Adding support for variable value from secretRef

jtyr · jtyr · commit 46d9b36d5f90 · 2022-04-19T18:00:10.000+01:00
diff --git a/workspacehelper/k8s_secret.go b/workspacehelper/k8s_secret.go
@@ -0,0 +1,69 @@
+package workspacehelper
+
+import (
+	"context"
+	"errors"
+
+	"github.com/hashicorp/terraform-k8s/api/v1alpha1"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+// GetSecretData retrieves the data from a secret in a given namespace
+func (r *WorkspaceHelper) GetSecretData(namespace string, name string) (map[string][]byte, error) {
+	// If no secretName defined, return empty map
+	if name == "" {
+		return make(map[string][]byte), nil
+	}
+
+	r.reqLogger.Info("Getting Secret", "Namespace", namespace, "Name", name)
+
+	secret := &corev1.Secret{}
+	err := r.client.Get(context.TODO(), types.NamespacedName{Name: name, Namespace: namespace}, secret)
+
+	if err != nil {
+		r.reqLogger.Error(err, "Failed to get Secret", "Namespace", namespace, "Name", name)
+
+		return nil, err
+	}
+
+	return secret.Data, nil
+}
+
+// GetSecretForVariable retrieves the sensitive value associated with the variable from a secret
+func (r *WorkspaceHelper) GetSecretForVariable(namespace string, variable *v1alpha1.Variable) error {
+	if variable.Sensitive == false {
+		return nil
+	}
+
+	if variable.ValueFrom.SecretKeyRef == nil {
+		err := errors.New("Include Secret in ValueFrom")
+
+		r.reqLogger.Error(err, "No Secret specified", "Namespace", namespace, "Variable", variable.Key)
+
+		return err
+	}
+
+	r.reqLogger.Info("Checking Secret for variable", "Namespace", namespace, "Variable", variable.Key)
+
+	name := variable.ValueFrom.SecretKeyRef.LocalObjectReference.Name
+	key := variable.ValueFrom.SecretKeyRef.Key
+
+	data, err := r.GetSecretData(namespace, name)
+	if err != nil {
+		return err
+	}
+
+	value, ok := data[key]
+	if !ok {
+		err := errors.New("Include Secret key reference in ValueFrom")
+
+		r.reqLogger.Error(err, "No Secret key specified", "Namespace", namespace, "Name", name, "Key", key)
+
+		return err
+	}
+
+	variable.Value = string(value)
+
+	return nil
+}
diff --git a/workspacehelper/tfc_variable.go b/workspacehelper/tfc_variable.go
@@ -223,8 +223,11 @@ func (t *TerraformCloudClient) UpdateTerraformVariables(variables []*tfc.Variabl
 }
 
 func checkAndRetrieveIfSensitive(variable *tfc.Variable, secretsMountPath string) error {
-	if variable.Sensitive {
+	// Try to read variables with empty value from file. If the value isn't empty,
+	// it was already read fromValue.SecretKeyRef.
+	if variable.Sensitive && variable.Value == "" {
 		filePath := fmt.Sprintf("%s/%s", secretsMountPath, variable.Key)
+
 		data, err := ioutil.ReadFile(filePath)
 		if err != nil {
 			return fmt.Errorf("could not get secret, %s", err)
diff --git a/workspacehelper/workspace_helper.go b/workspacehelper/workspace_helper.go
@@ -293,6 +293,10 @@ func (r *WorkspaceHelper) updateVariables(instance *appv1alpha1.Workspace) (bool
 		if err != nil {
 			return false, err
 		}
+		err = r.GetSecretForVariable(instance.Namespace, variable)
+		if err != nil {
+			return false, err
+		}
 	}
 
 	specTFCVariables := MapToTFCVariable(instance.Spec.Variables)

Original file line number	Diff line number	Diff line change
`@@ -293,6 +293,10 @@ func (r WorkspaceHelper) updateVariables(instance appv1alpha1.Workspace) (bool`
`293`	`293`	`if err != nil {`
`294`	`294`	`return false, err`
`295`	`295`	`}`
	`296`	`+ err = r.GetSecretForVariable(instance.Namespace, variable)`
	`297`	`+ if err != nil {`
	`298`	`+ return false, err`
	`299`	`+ }`
`296`	`300`	`}`
`297`	`301`
`298`	`302`	`specTFCVariables := MapToTFCVariable(instance.Spec.Variables)`