Support AWS KMS credentials using decryption secretRef

[aryan9600]

Adds support for using .spec.decryption to refer to custom AWS KMS credentials and override global decryption configuration.

Signed-off-by: Sanskar Jaiswal [email protected]

[stefanprodan]

Please extend the documentation to cover AWS KMS:

• Explain static keys here https://github.com/fluxcd/kustomize-controller/blob/main/docs/spec/v1beta2/kustomization.md#decryption-secret-reference
• Explain IRSA here https://github.com/fluxcd/kustomize-controller/blob/main/docs/spec/v1beta2/kustomization.md#controller-global-decryption

PS. For IRSA you can take some of the info from https://fluxcd.io/docs/guides/mozilla-sops/#encrypting-secrets-using-various-cloud-providers

[aryan9600]

@stefanprodan I think it might be redundant to explain IRSA in both the sops guide and the kustomization docs, since IRSA is sufficiently explained in the sops guide (the wording can be improved to be clearer though), so maybe we can link that guide in the kustomization docs?

[stefanprodan]

@aryan9600 it's fine to link to the guide, but we need a section like this one https://github.com/fluxcd/kustomize-controller/blob/main/docs/spec/v1beta2/kustomization.md#gcp-kms for AWS.

[aryan9600]

@stefanprodan we already have that, if i'm not mistaken: https://github.com/fluxcd/kustomize-controller/blob/main/docs/spec/v1beta2/kustomization.md#aws. we could add the link to the sops guide (and make the guide clearer) in this section?

[hiddeco]

There is no documentation which instructs how to supply a SecretRef and what data the Secret must contain for AWS. Which is explained in detail for any other custom implementation we have. See: https://github.com/fluxcd/kustomize-controller/blob/main/docs/spec/v1beta2/kustomization.md#azure-key-vault-secret-entry

[aryan9600]

Yep, I'm working on that, I was talking about the ISRA stuff 😅

[aryan9600]

Fuzzing tests are failing because of invalid fuzzing tests in aws-sdk-go-v2, ref: aws/aws-sdk-go-v2#1693

[hiddeco]

This is shaping up well, couple of nitpicks mostly around making our lives easier when we look at this again in a couple months 😄

[hiddeco]

Suggested change

	// CredsProvider is a wrapper around aws.CredentialsProvider used for authenticating
	// when using AWS KMS.
	// CredsProvider is a wrapper around aws.CredentialsProvider used for authenticating
	// towards AWS KMS.

[hiddeco]

Suggested change

	// from the enviornment.
	// from the environment.

[hiddeco]

This should be above private methods.

[hiddeco]

Suggested change

	// epResolver IS ONLY MEANT TO BE USED FOR TESTS.
	// it can be used to override the endpoint that the AWS client resolves to
	// by default. it's hacky but there is no other choice, since you can't
	// specify the endpoint as an env var like you can do with an access key.
	epResolver aws.EndpointResolver
	// epResolver can be used to override the endpoint the AWS client resolves
	// to by default. This is mostly used for testing purposes as it can not be
	// injected using e.g. an environment variable. The field is not publicly
	// exposed, nor configurable.
	epResolver aws.EndpointResolver

[hiddeco]

Suggested change

	// WithAWSKeys configurs the AWS credentials on the Server
	// WithAWSKeys configures the AWS credentials on the Server.

[hiddeco]

This is no longer correct.

[hiddeco]

Stellar job 💯

[pjbgf]

two tiny nits, apart from that LGTM

great work @aryan9600!

[stefanprodan]

What are we going to do about fuzzing? We can't merge this and have all PRs from now on failing. Can we disable the AWS tests?

[pjbgf]

What are going to do about fuzzing? We can't merge this and have all PRs from now on failing. Can we disable the AWS tests?

We will disable them for the time being whilst we wait for the fix upstream. The approach we discussed so far is picking a different conditional tag for our own fuzz tests.

[pjbgf]

Great job @aryan9600! 👏 👏

LGTM

[hiddeco]

Can we please change the license on this (internal/sops/awskms) to MPL 2.0 before we merge.