
feat(SecretProviderClass): add support for objectAlias #941

Merged
merged 5 commits into from
Mar 4, 2024
22 changes: 15 additions & 7 deletions lib/addons/secrets-store/csi-driver-provider-aws-secrets.ts
Expand Up @@ -18,8 +18,8 @@ export interface CsiSecretProps {
secretProvider: SecretProvider;

/**
* For secrets containing JSON structure, an optional JMES Path (https://jmespath.org/) object to decompose individual keys as separate
* secret object data.
* For secrets containing JSON structure, an optional JMES Path (https://jmespath.org/) object to decompose individual keys as separate
* secret object data.
*/
jmesPath?: JmesPathObject[];

Expand All @@ -44,6 +44,11 @@ export interface KubernetesSecret {
*/
secretName: string;

/**
* An alias for the AWS secret once it is synced as a Kubernetes secret.
*/
secretAlias?: string;

/**
* Type of Kubernetes Secret
*/
Expand All @@ -66,7 +71,7 @@ export interface KubernetesSecret {
interface KubernetesSecretObjectData {

/**
* Name of the AWS Secret that is syncd
* Name of the AWS Secret that is synced
*/
objectName?: string;

Expand Down Expand Up @@ -95,13 +100,15 @@ export enum KubernetesSecretType {
interface ParameterObject {
objectName: string;
objectType: string;
objectAlias?: string;
jmesPath?: JmesPathObject[];
}

function createParameterObject(csiSecret: CsiSecretProps, secretName: string, secretType: AwsSecretType) {
function createParameterObject(csiSecret: CsiSecretProps, secretName: string, secretType: AwsSecretType, secretAlias?: string) {
const result: ParameterObject = {
objectName: secretName,
objectType: secretType,
objectAlias: secretAlias,
};
if (csiSecret.jmesPath) {
result.jmesPath = csiSecret.jmesPath;
Expand Down Expand Up @@ -158,7 +165,7 @@ export class SecretProviderClass {

/**
* Setup CSI secrets
* @param clusterInfo
* @param clusterInfo
*/
protected setupSecrets(): Promise<Construct> {
const secretsDriverPromise = this.clusterInfo.getScheduledAddOn(SecretsStoreAddOn.name);
Expand All @@ -184,18 +191,19 @@ export class SecretProviderClass {
let kubernetesSecret: KubernetesSecret;
let secretName: string;
const secret: ISecret | IStringParameter = csiSecret.secretProvider.provide(this.clusterInfo);
const secretAlias: string | undefined = csiSecret.kubernetesSecret?.secretAlias;

if (Object.hasOwnProperty.call(secret, 'secretArn')) {
const secretManagerSecret = secret as ISecret;
secretName = secretManagerSecret.secretName;
const parameterObject = createParameterObject(csiSecret, secretName, AwsSecretType.SECRETSMANAGER);
const parameterObject = createParameterObject(csiSecret, secretName, AwsSecretType.SECRETSMANAGER, secretAlias);
this.parameterObjects.push(parameterObject);
secretManagerSecret.grantRead(this.serviceAccount);
}
else {
const ssmSecret = secret as IStringParameter;
secretName = ssmSecret.parameterName;
const parameterObject = createParameterObject(csiSecret, secretName, AwsSecretType.SSMPARAMETER);
const parameterObject = createParameterObject(csiSecret, secretName, AwsSecretType.SSMPARAMETER, secretAlias);
this.parameterObjects.push(parameterObject);
ssmSecret.grantRead(this.serviceAccount);
}
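Review bot: In createParameterObject, `objectAlias: secretAlias` writes the key unconditionally, so when no alias is configured the parameter object carries an `objectAlias` of `undefined`, and whether that ends up as an absent key or an explicit null depends on how `parameterObjects` is rendered into the SecretProviderClass manifest, which is outside this hunk. The sibling `jmesPath` field in the same function is already added only when present, so the alias should follow that pattern: drop the literal property and add `if (secretAlias) { result.objectAlias = secretAlias; }` next to the jmesPath check. Separately, the `secretAlias` doc comment on KubernetesSecret describes it as an alias for the synced Kubernetes secret, but the value is passed straight through as the CSI provider's `objectAlias`, which is the file name under the mount path and the name a `secretObjects` data entry has to reference; I would reword it to `Optional alias passed to the CSI driver as objectAlias: the file name under the mount path, which secretObjects data must reference instead of the AWS secret name.` Since the alias is operator-supplied and becomes a path component on the mounted volume, it is presumably the AWS provider that rejects separators or `..` in it; worth confirming and noting in the comment rather than assuming. createParameterObject's body continues past the end of this hunk.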
46 changes: 46 additions & 0 deletions test/secretproviderclass.test.ts
@@ -0,0 +1,46 @@
import * as cdk from "aws-cdk-lib";
import * as blueprints from "../lib";
import {
ClusterAddOn,
ClusterInfo,
GenerateSecretManagerProvider,
SecretProviderClass,
SecretsStoreAddOn
} from "../lib";
import {ServiceAccount} from "aws-cdk-lib/aws-eks";

class TestSecretAddon implements ClusterAddOn {
public deploy(clusterInfo: ClusterInfo): void {
const sa = new ServiceAccount(clusterInfo.cluster.stack, "sa", {name: "acme-sa", cluster: clusterInfo.cluster});
new SecretProviderClass(clusterInfo, sa, "acme-aws-secrets",
{
secretProvider: new GenerateSecretManagerProvider("acme-secret", "real-secret-name"),
kubernetesSecret: {
secretName: "real-secret-name",
secretAlias: "aliased-secret-name",
}
}
);
}
}
describe('Unit tests for SecretProviderClass', () => {

test("SecretProviderClass contains objectAlas when configured.", async () => {

const app = new cdk.App();
const stack = new blueprints.EksBlueprint(app, {
id: 'MySecretTestStack',
version: "auto",
addOns: [
new SecretsStoreAddOn(),
new TestSecretAddon(),
],
});

const stackResolved = await stack.waitForAsyncTasks();
const template = app.synth().getStackArtifact(stackResolved.artifactId).template;
const stringTemplate = JSON.stringify(template);
const expectedSubstring = "\\\\\\\"objectAlias\\\\\\\":\\\\\\\"aliased-secret-name\\\\\\";
expect(stringTemplate).toContain(expectedSubstring);
});
});
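Review bot: The test only covers the positive case; since the provider-side change now always writes an `objectAlias` property, a second case that omits `secretAlias` and asserts `expect(stringTemplate).not.toContain("objectAlias")` would pin down that an unconfigured alias does not leak an empty or null `objectAlias` into the manifest. The expected substring on the `expectedSubstring` line is a quadruple-escaped literal whose escaping depth encodes how the objects list is nested as a string inside the synthesized template, so it will break on any change to that serialization; a one-line comment stating that, or building the expectation with nested `JSON.stringify` calls, would make the intent readable. The test title reads `objectAlas` and should be `objectAlias`.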