Kamelet - Inject secret in Vaults - AWS Secret Manager

Signed-off-by: Andrea Cosentino <[email protected]>

addons/vault/aws/aws_secrets_manager.go

@@ -18,6 +18,7 @@ limitations under the License.
 package aws
 
 import (
+	"regexp"
 	"strconv"
 
 	v1 "github.com/apache/camel-k/v2/pkg/apis/camel/v1"
@@ -46,9 +47,13 @@ type Trait struct {
 	traitv1.Trait `property:",squash"`
 	// Enables automatic configuration of the trait.
 	Auto *bool `property:"auto" json:"auto,omitempty"`
-	// The AWS Access Key to use
+	// The AWS Access Key to use. This could be a plain text or a configmap/secret
+	// The content of the aws access key is expected to be a text containing a valid AWS access key.
+	// Syntax: [configmap|secret]:name[/key], where name represents the resource name, key optionally represents the resource key to be filtered (default key value = aws-access-key).
 	AccessKey string `property:"access-key" json:"accessKey,omitempty"`
-	// The AWS Secret Key to use
+	// The AWS Secret Key to use. This could be a plain text or a configmap/secret
+	//	// The content of the aws secret key is expected to be a text containing a valid AWS secret key.
+	//	// Syntax: [configmap|secret]:name[/key], where name represents the resource name, key optionally represents the resource key to be filtered (default key value = aws-secret-key).
 	SecretKey string `property:"secret-key" json:"secretKey,omitempty"`
 	// The AWS Region to use
 	Region string `property:"region" json:"region,omitempty"`
@@ -98,6 +103,7 @@ func (t *awsSecretsManagerTrait) Configure(environment *trait.Environment) (bool
 }
 
 func (t *awsSecretsManagerTrait) Apply(environment *trait.Environment) error {
+	rex := regexp.MustCompile(`^(configmap|secret):([a-zA-Z0-9][a-zA-Z0-9-]*)(/([a-zA-Z0-9].*))?$`)
 	if environment.IntegrationInPhase(v1.IntegrationPhaseInitialization) {
 		util.StringSliceUniqueAdd(&environment.Integration.Status.Capabilities, v1.CapabilityAwsSecretsManager)
 		// Deprecated
@@ -106,8 +112,20 @@ func (t *awsSecretsManagerTrait) Apply(environment *trait.Environment) error {
 	}
 
 	if environment.IntegrationInRunningPhases() {
-		environment.ApplicationProperties["camel.vault.aws.accessKey"] = t.AccessKey
-		environment.ApplicationProperties["camel.vault.aws.secretKey"] = t.SecretKey
+		hits := rex.FindAllStringSubmatch(t.AccessKey, -1)
+		if len(hits) >= 1 {
+			var res, _ = v1.DecodeValueSource(t.AccessKey, "aws-access-key", "The access Key provided is not valid")
+			environment.ApplicationProperties["camel.vault.aws.accessKey"] = res.SecretKeyRef.Key
+		} else {
+			environment.ApplicationProperties["camel.vault.aws.accessKey"] = t.AccessKey
+		}
+		hits = rex.FindAllStringSubmatch(t.SecretKey, -1)
+		if len(hits) >= 1 {
+			var res, _ = v1.DecodeValueSource(t.SecretKey, "aws-secret-key", "The secret Key provided is not valid")
+			environment.ApplicationProperties["camel.vault.aws.secretKey"] = res.SecretKeyRef.Key
+		} else {
+			environment.ApplicationProperties["camel.vault.aws.secretKey"] = t.SecretKey
+		}
 		environment.ApplicationProperties["camel.vault.aws.region"] = t.Region
 		environment.ApplicationProperties["camel.vault.aws.defaultCredentialsProvider"] = strconv.FormatBool(*t.UseDefaultCredentialsProvider)
 		environment.ApplicationProperties["camel.vault.aws.refreshEnabled"] = strconv.FormatBool(*t.RefreshEnabled)

addons/vault/aws/aws_secrets_manager_test.go

@@ -75,6 +75,28 @@ func TestAwsSecretsManagerTraitNoDefaultCreds(t *testing.T) {
 	assert.Equal(t, "false", e.ApplicationProperties["camel.vault.aws.defaultCredentialsProvider"])
 }
 
+func TestAwsSecretsManagerTraitWithSecrets(t *testing.T) {
+	e := createEnvironment(t, camel.QuarkusCatalog)
+	aws := NewAwsSecretsManagerTrait()
+	secrets, _ := aws.(*awsSecretsManagerTrait)
+	secrets.Enabled = pointer.Bool(true)
+	secrets.Region = "eu-west-1"
+	secrets.AccessKey = "secret:my-secret/accessKey"
+	secrets.SecretKey = "secret:my-secret/secretKey"
+	ok, err := secrets.Configure(e)
+	assert.Nil(t, err)
+	assert.True(t, ok)
+
+	err = secrets.Apply(e)
+	assert.Nil(t, err)
+
+	assert.Empty(t, e.ApplicationProperties["quarkus.jaeger.enabled"])
+	assert.Equal(t, "eu-west-1", e.ApplicationProperties["camel.vault.aws.region"])
+	assert.Equal(t, "accessKey", e.ApplicationProperties["camel.vault.aws.accessKey"])
+	assert.Equal(t, "secretKey", e.ApplicationProperties["camel.vault.aws.secretKey"])
+	assert.Equal(t, "false", e.ApplicationProperties["camel.vault.aws.defaultCredentialsProvider"])
+}
+
 func createEnvironment(t *testing.T, catalogGen func() (*camel.RuntimeCatalog, error)) *trait.Environment {
 	t.Helper()
 

docs/modules/traits/pages/aws-secrets-manager.adoc

@@ -43,11 +43,15 @@ The following configuration options are available:
 
 | aws-secrets-manager.access-key
 | string
-| The AWS Access Key to use
+| The AWS Access Key to use. This could be a plain text or a configmap/secret
+The content of the aws access key is expected to be a text containing a valid AWS access key.
+Syntax: [configmap\|secret]:name[/key], where name represents the resource name, key optionally represents the resource key to be filtered (default key value = aws-access-key).
 
 | aws-secrets-manager.secret-key
 | string
-| The AWS Secret Key to use
+| The AWS Secret Key to use. This could be a plain text or a configmap/secret
+	// The content of the aws secret key is expected to be a text containing a valid AWS secret key.
+	// Syntax: [configmap\|secret]:name[/key], where name represents the resource name, key optionally represents the resource key to be filtered (default key value = aws-secret-key).
 
 | aws-secrets-manager.region
 | string

resources/traits.yaml

@@ -1,3 +1,19 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
 traits:
 - name: 3scale
   platform: false
@@ -93,10 +109,18 @@ traits:
     description: Enables automatic configuration of the trait.
   - name: access-key
     type: string
-    description: The AWS Access Key to use
+    description: 'The AWS Access Key to use. This could be a plain text or a configmap/secret
+      The content of the aws access key is expected to be a text containing a valid
+      AWS access key. Syntax: [configmap|secret]:name[/key], where name represents
+      the resource name, key optionally represents the resource key to be filtered
+      (default key value = aws-access-key).'
   - name: secret-key
     type: string
-    description: The AWS Secret Key to use
+    description: "The AWS Secret Key to use. This could be a plain text or a configmap/secret
+      \t// The content of the aws secret key is expected to be a text containing a
+      valid AWS secret key. \t// Syntax: [configmap|secret]:name[/key], where name
+      represents the resource name, key optionally represents the resource key to
+      be filtered (default key value = aws-secret-key)."
   - name: region
     type: string
     description: The AWS Region to use