feat: Add support for container auth to IBM provider. (#1177)

apis/externalsecrets/v1beta1/secretstore_ibm_types.go

@@ -28,12 +28,25 @@ type IBMProvider struct {
 	ServiceURL *string `json:"serviceUrl,omitempty"`
 }
 
+// +kubebuilder:validation:MinProperties=1
+// +kubebuilder:validation:MaxProperties=1
 type IBMAuth struct {
-	SecretRef IBMAuthSecretRef `json:"secretRef"`
+	SecretRef     IBMAuthSecretRef     `json:"secretRef,omitempty"`
+	ContainerAuth IBMAuthContainerAuth `json:"containerAuth,omitempty"`
 }
 
 type IBMAuthSecretRef struct {
 	// The SecretAccessKey is used for authentication
-	// +optional
 	SecretAPIKey esmeta.SecretKeySelector `json:"secretApiKeySecretRef,omitempty"`
 }
+
+// IBM Container-based auth with IAM Trusted Profile.
+type IBMAuthContainerAuth struct {
+	// the IBM Trusted Profile
+	Profile string `json:"profile"`
+
+	// Location the token is mounted on the pod
+	TokenLocation string `json:"tokenLocation,omitempty"`
+
+	IAMEndpoint string `json:"iamEndpoint,omitempty"`
+}

apis/externalsecrets/v1beta1/zz_generated.deepcopy.go

@@ -1035,6 +1035,7 @@ func (in *GitlabSecretRef) DeepCopy() *GitlabSecretRef {
 func (in *IBMAuth) DeepCopyInto(out *IBMAuth) {
 	*out = *in
 	in.SecretRef.DeepCopyInto(&out.SecretRef)
+	out.ContainerAuth = in.ContainerAuth
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IBMAuth.
@@ -1048,6 +1049,21 @@ func (in *IBMAuth) DeepCopy() *IBMAuth {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IBMAuthContainerAuth) DeepCopyInto(out *IBMAuthContainerAuth) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IBMAuthContainerAuth.
+func (in *IBMAuthContainerAuth) DeepCopy() *IBMAuthContainerAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(IBMAuthContainerAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IBMAuthSecretRef) DeepCopyInto(out *IBMAuthSecretRef) {
 	*out = *in
 	in.SecretAPIKey.DeepCopyInto(&out.SecretAPIKey)

config/crds/bases/external-secrets.io_clustersecretstores.yaml

@@ -1905,7 +1905,25 @@ spec:
                       auth:
                         description: Auth configures how secret-manager authenticates
                           with the IBM secrets manager.
+                        maxProperties: 1
+                        minProperties: 1
                         properties:
+                          containerAuth:
+                            description: IBM Container-based auth with IAM Trusted
+                              Profile.
+                            properties:
+                              iamEndpoint:
+                                type: string
+                              profile:
+                                description: the IBM Trusted Profile
+                                type: string
+                              tokenLocation:
+                                description: Location the token is mounted on the
+                                  pod
+                                type: string
+                            required:
+                            - profile
+                            type: object
                           secretRef:
                             properties:
                               secretApiKeySecretRef:
@@ -1929,8 +1947,6 @@ spec:
                                     type: string
                                 type: object
                             type: object
-                        required:
-                        - secretRef
                         type: object
                       serviceUrl:
                         description: ServiceURL is the Endpoint URL that is specific

config/crds/bases/external-secrets.io_secretstores.yaml

@@ -1905,7 +1905,25 @@ spec:
                       auth:
                         description: Auth configures how secret-manager authenticates
                           with the IBM secrets manager.
+                        maxProperties: 1
+                        minProperties: 1
                         properties:
+                          containerAuth:
+                            description: IBM Container-based auth with IAM Trusted
+                              Profile.
+                            properties:
+                              iamEndpoint:
+                                type: string
+                              profile:
+                                description: the IBM Trusted Profile
+                                type: string
+                              tokenLocation:
+                                description: Location the token is mounted on the
+                                  pod
+                                type: string
+                            required:
+                            - profile
+                            type: object
                           secretRef:
                             properties:
                               secretApiKeySecretRef:
@@ -1929,8 +1947,6 @@ spec:
                                     type: string
                                 type: object
                             type: object
-                        required:
-                        - secretRef
                         type: object
                       serviceUrl:
                         description: ServiceURL is the Endpoint URL that is specific

deploy/crds/bundle.yaml

@@ -1771,7 +1771,23 @@ spec:
                       properties:
                         auth:
                           description: Auth configures how secret-manager authenticates with the IBM secrets manager.
+                          maxProperties: 1
+                          minProperties: 1
                           properties:
+                            containerAuth:
+                              description: IBM Container-based auth with IAM Trusted Profile.
+                              properties:
+                                iamEndpoint:
+                                  type: string
+                                profile:
+                                  description: the IBM Trusted Profile
+                                  type: string
+                                tokenLocation:
+                                  description: Location the token is mounted on the pod
+                                  type: string
+                              required:
+                                - profile
+                              type: object
                             secretRef:
                               properties:
                                 secretApiKeySecretRef:
@@ -1788,8 +1804,6 @@ spec:
                                       type: string
                                   type: object
                               type: object
-                          required:
-                            - secretRef
                           type: object
                         serviceUrl:
                           description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
@@ -4457,7 +4471,23 @@ spec:
                       properties:
                         auth:
                           description: Auth configures how secret-manager authenticates with the IBM secrets manager.
+                          maxProperties: 1
+                          minProperties: 1
                           properties:
+                            containerAuth:
+                              description: IBM Container-based auth with IAM Trusted Profile.
+                              properties:
+                                iamEndpoint:
+                                  type: string
+                                profile:
+                                  description: the IBM Trusted Profile
+                                  type: string
+                                tokenLocation:
+                                  description: Location the token is mounted on the pod
+                                  type: string
+                              required:
+                                - profile
+                              type: object
                             secretRef:
                               properties:
                                 secretApiKeySecretRef:
@@ -4474,8 +4504,6 @@ spec:
                                       type: string
                                   type: object
                               type: object
-                          required:
-                            - secretRef
                           type: object
                         serviceUrl:
                           description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance

docs/provider-ibm-secrets-manager.md

@@ -4,7 +4,11 @@ External Secrets Operator integrates with [IBM Secret Manager](https://www.ibm.c
 
 ### Authentication
 
-At the moment, we only support API key authentication for this provider. To generate your key (for test purposes we are going to generate from your user), first got to your (Access IAM) page:
+We support API key and trusted profile container authentication for this provider.
+
+#### API key secret
+
+To generate your key (for test purposes we are going to generate from your user), first got to your (Access IAM) page:
 
 ![iam](./pictures/screenshot_api_keys_iam.png)
 
@@ -24,16 +28,68 @@ You have created a key. Press the eyeball to show the key. Copy or save it becau
 
 ![iam-create-success](./pictures/screenshot_api_keys_create_successful.png)
 
-
-
-#### API key secret
-
 Create a secret containing your apiKey:
 
 ```shell
 kubectl create secret generic ibm-secret --from-literal=apiKey='API_KEY_VALUE'
 ```
 
+#### Trusted Profile Container Auth
+
+To create the trusted profile, first got to your (Access IAM) page:
+
+![iam](./pictures/screenshot_api_keys_iam.png)
+
+On the left, click "Access groups":
+
+![iam-left](./pictures/screenshot_container_auth_create_group.png)
+
+Pick a name and description for your group:
+
+![iam-left](./pictures/screenshot_container_auth_create_group_1.png)
+
+Click on "Access Policies":
+
+![iam-left](./pictures/screenshot_container_auth_create_group_2.png)
+
+Click on "Assign Access", select "IAM services", and pick "Secrets Manager" from the pick-list:
+
+![iam-left](./pictures/screenshot_container_auth_create_group_3.png)
+
+Scope to "All resources" or "Resources based on selected attributes", select "SecretsReader":
+
+![iam-left](./pictures/screenshot_container_auth_create_group_4.png)
+
+Click "Add" and "Assign" to save the access group.
+
+Next, on the left, click "Trusted profiles":
+
+![iam-left](./pictures/screenshot_container_auth_iam_left.png)
+
+Press "Create":
+
+![iam-create-button](./pictures/screenshot_container_auth_create_button.png)
+
+Pick a name and description for your profile:
+
+![iam-create-key](./pictures/screenshot_container_auth_create_1.png)
+
+Scope the profile's access.
+
+The compute service type will be "Red Hat OpenShift on IBM Cloud".  Additional restriction can be configured based on cloud or cluster metadata, or if "Specific resources" is selected, restriction to a specific cluster.
+
+![iam-create-key](./pictures/screenshot_container_auth_create_2.png)
+
+Click "Add" next to the previously created access group and then "Create", to associate the necessary service permissions.
+
+![iam-create-key](./pictures/screenshot_container_auth_create_3.png)
+
+To use the container-based authentication, it is necessary to map the API server `serviceAccountToken` auth token to the "external-secrets" and "external-secrets-webhook" deployment descriptors. Example below:
+
+```yaml
+{% include 'ibm-container-auth-volume.yaml' %}
+```
+
 ### Update secret store
 Be sure the `ibm` provider is listed in the `Kind=SecretStore`
 
@@ -42,6 +98,9 @@ Be sure the `ibm` provider is listed in the `Kind=SecretStore`
 ```
 **NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in `secretApiKeySecretRef` with the namespace where the secret resides.
 
+**NOTE:** Only `secretApiKeySecretRef` or `containerAuth` should be specified, depending on authentication me
+thod being used.
+
 To find your serviceURL, under your Secrets Manager resource, go to "Endpoints" on the left.
 Note: Use the url without the `/api` suffix that is presented in the UI.
 See here for a list of [publicly available endpoints](https://cloud.ibm.com/apidocs/secrets-manager#getting-started-endpoints).
@@ -51,13 +110,13 @@ See here for a list of [publicly available endpoints](https://cloud.ibm.com/apid
 ### Secret Types
 We support the following secret types of [IBM Secrets Manager](https://cloud.ibm.com/apidocs/secrets-manager):
 
-* `arbitrary`
+* `arbitrary` 
 * `username_password`
 * `iam_credentials`
 * `imported_cert`
 * `public_cert`
 * `private_cert`
-* `kv`
+* `kv` 
 
 To define the type of secret you would like to sync you need to prefix the secret id with the desired type. If the secret type is not specified it is defaulted to `arbitrary`:
 

docs/snippets/ibm-container-auth-volume.yaml

@@ -0,0 +1,22 @@
+...
+spec:
+  ...
+  template:
+    ...
+    spec:
+      containers:
+        ...
+        volumeMounts:
+        - mountPath: /var/run/secrets/tokens
+           name: sa-token
+      ...
+      volumes:
+      - name: sa-token
+        projected:
+          defaultMode: 420
+          sources:
+          - serviceAccountToken:
+              audience: iam
+              expirationSeconds: 3600
+              path: sa-token
+...

docs/snippets/ibm-secret-store.yaml

@@ -7,6 +7,10 @@ spec:
     ibm:
       serviceUrl: "https://SECRETS_MANAGER_ID.REGION.secrets-manager.appdomain.cloud"
       auth:
+        containerAuth:
+          profile: "test container auth profile"
+          tokenLocation: "/var/run/secrets/tokens/sa-token"
+          iamEndpoint: "https://iam.cloud.ibm.com"
         secretRef:
           secretApiKeySecretRef:
             name: ibm-secret

docs/spec.md

@@ -2615,6 +2615,69 @@ IBMAuthSecretRef
 <td>
 </td>
 </tr>
+<tr>
+<td>
+<code>containerAuth</code></br>
+<em>
+<a href="#external-secrets.io/v1beta1.IBMAuthContainerAuth">
+IBMAuthContainerAuth
+</a>
+</em>
+</td>
+<td>
+</td>
+</tr>
+</tbody>
+</table>
+<h3 id="external-secrets.io/v1beta1.IBMAuthContainerAuth">IBMAuthContainerAuth
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#external-secrets.io/v1beta1.IBMAuth">IBMAuth</a>)
+</p>
+<p>
+<p>IBM Container-based auth with IAM Trusted Profile.</p>
+</p>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>profile</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>the IBM Trusted Profile</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>tokenLocation</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Location the token is mounted on the pod</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>iamEndpoint</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+</td>
+</tr>
 </tbody>
 </table>
 <h3 id="external-secrets.io/v1beta1.IBMAuthSecretRef">IBMAuthSecretRef
@@ -2641,7 +2704,6 @@ github.com/external-secrets/external-secrets/apis/meta/v1.SecretKeySelector
 </em>
 </td>
 <td>
-<em>(Optional)</em>
 <p>The SecretAccessKey is used for authentication</p>
 </td>
 </tr>

pkg/provider/ibm/provider.go

@@ -17,6 +17,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"os"
 	"strconv"
 	"strings"
 	"time"
@@ -550,16 +551,29 @@ func (ibm *providerIBM) ValidateStore(store esv1beta1.GenericStore) error {
 	if ibmSpec.ServiceURL == nil {
 		return fmt.Errorf("serviceURL is required")
 	}
-	secretRef := ibmSpec.Auth.SecretRef.SecretAPIKey
-	err := utils.ValidateSecretSelector(store, secretRef)
-	if err != nil {
-		return err
-	}
-	if secretRef.Name == "" {
-		return fmt.Errorf("secretAPIKey.name cannot be empty")
-	}
-	if secretRef.Key == "" {
-		return fmt.Errorf("secretAPIKey.key cannot be empty")
+
+	containerRef := ibmSpec.Auth.ContainerAuth
+	secretKeyRef := ibmSpec.Auth.SecretRef.SecretAPIKey
+	if utils.IsNil(containerRef.Profile) || (containerRef.Profile == "") {
+		// proceed with API Key Auth validation
+		err := utils.ValidateSecretSelector(store, secretKeyRef)
+		if err != nil {
+			return err
+		}
+		if secretKeyRef.Name == "" {
+			return fmt.Errorf("secretAPIKey.name cannot be empty")
+		}
+		if secretKeyRef.Key == "" {
+			return fmt.Errorf("secretAPIKey.key cannot be empty")
+		}
+	} else {
+		// proceed with container auth
+		if containerRef.TokenLocation == "" {
+			containerRef.TokenLocation = "/var/run/secrets/tokens/vault-token"
+		}
+		if _, err := os.Open(containerRef.TokenLocation); err != nil {
+			return fmt.Errorf("cannot read container auth token %s. %w", containerRef.TokenLocation, err)
+		}
 	}
 	return nil
 }
@@ -575,16 +589,51 @@ func (ibm *providerIBM) NewClient(ctx context.Context, store esv1beta1.GenericSt
 		storeKind: store.GetObjectKind().GroupVersionKind().Kind,
 	}
 
-	if err := iStore.setAuth(ctx); err != nil {
-		return nil, err
-	}
+	var err error
+	var secretsManager *sm.SecretsManagerV1
+	containerAuthProfile := iStore.store.Auth.ContainerAuth.Profile
+	if containerAuthProfile != "" {
+		// container-based auth
+		containerAuthToken := iStore.store.Auth.ContainerAuth.TokenLocation
+		containerAuthEndpoint := iStore.store.Auth.ContainerAuth.IAMEndpoint
+
+		if containerAuthToken == "" {
+			// API default path
+			containerAuthToken = "/var/run/secrets/tokens/vault-token"
+		}
+		if containerAuthEndpoint == "" {
+			// API default path
+			containerAuthEndpoint = "https://iam.cloud.ibm.com"
+		}
 
-	secretsManager, err := sm.NewSecretsManagerV1(&sm.SecretsManagerV1Options{
-		URL: *storeSpec.Provider.IBM.ServiceURL,
-		Authenticator: &core.IamAuthenticator{
-			ApiKey: string(iStore.credentials),
-		},
-	})
+		authenticator, err := core.NewContainerAuthenticatorBuilder().
+			SetIAMProfileName(containerAuthProfile).
+			SetCRTokenFilename(containerAuthToken).
+			SetURL(containerAuthEndpoint).
+			Build()
+		if err != nil {
+			return nil, fmt.Errorf(errIBMClient, err)
+		}
+		secretsManager, err = sm.NewSecretsManagerV1(&sm.SecretsManagerV1Options{
+			URL:           *storeSpec.Provider.IBM.ServiceURL,
+			Authenticator: authenticator,
+		})
+		if err != nil {
+			return nil, fmt.Errorf(errIBMClient, err)
+		}
+	} else {
+		// API Key-based auth
+		if err := iStore.setAuth(ctx); err != nil {
+			return nil, err
+		}
+
+		secretsManager, err = sm.NewSecretsManagerV1(&sm.SecretsManagerV1Options{
+			URL: *storeSpec.Provider.IBM.ServiceURL,
+			Authenticator: &core.IamAuthenticator{
+				ApiKey: string(iStore.credentials),
+			},
+		})
+	}
 
 	// Setup retry options, but only if present
 	if storeSpec.RetrySettings != nil {

pkg/provider/ibm/provider_test.go

@@ -134,6 +134,8 @@ func TestValidateStore(t *testing.T) {
 	}
 	url := "my-url"
 	store.Spec.Provider.IBM.ServiceURL = &url
+	var nilProfile esv1beta1.IBMAuthContainerAuth
+	store.Spec.Provider.IBM.Auth.ContainerAuth = nilProfile
 	err = p.ValidateStore(store)
 	if err == nil {
 		t.Errorf(errExpectedErr)
@@ -150,6 +152,17 @@ func TestValidateStore(t *testing.T) {
 	} else if err.Error() != "namespace not allowed with namespaced SecretStore" {
 		t.Errorf("KeySelector test failed: expected namespace not allowed, got %v", err)
 	}
+
+	// add container auth test
+	store.Spec.Provider.IBM = &esv1beta1.IBMProvider{}
+	store.Spec.Provider.IBM.ServiceURL = &url
+	store.Spec.Provider.IBM.Auth.ContainerAuth.Profile = "Trusted IAM Profile"
+	store.Spec.Provider.IBM.Auth.ContainerAuth.TokenLocation = "/a/path/to/nowhere/that/should/exist"
+	err = p.ValidateStore(store)
+	expected := "cannot read container auth token"
+	if !ErrorContains(err, expected) {
+		t.Errorf("ProfileSelector test failed: %s, expected: '%s'", err.Error(), expected)
+	}
 }
 
 // test the sm<->gcp interface