
feat: support override IAM endpoint in IBM provider for APIkey auth (#5550)

* feat: support override IAM endpoint in IBM provider for APIkey auth

Issues: external-secrets/external-secrets/issues/2963

Signed-off-by: Fidel Ruiz <fidelruiz1617@gmail.com>

* feat: support override IAM endpoint in IBM provider for APIkey auth

Issues: external-secrets/external-secrets/issues/2963

Signed-off-by: Fidel Ruiz <fidelruiz1617@gmail.com>

* run make check-diff

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

On-behalf-of: Gergely Brautigam <gergely.brautigam@sap.com>

---------

Signed-off-by: Fidel Ruiz <fidelruiz1617@gmail.com>
Co-authored-by: Fidel Ruiz <fidel.ruiz@ibm.com>
Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Co-authored-by: Gergely Brautigam <skarlso777@gmail.com>
Fidel Ruiz 5 months ago
parent
commit
db0c841ecd

+ 3 - 0
apis/externalsecrets/v1/secretstore_ibm_types.go

@@ -42,6 +42,9 @@ type IBMAuth struct {
 type IBMAuthSecretRef struct {
 	// The SecretAccessKey is used for authentication
 	SecretAPIKey esmeta.SecretKeySelector `json:"secretApiKeySecretRef,omitempty"`
+
+	// The IAM endpoint used to obain a token
+	IAMEndpoint string `json:"iamEndpoint,omitempty"`
 }
 
 // IBMAuthContainerAuth defines container-based authentication with IAM Trusted Profile.
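Review bot: The doc comment on the new IAMEndpoint field misspells "obtain" as "obain", and because controller-gen copies it verbatim the same typo lands in both CRD bases, deploy/crds/bundle.yaml and docs/api/spec.md; fixing it here and regenerating clears all of them. The comment also omits what a store author most needs to know: that the API key is presented to this endpoint to obtain a token and that it falls back to https://iam.cloud.ibm.com (the iamDefaultEndpoint constant in provider.go) when empty, so whoever can edit the store decides where the credential is sent. I would write `// IAMEndpoint overrides the IAM endpoint the API key is exchanged against for a token; defaults to https://iam.cloud.ibm.com when empty.` and, since no validation marker constrains the value, add `// +kubebuilder:validation:Pattern=^https://` so the API server rejects plaintext or malformed endpoints at admission rather than at first token request.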

+ 3 - 0
config/crds/bases/external-secrets.io_clustersecretstores.yaml

@@ -2320,6 +2320,9 @@ spec:
                             description: IBMAuthSecretRef contains the secret reference
                               for IBM Cloud API key authentication.
                             properties:
+                              iamEndpoint:
+                                description: The IAM endpoint used to obain a token
+                                type: string
                               secretApiKeySecretRef:
                                 description: The SecretAccessKey is used for authentication
                                 properties:

+ 3 - 0
config/crds/bases/external-secrets.io_secretstores.yaml

@@ -2320,6 +2320,9 @@ spec:
                             description: IBMAuthSecretRef contains the secret reference
                               for IBM Cloud API key authentication.
                             properties:
+                              iamEndpoint:
+                                description: The IAM endpoint used to obain a token
+                                type: string
                               secretApiKeySecretRef:
                                 description: The SecretAccessKey is used for authentication
                                 properties:

+ 6 - 0
deploy/crds/bundle.yaml

@@ -4238,6 +4238,9 @@ spec:
                             secretRef:
                               description: IBMAuthSecretRef contains the secret reference for IBM Cloud API key authentication.
                               properties:
+                                iamEndpoint:
+                                  description: The IAM endpoint used to obain a token
+                                  type: string
                                 secretApiKeySecretRef:
                                   description: The SecretAccessKey is used for authentication
                                   properties:
@@ -15551,6 +15554,9 @@ spec:
                             secretRef:
                               description: IBMAuthSecretRef contains the secret reference for IBM Cloud API key authentication.
                               properties:
+                                iamEndpoint:
+                                  description: The IAM endpoint used to obain a token
+                                  type: string
                                 secretApiKeySecretRef:
                                   description: The SecretAccessKey is used for authentication
                                   properties:

+ 11 - 0
docs/api/spec.md

@@ -6113,6 +6113,17 @@ External Secrets meta/v1.SecretKeySelector
 <p>The SecretAccessKey is used for authentication</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>iamEndpoint</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>The IAM endpoint used to obain a token</p>
+</td>
+</tr>
 </tbody>
 </table>
 <h3 id="external-secrets.io/v1.IBMProvider">IBMProvider

+ 1 - 0
docs/snippets/ibm-secret-store.yaml

@@ -15,3 +15,4 @@ spec:
           secretApiKeySecretRef:
             name: ibm-secret
             key: apiKey
+          iamEndpoint: "https://iam.cloud.ibm.com"

+ 9 - 1
providers/v1/ibm/provider.go

@@ -62,6 +62,8 @@ const (
 	errNotImplemented           = "not implemented"
 	errKeyDoesNotExist          = "key %s does not exist in secret %s"
 	errFieldIsEmpty             = "warn: %s is empty for secret %s\n"
+
+	iamDefaultEndpoint = "https://iam.cloud.ibm.com"
 )
 
 var contextTimeout = time.Minute * 2
@@ -666,7 +668,7 @@ func (ibm *providerIBM) NewClient(ctx context.Context, store esv1.GenericStore,
 		}
 		if containerAuthEndpoint == "" {
 			// API default path
-			containerAuthEndpoint = "https://iam.cloud.ibm.com"
+			containerAuthEndpoint = iamDefaultEndpoint
 		}
 
 		authenticator, err := core.NewContainerAuthenticatorBuilder().
@@ -690,10 +692,16 @@ func (ibm *providerIBM) NewClient(ctx context.Context, store esv1.GenericStore,
 			return nil, err
 		}
 
+		iamEndpoint := iStore.store.Auth.SecretRef.IAMEndpoint
+		if iamEndpoint == "" {
+			// API default path
+			iamEndpoint = iamDefaultEndpoint
+		}
 		secretsManager, err = sm.NewSecretsManagerV2(&sm.SecretsManagerV2Options{
 			URL: *storeSpec.Provider.IBM.ServiceURL,
 			Authenticator: &core.IamAuthenticator{
 				ApiKey: string(iStore.credentials),
+				URL:    iamEndpoint,
 			},
 		})
 	}
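Review bot: The override read from iStore.store.Auth.SecretRef.IAMEndpoint is handed straight to core.IamAuthenticator.URL with no check that it is a well-formed https URL, whereas an empty value is caught and replaced by iamDefaultEndpoint; a malformed or http:// value would only surface as a token-request failure at first use. A scheme check beside the default, `} else if u, err := url.Parse(iamEndpoint); err != nil || u.Scheme != "https" || u.Host == "" {` followed by `return nil, fmt.Errorf("invalid iamEndpoint %q: must be an https URL", iamEndpoint)`, rejects it when the client is built (net/url would need importing; fmt is presumably already imported given the %s error constants above). The same rule belongs in ValidateStore so the problem is reported at store admission instead of at the first secret fetch, though that function is outside this diff. The default-filling block also duplicates the containerAuthEndpoint fallback in the previous hunk; a small helper such as `endpointOrDefault(s string) string` would serve both. NewClient starts and ends outside the hunk.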

+ 1 - 0
providers/v1/ibm/provider_test.go

@@ -178,6 +178,7 @@ func TestValidateStore(t *testing.T) {
 			Key:       "bar",
 			Namespace: &ns,
 		},
+		IAMEndpoint: "https://iam.cloud.ibm.com",
 	}
 	_, err = p.ValidateStore(store)
 	if err == nil {
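Review bot: The added IAMEndpoint value only rides along in a store that the following assertion expects ValidateStore to reject for other reasons, so nothing exercises the new override path in NewClient, where a configured endpoint should win over iamDefaultEndpoint and an empty one should fall back to it. A case that builds the client with IAMEndpoint set and, if the test package can reach the authenticator, asserts its URL, plus one with the field unset, would pin that behaviour. TestValidateStore begins before this hunk.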

+ 1 - 0
tests/__snapshot__/clustersecretstore-v1.yaml

@@ -358,6 +358,7 @@ spec:
           profile: string
           tokenLocation: string
         secretRef:
+          iamEndpoint: string
           secretApiKeySecretRef:
             key: string
             name: string

+ 1 - 0
tests/__snapshot__/secretstore-v1.yaml

@@ -358,6 +358,7 @@ spec:
           profile: string
           tokenLocation: string
         secretRef:
+          iamEndpoint: string
           secretApiKeySecretRef:
             key: string
             name: string