
test(e2e): add managed v2 IRSA suite for parameter store

Moritz Johner 2 luni în urmă
părinte
comite
7b300d0386

+ 72 - 0
e2e/suites/provider/cases/aws/parameterstore/parameterstore_v2_managed.go

@@ -0,0 +1,72 @@
+/*
+Copyright © The ESO Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    https://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package aws
+
+import (
+	. "github.com/onsi/ginkgo/v2"
+
+	"github.com/external-secrets/external-secrets-e2e/framework"
+	"github.com/external-secrets/external-secrets-e2e/framework/addon"
+	awscommon "github.com/external-secrets/external-secrets-e2e/suites/provider/cases/aws"
+	"github.com/external-secrets/external-secrets-e2e/suites/provider/cases/common"
+)
+
+var _ = Describe("[awsmanaged] v2 IRSA via referenced service account", Label("aws", "parameterstore", "managed", "v2"), Ordered, func() {
+	f := framework.New("eso-aws-managed-v2-ref")
+	prov := NewProviderV2(f)
+
+	BeforeEach(func() {
+		if !framework.IsV2ProviderMode() {
+			Skip("v2 mode only")
+		}
+		skipIfAWSManagedIRSAEnvMissing(prov.access)
+	})
+
+	DescribeTable("sync parameterstore secrets",
+		framework.TableFuncWithExternalSecret(f, prov),
+		framework.Compose(awscommon.WithReferencedIRSA, f, common.SimpleDataSync, useV2ReferencedIRSA(prov)),
+		framework.Compose(awscommon.WithReferencedIRSA, f, FindByName, useV2ReferencedIRSA(prov)),
+	)
+})
+
+var _ = Describe("[awsmanaged] v2 with mounted IRSA", Label("aws", "parameterstore", "managed", "v2"), Ordered, func() {
+	f := framework.New("eso-aws-managed-v2-mounted")
+	prov := NewProviderV2(f)
+
+	BeforeEach(func() {
+		if !framework.IsV2ProviderMode() {
+			Skip("v2 mode only")
+		}
+		skipIfAWSManagedIRSAEnvMissing(prov.access)
+
+		f.Install(addon.NewESO(
+			addon.WithControllerClass(f.BaseName+"-mounted"),
+			addon.WithReleaseName(f.Namespace.Name),
+			addon.WithNamespace(prov.access.SANamespace),
+			addon.WithoutWebhook(),
+			addon.WithoutCertController(),
+			addon.WithV2AWSProvider(),
+			addon.WithV2ProviderServiceAccount("aws", prov.access.SAName),
+		))
+	})
+
+	DescribeTable("sync parameterstore secrets",
+		framework.TableFuncWithExternalSecret(f, prov),
+		framework.Compose(awscommon.WithMountedIRSA, f, common.SimpleDataSync, useV2MountedIRSA(prov)),
+		framework.Compose(awscommon.WithMountedIRSA, f, FindByName, useV2MountedIRSA(prov)),
+	)
+})
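Review bot: `f.Install(addon.NewESO(...))` in the second `BeforeEach` runs once per table entry, so the two entries in the `DescribeTable` below install the same Helm release (`WithReleaseName(f.Namespace.Name)`) into `prov.access.SANamespace` twice; unless `f.Install` is an idempotent upgrade-or-install, the second entry fails or races the first. The container is already `Ordered`, so moving the install to a `BeforeAll` while keeping the two `Skip` checks in `BeforeEach` matches the intent. The `WithNamespace(prov.access.SANamespace)` line also deserves a comment, e.g. `// installed outside the test namespace so the provider pod can run under the IRSA-annotated service account`, and it is worth confirming that the framework's teardown removes a release that does not live in `f.Namespace` — `f.Install`'s cleanup handling is not visible from here.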

+ 48 - 0
e2e/suites/provider/cases/aws/parameterstore/parameterstore_v2_managed_test.go

@@ -0,0 +1,48 @@
+/*
+Copyright © The ESO Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    https://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package aws
+
+import (
+	"testing"
+
+	"github.com/external-secrets/external-secrets-e2e/framework"
+	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
+)
+
+func TestConfigureV2ReferencedIRSAStoreRefUsesClusterProvider(t *testing.T) {
+	t.Parallel()
+
+	tc := &framework.TestCase{
+		ExternalSecret: &esv1.ExternalSecret{
+			Spec: esv1.ExternalSecretSpec{
+				SecretStoreRef: esv1.SecretStoreRef{
+					Name: "placeholder",
+					Kind: esv1.ProviderKindStr,
+				},
+			},
+		},
+	}
+
+	configureV2ReferencedIRSAStoreRef(tc, "aws-irsa-cluster-provider")
+
+	if got := tc.ExternalSecret.Spec.SecretStoreRef.Kind; got != esv1.ClusterProviderKindStr {
+		t.Fatalf("expected cluster provider kind %q, got %q", esv1.ClusterProviderKindStr, got)
+	}
+	if got := tc.ExternalSecret.Spec.SecretStoreRef.Name; got != "aws-irsa-cluster-provider" {
+		t.Fatalf("expected cluster provider ref %q, got %q", "aws-irsa-cluster-provider", got)
+	}
+}

+ 42 - 0
e2e/suites/provider/cases/aws/parameterstore/provider_support_v2.go

@@ -541,6 +541,48 @@ func useV2SessionTagsAuth(prov *ProviderV2) func(*framework.TestCase) {
 	}
 }
 
+func useV2ReferencedIRSA(prov *ProviderV2) func(*framework.TestCase) {
+	return func(tc *framework.TestCase) {
+		tc.Prepare = func(tc *framework.TestCase, _ framework.SecretStoreProvider) {
+			configName := prov.providerConfigName(awsV2AuthProfileReferencedIRSA)
+			clusterProviderName := referencedIRSAClusterProviderName(prov.framework.Namespace.Name)
+
+			createParameterStoreV2Config(prov.framework, prov.framework.Namespace.Name, configName, prov.access, awsV2AuthProfileReferencedIRSA)
+			frameworkv2.CreateClusterProviderConnection(
+				prov.framework,
+				clusterProviderName,
+				frameworkv2.ProviderAddress("aws"),
+				awsProviderAPIVersion,
+				awsv2alpha1.ParameterStoreKind,
+				configName,
+				prov.framework.Namespace.Name,
+				esv1.AuthenticationScopeManifestNamespace,
+				nil,
+			)
+			frameworkv2.WaitForClusterProviderReady(prov.framework, clusterProviderName, defaultV2WaitTimeout)
+			configureV2ReferencedIRSAStoreRef(tc, clusterProviderName)
+		}
+	}
+}
+
+func useV2MountedIRSA(prov *ProviderV2) func(*framework.TestCase) {
+	return func(tc *framework.TestCase) {
+		tc.Prepare = prov.prepareNamespacedProviderAtAddress(
+			awsV2AuthProfileMountedIRSA,
+			frameworkv2.ProviderAddressInNamespace("aws", prov.access.SANamespace),
+		)
+	}
+}
+
+func referencedIRSAClusterProviderName(namespace string) string {
+	return namespace + "-referenced-irsa"
+}
+
+func configureV2ReferencedIRSAStoreRef(tc *framework.TestCase, clusterProviderName string) {
+	tc.ExternalSecret.Spec.SecretStoreRef.Kind = esv1.ClusterProviderKindStr
+	tc.ExternalSecret.Spec.SecretStoreRef.Name = clusterProviderName
+}
+
 func (p *ProviderV2) prepareNamespacedProvider(profile ...awsV2AuthProfile) func(*framework.TestCase, framework.SecretStoreProvider) {
 	authProfile := awsV2AuthProfileStatic
 	if len(profile) > 0 {
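Review bot: `useV2ReferencedIRSA`'s `Prepare` creates a cluster-scoped `ClusterProvider` whose name comes from `referencedIRSAClusterProviderName(namespace)`, and both table entries that use this helper share that name; the object is not namespaced, so deleting the test namespace does not garbage-collect it, and the second `Prepare` call re-creates the same name. Unless `frameworkv2.CreateClusterProviderConnection` registers a cleanup and tolerates an already-existing object (not visible here), the provider leaks between runs and keeps pointing at a config in a deleted namespace. Consider a `DeferCleanup` next to the `WaitForClusterProviderReady` call, or at least a comment on `referencedIRSAClusterProviderName` such as `// cluster-scoped: not removed with the namespace; cleanup is owned by CreateClusterProviderConnection`. `useV2SessionTagsAuth` and `prepareNamespacedProvider` start and end outside the hunk.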