stackrox · kovayur · Dec 1, 2025 · Nov 28, 2025 · Nov 28, 2025 · Nov 28, 2025
diff --git a/deploy/charts/emailsender/templates/emailsender-secret.yaml b/deploy/charts/emailsender/templates/emailsender-secret.yaml
@@ -32,21 +32,4 @@ spec:
       remoteRef:
         key: "cluster-{{ .Values.clusterName }}-emailsender-db"
         property: "port"
----
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: emailsender-ext-parameters
-  namespace: {{ .Release.Namespace }}
-spec:
-  secretStoreRef:
-    name: {{ .Values.secretStore.aws.parameterStoreSecretStoreName }}
-    kind: ClusterSecretStore
-  target:
-    name: emailsender-parameters
-    creationPolicy: Owner
-  data:
-    - secretKey: aws-role-arn # pragma: allowlist secret
-      remoteRef:
-        key: "/emailsender/aws_role_arn"
 {{- end }}
diff --git a/deploy/charts/emailsender/templates/emailsender.yaml b/deploy/charts/emailsender/templates/emailsender.yaml
@@ -54,10 +54,7 @@ spec:
             - name: AWS_REGION
               value: {{ .Values.aws.region }}
             - name: AWS_ROLE_ARN
-              valueFrom:
-                secretKeyRef:
-                  name: emailsender-parameters
-                  key: "aws-role-arn"
+              value: {{ .Values.aws.roleArn }}
             - name: AWS_WEB_IDENTITY_TOKEN_FILE
               value: "/var/run/secrets/tokens/aws-token"
           ports:

diff --git a/deploy/charts/emailsender/values.yaml b/deploy/charts/emailsender/values.yaml
@@ -23,6 +23,7 @@ authConfigFromKubernetes: true
 # AWS configuration
 aws:
   region: "us-east-1"
+  roleArn: ""
 # Resource limits and requests
 resources:
   requests:
@@ -36,4 +37,3 @@ createExternalSecrets: true
 secretStore:
   aws:
     secretsManagerSecretStoreName: secrets-manager-secret-store # pragma: allowlist secret
-    parameterStoreSecretStoreName: parameter-store-secret-store # pragma: allowlist secret
diff --git a/dev/env/manifests/emailsender-db/emailsender-db.yaml b/dev/env/manifests/emailsender-db/emailsender-db.yaml
@@ -57,10 +57,3 @@ metadata:
   name: emailsender-db
 stringData:
   db.host: "emailsender-db"
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: emailsender-parameters
-stringData:
-  aws-role-arn: "placeholder"
diff --git a/dev/env/manifests/external-secrets/secretstore/01-clustersecretstore.yaml b/dev/env/manifests/external-secrets/secretstore/01-clustersecretstore.yaml
@@ -18,23 +18,3 @@ spec:
             name: aws-access-keys
             key: secret-access-key
             namespace: rhacs
----
-apiVersion: external-secrets.io/v1beta1
-kind: ClusterSecretStore
-metadata:
-  name: parameter-store-secret-store
-spec:
-  provider:
-    aws:
-      service: ParameterStore
-      region: us-east-1
-      auth:
-        secretRef:
-          accessKeyIDSecretRef:
-            name: aws-access-keys
-            key: access-key-id
-            namespace: rhacs
-          secretAccessKeySecretRef:
-            name: aws-access-keys
-            key: secret-access-key
-            namespace: rhacs
diff --git a/dev/env/values/emailsender/values.yaml b/dev/env/values/emailsender/values.yaml
@@ -10,3 +10,5 @@ db:
 image:
   repo: "quay.io/rhacs-eng/emailsender"
 createExternalSecrets: false
+aws:
+  roleArn: placeholder
diff --git a/docs/development/setup-osd-cluster-idp.md b/docs/development/setup-osd-cluster-idp.md
diff --git a/dp-terraform/osd-cluster-idp-setup.sh b/dp-terraform/osd-cluster-idp-setup.sh
diff --git a/fleetshard/README.md b/fleetshard/README.md
@@ -34,7 +34,7 @@ make fleetshard-sync
 ```
 
 ## External configuration
-To run Fleetshard-sync locally, you may need to download the development configuration from AWS Parameter Store:
+To run Fleetshard-sync locally, you may need to download the development configuration from AWS Secrets Manager:
 ```shell
 export AWS_AUTH_HELPER=aws-saml
 source ./scripts/lib/external_config.sh

diff --git a/scripts/lib/external_config.sh b/scripts/lib/external_config.sh
@@ -60,17 +60,3 @@ auth_init_error() {
 auth_helper_error() {
     die "Error: $1. Please refer to the troubleshooting section in docs/development/secret-management.md for a possible cause."
 }
-
-# Loads config from the external storage to the environment and applying a prefix to a variable name (if exists).
-load_external_config() {
-    local service="$1"
-    local prefix="${2:-}"
-    local parameter_store_output
-    local secrets_manager_output
-    parameter_store_output=$(chamber env "$service" --backend ssm)
-    # chamber fails for secretsmanager backend, but not for ssm (parameter store).
-    # We suppress pipefail error for secretsmanager backend to get similar behaviour.
-    secrets_manager_output=$(chamber env "$service" --backend secretsmanager) || true
-    [[ -z "$parameter_store_output" && -z "$secrets_manager_output" ]] && echo "WARNING: no parameters found under '/$service' of this environment"
-    eval "$(printf '%s\n%s' "$parameter_store_output" "$secrets_manager_output" | sed -E "s/(^export +)(.*)/readonly ${prefix}\2/")"
-}