use crate::error::{ErrorData, Result};
use alien_error::{Context, ContextError, IntoAlienError};
use alien_k8s_clients::secrets::SecretsApi;
use async_trait::async_trait;
use k8s_openapi::api::core::v1::Secret;
use k8s_openapi::apimachinery::pkg::apis::meta::v1::ObjectMeta;
use std::collections::BTreeMap;
use std::sync::Arc;
#[derive(Debug)]
pub struct KubernetesSecretVault {
client: Arc<dyn SecretsApi>,
namespace: String,
vault_prefix: String,
}
impl KubernetesSecretVault {
pub fn new(client: Arc<dyn SecretsApi>, namespace: String, vault_prefix: String) -> Self {
Self {
client,
namespace,
vault_prefix,
}
}
fn secret_resource_name(&self, secret_name: &str) -> String {
let combined = format!("{}-{}", self.vault_prefix, secret_name);
let clean = combined
.chars()
.filter(|c| c.is_alphanumeric() || *c == '-' || *c == '_')
.collect::<String>()
.to_lowercase()
.replace('_', "-");
if clean.len() > 253 {
clean[..253].to_string()
} else {
clean
}
}
}
#[async_trait]
impl crate::traits::Binding for KubernetesSecretVault {}
#[async_trait]
impl crate::traits::Vault for KubernetesSecretVault {
async fn get_secret(&self, secret_name: &str) -> Result<String> {
let secret_resource_name = self.secret_resource_name(secret_name);
let secret = self
.client
.get_secret(&self.namespace, &secret_resource_name)
.await
.context(ErrorData::CloudPlatformError {
message: format!("Failed to get secret '{}'", secret_name),
resource_id: None,
})?;
let value = secret
.data
.as_ref()
.and_then(|data| data.get("value"))
.ok_or_else(|| {
alien_error::AlienError::new(ErrorData::CloudPlatformError {
message: format!("Secret '{}' has no 'value' field", secret_name),
resource_id: None,
})
})?;
let decoded = String::from_utf8(value.0.clone())
.into_alien_error()
.context(ErrorData::CloudPlatformError {
message: format!("Failed to decode secret '{}' value", secret_name),
resource_id: None,
})?;
Ok(decoded)
}
async fn set_secret(&self, secret_name: &str, value: &str) -> Result<()> {
let secret_resource_name = self.secret_resource_name(secret_name);
let mut data = BTreeMap::new();
data.insert(
"value".to_string(),
k8s_openapi::ByteString(value.as_bytes().to_vec()),
);
let secret = Secret {
metadata: ObjectMeta {
name: Some(secret_resource_name.clone()),
namespace: Some(self.namespace.clone()),
labels: Some({
let mut labels = BTreeMap::new();
labels.insert("managed-by".to_string(), "alien".to_string());
labels.insert("vault-prefix".to_string(), self.vault_prefix.clone());
labels
}),
..Default::default()
},
data: Some(data),
..Default::default()
};
match self.client.create_secret(&self.namespace, &secret).await {
Ok(_) => Ok(()),
Err(e) => {
if matches!(
e.error,
Some(alien_client_core::ErrorData::RemoteResourceConflict { .. })
) {
self.client
.update_secret(&self.namespace, &secret_resource_name, &secret)
.await
.context(ErrorData::CloudPlatformError {
message: format!("Failed to update secret '{}'", secret_name),
resource_id: None,
})?;
Ok(())
} else {
Err(e.context(ErrorData::CloudPlatformError {
message: format!("Failed to create secret '{}'", secret_name),
resource_id: None,
}))
}
}
}
}
async fn delete_secret(&self, secret_name: &str) -> Result<()> {
let secret_resource_name = self.secret_resource_name(secret_name);
self.client
.delete_secret(&self.namespace, &secret_resource_name)
.await
.context(ErrorData::CloudPlatformError {
message: format!("Failed to delete secret '{}'", secret_name),
resource_id: None,
})
}
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_secret_resource_name_generation() {
let vault_prefix = "acme-monitoring-secrets";
let secret_name = "API_KEY";
let combined = format!("{}-{}", vault_prefix, secret_name);
let result = combined
.chars()
.filter(|c| c.is_alphanumeric() || *c == '-' || *c == '_')
.collect::<String>()
.to_lowercase()
.replace('_', "-");
assert_eq!(result, "acme-monitoring-secrets-api-key");
let secret_name2 = "MY_SECRET_KEY";
let combined2 = format!("{}-{}", vault_prefix, secret_name2);
let result2 = combined2
.chars()
.filter(|c| c.is_alphanumeric() || *c == '-' || *c == '_')
.collect::<String>()
.to_lowercase()
.replace('_', "-");
assert_eq!(result2, "acme-monitoring-secrets-my-secret-key");
let long_name = "A".repeat(300);
let combined3 = format!("{}-{}", vault_prefix, long_name);
let result3 = combined3
.chars()
.filter(|c| c.is_alphanumeric() || *c == '-' || *c == '_')
.collect::<String>()
.to_lowercase();
let truncated = if result3.len() > 253 {
result3[..253].to_string()
} else {
result3
};
assert!(truncated.len() <= 253);
}
}