Add support for IBM Secrets Manager's Private Certificate (#1160)

* Use gsed on macos.

Signed-off-by: Marcin Kubica <marcin.kubica@engineerbetter.com>

* Add private_cert support

* Add private_cert support

Co-authored-by: Marcin Kubica <marcin.kubica@engineerbetter.com>

docs/provider-ibm-secrets-manager.md

@@ -51,12 +51,13 @@ See here for a list of [publicly available endpoints](https://cloud.ibm.com/apid
 ### Secret Types
 We support the following secret types of [IBM Secrets Manager](https://cloud.ibm.com/apidocs/secrets-manager):
 
-* `arbitrary` 
+* `arbitrary`
 * `username_password`
 * `iam_credentials`
 * `imported_cert`
 * `public_cert`
-* `kv` 
+* `private_cert`
+* `kv`
 
 To define the type of secret you would like to sync you need to prefix the secret id with the desired type. If the secret type is not specified it is defaulted to `arbitrary`:
 
@@ -80,7 +81,7 @@ The behavior for the different secret types is as following:
 * `remoteRef` retrieves an apikey from secrets manager and sets it for specified `secretKey`
 * `dataFrom` retrieves an apikey from secrets manager and sets it for the `apikey` Kubernetes secret key
 
-#### imported_cert and public_cert
+#### imported_cert, public_cert and private_cert
 * `remoteRef` requires a `property` to be set for either `certificate`, `private_key` or `intermediate` to retrieve respective fields from the secrets manager secret and set in specified `secretKey`
 * `dataFrom` retrieves all `certificate`, `private_key` and `intermediate` fields from the secrets manager secret and sets appropriate key:value pairs in the resulting Kubernetes secret
 
@@ -127,7 +128,7 @@ data:
   key3_keyB: ... #valB
   special_key: ... #special-content
   key_all: ... #{"key1":"val1","key2":"val2", ..."special.key":"special-content"}
-  
+
   # secrets from dataFrom
   keyA: ... #valA
   keyB: ... #valB

docs/snippets/ibm-es-types.yaml

@@ -9,21 +9,25 @@ spec:
     remoteRef:
       # defaults to type=arbitrary
       key: xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
-  - secretKey: foo
+  - secretKey: usr_pass
     remoteRef:
       key: username_password/yyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy
       property: username
-  - secretKey: bar
+  - secretKey: iam_cred
     remoteRef:
       key: iam_credentials/zzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz
-  - secretKey: baz
+  - secretKey: imp_cert
     remoteRef:
       key: imported_cert/zzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz
       property: certificate
-  - secretKey: bap
+  - secretKey: pub_cert
     remoteRef:
       key: public_cert/zzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz
       property: certificate
+  - secretKey: prvt_cert
+      remoteRef:
+        key: private_cert/zzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz
+        property: certificate
   - secretKey: kv_without_key
     remoteRef:
       key: kv/zzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz
@@ -36,4 +40,4 @@ spec:
       key: kv/zzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz
       property: 'key.path'
   dataFrom:
-  
+

pkg/provider/ibm/provider.go

@@ -152,6 +152,14 @@ func (ibm *providerIBM) GetSecret(ctx context.Context, ref esv1beta1.ExternalSec
 
 		return getPublicCertSecret(ibm, &secretName, ref)
 
+	case sm.CreateSecretOptionsSecretTypePrivateCertConst:
+
+		if ref.Property == "" {
+			return nil, fmt.Errorf("remoteRef.property required for secret type private_cert")
+		}
+
+		return getPrivateCertSecret(ibm, &secretName, ref)
+
 	case sm.CreateSecretOptionsSecretTypeKvConst:
 
 		return getKVSecret(ibm, &secretName, ref)
@@ -215,6 +223,25 @@ func getPublicCertSecret(ibm *providerIBM, secretName *string, ref esv1beta1.Ext
 	return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Property, ref.Key)
 }
 
+func getPrivateCertSecret(ibm *providerIBM, secretName *string, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
+	response, _, err := ibm.IBMClient.GetSecret(
+		&sm.GetSecretOptions{
+			SecretType: core.StringPtr(sm.CreateSecretOptionsSecretTypePrivateCertConst),
+			ID:         secretName,
+		})
+	if err != nil {
+		return nil, err
+	}
+
+	secret := response.Resources[0].(*sm.SecretResource)
+	secretData := secret.SecretData.(map[string]interface{})
+
+	if val, ok := secretData[ref.Property]; ok {
+		return []byte(val.(string)), nil
+	}
+	return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Property, ref.Key)
+}
+
 func getIamCredentialsSecret(ibm *providerIBM, secretName *string) ([]byte, error) {
 	response, _, err := ibm.IBMClient.GetSecret(
 		&sm.GetSecretOptions{
@@ -437,6 +464,23 @@ func (ibm *providerIBM) GetSecretMap(ctx context.Context, ref esv1beta1.External
 
 		return secretMap, nil
 
+	case sm.CreateSecretOptionsSecretTypePrivateCertConst:
+		response, _, err := ibm.IBMClient.GetSecret(
+			&sm.GetSecretOptions{
+				SecretType: core.StringPtr(sm.CreateSecretOptionsSecretTypePrivateCertConst),
+				ID:         &secretName,
+			})
+		if err != nil {
+			return nil, err
+		}
+
+		secret := response.Resources[0].(*sm.SecretResource)
+		secretData := secret.SecretData.(map[string]interface{})
+
+		secretMap := byteArrayMap(secretData)
+
+		return secretMap, nil
+
 	case sm.CreateSecretOptionsSecretTypeKvConst:
 		secret, err := getKVSecret(ibm, &secretName, ref)
 		if err != nil {

pkg/provider/ibm/provider_test.go

@@ -34,6 +34,7 @@ import (
 
 const (
 	errExpectedErr = "wanted error got nil"
+	secretKey      = "test-secret"
 )
 
 type secretManagerTestCase struct {
@@ -67,7 +68,7 @@ func makeValidSecretManagerTestCase() *secretManagerTestCase {
 
 func makeValidRef() *esv1beta1.ExternalSecretDataRemoteRef {
 	return &esv1beta1.ExternalSecretDataRemoteRef{
-		Key:     "test-secret",
+		Key:     secretKey,
 		Version: "default",
 	}
 }
@@ -75,7 +76,7 @@ func makeValidRef() *esv1beta1.ExternalSecretDataRemoteRef {
 func makeValidAPIInput() *sm.GetSecretOptions {
 	return &sm.GetSecretOptions{
 		SecretType: core.StringPtr(sm.GetSecretOptionsSecretTypeArbitraryConst),
-		ID:         utilpointer.StringPtr("test-secret"),
+		ID:         utilpointer.StringPtr(secretKey),
 	}
 }
 
@@ -239,69 +240,44 @@ func TestIBMSecretManagerGetSecret(t *testing.T) {
 		smtc.expectedSecret = secretAPIKey
 	}
 
-	// good case: imported_cert type with property
-	secretCert := "imported_cert/test-secret"
-	setSecretCert := func(smtc *secretManagerTestCase) {
-		resources := []sm.SecretResourceIntf{
-			&sm.SecretResource{
-				SecretType: utilpointer.StringPtr(sm.CreateSecretOptionsSecretTypeImportedCertConst),
-				Name:       utilpointer.StringPtr("testyname"),
-				SecretData: secretData,
-			}}
-
-		smtc.apiInput.SecretType = core.StringPtr(sm.CreateSecretOptionsSecretTypeImportedCertConst)
-		smtc.apiOutput.Resources = resources
-		smtc.ref.Key = secretCert
-		smtc.ref.Property = "certificate"
-		smtc.expectedSecret = secretCertificate
+	funcSetCertSecretTest := func(certType string, good bool) func(*secretManagerTestCase) {
+		return func(smtc *secretManagerTestCase) {
+			resources := []sm.SecretResourceIntf{
+				&sm.SecretResource{
+					SecretType: utilpointer.StringPtr(certType),
+					Name:       utilpointer.StringPtr("testyname"),
+					SecretData: secretData,
+				}}
+
+			smtc.apiInput.SecretType = core.StringPtr(certType)
+			smtc.apiOutput.Resources = resources
+			smtc.ref.Key = certType + "/" + secretKey
+			if good {
+				smtc.ref.Property = "certificate"
+				smtc.expectedSecret = secretCertificate
+			} else {
+				smtc.expectError = "remoteRef.property required for secret type " + certType
+			}
+		}
 	}
 
-	// bad case: imported_cert type without property
-	badSecretCert := func(smtc *secretManagerTestCase) {
-		resources := []sm.SecretResourceIntf{
-			&sm.SecretResource{
-				SecretType: utilpointer.StringPtr(sm.CreateSecretOptionsSecretTypeImportedCertConst),
-				Name:       utilpointer.StringPtr("testyname"),
-				SecretData: secretData,
-			}}
+	// good case: imported_cert type with property
+	setSecretCert := funcSetCertSecretTest(sm.CreateSecretOptionsSecretTypeImportedCertConst, true)
 
-		smtc.apiInput.SecretType = core.StringPtr(sm.CreateSecretOptionsSecretTypeImportedCertConst)
-		smtc.apiOutput.Resources = resources
-		smtc.ref.Key = secretCert
-		smtc.expectError = "remoteRef.property required for secret type imported_cert"
-	}
+	// bad case: imported_cert type without property
+	badSecretCert := funcSetCertSecretTest(sm.CreateSecretOptionsSecretTypeImportedCertConst, false)
 
 	// good case: public_cert type with property
-	secretPublicCert := "public_cert/test-secret"
-	setSecretPublicCert := func(smtc *secretManagerTestCase) {
-		resources := []sm.SecretResourceIntf{
-			&sm.SecretResource{
-				SecretType: utilpointer.StringPtr(sm.CreateSecretOptionsSecretTypePublicCertConst),
-				Name:       utilpointer.StringPtr("testyname"),
-				SecretData: secretData,
-			}}
-
-		smtc.apiInput.SecretType = core.StringPtr(sm.CreateSecretOptionsSecretTypePublicCertConst)
-		smtc.apiOutput.Resources = resources
-		smtc.ref.Key = secretPublicCert
-		smtc.ref.Property = "certificate"
-		smtc.expectedSecret = secretCertificate
-	}
+	setSecretPublicCert := funcSetCertSecretTest(sm.CreateSecretOptionsSecretTypePublicCertConst, true)
 
 	// bad case: public_cert type without property
-	badSecretPublicCert := func(smtc *secretManagerTestCase) {
-		resources := []sm.SecretResourceIntf{
-			&sm.SecretResource{
-				SecretType: utilpointer.StringPtr(sm.CreateSecretOptionsSecretTypePublicCertConst),
-				Name:       utilpointer.StringPtr("testyname"),
-				SecretData: secretData,
-			}}
+	badSecretPublicCert := funcSetCertSecretTest(sm.CreateSecretOptionsSecretTypePublicCertConst, false)
 
-		smtc.apiInput.SecretType = core.StringPtr(sm.CreateSecretOptionsSecretTypePublicCertConst)
-		smtc.apiOutput.Resources = resources
-		smtc.ref.Key = secretPublicCert
-		smtc.expectError = "remoteRef.property required for secret type public_cert"
-	}
+	// good case: private_cert type with property
+	setSecretPrivateCert := funcSetCertSecretTest(sm.CreateSecretOptionsSecretTypePrivateCertConst, true)
+
+	// bad case: private_cert type without property
+	badSecretPrivateCert := funcSetCertSecretTest(sm.CreateSecretOptionsSecretTypePrivateCertConst, false)
 
 	secretDataKV := make(map[string]interface{})
 	secretKVPayload := make(map[string]interface{})
@@ -428,6 +404,8 @@ func TestIBMSecretManagerGetSecret(t *testing.T) {
 		makeValidSecretManagerTestCaseCustom(badSecretKV),
 		makeValidSecretManagerTestCaseCustom(setSecretPublicCert),
 		makeValidSecretManagerTestCaseCustom(badSecretPublicCert),
+		makeValidSecretManagerTestCaseCustom(setSecretPrivateCert),
+		makeValidSecretManagerTestCaseCustom(badSecretPrivateCert),
 	}
 
 	sm := providerIBM{}
@@ -529,49 +507,35 @@ func TestGetSecretMap(t *testing.T) {
 		smtc.expectedData["apikey"] = []byte(secretAPIKey)
 	}
 
-	// good case: imported_cert
-	setSecretCert := func(smtc *secretManagerTestCase) {
-		secretData := make(map[string]interface{})
-		secretData["certificate"] = secretCertificate
-		secretData["private_key"] = secretPrivateKey
-		secretData["intermediate"] = secretIntermediate
-
-		resources := []sm.SecretResourceIntf{
-			&sm.SecretResource{
-				SecretType: utilpointer.StringPtr(sm.CreateSecretOptionsSecretTypeImportedCertConst),
-				Name:       utilpointer.StringPtr("testyname"),
-				SecretData: secretData,
-			}}
-
-		smtc.apiInput.SecretType = core.StringPtr(sm.CreateSecretOptionsSecretTypeImportedCertConst)
-		smtc.apiOutput.Resources = resources
-		smtc.ref.Key = "imported_cert/test-secret"
-		smtc.expectedData["certificate"] = []byte(secretCertificate)
-		smtc.expectedData["private_key"] = []byte(secretPrivateKey)
-		smtc.expectedData["intermediate"] = []byte(secretIntermediate)
+	funcCertTest := func(certType string) func(*secretManagerTestCase) {
+		return func(smtc *secretManagerTestCase) {
+			secretData := make(map[string]interface{})
+			secretData["certificate"] = secretCertificate
+			secretData["private_key"] = secretPrivateKey
+			secretData["intermediate"] = secretIntermediate
+
+			resources := []sm.SecretResourceIntf{
+				&sm.SecretResource{
+					SecretType: utilpointer.StringPtr(certType),
+					Name:       utilpointer.StringPtr("testyname"),
+					SecretData: secretData,
+				}}
+
+			smtc.apiInput.SecretType = core.StringPtr(certType)
+			smtc.apiOutput.Resources = resources
+			smtc.ref.Key = certType + "/test-secret"
+			smtc.expectedData["certificate"] = []byte(secretCertificate)
+			smtc.expectedData["private_key"] = []byte(secretPrivateKey)
+			smtc.expectedData["intermediate"] = []byte(secretIntermediate)
+		}
 	}
 
+	// good case: imported_cert
+	setSecretCert := funcCertTest(sm.CreateSecretOptionsSecretTypeImportedCertConst)
 	// good case: public_cert
-	setSecretPublicCert := func(smtc *secretManagerTestCase) {
-		secretData := make(map[string]interface{})
-		secretData["certificate"] = secretCertificate
-		secretData["private_key"] = secretPrivateKey
-		secretData["intermediate"] = secretIntermediate
-
-		resources := []sm.SecretResourceIntf{
-			&sm.SecretResource{
-				SecretType: utilpointer.StringPtr(sm.CreateSecretOptionsSecretTypePublicCertConst),
-				Name:       utilpointer.StringPtr("testyname"),
-				SecretData: secretData,
-			}}
-
-		smtc.apiInput.SecretType = core.StringPtr(sm.CreateSecretOptionsSecretTypePublicCertConst)
-		smtc.apiOutput.Resources = resources
-		smtc.ref.Key = "public_cert/test-secret"
-		smtc.expectedData["certificate"] = []byte(secretCertificate)
-		smtc.expectedData["private_key"] = []byte(secretPrivateKey)
-		smtc.expectedData["intermediate"] = []byte(secretIntermediate)
-	}
+	setSecretPublicCert := funcCertTest(sm.CreateSecretOptionsSecretTypePublicCertConst)
+	// good case: public_cert
+	setSecretPrivateCert := funcCertTest(sm.CreateSecretOptionsSecretTypePrivateCertConst)
 
 	// good case: kv, no property, return entire payload as key:value pairs
 	setSecretKV := func(smtc *secretManagerTestCase) {
@@ -664,6 +628,7 @@ func TestGetSecretMap(t *testing.T) {
 		makeValidSecretManagerTestCaseCustom(setSecretKVWithPathAndProperty),
 		makeValidSecretManagerTestCaseCustom(badSecretKVWithUnknownProperty),
 		makeValidSecretManagerTestCaseCustom(setSecretPublicCert),
+		makeValidSecretManagerTestCaseCustom(setSecretPrivateCert),
 	}
 
 	sm := providerIBM{}