feat: enable AWS pod mutation

Signed-off-by: Bence Csati <bcsati@cisco.com> feat: enable AWS pod mutation Signed-off-by: Bence Csati <bcsati@cisco.com> feat: enable AWS pod mutation Signed-off-by: Bence Csati <bcsati@cisco.com>
bank-vaults · Aug 14, 2024 · 44f9bd8 · 44f9bd8
1 parent d60c1b7
commit 44f9bd8
Show file tree

Hide file tree

Showing 7 changed files with 525 additions and 22 deletions.
diff --git a/pkg/common/common.go b/pkg/common/common.go
@@ -140,6 +140,7 @@ const (
 	AWSLoadFromSharedConfigAnnotation  = WebhookAnnotationPrefix + "aws-load-from-shared-config"
 	AWSCredentialsNamespaceAnnotation  = WebhookAnnotationPrefix + "credentials-namespace"
 	AWSCredentialsSecretNameAnnotation = WebhookAnnotationPrefix + "credentials-secret-name"
+	AWSTLSSecretARNAnnotation          = WebhookAnnotationPrefix + "aws-tls-secret-arn"
 )
 
 // ENVIRONMENT VARIABLES
@@ -227,10 +228,11 @@ const (
 	BaoSATokenVolumeNameEnvVar          = "bao_service_account_token_volume_name"
 
 	// AWS environment variables
-	AWSRegionEnvVar                = "AWS_REGION"
-	AWSLoadFromSharedConfigEnvVar  = "AWS_LOAD_FROM_SHARED_CONFIG"
-	AWSCredentialsNamespaceEnvVar  = "AWS_CREDENTIALS_NAMESPACE"
-	AWSCredentialsSecretNameEnvVar = "AWS_CREDENTIALS_SECRET_NAME"
+	AWSRegionEnvVar                = "aws_region"
+	AWSLoadFromSharedConfigEnvVar  = "aws_load_from_shared_config"
+	AWSCredentialsNamespaceEnvVar  = "aws_credentials_namespace"
+	AWSCredentialsSecretNameEnvVar = "aws_credentials_secret_name"
+	AWSTLSSecretARNEnvVar          = "aws_tls_secret_arn"
 )
 
 // DEPRECATED ANNOTATIONS AND ENVIRONMENT VARIABLES

diff --git a/pkg/provider/aws/config.go b/pkg/provider/aws/config.go
@@ -34,6 +34,7 @@ type Config struct {
 	LoadFromSharedConfig  bool
 	CredentialsNamespace  string
 	CredentialsSecretName string
+	TLSSecretARN          string
 }
 
 func loadConfig(obj metav1.Object) (Config, error) {
@@ -71,5 +72,11 @@ func loadConfig(obj metav1.Object) (Config, error) {
 		config.CredentialsSecretName = defaultCredentialsSecretName
 	}
 
+	if val, ok := annotations[common.AWSTLSSecretARNAnnotation]; ok {
+		config.TLSSecretARN = val
+	} else {
+		config.TLSSecretARN = viper.GetString(common.AWSTLSSecretARNEnvVar)
+	}
+
 	return config, nil
 }
diff --git a/pkg/provider/aws/mutator.go b/pkg/provider/aws/mutator.go
@@ -85,20 +85,29 @@ func (m *mutator) createAWSSession(ctx context.Context, k8sClient kubernetes.Int
 }
 
 func (m *mutator) createSessionUsingK8sSecretCredentials(ctx context.Context, k8sClient kubernetes.Interface) (session.Options, error) {
-	secret, err := k8sClient.CoreV1().Secrets(m.config.CredentialsNamespace).Get(
-		ctx,
-		m.config.CredentialsSecretName,
-		metav1.GetOptions{},
-	)
+	secret, err := m.getK8sSecretCredentials(ctx, k8sClient)
 	if err != nil {
-		return session.Options{}, fmt.Errorf("failed to get AWS credentials secret: %w", err)
+		return session.Options{}, fmt.Errorf("failed to get Kubernetes secret credentials: %w", err)
 	}
 
 	return session.Options{
 		SharedConfigState: session.SharedConfigDisable,
 		Config: aws.Config{
 			Region:      aws.String(m.config.Region),
-			Credentials: credentials.NewStaticCredentials(string(secret.Data["AWS_ACCESS_KEY_ID"]), string(secret.Data["AWS_SECRET_ACCESS_KEY"]), ""),
+			Credentials: credentials.NewStaticCredentials(string(secret["AWS_ACCESS_KEY_ID"]), string(secret["AWS_SECRET_ACCESS_KEY"]), ""),
 		},
 	}, nil
 }
+
+func (m *mutator) getK8sSecretCredentials(ctx context.Context, k8sClient kubernetes.Interface) (map[string][]byte, error) {
+	secret, err := k8sClient.CoreV1().Secrets(m.config.CredentialsNamespace).Get(
+		ctx,
+		m.config.CredentialsSecretName,
+		metav1.GetOptions{},
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get AWS credentials secret: %w", err)
+	}
+
+	return secret.Data, nil
+}