Add support for AWS STS endpoint in the Bucket API

Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>

Author: matheuscscp

api/v1beta2/bucket_types.go

@@ -49,6 +49,7 @@ const (
 
 // BucketSpec specifies the required configuration to produce an Artifact for
 // an object storage bucket.
+// +kubebuilder:validation:XValidation:rule="self.provider != 'aws' || !has(self.sts) || self.sts.provider == 'aws'", message="'aws' is the only supported STS provider for the 'aws' Bucket provider"
 type BucketSpec struct {
 	// Provider of the object storage bucket.
 	// Defaults to 'generic', which expects an S3 (API) compatible object
@@ -66,6 +67,14 @@ type BucketSpec struct {
 	// +required
 	Endpoint string `json:"endpoint"`
 
+	// STS specifies the required configuration to use a Security Token
+	// Service for fetching temporary credentials to authenticate in a
+	// Bucket provider.
+	//
+	// This field is only supported for the `aws` provider.
+	// +optional
+	STS *BucketSTSSpec `json:"sts,omitempty"`
+
 	// Insecure allows connecting to a non-TLS HTTP Endpoint.
 	// +optional
 	Insecure bool `json:"insecure,omitempty"`
@@ -140,6 +149,21 @@ type BucketSpec struct {
 	AccessFrom *acl.AccessFrom `json:"accessFrom,omitempty"`
 }
 
+// BucketSTSSpec specifies the required configuration to use a Security Token
+// Service for fetching temporary credentials to authenticate in a Bucket
+// provider.
+type BucketSTSSpec struct {
+	// Provider of the Security Token Service.
+	// +kubebuilder:validation:Enum=aws
+	// +required
+	Provider string `json:"provider"`
+
+	// Endpoint is the HTTP/S endpoint of the Security Token Service from
+	// where temporary credentials will be fetched.
+	// +required
+	Endpoint string `json:"endpoint"`
+}
+
 // BucketStatus records the observed state of a Bucket.
 type BucketStatus struct {
 	// ObservedGeneration is the last observed generation of the Bucket object.

api/v1beta2/sts_types.go

@@ -0,0 +1,23 @@
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta2
+
+const (
+	// STSProviderAmazon represents the AWS provider for Security Token Service.
+	// Provides support for fetching temporary credentials from an AWS STS endpoint.
+	STSProviderAmazon string = "aws"
+)

api/v1beta2/zz_generated.deepcopy.go

@@ -420,6 +420,29 @@ spec:
                 required:
                 - name
                 type: object
+              sts:
+                description: |-
+                  STS specifies the required configuration to use a Security Token
+                  Service for fetching temporary credentials to authenticate in a
+                  Bucket provider.
+
+
+                  This field is only supported for the `aws` provider.
+                properties:
+                  endpoint:
+                    description: |-
+                      Endpoint is the HTTP/S endpoint of the Security Token Service from
+                      where temporary credentials will be fetched.
+                    type: string
+                  provider:
+                    description: Provider of the Security Token Service.
+                    enum:
+                    - aws
+                    type: string
+                required:
+                - endpoint
+                - provider
+                type: object
               suspend:
                 description: |-
                   Suspend tells the controller to suspend the reconciliation of this
@@ -435,6 +458,11 @@ spec:
             - endpoint
             - interval
             type: object
+            x-kubernetes-validations:
+            - message: '''aws'' is the only supported STS provider for the ''aws''
+                Bucket provider'
+              rule: self.provider != 'aws' || !has(self.sts) || self.sts.provider
+                == 'aws'
           status:
             default:
               observedGeneration: -1

config/crd/bases/source.toolkit.fluxcd.io_buckets.yaml

@@ -114,6 +114,23 @@ string
 </tr>
 <tr>
 <td>
+<code>sts</code><br>
+<em>
+<a href="#source.toolkit.fluxcd.io/v1beta2.BucketSTSSpec">
+BucketSTSSpec
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>STS specifies the required configuration to use a Security Token
+Service for fetching temporary credentials to authenticate in a
+Bucket provider.</p>
+<p>This field is only supported for the <code>aws</code> provider.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>insecure</code><br>
 <em>
 bool
@@ -1424,6 +1441,52 @@ map[string]string
 </table>
 </div>
 </div>
+<h3 id="source.toolkit.fluxcd.io/v1beta2.BucketSTSSpec">BucketSTSSpec
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#source.toolkit.fluxcd.io/v1beta2.BucketSpec">BucketSpec</a>)
+</p>
+<p>BucketSTSSpec specifies the required configuration to use a Security Token
+Service for fetching temporary credentials to authenticate in a Bucket
+provider.</p>
+<div class="md-typeset__scrollwrap">
+<div class="md-typeset__table">
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>provider</code><br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Provider of the Security Token Service.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>endpoint</code><br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Endpoint is the HTTP/S endpoint of the Security Token Service from
+where temporary credentials will be fetched.</p>
+</td>
+</tr>
+</tbody>
+</table>
+</div>
+</div>
 <h3 id="source.toolkit.fluxcd.io/v1beta2.BucketSpec">BucketSpec
 </h3>
 <p>
@@ -1480,6 +1543,23 @@ string
 </tr>
 <tr>
 <td>
+<code>sts</code><br>
+<em>
+<a href="#source.toolkit.fluxcd.io/v1beta2.BucketSTSSpec">
+BucketSTSSpec
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>STS specifies the required configuration to use a Security Token
+Service for fetching temporary credentials to authenticate in a
+Bucket provider.</p>
+<p>This field is only supported for the <code>aws</code> provider.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>insecure</code><br>
 <em>
 bool

docs/api/v1beta2/source.md

@@ -749,6 +749,23 @@ HTTP endpoint requires enabling [`.spec.insecure`](#insecure).
 Some endpoints require the specification of a [`.spec.region`](#region),
 see [Provider](#provider) for more (provider specific) examples.
 
+### STS
+
+`.spec.sts` is an optional field for specifying the Security Token Service
+configuration. A Security Token Service (STS) is a web service that issues
+temporary security credentials. By adding this field, one may specify the
+STS endpoint from where temporary credentials will be fetched.
+
+If using `.spec.sts`, the following fields are required:
+
+- `.spec.sts.provider`, the Security Token Service provider. The only supported
+  option is `aws`.
+- `.spec.sts.endpoint`, the HTTP/S endpoint of the Security Token Service. In
+  the case of AWS, this can be `https://sts.amazonaws.com`, or a Regional STS
+  Endpoint, or an Interface Endpoint created inside a VPC.
+
+This field is only supported for the `aws` bucket provider.
+
 ### Bucket name
 
 `.spec.bucketName` is a required field that specifies which object storage

docs/spec/v1beta2/buckets.md

@@ -88,21 +88,6 @@ func NewClient(bucket *sourcev1.Bucket, opts ...Option) (*MinioClient, error) {
 		// auto access, which we believe can cover most use cases.
 	}
 
-	if secret != nil {
-		var accessKey, secretKey string
-		if k, ok := secret.Data["accesskey"]; ok {
-			accessKey = string(k)
-		}
-		if k, ok := secret.Data["secretkey"]; ok {
-			secretKey = string(k)
-		}
-		if accessKey != "" && secretKey != "" {
-			minioOpts.Creds = credentials.NewStaticV4(accessKey, secretKey, "")
-		}
-	} else if bucket.Spec.Provider == sourcev1.AmazonBucketProvider {
-		minioOpts.Creds = credentials.NewIAM("")
-	}
-
 	var transportOpts []func(*http.Transport)
 
 	if minioOpts.Secure && tlsConfig != nil {
@@ -117,6 +102,42 @@ func NewClient(bucket *sourcev1.Bucket, opts ...Option) (*MinioClient, error) {
 		})
 	}
 
+	switch bucketProvider := bucket.Spec.Provider; {
+	case secret != nil:
+		var accessKey, secretKey string
+		if k, ok := secret.Data["accesskey"]; ok {
+			accessKey = string(k)
+		}
+		if k, ok := secret.Data["secretkey"]; ok {
+			secretKey = string(k)
+		}
+		if accessKey != "" && secretKey != "" {
+			minioOpts.Creds = credentials.NewStaticV4(accessKey, secretKey, "")
+		}
+	case bucketProvider == sourcev1.AmazonBucketProvider:
+		stsEndpoint := ""
+		if sts := bucket.Spec.STS; sts != nil {
+			if sts.Provider != sourcev1.STSProviderAmazon {
+				return nil, fmt.Errorf("STS provider '%s' is not supported for Bucket provider '%s'",
+					sts.Provider, sourcev1.AmazonBucketProvider)
+			}
+			stsEndpoint = sts.Endpoint
+		}
+
+		creds := credentials.NewIAM(stsEndpoint)
+		if len(transportOpts) > 0 {
+			transport := http.DefaultTransport.(*http.Transport).Clone()
+			for _, opt := range transportOpts {
+				opt(transport)
+			}
+			creds = credentials.New(&credentials.IAM{
+				Client:   &http.Client{Transport: transport},
+				Endpoint: stsEndpoint,
+			})
+		}
+		minioOpts.Creds = creds
+	}
+
 	if len(transportOpts) > 0 {
 		transport, err := minio.DefaultTransport(minioOpts.Secure)
 		if err != nil {