feat(aws): support for aws tags

[ivankatliarchuk]

Problem Statement

What is the problem you're trying to solve?

Related Issue

Partially resolves #1821 . Provides a capability to create secrets with KSM key, Description and Tags.

It does not:

• modify existing keys if/when tags added/removed
• provide a way to configure capability to set KSM resource policy
• secret replication in other region

Proposed Changes

How do you like to solve the issue and why?

Added support to create a secret with

• tags
• description
• kms key default and non-default

very similar to

• azure feat: Allow to specify tags when pushing to Azure Key Vault #4507
• aws parameter store

  external-secrets/pkg/provider/aws/parameterstore/parameterstore.go

  Line 583 in 63740fc

  func (pm *ParameterStore) constructMetadataWithDefaults(data *apiextensionsv1.JSON) (*metadata.PushSecretMetadata[PushSecretMetadataSpec], error) {

There going to be a breaking change, as before it was

metada:
   secretPushFormat: string

now

      metadata:
        apiVersion: kubernetes.external-secrets.io/v1alpha1
        kind: PushSecretMetadata
        spec:
          secretPushFormat: string # When not set, default to binary 

It is possible to support both, with slightly more code complexity. My understanding, from reading design docs https://github.com/external-secrets/external-secrets/blob/main/design/010-pushsecret-metadata.md v1alpha1 should support both, or we need to bump version of the API?

This PR only covers new secret creation. To support secrets that already managed with secrets operator, I'm planning to open a second pull request. As the code is slightly more complex.

In follow-up I'll have a look how easy is to support Secrets resources policies and region replications.

Tested in the account. Manifests below

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: secretstore-sample-ik
spec:
  provider:
    aws:
      service: SecretsManager
      region: eu-west-1
      secretsManager:
        forceDeleteWithoutRecovery: true
      auth:
        secretRef:
          accessKeyIDSecretRef:
            name: awssm-secret
            key: access-key
          secretAccessKeySecretRef:
            name: awssm-secret
            key: secret-access-key
---
apiVersion: generators.external-secrets.io/v1alpha1
kind: Password
metadata:
  name: my-password
  namespace: external-secrets
spec:
  length: 12
  digits: 5
  symbols: 5
  symbolCharacters: "-_$@"
  noUpper: false
  allowRepeat: true
---
apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: pushsecret-to-aws-example # Customisable
  namespace: external-secrets # Same of the SecretStores
  labels:
    this-is-the-label: "lol"
  annotations:
    this-is-the-annotation: "haha"
spec:
  deletionPolicy: Delete
  refreshInterval: 1m # Refresh interval for which push secret will reconcile
  secretStoreRefs: # A list of secret stores to push secrets to
    - name: secretstore-sample-ik
      kind: SecretStore
  selector:
    generatorRef:
      apiVersion: generators.external-secrets.io/v1alpha1
      kind: Password
      name: my-password
  template:
    metadata:
      annotations:
        a-key2: value1
      labels:
        l-key2: value1
        pp.kubernetes.io/part-of: testing
  data:
    - conversionStrategy: None
      match:
        secretKey: password # Source Kubernetes secret key to be pushed
        remoteRef:
          remoteKey: teamb-my-first-parameter-6 # Remote reference (where the secret is going to be pushed)
      metadata:
        apiVersion: kubernetes.external-secrets.io/v1alpha1
        kind: PushSecretMetadata
        spec:
          kmsKeyID: bb123123-b2b0-4f60-ac3a-44a13f0e6b6c
          secretPushFormat: string
          description: "this is key description"
          tags: # Tags to be added to the secret in Azure Key Vault
            secret-store: teamb-secret-store
            refresh-interval: 1h

Secret is created with Tags, Description, and user specieif kmsKeyID

Checklist

• I have read the contribution guidelines
• All commits are signed with git commit --signoff
• My changes have reasonable test coverage
• All tests pass with make test
• I ensured my PR is ready for review with make reviewable
• Review docs for IAM permissions https://github.com/aws/aws-sdk-go-v2/blob/d96b0023dfa1379858d52722c3626466afa26896/service/secretsmanager/api_op_CreateSecret.go#L55

Test with CLI

❯❯ aws secretsmanager list-secrets
❯❯ aws kms list-aliases
❯❯ aws kms list-keys

[Skarlso]

Thanks for doing this. Do you require me to look at it, or are you still working on things here? :)

[ivankatliarchuk]

I will be working on it thanks. Trying to better understand the setup.

[ivankatliarchuk]

Hi @Skarlso .

So it looks like I need some help with unit testing. Basically I not fully understand the framework. Example tests I would like to have, but not sure how to.

1. Validate that secret contains required metadata field. When I push secret to fake store, not sure how to retieve it for validation
2. Validate the supplied input before the secret pushed to AWS/fake-store.
3. constructMetadataWithDefaults(). It looks like, only public methods currently unit-tested. No issue with that, but how to reliably test that for example constructMetadataWithDefaults() configure default values if not set?

[Skarlso]

I'll take a look. :)

[Skarlso]

@ivankatliarchuk Need anything else with the tests? Or is this now ready to be reviewed? :)

[ivankatliarchuk]

Is ready to an extend. Pls review

[Skarlso]

Looks good to me just one tiny comment.

[gusfcarvalho]

/ok-to-test sha=df3730b5a80092a35082fe5efd6c86c06e6baf7d

[eso-service-account-app]

[Bot] - ✅ e2e for df3730b5a80092a35082fe5efd6c86c06e6baf7d passed

[Skarlso]

@ivankatliarchuk Hello. If you update your branch this is ready to merge. :)

[ivankatliarchuk]

done

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud