Home Esplora Aiuto
Accedi
logic855
/
helm-external-secrets
mirror da https://github.com/external-secrets/external-secrets
1
0
Forka 0
File Problemi 0 Wiki
Albero (Tree): 86d7710727
Rami (Branch) Tag
helm-externa...
/
e2e
/
suite
/
aws
/
provider.go

provider.go 7.0 KB
Cronologia Originale

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6.     http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. 

  15. package aws
    16. 

  16. 

  17. import (
    18. 

  18. 	"context"
    19. 

  19. 	"os"
    20. 

  20. 	"time"
    21. 

  21. 

  22. 	"github.com/aws/aws-sdk-go/aws"
    23. 

  23. 	"github.com/aws/aws-sdk-go/aws/credentials"
    24. 

  24. 	"github.com/aws/aws-sdk-go/aws/session"
    25. 

  25. 	"github.com/aws/aws-sdk-go/service/secretsmanager"
    26. 

  26. 

  27. 	//nolint
    28. 

  28. 	. "github.com/onsi/ginkgo/v2"
    29. 

  29. 

  30. 	// nolint
    31. 

  31. 	. "github.com/onsi/gomega"
    32. 

  32. 	v1 "k8s.io/api/core/v1"
    33. 

  33. 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    34. 

  34. 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
    35. 

  35. 

  36. 	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
    37. 

  37. 	esmetav1 "github.com/external-secrets/external-secrets/apis/meta/v1"
    38. 

  38. 	"github.com/external-secrets/external-secrets/e2e/framework"
    39. 

  39. 	"github.com/external-secrets/external-secrets/e2e/framework/log"
    40. 

  40. )
    41. 

  41. 

  42. type SMProvider struct {
    43. 

  43. 	ServiceAccountName      string
    44. 

  44. 	ServiceAccountNamespace string
    45. 

  45. 

  46. 	kid       string
    47. 

  47. 	sak       string
    48. 

  48. 	region    string
    49. 

  49. 	client    *secretsmanager.SecretsManager
    50. 

  50. 	framework *framework.Framework
    51. 

  51. }
    52. 

  52. 

  53. const (
    54. 

  54. 	staticCredentialsSecretName = "provider-secret"
    55. 

  55. )
    56. 

  56. 

  57. func NewSMProvider(f *framework.Framework, kid, sak, region, saName, saNamespace string) *SMProvider {
    58. 

  58. 	sess, err := session.NewSessionWithOptions(session.Options{
    59. 

  59. 		Config: aws.Config{
    60. 

  60. 			Credentials: credentials.NewStaticCredentials(kid, sak, ""),
    61. 

  61. 			Region:      aws.String(region),
    62. 

  62. 		},
    63. 

  63. 	})
    64. 

  64. 	if err != nil {
    65. 

  65. 		Fail(err.Error())
    66. 

  66. 	}
    67. 

  67. 	sm := secretsmanager.New(sess)
    68. 

  68. 	prov := &SMProvider{
    69. 

  69. 		ServiceAccountName:      saName,
    70. 

  70. 		ServiceAccountNamespace: saNamespace,
    71. 

  71. 		kid:                     kid,
    72. 

  72. 		sak:                     sak,
    73. 

  73. 		region:                  region,
    74. 

  74. 		client:                  sm,
    75. 

  75. 		framework:               f,
    76. 

  76. 	}
    77. 

  77. 

  78. 	BeforeEach(func() {
    79. 

  79. 		prov.SetupStaticStore()
    80. 

  80. 		prov.SetupReferencedIRSAStore()
    81. 

  81. 		prov.SetupMountedIRSAStore()
    82. 

  82. 	})
    83. 

  83. 

  84. 	AfterEach(func() {
    85. 

  85. 		// Cleanup ClusterSecretStore
    86. 

  86. 		err := prov.framework.CRClient.Delete(context.Background(), &esv1alpha1.ClusterSecretStore{
    87. 

  87. 			ObjectMeta: metav1.ObjectMeta{
    88. 

  88. 				Name: prov.ReferencedIRSAStoreName(),
    89. 

  89. 			},
    90. 

  90. 		})
    91. 

  91. 		Expect(err).ToNot(HaveOccurred())
    92. 

  92. 	})
    93. 

  93. 

  94. 	return prov
    95. 

  95. }
    96. 

  96. 

  97. func NewFromEnv(f *framework.Framework) *SMProvider {
    98. 

  98. 	kid := os.Getenv("AWS_ACCESS_KEY_ID")
    99. 

  99. 	sak := os.Getenv("AWS_SECRET_ACCESS_KEY")
    100. 

  100. 	region := "eu-west-1"
    101. 

  101. 	saName := os.Getenv("AWS_SA_NAME")
    102. 

  102. 	saNamespace := os.Getenv("AWS_SA_NAMESPACE")
    103. 

  103. 	return NewSMProvider(f, kid, sak, region, saName, saNamespace)
    104. 

  104. }
    105. 

  105. 

  106. // CreateSecret creates a secret at the provider.
    107. 

  107. func (s *SMProvider) CreateSecret(key, val string) {
    108. 

  108. 	// we re-use some secret names throughout our test suite
    109. 

  109. 	// due to the fact that there is a short delay before the secret is actually deleted
    110. 

  110. 	// we have to retry creating the secret
    111. 

  111. 	attempts := 20
    112. 

  112. 	for {
    113. 

  113. 		log.Logf("creating secret %s / attempts left: %d", key, attempts)
    114. 

  114. 		_, err := s.client.CreateSecret(&secretsmanager.CreateSecretInput{
    115. 

  115. 			Name:         aws.String(key),
    116. 

  116. 			SecretString: aws.String(val),
    117. 

  117. 		})
    118. 

  118. 		if err == nil {
    119. 

  119. 			return
    120. 

  120. 		}
    121. 

  121. 		attempts--
    122. 

  122. 		if attempts < 0 {
    123. 

  123. 			Fail("unable to create secret: " + err.Error())
    124. 

  124. 		}
    125. 

  125. 		<-time.After(time.Second * 5)
    126. 

  126. 	}
    127. 

  127. }
    128. 

  128. 

  129. // DeleteSecret deletes a secret at the provider.
    130. 

  130. // There may be a short delay between calling this function
    131. 

  131. // and the removal of the secret on the provider side.
    132. 

  132. func (s *SMProvider) DeleteSecret(key string) {
    133. 

  133. 	log.Logf("deleting secret %s", key)
    134. 

  134. 	_, err := s.client.DeleteSecret(&secretsmanager.DeleteSecretInput{
    135. 

  135. 		SecretId:                   aws.String(key),
    136. 

  136. 		ForceDeleteWithoutRecovery: aws.Bool(true),
    137. 

  137. 	})
    138. 

  138. 	Expect(err).ToNot(HaveOccurred())
    139. 

  139. }
    140. 

  140. 

  141. // MountedIRSAStore is a SecretStore without auth config
    142. 

  142. // ESO relies on the pod-mounted ServiceAccount when using this store.
    143. 

  143. func (s *SMProvider) SetupMountedIRSAStore() {
    144. 

  144. 	secretStore := &esv1alpha1.SecretStore{
    145. 

  145. 		ObjectMeta: metav1.ObjectMeta{
    146. 

  146. 			Name:      s.MountedIRSAStoreName(),
    147. 

  147. 			Namespace: s.framework.Namespace.Name,
    148. 

  148. 		},
    149. 

  149. 		Spec: esv1alpha1.SecretStoreSpec{
    150. 

  150. 			Provider: &esv1alpha1.SecretStoreProvider{
    151. 

  151. 				AWS: &esv1alpha1.AWSProvider{
    152. 

  152. 					Service: esv1alpha1.AWSServiceSecretsManager,
    153. 

  153. 					Region:  s.region,
    154. 

  154. 					Auth:    esv1alpha1.AWSAuth{},
    155. 

  155. 				},
    156. 

  156. 			},
    157. 

  157. 		},
    158. 

  158. 	}
    159. 

  159. 	err := s.framework.CRClient.Create(context.Background(), secretStore)
    160. 

  160. 	Expect(err).ToNot(HaveOccurred())
    161. 

  161. }
    162. 

  162. 

  163. func (s *SMProvider) MountedIRSAStoreName() string {
    164. 

  164. 	return "irsa-mounted-" + s.framework.Namespace.Name
    165. 

  165. }
    166. 

  166. 

  167. // ReferncedIRSAStore is a ClusterStore
    168. 

  168. // that references a (IRSA-) ServiceAccount in the default namespace.
    169. 

  169. func (s *SMProvider) SetupReferencedIRSAStore() {
    170. 

  170. 	log.Logf("creating IRSA ClusterSecretStore %s", s.framework.Namespace.Name)
    171. 

  171. 	secretStore := &esv1alpha1.ClusterSecretStore{
    172. 

  172. 		ObjectMeta: metav1.ObjectMeta{
    173. 

  173. 			Name: s.ReferencedIRSAStoreName(),
    174. 

  174. 		},
    175. 

  175. 	}
    176. 

  176. 	_, err := controllerutil.CreateOrUpdate(context.Background(), s.framework.CRClient, secretStore, func() error {
    177. 

  177. 		secretStore.Spec.Provider = &esv1alpha1.SecretStoreProvider{
    178. 

  178. 			AWS: &esv1alpha1.AWSProvider{
    179. 

  179. 				Service: esv1alpha1.AWSServiceSecretsManager,
    180. 

  180. 				Region:  s.region,
    181. 

  181. 				Auth: esv1alpha1.AWSAuth{
    182. 

  182. 					JWTAuth: &esv1alpha1.AWSJWTAuth{
    183. 

  183. 						ServiceAccountRef: &esmetav1.ServiceAccountSelector{
    184. 

  184. 							Name:      s.ServiceAccountName,
    185. 

  185. 							Namespace: &s.ServiceAccountNamespace,
    186. 

  186. 						},
    187. 

  187. 					},
    188. 

  188. 				},
    189. 

  189. 			},
    190. 

  190. 		}
    191. 

  191. 		return nil
    192. 

  192. 	})
    193. 

  193. 	Expect(err).ToNot(HaveOccurred())
    194. 

  194. }
    195. 

  195. 

  196. func (s *SMProvider) ReferencedIRSAStoreName() string {
    197. 

  197. 	return "irsa-ref-" + s.framework.Namespace.Name
    198. 

  198. }
    199. 

  199. 

  200. // StaticStore is namespaced and references
    201. 

  201. // static credentials from a secret.
    202. 

  202. func (s *SMProvider) SetupStaticStore() {
    203. 

  203. 	awsCreds := &v1.Secret{
    204. 

  204. 		ObjectMeta: metav1.ObjectMeta{
    205. 

  205. 			Name:      staticCredentialsSecretName,
    206. 

  206. 			Namespace: s.framework.Namespace.Name,
    207. 

  207. 		},
    208. 

  208. 		StringData: map[string]string{
    209. 

  209. 			"kid": s.kid,
    210. 

  210. 			"sak": s.sak,
    211. 

  211. 		},
    212. 

  212. 	}
    213. 

  213. 	err := s.framework.CRClient.Create(context.Background(), awsCreds)
    214. 

  214. 	Expect(err).ToNot(HaveOccurred())
    215. 

  215. 

  216. 	secretStore := &esv1alpha1.SecretStore{
    217. 

  217. 		ObjectMeta: metav1.ObjectMeta{
    218. 

  218. 			Name:      s.framework.Namespace.Name,
    219. 

  219. 			Namespace: s.framework.Namespace.Name,
    220. 

  220. 		},
    221. 

  221. 		Spec: esv1alpha1.SecretStoreSpec{
    222. 

  222. 			Provider: &esv1alpha1.SecretStoreProvider{
    223. 

  223. 				AWS: &esv1alpha1.AWSProvider{
    224. 

  224. 					Service: esv1alpha1.AWSServiceSecretsManager,
    225. 

  225. 					Region:  s.region,
    226. 

  226. 					Auth: esv1alpha1.AWSAuth{
    227. 

  227. 						SecretRef: &esv1alpha1.AWSAuthSecretRef{
    228. 

  228. 							AccessKeyID: esmetav1.SecretKeySelector{
    229. 

  229. 								Name: staticCredentialsSecretName,
    230. 

  230. 								Key:  "kid",
    231. 

  231. 							},
    232. 

  232. 							SecretAccessKey: esmetav1.SecretKeySelector{
    233. 

  233. 								Name: staticCredentialsSecretName,
    234. 

  234. 								Key:  "sak",
    235. 

  235. 							},
    236. 

  236. 						},
    237. 

  237. 					},
    238. 

  238. 				},
    239. 

  239. 			},
    240. 

  240. 		},
    241. 

  241. 	}
    242. 

  242. 	err = s.framework.CRClient.Create(context.Background(), secretStore)
    243. 

  243. 	Expect(err).ToNot(HaveOccurred())
    244. 

  244. }
    245.