This is an automated email from the ASF dual-hosted git repository. acosentino pushed a commit to branch 4743 in repository https://gitbox.apache.org/repos/asf/camel-k.git
commit 389fd1404d76ba10631bb9f60e1ec67f270793d7
Author: Andrea Cosentino <anco...@gmail.com>
AuthorDate: Wed Oct 4 14:15:48 2023 +0200
Kamelet - Inject secret in Vaults - AWS Secret Manager
Signed-off-by: Andrea Cosentino <anco...@gmail.com>
---
addons/vault/aws/aws_secrets_manager.go | 26 ++++++++++++++++----
addons/vault/aws/aws_secrets_manager_test.go | 22 +++++++++++++++++
docs/modules/traits/pages/aws-secrets-manager.adoc | 8 +++++--
resources/traits.yaml | 28 ++++++++++++++++++++--
4 files changed, 76 insertions(+), 8 deletions(-)
diff --git a/addons/vault/aws/aws_secrets_manager.go b/addons/vault/aws/aws_secrets_manager.go
index 8ad20e026..87dd892c2 100644
--- a/addons/vault/aws/aws_secrets_manager.go
+++ b/addons/vault/aws/aws_secrets_manager.go
@@ -18,6 +18,7 @@ limitations under the License.
 package aws
 import (
+ "regexp"
 "strconv"
 v1 "github.com/apache/camel-k/v2/pkg/apis/camel/v1"
@@ -46,9 +47,13 @@ type Trait struct {
 traitv1.Trait `property:",squash"`
 // Enables automatic configuration of the trait.
 Auto *bool `property:"auto" json:"auto,omitempty"`
- // The AWS Access Key to use
+ // The AWS Access Key to use. This could be a plain text or a configmap/secret
+ // The content of the aws access key is expected to be a text containing a valid AWS access key.
+ // Syntax: [configmap|secret]:name[/key], where name represents the resource name, key optionally represents the resource key to be filtered (default key value = aws-access-key).
 AccessKey string `property:"access-key" json:"accessKey,omitempty"`
- // The AWS Secret Key to use
+ // The AWS Secret Key to use. This could be a plain text or a configmap/secret
+ // // The content of the aws secret key is expected to be a text containing a valid AWS secret key.
+ // // Syntax: [configmap|secret]:name[/key], where name represents the resource name, key optionally represents the resource key to be filtered (default key value = aws-secret-key).
 SecretKey string `property:"secret-key" json:"secretKey,omitempty"`
 // The AWS Region to use
 Region string `property:"region" json:"region,omitempty"`
@@ -98,6 +103,7 @@ func (t *awsSecretsManagerTrait) Configure(environment *trait.Environment) (bool
 }
 func (t *awsSecretsManagerTrait) Apply(environment *trait.Environment) error {
+ rex := regexp.MustCompile(`^(configmap|secret):([a-zA-Z0-9][a-zA-Z0-9-]*)(/([a-zA-Z0-9].*))?$`)
 if environment.IntegrationInPhase(v1.IntegrationPhaseInitialization) {
 util.StringSliceUniqueAdd(&environment.Integration.Status.Capabilities, v1.CapabilityAwsSecretsManager)
 // Deprecated
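Review bot: The two new doc lines on `SecretKey` carry a doubled comment prefix, `// // The content of the aws secret key …` and `// // Syntax: …`, unlike the matching lines on `AccessKey`. Because the trait descriptions in resources/traits.yaml and the adoc page are derived from these comments, the literal `//` leaks into both (it shows up as `\t//` in the traits.yaml hunk and as `//` lines in the adoc hunk, where AsciiDoc treats a `//` line as a comment and drops it from the rendered page). Change them to `// The content of the aws secret key is expected to be a text containing a valid AWS secret key.` and `// Syntax: [configmap|secret]:name[/key], …` and regenerate. The documented default key names (`aws-access-key`, `aws-secret-key`) are the same strings passed to `DecodeValueSource` later in `Apply`, so keep them in sync if either side changes.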
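Review bot: `rex := regexp.MustCompile(...)` at the top of `Apply` recompiles the pattern on every call; compile it once at package scope, `var vaultRefRegexp = regexp.MustCompile(`^(configmap|secret):([a-zA-Z0-9][a-zA-Z0-9-]*)(/([a-zA-Z0-9].*))?$`)`, and use `vaultRefRegexp.MatchString(...)` where a yes/no answer is all that is needed, which also lets the `hits` slices go away. Note that the pattern accepts a `configmap:` prefix while the code that consumes the match later in `Apply` reads only `res.SecretKeyRef`, so the accepted syntax and the consumer need to agree. Apply's body continues past this hunk.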
@@ -106,8 +112,20 @@ func (t *awsSecretsManagerTrait) Apply(environment *trait.Environment) error {
 }
 if environment.IntegrationInRunningPhases() {
- environment.ApplicationProperties["camel.vault.aws.accessKey"] = t.AccessKey
- environment.ApplicationProperties["camel.vault.aws.secretKey"] = t.SecretKey
+ hits := rex.FindAllStringSubmatch(t.AccessKey, -1)
+ if len(hits) >= 1 {
+ var res, _ = v1.DecodeValueSource(t.AccessKey, "aws-access-key", "The access Key provided is not valid")
+ environment.ApplicationProperties["camel.vault.aws.accessKey"] = res.SecretKeyRef.Key
+ } else {
+ environment.ApplicationProperties["camel.vault.aws.accessKey"] = t.AccessKey
+ }
+ hits = rex.FindAllStringSubmatch(t.SecretKey, -1)
+ if len(hits) >= 1 {
+ var res, _ = v1.DecodeValueSource(t.SecretKey, "aws-secret-key", "The secret Key provided is not valid")
+ environment.ApplicationProperties["camel.vault.aws.secretKey"] = res.SecretKeyRef.Key
+ } else {
+ environment.ApplicationProperties["camel.vault.aws.secretKey"] = t.SecretKey
+ }
 environment.ApplicationProperties["camel.vault.aws.region"] = t.Region
 environment.ApplicationProperties["camel.vault.aws.defaultCredentialsProvider"] = strconv.FormatBool(*t.UseDefaultCredentialsProvider)
 environment.ApplicationProperties["camel.vault.aws.refreshEnabled"] = strconv.FormatBool(*t.RefreshEnabled)
diff --git a/addons/vault/aws/aws_secrets_manager_test.go b/addons/vault/aws/aws_secrets_manager_test.go
index a1084c3b0..2d5dbcd51 100644
--- a/addons/vault/aws/aws_secrets_manager_test.go
+++ b/addons/vault/aws/aws_secrets_manager_test.go
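Review bot: The new branches in `Apply` store `res.SecretKeyRef.Key` — the key name inside the Secret, which the new test pins to the literal `accessKey` — into `camel.vault.aws.accessKey` and `camel.vault.aws.secretKey`, so the runtime receives the key name rather than the credential and the Secret's content is never read or mounted; nothing else in this commit resolves the reference later, so either the value has to be injected here or the behaviour needs to be documented as intentional. Two smaller defects sit on the same lines: the error from `v1.DecodeValueSource` is discarded by `var res, _ =`, and a `configmap:name/key` value, which the regexp accepts, leaves `res.SecretKeyRef` nil and panics on `.Key`. Returning the error and handling both selector fields in one helper (with the regexp hoisted to a package-level `vaultRefRegexp`; `fmt` would need importing) also removes the duplicated block; the helper below still only yields the key name and says so, until the injection mechanism is decided. The enclosing `if` and `Apply` itself close outside this hunk.
```go
// resolveVaultRef returns value unchanged unless it is a configmap/secret
// reference; for a reference it returns the referenced key name.
// TODO: returning the key name does not inject the credential itself.
func resolveVaultRef(value, defaultKey, errMsg string) (string, error) {
	if !vaultRefRegexp.MatchString(value) {
		return value, nil
	}
	res, err := v1.DecodeValueSource(value, defaultKey, errMsg)
	if err != nil {
		return "", err
	}
	switch {
	case res.SecretKeyRef != nil:
		return res.SecretKeyRef.Key, nil
	case res.ConfigMapKeyRef != nil:
		return res.ConfigMapKeyRef.Key, nil
	default:
		return "", fmt.Errorf("%s: %q", errMsg, value)
	}
}

// in Apply:
	if environment.IntegrationInRunningPhases() {
		accessKey, err := resolveVaultRef(t.AccessKey, "aws-access-key", "The access Key provided is not valid")
		if err != nil {
			return err
		}
		secretKey, err := resolveVaultRef(t.SecretKey, "aws-secret-key", "The secret Key provided is not valid")
		if err != nil {
			return err
		}
		environment.ApplicationProperties["camel.vault.aws.accessKey"] = accessKey
		environment.ApplicationProperties["camel.vault.aws.secretKey"] = secretKey
		// … unchanged: region, defaultCredentialsProvider, refreshEnabled properties …
```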
@@ -75,6 +75,28 @@ func TestAwsSecretsManagerTraitNoDefaultCreds(t *testing.T) {
 assert.Equal(t, "false", e.ApplicationProperties["camel.vault.aws.defaultCredentialsProvider"])
 }
+func TestAwsSecretsManagerTraitWithSecrets(t *testing.T) {
+ e := createEnvironment(t, camel.QuarkusCatalog)
+ aws := NewAwsSecretsManagerTrait()
+ secrets, _ := aws.(*awsSecretsManagerTrait)
+ secrets.Enabled = pointer.Bool(true)
+ secrets.Region = "eu-west-1"
+ secrets.AccessKey = "secret:my-secret/accessKey"
+ secrets.SecretKey = "secret:my-secret/secretKey"
+ ok, err := secrets.Configure(e)
+ assert.Nil(t, err)
+ assert.True(t, ok)
+
+ err = secrets.Apply(e)
+ assert.Nil(t, err)
+
+ assert.Empty(t, e.ApplicationProperties["quarkus.jaeger.enabled"])
+ assert.Equal(t, "eu-west-1", e.ApplicationProperties["camel.vault.aws.region"])
+ assert.Equal(t, "accessKey", e.ApplicationProperties["camel.vault.aws.accessKey"])
+ assert.Equal(t, "secretKey", e.ApplicationProperties["camel.vault.aws.secretKey"])
+ assert.Equal(t, "false", e.ApplicationProperties["camel.vault.aws.defaultCredentialsProvider"])
+}
+
 func createEnvironment(t *testing.T, catalogGen func() (*camel.RuntimeCatalog, error)) *trait.Environment {
 t.Helper()
diff --git a/docs/modules/traits/pages/aws-secrets-manager.adoc b/docs/modules/traits/pages/aws-secrets-manager.adoc
index 03383744a..4a67be3c1 100644
--- a/docs/modules/traits/pages/aws-secrets-manager.adoc
+++ b/docs/modules/traits/pages/aws-secrets-manager.adoc
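Review bot: `assert.Equal(t, "accessKey", e.ApplicationProperties["camel.vault.aws.accessKey"])` locks in the key name from `secret:my-secret/accessKey` as the property value the runtime will see, rather than the Secret's content; if that is not the intended contract, this expectation has to change together with `Apply`. The test also exercises only the `secret:` form — a `configmap:my-cm/accessKey` case would currently hit a nil `res.SecretKeyRef` in `Apply`, and a case where `DecodeValueSource` returns an error is not observable because that error is dropped, so both are worth adding as regression tests. `secrets, _ := aws.(*awsSecretsManagerTrait)` discards the type-assertion result; checking it (or using `require`) turns a nil-pointer panic into a readable failure, though the existing tests in this file appear to use the same pattern.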
@@ -43,11 +43,15 @@ The following configuration options are available: | aws-secrets-manager.access-key | string -| The AWS Access Key to use +| The AWS Access Key to use. This could be a plain text or a configmap/secret +The content of the aws access key is expected to be a text containing a valid AWS access key. +Syntax: [configmap\|secret]:name[/key], where name represents the resource name, key optionally represents the resource key to be filtered (default key value = aws-access-key). | aws-secrets-manager.secret-key | string -| The AWS Secret Key to use +| The AWS Secret Key to use. This could be a plain text or a configmap/secret + // The content of the aws secret key is expected to be a text containing a valid AWS secret key. + // Syntax: [configmap\|secret]:name[/key], where name represents the resource name, key optionally represents the resource key to be filtered (default key value = aws-secret-key). | aws-secrets-manager.region | string diff --git a/resources/traits.yaml b/resources/traits.yaml index 8a0e7c586..826996269 100755 --- a/resources/traits.yaml +++ b/resources/traits.yaml 
@@ -1,3 +1,19 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
 traits:
 - name: 3scale
 platform: false
@@ -93,10 +109,18 @@ traits: description: Enables automatic configuration of the trait. - name: access-key type: string - description: The AWS Access Key to use + description: 'The AWS Access Key to use. This could be a plain text or a configmap/secret + The content of the aws access key is expected to be a text containing a valid + AWS access key. Syntax: [configmap|secret]:name[/key], where name represents + the resource name, key optionally represents the resource key to be filtered + (default key value = aws-access-key).' - name: secret-key type: string - description: The AWS Secret Key to use + description: "The AWS Secret Key to use. This could be a plain text or a configmap/secret + \t// The content of the aws secret key is expected to be a text containing a + valid AWS secret key. \t// Syntax: [configmap|secret]:name[/key], where name + represents the resource name, key optionally represents the resource key to + be filtered (default key value = aws-secret-key)." - name: region type: string description: The AWS Region to use