add docs

Signed-off-by: Sanskar Jaiswal <sanskar.jaiswal@weave.works>
2022-04-28 22:49:45 +05:30 · 2022-04-28 22:49:45 +05:30 · c801f75458
parent 53aded2596
commit c801f75458
4 changed files with 69 additions and 9 deletions
--- a/docs/spec/v1beta2/kustomization.md
+++ b/docs/spec/v1beta2/kustomization.md
@ -1105,6 +1105,25 @@ data:
  identity.asc: <BASE64>
 ```

+#### AWS KMS Secret Entry
+
+To specify credentials for an AWS user account linked to the IAM role with access
+to KMS, append a `.data` entry with a fixed `sops.aws-kms` key.
+
+```yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: sops-keys
+  namespace: default
+stringData:
+  sops.aws-kms: |
+        aws_access_key_id: some-access-key-id
+        aws_secret_access_key: some-aws-secret-access-key
+        aws_session_token: some-aws-session-token # this field is optional
+```
+
 #### Azure Key Vault Secret entry

 To specify credentials for Azure Key Vault in a Secret, append a `.data` entry
@ -1233,7 +1252,8 @@ While making use of the [IAM OIDC provider](https://eksctl.io/usage/iamserviceac
 on your EKS cluster, you can create an IAM Role and Service Account with access
 to AWS KMS (using at least `kms:Decrypt` and `kms:DescribeKey`). Once these are
 created, you can annotate the kustomize-controller Service Account with the
-Role ARN, granting the controller permissions to decrypt the Secrets.
+Role ARN, granting the controller permissions to decrypt the Secrets. Please refer
+to the [SOPS guide](https://fluxcd.io/docs/guides/mozilla-sops/#aws) for detailed steps.

 ```sh
 kubectl -n flux-system annotate serviceaccount kustomize-controller \
--- a/internal/sops/awskms/keysource.go
+++ b/internal/sops/awskms/keysource.go
@ -1,3 +1,19 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
 package awskms

 import (
@ -32,16 +48,21 @@ type MasterKey struct {
 	credentials       *credentials.Credentials
 }

+// Creds is a wrapper around credentials.Credentials used for authenticating
+// when using AWS KMS.
 type Creds struct {
 	credentials *credentials.Credentials
 }

+// NewCreds creates new Creds object with the provided credentials.Credentials
 func NewCreds(credentials *credentials.Credentials) *Creds {
 	return &Creds{
 		credentials: credentials,
 	}
 }

+// LoadAwsKmsCredsFromYaml parses the given yaml returns a Creds object, which contains
+// the AWS credentials.
 func LoadAwsKmsCredsFromYaml(b []byte) (*Creds, error) {
 	credInfo := struct {
 		AccessKeyID     string `json:"aws_access_key_id"`
@ -57,6 +78,7 @@ func LoadAwsKmsCredsFromYaml(b []byte) (*Creds, error) {
 	}, nil
 }

+// ApplyToMasterKey configures the credentials the provided key.
 func (c Creds) ApplyToMasterKey(key *MasterKey) {
 	key.credentials = c.credentials
 }
--- a/internal/sops/awskms/keysource_test.go
+++ b/internal/sops/awskms/keysource_test.go
@ -1,3 +1,19 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
 package awskms

 import (
--- a/internal/sops/keyservice/options.go
+++ b/internal/sops/keyservice/options.go
@ -57,6 +57,16 @@ func (o WithAgeIdentities) ApplyToServer(s *Server) {
 	s.ageIdentities = age.ParsedIdentities(o)
 }

+// WithAWSKeys configurs the AWS credentials on the Server
+type WithAWSKeys struct {
+	creds *awskms.Creds
+}
+
+// ApplyToServer applies this configuration to the given Server.
+func (o WithAWSKeys) ApplyToServer(s *Server) {
+	s.awsCreds = o.creds
+}
+
 // WithAzureToken configures the Azure credential token on the Server.
 type WithAzureToken struct {
 	Token *azkv.Token
@ -76,11 +86,3 @@ type WithDefaultServer struct {
 func (o WithDefaultServer) ApplyToServer(s *Server) {
 	s.defaultServer = o.Server
 }
-
-type WithAWSKeys struct {
-	creds *awskms.Creds
-}
-
-func (o WithAWSKeys) ApplyToServer(s *Server) {
-	s.awsCreds = o.creds
-}