1
0
Fork 0
mirror of https://github.com/external-secrets/external-secrets.git synced 2024-12-14 11:57:59 +00:00

Add Support for fips regions. (#2805)

Signed-off-by: Tom Elliot <thomas.elliot@acquia.com>
This commit is contained in:
Tom Elliot 2023-10-25 18:32:59 -04:00 committed by GitHub
parent 7fbae000d6
commit 0612404f64
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 77 additions and 12 deletions

View file

@ -97,12 +97,21 @@ func validateRegion(prov *esv1beta1.AWSProvider) error {
partitions := resolver.(endpoints.EnumPartitions).Partitions()
found := false
for _, p := range partitions {
for id := range p.Regions() {
if id == prov.Region {
var serviceskey string
if prov.Service == esv1beta1.AWSServiceSecretsManager {
serviceskey = "secretsmanager"
} else if prov.Service == esv1beta1.AWSServiceParameterStore {
serviceskey = "ssm"
}
service, ok := p.Services()[serviceskey]
if ok {
for region := range service.Endpoints() {
if region == prov.Region {
found = true
}
}
}
}
if !found {
return fmt.Errorf(errRegionNotFound, prov.Region)
}

View file

@ -151,7 +151,11 @@ func TestProvider(t *testing.T) {
}
}
const validRegion = "eu-central-1"
const (
validRegion = "eu-central-1"
validFipsSecretManagerRegion = "us-east-1-fips"
validFipsSsmRegion = "fips-us-east-1"
)
func TestValidateStore(t *testing.T) {
type args struct {
@ -178,13 +182,59 @@ func TestValidateStore(t *testing.T) {
},
},
{
name: "valid region",
name: "valid region secrets manager",
args: args{
store: &esv1beta1.SecretStore{
Spec: esv1beta1.SecretStoreSpec{
Provider: &esv1beta1.SecretStoreProvider{
AWS: &esv1beta1.AWSProvider{
Region: validRegion,
Service: esv1beta1.AWSServiceSecretsManager,
},
},
},
},
},
},
{
name: "valid region secrets manager",
args: args{
store: &esv1beta1.SecretStore{
Spec: esv1beta1.SecretStoreSpec{
Provider: &esv1beta1.SecretStoreProvider{
AWS: &esv1beta1.AWSProvider{
Region: validRegion,
Service: esv1beta1.AWSServiceSecretsManager,
},
},
},
},
},
},
{
name: "valid fips region secrets manager",
args: args{
store: &esv1beta1.SecretStore{
Spec: esv1beta1.SecretStoreSpec{
Provider: &esv1beta1.SecretStoreProvider{
AWS: &esv1beta1.AWSProvider{
Region: validFipsSecretManagerRegion,
Service: esv1beta1.AWSServiceSecretsManager,
},
},
},
},
},
},
{
name: "valid fips region parameter store",
args: args{
store: &esv1beta1.SecretStore{
Spec: esv1beta1.SecretStoreSpec{
Provider: &esv1beta1.SecretStoreProvider{
AWS: &esv1beta1.AWSProvider{
Region: validFipsSsmRegion,
Service: esv1beta1.AWSServiceParameterStore,
},
},
},
@ -200,6 +250,7 @@ func TestValidateStore(t *testing.T) {
Provider: &esv1beta1.SecretStoreProvider{
AWS: &esv1beta1.AWSProvider{
Region: validRegion,
Service: esv1beta1.AWSServiceSecretsManager,
Auth: esv1beta1.AWSAuth{
SecretRef: &esv1beta1.AWSAuthSecretRef{
AccessKeyID: esmeta.SecretKeySelector{
@ -223,6 +274,7 @@ func TestValidateStore(t *testing.T) {
Provider: &esv1beta1.SecretStoreProvider{
AWS: &esv1beta1.AWSProvider{
Region: validRegion,
Service: esv1beta1.AWSServiceSecretsManager,
Auth: esv1beta1.AWSAuth{
SecretRef: &esv1beta1.AWSAuthSecretRef{
SecretAccessKey: esmeta.SecretKeySelector{
@ -249,6 +301,7 @@ func TestValidateStore(t *testing.T) {
Provider: &esv1beta1.SecretStoreProvider{
AWS: &esv1beta1.AWSProvider{
Region: validRegion,
Service: esv1beta1.AWSServiceSecretsManager,
Auth: esv1beta1.AWSAuth{
SecretRef: &esv1beta1.AWSAuthSecretRef{
SecretAccessKey: esmeta.SecretKeySelector{
@ -274,6 +327,7 @@ func TestValidateStore(t *testing.T) {
Provider: &esv1beta1.SecretStoreProvider{
AWS: &esv1beta1.AWSProvider{
Region: validRegion,
Service: esv1beta1.AWSServiceSecretsManager,
Auth: esv1beta1.AWSAuth{
SecretRef: &esv1beta1.AWSAuthSecretRef{
AccessKeyID: esmeta.SecretKeySelector{
@ -299,6 +353,7 @@ func TestValidateStore(t *testing.T) {
Provider: &esv1beta1.SecretStoreProvider{
AWS: &esv1beta1.AWSProvider{
Region: validRegion,
Service: esv1beta1.AWSServiceSecretsManager,
Auth: esv1beta1.AWSAuth{
JWTAuth: &esv1beta1.AWSJWTAuth{
ServiceAccountRef: &esmeta.ServiceAccountSelector{
@ -321,6 +376,7 @@ func TestValidateStore(t *testing.T) {
Provider: &esv1beta1.SecretStoreProvider{
AWS: &esv1beta1.AWSProvider{
Region: validRegion,
Service: esv1beta1.AWSServiceSecretsManager,
Auth: esv1beta1.AWSAuth{
JWTAuth: &esv1beta1.AWSJWTAuth{
ServiceAccountRef: &esmeta.ServiceAccountSelector{