common.go 4.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149
  1. /*
  2. Licensed under the Apache License, Version 2.0 (the "License");
  3. you may not use this file except in compliance with the License.
  4. You may obtain a copy of the License at
  5. http://www.apache.org/licenses/LICENSE-2.0
  6. Unless required by applicable law or agreed to in writing, software
  7. distributed under the License is distributed on an "AS IS" BASIS,
  8. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  9. See the License for the specific language governing permissions and
  10. limitations under the License.
  11. */
  12. package common
  13. import (
  14. "context"
  15. // nolint
  16. . "github.com/onsi/gomega"
  17. corev1 "k8s.io/api/core/v1"
  18. metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
  19. "github.com/external-secrets/external-secrets-e2e/framework"
  20. esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
  21. esmetav1 "github.com/external-secrets/external-secrets/apis/meta/v1"
  22. )
  23. const (
  24. WithReferencedIRSA = "with referenced IRSA"
  25. WithMountedIRSA = "with mounted IRSA"
  26. StaticCredentialsSecretName = "provider-secret"
  27. StaticReferentCredentialsSecretName = "referent-provider-secret"
  28. )
  29. func ReferencedIRSAStoreName(f *framework.Framework) string {
  30. return "irsa-ref-" + f.Namespace.Name
  31. }
  32. func MountedIRSAStoreName(f *framework.Framework) string {
  33. return "irsa-mounted-" + f.Namespace.Name
  34. }
  35. func UseClusterSecretStore(tc *framework.TestCase) {
  36. tc.ExternalSecret.Spec.SecretStoreRef.Kind = esv1beta1.ClusterSecretStoreKind
  37. tc.ExternalSecret.Spec.SecretStoreRef.Name = ReferencedIRSAStoreName(tc.Framework)
  38. }
  39. func UseMountedIRSAStore(tc *framework.TestCase) {
  40. tc.ExternalSecret.Spec.SecretStoreRef.Kind = esv1beta1.SecretStoreKind
  41. tc.ExternalSecret.Spec.SecretStoreRef.Name = MountedIRSAStoreName(tc.Framework)
  42. }
  43. const (
  44. StaticStoreName = "aws-static-creds"
  45. staticKeyID = "kid"
  46. staticSecretAccessKey = "sak"
  47. staticySessionToken = "st"
  48. )
  49. func newStaticStoreProvider(serviceType esv1beta1.AWSServiceType, region, secretName string) *esv1beta1.SecretStoreProvider {
  50. return &esv1beta1.SecretStoreProvider{
  51. AWS: &esv1beta1.AWSProvider{
  52. Service: serviceType,
  53. Region: region,
  54. Auth: esv1beta1.AWSAuth{
  55. SecretRef: &esv1beta1.AWSAuthSecretRef{
  56. AccessKeyID: esmetav1.SecretKeySelector{
  57. Name: StaticReferentCredentialsSecretName,
  58. Key: staticKeyID,
  59. },
  60. SecretAccessKey: esmetav1.SecretKeySelector{
  61. Name: StaticReferentCredentialsSecretName,
  62. Key: staticSecretAccessKey,
  63. },
  64. SessionToken: &esmetav1.SecretKeySelector{
  65. Name: StaticReferentCredentialsSecretName,
  66. Key: staticySessionToken,
  67. },
  68. },
  69. },
  70. },
  71. }
  72. }
  73. // StaticStore is namespaced and references
  74. // static credentials from a secret.
  75. func SetupStaticStore(f *framework.Framework, kid, sak, st, region string, serviceType esv1beta1.AWSServiceType) {
  76. awsCreds := &corev1.Secret{
  77. ObjectMeta: metav1.ObjectMeta{
  78. Name: StaticCredentialsSecretName,
  79. Namespace: f.Namespace.Name,
  80. },
  81. StringData: map[string]string{
  82. staticKeyID: kid,
  83. staticSecretAccessKey: sak,
  84. staticySessionToken: st,
  85. },
  86. }
  87. err := f.CRClient.Create(context.Background(), awsCreds)
  88. Expect(err).ToNot(HaveOccurred())
  89. secretStore := &esv1beta1.SecretStore{
  90. ObjectMeta: metav1.ObjectMeta{
  91. Name: StaticStoreName,
  92. Namespace: f.Namespace.Name,
  93. },
  94. Spec: esv1beta1.SecretStoreSpec{
  95. Provider: newStaticStoreProvider(serviceType, region, StaticCredentialsSecretName),
  96. },
  97. }
  98. err = f.CRClient.Create(context.Background(), secretStore)
  99. Expect(err).ToNot(HaveOccurred())
  100. }
  101. // CreateReferentStaticStore creates a CSS with referent auth and
  102. // creates a secret with static authentication credentials in the ExternalSecret namespace.
  103. func CreateReferentStaticStore(f *framework.Framework, kid, sak, st, region string, serviceType esv1beta1.AWSServiceType) {
  104. ns := f.Namespace.Name
  105. awsCreds := &corev1.Secret{
  106. ObjectMeta: metav1.ObjectMeta{
  107. Name: StaticReferentCredentialsSecretName,
  108. Namespace: ns,
  109. },
  110. StringData: map[string]string{
  111. staticKeyID: kid,
  112. staticSecretAccessKey: sak,
  113. staticySessionToken: st,
  114. },
  115. }
  116. err := f.CRClient.Create(context.Background(), awsCreds)
  117. Expect(err).ToNot(HaveOccurred())
  118. secretStore := &esv1beta1.ClusterSecretStore{
  119. ObjectMeta: metav1.ObjectMeta{
  120. Name: ReferentSecretStoreName(f),
  121. },
  122. Spec: esv1beta1.SecretStoreSpec{
  123. Provider: newStaticStoreProvider(serviceType, region, StaticReferentCredentialsSecretName),
  124. },
  125. }
  126. err = f.CRClient.Create(context.Background(), secretStore)
  127. Expect(err).ToNot(HaveOccurred())
  128. }
  129. func ReferentSecretStoreName(f *framework.Framework) string {
  130. return "referent-auth" + f.Namespace.Name
  131. }