feat(jans-pycloudlib): add AWS Secrets Manager support for configuration layers (#3112)

* feat(jans-pycloudlib): add AWS Secrets Manager support for configuration layers

Ref: #3026

* chore(jans-pycloudlib): updated build (#3113)

Signed-off-by: mo-auto <54212639+mo-auto@users.noreply.github.com>

Signed-off-by: mo-auto <54212639+mo-auto@users.noreply.github.com>

* feat: add aws secret setup to helm chart

* ci: add update of pycloud exception

Signed-off-by: mo-auto <54212639+mo-auto@users.noreply.github.com>
Co-authored-by: mo-auto <54212639+mo-auto@users.noreply.github.com>
Co-authored-by: moabu <47318409+moabu@users.noreply.github.com>

Author: 3 people

.github/workflows/pr-ref-issue.yml

@@ -15,6 +15,7 @@ on:
       - "release-please-**"
       - "dependabot/**"
       - "snyk-**"
+      - "update-pycloud-in-**"
   workflow_dispatch:
 jobs:
   check-prs-issue:

charts/janssen/charts/auth-server-key-rotation/templates/cronjobs.yaml

@@ -41,6 +41,17 @@ spec:
                 {{- include "auth-server-key-rotation.usr-secret-envs" . | indent 16 }}
               imagePullPolicy: {{ .Values.image.pullPolicy }}
               volumeMounts:
+              {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }}
+                - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }}
+                  name: aws-shared-credential-file
+                  subPath: aws_shared_credential_file
+                - mountPath: {{ .Values.global.cnAwsConfigFile }}
+                  name: aws-config-file
+                  subPath: aws_config_file
+                - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }}
+                  name: aws-secrets-replica-regions
+                  subPath: aws_secrets_replica_regions
+              {{- end }}
               {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
                 - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }}
                   name: google-sa
@@ -80,6 +91,26 @@ spec:
           {{- with .Values.volumes }}
 {{- toYaml . | nindent 12 }}
           {{- end }}
+          {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }}
+            - name: aws-shared-credential-file
+              secret:
+                secretName: {{ .Release.Name }}-aws-config-creds
+                items:
+                  - key: aws_shared_credential_file
+                    path: aws_shared_credential_file
+            - name: aws-config-file
+              secret:
+                secretName: {{ .Release.Name }}-aws-config-creds
+                items:
+                  - key: aws_config_file
+                    path: aws_config_file
+            - name: aws-secrets-replica-regions
+              secret:
+                secretName: {{ .Release.Name }}-aws-config-creds
+                items:
+                  - key: aws_secrets_replica_regions
+                    path: aws_secrets_replica_regions
+          {{- end }}
           {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
             - name: google-sa
               secret:

charts/janssen/charts/auth-server/templates/deployment.yml

@@ -81,6 +81,17 @@ spec:
         {{- with .Values.volumeMounts }}
 {{- toYaml . | nindent 10 }}
         {{- end }}
+        {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }}
+          - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }}
+            name: aws-shared-credential-file
+            subPath: aws_shared_credential_file
+          - mountPath: {{ .Values.global.cnAwsConfigFile }}
+            name: aws-config-file
+            subPath: aws_config_file
+          - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }}
+            name: aws-secrets-replica-regions
+            subPath: aws_secrets_replica_regions
+        {{- end }}
         {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
           - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }}
             name: google-sa
@@ -121,6 +132,26 @@ spec:
       {{- with .Values.volumes }}
 {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }}
+        - name: aws-shared-credential-file
+          secret:
+            secretName: {{ .Release.Name }}-aws-config-creds
+            items:
+              - key: aws_shared_credential_file
+                path: aws_shared_credential_file
+        - name: aws-config-file
+          secret:
+            secretName: {{ .Release.Name }}-aws-config-creds
+            items:
+              - key: aws_config_file
+                path: aws_config_file
+        - name: aws-secrets-replica-regions
+          secret:
+            secretName: {{ .Release.Name }}-aws-config-creds
+            items:
+              - key: aws_secrets_replica_regions
+                path: aws_secrets_replica_regions
+      {{- end }}
       {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
         - name: google-sa
           secret:

charts/janssen/charts/config-api/templates/deployment.yaml

@@ -77,6 +77,17 @@ spec:
           {{- with .Values.volumeMounts }}
 {{- toYaml . | nindent 12 }}
           {{- end }}
+          {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }}
+            - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }}
+              name: aws-shared-credential-file
+              subPath: aws_shared_credential_file
+            - mountPath: {{ .Values.global.cnAwsConfigFile }}
+              name: aws-config-file
+              subPath: aws_config_file
+            - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }}
+              name: aws-secrets-replica-regions
+              subPath: aws_secrets_replica_regions
+          {{- end }}
           {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
             - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }}
               name: google-sa
@@ -106,6 +117,26 @@ spec:
       {{- with .Values.volumes }}
 {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }}
+        - name: aws-shared-credential-file
+          secret:
+            secretName: {{ .Release.Name }}-aws-config-creds
+            items:
+              - key: aws_shared_credential_file
+                path: aws_shared_credential_file
+        - name: aws-config-file
+          secret:
+            secretName: {{ .Release.Name }}-aws-config-creds
+            items:
+              - key: aws_config_file
+                path: aws_config_file
+        - name: aws-secrets-replica-regions
+          secret:
+            secretName: {{ .Release.Name }}-aws-config-creds
+            items:
+              - key: aws_secrets_replica_regions
+                path: aws_secrets_replica_regions
+      {{- end }}
       {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
         - name: google-sa
           secret:

charts/janssen/charts/config/templates/load-init-config.yml

@@ -34,6 +34,26 @@ spec:
       volumes:
       {{- with .Values.volumes }}
 {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }}
+        - name: aws-shared-credential-file
+          secret:
+            secretName: {{ .Release.Name }}-aws-config-creds
+            items:
+              - key: aws_shared_credential_file
+                path: aws_shared_credential_file
+        - name: aws-config-file
+          secret:
+            secretName: {{ .Release.Name }}-aws-config-creds
+            items:
+              - key: aws_config_file
+                path: aws_config_file
+        - name: aws-secrets-replica-regions
+          secret:
+            secretName: {{ .Release.Name }}-aws-config-creds
+            items:
+              - key: aws_secrets_replica_regions
+                path: aws_secrets_replica_regions
       {{- end }}
         - name: {{ include "config.fullname" . }}-mount-gen-file
           secret:
@@ -59,6 +79,17 @@ spec:
           {{- with .Values.volumeMounts }}
 {{- toYaml . | nindent 10 }}
           {{- end }}
+        {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }}
+          - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }}
+            name: aws-shared-credential-file
+            subPath: aws_shared_credential_file
+          - mountPath: {{ .Values.global.cnAwsConfigFile }}
+            name: aws-config-file
+            subPath: aws_config_file
+          - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }}
+            name: aws-secrets-replica-regions
+            subPath: aws_secrets_replica_regions
+        {{- end }}
           - mountPath: /app/db/generate.json
             name: {{ include "config.fullname" . }}-mount-gen-file
             subPath: generate.json

charts/janssen/charts/config/templates/secrets.yaml

@@ -59,6 +59,33 @@ data:
   couchbase.crt: {{ .Values.configmap.cnCouchbaseCrt }}
 {{- end }}
 {{- end }}
+{{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-aws-config-creds
+  labels:
+{{ include "config.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+  annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+type: Opaque
+stringData:
+  aws_shared_credential_file: |-
+    [{{ .Values.configmap.cnAwsProfile | quote }}]
+    aws_access_key_id = {{ .Values.configmap.cnAwsAccessKeyId }}
+    aws_secret_access_key = {{ .Values.configmap.cnAwsSecretAccessKey }}
+  aws_config_file: |-
+    [{{ .Values.configmap.cnAwsProfile | quote }}]
+    region = {{ .Values.configmap.cnAwsDefaultRegion | quote }}
+  aws_secrets_replica_regions: |-
+    {{ .Values.configmap.cnAwsSecretsReplicaRegions | toJson }}
+{{- end }}
 {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
 ---
 apiVersion: v1

charts/janssen/charts/fido2/templates/deployment.yml

@@ -81,6 +81,17 @@ spec:
         {{- with .Values.volumeMounts }}
 {{- toYaml . | nindent 10 }}
         {{- end }}
+        {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }}
+          - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }}
+            name: aws-shared-credential-file
+            subPath: aws_shared_credential_file
+          - mountPath: {{ .Values.global.cnAwsConfigFile }}
+            name: aws-config-file
+            subPath: aws_config_file
+          - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }}
+            name: aws-secrets-replica-regions
+            subPath: aws_secrets_replica_regions
+        {{- end }}
         {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
           - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }}
             name: google-sa
@@ -121,6 +132,26 @@ spec:
       {{- with .Values.volumes }}
 {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }}
+        - name: aws-shared-credential-file
+          secret:
+            secretName: {{ .Release.Name }}-aws-config-creds
+            items:
+              - key: aws_shared_credential_file
+                path: aws_shared_credential_file
+        - name: aws-config-file
+          secret:
+            secretName: {{ .Release.Name }}-aws-config-creds
+            items:
+              - key: aws_config_file
+                path: aws_config_file
+        - name: aws-secrets-replica-regions
+          secret:
+            secretName: {{ .Release.Name }}-aws-config-creds
+            items:
+              - key: aws_secrets_replica_regions
+                path: aws_secrets_replica_regions
+      {{- end }}
       {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
         - name: google-sa
           secret:

charts/janssen/charts/persistence/templates/jobs.yml

@@ -67,6 +67,17 @@ spec:
           {{- with .Values.volumeMounts }}
 {{- toYaml . | nindent 10 }}
           {{- end }}
+        {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }}
+          - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }}
+            name: aws-shared-credential-file
+            subPath: aws_shared_credential_file
+          - mountPath: {{ .Values.global.cnAwsConfigFile }}
+            name: aws-config-file
+            subPath: aws_config_file
+          - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }}
+            name: aws-secrets-replica-regions
+            subPath: aws_secrets_replica_regions
+        {{- end }}
         {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
           - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }}
             name: google-sa
@@ -83,6 +94,26 @@ spec:
       {{- with .Values.volumes }}
 {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }}
+        - name: aws-shared-credential-file
+          secret:
+            secretName: {{ .Release.Name }}-aws-config-creds
+            items:
+              - key: aws_shared_credential_file
+                path: aws_shared_credential_file
+        - name: aws-config-file
+          secret:
+            secretName: {{ .Release.Name }}-aws-config-creds
+            items:
+              - key: aws_config_file
+                path: aws_config_file
+        - name: aws-secrets-replica-regions
+          secret:
+            secretName: {{ .Release.Name }}-aws-config-creds
+            items:
+              - key: aws_secrets_replica_regions
+                path: aws_secrets_replica_regions
+      {{- end }}
       {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
         - name: google-sa
           secret:

charts/janssen/charts/scim/templates/deployment.yml

@@ -89,6 +89,17 @@ spec:
         {{- with .Values.volumeMounts }}
 {{- toYaml . | nindent 10 }}
         {{- end }}
+        {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }}
+        - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }}
+          name: aws-shared-credential-file
+          subPath: aws_shared_credential_file
+        - mountPath: {{ .Values.global.cnAwsConfigFile }}
+          name: aws-config-file
+          subPath: aws_config_file
+        - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }}
+          name: aws-secrets-replica-regions
+          subPath: aws_secrets_replica_regions
+        {{- end }}
         {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
         - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }}
           name: google-sa
@@ -119,6 +130,26 @@ spec:
       {{- with .Values.volumes }}
 {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }}
+        - name: aws-shared-credential-file
+          secret:
+            secretName: {{ .Release.Name }}-aws-config-creds
+            items:
+              - key: aws_shared_credential_file
+                path: aws_shared_credential_file
+        - name: aws-config-file
+          secret:
+            secretName: {{ .Release.Name }}-aws-config-creds
+            items:
+              - key: aws_config_file
+                path: aws_config_file
+        - name: aws-secrets-replica-regions
+          secret:
+            secretName: {{ .Release.Name }}-aws-config-creds
+            items:
+              - key: aws_secrets_replica_regions
+                path: aws_secrets_replica_regions
+      {{- end }}
       {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
         - name: google-sa
           secret:

charts/janssen/values.schema.json

@@ -458,14 +458,14 @@
           }
         },
         "configAdapterName": {
-          "description": "The config backend adapter that will hold Janssen configuration layer. google|kubernetes",
+          "description": "The config backend adapter that will hold Janssen configuration layer. aws|google|kubernetes",
           "type": "string",
-          "pattern": "^(kubernetes|google)$"
+          "pattern": "^(kubernetes|google|aws)$"
         },
         "configSecretAdapter": {
-          "description": "The config backend adapter that will hold Janssen secret layer. google|kubernetes",
+          "description": "The config backend adapter that will hold Janssen secret layer. aws|google|kubernetes",
           "type": "string",
-          "pattern": "^(kubernetes|google)$"
+          "pattern": "^(kubernetes|google|aws)$"
         },
         "cnGoogleApplicationCredentials": {
           "description": "Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner.",