From 6d6bb0d85bc4ba1f0fe9bbf6e59a34e3aa376bde Mon Sep 17 00:00:00 2001
From: dnitsch
Date: Thu, 29 Sep 2022 11:05:35 +0100
Subject: [PATCH] fix: add KMSKeyId option to AWS Secrets Manager - signed (#227)
---
 .gitignore | 2 ++
 README.md | 1 +
 api/v1alpha1/secretagentconfiguration_types.go | 1 +
 ...ent.secrets.forgerock.io_secretagentconfigurations.yaml | 2 ++
 pkg/secretsmanager/secretsmanager.go | 7 ++++++-
 5 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/.gitignore b/.gitignore
index 41f4d3f..d56feef 100644
--- a/.gitignore
+++ b/.gitignore
@@ -31,3 +31,5 @@ testConfiguration2.yaml
 secret-agent.yaml
 secret-agent-ha.yaml
+# vendor
+vendor/
\ No newline at end of file
diff --git a/README.md b/README.md
index 0545303..67efb52 100644
--- a/README.md
+++ b/README.md
@@ -294,6 +294,7 @@ Parameter | Description | Default
 `spec.appConfig.credentialsSecretName` | Name of the Kubernetes secret containing the credentials to access the cloud provider. | ""
 `spec.appConfig.gcpProjectID` | When using GCP as the secret mgr, specify the project ID. | ""
 `spec.appConfig.awsRegion` | When using AWS as the secret mgr, specify the region. | ""
+`spec.appConfig.awsKmsKeyId` | When using AWS as the secret mgr, you can specifiy the KMS Key Id else will use the default AWS managed KMS key, which poses some limitations on the secret. | ""
 `spec.appConfig.azureVaultName` | When using Azure as the secret mgr, specify the vault name. | ""
 `spec.secrets` | List of Kubernetes secrets to create. See [Secret Config](#secret-config). | []
 
diff --git a/api/v1alpha1/secretagentconfiguration_types.go b/api/v1alpha1/secretagentconfiguration_types.go
index 09826c9..485f183 100644
--- a/api/v1alpha1/secretagentconfiguration_types.go
+++ b/api/v1alpha1/secretagentconfiguration_types.go
@@ -189,6 +189,7 @@ type AppConfig struct {
 CredentialsSecretName string `json:"credentialsSecretName,omitempty"`
 GCPProjectID string `json:"gcpProjectID,omitempty"`
 AWSRegion string `json:"awsRegion,omitempty"`
+AWSKmsKeyId string `json:"awsKmsKeyId,omitempty"`
 AzureVaultName string `json:"azureVaultName,omitempty"`
 // Optional timeout value to generate a individual secret. Defaults to 40
diff --git a/config/crd/bases/secret-agent.secrets.forgerock.io_secretagentconfigurations.yaml b/config/crd/bases/secret-agent.secrets.forgerock.io_secretagentconfigurations.yaml
index fb281ad..42ee573 100644
--- a/config/crd/bases/secret-agent.secrets.forgerock.io_secretagentconfigurations.yaml
+++ b/config/crd/bases/secret-agent.secrets.forgerock.io_secretagentconfigurations.yaml
@@ -67,6 +67,8 @@ spec:
 description: AppConfig is the configuration for the forgeops-secrets
 application
 properties:
+awsKmsKeyId:
+type: string
 awsRegion:
 type: string
 azureVaultName:
diff --git a/pkg/secretsmanager/secretsmanager.go b/pkg/secretsmanager/secretsmanager.go
index d09442f..8c6e013 100644
--- a/pkg/secretsmanager/secretsmanager.go
+++ b/pkg/secretsmanager/secretsmanager.go
@@ -55,7 +55,7 @@ type SecretManager interface {
 CloseClient()
 }
 
-// secretManagerGCP container for GCP secret manager properties
+// secretManagerGCP container for GCP secret manager properties
 type secretManagerGCP struct {
 client *secretmanager.Client
 secretsManagerPrefix string
@@ -68,6 +68,7 @@ type secretManagerAWS struct {
 region string
 secretsManagerPrefix string
 cancel context.CancelFunc
+config v1alpha1.AppConfig
 }
 
 // secretManagerAzure container for Azure secret manager properties
@@ -240,6 +241,7 @@ func newAWS(config *v1alpha1.AppConfig, rClient client.Client, cloudCredNS strin
 client: client,
 secretsManagerPrefix: config.SecretsManagerPrefix,
 region: config.AWSRegion,
+config: *config,
 // cancel: cancel,
 }, nil
 }
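Review bot: The new `AWSKmsKeyId` field in AppConfig has no doc comment, and the generated CRD hunk further down this line shows `awsKmsKeyId:` with only `type: string` and no `description:`, so CRD users get no hint of what value is expected. A comment such as `// AWSKmsKeyId is the KMS key (key ID, key ARN or alias) used to encrypt secrets created in AWS Secrets Manager; empty selects the default AWS-managed key.` would document both the Go type and, via controller-gen, the CRD schema. The Go initialism convention would spell the field `AWSKMSKeyID`, which can be applied without touching the `awsKmsKeyId` JSON tag that is the public API. The AppConfig struct starts before this hunk and ends after it.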
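Review bot: The `config v1alpha1.AppConfig` field added to secretManagerAWS stores a full copy of AppConfig next to `region` and `secretsManagerPrefix`, which were already copied out of the same config, so the struct now carries those values twice plus every other AppConfig setting (credentials secret name, GCP and Azure fields) that the AWS client never reads. A single `kmsKeyID string` field, set in the @@ -240 hunk as `kmsKeyID: config.AWSKmsKeyId,`, keeps the struct consistent with the existing per-field style; the EnsureSecret hunk would then read `sm.kmsKeyID`. The secretManagerAWS struct and newAWS both start before their respective hunks.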
@@ -430,6 +432,9 @@ func (sm *secretManagerAWS) EnsureSecret(ctx context.Context, secretName string,
 input := &awssecretsmanager.CreateSecretInput{
 Name: aws.String(secretID),
 }
+if sm.config.AWSKmsKeyId != "" {
+input.KmsKeyId = aws.String(sm.config.AWSKmsKeyId)
+}
 _, err = sm.client.CreateSecret(input)
 if err != nil {
 return errors.WithStack(err)
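Review bot: The KMS key is applied only to `CreateSecretInput`, so a secret that already exists in AWS Secrets Manager keeps whatever key it was created with, and the update path of EnsureSecret (outside this hunk) will not move it to the configured key. If re-keying existing secrets is intended, `UpdateSecretInput` also carries a `KmsKeyId` field; if it is not, the README entry should state that the key only affects newly created secrets. Worth a comment here for operators: with a customer-managed key the agent's IAM principal additionally needs `kms:GenerateDataKey` and `kms:Decrypt` on that key, otherwise CreateSecret fails and the cause surfaces only through the wrapped `errors.WithStack(err)` below. EnsureSecret starts before this hunk and continues after it.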