec)
 if diff := cmp.Diff(err, tc.expectedErr, EquateErrors()); diff != "" {
 t.Errorf("\n%s\ngot unexpected error:\n%s", name, diff)
 }
diff --git a/pkg/secrets/providers/fake/fake.go b/pkg/secrets/providers/fake/fake.go
index 44aa2c11..16874580 100644
--- a/pkg/secrets/providers/fake/fake.go
+++ b/pkg/secrets/providers/fake/fake.go
@@ -30,7 +30,7 @@ var _ secrets.SecretStore = &fakeSecretStore{}
 type DefaultSecretStoreProvider struct{}
 
 // NewSecretStore constructs a fake secret store instance.
-func (p *DefaultSecretStoreProvider) NewSecretStore(spec v1.SecretStore) (secrets.SecretStore, error) {
+func (p *DefaultSecretStoreProvider) NewSecretStore(spec *v1.SecretStore) (secrets.SecretStore, error) {
 providerSpec := spec.Provider
 if providerSpec == nil {
 return nil, fmt.Errorf(errMissingProviderSpec)
diff --git a/pkg/secrets/providers/fake/fake_test.go b/pkg/secrets/providers/fake/fake_test.go
index f4c39442..1f97ecbb 100644
--- a/pkg/secrets/providers/fake/fake_test.go
+++ b/pkg/secrets/providers/fake/fake_test.go
@@ -76,7 +76,7 @@ func TestGetSecret(t *testing.T) {
 }
 for _, tt := range testCases {
 t.Run(tt.name, func(t *testing.T) {
- ss, _ := p.NewSecretStore(v1.SecretStore{
+ ss, _ := p.NewSecretStore(&v1.SecretStore{
 Provider: &v1.ProviderSpec{
 Fake: &v1.FakeProvider{
 Data: tt.input,
diff --git a/pkg/secrets/providers/hashivault/vault.go b/pkg/secrets/providers/hashivault/vault.go
index d2c7d4c0..cbdef680 100644
--- a/pkg/secrets/providers/hashivault/vault.go
+++ b/pkg/secrets/providers/hashivault/vault.go
@@ -37,7 +37,7 @@ var _ secrets.SecretStore = &vaultSecretStore{}
 type DefaultSecretStoreProvider struct{}
 
 // NewSecretStore constructs a Vault based secret store with specific secret store spec.
-func (p *DefaultSecretStoreProvider) NewSecretStore(spec v1.SecretStore) (secrets.SecretStore, error) {
+func (p *DefaultSecretStoreProvider) NewSecretStore(spec *v1.SecretStore) (secrets.SecretStore, error) {
 providerSpec := spec.Provider
 if providerSpec == nil || providerSpec.Vault == nil {
 return nil, errors.New(errInvalidVaultSecretStore)
diff --git a/pkg/secrets/providers/hashivault/vault_test.go b/pkg/secrets/providers/hashivault/vault_test.go
index 78f20d7b..c7e3b1ab 100644
--- a/pkg/secrets/providers/hashivault/vault_test.go
+++ b/pkg/secrets/providers/hashivault/vault_test.go
@@ -299,7 +299,7 @@ func TestNewSecretStore(t *testing.T) {
 factory := DefaultSecretStoreProvider{}
 
 for name, tc := range testCases {
- _, err := factory.NewSecretStore(tc.spec)
+ _, err := factory.NewSecretStore(&tc.spec)
 if diff := cmp.Diff(err, tc.expectedErr, EquateErrors()); diff != "" {
 t.Errorf("\n%s\ngot unexpected error:\n%s", name, diff)
 }
diff --git a/pkg/secrets/providers_test.go b/pkg/secrets/providers_test.go
index 426b8aaf..01506972 100644
--- a/pkg/secrets/providers_test.go
+++ b/pkg/secrets/providers_test.go
@@ -21,7 +21,7 @@ func (fss *FakeSecretStore) GetSecret(_ context.Context, _ v1.ExternalSecretRef)
 type FakeSecretStoreProvider struct{}
 
 // Fake implementation of SecretStoreProvider.NewSecretStore.
-func (fsf *FakeSecretStoreProvider) NewSecretStore(_ v1.SecretStore) (SecretStore, error) {
+func (fsf *FakeSecretStoreProvider) NewSecretStore(spec *v1.SecretStore) (SecretStore, error) {
 return &FakeSecretStore{}, nil
 }
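Review bot: The fake provider's NewSecretStore renames its parameter from `_` to `spec` but the body never reads it, so the rename only hides that the argument is intentionally ignored. Keep the blank identifier, `func (fsf *FakeSecretStoreProvider) NewSecretStore(_ *v1.SecretStore) (SecretStore, error) {`, which is the convention the old signature already followed.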