
test: e2e test setup for azure

ric 4 years ago
parent
commit
e4e90123b3
5 changed files with 218 additions and 0 deletions
  1. 4 0
      e2e/run.sh
  2. 130 0
      e2e/suite/azure/azure.go
  3. 82 0
      e2e/suite/azure/util.go
  4. 1 0
      e2e/suite/import.go
  5. 1 0
      go.mod

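--- a/e2e/run.sh
+++ b/e2e/run.sh
@@ -53,5 +53,9 @@ kubectl run --rm \
   --restart=Never \
   --env="FOCUS=${FOCUS}" \
   --env="GCP_SM_SA_JSON=${GCP_SM_SA_JSON}" \
+  --env="AZURE_CLIENT_ID=${AZURE_CLIENT_ID}" \
+  --env="AZURE_CLIENT_SECRET=${AZURE_CLIENT_SECRET}" \
+  --env="TENANT_ID=${TENANT_ID}" \
+  --env="VAULT_URL=${VAULT_URL}" \
   --overrides='{ "apiVersion": "v1", "spec":{"serviceAccountName": "external-secrets-e2e"}}' \
   e2e --image=local/external-secrets-e2e:test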
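Review bot: The four new `--env` flags put `AZURE_CLIENT_SECRET` into the pod spec of the `kubectl run` pod, where it is readable by anyone with get-pod access in that namespace and is captured in API audit logs; the existing `GCP_SM_SA_JSON` line already accepts the same exposure, so this is a pre-existing pattern rather than a regression, but a comment such as `# credentials are injected as plain env vars; the e2e namespace is assumed to be throwaway` would make the trade-off explicit. Naming within the new set is inconsistent: `TENANT_ID` and `VAULT_URL` lack the `AZURE_` prefix the other two carry, so a reader of the suite's os.Getenv calls gets no hint they belong to Azure; `AZURE_TENANT_ID`/`AZURE_VAULT_URL` (changed here and in azure.go together) would group them clearly. The `kubectl run` invocation starts above the hunk, so I cannot tell whether the script runs under `set -u`; if it does not, an unset variable is silently expanded to an empty string on these lines and only surfaces later as an SDK error.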

+ 130 - 0
e2e/suite/azure/azure.go

@@ -0,0 +1,130 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+limitations under the License.
+*/
+package azure
+
+import (
+	"context"
+	"fmt"
+	"os"
+
+	// nolint
+	. "github.com/onsi/ginkgo"
+	// nolint
+	. "github.com/onsi/gomega"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+	"github.com/external-secrets/external-secrets/e2e/framework"
+)
+
+const (
+	targetSecret = "target-secret"
+)
+
+var _ = Describe("[azure] ", func() {
+	f := framework.New("eso-azure")
+	var secretStore *esv1alpha1.SecretStore
+	vaultURL := os.Getenv("VAULT_URL")
+	tenantID := os.Getenv("TENANT_ID")
+	clientID := os.Getenv("AZURE_CLIENT_ID")
+	clientSecret := os.Getenv("AZURE_CLIENT_SECRET")
+	BeforeEach(func() {
+		By("creating a secret in AzureKV")
+		azureCreds := &v1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      f.Namespace.Name,
+				Namespace: f.Namespace.Name,
+			},
+			StringData: map[string]string{
+				"ClientID":     clientID,
+				"ClientSecret": clientSecret,
+			},
+		}
+		err := f.CRClient.Create(context.Background(), azureCreds)
+		Expect(err).ToNot(HaveOccurred())
+		secretStore = &esv1alpha1.SecretStore{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      f.Namespace.Name,
+				Namespace: f.Namespace.Name,
+			},
+			Spec: esv1alpha1.SecretStoreSpec{
+				Provider: &esv1alpha1.SecretStoreProvider{
+					AzureKV: &esv1alpha1.AzureKVProvider{
+						TenantID: &tenantID,
+						VaultURL: &vaultURL,
+						AuthSecretRef: &esv1alpha1.AzureKVAuth{
+							ClientID: &esmeta.SecretKeySelector{
+								Name: f.Namespace.Name,
+								Key:  "ClientID",
+							},
+							ClientSecret: &esmeta.SecretKeySelector{
+								Name: f.Namespace.Name,
+								Key:  "ClientSecret",
+							},
+						},
+					},
+				},
+			},
+		}
+		err = f.CRClient.Create(context.Background(), secretStore)
+		Expect(err).ToNot(HaveOccurred())
+	})
+
+	It("should sync secrets", func() {
+		By("creating a AzureKV Secret")
+		secretKey1 := fmt.Sprintf("%s-%s", f.Namespace.Name, "one")
+		secretValue := "great-value-test"
+		_, err := createAzureKVSecret(
+			secretKey1,
+			secretValue,
+			clientID,
+			clientSecret,
+			tenantID,
+			vaultURL)
+		Expect(err).ToNot(HaveOccurred())
+		err = f.CRClient.Create(context.Background(), &esv1alpha1.ExternalSecret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "simple-sync",
+				Namespace: f.Namespace.Name,
+			},
+			Spec: esv1alpha1.ExternalSecretSpec{
+				SecretStoreRef: esv1alpha1.SecretStoreRef{
+					Name: f.Namespace.Name,
+				},
+				Target: esv1alpha1.ExternalSecretTarget{
+					Name: targetSecret,
+				},
+				Data: []esv1alpha1.ExternalSecretData{
+					{
+						SecretKey: secretKey1,
+						RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
+							Key: secretKey1,
+						},
+					},
+				},
+			},
+		})
+		Expect(err).ToNot(HaveOccurred())
+
+		_, err = f.WaitForSecretValue(f.Namespace.Name, targetSecret, map[string][]byte{
+			secretKey1: []byte(secretValue),
+		})
+		Expect(err).ToNot(HaveOccurred())
+
+		err = deleteAzureKVSecret(secretKey1, clientID, clientSecret, tenantID, vaultURL)
+		Expect(err).ToNot(HaveOccurred())
+	})
+
+})
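Review bot: The AzureKV secret created at the top of the It block is only removed on the happy path, because every `Expect(err).ToNot(HaveOccurred())` between `createAzureKVSecret` and the trailing `deleteAzureKVSecret` aborts the spec and skips the delete, so a failing run leaves `<namespace>-one` behind in the vault and the next run against the same vault starts dirty. Register the cleanup immediately after the create instead, e.g. `defer func() { Expect(deleteAzureKVSecret(secretKey1, clientID, clientSecret, tenantID, vaultURL)).To(Succeed()) }()`, or move it into an AfterEach that captures secretKey1. The four values read with os.Getenv at suite-construction time are never validated, so an unset `VAULT_URL` or `TENANT_ID` only shows up as an opaque error from SetSecret; `Expect(vaultURL).ToNot(BeEmpty())` (and likewise for the other three) in BeforeEach would fail with a clear message. The `By("creating a secret in AzureKV")` label in BeforeEach is inaccurate — that step creates the Kubernetes Secret holding the client credentials — so `By("creating a kubernetes secret with the AzureKV client credentials")` would describe it correctly.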

+ 82 - 0
e2e/suite/azure/util.go

@@ -0,0 +1,82 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+limitations under the License.
+*/
+package azure
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/Azure/azure-sdk-for-go/profiles/latest/keyvault/keyvault"
+	kvauth "github.com/Azure/go-autorest/autorest/azure/auth"
+	utilpointer "k8s.io/utils/pointer"
+)
+
+// CreateAWSSecretsManagerSecret creates a sm secret with the given value.
+func createAzureKVSecret(secretName, secretValue, clientID, clientSecret, tenantID, vaultURL string) (result keyvault.SecretBundle, err error) {
+	ctx := context.Background()
+
+	clientCredentialsConfig := kvauth.NewClientCredentialsConfig(clientID, clientSecret, tenantID)
+	clientCredentialsConfig.Resource = "https://vault.azure.net"
+	authorizer, err := clientCredentialsConfig.Authorizer()
+	if err != nil {
+		return keyvault.SecretBundle{}, fmt.Errorf("could not configure azure authorizer: %w", err)
+	}
+
+	basicClient := keyvault.New()
+	basicClient.Authorizer = authorizer
+	deletionRecoveryLevel := keyvault.Purgeable
+	result, err = basicClient.SetSecret(
+		ctx,
+		vaultURL,
+		secretName,
+		keyvault.SecretSetParameters{
+			Value: &secretValue,
+			SecretAttributes: &keyvault.SecretAttributes{
+				RecoveryLevel: deletionRecoveryLevel,
+				Enabled:       utilpointer.BoolPtr(true),
+			},
+		})
+	if err != nil {
+		return keyvault.SecretBundle{}, fmt.Errorf("could not create secret key %s: %w", secretName, err)
+	}
+
+	return result, err
+}
+
+// deleteSecret deletes the secret with the given name and all of its versions.
+func deleteAzureKVSecret(secretName, clientID, clientSecret, tenantID, vaultURL string) error {
+	ctx := context.Background()
+
+	clientCredentialsConfig := kvauth.NewClientCredentialsConfig(clientID, clientSecret, tenantID)
+	clientCredentialsConfig.Resource = "https://vault.azure.net"
+	authorizer, err := clientCredentialsConfig.Authorizer()
+	if err != nil {
+		return fmt.Errorf("could not configure azure authorizer: %w", err)
+	}
+
+	basicClient := keyvault.New()
+	basicClient.Authorizer = authorizer
+
+	_, err = basicClient.DeleteSecret(
+		ctx,
+		vaultURL,
+		secretName)
+	if err != nil {
+		return fmt.Errorf("could not delete secret: %w", err)
+	}
+
+	if err != nil {
+		return fmt.Errorf("could not purge secret: %w", err)
+	}
+	return err
+}
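Review bot: The second `if err != nil` in deleteAzureKVSecret (the "could not purge secret" branch) is dead code: `err` was already checked and is nil when it is reached, so nothing is ever purged and the function just returns nil. Either drop that block and `return nil`, or make it real by calling `_, err = basicClient.PurgeDeletedSecret(ctx, vaultURL, secretName)` before it (which also needs the purge permission on the service principal); this matters because `RecoveryLevel` in SecretAttributes is, as far as I know, an attribute reported by the service rather than honoured on write, so on a vault with soft-delete enabled `DeleteSecret` leaves a recoverable copy and a later run re-creating the same name can fail. The doc comment on createAzureKVSecret names `CreateAWSSecretsManagerSecret` and the one on deleteAzureKVSecret names `deleteSecret`; both should start with the function's actual name, e.g. `// createAzureKVSecret creates the named secret with the given value in the Key Vault at vaultURL.` The authorizer-plus-client setup is duplicated line for line across the two functions and would read better as a small `newKeyVaultClient(clientID, clientSecret, tenantID)` helper returning the configured `keyvault.BaseClient`.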

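--- a/e2e/suite/import.go
+++ b/e2e/suite/import.go
@@ -17,6 +17,7 @@ import (
 
 	// import different e2e test suites.
 	_ "github.com/external-secrets/external-secrets/e2e/suite/aws"
+	_ "github.com/external-secrets/external-secrets/e2e/suite/azure"
 	_ "github.com/external-secrets/external-secrets/e2e/suite/gcp"
 	_ "github.com/external-secrets/external-secrets/e2e/suite/vault"
 )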

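--- a/go.mod
+++ b/go.mod
@@ -73,6 +73,7 @@ require (
 	k8s.io/api v0.21.2
 	k8s.io/apimachinery v0.21.2
 	k8s.io/client-go v0.21.2
+	k8s.io/utils v0.0.0-20210527160623-6fdb442a123b
 	sigs.k8s.io/controller-runtime v0.9.2
 	sigs.k8s.io/controller-tools v0.5.0
 )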