# feat(secrets): add Scaleway Secret Manager backend (#152)

Status: Merged
Adds a fourth backend implementation alongside aws / kubernetes /
infisical. Scaleway-region scoping + Project-UUID + IAM API key auth
(read from a Kubernetes Secret holding `access_key` + `secret_key` —
same shape as ESO's Scaleway provider expects).
CRD shape:

```yaml
spec:
  secretBackend:
    scaleway:
      region: fr-par        # required, enum {fr-par, nl-ams, pl-waw}
      projectID: <uuid>     # required
      description: ...      # optional
      tags: { ... }         # optional, k=v map
      authSecretRef:
        name: scaleway-dbuo-creds
```
Wire-format: each Update creates a new Scaleway SecretVersion (1-based
monotonic Revision returned as the version string). Tags are flattened
to "key=value" entries and replaced wholesale on SyncTags. Secret
names containing slashes (e.g. the AWS-style `rds/postgres/<db>`
default) are sanitised to underscores; Scaleway's allowed character
set is `[A-Za-z0-9-_.]`.
Permissions required on the IAM Application:
- SecretManagerReadOnly at Org scope (covers list-by-name)
- SecretManagerSecretAccess at Project scope (covers decrypt)
Tests cover: create-new, restore-on-existing, get round-trip,
not-found errors, update-creates-new-version, delete idempotence,
SyncTags replace-set, name sanitisation, validation in
NewScalewayBackend, and stored-payload JSON shape.
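The wire-format rules described above (slashes rewritten to underscores so names fit Scaleway's `[A-Za-z0-9-_.]` alphabet, tags flattened to sorted `key=value` strings and compared or replaced as a set) as an added, stand-alone Go example. This is not the PR's code: `SanitiseSecretName`, `FlattenTags`, `ParseTags` and `TagsEqual` are this example's own names, and it generalises the documented slash case to any disallowed character, which is an assumption beyond what the PR states.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// allowedName is the alphabet the PR states Scaleway accepts in secret
// names: [A-Za-z0-9-_.]. Used as a defensive post-check after rewriting.
var allowedName = regexp.MustCompile(`^[A-Za-z0-9_.-]+$`)

// SanitiseSecretName maps a logical name such as the AWS-style default
// "rds/postgres/<db>" onto Scaleway's alphabet. The PR documents only the
// slash-to-underscore rewrite; rewriting every other disallowed character
// to '_' as well is this example's assumption.
func SanitiseSecretName(name string) (string, error) {
	if name == "" {
		return "", fmt.Errorf("secret name must not be empty")
	}
	var b strings.Builder
	for _, r := range name {
		switch {
		case r >= 'A' && r <= 'Z', r >= 'a' && r <= 'z', r >= '0' && r <= '9',
			r == '-', r == '_', r == '.':
			b.WriteRune(r)
		default:
			b.WriteRune('_')
		}
	}
	out := b.String()
	if !allowedName.MatchString(out) {
		return "", fmt.Errorf("sanitised name %q still outside allowed set", out)
	}
	return out, nil
}

// FlattenTags turns a k=v map into the []string Scaleway tags carry, as
// "key=value" entries sorted lexically so that two reconciles of the same
// map yield byte-identical tag sets (stable diffs, no spurious UpdateSecret).
func FlattenTags(tags map[string]string) []string {
	out := make([]string, 0, len(tags))
	for k, v := range tags {
		out = append(out, k+"="+v)
	}
	sort.Strings(out)
	return out
}

// ParseTags is the inverse used on read-back: it splits on the first '='
// only, so values that themselves contain '=' survive the round trip.
// Entries without '=' are kept under their own name with an empty value.
func ParseTags(flat []string) map[string]string {
	out := make(map[string]string, len(flat))
	for _, entry := range flat {
		k, v, _ := strings.Cut(entry, "=")
		out[k] = v
	}
	return out
}

// TagsEqual reports whether the desired map already matches what the
// backend holds, the check a SyncTags implementation makes before
// replacing the whole set wholesale.
func TagsEqual(desired map[string]string, current []string) bool {
	want := FlattenTags(desired)
	have := append([]string(nil), current...)
	sort.Strings(have)
	if len(want) != len(have) {
		return false
	}
	for i := range want {
		if want[i] != have[i] {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample input: the AWS-style default name and a small tag map.
	name, _ := SanitiseSecretName("rds/postgres/app-db")
	fmt.Println(name)
	tags := map[string]string{"env": "prod", "app": "dbuo"}
	fmt.Println(FlattenTags(tags))
	fmt.Println(TagsEqual(tags, []string{"env=prod", "app=dbuo"}))
}
```

Sorting the joined strings rather than the keys is enough here: the only property SyncTags needs is determinism, so that an unchanged map never shows up as a diff against what Scaleway returns.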
Author (Member) commented:
Smoke-tested end-to-end on Scaleway staging (Kapsule + managed RDB PostgreSQL 16, fr-par, in-cluster operator pulled
Reconcile log walks through the expected path:
Required IAM perms confirmed (only):
Reads back through the existing ESO Scaleway provider against the same secret without changes — interoperability with
## Summary

Adds a fourth backend implementation alongside `aws`, `kubernetes`, and `infisical` (introduced in #135). Stores generated database credentials in Scaleway Secret Manager scoped to a (Region, Project) pair, authenticated via a Scaleway IAM API key read from a Kubernetes Secret.

Auth-Secret shape (`access_key` + `secret_key`) intentionally mirrors the External Secrets Operator's Scaleway provider so the same IAM key can back both stores when a cluster runs ESO + DBUO.

## CRD shape

A full sample lives at `config/samples/database_v1alpha1_database_scaleway.yaml`.

## Implementation notes

- `Update` creates a new Scaleway `SecretVersion`. The 1-based monotonic `Revision` is returned as the `version` string in `Status.SecretVersion`.
- Scaleway tags are a `[]string`. The map is flattened to `key=value` entries (sorted for stability), and `SyncTags` replaces the full set wholesale via `UpdateSecret`.
- Scaleway allows only `[A-Za-z0-9-_.]` in secret names. The default `rds/<engine>/<db>` name (slashes) is sanitised to `rds_<engine>_<db>` — same approach as the Infisical backend.
- On an already-existing secret, `Create` adds a new version + refreshes tags/description rather than failing.

## Required Scaleway IAM permissions

The supplied API key must hold:

- `SecretManagerReadOnly`
- `SecretManagerSecretAccess`

Org-scope `ReadOnly` covers the `ListSecrets` (lookup-by-name) call we issue on every reconcile; Scaleway's IAM evaluator rejects it at Project scope. Project-scope `SecretAccess` covers the decrypt path used by `Get` / read.

## Tests

`internal/secrets/scaleway_test.go` adds 12 cases via an in-memory `fakeScalewayClient` implementing the `ScalewaySMClient` interface:

- `Create_NewSecret` + `Create_RestoreOnExisting`
- `Get_RoundTrip` + `Get_NotFound`
- `Update_NewVersion` + `Update_NotFound`
- `Delete` (incl. delete-on-missing as no-op) + `SyncTags` + `SyncTags_NotFound`
- `NameSanitisation`
- `NewBackend_Validation` (table-driven: empty region, invalid region, empty projectID, empty auth)
- `StoredPayloadIsDatabaseSecretJSON` (ensures the wire format matches the AWS / K8s / Infisical backends so consumers like ExternalSecrets templates work uniformly)

## New dep footprint

`github.com/scaleway/scaleway-sdk-go` (~5 MB vendored). Used only for `api/secret/v1beta1` + `scw` core; no transitive dependencies beyond what the SDK ships.

Smoke-tested against

Drafted as a regression-test vehicle. Ready for review when you've eyeballed the design.
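The validation the `NewBackend_Validation` table covers (empty region, invalid region, empty projectID, empty auth) together with the `access_key` + `secret_key` auth-Secret shape, as an added Go example that is not the PR's code. `ScalewaySpec`, `ValidateSpec`, `CredentialsFromSecretData`, the strict UUID shape check, the rejection of `=` in tag keys and the redacting `String` method are all this example's own assumptions; the region enum and Secret key names come from the PR text.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// validRegions is the region enum from the CRD description: fr-par, nl-ams, pl-waw.
var validRegions = map[string]bool{"fr-par": true, "nl-ams": true, "pl-waw": true}

// uuidRE accepts the canonical 8-4-4-4-12 hex form. The PR says projectID is
// a UUID; checking its shape this strictly is an assumption of this example.
var uuidRE = regexp.MustCompile(`^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$`)

// ScalewaySpec mirrors spec.secretBackend.scaleway (hypothetical Go shape).
type ScalewaySpec struct {
	Region        string
	ProjectID     string
	Description   string
	Tags          map[string]string
	AuthSecretRef string // name of the Kubernetes Secret holding the IAM key
}

// Credentials is the IAM API key pair read from the auth Secret.
type Credentials struct {
	AccessKey string
	SecretKey string
}

// String redacts the secret key so that logging the struct with %v or %+v
// never leaks it; only a short prefix of the access key is shown.
func (c Credentials) String() string {
	prefix := c.AccessKey
	if len(prefix) > 4 {
		prefix = prefix[:4]
	}
	return fmt.Sprintf("Credentials{AccessKey:%s..., SecretKey:[redacted]}", prefix)
}

// ValidateSpec collects every problem instead of stopping at the first one,
// so a bad CR surfaces all of its mistakes in a single reconcile error.
func ValidateSpec(s ScalewaySpec) error {
	var msgs []string
	switch {
	case s.Region == "":
		msgs = append(msgs, "region is required")
	case !validRegions[s.Region]:
		msgs = append(msgs, fmt.Sprintf("region %q is not one of fr-par, nl-ams, pl-waw", s.Region))
	}
	switch {
	case s.ProjectID == "":
		msgs = append(msgs, "projectID is required")
	case !uuidRE.MatchString(s.ProjectID):
		msgs = append(msgs, fmt.Sprintf("projectID %q is not a UUID", s.ProjectID))
	}
	if s.AuthSecretRef == "" {
		msgs = append(msgs, "authSecretRef.name is required")
	}
	// Tags are flattened to "key=value", so a key containing '=' could not be
	// recovered on read-back; rejecting it here is this example's choice.
	for k := range s.Tags {
		if k == "" || strings.Contains(k, "=") {
			msgs = append(msgs, fmt.Sprintf("tag key %q is empty or contains '='", k))
		}
	}
	if len(msgs) == 0 {
		return nil
	}
	return errors.New(strings.Join(msgs, "; "))
}

// CredentialsFromSecretData pulls access_key/secret_key out of a Secret's
// decoded data map (the shape of corev1.Secret.Data) and refuses partial
// pairs, so a misnamed key fails at reconcile start with a clear message
// rather than as an opaque authentication error from the Scaleway API.
// Surrounding whitespace (a trailing newline from `echo`) is trimmed.
func CredentialsFromSecretData(data map[string][]byte) (Credentials, error) {
	ak, sk := data["access_key"], data["secret_key"]
	var missing []string
	if len(ak) == 0 {
		missing = append(missing, "access_key")
	}
	if len(sk) == 0 {
		missing = append(missing, "secret_key")
	}
	if len(missing) > 0 {
		return Credentials{}, fmt.Errorf("auth secret is missing %s", strings.Join(missing, ", "))
	}
	return Credentials{
		AccessKey: strings.TrimSpace(string(ak)),
		SecretKey: strings.TrimSpace(string(sk)),
	}, nil
}

func main() {
	// Constructed sample spec and Secret data; the values are placeholders.
	spec := ScalewaySpec{Region: "fr-par", ProjectID: "11111111-2222-3333-4444-555555555555",
		AuthSecretRef: "scaleway-dbuo-creds", Tags: map[string]string{"env": "prod"}}
	fmt.Println("valid:", ValidateSpec(spec))
	fmt.Println("invalid:", ValidateSpec(ScalewaySpec{Region: "us-east-1"}))
	creds, err := CredentialsFromSecretData(map[string][]byte{
		"access_key": []byte("SCWEXAMPLEACCESSKEY\n"), "secret_key": []byte("constructed-secret")})
	fmt.Println(creds, err)
}
```

Returning one aggregated error from `ValidateSpec` matches how a table-driven validation test is usually written: each row checks that its specific message is present rather than that it happens to be the first failure.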