Adding support for variable value from secretKeyRef

workspacehelper/k8s_secret.go

@@ -0,0 +1,56 @@
+package workspacehelper
+
+import (
+	"context"
+	"errors"
+
+	"github.com/hashicorp/terraform-k8s/api/v1alpha1"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+// GetSecretData retrieves the data from a secret in a given namespace
+func (r *WorkspaceHelper) GetSecretData(namespace string, name string) (map[string][]byte, error) {
+	r.reqLogger.Info("Getting Secret", "Namespace", namespace, "Name", name)
+
+	secret := &corev1.Secret{}
+	err := r.client.Get(context.TODO(), types.NamespacedName{Name: name, Namespace: namespace}, secret)
+	if err != nil {
+		r.reqLogger.Error(err, "Failed to get Secret", "Namespace", namespace, "Name", name)
+		return nil, err
+	}
+	return secret.Data, nil
+}
+
+// GetSecretForVariable retrieves the sensitive value associated with the variable from a secret
+func (r *WorkspaceHelper) GetSecretForVariable(namespace string, variable *v1alpha1.Variable) error {
+	if variable.Sensitive == false || variable.ValueFrom == nil {
+		return nil
+	}
+
+	if variable.ValueFrom.SecretKeyRef == nil {
+		err := errors.New("Include Secret in ValueFrom")
+		r.reqLogger.Error(err, "No Secret specified", "Namespace", namespace, "Variable", variable.Key)
+		return err
+	}
+
+	r.reqLogger.Info("Checking Secret for variable", "Namespace", namespace, "Variable", variable.Key)
+
+	name := variable.ValueFrom.SecretKeyRef.LocalObjectReference.Name
+	key := variable.ValueFrom.SecretKeyRef.Key
+
+	data, err := r.GetSecretData(namespace, name)
+	if err != nil {
+		return err
+	}
+
+	value, ok := data[key]
+	if !ok {
+		err := errors.New("Include Secret key reference in ValueFrom")
+		r.reqLogger.Error(err, "No Secret key specified", "Namespace", namespace, "Name", name, "Key", key)
+		return err
+	}
+
+	variable.Value = string(value)
+	return nil
+}

workspacehelper/tfc_variable.go

@@ -223,8 +223,11 @@ func (t *TerraformCloudClient) UpdateTerraformVariables(variables []*tfc.Variabl
 }
 
 func checkAndRetrieveIfSensitive(variable *tfc.Variable, secretsMountPath string) error {
-	if variable.Sensitive {
+	// Try to read variables with empty value from file. If the value isn't empty,
+	// it was already read fromValue.SecretKeyRef.
+	if variable.Sensitive && variable.Value == "" {
 		filePath := fmt.Sprintf("%s/%s", secretsMountPath, variable.Key)
+
 		data, err := ioutil.ReadFile(filePath)
 		if err != nil {
 			return fmt.Errorf("could not get secret, %s", err)

workspacehelper/workspace_helper.go

@@ -293,6 +293,10 @@ func (r *WorkspaceHelper) updateVariables(instance *appv1alpha1.Workspace) (bool
 		if err != nil {
 			return false, err
 		}
+		err = r.GetSecretForVariable(instance.Namespace, variable)
+		if err != nil {
+			return false, err
+		}
 	}
 
 	specTFCVariables := MapToTFCVariable(instance.Spec.Variables)