diff --git a/workspacehelper/k8s_secret.go b/workspacehelper/k8s_secret.go
new file mode 100644
index 00000000..5ef0ecfd
--- /dev/null
+++ b/workspacehelper/k8s_secret.go
@@ -0,0 +1,56 @@
+package workspacehelper
+
+import (
+ "context"
+ "errors"
+
+ "github.com/hashicorp/terraform-k8s/api/v1alpha1"
+ corev1 "k8s.io/api/core/v1"
+ "k8s.io/apimachinery/pkg/types"
+)
+
+// GetSecretData retrieves the data from a secret in a given namespace
+func (r *WorkspaceHelper) GetSecretData(namespace string, name string) (map[string][]byte, error) {
+ r.reqLogger.Info("Getting Secret", "Namespace", namespace, "Name", name)
+
+ secret := &corev1.Secret{}
+ err := r.client.Get(context.TODO(), types.NamespacedName{Name: name, Namespace: namespace}, secret)
+ if err != nil {
+ r.reqLogger.Error(err, "Failed to get Secret", "Namespace", namespace, "Name", name)
+ return nil, err
+ }
+ return secret.Data, nil
+}
+
+// GetSecretForVariable retrieves the sensitive value associated with the variable from a secret
+func (r *WorkspaceHelper) GetSecretForVariable(namespace string, variable *v1alpha1.Variable) error {
+ if variable.Sensitive == false || variable.ValueFrom == nil {
+ return nil
+ }
+
+ if variable.ValueFrom.SecretKeyRef == nil {
+ err := errors.New("Include Secret in ValueFrom")
+ r.reqLogger.Error(err, "No Secret specified", "Namespace", namespace, "Variable", variable.Key)
+ return err
+ }
+
+ r.reqLogger.Info("Checking Secret for variable", "Namespace", namespace, "Variable", variable.Key)
+
+ name := variable.ValueFrom.SecretKeyRef.LocalObjectReference.Name
+ key := variable.ValueFrom.SecretKeyRef.Key
+
+ data, err := r.GetSecretData(namespace, name)
+ if err != nil {
+ return err
+ }
+
+ value, ok := data[key]
+ if !ok {
+ err := errors.New("Include Secret key reference in ValueFrom")
+ r.reqLogger.Error(err, "No Secret key specified", "Namespace", namespace, "Name", name, "Key", key)
+ return err
+ }
+
+ variable.Value = string(value)
+ return nil
+}
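Review bot: The error raised in GetSecretForVariable when `key` is absent from the secret's data, `errors.New("Include Secret key reference in ValueFrom")`, misdescribes the failure — a key reference was supplied, it just does not exist in the named secret — so whoever reads it is pointed at the wrong field; `fmt.Errorf("secret %s/%s has no key %q", namespace, name, key)` (with `fmt` imported) names the actual gap, and both error strings should be lowercase per Go convention. `variable.Sensitive == false` reads better as `!variable.Sensitive`. The function also writes the decoded plaintext into `variable.Value` on the object it was handed; the call site added in workspace_helper.go's updateVariables appears to pass a variable taken from the Workspace instance, and if that instance is later persisted back to the API server (not visible in this diff) the secret would be stored in the custom resource, which is worth confirming before merging. Passing the reconcile's context instead of `context.TODO()` in GetSecretData would let cancellation propagate to the API call.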
diff --git a/workspacehelper/tfc_variable.go b/workspacehelper/tfc_variable.go
index 3c74040a..db012e2f 100644
--- a/workspacehelper/tfc_variable.go
+++ b/workspacehelper/tfc_variable.go
@@ -223,8 +223,11 @@ func (t *TerraformCloudClient) UpdateTerraformVariables(variables []*tfc.Variabl
 }
 
 func checkAndRetrieveIfSensitive(variable *tfc.Variable, secretsMountPath string) error {
- if variable.Sensitive {
+ // Try to read variables with empty value from file. If the value isn't empty,
+ // it was already read fromValue.SecretKeyRef.
+ if variable.Sensitive && variable.Value == "" {
 filePath := fmt.Sprintf("%s/%s", secretsMountPath, variable.Key)
+
 data, err := ioutil.ReadFile(filePath)
 if err != nil {
 return fmt.Errorf("could not get secret, %s", err)
diff --git a/workspacehelper/workspace_helper.go b/workspacehelper/workspace_helper.go
index 2d0a94fe..8e0ad998 100644
--- a/workspacehelper/workspace_helper.go
+++ b/workspacehelper/workspace_helper.go
@@ -293,6 +293,10 @@ func (r *WorkspaceHelper) updateVariables(instance *appv1alpha1.Workspace) (bool
 if err != nil {
 return false, err
 }
+ err = r.GetSecretForVariable(instance.Namespace, variable)
+ if err != nil {
+ return false, err
+ }
 }
 
 specTFCVariables := MapToTFCVariable(instance.Spec.Variables)
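Review bot: The new comment on checkAndRetrieveIfSensitive has a typo that obscures the one fact it is there to record — `fromValue.SecretKeyRef` should read `from ValueFrom.SecretKeyRef`, and the added blank line after `filePath :=` separates the path from its only use for no reason. Using an empty `Value` as the signal that no secret reference was resolved also means a secret key that legitimately holds an empty string falls through to the file read and fails with "could not get secret" if no mounted file exists; if that case matters, a sentence in the comment saying so would save the next reader from rediscovering it. The body of checkAndRetrieveIfSensitive continues outside the hunk.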
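Review bot: The added call in updateVariables returns the error from GetSecretForVariable bare, so the caller of updateVariables cannot tell which variable's secret lookup failed without correlating log lines; `if err := r.GetSecretForVariable(instance.Namespace, variable); err != nil { return false, fmt.Errorf("resolving secret for variable %q: %w", variable.Key, err) }` keeps `err` scoped to the call and carries the key (assuming `fmt` is imported and the module's Go version supports `%w`). The loop header that defines `variable` and the rest of updateVariables lie outside the hunk.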