weaveworks · AsmaaNabilBakr · Jan 31, 2023 · Jan 15, 2023 · Jan 15, 2023 · Jan 16, 2023
diff --git a/cmd/clusters-service/api/cluster_services.proto b/cmd/clusters-service/api/cluster_services.proto
@@ -697,6 +697,7 @@ message ExternalSecretSpec {
 
 message externalSecretStoreRef {
   string name = 1;
+  string kind = 2;
 }
 
 message externalSecretTarget {

diff --git a/cmd/clusters-service/api/cluster_services.swagger.json b/cmd/clusters-service/api/cluster_services.swagger.json
@@ -3125,6 +3125,9 @@
       "properties": {
         "name": {
           "type": "string"
+        },
+        "kind": {
+          "type": "string"
         }
       }
     },

diff --git a/cmd/clusters-service/pkg/protos/cluster_services.pb.go b/cmd/clusters-service/pkg/protos/cluster_services.pb.go
diff --git a/cmd/clusters-service/pkg/protos/cluster_services.pb.gw.go b/cmd/clusters-service/pkg/protos/cluster_services.pb.gw.go
diff --git a/cmd/clusters-service/pkg/protos/cluster_services_grpc.pb.go b/cmd/clusters-service/pkg/protos/cluster_services_grpc.pb.go
diff --git a/cmd/clusters-service/pkg/server/automations.go b/cmd/clusters-service/pkg/server/automations.go
@@ -482,7 +482,7 @@ func createExternalSecretObject(es *capiv1_proto.ExternalSecret) (*esv1beta1.Ext
 		Spec: esv1beta1.ExternalSecretSpec{
 			SecretStoreRef: esv1beta1.SecretStoreRef{
 				Name: es.Spec.SecretStoreRef.Name,
-				Kind: "SecretStore",
+				Kind: es.Spec.SecretStoreRef.Kind,
 			},
 			RefreshInterval: &metav1.Duration{
 				Duration: refreshInterval,
@@ -533,6 +533,9 @@ func validateExternalSecret(externalSecret *capiv1_proto.ExternalSecret) error {
 		if externalSecret.Spec.SecretStoreRef.Name == "" {
 			err = multierror.Append(err, fmt.Errorf("secretStoreRef name must be specified in ExternalSecret %s", externalSecret.Metadata.Name))
 		}
+		if externalSecret.Spec.SecretStoreRef.Kind == "" {
+			err = multierror.Append(err, fmt.Errorf("secretStoreRef kind must be specified in ExternalSecret %s", externalSecret.Metadata.Name))
+		}
 	}
 
 	if externalSecret.Spec.Target == nil {

diff --git a/cmd/clusters-service/pkg/server/automations_test.go b/cmd/clusters-service/pkg/server/automations_test.go
@@ -685,6 +685,7 @@ status: {}
 								RefreshInterval: "1h",
 								SecretStoreRef: &capiv1_protos.ExternalSecretStoreRef{
 									Name: "testname",
+									Kind: "SecretStore",
 								},
 								Target: &capiv1_protos.ExternalSecretTarget{
 									Name: "new-secret",
@@ -751,6 +752,7 @@ status:
 								RefreshInterval: "1h",
 								SecretStoreRef: &capiv1_protos.ExternalSecretStoreRef{
 									Name: "testname",
+									Kind: "SecretStore",
 								},
 								Target: &capiv1_protos.ExternalSecretTarget{
 									Name: "new-secret",
@@ -814,6 +816,7 @@ status:
 								RefreshInterval: "1h",
 								SecretStoreRef: &capiv1_protos.ExternalSecretStoreRef{
 									Name: "testname",
+									Kind: "SecretStore",
 								},
 								Target: &capiv1_protos.ExternalSecretTarget{
 									Name: "new-secret",
@@ -880,6 +883,7 @@ status:
 								RefreshInterval: "1h",
 								SecretStoreRef: &capiv1_protos.ExternalSecretStoreRef{
 									Name: "testname",
+									Kind: "SecretStore",
 								},
 								Target: &capiv1_protos.ExternalSecretTarget{
 									Name: "new-secret",
@@ -944,7 +948,9 @@ status:
 							Metadata: testNewMetadata(t, "new-secret", "flux-system"),
 							Spec: &capiv1_protos.ExternalSecretSpec{
 								RefreshInterval: "1h",
-								SecretStoreRef:  &capiv1_protos.ExternalSecretStoreRef{},
+								SecretStoreRef: &capiv1_protos.ExternalSecretStoreRef{
+									Kind: "SecretStore",
+								},
 								Target: &capiv1_protos.ExternalSecretTarget{
 									Name: "new-secret",
 								},
@@ -1010,6 +1016,7 @@ status:
 								RefreshInterval: "1h",
 								SecretStoreRef: &capiv1_protos.ExternalSecretStoreRef{
 									Name: "testname",
+									Kind: "SecretStore",
 								},
 								Target: &capiv1_protos.ExternalSecretTarget{
 									Name: "new-secret",

diff --git a/cmd/clusters-service/pkg/server/external_secrets.go b/cmd/clusters-service/pkg/server/external_secrets.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"sort"
 	"strings"
 	"time"
 
@@ -141,10 +142,22 @@ func (s *server) GetExternalSecret(ctx context.Context, req *capiv1_proto.GetExt
 			response.Version = externalSecret.Spec.Data[0].RemoteRef.Version
 		}
 
-		//Get SecretStore
-		var externalSecretStore esv1beta1.SecretStore
-		if err := clustersClient.Get(ctx, req.ClusterName, client.ObjectKey{Name: externalSecret.Spec.SecretStoreRef.Name, Namespace: req.Namespace}, &externalSecretStore); err == nil {
-			response.SecretStoreType = getSecretStoreType(&externalSecretStore)
+		var secretStoreProvider *esv1beta1.SecretStoreProvider
+		if externalSecret.Spec.SecretStoreRef.Kind == esv1beta1.ClusterSecretStoreKind {
+			var clusterSecretStore esv1beta1.ClusterSecretStore
+			if err := clustersClient.Get(ctx, req.ClusterName, client.ObjectKey{Name: externalSecret.Spec.SecretStoreRef.Name}, &clusterSecretStore); err == nil {
+				secretStoreProvider = clusterSecretStore.Spec.Provider
+			}
+
+		} else {
+			var secretStore esv1beta1.SecretStore
+			if err := clustersClient.Get(ctx, req.ClusterName, client.ObjectKey{Name: externalSecret.Spec.SecretStoreRef.Name, Namespace: req.Namespace}, &secretStore); err == nil {
+				secretStoreProvider = secretStore.Spec.Provider
+			}
+		}
+
+		if secretStoreProvider != nil {
+			response.SecretStoreType = getSecretStoreType(secretStoreProvider)
 		}
 
 		return &response, nil
@@ -190,40 +203,61 @@ func (s *server) ListExternalSecretStores(ctx context.Context, req *capiv1_proto
 	}
 
 	var secretStores esv1beta1.SecretStoreList
+	var clusterSecretStores esv1beta1.ClusterSecretStoreList
 
 	g, gctx := errgroup.WithContext(ctx)
 	g.Go(func() error {
 		return clustersClient.List(gctx, req.ClusterName, &secretStores)
 	})
 
+	g.Go(func() error {
+		return clustersClient.List(gctx, req.ClusterName, &clusterSecretStores)
+	})
+
 	if err := g.Wait(); err != nil {
+		if strings.Contains(err.Error(), "no matches for kind") {
+			return &capiv1_proto.ListExternalSecretStoresResponse{}, nil
+		}
 		return nil, fmt.Errorf("failed to list secret stores, error %w", err)
 	}
 
 	response := capiv1_proto.ListExternalSecretStoresResponse{}
+
 	for _, item := range secretStores.Items {
 		response.Stores = append(response.Stores, &capiv1_proto.ExternalSecretStore{
 			Kind:      item.GetKind(),
 			Name:      item.GetName(),
 			Namespace: item.GetNamespace(),
-			Type:      getSecretStoreType(&item),
+			Type:      getSecretStoreType(item.Spec.Provider),
 		})
 	}
 
+	for _, item := range clusterSecretStores.Items {
+		response.Stores = append(response.Stores, &capiv1_proto.ExternalSecretStore{
+			Kind:      item.GetKind(),
+			Name:      item.GetName(),
+			Namespace: item.GetNamespace(),
+			Type:      getSecretStoreType(item.Spec.Provider),
+		})
+	}
+
+	sort.Slice(response.Stores, func(i, j int) bool {
+		return response.Stores[i].Name < response.Stores[j].Name
+	})
+
 	response.Total = int32(len(response.Stores))
 	return &response, nil
 }
 
 // getSecretStoreType gets SecretStoreType from SecretStore object
-func getSecretStoreType(secretStore *esv1beta1.SecretStore) string {
-
-	if secretStore.Spec.Provider.AWS != nil {
+func getSecretStoreType(provider *esv1beta1.SecretStoreProvider) string {
+	if provider.AWS != nil {
 		return "AWS Secrets Manager"
-	} else if secretStore.Spec.Provider.AzureKV != nil {
+	} else if provider.AzureKV != nil {
 		return "Azure Key Vault"
-	} else if secretStore.Spec.Provider.GCPSM != nil {
+	} else if provider.GCPSM != nil {
 		return "Google Cloud Platform Secret Manager"
-	} else if secretStore.Spec.Provider.Vault != nil {
+	} else if provider.Vault != nil {
 		return "HashiCorp Vault"
 	} else {
 		return "Unknown"