From 4a7193d64c2ad8222faecb3d1aa9f55f955bdce3 Mon Sep 17 00:00:00 2001
From: Edward Viaene
Date: Sun, 26 Apr 2020 14:57:30 +0200
Subject: [PATCH] support for labels
---
 README.md | 2 +-
 cmd/gcloud-load-secrets/main.go | 6 ++++--
 pkg/gcloud/secrets/read.go | 20 ++++++++++++++++++--
 3 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index eabe6cb..ba4b004 100644
--- a/README.md
+++ b/README.md
@@ -5,5 +5,5 @@ Execute binary with secrets loaded as environment variables
 Run bash command and inject environment variables that start with "myapp"
 ```
 export GOOGLE_APPLICATION_CREDENTIALS=credentials.json
-./gcloud-load-secrets-darwin-amd64 -prefix myapp -cmd '/bin/bash -c ls -ahl' -debug true
+./gcloud-load-secrets-darwin-amd64 -label app=myapp -cmd '/bin/bash -c ls -ahl' -debug true
 ```
diff --git a/cmd/gcloud-load-secrets/main.go b/cmd/gcloud-load-secrets/main.go
index e825efc..9206905 100644
--- a/cmd/gcloud-load-secrets/main.go
+++ b/cmd/gcloud-load-secrets/main.go
@@ -15,10 +15,12 @@ func main() {
 var (
 secretsPrefix string
+ secretsLabel string
 cmd string
 debug bool
 )
- flag.StringVar(&secretsPrefix, "prefix", "", "prefix to use when retrieving secrets")
+ flag.StringVar(&secretsPrefix, "prefix", "", "prefix to filter on when retrieving secrets")
+ flag.StringVar(&secretsLabel, "label", "", "label to filter on when retrieving secrets")
 flag.StringVar(&cmd, "cmd", "", "execute command")
 flag.BoolVar(&debug, "debug", false, "enable debug output")
@@ -35,7 +37,7 @@ func main() {
 panic(err)
 }
- secrets, err := readSecrets.ListSecrets(secretsPrefix)
+ secrets, err := readSecrets.ListSecrets(secretsPrefix, secretsLabel)
 if err != nil {
 panic(err)
 }
diff --git a/pkg/gcloud/secrets/read.go b/pkg/gcloud/secrets/read.go
index 38cb621..a577fc8 100644
--- a/pkg/gcloud/secrets/read.go
+++ b/pkg/gcloud/secrets/read.go
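Review bot: The new `-label` flag defaults to the empty string, like `-prefix`, and nothing in this hunk requires either of them to be set. Judging by the read.go part of this patch, an empty prefix passes `strings.HasPrefix` and an empty label makes `MatchLabel` return true, so a run with neither flag would presumably hand every secret that `ListSecrets` returns to the command's environment. Consider refusing to start when `secretsPrefix == "" && secretsLabel == ""`, placed after flag parsing (which is outside the hunk), so that loading everything is never the silent default. The usage string could also state the expected form, for example `"label to filter on when retrieving secrets, in key=value form"`.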
@@ -39,7 +39,7 @@ func NewReadSecrets() (*ReadSecrets, error) {
 }, nil
 }
-func (r *ReadSecrets) ListSecrets(secretsPrefix string) ([]Secret, error) {
+func (r *ReadSecrets) ListSecrets(secretsPrefix, secretsLabel string) ([]Secret, error) {
 ctx := context.Background()
 req := &secretmanagerpb.ListSecretsRequest{
@@ -60,7 +60,7 @@ func (r *ReadSecrets) ListSecrets(secretsPrefix string) ([]Secret, error) {
 return secrets, fmt.Errorf("secret name in unexpected format: %s", resp.Name)
 }
 secretName := strings.Join(secretElements[3:], "/")
- if strings.HasPrefix(secretName, secretsPrefix) {
+ if strings.HasPrefix(secretName, secretsPrefix) && r.MatchLabel(secretsLabel, resp.Labels) {
 secrets = append(secrets, Secret{ID: resp.Name, Name: secretName})
 }
 }
@@ -90,3 +90,19 @@ func (r *ReadSecrets) GetKV(secrets []Secret) []string {
 }
 return ret
 }
+
+func (r *ReadSecrets) MatchLabel(label string, labels map[string]string) bool {
+ if label == "" {
+ return true
+ }
+ split := strings.Split(label, "=")
+ if len(split) != 2 {
+ return false
+ }
+ for k, v := range labels {
+ if k == split[0] && v == split[1] {
+ return true
+ }
+ }
+ return false
+}
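Review bot: `MatchLabel` returns false for any `-label` value that is not exactly one `key=value` pair (the `len(split) != 2` branch), so a typo such as `app:myapp` filters out every secret and the command starts without them and without any error. Validating the label once before the listing loop and returning an error from `ListSecrets` would make the mistake visible; the loop that calls `MatchLabel` is in the previous hunk of this file. The `for k, v := range labels` scan can be a direct map lookup, `v, ok := labels[split[0]]; return ok && v == split[1]`. As an exported method it should also carry a doc comment, for example `// MatchLabel reports whether labels contains the key=value pair given in label; an empty label matches everything.`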