akuity · krancour · Jan 11, 2025 · Nov 20, 2024 · Nov 20, 2024 · Nov 21, 2024
@@ -536,11 +536,14 @@ message CreateCredentialsRequest {
   string project = 1;
   string name = 2;
   string description = 8;
+  // type is git, helm, image or generic
   string type = 3;
   string repo_url = 4 [json_name = "repoURL"];
   bool repo_url_is_regex = 5 [json_name = "repoURLIsRegex"];
   string username = 6;
   string password = 7;
+  // when type is generic, this field as to create kubernetes Secret resource
+  map<string, string> data = 9;
 }
 
 message CreateCredentialsResponse {

@@ -8,6 +8,8 @@
 	CredentialTypeLabelValueGit   = "git"
 	CredentialTypeLabelValueHelm  = "helm"
 	CredentialTypeLabelValueImage = "image"
+	// TODO: Should we explicitly keep this label or agree that absence of this label should implicitly say that credential is generic?
+	CredentialTypeLabelValueGeneric = "generic"
 
 	// Kargo core API
 	FreightCollectionLabelKey = "kargo.akuity.io/freight-collection"

@@ -14,7 +14,7 @@
 	svcv1alpha1 "github.com/akuity/kargo/pkg/api/service/v1alpha1"
 )
 
-type credentials struct {
+type specificCredentials struct {
 	project        string
 	name           string
 	credType       string
@@ -25,6 +25,13 @@
 	description    string
 }
 
+type genericCredentials struct {
+	project     string
+	name        string
+	description string
+	data        map[string]string
+}
+
 func (s *server) CreateCredentials(
 	ctx context.Context,
 	req *connect.Request[svcv1alpha1.CreateCredentialsRequest],
@@ -34,34 +41,137 @@
 		return nil, connect.NewError(connect.CodeUnimplemented, errSecretManagementDisabled)
 	}
 
-	creds := credentials{
-		project:        req.Msg.GetProject(),
-		name:           req.Msg.GetName(),
-		description:    req.Msg.GetDescription(),
-		credType:       req.Msg.GetType(),
-		repoURL:        req.Msg.GetRepoUrl(),
-		repoURLIsRegex: req.Msg.GetRepoUrlIsRegex(),
-		username:       req.Msg.GetUsername(),
-		password:       req.Msg.GetPassword(),
+	credType := req.Msg.GetType()
+
+	if err := validateFieldNotEmpty("type", credType); err != nil {
+		return nil, err
 	}
 
+	switch credType {
+	case kargoapi.CredentialTypeLabelValueGit:
+	case kargoapi.CredentialTypeLabelValueHelm:
+	case kargoapi.CredentialTypeLabelValueImage:
+		creds := specificCredentials{
+			project:        req.Msg.GetProject(),
+			name:           req.Msg.GetName(),
+			description:    req.Msg.GetDescription(),
+			credType:       req.Msg.GetType(),
+			repoURL:        req.Msg.GetRepoUrl(),
+			repoURLIsRegex: req.Msg.GetRepoUrlIsRegex(),
+			username:       req.Msg.GetUsername(),
+			password:       req.Msg.GetPassword(),
+		}
+
+		kubernetesSecret, err := s.createSpecificCredentials(ctx, creds)
+
+		if err != nil {
+			return nil, err
+		}
+
+		return connect.NewResponse(
+			&svcv1alpha1.CreateCredentialsResponse{
+				Credentials: kubernetesSecret,
+			},
+		), nil
+	case kargoapi.CredentialTypeLabelValueGeneric:
+		creds := genericCredentials{
+			project:     req.Msg.GetProject(),
+			name:        req.Msg.GetName(),
+			data:        req.Msg.GetData(),
+			description: req.Msg.GetDescription(),
+		}
+
+		kubernetesSecret, err := s.createGenericCredentials(ctx, creds)
+
+		if err != nil {
+			return nil, err
+		}
+
+		return connect.NewResponse(&svcv1alpha1.CreateCredentialsResponse{
+			Credentials: kubernetesSecret,
+		}), nil
+	}
+
+	return nil, connect.NewError(connect.CodeInvalidArgument, errors.New("type should be one of git, helm, image or generic"))
+}
+
+func (s *server) createGenericCredentials(ctx context.Context, creds genericCredentials) (*corev1.Secret, error) {
+	if err := s.validateGenericCredentials(creds); err != nil {
+		return nil, err
+	}
+
+	kubernetesSecret := s.genericCredentialsToSecret(creds)
+
+	if err := s.client.Create(ctx, kubernetesSecret); err != nil {
+		return nil, fmt.Errorf("create secret: %w", err)
+	}
+
+	// redact
+	// TODO: current function does not redact some keys, create new function
+	redactedSecret := sanitizeCredentialSecret(*kubernetesSecret)
+
+	return redactedSecret, nil
+}
+
+func (s *server) validateGenericCredentials(creds genericCredentials) error {
+	if err := validateFieldNotEmpty("project", creds.project); err != nil {
+		return err
+	}
+
+	if err := validateFieldNotEmpty("name", creds.name); err != nil {
+		return err
+	}
+
+	if len(creds.data) == 0 {
+		return connect.NewError(connect.CodeInvalidArgument, errors.New("cannot create empty secret"))
+	}
+
+	return nil
+}
+
+func (s *server) genericCredentialsToSecret(creds genericCredentials) *corev1.Secret {
+	secretsData := map[string][]byte{}
+
+	for key, value := range creds.data {
+		secretsData[key] = []byte(value)
+	}
+
+	kubernetesSecret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: creds.project,
+			Name:      creds.name,
+			Labels: map[string]string{
+				kargoapi.CredentialTypeLabelKey: kargoapi.CredentialTypeLabelValueGeneric,
+			},
+		},
+		Data: secretsData,
+	}
+
+	if creds.description != "" {
+		kubernetesSecret.Annotations = map[string]string{
+			kargoapi.AnnotationKeyDescription: creds.description,
+		}
+	}
+
+	return kubernetesSecret
+}
+
+// creates credentials used for known purpose; specifically external subscriptions to private git repo or helm OCI or docker image
+func (s *server) createSpecificCredentials(ctx context.Context, creds specificCredentials) (*corev1.Secret, error) {
 	if err := s.validateCredentials(creds); err != nil {
 		return nil, err
 	}
 
 	secret := credentialsToSecret(creds)
+
 	if err := s.client.Create(ctx, secret); err != nil {
 		return nil, fmt.Errorf("create secret: %w", err)
 	}
 
-	return connect.NewResponse(
-		&svcv1alpha1.CreateCredentialsResponse{
-			Credentials: sanitizeCredentialSecret(*secret),
-		},
-	), nil
+	return sanitizeCredentialSecret(*secret), nil
 }
 
-func (s *server) validateCredentials(creds credentials) error {
+func (s *server) validateCredentials(creds specificCredentials) error {
 	if err := validateFieldNotEmpty("project", creds.project); err != nil {
 		return err
 	}
@@ -93,7 +203,7 @@
 	return validateFieldNotEmpty("password", creds.password)
 }
 
-func credentialsToSecret(creds credentials) *corev1.Secret {
+func credentialsToSecret(creds specificCredentials) *corev1.Secret {
 	s := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: creds.project,