GO-2024-3126: External Secrets Operator vulnerable to privilege escalation in github.com/external-secrets/external-secrets

secretmanager

package

v0.9.14 Latest Latest Go to latest Published: Mar 30, 2024 License: Apache-2.0 Imports: 46 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/external-secrets/external-secrets

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
func NewTokenSource(ctx context.Context, auth esv1beta1.GCPSMAuth, projectID, storeKind string, ...) (oauth2.TokenSource, error)
type Client
type GoogleSecretManagerClient
type IamClient
type Metadata
type Provider

Constants ¶

View Source

const (
	CloudPlatformRole = "https://www.googleapis.com/auth/cloud-platform"
)

Variables ¶

This section is empty.

Functions ¶

func NewTokenSource ¶ added in v0.6.0

func NewTokenSource(ctx context.Context, auth esv1beta1.GCPSMAuth, projectID, storeKind string, kube kclient.Client, namespace string) (oauth2.TokenSource, error)

Types ¶

type Client ¶ added in v0.6.0

type Client struct {
	// contains filtered or unexported fields
}

func (*Client) Close ¶ added in v0.6.0

func (c *Client) Close(_ context.Context) error

func (*Client) DeleteSecret ¶ added in v0.7.0

func (c *Client) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushSecretRemoteRef) error

func (*Client) GetAllSecrets ¶ added in v0.6.0

func (c *Client) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error)

GetAllSecrets syncs multiple secrets from gcp provider into a single Kubernetes Secret.

func (*Client) GetSecret ¶ added in v0.6.0

func (c *Client) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error)

GetSecret returns a single secret from the provider.

func (*Client) GetSecretMap ¶ added in v0.6.0

func (c *Client) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error)

GetSecretMap returns multiple k/v pairs from the provider.

func (*Client) PushSecret ¶ added in v0.7.0

func (c *Client) PushSecret(ctx context.Context, secret *corev1.Secret, pushSecretData esv1beta1.PushSecretData) error

PushSecret pushes a kubernetes secret key into gcp provider Secret.

func (*Client) SecretExists ¶ added in v0.9.14

func (c *Client) SecretExists(_ context.Context, _ esv1beta1.PushSecretRemoteRef) (bool, error)

func (*Client) Validate ¶ added in v0.6.0

func (c *Client) Validate() (esv1beta1.ValidationResult, error)

type GoogleSecretManagerClient ¶

type GoogleSecretManagerClient interface {
	DeleteSecret(ctx context.Context, req *secretmanagerpb.DeleteSecretRequest, opts ...gax.CallOption) error
	AccessSecretVersion(ctx context.Context, req *secretmanagerpb.AccessSecretVersionRequest, opts ...gax.CallOption) (*secretmanagerpb.AccessSecretVersionResponse, error)
	ListSecrets(ctx context.Context, req *secretmanagerpb.ListSecretsRequest, opts ...gax.CallOption) *secretmanager.SecretIterator
	AddSecretVersion(ctx context.Context, req *secretmanagerpb.AddSecretVersionRequest, opts ...gax.CallOption) (*secretmanagerpb.SecretVersion, error)
	CreateSecret(ctx context.Context, req *secretmanagerpb.CreateSecretRequest, opts ...gax.CallOption) (*secretmanagerpb.Secret, error)
	Close() error
	GetSecret(ctx context.Context, req *secretmanagerpb.GetSecretRequest, opts ...gax.CallOption) (*secretmanagerpb.Secret, error)
	UpdateSecret(context.Context, *secretmanagerpb.UpdateSecretRequest, ...gax.CallOption) (*secretmanagerpb.Secret, error)
}

type IamClient ¶ added in v0.3.11

type IamClient interface {
	GenerateAccessToken(ctx context.Context, req *credentialspb.GenerateAccessTokenRequest, opts ...gax.CallOption) (*credentialspb.GenerateAccessTokenResponse, error)
	Close() error
}

interface to GCP IAM API.

type Metadata ¶ added in v0.9.5

type Metadata struct {
	Annotations map[string]string `json:"annotations"`
	Labels      map[string]string `json:"labels"`
}

type Provider ¶ added in v0.6.0

type Provider struct{}

Provider is a secrets provider for GCP Secret Manager. It implements the necessary NewClient() and ValidateStore() funcs.

func (*Provider) Capabilities ¶ added in v0.7.0

func (p *Provider) Capabilities() esv1beta1.SecretStoreCapabilities

func (*Provider) NewClient ¶ added in v0.6.0

func (p *Provider) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube kclient.Client, namespace string) (esv1beta1.SecretsClient, error)

NewClient constructs a GCP Provider.

func (*Provider) ValidateStore ¶ added in v0.6.0

func (p *Provider) ValidateStore(store esv1beta1.GenericStore) (admission.Warnings, error)

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
fake

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL