Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: 95080340ba
Branches Tags
helm-externa...
/
e2e
/
suites
/
provider
/
cases
/
aws
/
secretsmanager
/
provider.go

provider.go 6.7 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6.     http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. 

  15. package aws
    16. 

  16. 

  17. import (
    18. 

  18. 	"context"
    19. 

  19. 	"errors"
    20. 

  20. 	"os"
    21. 

  21. 	"time"
    22. 

  22. 

  23. 	"github.com/aws/aws-sdk-go/aws"
    24. 

  24. 	"github.com/aws/aws-sdk-go/aws/credentials"
    25. 

  25. 	"github.com/aws/aws-sdk-go/aws/session"
    26. 

  26. 	"github.com/aws/aws-sdk-go/service/secretsmanager"
    27. 

  27. 

  28. 	//nolint
    29. 

  29. 	. "github.com/onsi/ginkgo/v2"
    30. 

  30. 

  31. 	// nolint
    32. 

  32. 	. "github.com/onsi/gomega"
    33. 

  33. 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    34. 

  34. 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
    35. 

  35. 

  36. 	"github.com/external-secrets/external-secrets-e2e/framework"
    37. 

  37. 	"github.com/external-secrets/external-secrets-e2e/framework/log"
    38. 

  38. 	awscommon "github.com/external-secrets/external-secrets-e2e/suites/provider/cases/aws"
    39. 

  39. 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
    40. 

  40. 	esmetav1 "github.com/external-secrets/external-secrets/apis/meta/v1"
    41. 

  41. )
    42. 

  42. 

  43. type Provider struct {
    44. 

  44. 	ServiceAccountName      string
    45. 

  45. 	ServiceAccountNamespace string
    46. 

  46. 

  47. 	region    string
    48. 

  48. 	client    *secretsmanager.SecretsManager
    49. 

  49. 	framework *framework.Framework
    50. 

  50. }
    51. 

  51. 

  52. func NewProvider(f *framework.Framework, kid, sak, st, region, saName, saNamespace string) *Provider {
    53. 

  53. 	sess, err := session.NewSessionWithOptions(session.Options{
    54. 

  54. 		Config: aws.Config{
    55. 

  55. 			Credentials: credentials.NewStaticCredentials(kid, sak, st),
    56. 

  56. 			Region:      aws.String(region),
    57. 

  57. 		},
    58. 

  58. 	})
    59. 

  59. 	if err != nil {
    60. 

  60. 		Fail(err.Error())
    61. 

  61. 	}
    62. 

  62. 	sm := secretsmanager.New(sess)
    63. 

  63. 	prov := &Provider{
    64. 

  64. 		ServiceAccountName:      saName,
    65. 

  65. 		ServiceAccountNamespace: saNamespace,
    66. 

  66. 		region:                  region,
    67. 

  67. 		client:                  sm,
    68. 

  68. 		framework:               f,
    69. 

  69. 	}
    70. 

  70. 

  71. 	BeforeEach(func() {
    72. 

  72. 		awscommon.SetupStaticStore(f, awscommon.AccessOpts{KID: kid, SAK: sak, ST: st, Region: region}, esv1.AWSServiceSecretsManager)
    73. 

  73. 		awscommon.SetupExternalIDStore(
    74. 

  74. 			f,
    75. 

  75. 			awscommon.AccessOpts{KID: kid, SAK: sak, ST: st, Region: region, Role: awscommon.IAMRoleExternalID},
    76. 

  76. 			awscommon.IAMTrustedExternalID,
    77. 

  77. 			nil,
    78. 

  78. 			esv1.AWSServiceSecretsManager,
    79. 

  79. 		)
    80. 

  80. 		awscommon.SetupSessionTagsStore(
    81. 

  81. 			f,
    82. 

  82. 			awscommon.AccessOpts{KID: kid, SAK: sak, ST: st, Region: region, Role: awscommon.IAMRoleSessionTags},
    83. 

  83. 			nil,
    84. 

  84. 			esv1.AWSServiceSecretsManager,
    85. 

  85. 		)
    86. 

  86. 		awscommon.CreateReferentStaticStore(f, awscommon.AccessOpts{KID: kid, SAK: sak, ST: st, Region: region}, esv1.AWSServiceSecretsManager)
    87. 

  87. 		prov.SetupReferencedIRSAStore()
    88. 

  88. 		prov.SetupMountedIRSAStore()
    89. 

  89. 	})
    90. 

  90. 

  91. 	AfterEach(func() {
    92. 

  92. 		prov.TeardownReferencedIRSAStore()
    93. 

  93. 		prov.TeardownMountedIRSAStore()
    94. 

  94. 	})
    95. 

  95. 

  96. 	return prov
    97. 

  97. }
    98. 

  98. 

  99. func NewFromEnv(f *framework.Framework) *Provider {
    100. 

  100. 	kid := os.Getenv("AWS_ACCESS_KEY_ID")
    101. 

  101. 	sak := os.Getenv("AWS_SECRET_ACCESS_KEY")
    102. 

  102. 	st := os.Getenv("AWS_SESSION_TOKEN")
    103. 

  103. 	region := os.Getenv("AWS_REGION")
    104. 

  104. 	saName := os.Getenv("AWS_SA_NAME")
    105. 

  105. 	saNamespace := os.Getenv("AWS_SA_NAMESPACE")
    106. 

  106. 	return NewProvider(f, kid, sak, st, region, saName, saNamespace)
    107. 

  107. }
    108. 

  108. 

  109. // CreateSecret creates a secret at the provider.
    110. 

  110. func (s *Provider) CreateSecret(key string, val framework.SecretEntry) {
    111. 

  111. 	smTags := make([]*secretsmanager.Tag, 0)
    112. 

  112. 	for k, v := range val.Tags {
    113. 

  113. 		smTags = append(smTags, &secretsmanager.Tag{
    114. 

  114. 			Key:   aws.String(k),
    115. 

  115. 			Value: aws.String(v),
    116. 

  116. 		})
    117. 

  117. 	}
    118. 

  118. 

  119. 	// we re-use some secret names throughout our test suite
    120. 

  120. 	// due to the fact that there is a short delay before the secret is actually deleted
    121. 

  121. 	// we have to retry creating the secret
    122. 

  122. 	attempts := 20
    123. 

  123. 	for {
    124. 

  124. 		log.Logf("creating secret %s / attempts left: %d", key, attempts)
    125. 

  125. 		_, err := s.client.CreateSecret(&secretsmanager.CreateSecretInput{
    126. 

  126. 			Name:         aws.String(key),
    127. 

  127. 			SecretString: aws.String(val.Value),
    128. 

  128. 			Tags:         smTags,
    129. 

  129. 		})
    130. 

  130. 		if err == nil {
    131. 

  131. 			return
    132. 

  132. 		}
    133. 

  133. 		attempts--
    134. 

  134. 		if attempts < 0 {
    135. 

  135. 			Fail("unable to create secret: " + err.Error())
    136. 

  136. 		}
    137. 

  137. 		<-time.After(time.Second * 5)
    138. 

  138. 	}
    139. 

  139. }
    140. 

  140. 

  141. // DeleteSecret deletes a secret at the provider.
    142. 

  142. // There may be a short delay between calling this function
    143. 

  143. // and the removal of the secret on the provider side.
    144. 

  144. func (s *Provider) DeleteSecret(key string) {
    145. 

  145. 	log.Logf("deleting secret %s", key)
    146. 

  146. 	_, err := s.client.DeleteSecret(&secretsmanager.DeleteSecretInput{
    147. 

  147. 		SecretId:                   aws.String(key),
    148. 

  148. 		ForceDeleteWithoutRecovery: aws.Bool(true),
    149. 

  149. 	})
    150. 

  150. 	var nf *secretsmanager.ResourceNotFoundException
    151. 

  151. 	if errors.As(err, &nf) {
    152. 

  152. 		return
    153. 

  153. 	}
    154. 

  154. 	Expect(err).ToNot(HaveOccurred())
    155. 

  155. }
    156. 

  156. 

  157. // MountedIRSAStore is a SecretStore without auth config
    158. 

  158. // ESO relies on the pod-mounted ServiceAccount when using this store.
    159. 

  159. func (s *Provider) SetupMountedIRSAStore() {
    160. 

  160. 	secretStore := &esv1.SecretStore{
    161. 

  161. 		ObjectMeta: metav1.ObjectMeta{
    162. 

  162. 			Name:      awscommon.MountedIRSAStoreName(s.framework),
    163. 

  163. 			Namespace: s.framework.Namespace.Name,
    164. 

  164. 		},
    165. 

  165. 		Spec: esv1.SecretStoreSpec{
    166. 

  166. 			Provider: &esv1.SecretStoreProvider{
    167. 

  167. 				AWS: &esv1.AWSProvider{
    168. 

  168. 					Service: esv1.AWSServiceSecretsManager,
    169. 

  169. 					Region:  s.region,
    170. 

  170. 					Auth:    esv1.AWSAuth{},
    171. 

  171. 				},
    172. 

  172. 			},
    173. 

  173. 		},
    174. 

  174. 	}
    175. 

  175. 	err := s.framework.CRClient.Create(context.Background(), secretStore)
    176. 

  176. 	Expect(err).ToNot(HaveOccurred())
    177. 

  177. }
    178. 

  178. 

  179. func (s *Provider) TeardownMountedIRSAStore() {
    180. 

  180. 	s.framework.CRClient.Delete(context.Background(), &esv1.ClusterSecretStore{
    181. 

  181. 		ObjectMeta: metav1.ObjectMeta{
    182. 

  182. 			Name: awscommon.MountedIRSAStoreName(s.framework),
    183. 

  183. 		},
    184. 

  184. 	})
    185. 

  185. }
    186. 

  186. 

  187. // ReferncedIRSAStore is a ClusterStore
    188. 

  188. // that references a (IRSA-) ServiceAccount in the default namespace.
    189. 

  189. func (s *Provider) SetupReferencedIRSAStore() {
    190. 

  190. 	log.Logf("creating IRSA ClusterSecretStore %s", s.framework.Namespace.Name)
    191. 

  191. 	secretStore := &esv1.ClusterSecretStore{
    192. 

  192. 		ObjectMeta: metav1.ObjectMeta{
    193. 

  193. 			Name: awscommon.ReferencedIRSAStoreName(s.framework),
    194. 

  194. 		},
    195. 

  195. 	}
    196. 

  196. 	_, err := controllerutil.CreateOrUpdate(context.Background(), s.framework.CRClient, secretStore, func() error {
    197. 

  197. 		secretStore.Spec.Provider = &esv1.SecretStoreProvider{
    198. 

  198. 			AWS: &esv1.AWSProvider{
    199. 

  199. 				Service: esv1.AWSServiceSecretsManager,
    200. 

  200. 				Region:  s.region,
    201. 

  201. 				Auth: esv1.AWSAuth{
    202. 

  202. 					JWTAuth: &esv1.AWSJWTAuth{
    203. 

  203. 						ServiceAccountRef: &esmetav1.ServiceAccountSelector{
    204. 

  204. 							Name:      s.ServiceAccountName,
    205. 

  205. 							Namespace: &s.ServiceAccountNamespace,
    206. 

  206. 						},
    207. 

  207. 					},
    208. 

  208. 				},
    209. 

  209. 			},
    210. 

  210. 		}
    211. 

  211. 		return nil
    212. 

  212. 	})
    213. 

  213. 	Expect(err).ToNot(HaveOccurred())
    214. 

  214. }
    215. 

  215. 

  216. func (s *Provider) TeardownReferencedIRSAStore() {
    217. 

  217. 	s.framework.CRClient.Delete(context.Background(), &esv1.ClusterSecretStore{
    218. 

  218. 		ObjectMeta: metav1.ObjectMeta{
    219. 

  219. 			Name: awscommon.ReferencedIRSAStoreName(s.framework),
    220. 

  220. 		},
    221. 

  221. 	})
    222. 

  222. }
    223.