diff --git a/tests/common-acm-industrial-edge-factory.expected.yaml b/tests/common-acm-industrial-edge-factory.expected.yaml index 561fbd7..39238f9 100644 --- a/tests/common-acm-industrial-edge-factory.expected.yaml +++ b/tests/common-acm-industrial-edge-factory.expected.yaml @@ -42,6 +42,22 @@ subjects: apiGroup: policy.open-cluster-management.io --- # Source: acm/templates/policies/ocp-gitops-policy.yaml +apiVersion: policy.open-cluster-management.io/v1 +kind: PlacementBinding +metadata: + name: openshift-gitops-placement-binding-argocd + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +placementRef: + name: openshift-gitops-placement-argocd + kind: PlacementRule + apiGroup: apps.open-cluster-management.io +subjects: + - name: openshift-gitops-policy-argocd + kind: Policy + apiGroup: policy.open-cluster-management.io +--- +# Source: acm/templates/policies/ocp-gitops-policy.yaml apiVersion: apps.open-cluster-management.io/v1 kind: PlacementRule metadata: @@ -64,6 +80,28 @@ spec: - 'true' --- # Source: acm/templates/policies/ocp-gitops-policy.yaml +apiVersion: apps.open-cluster-management.io/v1 +kind: PlacementRule +metadata: + name: openshift-gitops-placement-argocd + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + clusterConditions: + - status: 'True' + type: ManagedClusterConditionAvailable + clusterSelector: + matchExpressions: + - key: vendor + operator: In + values: + - OpenShift + - key: local-cluster + operator: NotIn + values: + - 'true' +--- +# Source: acm/templates/policies/ocp-gitops-policy.yaml apiVersion: policy.open-cluster-management.io/v1 kind: Policy metadata: @@ -90,15 +128,6 @@ spec: include: - default object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: trusted-ca-bundle - namespace: openshift-gitops - labels: - config.openshift.io/inject-trusted-cabundle: 'true' - complianceType: mustonlyhave objectDefinition: # This is an auto-generated file. DO NOT EDIT @@ -119,3 +148,216 @@ spec: env: - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES value: "*" + - complianceType: mustonlyhave + objectDefinition: + kind: ConfigMap + apiVersion: v1 + metadata: + name: trusted-ca-bundle + namespace: openshift-gitops + labels: + config.openshift.io/inject-trusted-cabundle: 'true' +--- +# Source: acm/templates/policies/ocp-gitops-policy.yaml +# This policy depends on openshift-gitops-policy and the reason is that we need to be +# certain that the trusted-ca-bundle exists before spawning the clusterwide argocd instance +# because the initcontainer references the trusted-ca-bundle and if it starts without the +# configmap being there we risk running an argo instances that won't trust public CAs +apiVersion: policy.open-cluster-management.io/v1 +kind: Policy +metadata: + name: openshift-gitops-policy-argocd + annotations: + policy.open-cluster-management.io/standards: NIST-CSF + policy.open-cluster-management.io/categories: PR.DS Data Security + policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/compare-options: IgnoreExtraneous +spec: + remediationAction: enforce + disabled: false + dependencies: + - apiVersion: policy.open-cluster-management.io/v1 + compliance: Compliant + kind: Policy + name: openshift-gitops-policy + namespace: open-cluster-management + - apiVersion: policy.open-cluster-management.io/v1 + compliance: Compliant + kind: Policy + name: hub-argo-ca-openshift-gitops-policy + namespace: open-cluster-management + policy-templates: + - objectDefinition: + apiVersion: policy.open-cluster-management.io/v1 + kind: ConfigurationPolicy + metadata: + name: openshift-gitops-config-argocd + spec: + remediationAction: enforce + severity: medium + namespaceSelector: + include: + - default + object-templates: + - complianceType: mustonlyhave + objectDefinition: + apiVersion: argoproj.io/v1beta1 + kind: ArgoCD + metadata: + name: openshift-gitops + namespace: openshift-gitops + spec: + applicationSet: + resources: + limits: + cpu: "2" + memory: 1Gi + requests: + cpu: 250m + memory: 512Mi + webhookServer: + ingress: + enabled: false + route: + enabled: false + controller: + processors: {} + resources: + limits: + cpu: "2" + memory: 2Gi + requests: + cpu: 250m + memory: 1Gi + sharding: {} + grafana: + enabled: false + ingress: + enabled: false + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi + route: + enabled: false + ha: + enabled: false + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi + initialSSHKnownHosts: {} + monitoring: + enabled: false + notifications: + enabled: false + prometheus: + enabled: false + ingress: + enabled: false + route: + enabled: false + rbac: + defaultPolicy: "" + policy: |- + g, system:cluster-admins, role:admin + g, cluster-admins, role:admin + scopes: '[groups]' + redis: + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi + repo: + initContainers: + - command: + - bash + - -c + - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt + || true + image: registry.redhat.io/ubi9/ubi-minimal:latest + name: fetch-ca + resources: {} + volumeMounts: + - mountPath: /var/run/kube-root-ca + name: kube-root-ca + - mountPath: /var/run/trusted-ca + name: trusted-ca-bundle + - mountPath: /var/run/trusted-hub + name: trusted-hub-bundle + - mountPath: /tmp/ca-bundles + name: ca-bundles + resources: + limits: + cpu: "1" + memory: 1Gi + requests: + cpu: 250m + memory: 256Mi + volumeMounts: + - mountPath: /etc/pki/tls/certs + name: ca-bundles + volumes: + - configMap: + name: kube-root-ca.crt + name: kube-root-ca + - configMap: + name: trusted-ca-bundle + optional: true + name: trusted-ca-bundle + - configMap: + name: trusted-hub-bundle + optional: true + name: trusted-hub-bundle + - emptyDir: {} + name: ca-bundles + resourceExclusions: |- + - apiGroups: + - tekton.dev + clusters: + - '*' + kinds: + - TaskRun + - PipelineRun + server: + autoscale: + enabled: false + grpc: + ingress: + enabled: false + ingress: + enabled: false + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 125m + memory: 128Mi + route: + enabled: true + service: + type: "" + sso: + dex: + openShiftOAuth: true + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi + provider: dex + tls: + ca: {} diff --git a/tests/common-acm-industrial-edge-hub.expected.yaml b/tests/common-acm-industrial-edge-hub.expected.yaml index 453e8a9..8b18a4d 100644 --- a/tests/common-acm-industrial-edge-hub.expected.yaml +++ b/tests/common-acm-industrial-edge-hub.expected.yaml @@ -38,6 +38,38 @@ subjects: kind: Policy apiGroup: policy.open-cluster-management.io --- +# Source: acm/templates/policies/acm-hub-ca-policy.yaml +apiVersion: policy.open-cluster-management.io/v1 +kind: PlacementBinding +metadata: + name: hub-argo-ca-openshift-gitops-policy-binding + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +placementRef: + name: hub-argo-ca-openshift-gitops-policy-placement + kind: PlacementRule + apiGroup: apps.open-cluster-management.io +subjects: + - name: hub-argo-ca-openshift-gitops-policy + kind: Policy + apiGroup: policy.open-cluster-management.io +--- +# Source: acm/templates/policies/acm-hub-ca-policy.yaml +apiVersion: policy.open-cluster-management.io/v1 +kind: PlacementBinding +metadata: + name: hub-argo-ca-factory-placement-binding + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +placementRef: + name: hub-argo-ca-factory-placement + kind: PlacementRule + apiGroup: apps.open-cluster-management.io +subjects: + - name: hub-argo-ca-factory-policy + kind: Policy + apiGroup: policy.open-cluster-management.io +--- # Source: acm/templates/policies/application-policies.yaml apiVersion: policy.open-cluster-management.io/v1 kind: PlacementBinding @@ -70,6 +102,22 @@ subjects: kind: Policy apiGroup: policy.open-cluster-management.io --- +# Source: acm/templates/policies/ocp-gitops-policy.yaml +apiVersion: policy.open-cluster-management.io/v1 +kind: PlacementBinding +metadata: + name: openshift-gitops-placement-binding-argocd + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +placementRef: + name: openshift-gitops-placement-argocd + kind: PlacementRule + apiGroup: apps.open-cluster-management.io +subjects: + - name: openshift-gitops-policy-argocd + kind: Policy + apiGroup: policy.open-cluster-management.io +--- # Source: acm/templates/policies/acm-hub-ca-policy.yaml apiVersion: apps.open-cluster-management.io/v1 kind: PlacementRule @@ -88,6 +136,42 @@ spec: values: - 'true' --- +# Source: acm/templates/policies/acm-hub-ca-policy.yaml +apiVersion: apps.open-cluster-management.io/v1 +kind: PlacementRule +metadata: + name: hub-argo-ca-openshift-gitops-policy-placement + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + clusterConditions: + - status: 'True' + type: ManagedClusterConditionAvailable + clusterSelector: + matchExpressions: + - key: local-cluster + operator: NotIn + values: + - 'true' +--- +# Source: acm/templates/policies/acm-hub-ca-policy.yaml +apiVersion: apps.open-cluster-management.io/v1 +kind: PlacementRule +metadata: + name: hub-argo-ca-factory-placement + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + clusterConditions: + - status: 'True' + type: ManagedClusterConditionAvailable + clusterSelector: + matchExpressions: + - key: local-cluster + operator: NotIn + values: + - 'true' +--- # Source: acm/templates/policies/application-policies.yaml apiVersion: apps.open-cluster-management.io/v1 kind: PlacementRule @@ -136,6 +220,28 @@ spec: values: - 'true' --- +# Source: acm/templates/policies/ocp-gitops-policy.yaml +apiVersion: apps.open-cluster-management.io/v1 +kind: PlacementRule +metadata: + name: openshift-gitops-placement-argocd + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + clusterConditions: + - status: 'True' + type: ManagedClusterConditionAvailable + clusterSelector: + matchExpressions: + - key: vendor + operator: In + values: + - OpenShift + - key: local-cluster + operator: NotIn + values: + - 'true' +--- # Source: acm/templates/policies/acm-hub-ca-policy.yaml apiVersion: policy.open-cluster-management.io/v1 kind: Policy @@ -167,10 +273,96 @@ spec: type: Opaque metadata: name: hub-ca - namespace: imperative + namespace: golang-external-secrets data: hub-kube-root-ca.crt: '{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | base64enc hub}}' hub-openshift-service-ca.crt: '{{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | base64enc hub}}' + - complianceType: mustonlyhave + objectDefinition: + kind: ConfigMap + apiVersion: v1 + metadata: + name: trusted-hub-bundle + namespace: imperative + data: + hub-kube-root-ca.crt: | + {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}} + hub-openshift-service-ca.crt: | + {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}} +--- +# Source: acm/templates/policies/acm-hub-ca-policy.yaml +apiVersion: policy.open-cluster-management.io/v1 +kind: Policy +metadata: + name: hub-argo-ca-openshift-gitops-policy + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/compare-options: IgnoreExtraneous +spec: + remediationAction: enforce + disabled: false + policy-templates: + - objectDefinition: + apiVersion: policy.open-cluster-management.io/v1 + kind: ConfigurationPolicy + metadata: + name: hub-argo-ca-openshift-gitops-config + spec: + remediationAction: enforce + severity: medium + namespaceSelector: + include: + - default + object-templates: + - complianceType: mustonlyhave + objectDefinition: + kind: ConfigMap + apiVersion: v1 + metadata: + name: trusted-hub-bundle + namespace: openshift-gitops + data: + hub-kube-root-ca.crt: | + {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}} + hub-openshift-service-ca.crt: | + {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}} +--- +# Source: acm/templates/policies/acm-hub-ca-policy.yaml +apiVersion: policy.open-cluster-management.io/v1 +kind: Policy +metadata: + name: hub-argo-ca-factory-policy + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/compare-options: IgnoreExtraneous +spec: + remediationAction: enforce + disabled: false + policy-templates: + - objectDefinition: + apiVersion: policy.open-cluster-management.io/v1 + kind: ConfigurationPolicy + metadata: + name: hub-argo-ca-factory-config + spec: + remediationAction: enforce + severity: medium + namespaceSelector: + include: + - default + object-templates: + - complianceType: mustonlyhave + objectDefinition: + kind: ConfigMap + apiVersion: v1 + metadata: + name: trusted-hub-bundle + namespace: mypattern-factory + data: + hub-kube-root-ca.crt: | + {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}} + hub-openshift-service-ca.crt: | + {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}} --- # Source: acm/templates/policies/application-policies.yaml # TODO: Also create a GitOpsCluster.apps.open-cluster-management.io @@ -214,6 +406,8 @@ spec: path: common/clustergroup helm: ignoreMissingValueFiles: true + values: | + extraParametersNested: valueFiles: - "/values-global.yaml" - "/values-factory.yaml" @@ -244,10 +438,18 @@ spec: value: '{{ (split "." (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain)._1 }}' - name: global.clusterPlatform value: aws - - name: clusterGroup.name - value: factory + - name: global.multiSourceSupport + value: + - name: global.multiSourceRepoUrl + value: + - name: global.multiSourceTargetRevision + value: + - name: global.privateRepo + value: - name: global.experimentalCapabilities value: + - name: clusterGroup.name + value: factory - name: clusterGroup.isHubCluster value: "false" destination: @@ -296,15 +498,6 @@ spec: include: - default object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: trusted-ca-bundle - namespace: openshift-gitops - labels: - config.openshift.io/inject-trusted-cabundle: 'true' - complianceType: mustonlyhave objectDefinition: # This is an auto-generated file. DO NOT EDIT @@ -325,3 +518,216 @@ spec: env: - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES value: "*" + - complianceType: mustonlyhave + objectDefinition: + kind: ConfigMap + apiVersion: v1 + metadata: + name: trusted-ca-bundle + namespace: openshift-gitops + labels: + config.openshift.io/inject-trusted-cabundle: 'true' +--- +# Source: acm/templates/policies/ocp-gitops-policy.yaml +# This policy depends on openshift-gitops-policy and the reason is that we need to be +# certain that the trusted-ca-bundle exists before spawning the clusterwide argocd instance +# because the initcontainer references the trusted-ca-bundle and if it starts without the +# configmap being there we risk running an argo instances that won't trust public CAs +apiVersion: policy.open-cluster-management.io/v1 +kind: Policy +metadata: + name: openshift-gitops-policy-argocd + annotations: + policy.open-cluster-management.io/standards: NIST-CSF + policy.open-cluster-management.io/categories: PR.DS Data Security + policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/compare-options: IgnoreExtraneous +spec: + remediationAction: enforce + disabled: false + dependencies: + - apiVersion: policy.open-cluster-management.io/v1 + compliance: Compliant + kind: Policy + name: openshift-gitops-policy + namespace: open-cluster-management + - apiVersion: policy.open-cluster-management.io/v1 + compliance: Compliant + kind: Policy + name: hub-argo-ca-openshift-gitops-policy + namespace: open-cluster-management + policy-templates: + - objectDefinition: + apiVersion: policy.open-cluster-management.io/v1 + kind: ConfigurationPolicy + metadata: + name: openshift-gitops-config-argocd + spec: + remediationAction: enforce + severity: medium + namespaceSelector: + include: + - default + object-templates: + - complianceType: mustonlyhave + objectDefinition: + apiVersion: argoproj.io/v1beta1 + kind: ArgoCD + metadata: + name: openshift-gitops + namespace: openshift-gitops + spec: + applicationSet: + resources: + limits: + cpu: "2" + memory: 1Gi + requests: + cpu: 250m + memory: 512Mi + webhookServer: + ingress: + enabled: false + route: + enabled: false + controller: + processors: {} + resources: + limits: + cpu: "2" + memory: 2Gi + requests: + cpu: 250m + memory: 1Gi + sharding: {} + grafana: + enabled: false + ingress: + enabled: false + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi + route: + enabled: false + ha: + enabled: false + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi + initialSSHKnownHosts: {} + monitoring: + enabled: false + notifications: + enabled: false + prometheus: + enabled: false + ingress: + enabled: false + route: + enabled: false + rbac: + defaultPolicy: "" + policy: |- + g, system:cluster-admins, role:admin + g, cluster-admins, role:admin + scopes: '[groups]' + redis: + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi + repo: + initContainers: + - command: + - bash + - -c + - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt + || true + image: registry.redhat.io/ubi9/ubi-minimal:latest + name: fetch-ca + resources: {} + volumeMounts: + - mountPath: /var/run/kube-root-ca + name: kube-root-ca + - mountPath: /var/run/trusted-ca + name: trusted-ca-bundle + - mountPath: /var/run/trusted-hub + name: trusted-hub-bundle + - mountPath: /tmp/ca-bundles + name: ca-bundles + resources: + limits: + cpu: "1" + memory: 1Gi + requests: + cpu: 250m + memory: 256Mi + volumeMounts: + - mountPath: /etc/pki/tls/certs + name: ca-bundles + volumes: + - configMap: + name: kube-root-ca.crt + name: kube-root-ca + - configMap: + name: trusted-ca-bundle + optional: true + name: trusted-ca-bundle + - configMap: + name: trusted-hub-bundle + optional: true + name: trusted-hub-bundle + - emptyDir: {} + name: ca-bundles + resourceExclusions: |- + - apiGroups: + - tekton.dev + clusters: + - '*' + kinds: + - TaskRun + - PipelineRun + server: + autoscale: + enabled: false + grpc: + ingress: + enabled: false + ingress: + enabled: false + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 125m + memory: 128Mi + route: + enabled: true + service: + type: "" + sso: + dex: + openShiftOAuth: true + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi + provider: dex + tls: + ca: {} diff --git a/tests/common-acm-medical-diagnosis-hub.expected.yaml b/tests/common-acm-medical-diagnosis-hub.expected.yaml index 8b50de7..dffb9eb 100644 --- a/tests/common-acm-medical-diagnosis-hub.expected.yaml +++ b/tests/common-acm-medical-diagnosis-hub.expected.yaml @@ -38,6 +38,38 @@ subjects: kind: Policy apiGroup: policy.open-cluster-management.io --- +# Source: acm/templates/policies/acm-hub-ca-policy.yaml +apiVersion: policy.open-cluster-management.io/v1 +kind: PlacementBinding +metadata: + name: hub-argo-ca-openshift-gitops-policy-binding + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +placementRef: + name: hub-argo-ca-openshift-gitops-policy-placement + kind: PlacementRule + apiGroup: apps.open-cluster-management.io +subjects: + - name: hub-argo-ca-openshift-gitops-policy + kind: Policy + apiGroup: policy.open-cluster-management.io +--- +# Source: acm/templates/policies/acm-hub-ca-policy.yaml +apiVersion: policy.open-cluster-management.io/v1 +kind: PlacementBinding +metadata: + name: hub-argo-ca-region-one-placement-binding + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +placementRef: + name: hub-argo-ca-region-one-placement + kind: PlacementRule + apiGroup: apps.open-cluster-management.io +subjects: + - name: hub-argo-ca-region-one-policy + kind: Policy + apiGroup: policy.open-cluster-management.io +--- # Source: acm/templates/policies/application-policies.yaml apiVersion: policy.open-cluster-management.io/v1 kind: PlacementBinding @@ -70,6 +102,22 @@ subjects: kind: Policy apiGroup: policy.open-cluster-management.io --- +# Source: acm/templates/policies/ocp-gitops-policy.yaml +apiVersion: policy.open-cluster-management.io/v1 +kind: PlacementBinding +metadata: + name: openshift-gitops-placement-binding-argocd + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +placementRef: + name: openshift-gitops-placement-argocd + kind: PlacementRule + apiGroup: apps.open-cluster-management.io +subjects: + - name: openshift-gitops-policy-argocd + kind: Policy + apiGroup: policy.open-cluster-management.io +--- # Source: acm/templates/policies/acm-hub-ca-policy.yaml apiVersion: apps.open-cluster-management.io/v1 kind: PlacementRule @@ -88,6 +136,42 @@ spec: values: - 'true' --- +# Source: acm/templates/policies/acm-hub-ca-policy.yaml +apiVersion: apps.open-cluster-management.io/v1 +kind: PlacementRule +metadata: + name: hub-argo-ca-openshift-gitops-policy-placement + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + clusterConditions: + - status: 'True' + type: ManagedClusterConditionAvailable + clusterSelector: + matchExpressions: + - key: local-cluster + operator: NotIn + values: + - 'true' +--- +# Source: acm/templates/policies/acm-hub-ca-policy.yaml +apiVersion: apps.open-cluster-management.io/v1 +kind: PlacementRule +metadata: + name: hub-argo-ca-region-one-placement + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + clusterConditions: + - status: 'True' + type: ManagedClusterConditionAvailable + clusterSelector: + matchExpressions: + - key: local-cluster + operator: NotIn + values: + - 'true' +--- # Source: acm/templates/policies/application-policies.yaml apiVersion: apps.open-cluster-management.io/v1 kind: PlacementRule @@ -127,6 +211,28 @@ spec: values: - 'true' --- +# Source: acm/templates/policies/ocp-gitops-policy.yaml +apiVersion: apps.open-cluster-management.io/v1 +kind: PlacementRule +metadata: + name: openshift-gitops-placement-argocd + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + clusterConditions: + - status: 'True' + type: ManagedClusterConditionAvailable + clusterSelector: + matchExpressions: + - key: vendor + operator: In + values: + - OpenShift + - key: local-cluster + operator: NotIn + values: + - 'true' +--- # Source: acm/templates/policies/acm-hub-ca-policy.yaml apiVersion: policy.open-cluster-management.io/v1 kind: Policy @@ -158,10 +264,96 @@ spec: type: Opaque metadata: name: hub-ca - namespace: imperative + namespace: golang-external-secrets data: hub-kube-root-ca.crt: '{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | base64enc hub}}' hub-openshift-service-ca.crt: '{{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | base64enc hub}}' + - complianceType: mustonlyhave + objectDefinition: + kind: ConfigMap + apiVersion: v1 + metadata: + name: trusted-hub-bundle + namespace: imperative + data: + hub-kube-root-ca.crt: | + {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}} + hub-openshift-service-ca.crt: | + {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}} +--- +# Source: acm/templates/policies/acm-hub-ca-policy.yaml +apiVersion: policy.open-cluster-management.io/v1 +kind: Policy +metadata: + name: hub-argo-ca-openshift-gitops-policy + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/compare-options: IgnoreExtraneous +spec: + remediationAction: enforce + disabled: false + policy-templates: + - objectDefinition: + apiVersion: policy.open-cluster-management.io/v1 + kind: ConfigurationPolicy + metadata: + name: hub-argo-ca-openshift-gitops-config + spec: + remediationAction: enforce + severity: medium + namespaceSelector: + include: + - default + object-templates: + - complianceType: mustonlyhave + objectDefinition: + kind: ConfigMap + apiVersion: v1 + metadata: + name: trusted-hub-bundle + namespace: openshift-gitops + data: + hub-kube-root-ca.crt: | + {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}} + hub-openshift-service-ca.crt: | + {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}} +--- +# Source: acm/templates/policies/acm-hub-ca-policy.yaml +apiVersion: policy.open-cluster-management.io/v1 +kind: Policy +metadata: + name: hub-argo-ca-region-one-policy + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/compare-options: IgnoreExtraneous +spec: + remediationAction: enforce + disabled: false + policy-templates: + - objectDefinition: + apiVersion: policy.open-cluster-management.io/v1 + kind: ConfigurationPolicy + metadata: + name: hub-argo-ca-region-one-config + spec: + remediationAction: enforce + severity: medium + namespaceSelector: + include: + - default + object-templates: + - complianceType: mustonlyhave + objectDefinition: + kind: ConfigMap + apiVersion: v1 + metadata: + name: trusted-hub-bundle + namespace: mypattern-region-one + data: + hub-kube-root-ca.crt: | + {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}} + hub-openshift-service-ca.crt: | + {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}} --- # Source: acm/templates/policies/application-policies.yaml # TODO: Also create a GitOpsCluster.apps.open-cluster-management.io @@ -205,6 +397,8 @@ spec: path: common/clustergroup helm: ignoreMissingValueFiles: true + values: | + extraParametersNested: valueFiles: - "/values-global.yaml" - "/values-region-one.yaml" @@ -235,10 +429,18 @@ spec: value: '{{ (split "." (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain)._1 }}' - name: global.clusterPlatform value: aws - - name: clusterGroup.name - value: region-one + - name: global.multiSourceSupport + value: + - name: global.multiSourceRepoUrl + value: + - name: global.multiSourceTargetRevision + value: + - name: global.privateRepo + value: - name: global.experimentalCapabilities value: + - name: clusterGroup.name + value: region-one - name: clusterGroup.isHubCluster value: "false" destination: @@ -287,15 +489,6 @@ spec: include: - default object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: trusted-ca-bundle - namespace: openshift-gitops - labels: - config.openshift.io/inject-trusted-cabundle: 'true' - complianceType: mustonlyhave objectDefinition: # This is an auto-generated file. DO NOT EDIT @@ -316,3 +509,216 @@ spec: env: - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES value: "*" + - complianceType: mustonlyhave + objectDefinition: + kind: ConfigMap + apiVersion: v1 + metadata: + name: trusted-ca-bundle + namespace: openshift-gitops + labels: + config.openshift.io/inject-trusted-cabundle: 'true' +--- +# Source: acm/templates/policies/ocp-gitops-policy.yaml +# This policy depends on openshift-gitops-policy and the reason is that we need to be +# certain that the trusted-ca-bundle exists before spawning the clusterwide argocd instance +# because the initcontainer references the trusted-ca-bundle and if it starts without the +# configmap being there we risk running an argo instances that won't trust public CAs +apiVersion: policy.open-cluster-management.io/v1 +kind: Policy +metadata: + name: openshift-gitops-policy-argocd + annotations: + policy.open-cluster-management.io/standards: NIST-CSF + policy.open-cluster-management.io/categories: PR.DS Data Security + policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/compare-options: IgnoreExtraneous +spec: + remediationAction: enforce + disabled: false + dependencies: + - apiVersion: policy.open-cluster-management.io/v1 + compliance: Compliant + kind: Policy + name: openshift-gitops-policy + namespace: open-cluster-management + - apiVersion: policy.open-cluster-management.io/v1 + compliance: Compliant + kind: Policy + name: hub-argo-ca-openshift-gitops-policy + namespace: open-cluster-management + policy-templates: + - objectDefinition: + apiVersion: policy.open-cluster-management.io/v1 + kind: ConfigurationPolicy + metadata: + name: openshift-gitops-config-argocd + spec: + remediationAction: enforce + severity: medium + namespaceSelector: + include: + - default + object-templates: + - complianceType: mustonlyhave + objectDefinition: + apiVersion: argoproj.io/v1beta1 + kind: ArgoCD + metadata: + name: openshift-gitops + namespace: openshift-gitops + spec: + applicationSet: + resources: + limits: + cpu: "2" + memory: 1Gi + requests: + cpu: 250m + memory: 512Mi + webhookServer: + ingress: + enabled: false + route: + enabled: false + controller: + processors: {} + resources: + limits: + cpu: "2" + memory: 2Gi + requests: + cpu: 250m + memory: 1Gi + sharding: {} + grafana: + enabled: false + ingress: + enabled: false + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi + route: + enabled: false + ha: + enabled: false + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi + initialSSHKnownHosts: {} + monitoring: + enabled: false + notifications: + enabled: false + prometheus: + enabled: false + ingress: + enabled: false + route: + enabled: false + rbac: + defaultPolicy: "" + policy: |- + g, system:cluster-admins, role:admin + g, cluster-admins, role:admin + scopes: '[groups]' + redis: + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi + repo: + initContainers: + - command: + - bash + - -c + - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt + || true + image: registry.redhat.io/ubi9/ubi-minimal:latest + name: fetch-ca + resources: {} + volumeMounts: + - mountPath: /var/run/kube-root-ca + name: kube-root-ca + - mountPath: /var/run/trusted-ca + name: trusted-ca-bundle + - mountPath: /var/run/trusted-hub + name: trusted-hub-bundle + - mountPath: /tmp/ca-bundles + name: ca-bundles + resources: + limits: + cpu: "1" + memory: 1Gi + requests: + cpu: 250m + memory: 256Mi + volumeMounts: + - mountPath: /etc/pki/tls/certs + name: ca-bundles + volumes: + - configMap: + name: kube-root-ca.crt + name: kube-root-ca + - configMap: + name: trusted-ca-bundle + optional: true + name: trusted-ca-bundle + - configMap: + name: trusted-hub-bundle + optional: true + name: trusted-hub-bundle + - emptyDir: {} + name: ca-bundles + resourceExclusions: |- + - apiGroups: + - tekton.dev + clusters: + - '*' + kinds: + - TaskRun + - PipelineRun + server: + autoscale: + enabled: false + grpc: + ingress: + enabled: false + ingress: + enabled: false + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 125m + memory: 128Mi + route: + enabled: true + service: + type: "" + sso: + dex: + openShiftOAuth: true + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi + provider: dex + tls: + ca: {} diff --git a/tests/common-acm-naked.expected.yaml b/tests/common-acm-naked.expected.yaml index 561fbd7..39238f9 100644 --- a/tests/common-acm-naked.expected.yaml +++ b/tests/common-acm-naked.expected.yaml @@ -42,6 +42,22 @@ subjects: apiGroup: policy.open-cluster-management.io --- # Source: acm/templates/policies/ocp-gitops-policy.yaml +apiVersion: policy.open-cluster-management.io/v1 +kind: PlacementBinding +metadata: + name: openshift-gitops-placement-binding-argocd + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +placementRef: + name: openshift-gitops-placement-argocd + kind: PlacementRule + apiGroup: apps.open-cluster-management.io +subjects: + - name: openshift-gitops-policy-argocd + kind: Policy + apiGroup: policy.open-cluster-management.io +--- +# Source: acm/templates/policies/ocp-gitops-policy.yaml apiVersion: apps.open-cluster-management.io/v1 kind: PlacementRule metadata: @@ -64,6 +80,28 @@ spec: - 'true' --- # Source: acm/templates/policies/ocp-gitops-policy.yaml +apiVersion: apps.open-cluster-management.io/v1 +kind: PlacementRule +metadata: + name: openshift-gitops-placement-argocd + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + clusterConditions: + - status: 'True' + type: ManagedClusterConditionAvailable + clusterSelector: + matchExpressions: + - key: vendor + operator: In + values: + - OpenShift + - key: local-cluster + operator: NotIn + values: + - 'true' +--- +# Source: acm/templates/policies/ocp-gitops-policy.yaml apiVersion: policy.open-cluster-management.io/v1 kind: Policy metadata: @@ -90,15 +128,6 @@ spec: include: - default object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: trusted-ca-bundle - namespace: openshift-gitops - labels: - config.openshift.io/inject-trusted-cabundle: 'true' - complianceType: mustonlyhave objectDefinition: # This is an auto-generated file. DO NOT EDIT @@ -119,3 +148,216 @@ spec: env: - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES value: "*" + - complianceType: mustonlyhave + objectDefinition: + kind: ConfigMap + apiVersion: v1 + metadata: + name: trusted-ca-bundle + namespace: openshift-gitops + labels: + config.openshift.io/inject-trusted-cabundle: 'true' +--- +# Source: acm/templates/policies/ocp-gitops-policy.yaml +# This policy depends on openshift-gitops-policy and the reason is that we need to be +# certain that the trusted-ca-bundle exists before spawning the clusterwide argocd instance +# because the initcontainer references the trusted-ca-bundle and if it starts without the +# configmap being there we risk running an argo instances that won't trust public CAs +apiVersion: policy.open-cluster-management.io/v1 +kind: Policy +metadata: + name: openshift-gitops-policy-argocd + annotations: + policy.open-cluster-management.io/standards: NIST-CSF + policy.open-cluster-management.io/categories: PR.DS Data Security + policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/compare-options: IgnoreExtraneous +spec: + remediationAction: enforce + disabled: false + dependencies: + - apiVersion: policy.open-cluster-management.io/v1 + compliance: Compliant + kind: Policy + name: openshift-gitops-policy + namespace: open-cluster-management + - apiVersion: policy.open-cluster-management.io/v1 + compliance: Compliant + kind: Policy + name: hub-argo-ca-openshift-gitops-policy + namespace: open-cluster-management + policy-templates: + - objectDefinition: + apiVersion: policy.open-cluster-management.io/v1 + kind: ConfigurationPolicy + metadata: + name: openshift-gitops-config-argocd + spec: + remediationAction: enforce + severity: medium + namespaceSelector: + include: + - default + object-templates: + - complianceType: mustonlyhave + objectDefinition: + apiVersion: argoproj.io/v1beta1 + kind: ArgoCD + metadata: + name: openshift-gitops + namespace: openshift-gitops + spec: + applicationSet: + resources: + limits: + cpu: "2" + memory: 1Gi + requests: + cpu: 250m + memory: 512Mi + webhookServer: + ingress: + enabled: false + route: + enabled: false + controller: + processors: {} + resources: + limits: + cpu: "2" + memory: 2Gi + requests: + cpu: 250m + memory: 1Gi + sharding: {} + grafana: + enabled: false + ingress: + enabled: false + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi + route: + enabled: false + ha: + enabled: false + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi + initialSSHKnownHosts: {} + monitoring: + enabled: false + notifications: + enabled: false + prometheus: + enabled: false + ingress: + enabled: false + route: + enabled: false + rbac: + defaultPolicy: "" + policy: |- + g, system:cluster-admins, role:admin + g, cluster-admins, role:admin + scopes: '[groups]' + redis: + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi + repo: + initContainers: + - command: + - bash + - -c + - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt + || true + image: registry.redhat.io/ubi9/ubi-minimal:latest + name: fetch-ca + resources: {} + volumeMounts: + - mountPath: /var/run/kube-root-ca + name: kube-root-ca + - mountPath: /var/run/trusted-ca + name: trusted-ca-bundle + - mountPath: /var/run/trusted-hub + name: trusted-hub-bundle + - mountPath: /tmp/ca-bundles + name: ca-bundles + resources: + limits: + cpu: "1" + memory: 1Gi + requests: + cpu: 250m + memory: 256Mi + volumeMounts: + - mountPath: /etc/pki/tls/certs + name: ca-bundles + volumes: + - configMap: + name: kube-root-ca.crt + name: kube-root-ca + - configMap: + name: trusted-ca-bundle + optional: true + name: trusted-ca-bundle + - configMap: + name: trusted-hub-bundle + optional: true + name: trusted-hub-bundle + - emptyDir: {} + name: ca-bundles + resourceExclusions: |- + - apiGroups: + - tekton.dev + clusters: + - '*' + kinds: + - TaskRun + - PipelineRun + server: + autoscale: + enabled: false + grpc: + ingress: + enabled: false + ingress: + enabled: false + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 125m + memory: 128Mi + route: + enabled: true + service: + type: "" + sso: + dex: + openShiftOAuth: true + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi + provider: dex + tls: + ca: {} diff --git a/tests/common-acm-normal.expected.yaml b/tests/common-acm-normal.expected.yaml index 66f1c59..1e2b157 100644 --- a/tests/common-acm-normal.expected.yaml +++ b/tests/common-acm-normal.expected.yaml @@ -1,4 +1,16 @@ --- +# Source: acm/templates/provision/clusterdeployment.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: aws-cd-one-w-pool-acm-provision-edge +--- +# Source: acm/templates/provision/clusterdeployment.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: aws-cd-two-wo-pool-acm-provision-on-deploy +--- # Source: acm/templates/provision/secrets-common.yaml apiVersion: v1 kind: Secret @@ -6,7 +18,7 @@ metadata: name: aws-ap-acm-provision-edge-install-config data: # Base64 encoding of install-config yaml - install-config.yaml: CgphcGlWZXJzaW9uOiB2MQptZXRhZGF0YToKICBuYW1lOiAnYXdzLWFwJyAKYmFzZURvbWFpbjogYmx1ZXByaW50cy5yaGVjb2VuZy5jb20KY29udHJvbFBsYW5lOgogIGFyY2hpdGVjdHVyZTogYW1kNjQKICBoeXBlcnRocmVhZGluZzogRW5hYmxlZAogIG5hbWU6IGNvbnRyb2xQbGFuZQogIHJlcGxpY2FzOiAxCiAgcGxhdGZvcm06CiAgICBhd3M6CiAgICAgIHR5cGU6IG01LnhsYXJnZQpjb21wdXRlOgotIGh5cGVydGhyZWFkaW5nOiBFbmFibGVkCiAgYXJjaGl0ZWN0dXJlOiBhbWQ2NAogIG5hbWU6ICd3b3JrZXInCiAgcmVwbGljYXM6IDAKbmV0d29ya2luZzoKICBjbHVzdGVyTmV0d29yazoKICAtIGNpZHI6IDEwLjEyOC4wLjAvMTQKICAgIGhvc3RQcmVmaXg6IDIzCiAgbWFjaGluZU5ldHdvcms6CiAgLSBjaWRyOiAxMC4wLjAuMC8xNgogIG5ldHdvcmtUeXBlOiBPVk5LdWJlcm5ldGVzCiAgc2VydmljZU5ldHdvcms6CiAgLSAxNzIuMzAuMC4wLzE2CnBsYXRmb3JtOgogIGF3czoKICAgIHJlZ2lvbjogYXAtc291dGhlYXN0LTIKcHVsbFNlY3JldDogIiIgIyBza2lwLCBoaXZlIHdpbGwgaW5qZWN0IGJhc2VkIG9uIGl0J3Mgc2VjcmV0cwpzc2hLZXk6ICIiICAgICAjIHNraXAsIGhpdmUgd2lsbCBpbmplY3QgYmFzZWQgb24gaXQncyBzZWNyZXRz + install-config.yaml: CgphcGlWZXJzaW9uOiB2MQptZXRhZGF0YToKICBuYW1lOiAnYXdzLWFwJyAKYmFzZURvbWFpbjogYmx1ZXByaW50cy5yaGVjb2VuZy5jb20KY29udHJvbFBsYW5lOgogIGFyY2hpdGVjdHVyZTogYW1kNjQKICBoeXBlcnRocmVhZGluZzogRW5hYmxlZAogIG5hbWU6IGNvbnRyb2xQbGFuZQogIHJlcGxpY2FzOiAxCiAgcGxhdGZvcm06CiAgICBhd3M6CiAgICAgIHR5cGU6IG01LnhsYXJnZQpjb21wdXRlOgotIGh5cGVydGhyZWFkaW5nOiBFbmFibGVkCiAgYXJjaGl0ZWN0dXJlOiBhbWQ2NAogIG5hbWU6ICd3b3JrZXInCiAgcmVwbGljYXM6IDAKbmV0d29ya2luZzoKICBjbHVzdGVyTmV0d29yazoKICAtIGNpZHI6IDEwLjEyOC4wLjAvMTQKICAgIGhvc3RQcmVmaXg6IDIzCiAgbWFjaGluZU5ldHdvcms6CiAgLSBjaWRyOiAxMC4wLjAuMC8xNgogIG5ldHdvcmtUeXBlOiBPVk5LdWJlcm5ldGVzCiAgc2VydmljZU5ldHdvcms6CiAgLSAxNzIuMzAuMC4wLzE2CnBsYXRmb3JtOgogIGF3czoKICAgIHJlZ2lvbjogYXAtc291dGhlYXN0LTIKcHVsbFNlY3JldDogIiIgIyBza2lwLCBoaXZlIHdpbGwgaW5qZWN0IGJhc2VkIG9uIGl0J3Mgc2VjcmV0cwpzc2hLZXk6ICIiICAgICAjIHNraXAsIGhpdmUgd2lsbCBpbmplY3QgYmFzZWQgb24gaXQncyBzZWNyZXRz type: Opaque --- # Source: acm/templates/provision/secrets-common.yaml @@ -16,7 +28,29 @@ metadata: name: azure-us-acm-provision-edge-install-config data: # Base64 encoding of install-config yaml - install-config.yaml: CgphcGlWZXJzaW9uOiB2MQptZXRhZGF0YToKICBuYW1lOiAnYXp1cmUtdXMnIApiYXNlRG9tYWluOiBibHVlcHJpbnRzLnJoZWNvZW5nLmNvbQpjb250cm9sUGxhbmU6CiAgYXJjaGl0ZWN0dXJlOiBhbWQ2NAogIGh5cGVydGhyZWFkaW5nOiBFbmFibGVkCiAgbmFtZTogY29udHJvbFBsYW5lCiAgcmVwbGljYXM6IDMKICBwbGF0Zm9ybToKICAgIGF6dXJlOgogICAgICB0eXBlOiBTdGFuZGFyZF9EOHNfdjMKY29tcHV0ZToKLSBoeXBlcnRocmVhZGluZzogRW5hYmxlZAogIGFyY2hpdGVjdHVyZTogYW1kNjQKICBuYW1lOiAnd29ya2VyJwogIHJlcGxpY2FzOiAzCiAgcGxhdGZvcm06CiAgICBhenVyZToKICAgICAgdHlwZTogU3RhbmRhcmRfRDhzX3YzCm5ldHdvcmtpbmc6CiAgY2x1c3Rlck5ldHdvcms6CiAgLSBjaWRyOiAxMC4xMjguMC4wLzE0CiAgICBob3N0UHJlZml4OiAyMwogIG1hY2hpbmVOZXR3b3JrOgogIC0gY2lkcjogMTAuMC4wLjAvMTYKICBuZXR3b3JrVHlwZTogT1ZOS3ViZXJuZXRlcwogIHNlcnZpY2VOZXR3b3JrOgogIC0gMTcyLjMwLjAuMC8xNgpwbGF0Zm9ybToKICBhenVyZToKICAgIGJhc2VEb21haW5SZXNvdXJjZUdyb3VwTmFtZTogZG9qby1kbnMtem9uZXMKICAgIHJlZ2lvbjogZWFzdHVzCnB1bGxTZWNyZXQ6ICIiICMgc2tpcCwgaGl2ZSB3aWxsIGluamVjdCBiYXNlZCBvbiBpdCdzIHNlY3JldHMKc3NoS2V5OiAiIiAgICAgIyBza2lwLCBoaXZlIHdpbGwgaW5qZWN0IGJhc2VkIG9uIGl0J3Mgc2VjcmV0cw== + install-config.yaml: CgphcGlWZXJzaW9uOiB2MQptZXRhZGF0YToKICBuYW1lOiAnYXp1cmUtdXMnIApiYXNlRG9tYWluOiBibHVlcHJpbnRzLnJoZWNvZW5nLmNvbQpjb250cm9sUGxhbmU6CiAgYXJjaGl0ZWN0dXJlOiBhbWQ2NAogIGh5cGVydGhyZWFkaW5nOiBFbmFibGVkCiAgbmFtZTogY29udHJvbFBsYW5lCiAgcmVwbGljYXM6IDMKICBwbGF0Zm9ybToKICAgIGF6dXJlOgogICAgICB0eXBlOiBTdGFuZGFyZF9EOHNfdjMKY29tcHV0ZToKLSBoeXBlcnRocmVhZGluZzogRW5hYmxlZAogIGFyY2hpdGVjdHVyZTogYW1kNjQKICBuYW1lOiAnd29ya2VyJwogIHJlcGxpY2FzOiAzCiAgcGxhdGZvcm06CiAgICBhenVyZToKICAgICAgdHlwZTogU3RhbmRhcmRfRDhzX3YzCm5ldHdvcmtpbmc6CiAgY2x1c3Rlck5ldHdvcms6CiAgLSBjaWRyOiAxMC4xMjguMC4wLzE0CiAgICBob3N0UHJlZml4OiAyMwogIG1hY2hpbmVOZXR3b3JrOgogIC0gY2lkcjogMTAuMC4wLjAvMTYKICBuZXR3b3JrVHlwZTogT1ZOS3ViZXJuZXRlcwogIHNlcnZpY2VOZXR3b3JrOgogIC0gMTcyLjMwLjAuMC8xNgpwbGF0Zm9ybToKICBhenVyZToKICAgIGJhc2VEb21haW5SZXNvdXJjZUdyb3VwTmFtZTogZG9qby1kbnMtem9uZXMKICAgIHJlZ2lvbjogZWFzdHVzCnB1bGxTZWNyZXQ6ICIiICMgc2tpcCwgaGl2ZSB3aWxsIGluamVjdCBiYXNlZCBvbiBpdCdzIHNlY3JldHMKc3NoS2V5OiAiIiAgICAgIyBza2lwLCBoaXZlIHdpbGwgaW5qZWN0IGJhc2VkIG9uIGl0J3Mgc2VjcmV0cw== +type: Opaque +--- +# Source: acm/templates/provision/secrets-common.yaml +apiVersion: v1 +kind: Secret +metadata: + name: aws-cd-one-w-pool-acm-provision-edge-install-config + namespace: aws-cd-one-w-pool-acm-provision-edge +data: + # Base64 encoding of install-config yaml + install-config.yaml: CgphcGlWZXJzaW9uOiB2MQptZXRhZGF0YToKICBuYW1lOiAnYXdzLWNkLW9uZS13LXBvb2wnIApiYXNlRG9tYWluOiBibHVlcHJpbnRzLnJoZWNvZW5nLmNvbQpjb250cm9sUGxhbmU6CiAgYXJjaGl0ZWN0dXJlOiBhbWQ2NAogIGh5cGVydGhyZWFkaW5nOiBFbmFibGVkCiAgbmFtZTogY29udHJvbFBsYW5lCiAgcmVwbGljYXM6IDMKICBwbGF0Zm9ybToKICAgIGF3czoKICAgICAgdHlwZTogbTUueGxhcmdlCmNvbXB1dGU6Ci0gaHlwZXJ0aHJlYWRpbmc6IEVuYWJsZWQKICBhcmNoaXRlY3R1cmU6IGFtZDY0CiAgbmFtZTogJ3dvcmtlcicKICByZXBsaWNhczogMwogIHBsYXRmb3JtOgogICAgYXdzOgogICAgICB0eXBlOiBtNS54bGFyZ2UKbmV0d29ya2luZzoKICBjbHVzdGVyTmV0d29yazoKICAtIGNpZHI6IDEwLjEyOC4wLjAvMTQKICAgIGhvc3RQcmVmaXg6IDIzCiAgbWFjaGluZU5ldHdvcms6CiAgLSBjaWRyOiAxMC4wLjAuMC8xNgogIG5ldHdvcmtUeXBlOiBPVk5LdWJlcm5ldGVzCiAgc2VydmljZU5ldHdvcms6CiAgLSAxNzIuMzAuMC4wLzE2CnBsYXRmb3JtOgogIGF3czoKICAgIHJlZ2lvbjogYXAtc291dGhlYXN0LTEKcHVsbFNlY3JldDogIiIgIyBza2lwLCBoaXZlIHdpbGwgaW5qZWN0IGJhc2VkIG9uIGl0J3Mgc2VjcmV0cwpzc2hLZXk6ICIiICAgICAjIHNraXAsIGhpdmUgd2lsbCBpbmplY3QgYmFzZWQgb24gaXQncyBzZWNyZXRz +type: Opaque +--- +# Source: acm/templates/provision/secrets-common.yaml +apiVersion: v1 +kind: Secret +metadata: + name: aws-cd-two-wo-pool-acm-provision-on-deploy-install-config + namespace: aws-cd-two-wo-pool-acm-provision-on-deploy +data: + # Base64 encoding of install-config yaml + install-config.yaml: CgphcGlWZXJzaW9uOiB2MQptZXRhZGF0YToKICBuYW1lOiAnYXdzLWNkLXR3by13by1wb29sJyAKYmFzZURvbWFpbjogYmx1ZXByaW50cy5yaGVjb2VuZy5jb20KY29udHJvbFBsYW5lOgogIGFyY2hpdGVjdHVyZTogYW1kNjQKICBoeXBlcnRocmVhZGluZzogRW5hYmxlZAogIG5hbWU6IGNvbnRyb2xQbGFuZQogIHJlcGxpY2FzOiAzCiAgcGxhdGZvcm06CiAgICBhd3M6CiAgICAgIHR5cGU6IG01LnhsYXJnZQpjb21wdXRlOgotIGh5cGVydGhyZWFkaW5nOiBFbmFibGVkCiAgYXJjaGl0ZWN0dXJlOiBhbWQ2NAogIG5hbWU6ICd3b3JrZXInCiAgcmVwbGljYXM6IDMKICBwbGF0Zm9ybToKICAgIGF3czoKICAgICAgdHlwZTogbTUueGxhcmdlCm5ldHdvcmtpbmc6CiAgY2x1c3Rlck5ldHdvcms6CiAgLSBjaWRyOiAxMC4xMjguMC4wLzE0CiAgICBob3N0UHJlZml4OiAyMwogIG1hY2hpbmVOZXR3b3JrOgogIC0gY2lkcjogMTAuMC4wLjAvMTYKICBuZXR3b3JrVHlwZTogT1ZOS3ViZXJuZXRlcwogIHNlcnZpY2VOZXR3b3JrOgogIC0gMTcyLjMwLjAuMC8xNgpwbGF0Zm9ybToKICBhd3M6CiAgICByZWdpb246IGFwLXNvdXRoZWFzdC0zCnB1bGxTZWNyZXQ6ICIiICMgc2tpcCwgaGl2ZSB3aWxsIGluamVjdCBiYXNlZCBvbiBpdCdzIHNlY3JldHMKc3NoS2V5OiAiIiAgICAgIyBza2lwLCBoaXZlIHdpbGwgaW5qZWN0IGJhc2VkIG9uIGl0J3Mgc2VjcmV0cw== type: Opaque --- # Source: acm/templates/policies/acm-hub-ca-policy.yaml @@ -61,6 +95,64 @@ metadata: spec: clusterPoolName: azure-us-acm-provision-edge --- +# Source: acm/templates/provision/clusterdeployment.yaml +apiVersion: hive.openshift.io/v1 +kind: ClusterDeployment +metadata: + name: aws-cd-one-w-pool-acm-provision-edge + namespace: aws-cd-one-w-pool-acm-provision-edge + labels: + vendor: OpenShift + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + baseDomain: blueprints.rhecoeng.com + clusterName: aws-cd-one-w-pool-acm-provision-edge + installAttemptsLimit: 1 + platform: + aws: + credentialsSecretRef: + name: aws-cd-one-w-pool-acm-provision-edge-creds + region: ap-southeast-1 + provisioning: + installConfigSecretRef: + name: aws-cd-one-w-pool-acm-provision-edge-install-config + sshPrivateKeySecretRef: + name: aws-cd-one-w-pool-acm-provision-edge-ssh-private-key + imageSetRef: + name: img4.10.18-multi-appsub + pullSecretRef: + name: aws-cd-one-w-pool-acm-provision-edge-pull-secret +--- +# Source: acm/templates/provision/clusterdeployment.yaml +apiVersion: hive.openshift.io/v1 +kind: ClusterDeployment +metadata: + name: aws-cd-two-wo-pool-acm-provision-on-deploy + namespace: aws-cd-two-wo-pool-acm-provision-on-deploy + labels: + vendor: OpenShift + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + baseDomain: blueprints.rhecoeng.com + clusterName: aws-cd-two-wo-pool-acm-provision-on-deploy + installAttemptsLimit: 1 + platform: + aws: + credentialsSecretRef: + name: aws-cd-two-wo-pool-acm-provision-on-deploy-creds + region: ap-southeast-3 + provisioning: + installConfigSecretRef: + name: aws-cd-two-wo-pool-acm-provision-on-deploy-install-config + sshPrivateKeySecretRef: + name: aws-cd-two-wo-pool-acm-provision-on-deploy-ssh-private-key + imageSetRef: + name: img4.10.18-multi-appsub + pullSecretRef: + name: aws-cd-two-wo-pool-acm-provision-on-deploy-pull-secret +--- # Source: acm/templates/provision/clusterpool.yaml apiVersion: hive.openshift.io/v1 kind: ClusterPool @@ -79,7 +171,7 @@ spec: runningCount: 0 baseDomain: blueprints.rhecoeng.com installConfigSecretTemplateRef: - name: aws-ap-acm-provision-edge-install-config + name: aws-ap-acm-provision-edge-install-config imageSetRef: name: img4.10.18-multi-appsub pullSecretRef: @@ -109,7 +201,7 @@ spec: runningCount: 2 baseDomain: blueprints.rhecoeng.com installConfigSecretTemplateRef: - name: azure-us-acm-provision-edge-install-config + name: azure-us-acm-provision-edge-install-config imageSetRef: name: img4.10.18-multi-appsub pullSecretRef: @@ -147,7 +239,7 @@ apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: aws-ap-acm-provision-edge-infra-creds -spec: +spec: data: - secretKey: openshiftPullSecret remoteRef: @@ -170,7 +262,7 @@ spec: key: secret/data/hub/privatekey property: content refreshInterval: 24h0m0s - secretStoreRef: + secretStoreRef: name: vault-backend kind: ClusterSecretStore target: @@ -199,6 +291,166 @@ spec: noProxy: "" additionalTrustBundle: "" --- +# Source: acm/templates/provision/secrets-aws.yaml +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: aws-cd-one-w-pool-acm-provision-edge-creds + namespace: aws-cd-one-w-pool-acm-provision-edge +spec: + dataFrom: + - extract: + # Expects entries called: aws_access_key_id and aws_secret_access_key + key: secret/data/hub/aws + refreshInterval: 24h0m0s + secretStoreRef: + name: vault-backend + kind: ClusterSecretStore + target: + name: aws-cd-one-w-pool-acm-provision-edge-creds + creationPolicy: Owner + template: + type: Opaque +--- +# Source: acm/templates/provision/secrets-aws.yaml +# For use when manually creating clusters with ACM +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: aws-cd-one-w-pool-acm-provision-edge-infra-creds + namespace: aws-cd-one-w-pool-acm-provision-edge +spec: + data: + - secretKey: openshiftPullSecret + remoteRef: + key: secret/data/hub/openshiftPullSecret + property: content + - secretKey: awsKeyId + remoteRef: + key: secret/data/hub/aws + property: aws_access_key_id + - secretKey: awsAccessKey + remoteRef: + key: secret/data/hub/aws + property: aws_secret_access_key + - secretKey: sshPublicKey + remoteRef: + key: secret/data/hub/publickey + property: content + - secretKey: sshPrivateKey + remoteRef: + key: secret/data/hub/privatekey + property: content + refreshInterval: 24h0m0s + secretStoreRef: + name: vault-backend + kind: ClusterSecretStore + target: + name: aws-cd-one-w-pool-acm-provision-edge-infra-creds + creationPolicy: Owner + template: + type: Opaque + metadata: + labels: + cluster.open-cluster-management.io/credentials: "" + cluster.open-cluster-management.io/type: aws + data: + baseDomain: "blueprints.rhecoeng.com" + pullSecret: |- + {{ .openshiftPullSecret | toString }} + aws_access_key_id: |- + {{ .awsKeyId | toString }} + aws_secret_access_key: |- + {{ .awsAccessKey | toString }} + ssh-privatekey: |- + {{ .sshPrivateKey | toString }} + ssh-publickey: |- + {{ .sshPublicKey | toString }} + httpProxy: "" + httpsProxy: "" + noProxy: "" + additionalTrustBundle: "" +--- +# Source: acm/templates/provision/secrets-aws.yaml +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: aws-cd-two-wo-pool-acm-provision-on-deploy-creds + namespace: aws-cd-two-wo-pool-acm-provision-on-deploy +spec: + dataFrom: + - extract: + # Expects entries called: aws_access_key_id and aws_secret_access_key + key: secret/data/hub/aws + refreshInterval: 24h0m0s + secretStoreRef: + name: vault-backend + kind: ClusterSecretStore + target: + name: aws-cd-two-wo-pool-acm-provision-on-deploy-creds + creationPolicy: Owner + template: + type: Opaque +--- +# Source: acm/templates/provision/secrets-aws.yaml +# For use when manually creating clusters with ACM +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: aws-cd-two-wo-pool-acm-provision-on-deploy-infra-creds + namespace: aws-cd-two-wo-pool-acm-provision-on-deploy +spec: + data: + - secretKey: openshiftPullSecret + remoteRef: + key: secret/data/hub/openshiftPullSecret + property: content + - secretKey: awsKeyId + remoteRef: + key: secret/data/hub/aws + property: aws_access_key_id + - secretKey: awsAccessKey + remoteRef: + key: secret/data/hub/aws + property: aws_secret_access_key + - secretKey: sshPublicKey + remoteRef: + key: secret/data/hub/publickey + property: content + - secretKey: sshPrivateKey + remoteRef: + key: secret/data/hub/privatekey + property: content + refreshInterval: 24h0m0s + secretStoreRef: + name: vault-backend + kind: ClusterSecretStore + target: + name: aws-cd-two-wo-pool-acm-provision-on-deploy-infra-creds + creationPolicy: Owner + template: + type: Opaque + metadata: + labels: + cluster.open-cluster-management.io/credentials: "" + cluster.open-cluster-management.io/type: aws + data: + baseDomain: "blueprints.rhecoeng.com" + pullSecret: |- + {{ .openshiftPullSecret | toString }} + aws_access_key_id: |- + {{ .awsKeyId | toString }} + aws_secret_access_key: |- + {{ .awsAccessKey | toString }} + ssh-privatekey: |- + {{ .sshPrivateKey | toString }} + ssh-publickey: |- + {{ .sshPublicKey | toString }} + httpProxy: "" + httpsProxy: "" + noProxy: "" + additionalTrustBundle: "" +--- # Source: acm/templates/provision/secrets-azure.yaml apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret @@ -229,7 +481,7 @@ apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: azure-us-acm-provision-edge-infra-creds -spec: +spec: data: - secretKey: openshiftPullSecret remoteRef: @@ -248,7 +500,7 @@ spec: key: secret/data/hub/azureOsServicePrincipal property: content refreshInterval: 24h0m0s - secretStoreRef: + secretStoreRef: name: vault-backend kind: ClusterSecretStore target: @@ -282,7 +534,7 @@ apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: aws-ap-acm-provision-edge-pull-secret -spec: +spec: data: - secretKey: openshiftPullSecret remoteRef: @@ -330,7 +582,7 @@ apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: azure-us-acm-provision-edge-pull-secret -spec: +spec: data: - secretKey: openshiftPullSecret remoteRef: @@ -373,44 +625,240 @@ spec: ssh-privatekey: |- {{ .sshPrivateKey | toString }} --- -# Source: acm/templates/provision/clusterpool.yaml -apiVersion: cluster.open-cluster-management.io/v1beta1 -kind: ManagedClusterSet +# Source: acm/templates/provision/secrets-common.yaml +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret metadata: - annotations: - cluster.open-cluster-management.io/submariner-broker-ns: acm-provision-edge-broker - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - name: acm-provision-edge + name: aws-cd-one-w-pool-acm-provision-edge-pull-secret + namespace: aws-cd-one-w-pool-acm-provision-edge spec: - clusterSelector: - selectorType: LegacyClusterSetLabel ---- -# Source: acm/templates/multiclusterhub.yaml -apiVersion: operator.open-cluster-management.io/v1 -kind: MultiClusterHub -metadata: - name: multiclusterhub - namespace: open-cluster-management - annotations: - argocd.argoproj.io/sync-wave: "-1" - installer.open-cluster-management.io/mce-subscription-spec: '{"source": "redhat-operators" }' -spec: {} + data: + - secretKey: openshiftPullSecret + remoteRef: + key: secret/data/hub/openshiftPullSecret + property: content + refreshInterval: 24h0m0s + secretStoreRef: + name: vault-backend + kind: ClusterSecretStore + target: + name: aws-cd-one-w-pool-acm-provision-edge-pull-secret + creationPolicy: Owner + template: + type: kubernetes.io/dockerconfigjson + data: + .dockerconfigjson: |- + {{ .openshiftPullSecret | toString }} --- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding +# Source: acm/templates/provision/secrets-common.yaml +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret metadata: - name: acm-hub-ca-policy-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: acm-hub-ca-policy-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: acm-hub-ca-policy - kind: Policy - apiGroup: policy.open-cluster-management.io + name: aws-cd-one-w-pool-acm-provision-edge-ssh-private-key + namespace: aws-cd-one-w-pool-acm-provision-edge +spec: + data: + - secretKey: sshPrivateKey + remoteRef: + key: secret/data/hub/privatekey + property: content + refreshInterval: 24h0m0s + secretStoreRef: + name: vault-backend + kind: ClusterSecretStore + target: + name: aws-cd-one-w-pool-acm-provision-edge-ssh-private-key + creationPolicy: Owner + template: + type: Opaque + data: + ssh-privatekey: |- + {{ .sshPrivateKey | toString }} +--- +# Source: acm/templates/provision/secrets-common.yaml +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: aws-cd-two-wo-pool-acm-provision-on-deploy-pull-secret + namespace: aws-cd-two-wo-pool-acm-provision-on-deploy +spec: + data: + - secretKey: openshiftPullSecret + remoteRef: + key: secret/data/hub/openshiftPullSecret + property: content + refreshInterval: 24h0m0s + secretStoreRef: + name: vault-backend + kind: ClusterSecretStore + target: + name: aws-cd-two-wo-pool-acm-provision-on-deploy-pull-secret + creationPolicy: Owner + template: + type: kubernetes.io/dockerconfigjson + data: + .dockerconfigjson: |- + {{ .openshiftPullSecret | toString }} +--- +# Source: acm/templates/provision/secrets-common.yaml +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: aws-cd-two-wo-pool-acm-provision-on-deploy-ssh-private-key + namespace: aws-cd-two-wo-pool-acm-provision-on-deploy +spec: + data: + - secretKey: sshPrivateKey + remoteRef: + key: secret/data/hub/privatekey + property: content + refreshInterval: 24h0m0s + secretStoreRef: + name: vault-backend + kind: ClusterSecretStore + target: + name: aws-cd-two-wo-pool-acm-provision-on-deploy-ssh-private-key + creationPolicy: Owner + template: + type: Opaque + data: + ssh-privatekey: |- + {{ .sshPrivateKey | toString }} +--- +# Source: acm/templates/provision/clusterdeployment.yaml +apiVersion: cluster.open-cluster-management.io/v1 +kind: ManagedCluster +metadata: + labels: + cluster.open-cluster-management.io/clusterset: acm-provision-edge + clusterGroup: region + name: aws-cd-one-w-pool-acm-provision-edge + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + hubAcceptsClient: true +--- +# Source: acm/templates/provision/clusterdeployment.yaml +apiVersion: cluster.open-cluster-management.io/v1 +kind: ManagedCluster +metadata: + labels: + cluster.open-cluster-management.io/clusterset: acm-provision-on-deploy + clusterGroup: acm-provision-on-deploy + name: aws-cd-two-wo-pool-acm-provision-on-deploy + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + hubAcceptsClient: true +--- +# Source: acm/templates/provision/managedclusterset.yaml +apiVersion: cluster.open-cluster-management.io/v1beta2 +kind: ManagedClusterSet +metadata: + annotations: + cluster.open-cluster-management.io/submariner-broker-ns: acm-provision-edge-broker + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + name: acm-provision-edge +--- +# Source: acm/templates/provision/managedclusterset.yaml +apiVersion: cluster.open-cluster-management.io/v1beta2 +kind: ManagedClusterSet +metadata: + annotations: + cluster.open-cluster-management.io/submariner-broker-ns: acm-provision-on-deploy-broker + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + name: acm-provision-on-deploy +--- +# Source: acm/templates/multiclusterhub.yaml +apiVersion: operator.open-cluster-management.io/v1 +kind: MultiClusterHub +metadata: + name: multiclusterhub + namespace: open-cluster-management + annotations: + argocd.argoproj.io/sync-wave: "-1" + installer.open-cluster-management.io/mce-subscription-spec: '{"source": "redhat-operators" }' +spec: {} +--- +# Source: acm/templates/policies/acm-hub-ca-policy.yaml +apiVersion: policy.open-cluster-management.io/v1 +kind: PlacementBinding +metadata: + name: acm-hub-ca-policy-placement-binding + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +placementRef: + name: acm-hub-ca-policy-placement + kind: PlacementRule + apiGroup: apps.open-cluster-management.io +subjects: + - name: acm-hub-ca-policy + kind: Policy + apiGroup: policy.open-cluster-management.io +--- +# Source: acm/templates/policies/acm-hub-ca-policy.yaml +apiVersion: policy.open-cluster-management.io/v1 +kind: PlacementBinding +metadata: + name: hub-argo-ca-openshift-gitops-policy-binding + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +placementRef: + name: hub-argo-ca-openshift-gitops-policy-placement + kind: PlacementRule + apiGroup: apps.open-cluster-management.io +subjects: + - name: hub-argo-ca-openshift-gitops-policy + kind: Policy + apiGroup: policy.open-cluster-management.io +--- +# Source: acm/templates/policies/acm-hub-ca-policy.yaml +apiVersion: policy.open-cluster-management.io/v1 +kind: PlacementBinding +metadata: + name: hub-argo-ca-acm-edge-placement-binding + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +placementRef: + name: hub-argo-ca-acm-edge-placement + kind: PlacementRule + apiGroup: apps.open-cluster-management.io +subjects: + - name: hub-argo-ca-acm-edge-policy + kind: Policy + apiGroup: policy.open-cluster-management.io +--- +# Source: acm/templates/policies/acm-hub-ca-policy.yaml +apiVersion: policy.open-cluster-management.io/v1 +kind: PlacementBinding +metadata: + name: hub-argo-ca-acm-provision-edge-placement-binding + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +placementRef: + name: hub-argo-ca-acm-provision-edge-placement + kind: PlacementRule + apiGroup: apps.open-cluster-management.io +subjects: + - name: hub-argo-ca-acm-provision-edge-policy + kind: Policy + apiGroup: policy.open-cluster-management.io +--- +# Source: acm/templates/policies/acm-hub-ca-policy.yaml +apiVersion: policy.open-cluster-management.io/v1 +kind: PlacementBinding +metadata: + name: hub-argo-ca-acm-provision-on-deploy-placement-binding + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +placementRef: + name: hub-argo-ca-acm-provision-on-deploy-placement + kind: PlacementRule + apiGroup: apps.open-cluster-management.io +subjects: + - name: hub-argo-ca-acm-provision-on-deploy-policy + kind: Policy + apiGroup: policy.open-cluster-management.io --- # Source: acm/templates/policies/application-policies.yaml apiVersion: policy.open-cluster-management.io/v1 @@ -444,6 +892,22 @@ subjects: kind: Policy apiGroup: policy.open-cluster-management.io --- +# Source: acm/templates/policies/application-policies.yaml +apiVersion: policy.open-cluster-management.io/v1 +kind: PlacementBinding +metadata: + name: acm-provision-on-deploy-placement-binding + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +placementRef: + name: acm-provision-on-deploy-placement + kind: PlacementRule + apiGroup: apps.open-cluster-management.io +subjects: + - name: acm-provision-on-deploy-clustergroup-policy + kind: Policy + apiGroup: policy.open-cluster-management.io +--- # Source: acm/templates/policies/ocp-gitops-policy.yaml apiVersion: policy.open-cluster-management.io/v1 kind: PlacementBinding @@ -460,6 +924,22 @@ subjects: kind: Policy apiGroup: policy.open-cluster-management.io --- +# Source: acm/templates/policies/ocp-gitops-policy.yaml +apiVersion: policy.open-cluster-management.io/v1 +kind: PlacementBinding +metadata: + name: openshift-gitops-placement-binding-argocd + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +placementRef: + name: openshift-gitops-placement-argocd + kind: PlacementRule + apiGroup: apps.open-cluster-management.io +subjects: + - name: openshift-gitops-policy-argocd + kind: Policy + apiGroup: policy.open-cluster-management.io +--- # Source: acm/templates/policies/acm-hub-ca-policy.yaml apiVersion: apps.open-cluster-management.io/v1 kind: PlacementRule @@ -478,6 +958,78 @@ spec: values: - 'true' --- +# Source: acm/templates/policies/acm-hub-ca-policy.yaml +apiVersion: apps.open-cluster-management.io/v1 +kind: PlacementRule +metadata: + name: hub-argo-ca-openshift-gitops-policy-placement + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + clusterConditions: + - status: 'True' + type: ManagedClusterConditionAvailable + clusterSelector: + matchExpressions: + - key: local-cluster + operator: NotIn + values: + - 'true' +--- +# Source: acm/templates/policies/acm-hub-ca-policy.yaml +apiVersion: apps.open-cluster-management.io/v1 +kind: PlacementRule +metadata: + name: hub-argo-ca-acm-edge-placement + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + clusterConditions: + - status: 'True' + type: ManagedClusterConditionAvailable + clusterSelector: + matchExpressions: + - key: local-cluster + operator: NotIn + values: + - 'true' +--- +# Source: acm/templates/policies/acm-hub-ca-policy.yaml +apiVersion: apps.open-cluster-management.io/v1 +kind: PlacementRule +metadata: + name: hub-argo-ca-acm-provision-edge-placement + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + clusterConditions: + - status: 'True' + type: ManagedClusterConditionAvailable + clusterSelector: + matchExpressions: + - key: local-cluster + operator: NotIn + values: + - 'true' +--- +# Source: acm/templates/policies/acm-hub-ca-policy.yaml +apiVersion: apps.open-cluster-management.io/v1 +kind: PlacementRule +metadata: + name: hub-argo-ca-acm-provision-on-deploy-placement + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + clusterConditions: + - status: 'True' + type: ManagedClusterConditionAvailable + clusterSelector: + matchExpressions: + - key: local-cluster + operator: NotIn + values: + - 'true' +--- # Source: acm/templates/policies/application-policies.yaml apiVersion: apps.open-cluster-management.io/v1 kind: PlacementRule @@ -493,48 +1045,244 @@ spec: matchLabels: clusterGroup: acm-region --- -# Source: acm/templates/policies/application-policies.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule +# Source: acm/templates/policies/application-policies.yaml +apiVersion: apps.open-cluster-management.io/v1 +kind: PlacementRule +metadata: + name: acm-provision-edge-placement + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + clusterConditions: + - status: 'True' + type: ManagedClusterConditionAvailable + clusterSelector: + matchLabels: + clusterGroup: region +--- +# Source: acm/templates/policies/application-policies.yaml +apiVersion: apps.open-cluster-management.io/v1 +kind: PlacementRule +metadata: + name: acm-provision-on-deploy-placement + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + clusterConditions: + - status: 'True' + type: ManagedClusterConditionAvailable + clusterSelector: + matchLabels: + clusterGroup: acm-provision-on-deploy +--- +# Source: acm/templates/policies/ocp-gitops-policy.yaml +apiVersion: apps.open-cluster-management.io/v1 +kind: PlacementRule +metadata: + name: openshift-gitops-placement + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + clusterConditions: + - status: 'True' + type: ManagedClusterConditionAvailable + clusterSelector: + matchExpressions: + - key: vendor + operator: In + values: + - OpenShift + - key: local-cluster + operator: NotIn + values: + - 'true' +--- +# Source: acm/templates/policies/ocp-gitops-policy.yaml +apiVersion: apps.open-cluster-management.io/v1 +kind: PlacementRule +metadata: + name: openshift-gitops-placement-argocd + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + clusterConditions: + - status: 'True' + type: ManagedClusterConditionAvailable + clusterSelector: + matchExpressions: + - key: vendor + operator: In + values: + - OpenShift + - key: local-cluster + operator: NotIn + values: + - 'true' +--- +# Source: acm/templates/policies/acm-hub-ca-policy.yaml +apiVersion: policy.open-cluster-management.io/v1 +kind: Policy +metadata: + name: acm-hub-ca-policy + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/compare-options: IgnoreExtraneous +spec: + remediationAction: enforce + disabled: false + policy-templates: + - objectDefinition: + apiVersion: policy.open-cluster-management.io/v1 + kind: ConfigurationPolicy + metadata: + name: acm-hub-ca-config-policy + spec: + remediationAction: enforce + severity: medium + namespaceSelector: + include: + - default + object-templates: + - complianceType: mustonlyhave + objectDefinition: + kind: Secret + apiVersion: v1 + type: Opaque + metadata: + name: hub-ca + namespace: golang-external-secrets + data: + hub-kube-root-ca.crt: '{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | base64enc hub}}' + hub-openshift-service-ca.crt: '{{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | base64enc hub}}' + - complianceType: mustonlyhave + objectDefinition: + kind: ConfigMap + apiVersion: v1 + metadata: + name: trusted-hub-bundle + namespace: imperative + data: + hub-kube-root-ca.crt: | + {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}} + hub-openshift-service-ca.crt: | + {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}} +--- +# Source: acm/templates/policies/acm-hub-ca-policy.yaml +apiVersion: policy.open-cluster-management.io/v1 +kind: Policy +metadata: + name: hub-argo-ca-openshift-gitops-policy + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/compare-options: IgnoreExtraneous +spec: + remediationAction: enforce + disabled: false + policy-templates: + - objectDefinition: + apiVersion: policy.open-cluster-management.io/v1 + kind: ConfigurationPolicy + metadata: + name: hub-argo-ca-openshift-gitops-config + spec: + remediationAction: enforce + severity: medium + namespaceSelector: + include: + - default + object-templates: + - complianceType: mustonlyhave + objectDefinition: + kind: ConfigMap + apiVersion: v1 + metadata: + name: trusted-hub-bundle + namespace: openshift-gitops + data: + hub-kube-root-ca.crt: | + {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}} + hub-openshift-service-ca.crt: | + {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}} +--- +# Source: acm/templates/policies/acm-hub-ca-policy.yaml +apiVersion: policy.open-cluster-management.io/v1 +kind: Policy metadata: - name: acm-provision-edge-placement + name: hub-argo-ca-acm-edge-policy annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/compare-options: IgnoreExtraneous spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchLabels: - clusterGroup: region + remediationAction: enforce + disabled: false + policy-templates: + - objectDefinition: + apiVersion: policy.open-cluster-management.io/v1 + kind: ConfigurationPolicy + metadata: + name: hub-argo-ca-acm-edge-config + spec: + remediationAction: enforce + severity: medium + namespaceSelector: + include: + - default + object-templates: + - complianceType: mustonlyhave + objectDefinition: + kind: ConfigMap + apiVersion: v1 + metadata: + name: trusted-hub-bundle + namespace: mypattern-acm-edge + data: + hub-kube-root-ca.crt: | + {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}} + hub-openshift-service-ca.crt: | + {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}} --- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule +# Source: acm/templates/policies/acm-hub-ca-policy.yaml +apiVersion: policy.open-cluster-management.io/v1 +kind: Policy metadata: - name: openshift-gitops-placement + name: hub-argo-ca-acm-provision-edge-policy annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/compare-options: IgnoreExtraneous spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: vendor - operator: In - values: - - OpenShift - - key: local-cluster - operator: NotIn - values: - - 'true' + remediationAction: enforce + disabled: false + policy-templates: + - objectDefinition: + apiVersion: policy.open-cluster-management.io/v1 + kind: ConfigurationPolicy + metadata: + name: hub-argo-ca-acm-provision-edge-config + spec: + remediationAction: enforce + severity: medium + namespaceSelector: + include: + - default + object-templates: + - complianceType: mustonlyhave + objectDefinition: + kind: ConfigMap + apiVersion: v1 + metadata: + name: trusted-hub-bundle + namespace: mypattern-acm-provision-edge + data: + hub-kube-root-ca.crt: | + {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}} + hub-openshift-service-ca.crt: | + {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}} --- # Source: acm/templates/policies/acm-hub-ca-policy.yaml apiVersion: policy.open-cluster-management.io/v1 kind: Policy metadata: - name: acm-hub-ca-policy + name: hub-argo-ca-acm-provision-on-deploy-policy annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true argocd.argoproj.io/compare-options: IgnoreExtraneous @@ -546,7 +1294,7 @@ spec: apiVersion: policy.open-cluster-management.io/v1 kind: ConfigurationPolicy metadata: - name: acm-hub-ca-config-policy + name: hub-argo-ca-acm-provision-on-deploy-config spec: remediationAction: enforce severity: medium @@ -556,15 +1304,16 @@ spec: object-templates: - complianceType: mustonlyhave objectDefinition: - kind: Secret + kind: ConfigMap apiVersion: v1 - type: Opaque metadata: - name: hub-ca - namespace: imperative + name: trusted-hub-bundle + namespace: mypattern-acm-provision-on-deploy data: - hub-kube-root-ca.crt: '{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | base64enc hub}}' - hub-openshift-service-ca.crt: '{{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | base64enc hub}}' + hub-kube-root-ca.crt: | + {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}} + hub-openshift-service-ca.crt: | + {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}} --- # Source: acm/templates/policies/application-policies.yaml # TODO: Also create a GitOpsCluster.apps.open-cluster-management.io @@ -608,6 +1357,8 @@ spec: path: common/clustergroup helm: ignoreMissingValueFiles: true + values: | + extraParametersNested: valueFiles: - "/values-global.yaml" - "/values-acm-edge.yaml" @@ -638,10 +1389,18 @@ spec: value: '{{ (split "." (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain)._1 }}' - name: global.clusterPlatform value: aws - - name: clusterGroup.name - value: acm-edge + - name: global.multiSourceSupport + value: + - name: global.multiSourceRepoUrl + value: + - name: global.multiSourceTargetRevision + value: + - name: global.privateRepo + value: - name: global.experimentalCapabilities value: + - name: clusterGroup.name + value: acm-edge - name: clusterGroup.isHubCluster value: "false" destination: @@ -704,6 +1463,8 @@ spec: path: common/clustergroup helm: ignoreMissingValueFiles: true + values: | + extraParametersNested: valueFiles: - "/values-global.yaml" - "/values-acm-provision-edge.yaml" @@ -734,10 +1495,18 @@ spec: value: '{{ (split "." (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain)._1 }}' - name: global.clusterPlatform value: aws - - name: clusterGroup.name - value: acm-provision-edge + - name: global.multiSourceSupport + value: + - name: global.multiSourceRepoUrl + value: + - name: global.multiSourceTargetRevision + value: + - name: global.privateRepo + value: - name: global.experimentalCapabilities value: + - name: clusterGroup.name + value: acm-provision-edge - name: clusterGroup.isHubCluster value: "false" destination: @@ -759,6 +1528,110 @@ spec: jsonPointers: - /status --- +# Source: acm/templates/policies/application-policies.yaml +apiVersion: policy.open-cluster-management.io/v1 +kind: Policy +metadata: + name: acm-provision-on-deploy-clustergroup-policy + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/compare-options: IgnoreExtraneous +spec: + remediationAction: enforce + disabled: false + policy-templates: + - objectDefinition: + apiVersion: policy.open-cluster-management.io/v1 + kind: ConfigurationPolicy + metadata: + name: acm-provision-on-deploy-clustergroup-config + spec: + remediationAction: enforce + severity: medium + namespaceSelector: + include: + - default + object-templates: + - complianceType: mustonlyhave + objectDefinition: + apiVersion: argoproj.io/v1alpha1 + kind: Application + metadata: + name: mypattern-acm-provision-on-deploy + namespace: openshift-gitops + finalizers: + - resources-finalizer.argocd.argoproj.io/foreground + spec: + project: default + source: + repoURL: https://github.com/pattern-clone/mypattern + targetRevision: main + path: common/clustergroup + helm: + ignoreMissingValueFiles: true + values: | + extraParametersNested: + valueFiles: + - "/values-global.yaml" + - "/values-acm-provision-on-deploy.yaml" + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-provision-on-deploy.yaml' + # We cannot use $.Values.global.clusterVersion because that gets resolved to the + # hub's cluster version, whereas we want to include the spoke cluster version + - '/values-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' + parameters: + - name: global.repoURL + value: https://github.com/pattern-clone/mypattern + - name: global.targetRevision + value: main + - name: global.namespace + value: $ARGOCD_APP_NAMESPACE + - name: global.pattern + value: mypattern + - name: global.hubClusterDomain + value: apps.hub.example.com + - name: global.localClusterDomain + value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}' + - name: global.clusterDomain + value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}' + - name: global.clusterVersion + value: '{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}' + - name: global.localClusterName + value: '{{ (split "." (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain)._1 }}' + - name: global.clusterPlatform + value: aws + - name: global.multiSourceSupport + value: + - name: global.multiSourceRepoUrl + value: + - name: global.multiSourceTargetRevision + value: + - name: global.privateRepo + value: + - name: global.experimentalCapabilities + value: + - name: clusterGroup.name + value: acm-provision-on-deploy + destination: + server: https://kubernetes.default.svc + namespace: mypattern-acm-provision-on-deploy + syncPolicy: + automated: + prune: false + selfHeal: true + retry: + limit: 20 + ignoreDifferences: + - group: apps + kind: Deployment + jsonPointers: + - /spec/replicas + - group: route.openshift.io + kind: Route + jsonPointers: + - /status +--- # Source: acm/templates/policies/ocp-gitops-policy.yaml apiVersion: policy.open-cluster-management.io/v1 kind: Policy @@ -786,15 +1659,6 @@ spec: include: - default object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: trusted-ca-bundle - namespace: openshift-gitops - labels: - config.openshift.io/inject-trusted-cabundle: 'true' - complianceType: mustonlyhave objectDefinition: # This is an auto-generated file. DO NOT EDIT @@ -815,3 +1679,216 @@ spec: env: - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES value: "*" + - complianceType: mustonlyhave + objectDefinition: + kind: ConfigMap + apiVersion: v1 + metadata: + name: trusted-ca-bundle + namespace: openshift-gitops + labels: + config.openshift.io/inject-trusted-cabundle: 'true' +--- +# Source: acm/templates/policies/ocp-gitops-policy.yaml +# This policy depends on openshift-gitops-policy and the reason is that we need to be +# certain that the trusted-ca-bundle exists before spawning the clusterwide argocd instance +# because the initcontainer references the trusted-ca-bundle and if it starts without the +# configmap being there we risk running an argo instances that won't trust public CAs +apiVersion: policy.open-cluster-management.io/v1 +kind: Policy +metadata: + name: openshift-gitops-policy-argocd + annotations: + policy.open-cluster-management.io/standards: NIST-CSF + policy.open-cluster-management.io/categories: PR.DS Data Security + policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/compare-options: IgnoreExtraneous +spec: + remediationAction: enforce + disabled: false + dependencies: + - apiVersion: policy.open-cluster-management.io/v1 + compliance: Compliant + kind: Policy + name: openshift-gitops-policy + namespace: open-cluster-management + - apiVersion: policy.open-cluster-management.io/v1 + compliance: Compliant + kind: Policy + name: hub-argo-ca-openshift-gitops-policy + namespace: open-cluster-management + policy-templates: + - objectDefinition: + apiVersion: policy.open-cluster-management.io/v1 + kind: ConfigurationPolicy + metadata: + name: openshift-gitops-config-argocd + spec: + remediationAction: enforce + severity: medium + namespaceSelector: + include: + - default + object-templates: + - complianceType: mustonlyhave + objectDefinition: + apiVersion: argoproj.io/v1beta1 + kind: ArgoCD + metadata: + name: openshift-gitops + namespace: openshift-gitops + spec: + applicationSet: + resources: + limits: + cpu: "2" + memory: 1Gi + requests: + cpu: 250m + memory: 512Mi + webhookServer: + ingress: + enabled: false + route: + enabled: false + controller: + processors: {} + resources: + limits: + cpu: "2" + memory: 2Gi + requests: + cpu: 250m + memory: 1Gi + sharding: {} + grafana: + enabled: false + ingress: + enabled: false + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi + route: + enabled: false + ha: + enabled: false + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi + initialSSHKnownHosts: {} + monitoring: + enabled: false + notifications: + enabled: false + prometheus: + enabled: false + ingress: + enabled: false + route: + enabled: false + rbac: + defaultPolicy: "" + policy: |- + g, system:cluster-admins, role:admin + g, cluster-admins, role:admin + scopes: '[groups]' + redis: + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi + repo: + initContainers: + - command: + - bash + - -c + - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt + || true + image: registry.redhat.io/ubi9/ubi-minimal:latest + name: fetch-ca + resources: {} + volumeMounts: + - mountPath: /var/run/kube-root-ca + name: kube-root-ca + - mountPath: /var/run/trusted-ca + name: trusted-ca-bundle + - mountPath: /var/run/trusted-hub + name: trusted-hub-bundle + - mountPath: /tmp/ca-bundles + name: ca-bundles + resources: + limits: + cpu: "1" + memory: 1Gi + requests: + cpu: 250m + memory: 256Mi + volumeMounts: + - mountPath: /etc/pki/tls/certs + name: ca-bundles + volumes: + - configMap: + name: kube-root-ca.crt + name: kube-root-ca + - configMap: + name: trusted-ca-bundle + optional: true + name: trusted-ca-bundle + - configMap: + name: trusted-hub-bundle + optional: true + name: trusted-hub-bundle + - emptyDir: {} + name: ca-bundles + resourceExclusions: |- + - apiGroups: + - tekton.dev + clusters: + - '*' + kinds: + - TaskRun + - PipelineRun + server: + autoscale: + enabled: false + grpc: + ingress: + enabled: false + ingress: + enabled: false + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 125m + memory: 128Mi + route: + enabled: true + service: + type: "" + sso: + dex: + openShiftOAuth: true + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi + provider: dex + tls: + ca: {} diff --git a/tests/common-clustergroup-industrial-edge-factory.expected.yaml b/tests/common-clustergroup-industrial-edge-factory.expected.yaml index 6c86971..9400ce6 100644 --- a/tests/common-clustergroup-industrial-edge-factory.expected.yaml +++ b/tests/common-clustergroup-industrial-edge-factory.expected.yaml @@ -64,6 +64,13 @@ metadata: name: imperative-sa namespace: imperative --- +# Source: clustergroup/templates/imperative/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: imperative-admin-sa + namespace: imperative +--- # Source: clustergroup/templates/imperative/configmap.yaml apiVersion: v1 kind: ConfigMap @@ -114,8 +121,38 @@ data: --set clusterGroup.name=factory --post-renderer ./kustomize"] initContainers: [] + resourceExclusions: | + - apiGroups: + - tekton.dev + kinds: + - TaskRun + - PipelineRun + resourceHealthChecks: + - check: | + hs = {} + if obj.status ~= nil then + if obj.status.phase ~= nil then + if obj.status.phase == "Pending" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + elseif obj.status.phase == "Bound" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + end + end + end + hs.status = "Progressing" + hs.message = "Waiting for PVC" + return hs + kind: PersistentVolumeClaim + resourceTrackingMethod: label imperative: activeDeadlineSeconds: 3600 + adminClusterRoleName: imperative-admin-cluster-role + adminServiceAccountCreate: true + adminServiceAccountName: imperative-admin-sa clusterRoleName: imperative-cluster-role clusterRoleYaml: "" cronJobName: imperative-cronjob @@ -142,6 +179,7 @@ data: - manuela-stormshift-machine-sensor - manuela-stormshift-messaging - manuela-factory-ml-workspace + nodes: [] operatorgroupExcludes: - manuela-factory-ml-workspace projects: @@ -259,11 +297,24 @@ rules: - list - watch --- +# Source: clustergroup/templates/imperative/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: imperative-admin-cluster-role +rules: + - apiGroups: + - '*' + resources: + - '*' + verbs: + - '*' +--- # Source: clustergroup/templates/imperative/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: imperative-cluster-admin-rolebinding + name: imperative-cluster-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -273,12 +324,30 @@ subjects: name: imperative-sa namespace: imperative --- +# Source: clustergroup/templates/imperative/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: imperative-admin-clusterrolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: imperative-admin-cluster-role +subjects: + - kind: ServiceAccount + name: imperative-admin-sa + namespace: imperative +--- # Source: clustergroup/templates/plumbing/argocd-super-role.yaml # WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: openshift-gitops-cluster-admin-rolebinding + # We need to have this before anything else or the sync might get stuck forever + # due to permission issues + annotations: + argocd.argoproj.io/sync-wave: "-100" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -298,6 +367,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: mypattern-factory-cluster-admin-rolebinding + # We need to have this before anything else or the sync might get stuck forever + # due to permission issues + annotations: + argocd.argoproj.io/sync-wave: "-100" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -335,7 +408,7 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: imperative-admin-rolebinding + name: imperative-rolebinding namespace: imperative roleRef: apiGroup: rbac.authorization.k8s.io @@ -367,6 +440,27 @@ spec: initContainers: # git init happens in /git/repo so that we can set the folder to 0770 permissions # reason for that is ansible refuses to create temporary folders in there + - name: fetch-ca + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest + imagePullPolicy: Always + env: + - name: HOME + value: /git/home + command: + - 'sh' + - '-c' + - >- + cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true; + ls -l /tmp/ca-bundles/ + volumeMounts: + - mountPath: /var/run/kube-root-ca + name: kube-root-ca + - mountPath: /var/run/trusted-ca + name: trusted-ca-bundle + - mountPath: /var/run/trusted-hub + name: trusted-hub-bundle + - mountPath: /tmp/ca-bundles + name: ca-bundles - name: git-init image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always @@ -376,6 +470,8 @@ spec: volumeMounts: - name: git mountPath: "/git" + - name: ca-bundles + mountPath: /etc/pki/tls/certs command: - 'sh' - '-c' @@ -402,8 +498,9 @@ spec: if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; + if [ "main" = "HEAD" ]; then BRANCH=""; else BRANCH="--branch main"; fi; mkdir /git/{repo,home}; - git clone --recurse-submodules --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + git clone --recurse-submodules --single-branch ${BRANCH} --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; - name: test image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest @@ -427,6 +524,14 @@ spec: - name: values-volume mountPath: /values/values.yaml subPath: values.yaml + - mountPath: /var/run/kube-root-ca + name: kube-root-ca + - mountPath: /var/run/trusted-ca + name: trusted-ca-bundle + - mountPath: /var/run/trusted-hub + name: trusted-hub-bundle + - mountPath: /tmp/ca-bundles + name: ca-bundles containers: - name: "done" image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest @@ -443,6 +548,19 @@ spec: - name: values-volume configMap: name: helm-values-configmap-factory + - configMap: + name: kube-root-ca.crt + name: kube-root-ca + - configMap: + name: trusted-ca-bundle + optional: true + name: trusted-ca-bundle + - configMap: + name: trusted-hub-bundle + optional: true + name: trusted-hub-bundle + - name: ca-bundles + emptyDir: {} restartPolicy: Never --- # Source: clustergroup/templates/core/subscriptions.yaml @@ -517,6 +635,8 @@ spec: path: charts/datacenter/opendatahub helm: ignoreMissingValueFiles: true + values: | + extraParametersNested: valueFiles: - "/values-global.yaml" - "/values-factory.yaml" @@ -526,9 +646,9 @@ spec: - "/values-4.12-factory.yaml" parameters: - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL + value: https://github.com/pattern-clone/mypattern - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION + value: main - name: global.namespace value: $ARGOCD_APP_NAMESPACE - name: global.pattern @@ -541,6 +661,12 @@ spec: value: "aws" - name: global.hubClusterDomain value: apps.hub.example.com + - name: global.multiSourceSupport + value: + - name: global.multiSourceRepoUrl + value: + - name: global.multiSourceTargetRevision + value: - name: global.localClusterDomain value: apps.region.example.com - name: global.privateRepo @@ -588,6 +714,7 @@ spec: hs.message = "Waiting for PVC" return hs + resourceTrackingMethod: label applicationInstanceLabelKey: argocd.argoproj.io/instance applicationSet: resources: @@ -621,6 +748,47 @@ spec: rbac: defaultPolicy: role:admin repo: + initContainers: + - command: + - bash + - -c + - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest + name: fetch-ca + resources: {} + volumeMounts: + - mountPath: /var/run/kube-root-ca + name: kube-root-ca + - mountPath: /var/run/trusted-ca + name: trusted-ca-bundle + - mountPath: /var/run/trusted-hub + name: trusted-hub-bundle + - mountPath: /tmp/ca-bundles + name: ca-bundles + resources: + limits: + cpu: "1" + memory: 1Gi + requests: + cpu: 250m + memory: 256Mi + volumeMounts: + - mountPath: /etc/pki/tls/certs + name: ca-bundles + volumes: + - configMap: + name: kube-root-ca.crt + name: kube-root-ca + - configMap: + name: trusted-ca-bundle + optional: true + name: trusted-ca-bundle + - configMap: + name: trusted-hub-bundle + optional: true + name: trusted-hub-bundle + - emptyDir: {} + name: ca-bundles sidecarContainers: - name: helm-with-kustomize command: [/var/run/argocd/argocd-cmp-server] @@ -654,7 +822,7 @@ spec: requests: cpu: 250m memory: 256Mi - resourceExclusions: | + resourceExclusions: | - apiGroups: - tekton.dev kinds: diff --git a/tests/common-clustergroup-industrial-edge-hub.expected.yaml b/tests/common-clustergroup-industrial-edge-hub.expected.yaml index fe0bdbb..fdfd6e4 100644 --- a/tests/common-clustergroup-industrial-edge-hub.expected.yaml +++ b/tests/common-clustergroup-industrial-edge-hub.expected.yaml @@ -109,6 +109,13 @@ metadata: name: imperative-sa namespace: imperative --- +# Source: clustergroup/templates/imperative/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: imperative-admin-sa + namespace: imperative +--- # Source: clustergroup/templates/imperative/configmap.yaml apiVersion: v1 kind: ConfigMap @@ -235,8 +242,38 @@ data: --set clusterGroup.name=datacenter --post-renderer ./kustomize"] initContainers: [] + resourceExclusions: | + - apiGroups: + - tekton.dev + kinds: + - TaskRun + - PipelineRun + resourceHealthChecks: + - check: | + hs = {} + if obj.status ~= nil then + if obj.status.phase ~= nil then + if obj.status.phase == "Pending" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + elseif obj.status.phase == "Bound" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + end + end + end + hs.status = "Progressing" + hs.message = "Waiting for PVC" + return hs + kind: PersistentVolumeClaim + resourceTrackingMethod: label imperative: activeDeadlineSeconds: 3600 + adminClusterRoleName: imperative-admin-cluster-role + adminServiceAccountCreate: true + adminServiceAccountName: imperative-admin-sa clusterRoleName: imperative-cluster-role clusterRoleYaml: "" cronJobName: imperative-cronjob @@ -281,6 +318,7 @@ data: - manuela-data-lake - staging - vault + nodes: [] operatorgroupExcludes: - manuela-ml-workspace projects: @@ -420,11 +458,24 @@ rules: - list - watch --- +# Source: clustergroup/templates/imperative/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: imperative-admin-cluster-role +rules: + - apiGroups: + - '*' + resources: + - '*' + verbs: + - '*' +--- # Source: clustergroup/templates/imperative/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: imperative-cluster-admin-rolebinding + name: imperative-cluster-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -434,12 +485,30 @@ subjects: name: imperative-sa namespace: imperative --- +# Source: clustergroup/templates/imperative/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: imperative-admin-clusterrolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: imperative-admin-cluster-role +subjects: + - kind: ServiceAccount + name: imperative-admin-sa + namespace: imperative +--- # Source: clustergroup/templates/plumbing/argocd-super-role.yaml # WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: openshift-gitops-cluster-admin-rolebinding + # We need to have this before anything else or the sync might get stuck forever + # due to permission issues + annotations: + argocd.argoproj.io/sync-wave: "-100" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -459,6 +528,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: mypattern-datacenter-cluster-admin-rolebinding + # We need to have this before anything else or the sync might get stuck forever + # due to permission issues + annotations: + argocd.argoproj.io/sync-wave: "-100" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -496,7 +569,7 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: imperative-admin-rolebinding + name: imperative-rolebinding namespace: imperative roleRef: apiGroup: rbac.authorization.k8s.io @@ -528,6 +601,27 @@ spec: initContainers: # git init happens in /git/repo so that we can set the folder to 0770 permissions # reason for that is ansible refuses to create temporary folders in there + - name: fetch-ca + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest + imagePullPolicy: Always + env: + - name: HOME + value: /git/home + command: + - 'sh' + - '-c' + - >- + cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true; + ls -l /tmp/ca-bundles/ + volumeMounts: + - mountPath: /var/run/kube-root-ca + name: kube-root-ca + - mountPath: /var/run/trusted-ca + name: trusted-ca-bundle + - mountPath: /var/run/trusted-hub + name: trusted-hub-bundle + - mountPath: /tmp/ca-bundles + name: ca-bundles - name: git-init image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always @@ -537,6 +631,8 @@ spec: volumeMounts: - name: git mountPath: "/git" + - name: ca-bundles + mountPath: /etc/pki/tls/certs command: - 'sh' - '-c' @@ -563,8 +659,9 @@ spec: if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; + if [ "main" = "HEAD" ]; then BRANCH=""; else BRANCH="--branch main"; fi; mkdir /git/{repo,home}; - git clone --recurse-submodules --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + git clone --recurse-submodules --single-branch ${BRANCH} --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; - name: test image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest @@ -588,6 +685,14 @@ spec: - name: values-volume mountPath: /values/values.yaml subPath: values.yaml + - mountPath: /var/run/kube-root-ca + name: kube-root-ca + - mountPath: /var/run/trusted-ca + name: trusted-ca-bundle + - mountPath: /var/run/trusted-hub + name: trusted-hub-bundle + - mountPath: /tmp/ca-bundles + name: ca-bundles containers: - name: "done" image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest @@ -604,6 +709,19 @@ spec: - name: values-volume configMap: name: helm-values-configmap-datacenter + - configMap: + name: kube-root-ca.crt + name: kube-root-ca + - configMap: + name: trusted-ca-bundle + optional: true + name: trusted-ca-bundle + - configMap: + name: trusted-hub-bundle + optional: true + name: trusted-hub-bundle + - name: ca-bundles + emptyDir: {} restartPolicy: Never --- # Source: clustergroup/templates/imperative/unsealjob.yaml @@ -627,6 +745,27 @@ spec: initContainers: # git init happens in /git/repo so that we can set the folder to 0770 permissions # reason for that is ansible refuses to create temporary folders in there + - name: fetch-ca + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest + imagePullPolicy: Always + env: + - name: HOME + value: /git/home + command: + - 'sh' + - '-c' + - >- + cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true; + ls -l /tmp/ca-bundles/ + volumeMounts: + - mountPath: /var/run/kube-root-ca + name: kube-root-ca + - mountPath: /var/run/trusted-ca + name: trusted-ca-bundle + - mountPath: /var/run/trusted-hub + name: trusted-hub-bundle + - mountPath: /tmp/ca-bundles + name: ca-bundles - name: git-init image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always @@ -636,6 +775,8 @@ spec: volumeMounts: - name: git mountPath: "/git" + - name: ca-bundles + mountPath: /etc/pki/tls/certs command: - 'sh' - '-c' @@ -662,8 +803,9 @@ spec: if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; + if [ "main" = "HEAD" ]; then BRANCH=""; else BRANCH="--branch main"; fi; mkdir /git/{repo,home}; - git clone --recurse-submodules --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + git clone --recurse-submodules --single-branch ${BRANCH} --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; - name: unseal-playbook image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest @@ -689,6 +831,14 @@ spec: - name: values-volume mountPath: /values/values.yaml subPath: values.yaml + - mountPath: /var/run/kube-root-ca + name: kube-root-ca + - mountPath: /var/run/trusted-ca + name: trusted-ca-bundle + - mountPath: /var/run/trusted-hub + name: trusted-hub-bundle + - mountPath: /tmp/ca-bundles + name: ca-bundles containers: - name: "done" image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest @@ -705,6 +855,19 @@ spec: - name: values-volume configMap: name: helm-values-configmap-datacenter + - configMap: + name: kube-root-ca.crt + name: kube-root-ca + - configMap: + name: trusted-ca-bundle + optional: true + name: trusted-ca-bundle + - configMap: + name: trusted-hub-bundle + optional: true + name: trusted-hub-bundle + - name: ca-bundles + emptyDir: {} restartPolicy: Never --- # Source: clustergroup/templates/core/subscriptions.yaml @@ -815,6 +978,8 @@ spec: path: common/acm helm: ignoreMissingValueFiles: true + values: | + extraParametersNested: valueFiles: - "/values-global.yaml" - "/values-datacenter.yaml" @@ -824,9 +989,9 @@ spec: - "/values-4.12-datacenter.yaml" parameters: - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL + value: https://github.com/pattern-clone/mypattern - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION + value: main - name: global.namespace value: $ARGOCD_APP_NAMESPACE - name: global.pattern @@ -839,6 +1004,12 @@ spec: value: "aws" - name: global.hubClusterDomain value: apps.hub.example.com + - name: global.multiSourceSupport + value: + - name: global.multiSourceRepoUrl + value: + - name: global.multiSourceTargetRevision + value: - name: global.localClusterDomain value: apps.region.example.com - name: global.privateRepo @@ -880,6 +1051,8 @@ spec: path: charts/datacenter/opendatahub helm: ignoreMissingValueFiles: true + values: | + extraParametersNested: valueFiles: - "/values-global.yaml" - "/values-datacenter.yaml" @@ -889,9 +1062,9 @@ spec: - "/values-4.12-datacenter.yaml" parameters: - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL + value: https://github.com/pattern-clone/mypattern - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION + value: main - name: global.namespace value: $ARGOCD_APP_NAMESPACE - name: global.pattern @@ -904,6 +1077,12 @@ spec: value: "aws" - name: global.hubClusterDomain value: apps.hub.example.com + - name: global.multiSourceSupport + value: + - name: global.multiSourceRepoUrl + value: + - name: global.multiSourceTargetRevision + value: - name: global.localClusterDomain value: apps.region.example.com - name: global.privateRepo @@ -936,6 +1115,8 @@ spec: path: charts/datacenter/pipelines helm: ignoreMissingValueFiles: true + values: | + extraParametersNested: valueFiles: - "/values-global.yaml" - "/values-datacenter.yaml" @@ -945,9 +1126,9 @@ spec: - "/values-4.12-datacenter.yaml" parameters: - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL + value: https://github.com/pattern-clone/mypattern - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION + value: main - name: global.namespace value: $ARGOCD_APP_NAMESPACE - name: global.pattern @@ -960,6 +1141,12 @@ spec: value: "aws" - name: global.hubClusterDomain value: apps.hub.example.com + - name: global.multiSourceSupport + value: + - name: global.multiSourceRepoUrl + value: + - name: global.multiSourceTargetRevision + value: - name: global.localClusterDomain value: apps.region.example.com - name: global.privateRepo @@ -992,6 +1179,8 @@ spec: path: charts/datacenter/manuela-data-lake helm: ignoreMissingValueFiles: true + values: | + extraParametersNested: valueFiles: - "/values-global.yaml" - "/values-datacenter.yaml" @@ -1001,9 +1190,9 @@ spec: - "/values-4.12-datacenter.yaml" parameters: - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL + value: https://github.com/pattern-clone/mypattern - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION + value: main - name: global.namespace value: $ARGOCD_APP_NAMESPACE - name: global.pattern @@ -1016,6 +1205,12 @@ spec: value: "aws" - name: global.hubClusterDomain value: apps.hub.example.com + - name: global.multiSourceSupport + value: + - name: global.multiSourceRepoUrl + value: + - name: global.multiSourceTargetRevision + value: - name: global.localClusterDomain value: apps.region.example.com - name: global.privateRepo @@ -1078,6 +1273,8 @@ spec: path: charts/datacenter/external-secrets helm: ignoreMissingValueFiles: true + values: | + extraParametersNested: valueFiles: - "/values-global.yaml" - "/values-datacenter.yaml" @@ -1087,9 +1284,9 @@ spec: - "/values-4.12-datacenter.yaml" parameters: - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL + value: https://github.com/pattern-clone/mypattern - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION + value: main - name: global.namespace value: $ARGOCD_APP_NAMESPACE - name: global.pattern @@ -1102,6 +1299,12 @@ spec: value: "aws" - name: global.hubClusterDomain value: apps.hub.example.com + - name: global.multiSourceSupport + value: + - name: global.multiSourceRepoUrl + value: + - name: global.multiSourceTargetRevision + value: - name: global.localClusterDomain value: apps.region.example.com - name: global.privateRepo @@ -1134,6 +1337,8 @@ spec: path: common/golang-external-secrets helm: ignoreMissingValueFiles: true + values: | + extraParametersNested: valueFiles: - "/values-global.yaml" - "/values-datacenter.yaml" @@ -1143,9 +1348,9 @@ spec: - "/values-4.12-datacenter.yaml" parameters: - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL + value: https://github.com/pattern-clone/mypattern - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION + value: main - name: global.namespace value: $ARGOCD_APP_NAMESPACE - name: global.pattern @@ -1158,6 +1363,12 @@ spec: value: "aws" - name: global.hubClusterDomain value: apps.hub.example.com + - name: global.multiSourceSupport + value: + - name: global.multiSourceRepoUrl + value: + - name: global.multiSourceTargetRevision + value: - name: global.localClusterDomain value: apps.region.example.com - name: global.privateRepo @@ -1217,6 +1428,8 @@ spec: chart: vault helm: ignoreMissingValueFiles: true + values: | + extraParametersNested: valueFiles: - "/values-global.yaml" - "/values-datacenter.yaml" @@ -1226,9 +1439,9 @@ spec: - "/values-4.12-datacenter.yaml" parameters: - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL + value: https://github.com/pattern-clone/mypattern - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION + value: main - name: global.namespace value: $ARGOCD_APP_NAMESPACE - name: global.pattern @@ -1241,6 +1454,12 @@ spec: value: "aws" - name: global.hubClusterDomain value: apps.hub.example.com + - name: global.multiSourceSupport + value: + - name: global.multiSourceRepoUrl + value: + - name: global.multiSourceTargetRevision + value: - name: global.localClusterDomain value: apps.region.example.com - name: global.privateRepo @@ -1306,6 +1525,7 @@ spec: hs.message = "Waiting for PVC" return hs + resourceTrackingMethod: label applicationInstanceLabelKey: argocd.argoproj.io/instance applicationSet: resources: @@ -1339,6 +1559,47 @@ spec: rbac: defaultPolicy: role:admin repo: + initContainers: + - command: + - bash + - -c + - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest + name: fetch-ca + resources: {} + volumeMounts: + - mountPath: /var/run/kube-root-ca + name: kube-root-ca + - mountPath: /var/run/trusted-ca + name: trusted-ca-bundle + - mountPath: /var/run/trusted-hub + name: trusted-hub-bundle + - mountPath: /tmp/ca-bundles + name: ca-bundles + resources: + limits: + cpu: "1" + memory: 1Gi + requests: + cpu: 250m + memory: 256Mi + volumeMounts: + - mountPath: /etc/pki/tls/certs + name: ca-bundles + volumes: + - configMap: + name: kube-root-ca.crt + name: kube-root-ca + - configMap: + name: trusted-ca-bundle + optional: true + name: trusted-ca-bundle + - configMap: + name: trusted-hub-bundle + optional: true + name: trusted-hub-bundle + - emptyDir: {} + name: ca-bundles sidecarContainers: - name: helm-with-kustomize command: [/var/run/argocd/argocd-cmp-server] @@ -1372,7 +1633,7 @@ spec: requests: cpu: 250m memory: 256Mi - resourceExclusions: | + resourceExclusions: | - apiGroups: - tekton.dev kinds: diff --git a/tests/common-clustergroup-medical-diagnosis-hub.expected.yaml b/tests/common-clustergroup-medical-diagnosis-hub.expected.yaml index d7d59bc..43e2715 100644 --- a/tests/common-clustergroup-medical-diagnosis-hub.expected.yaml +++ b/tests/common-clustergroup-medical-diagnosis-hub.expected.yaml @@ -109,6 +109,13 @@ metadata: name: imperative-sa namespace: imperative --- +# Source: clustergroup/templates/imperative/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: imperative-admin-sa + namespace: imperative +--- # Source: clustergroup/templates/imperative/configmap.yaml apiVersion: v1 kind: ConfigMap @@ -218,8 +225,38 @@ data: argoCD: configManagementPlugins: [] initContainers: [] + resourceExclusions: | + - apiGroups: + - tekton.dev + kinds: + - TaskRun + - PipelineRun + resourceHealthChecks: + - check: | + hs = {} + if obj.status ~= nil then + if obj.status.phase ~= nil then + if obj.status.phase == "Pending" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + elseif obj.status.phase == "Bound" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + end + end + end + hs.status = "Progressing" + hs.message = "Waiting for PVC" + return hs + kind: PersistentVolumeClaim + resourceTrackingMethod: label imperative: activeDeadlineSeconds: 3600 + adminClusterRoleName: imperative-admin-cluster-role + adminServiceAccountCreate: true + adminServiceAccountName: imperative-admin-sa clusterRoleName: imperative-cluster-role clusterRoleYaml: "" cronJobName: imperative-cronjob @@ -260,6 +297,7 @@ data: - staging - vault - golang-external-secrets + nodes: [] projects: - hub - medical-diagnosis @@ -347,11 +385,24 @@ rules: - list - watch --- +# Source: clustergroup/templates/imperative/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: imperative-admin-cluster-role +rules: + - apiGroups: + - '*' + resources: + - '*' + verbs: + - '*' +--- # Source: clustergroup/templates/imperative/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: imperative-cluster-admin-rolebinding + name: imperative-cluster-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -361,12 +412,30 @@ subjects: name: imperative-sa namespace: imperative --- +# Source: clustergroup/templates/imperative/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: imperative-admin-clusterrolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: imperative-admin-cluster-role +subjects: + - kind: ServiceAccount + name: imperative-admin-sa + namespace: imperative +--- # Source: clustergroup/templates/plumbing/argocd-super-role.yaml # WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: openshift-gitops-cluster-admin-rolebinding + # We need to have this before anything else or the sync might get stuck forever + # due to permission issues + annotations: + argocd.argoproj.io/sync-wave: "-100" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -386,6 +455,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: mypattern-hub-cluster-admin-rolebinding + # We need to have this before anything else or the sync might get stuck forever + # due to permission issues + annotations: + argocd.argoproj.io/sync-wave: "-100" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -423,7 +496,7 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: imperative-admin-rolebinding + name: imperative-rolebinding namespace: imperative roleRef: apiGroup: rbac.authorization.k8s.io @@ -455,6 +528,27 @@ spec: initContainers: # git init happens in /git/repo so that we can set the folder to 0770 permissions # reason for that is ansible refuses to create temporary folders in there + - name: fetch-ca + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest + imagePullPolicy: Always + env: + - name: HOME + value: /git/home + command: + - 'sh' + - '-c' + - >- + cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true; + ls -l /tmp/ca-bundles/ + volumeMounts: + - mountPath: /var/run/kube-root-ca + name: kube-root-ca + - mountPath: /var/run/trusted-ca + name: trusted-ca-bundle + - mountPath: /var/run/trusted-hub + name: trusted-hub-bundle + - mountPath: /tmp/ca-bundles + name: ca-bundles - name: git-init image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always @@ -464,6 +558,8 @@ spec: volumeMounts: - name: git mountPath: "/git" + - name: ca-bundles + mountPath: /etc/pki/tls/certs command: - 'sh' - '-c' @@ -490,8 +586,9 @@ spec: if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; + if [ "main" = "HEAD" ]; then BRANCH=""; else BRANCH="--branch main"; fi; mkdir /git/{repo,home}; - git clone --recurse-submodules --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + git clone --recurse-submodules --single-branch ${BRANCH} --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; - name: test image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest @@ -515,6 +612,14 @@ spec: - name: values-volume mountPath: /values/values.yaml subPath: values.yaml + - mountPath: /var/run/kube-root-ca + name: kube-root-ca + - mountPath: /var/run/trusted-ca + name: trusted-ca-bundle + - mountPath: /var/run/trusted-hub + name: trusted-hub-bundle + - mountPath: /tmp/ca-bundles + name: ca-bundles containers: - name: "done" image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest @@ -531,6 +636,19 @@ spec: - name: values-volume configMap: name: helm-values-configmap-hub + - configMap: + name: kube-root-ca.crt + name: kube-root-ca + - configMap: + name: trusted-ca-bundle + optional: true + name: trusted-ca-bundle + - configMap: + name: trusted-hub-bundle + optional: true + name: trusted-hub-bundle + - name: ca-bundles + emptyDir: {} restartPolicy: Never --- # Source: clustergroup/templates/imperative/unsealjob.yaml @@ -554,6 +672,27 @@ spec: initContainers: # git init happens in /git/repo so that we can set the folder to 0770 permissions # reason for that is ansible refuses to create temporary folders in there + - name: fetch-ca + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest + imagePullPolicy: Always + env: + - name: HOME + value: /git/home + command: + - 'sh' + - '-c' + - >- + cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true; + ls -l /tmp/ca-bundles/ + volumeMounts: + - mountPath: /var/run/kube-root-ca + name: kube-root-ca + - mountPath: /var/run/trusted-ca + name: trusted-ca-bundle + - mountPath: /var/run/trusted-hub + name: trusted-hub-bundle + - mountPath: /tmp/ca-bundles + name: ca-bundles - name: git-init image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always @@ -563,6 +702,8 @@ spec: volumeMounts: - name: git mountPath: "/git" + - name: ca-bundles + mountPath: /etc/pki/tls/certs command: - 'sh' - '-c' @@ -589,8 +730,9 @@ spec: if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; + if [ "main" = "HEAD" ]; then BRANCH=""; else BRANCH="--branch main"; fi; mkdir /git/{repo,home}; - git clone --recurse-submodules --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + git clone --recurse-submodules --single-branch ${BRANCH} --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; - name: unseal-playbook image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest @@ -616,6 +758,14 @@ spec: - name: values-volume mountPath: /values/values.yaml subPath: values.yaml + - mountPath: /var/run/kube-root-ca + name: kube-root-ca + - mountPath: /var/run/trusted-ca + name: trusted-ca-bundle + - mountPath: /var/run/trusted-hub + name: trusted-hub-bundle + - mountPath: /tmp/ca-bundles + name: ca-bundles containers: - name: "done" image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest @@ -632,6 +782,19 @@ spec: - name: values-volume configMap: name: helm-values-configmap-hub + - configMap: + name: kube-root-ca.crt + name: kube-root-ca + - configMap: + name: trusted-ca-bundle + optional: true + name: trusted-ca-bundle + - configMap: + name: trusted-hub-bundle + optional: true + name: trusted-hub-bundle + - name: ca-bundles + emptyDir: {} restartPolicy: Never --- # Source: clustergroup/templates/core/subscriptions.yaml @@ -700,6 +863,8 @@ spec: path: common/golang-external-secrets helm: ignoreMissingValueFiles: true + values: | + extraParametersNested: valueFiles: - "/values-global.yaml" - "/values-hub.yaml" @@ -709,9 +874,9 @@ spec: - "/values-4.12-hub.yaml" parameters: - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL + value: https://github.com/pattern-clone/mypattern - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION + value: main - name: global.namespace value: $ARGOCD_APP_NAMESPACE - name: global.pattern @@ -724,6 +889,12 @@ spec: value: "aws" - name: global.hubClusterDomain value: apps.hub.example.com + - name: global.multiSourceSupport + value: + - name: global.multiSourceRepoUrl + value: + - name: global.multiSourceTargetRevision + value: - name: global.localClusterDomain value: apps.region.example.com - name: global.privateRepo @@ -756,6 +927,8 @@ spec: path: charts/all/kafdrop helm: ignoreMissingValueFiles: true + values: | + extraParametersNested: valueFiles: - "/values-global.yaml" - "/values-hub.yaml" @@ -765,9 +938,9 @@ spec: - "/values-4.12-hub.yaml" parameters: - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL + value: https://github.com/pattern-clone/mypattern - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION + value: main - name: global.namespace value: $ARGOCD_APP_NAMESPACE - name: global.pattern @@ -780,6 +953,12 @@ spec: value: "aws" - name: global.hubClusterDomain value: apps.hub.example.com + - name: global.multiSourceSupport + value: + - name: global.multiSourceRepoUrl + value: + - name: global.multiSourceTargetRevision + value: - name: global.localClusterDomain value: apps.region.example.com - name: global.privateRepo @@ -812,6 +991,8 @@ spec: path: charts/all/kafka helm: ignoreMissingValueFiles: true + values: | + extraParametersNested: valueFiles: - "/values-global.yaml" - "/values-hub.yaml" @@ -821,9 +1002,9 @@ spec: - "/values-4.12-hub.yaml" parameters: - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL + value: https://github.com/pattern-clone/mypattern - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION + value: main - name: global.namespace value: $ARGOCD_APP_NAMESPACE - name: global.pattern @@ -836,6 +1017,12 @@ spec: value: "aws" - name: global.hubClusterDomain value: apps.hub.example.com + - name: global.multiSourceSupport + value: + - name: global.multiSourceRepoUrl + value: + - name: global.multiSourceTargetRevision + value: - name: global.localClusterDomain value: apps.region.example.com - name: global.privateRepo @@ -868,6 +1055,8 @@ spec: path: charts/all/opendatahub helm: ignoreMissingValueFiles: true + values: | + extraParametersNested: valueFiles: - "/values-global.yaml" - "/values-hub.yaml" @@ -877,9 +1066,9 @@ spec: - "/values-4.12-hub.yaml" parameters: - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL + value: https://github.com/pattern-clone/mypattern - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION + value: main - name: global.namespace value: $ARGOCD_APP_NAMESPACE - name: global.pattern @@ -892,6 +1081,12 @@ spec: value: "aws" - name: global.hubClusterDomain value: apps.hub.example.com + - name: global.multiSourceSupport + value: + - name: global.multiSourceRepoUrl + value: + - name: global.multiSourceTargetRevision + value: - name: global.localClusterDomain value: apps.region.example.com - name: global.privateRepo @@ -924,6 +1119,8 @@ spec: path: charts/all/openshift-data-foundations helm: ignoreMissingValueFiles: true + values: | + extraParametersNested: valueFiles: - "/values-global.yaml" - "/values-hub.yaml" @@ -933,9 +1130,9 @@ spec: - "/values-4.12-hub.yaml" parameters: - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL + value: https://github.com/pattern-clone/mypattern - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION + value: main - name: global.namespace value: $ARGOCD_APP_NAMESPACE - name: global.pattern @@ -948,6 +1145,12 @@ spec: value: "aws" - name: global.hubClusterDomain value: apps.hub.example.com + - name: global.multiSourceSupport + value: + - name: global.multiSourceRepoUrl + value: + - name: global.multiSourceTargetRevision + value: - name: global.localClusterDomain value: apps.region.example.com - name: global.privateRepo @@ -980,6 +1183,8 @@ spec: path: charts/all/openshift-serverless helm: ignoreMissingValueFiles: true + values: | + extraParametersNested: valueFiles: - "/values-global.yaml" - "/values-hub.yaml" @@ -989,9 +1194,9 @@ spec: - "/values-4.12-hub.yaml" parameters: - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL + value: https://github.com/pattern-clone/mypattern - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION + value: main - name: global.namespace value: $ARGOCD_APP_NAMESPACE - name: global.pattern @@ -1004,6 +1209,12 @@ spec: value: "aws" - name: global.hubClusterDomain value: apps.hub.example.com + - name: global.multiSourceSupport + value: + - name: global.multiSourceRepoUrl + value: + - name: global.multiSourceTargetRevision + value: - name: global.localClusterDomain value: apps.region.example.com - name: global.privateRepo @@ -1036,6 +1247,8 @@ spec: path: charts/all/medical-diagnosis/service-account helm: ignoreMissingValueFiles: true + values: | + extraParametersNested: valueFiles: - "/values-global.yaml" - "/values-hub.yaml" @@ -1045,9 +1258,9 @@ spec: - "/values-4.12-hub.yaml" parameters: - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL + value: https://github.com/pattern-clone/mypattern - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION + value: main - name: global.namespace value: $ARGOCD_APP_NAMESPACE - name: global.pattern @@ -1060,6 +1273,12 @@ spec: value: "aws" - name: global.hubClusterDomain value: apps.hub.example.com + - name: global.multiSourceSupport + value: + - name: global.multiSourceRepoUrl + value: + - name: global.multiSourceTargetRevision + value: - name: global.localClusterDomain value: apps.region.example.com - name: global.privateRepo @@ -1092,6 +1311,8 @@ spec: chart: vault helm: ignoreMissingValueFiles: true + values: | + extraParametersNested: valueFiles: - "/values-global.yaml" - "/values-hub.yaml" @@ -1101,9 +1322,9 @@ spec: - "/values-4.12-hub.yaml" parameters: - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL + value: https://github.com/pattern-clone/mypattern - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION + value: main - name: global.namespace value: $ARGOCD_APP_NAMESPACE - name: global.pattern @@ -1116,6 +1337,12 @@ spec: value: "aws" - name: global.hubClusterDomain value: apps.hub.example.com + - name: global.multiSourceSupport + value: + - name: global.multiSourceRepoUrl + value: + - name: global.multiSourceTargetRevision + value: - name: global.localClusterDomain value: apps.region.example.com - name: global.privateRepo @@ -1166,6 +1393,8 @@ spec: path: charts/all/medical-diagnosis/database helm: ignoreMissingValueFiles: true + values: | + extraParametersNested: valueFiles: - "/values-global.yaml" - "/values-hub.yaml" @@ -1175,9 +1404,9 @@ spec: - "/values-4.12-hub.yaml" parameters: - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL + value: https://github.com/pattern-clone/mypattern - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION + value: main - name: global.namespace value: $ARGOCD_APP_NAMESPACE - name: global.pattern @@ -1190,6 +1419,12 @@ spec: value: "aws" - name: global.hubClusterDomain value: apps.hub.example.com + - name: global.multiSourceSupport + value: + - name: global.multiSourceRepoUrl + value: + - name: global.multiSourceTargetRevision + value: - name: global.localClusterDomain value: apps.region.example.com - name: global.privateRepo @@ -1222,6 +1457,8 @@ spec: path: charts/all/medical-diagnosis/grafana helm: ignoreMissingValueFiles: true + values: | + extraParametersNested: valueFiles: - "/values-global.yaml" - "/values-hub.yaml" @@ -1231,9 +1468,9 @@ spec: - "/values-4.12-hub.yaml" parameters: - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL + value: https://github.com/pattern-clone/mypattern - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION + value: main - name: global.namespace value: $ARGOCD_APP_NAMESPACE - name: global.pattern @@ -1246,6 +1483,12 @@ spec: value: "aws" - name: global.hubClusterDomain value: apps.hub.example.com + - name: global.multiSourceSupport + value: + - name: global.multiSourceRepoUrl + value: + - name: global.multiSourceTargetRevision + value: - name: global.localClusterDomain value: apps.region.example.com - name: global.privateRepo @@ -1278,6 +1521,8 @@ spec: path: charts/all/medical-diagnosis/image-generator helm: ignoreMissingValueFiles: true + values: | + extraParametersNested: valueFiles: - "/values-global.yaml" - "/values-hub.yaml" @@ -1287,9 +1532,9 @@ spec: - "/values-4.12-hub.yaml" parameters: - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL + value: https://github.com/pattern-clone/mypattern - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION + value: main - name: global.namespace value: $ARGOCD_APP_NAMESPACE - name: global.pattern @@ -1302,6 +1547,12 @@ spec: value: "aws" - name: global.hubClusterDomain value: apps.hub.example.com + - name: global.multiSourceSupport + value: + - name: global.multiSourceRepoUrl + value: + - name: global.multiSourceTargetRevision + value: - name: global.localClusterDomain value: apps.region.example.com - name: global.privateRepo @@ -1343,6 +1594,8 @@ spec: path: charts/all/medical-diagnosis/image-server helm: ignoreMissingValueFiles: true + values: | + extraParametersNested: valueFiles: - "/values-global.yaml" - "/values-hub.yaml" @@ -1352,9 +1605,9 @@ spec: - "/values-4.12-hub.yaml" parameters: - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL + value: https://github.com/pattern-clone/mypattern - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION + value: main - name: global.namespace value: $ARGOCD_APP_NAMESPACE - name: global.pattern @@ -1367,6 +1620,12 @@ spec: value: "aws" - name: global.hubClusterDomain value: apps.hub.example.com + - name: global.multiSourceSupport + value: + - name: global.multiSourceRepoUrl + value: + - name: global.multiSourceTargetRevision + value: - name: global.localClusterDomain value: apps.region.example.com - name: global.privateRepo @@ -1408,6 +1667,8 @@ spec: path: charts/all/medical-diagnosis/xray-init helm: ignoreMissingValueFiles: true + values: | + extraParametersNested: valueFiles: - "/values-global.yaml" - "/values-hub.yaml" @@ -1417,9 +1678,9 @@ spec: - "/values-4.12-hub.yaml" parameters: - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL + value: https://github.com/pattern-clone/mypattern - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION + value: main - name: global.namespace value: $ARGOCD_APP_NAMESPACE - name: global.pattern @@ -1432,6 +1693,12 @@ spec: value: "aws" - name: global.hubClusterDomain value: apps.hub.example.com + - name: global.multiSourceSupport + value: + - name: global.multiSourceRepoUrl + value: + - name: global.multiSourceTargetRevision + value: - name: global.localClusterDomain value: apps.region.example.com - name: global.privateRepo @@ -1479,6 +1746,7 @@ spec: hs.message = "Waiting for PVC" return hs + resourceTrackingMethod: label applicationInstanceLabelKey: argocd.argoproj.io/instance applicationSet: resources: @@ -1512,6 +1780,47 @@ spec: rbac: defaultPolicy: role:admin repo: + initContainers: + - command: + - bash + - -c + - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest + name: fetch-ca + resources: {} + volumeMounts: + - mountPath: /var/run/kube-root-ca + name: kube-root-ca + - mountPath: /var/run/trusted-ca + name: trusted-ca-bundle + - mountPath: /var/run/trusted-hub + name: trusted-hub-bundle + - mountPath: /tmp/ca-bundles + name: ca-bundles + resources: + limits: + cpu: "1" + memory: 1Gi + requests: + cpu: 250m + memory: 256Mi + volumeMounts: + - mountPath: /etc/pki/tls/certs + name: ca-bundles + volumes: + - configMap: + name: kube-root-ca.crt + name: kube-root-ca + - configMap: + name: trusted-ca-bundle + optional: true + name: trusted-ca-bundle + - configMap: + name: trusted-hub-bundle + optional: true + name: trusted-hub-bundle + - emptyDir: {} + name: ca-bundles resources: limits: cpu: "1" @@ -1519,7 +1828,7 @@ spec: requests: cpu: 250m memory: 256Mi - resourceExclusions: | + resourceExclusions: | - apiGroups: - tekton.dev kinds: diff --git a/tests/common-clustergroup-naked.expected.yaml b/tests/common-clustergroup-naked.expected.yaml index fdaf429..7a9f94b 100644 --- a/tests/common-clustergroup-naked.expected.yaml +++ b/tests/common-clustergroup-naked.expected.yaml @@ -28,6 +28,13 @@ metadata: name: imperative-sa namespace: imperative --- +# Source: clustergroup/templates/imperative/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: imperative-admin-sa + namespace: imperative +--- # Source: clustergroup/templates/imperative/configmap.yaml apiVersion: v1 kind: ConfigMap @@ -41,8 +48,38 @@ data: argoCD: configManagementPlugins: [] initContainers: [] + resourceExclusions: | + - apiGroups: + - tekton.dev + kinds: + - TaskRun + - PipelineRun + resourceHealthChecks: + - check: | + hs = {} + if obj.status ~= nil then + if obj.status.phase ~= nil then + if obj.status.phase == "Pending" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + elseif obj.status.phase == "Bound" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + end + end + end + hs.status = "Progressing" + hs.message = "Waiting for PVC" + return hs + kind: PersistentVolumeClaim + resourceTrackingMethod: label imperative: activeDeadlineSeconds: 3600 + adminClusterRoleName: imperative-admin-cluster-role + adminServiceAccountCreate: true + adminServiceAccountName: imperative-admin-sa clusterRoleName: imperative-cluster-role clusterRoleYaml: "" cronJobName: imperative-cronjob @@ -63,6 +100,7 @@ data: managedClusterGroups: {} name: example namespaces: [] + nodes: [] projects: [] sharedValueFiles: [] subscriptions: {} @@ -117,11 +155,24 @@ rules: - list - watch --- +# Source: clustergroup/templates/imperative/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: imperative-admin-cluster-role +rules: + - apiGroups: + - '*' + resources: + - '*' + verbs: + - '*' +--- # Source: clustergroup/templates/imperative/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: imperative-cluster-admin-rolebinding + name: imperative-cluster-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -131,12 +182,30 @@ subjects: name: imperative-sa namespace: imperative --- +# Source: clustergroup/templates/imperative/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: imperative-admin-clusterrolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: imperative-admin-cluster-role +subjects: + - kind: ServiceAccount + name: imperative-admin-sa + namespace: imperative +--- # Source: clustergroup/templates/plumbing/argocd-super-role.yaml # WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: openshift-gitops-cluster-admin-rolebinding + # We need to have this before anything else or the sync might get stuck forever + # due to permission issues + annotations: + argocd.argoproj.io/sync-wave: "-100" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -156,6 +225,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: common-example-cluster-admin-rolebinding + # We need to have this before anything else or the sync might get stuck forever + # due to permission issues + annotations: + argocd.argoproj.io/sync-wave: "-100" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -193,7 +266,7 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: imperative-admin-rolebinding + name: imperative-rolebinding namespace: imperative roleRef: apiGroup: rbac.authorization.k8s.io @@ -225,6 +298,27 @@ spec: initContainers: # git init happens in /git/repo so that we can set the folder to 0770 permissions # reason for that is ansible refuses to create temporary folders in there + - name: fetch-ca + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest + imagePullPolicy: Always + env: + - name: HOME + value: /git/home + command: + - 'sh' + - '-c' + - >- + cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true; + ls -l /tmp/ca-bundles/ + volumeMounts: + - mountPath: /var/run/kube-root-ca + name: kube-root-ca + - mountPath: /var/run/trusted-ca + name: trusted-ca-bundle + - mountPath: /var/run/trusted-hub + name: trusted-hub-bundle + - mountPath: /tmp/ca-bundles + name: ca-bundles - name: git-init image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always @@ -234,6 +328,8 @@ spec: volumeMounts: - name: git mountPath: "/git" + - name: ca-bundles + mountPath: /etc/pki/tls/certs command: - 'sh' - '-c' @@ -260,8 +356,9 @@ spec: if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; + if [ "main" = "HEAD" ]; then BRANCH=""; else BRANCH="--branch main"; fi; mkdir /git/{repo,home}; - git clone --recurse-submodules --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + git clone --recurse-submodules --single-branch ${BRANCH} --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; - name: unseal-playbook image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest @@ -287,6 +384,14 @@ spec: - name: values-volume mountPath: /values/values.yaml subPath: values.yaml + - mountPath: /var/run/kube-root-ca + name: kube-root-ca + - mountPath: /var/run/trusted-ca + name: trusted-ca-bundle + - mountPath: /var/run/trusted-hub + name: trusted-hub-bundle + - mountPath: /tmp/ca-bundles + name: ca-bundles containers: - name: "done" image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest @@ -303,6 +408,19 @@ spec: - name: values-volume configMap: name: helm-values-configmap-example + - configMap: + name: kube-root-ca.crt + name: kube-root-ca + - configMap: + name: trusted-ca-bundle + optional: true + name: trusted-ca-bundle + - configMap: + name: trusted-hub-bundle + optional: true + name: trusted-hub-bundle + - name: ca-bundles + emptyDir: {} restartPolicy: Never --- # Source: clustergroup/templates/plumbing/argocd.yaml @@ -341,6 +459,7 @@ spec: hs.message = "Waiting for PVC" return hs + resourceTrackingMethod: label applicationInstanceLabelKey: argocd.argoproj.io/instance applicationSet: resources: @@ -374,6 +493,47 @@ spec: rbac: defaultPolicy: role:admin repo: + initContainers: + - command: + - bash + - -c + - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest + name: fetch-ca + resources: {} + volumeMounts: + - mountPath: /var/run/kube-root-ca + name: kube-root-ca + - mountPath: /var/run/trusted-ca + name: trusted-ca-bundle + - mountPath: /var/run/trusted-hub + name: trusted-hub-bundle + - mountPath: /tmp/ca-bundles + name: ca-bundles + resources: + limits: + cpu: "1" + memory: 1Gi + requests: + cpu: 250m + memory: 256Mi + volumeMounts: + - mountPath: /etc/pki/tls/certs + name: ca-bundles + volumes: + - configMap: + name: kube-root-ca.crt + name: kube-root-ca + - configMap: + name: trusted-ca-bundle + optional: true + name: trusted-ca-bundle + - configMap: + name: trusted-hub-bundle + optional: true + name: trusted-hub-bundle + - emptyDir: {} + name: ca-bundles resources: limits: cpu: "1" @@ -381,7 +541,7 @@ spec: requests: cpu: 250m memory: 256Mi - resourceExclusions: | + resourceExclusions: | - apiGroups: - tekton.dev kinds: diff --git a/tests/common-clustergroup-normal.expected.yaml b/tests/common-clustergroup-normal.expected.yaml index 4daddb8..9311408 100644 --- a/tests/common-clustergroup-normal.expected.yaml +++ b/tests/common-clustergroup-normal.expected.yaml @@ -96,6 +96,13 @@ metadata: name: imperative-sa namespace: imperative --- +# Source: clustergroup/templates/imperative/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: imperative-admin-sa + namespace: imperative +--- # Source: clustergroup/templates/imperative/configmap.yaml apiVersion: v1 kind: ConfigMap @@ -126,8 +133,38 @@ data: argoCD: configManagementPlugins: [] initContainers: [] + resourceExclusions: | + - apiGroups: + - tekton.dev + kinds: + - TaskRun + - PipelineRun + resourceHealthChecks: + - check: | + hs = {} + if obj.status ~= nil then + if obj.status.phase ~= nil then + if obj.status.phase == "Pending" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + elseif obj.status.phase == "Bound" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + end + end + end + hs.status = "Progressing" + hs.message = "Waiting for PVC" + return hs + kind: PersistentVolumeClaim + resourceTrackingMethod: label imperative: activeDeadlineSeconds: 3600 + adminClusterRoleName: imperative-admin-cluster-role + adminServiceAccountCreate: true + adminServiceAccountName: imperative-admin-sa clusterRoleName: imperative-cluster-role clusterRoleYaml: "" cronJobName: imperative-cronjob @@ -160,6 +197,14 @@ data: - acmlabels: - name: clusterGroup value: region + clusterDeployments: + myFirstCluster: + baseDomain: blueprints.rhecoeng.com + name: aws-cd-one-w-pool + openshiftVersion: 4.10.18 + platform: + aws: + region: ap-southeast-1 clusterPools: exampleAWSPool: baseDomain: blueprints.rhecoeng.com @@ -192,6 +237,15 @@ data: value: "false" name: acm-provision-edge targetRevision: main + - clusterDeployments: + mySecondCluster: + baseDomain: blueprints.rhecoeng.com + name: aws-cd-two-wo-pool + openshiftVersion: 4.10.18 + platform: + aws: + region: ap-southeast-3 + name: acm-provision-on-deploy - helmOverrides: - name: clusterGroup.isHubCluster value: "false" @@ -224,10 +278,22 @@ data: operatorGroup: false - include-default-og: operatorGroup: true + nodes: + - m-m00.cluster.example.tld: + labels: + cluster.ocs.openshift.io/openshift-storage: "" + - m-m01.cluster.example.tld: + labels: + cluster.ocs.openshift.io/openshift-storage: "" + - m-m02.cluster.example.tld: + labels: + cluster.ocs.openshift.io/openshift-storage: "" operatorgroupExcludes: - exclude-og projects: - datacenter + scheduler: + mastersSchedulable: true sharedValueFiles: - /values/aws.yaml - /values/4.12.yaml @@ -309,11 +375,24 @@ rules: - list - watch --- +# Source: clustergroup/templates/imperative/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: imperative-admin-cluster-role +rules: + - apiGroups: + - '*' + resources: + - '*' + verbs: + - '*' +--- # Source: clustergroup/templates/imperative/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: imperative-cluster-admin-rolebinding + name: imperative-cluster-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -323,12 +402,30 @@ subjects: name: imperative-sa namespace: imperative --- +# Source: clustergroup/templates/imperative/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: imperative-admin-clusterrolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: imperative-admin-cluster-role +subjects: + - kind: ServiceAccount + name: imperative-admin-sa + namespace: imperative +--- # Source: clustergroup/templates/plumbing/argocd-super-role.yaml # WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: openshift-gitops-cluster-admin-rolebinding + # We need to have this before anything else or the sync might get stuck forever + # due to permission issues + annotations: + argocd.argoproj.io/sync-wave: "-100" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -348,6 +445,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: mypattern-example-cluster-admin-rolebinding + # We need to have this before anything else or the sync might get stuck forever + # due to permission issues + annotations: + argocd.argoproj.io/sync-wave: "-100" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -385,7 +486,7 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: imperative-admin-rolebinding + name: imperative-rolebinding namespace: imperative roleRef: apiGroup: rbac.authorization.k8s.io @@ -417,6 +518,27 @@ spec: initContainers: # git init happens in /git/repo so that we can set the folder to 0770 permissions # reason for that is ansible refuses to create temporary folders in there + - name: fetch-ca + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest + imagePullPolicy: Always + env: + - name: HOME + value: /git/home + command: + - 'sh' + - '-c' + - >- + cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true; + ls -l /tmp/ca-bundles/ + volumeMounts: + - mountPath: /var/run/kube-root-ca + name: kube-root-ca + - mountPath: /var/run/trusted-ca + name: trusted-ca-bundle + - mountPath: /var/run/trusted-hub + name: trusted-hub-bundle + - mountPath: /tmp/ca-bundles + name: ca-bundles - name: git-init image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always @@ -426,6 +548,8 @@ spec: volumeMounts: - name: git mountPath: "/git" + - name: ca-bundles + mountPath: /etc/pki/tls/certs command: - 'sh' - '-c' @@ -452,8 +576,9 @@ spec: if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; + if [ "main" = "HEAD" ]; then BRANCH=""; else BRANCH="--branch main"; fi; mkdir /git/{repo,home}; - git clone --recurse-submodules --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + git clone --recurse-submodules --single-branch ${BRANCH} --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; - name: test image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest @@ -477,6 +602,14 @@ spec: - name: values-volume mountPath: /values/values.yaml subPath: values.yaml + - mountPath: /var/run/kube-root-ca + name: kube-root-ca + - mountPath: /var/run/trusted-ca + name: trusted-ca-bundle + - mountPath: /var/run/trusted-hub + name: trusted-hub-bundle + - mountPath: /tmp/ca-bundles + name: ca-bundles containers: - name: "done" image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest @@ -493,6 +626,19 @@ spec: - name: values-volume configMap: name: helm-values-configmap-example + - configMap: + name: kube-root-ca.crt + name: kube-root-ca + - configMap: + name: trusted-ca-bundle + optional: true + name: trusted-ca-bundle + - configMap: + name: trusted-hub-bundle + optional: true + name: trusted-hub-bundle + - name: ca-bundles + emptyDir: {} restartPolicy: Never --- # Source: clustergroup/templates/imperative/unsealjob.yaml @@ -516,6 +662,27 @@ spec: initContainers: # git init happens in /git/repo so that we can set the folder to 0770 permissions # reason for that is ansible refuses to create temporary folders in there + - name: fetch-ca + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest + imagePullPolicy: Always + env: + - name: HOME + value: /git/home + command: + - 'sh' + - '-c' + - >- + cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true; + ls -l /tmp/ca-bundles/ + volumeMounts: + - mountPath: /var/run/kube-root-ca + name: kube-root-ca + - mountPath: /var/run/trusted-ca + name: trusted-ca-bundle + - mountPath: /var/run/trusted-hub + name: trusted-hub-bundle + - mountPath: /tmp/ca-bundles + name: ca-bundles - name: git-init image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always @@ -525,6 +692,8 @@ spec: volumeMounts: - name: git mountPath: "/git" + - name: ca-bundles + mountPath: /etc/pki/tls/certs command: - 'sh' - '-c' @@ -551,8 +720,9 @@ spec: if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; + if [ "main" = "HEAD" ]; then BRANCH=""; else BRANCH="--branch main"; fi; mkdir /git/{repo,home}; - git clone --recurse-submodules --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + git clone --recurse-submodules --single-branch ${BRANCH} --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; - name: unseal-playbook image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest @@ -578,6 +748,14 @@ spec: - name: values-volume mountPath: /values/values.yaml subPath: values.yaml + - mountPath: /var/run/kube-root-ca + name: kube-root-ca + - mountPath: /var/run/trusted-ca + name: trusted-ca-bundle + - mountPath: /var/run/trusted-hub + name: trusted-hub-bundle + - mountPath: /tmp/ca-bundles + name: ca-bundles containers: - name: "done" image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest @@ -594,6 +772,19 @@ spec: - name: values-volume configMap: name: helm-values-configmap-example + - configMap: + name: kube-root-ca.crt + name: kube-root-ca + - configMap: + name: trusted-ca-bundle + optional: true + name: trusted-ca-bundle + - configMap: + name: trusted-hub-bundle + optional: true + name: trusted-hub-bundle + - name: ca-bundles + emptyDir: {} restartPolicy: Never --- # Source: clustergroup/templates/core/operatorgroup.yaml @@ -665,6 +856,8 @@ spec: path: common/acm helm: ignoreMissingValueFiles: true + values: | + extraParametersNested: valueFiles: - "/values-global.yaml" - "/values-example.yaml" @@ -676,9 +869,9 @@ spec: - "/values/4.12.yaml" parameters: - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL + value: https://github.com/pattern-clone/mypattern - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION + value: main - name: global.namespace value: $ARGOCD_APP_NAMESPACE - name: global.pattern @@ -691,6 +884,12 @@ spec: value: "aws" - name: global.hubClusterDomain value: apps.hub.example.com + - name: global.multiSourceSupport + value: + - name: global.multiSourceRepoUrl + value: + - name: global.multiSourceTargetRevision + value: - name: global.localClusterDomain value: apps.region.example.com - name: global.privateRepo @@ -732,6 +931,8 @@ spec: path: charts/datacenter/pipelines helm: ignoreMissingValueFiles: true + values: | + extraParametersNested: valueFiles: - "/values-global.yaml" - "/values-example.yaml" @@ -744,9 +945,9 @@ spec: - "/values/4.12/aws.yaml" parameters: - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL + value: https://github.com/pattern-clone/mypattern - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION + value: main - name: global.namespace value: $ARGOCD_APP_NAMESPACE - name: global.pattern @@ -759,6 +960,12 @@ spec: value: "aws" - name: global.hubClusterDomain value: apps.hub.example.com + - name: global.multiSourceSupport + value: + - name: global.multiSourceRepoUrl + value: + - name: global.multiSourceTargetRevision + value: - name: global.localClusterDomain value: apps.region.example.com - name: global.privateRepo @@ -1046,6 +1253,7 @@ spec: hs.message = "Waiting for PVC" return hs + resourceTrackingMethod: label applicationInstanceLabelKey: argocd.argoproj.io/instance applicationSet: resources: @@ -1079,6 +1287,47 @@ spec: rbac: defaultPolicy: role:admin repo: + initContainers: + - command: + - bash + - -c + - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest + name: fetch-ca + resources: {} + volumeMounts: + - mountPath: /var/run/kube-root-ca + name: kube-root-ca + - mountPath: /var/run/trusted-ca + name: trusted-ca-bundle + - mountPath: /var/run/trusted-hub + name: trusted-hub-bundle + - mountPath: /tmp/ca-bundles + name: ca-bundles + resources: + limits: + cpu: "1" + memory: 1Gi + requests: + cpu: 250m + memory: 256Mi + volumeMounts: + - mountPath: /etc/pki/tls/certs + name: ca-bundles + volumes: + - configMap: + name: kube-root-ca.crt + name: kube-root-ca + - configMap: + name: trusted-ca-bundle + optional: true + name: trusted-ca-bundle + - configMap: + name: trusted-hub-bundle + optional: true + name: trusted-hub-bundle + - emptyDir: {} + name: ca-bundles resources: limits: cpu: "1" @@ -1086,7 +1335,7 @@ spec: requests: cpu: 250m memory: 256Mi - resourceExclusions: | + resourceExclusions: | - apiGroups: - tekton.dev kinds: @@ -1132,6 +1381,33 @@ spec: location: ApplicationMenu text: 'Example ArgoCD' --- +# Source: clustergroup/templates/core/nodes.yaml +apiVersion: v1 +kind: Node +metadata: + name: m-m00.cluster.example.tld + labels: + argocd.argoproj.io/managed-by: mypattern-example + cluster.ocs.openshift.io/openshift-storage: "" +--- +# Source: clustergroup/templates/core/nodes.yaml +apiVersion: v1 +kind: Node +metadata: + name: m-m01.cluster.example.tld + labels: + argocd.argoproj.io/managed-by: mypattern-example + cluster.ocs.openshift.io/openshift-storage: "" +--- +# Source: clustergroup/templates/core/nodes.yaml +apiVersion: v1 +kind: Node +metadata: + name: m-m02.cluster.example.tld + labels: + argocd.argoproj.io/managed-by: mypattern-example + cluster.ocs.openshift.io/openshift-storage: "" +--- # Source: clustergroup/templates/core/operatorgroup.yaml --- apiVersion: operators.coreos.com/v1 @@ -1151,8 +1427,6 @@ kind: OperatorGroup metadata: name: exclude-targetns-operator-group namespace: exclude-targetns -spec: - targetNamespaces: --- # Source: clustergroup/templates/core/operatorgroup.yaml --- @@ -1175,6 +1449,14 @@ spec: targetNamespaces: - include-default-og --- +# Source: clustergroup/templates/core/scheduler.yaml +apiVersion: config.openshift.io/v1 +kind: Scheduler +metadata: + name: cluster +spec: + mastersSchedulable: true +--- # Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription diff --git a/tests/common-golang-external-secrets-industrial-edge-factory.expected.yaml b/tests/common-golang-external-secrets-industrial-edge-factory.expected.yaml index dde550f..66b2329 100644 --- a/tests/common-golang-external-secrets-industrial-edge-factory.expected.yaml +++ b/tests/common-golang-external-secrets-industrial-edge-factory.expected.yaml @@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: common-golang-external-secrets namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -67,7 +67,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: acraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -263,7 +265,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: clusterexternalsecrets.external-secrets.io spec: group: external-secrets.io @@ -780,11 +784,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -827,11 +833,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -844,7 +852,7 @@ spec: x-kubernetes-map-type: atomic type: array namespaces: - description: Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing. + description: Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing. items: type: string type: array @@ -916,7 +924,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: clustersecretstores.external-secrets.io spec: group: external-secrets.io @@ -2457,6 +2467,11 @@ spec: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. properties: + namespaceRegexes: + description: Choose namespaces by using regex matching + items: + type: string + type: array namespaceSelector: description: Choose namespace using a labelSelector properties: @@ -2484,11 +2499,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -2921,6 +2938,23 @@ spec: authSecretRef: description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. properties: + clientCertificate: + description: The Azure ClientCertificate of the service principle used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object clientId: description: The Azure clientId of the service principle or managed identity used for authentication. properties: @@ -3034,6 +3068,63 @@ spec: required: - vaultUrl type: object + bitwardensecretsmanager: + description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider + properties: + apiURL: + type: string + auth: + description: |- + Auth configures how secret-manager authenticates with a bitwarden machine account instance. + Make sure that the token being used has permissions on the given secret. + properties: + secretRef: + description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance. + properties: + credentials: + description: AccessToken used for the bitwarden instance. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - credentials + type: object + required: + - secretRef + type: object + bitwardenServerSDKURL: + type: string + caBundle: + description: |- + Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack + can be performed. + type: string + identityURL: + type: string + organizationID: + description: OrganizationID determines which organization this secret store manages. + type: string + projectID: + description: ProjectID determines which project this secret store manages. + type: string + required: + - auth + - caBundle + - organizationID + - projectID + type: object chef: description: Chef configures this store to sync secrets with chef server properties: @@ -3295,6 +3386,42 @@ spec: - clientSecret - tenant type: object + device42: + description: Device42 configures this store to sync secrets using the Device42 provider + properties: + auth: + description: Auth configures how secret-manager authenticates with a Device42 instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + host: + description: URL configures the Device42 instance URL. + type: string + required: + - auth + - host + type: object doppler: description: Doppler configures this store to sync secrets using the Doppler provider properties: @@ -3471,6 +3598,9 @@ spec: - serviceAccountRef type: object type: object + location: + description: Location optionally defines a location for a secret + type: string projectID: description: ProjectID project where secret is located type: string @@ -3573,6 +3703,77 @@ spec: required: - auth type: object + infisical: + description: Infisical configures this store to sync secrets using the Infisical provider + properties: + auth: + description: Auth configures how the Operator authenticates with the Infisical API + properties: + universalAuthCredentials: + properties: + clientId: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + clientSecret: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - clientId + - clientSecret + type: object + type: object + hostAPI: + default: https://app.infisical.com/api + type: string + secretsScope: + properties: + environmentSlug: + type: string + projectSlug: + type: string + secretsPath: + default: / + type: string + required: + - environmentSlug + - projectSlug + type: object + required: + - auth + - secretsScope + type: object keepersecurity: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: @@ -3697,6 +3898,23 @@ spec: type: object type: object type: object + authRef: + description: A reference to a secret that contains the auth information. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object remoteNamespace: default: default description: Remote namespace to fetch the secrets from @@ -3737,8 +3955,6 @@ spec: description: configures the Kubernetes server Address. type: string type: object - required: - - auth type: object onboardbase: description: Onboardbase configures this store to sync secrets using the Onboardbase provider @@ -5079,7 +5295,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: ecrauthorizationtokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -5246,7 +5464,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: externalsecrets.external-secrets.io spec: group: external-secrets.io @@ -5487,10 +5707,15 @@ spec: description: Binding represents a servicebinding.io Provisioned Service reference to the secret properties: name: + default: "" description: |- Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic @@ -5993,10 +6218,15 @@ spec: description: Binding represents a servicebinding.io Provisioned Service reference to the secret properties: name: + default: "" description: |- Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic @@ -6051,7 +6281,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: fakes.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -6127,7 +6359,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -6255,7 +6489,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: githubaccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -6299,7 +6535,7 @@ spec: auth: description: Auth configures how ESO authenticates with a Github instance. properties: - privatKey: + privateKey: properties: secretRef: description: |- @@ -6324,7 +6560,7 @@ spec: - secretRef type: object required: - - privatKey + - privateKey type: object installID: type: string @@ -6357,7 +6593,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: passwords.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -6455,7 +6693,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: pushsecrets.external-secrets.io spec: group: external-secrets.io @@ -6586,11 +6824,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -6831,7 +7071,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: secretstores.external-secrets.io spec: group: external-secrets.io @@ -8372,6 +8614,11 @@ spec: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. properties: + namespaceRegexes: + description: Choose namespaces by using regex matching + items: + type: string + type: array namespaceSelector: description: Choose namespace using a labelSelector properties: @@ -8399,11 +8646,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -8836,6 +9085,23 @@ spec: authSecretRef: description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. properties: + clientCertificate: + description: The Azure ClientCertificate of the service principle used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object clientId: description: The Azure clientId of the service principle or managed identity used for authentication. properties: @@ -8949,6 +9215,63 @@ spec: required: - vaultUrl type: object + bitwardensecretsmanager: + description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider + properties: + apiURL: + type: string + auth: + description: |- + Auth configures how secret-manager authenticates with a bitwarden machine account instance. + Make sure that the token being used has permissions on the given secret. + properties: + secretRef: + description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance. + properties: + credentials: + description: AccessToken used for the bitwarden instance. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - credentials + type: object + required: + - secretRef + type: object + bitwardenServerSDKURL: + type: string + caBundle: + description: |- + Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack + can be performed. + type: string + identityURL: + type: string + organizationID: + description: OrganizationID determines which organization this secret store manages. + type: string + projectID: + description: ProjectID determines which project this secret store manages. + type: string + required: + - auth + - caBundle + - organizationID + - projectID + type: object chef: description: Chef configures this store to sync secrets with chef server properties: @@ -9210,6 +9533,42 @@ spec: - clientSecret - tenant type: object + device42: + description: Device42 configures this store to sync secrets using the Device42 provider + properties: + auth: + description: Auth configures how secret-manager authenticates with a Device42 instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + host: + description: URL configures the Device42 instance URL. + type: string + required: + - auth + - host + type: object doppler: description: Doppler configures this store to sync secrets using the Doppler provider properties: @@ -9386,6 +9745,9 @@ spec: - serviceAccountRef type: object type: object + location: + description: Location optionally defines a location for a secret + type: string projectID: description: ProjectID project where secret is located type: string @@ -9488,6 +9850,77 @@ spec: required: - auth type: object + infisical: + description: Infisical configures this store to sync secrets using the Infisical provider + properties: + auth: + description: Auth configures how the Operator authenticates with the Infisical API + properties: + universalAuthCredentials: + properties: + clientId: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + clientSecret: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - clientId + - clientSecret + type: object + type: object + hostAPI: + default: https://app.infisical.com/api + type: string + secretsScope: + properties: + environmentSlug: + type: string + projectSlug: + type: string + secretsPath: + default: / + type: string + required: + - environmentSlug + - projectSlug + type: object + required: + - auth + - secretsScope + type: object keepersecurity: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: @@ -9612,6 +10045,23 @@ spec: type: object type: object type: object + authRef: + description: A reference to a secret that contains the auth information. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object remoteNamespace: default: default description: Remote namespace to fetch the secrets from @@ -9652,8 +10102,6 @@ spec: description: configures the Kubernetes server Address. type: string type: object - required: - - auth type: object onboardbase: description: Onboardbase configures this store to sync secrets using the Onboardbase provider @@ -10994,7 +11442,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -11686,7 +12136,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: webhooks.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -11834,10 +12286,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -11901,10 +12353,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -11938,6 +12390,7 @@ rules: - "pushsecrets/status" - "pushsecrets/finalizers" verbs: + - "get" - "update" - "patch" - apiGroups: @@ -12012,10 +12465,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -12054,10 +12507,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" @@ -12100,10 +12553,10 @@ metadata: name: common-golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -12121,10 +12574,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -12141,10 +12594,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -12177,10 +12630,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -12216,10 +12669,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -12237,10 +12690,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -12261,10 +12714,10 @@ metadata: name: common-golang-external-secrets-cert-controller namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -12276,10 +12729,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller @@ -12294,7 +12747,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi + image: ghcr.io/external-secrets/external-secrets:v0.9.20-ubi imagePullPolicy: IfNotPresent args: - certcontroller @@ -12305,7 +12758,9 @@ spec: - --secret-namespace=default - --metrics-addr=:8080 - --healthz-addr=:8081 - + - --loglevel=info + - --zap-time-encoding=epoch + - --enable-partial-cache=true ports: - containerPort: 8080 protocol: TCP @@ -12324,10 +12779,10 @@ metadata: name: common-golang-external-secrets namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -12339,10 +12794,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: common-golang-external-secrets @@ -12357,15 +12812,18 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi + image: ghcr.io/external-secrets/external-secrets:v0.9.20-ubi imagePullPolicy: IfNotPresent args: - --concurrent=1 - --metrics-addr=:8080 + - --loglevel=info + - --zap-time-encoding=epoch ports: - containerPort: 8080 protocol: TCP name: metrics + dnsPolicy: ClusterFirst --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-deployment.yaml apiVersion: apps/v1 @@ -12374,10 +12832,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -12389,10 +12847,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false @@ -12407,7 +12865,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi + image: ghcr.io/external-secrets/external-secrets:v0.9.20-ubi imagePullPolicy: IfNotPresent args: - webhook @@ -12417,6 +12875,8 @@ spec: - --check-interval=5m - --metrics-addr=:8080 - --healthz-addr=:8081 + - --loglevel=info + - --zap-time-encoding=epoch ports: - containerPort: 8080 protocol: TCP @@ -12457,7 +12917,7 @@ spec: type: Secret name: hub-ca key: hub-kube-root-ca.crt - namespace: imperative + namespace: golang-external-secrets auth: kubernetes: diff --git a/tests/common-golang-external-secrets-industrial-edge-hub.expected.yaml b/tests/common-golang-external-secrets-industrial-edge-hub.expected.yaml index a0ad351..b7c2ad9 100644 --- a/tests/common-golang-external-secrets-industrial-edge-hub.expected.yaml +++ b/tests/common-golang-external-secrets-industrial-edge-hub.expected.yaml @@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: common-golang-external-secrets namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -67,7 +67,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: acraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -263,7 +265,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: clusterexternalsecrets.external-secrets.io spec: group: external-secrets.io @@ -780,11 +784,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -827,11 +833,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -844,7 +852,7 @@ spec: x-kubernetes-map-type: atomic type: array namespaces: - description: Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing. + description: Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing. items: type: string type: array @@ -916,7 +924,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: clustersecretstores.external-secrets.io spec: group: external-secrets.io @@ -2457,6 +2467,11 @@ spec: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. properties: + namespaceRegexes: + description: Choose namespaces by using regex matching + items: + type: string + type: array namespaceSelector: description: Choose namespace using a labelSelector properties: @@ -2484,11 +2499,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -2921,6 +2938,23 @@ spec: authSecretRef: description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. properties: + clientCertificate: + description: The Azure ClientCertificate of the service principle used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object clientId: description: The Azure clientId of the service principle or managed identity used for authentication. properties: @@ -3034,6 +3068,63 @@ spec: required: - vaultUrl type: object + bitwardensecretsmanager: + description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider + properties: + apiURL: + type: string + auth: + description: |- + Auth configures how secret-manager authenticates with a bitwarden machine account instance. + Make sure that the token being used has permissions on the given secret. + properties: + secretRef: + description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance. + properties: + credentials: + description: AccessToken used for the bitwarden instance. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - credentials + type: object + required: + - secretRef + type: object + bitwardenServerSDKURL: + type: string + caBundle: + description: |- + Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack + can be performed. + type: string + identityURL: + type: string + organizationID: + description: OrganizationID determines which organization this secret store manages. + type: string + projectID: + description: ProjectID determines which project this secret store manages. + type: string + required: + - auth + - caBundle + - organizationID + - projectID + type: object chef: description: Chef configures this store to sync secrets with chef server properties: @@ -3295,6 +3386,42 @@ spec: - clientSecret - tenant type: object + device42: + description: Device42 configures this store to sync secrets using the Device42 provider + properties: + auth: + description: Auth configures how secret-manager authenticates with a Device42 instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + host: + description: URL configures the Device42 instance URL. + type: string + required: + - auth + - host + type: object doppler: description: Doppler configures this store to sync secrets using the Doppler provider properties: @@ -3471,6 +3598,9 @@ spec: - serviceAccountRef type: object type: object + location: + description: Location optionally defines a location for a secret + type: string projectID: description: ProjectID project where secret is located type: string @@ -3573,6 +3703,77 @@ spec: required: - auth type: object + infisical: + description: Infisical configures this store to sync secrets using the Infisical provider + properties: + auth: + description: Auth configures how the Operator authenticates with the Infisical API + properties: + universalAuthCredentials: + properties: + clientId: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + clientSecret: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - clientId + - clientSecret + type: object + type: object + hostAPI: + default: https://app.infisical.com/api + type: string + secretsScope: + properties: + environmentSlug: + type: string + projectSlug: + type: string + secretsPath: + default: / + type: string + required: + - environmentSlug + - projectSlug + type: object + required: + - auth + - secretsScope + type: object keepersecurity: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: @@ -3697,6 +3898,23 @@ spec: type: object type: object type: object + authRef: + description: A reference to a secret that contains the auth information. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object remoteNamespace: default: default description: Remote namespace to fetch the secrets from @@ -3737,8 +3955,6 @@ spec: description: configures the Kubernetes server Address. type: string type: object - required: - - auth type: object onboardbase: description: Onboardbase configures this store to sync secrets using the Onboardbase provider @@ -5079,7 +5295,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: ecrauthorizationtokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -5246,7 +5464,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: externalsecrets.external-secrets.io spec: group: external-secrets.io @@ -5487,10 +5707,15 @@ spec: description: Binding represents a servicebinding.io Provisioned Service reference to the secret properties: name: + default: "" description: |- Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic @@ -5993,10 +6218,15 @@ spec: description: Binding represents a servicebinding.io Provisioned Service reference to the secret properties: name: + default: "" description: |- Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic @@ -6051,7 +6281,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: fakes.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -6127,7 +6359,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -6255,7 +6489,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: githubaccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -6299,7 +6535,7 @@ spec: auth: description: Auth configures how ESO authenticates with a Github instance. properties: - privatKey: + privateKey: properties: secretRef: description: |- @@ -6324,7 +6560,7 @@ spec: - secretRef type: object required: - - privatKey + - privateKey type: object installID: type: string @@ -6357,7 +6593,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: passwords.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -6455,7 +6693,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: pushsecrets.external-secrets.io spec: group: external-secrets.io @@ -6586,11 +6824,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -6831,7 +7071,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: secretstores.external-secrets.io spec: group: external-secrets.io @@ -8372,6 +8614,11 @@ spec: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. properties: + namespaceRegexes: + description: Choose namespaces by using regex matching + items: + type: string + type: array namespaceSelector: description: Choose namespace using a labelSelector properties: @@ -8399,11 +8646,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -8836,6 +9085,23 @@ spec: authSecretRef: description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. properties: + clientCertificate: + description: The Azure ClientCertificate of the service principle used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object clientId: description: The Azure clientId of the service principle or managed identity used for authentication. properties: @@ -8949,6 +9215,63 @@ spec: required: - vaultUrl type: object + bitwardensecretsmanager: + description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider + properties: + apiURL: + type: string + auth: + description: |- + Auth configures how secret-manager authenticates with a bitwarden machine account instance. + Make sure that the token being used has permissions on the given secret. + properties: + secretRef: + description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance. + properties: + credentials: + description: AccessToken used for the bitwarden instance. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - credentials + type: object + required: + - secretRef + type: object + bitwardenServerSDKURL: + type: string + caBundle: + description: |- + Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack + can be performed. + type: string + identityURL: + type: string + organizationID: + description: OrganizationID determines which organization this secret store manages. + type: string + projectID: + description: ProjectID determines which project this secret store manages. + type: string + required: + - auth + - caBundle + - organizationID + - projectID + type: object chef: description: Chef configures this store to sync secrets with chef server properties: @@ -9210,6 +9533,42 @@ spec: - clientSecret - tenant type: object + device42: + description: Device42 configures this store to sync secrets using the Device42 provider + properties: + auth: + description: Auth configures how secret-manager authenticates with a Device42 instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + host: + description: URL configures the Device42 instance URL. + type: string + required: + - auth + - host + type: object doppler: description: Doppler configures this store to sync secrets using the Doppler provider properties: @@ -9386,6 +9745,9 @@ spec: - serviceAccountRef type: object type: object + location: + description: Location optionally defines a location for a secret + type: string projectID: description: ProjectID project where secret is located type: string @@ -9488,6 +9850,77 @@ spec: required: - auth type: object + infisical: + description: Infisical configures this store to sync secrets using the Infisical provider + properties: + auth: + description: Auth configures how the Operator authenticates with the Infisical API + properties: + universalAuthCredentials: + properties: + clientId: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + clientSecret: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - clientId + - clientSecret + type: object + type: object + hostAPI: + default: https://app.infisical.com/api + type: string + secretsScope: + properties: + environmentSlug: + type: string + projectSlug: + type: string + secretsPath: + default: / + type: string + required: + - environmentSlug + - projectSlug + type: object + required: + - auth + - secretsScope + type: object keepersecurity: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: @@ -9612,6 +10045,23 @@ spec: type: object type: object type: object + authRef: + description: A reference to a secret that contains the auth information. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object remoteNamespace: default: default description: Remote namespace to fetch the secrets from @@ -9652,8 +10102,6 @@ spec: description: configures the Kubernetes server Address. type: string type: object - required: - - auth type: object onboardbase: description: Onboardbase configures this store to sync secrets using the Onboardbase provider @@ -10994,7 +11442,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -11686,7 +12136,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: webhooks.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -11834,10 +12286,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -11901,10 +12353,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -11938,6 +12390,7 @@ rules: - "pushsecrets/status" - "pushsecrets/finalizers" verbs: + - "get" - "update" - "patch" - apiGroups: @@ -12012,10 +12465,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -12054,10 +12507,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" @@ -12100,10 +12553,10 @@ metadata: name: common-golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -12121,10 +12574,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -12141,10 +12594,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -12177,10 +12630,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -12216,10 +12669,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -12237,10 +12690,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -12261,10 +12714,10 @@ metadata: name: common-golang-external-secrets-cert-controller namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -12276,10 +12729,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller @@ -12294,7 +12747,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi + image: ghcr.io/external-secrets/external-secrets:v0.9.20-ubi imagePullPolicy: IfNotPresent args: - certcontroller @@ -12305,7 +12758,9 @@ spec: - --secret-namespace=default - --metrics-addr=:8080 - --healthz-addr=:8081 - + - --loglevel=info + - --zap-time-encoding=epoch + - --enable-partial-cache=true ports: - containerPort: 8080 protocol: TCP @@ -12324,10 +12779,10 @@ metadata: name: common-golang-external-secrets namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -12339,10 +12794,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: common-golang-external-secrets @@ -12357,15 +12812,18 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi + image: ghcr.io/external-secrets/external-secrets:v0.9.20-ubi imagePullPolicy: IfNotPresent args: - --concurrent=1 - --metrics-addr=:8080 + - --loglevel=info + - --zap-time-encoding=epoch ports: - containerPort: 8080 protocol: TCP name: metrics + dnsPolicy: ClusterFirst --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-deployment.yaml apiVersion: apps/v1 @@ -12374,10 +12832,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -12389,10 +12847,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false @@ -12407,7 +12865,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi + image: ghcr.io/external-secrets/external-secrets:v0.9.20-ubi imagePullPolicy: IfNotPresent args: - webhook @@ -12417,6 +12875,8 @@ spec: - --check-interval=5m - --metrics-addr=:8080 - --healthz-addr=:8081 + - --loglevel=info + - --zap-time-encoding=epoch ports: - containerPort: 8080 protocol: TCP diff --git a/tests/common-golang-external-secrets-medical-diagnosis-hub.expected.yaml b/tests/common-golang-external-secrets-medical-diagnosis-hub.expected.yaml index a0ad351..b7c2ad9 100644 --- a/tests/common-golang-external-secrets-medical-diagnosis-hub.expected.yaml +++ b/tests/common-golang-external-secrets-medical-diagnosis-hub.expected.yaml @@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: common-golang-external-secrets namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -67,7 +67,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: acraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -263,7 +265,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: clusterexternalsecrets.external-secrets.io spec: group: external-secrets.io @@ -780,11 +784,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -827,11 +833,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -844,7 +852,7 @@ spec: x-kubernetes-map-type: atomic type: array namespaces: - description: Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing. + description: Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing. items: type: string type: array @@ -916,7 +924,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: clustersecretstores.external-secrets.io spec: group: external-secrets.io @@ -2457,6 +2467,11 @@ spec: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. properties: + namespaceRegexes: + description: Choose namespaces by using regex matching + items: + type: string + type: array namespaceSelector: description: Choose namespace using a labelSelector properties: @@ -2484,11 +2499,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -2921,6 +2938,23 @@ spec: authSecretRef: description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. properties: + clientCertificate: + description: The Azure ClientCertificate of the service principle used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object clientId: description: The Azure clientId of the service principle or managed identity used for authentication. properties: @@ -3034,6 +3068,63 @@ spec: required: - vaultUrl type: object + bitwardensecretsmanager: + description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider + properties: + apiURL: + type: string + auth: + description: |- + Auth configures how secret-manager authenticates with a bitwarden machine account instance. + Make sure that the token being used has permissions on the given secret. + properties: + secretRef: + description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance. + properties: + credentials: + description: AccessToken used for the bitwarden instance. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - credentials + type: object + required: + - secretRef + type: object + bitwardenServerSDKURL: + type: string + caBundle: + description: |- + Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack + can be performed. + type: string + identityURL: + type: string + organizationID: + description: OrganizationID determines which organization this secret store manages. + type: string + projectID: + description: ProjectID determines which project this secret store manages. + type: string + required: + - auth + - caBundle + - organizationID + - projectID + type: object chef: description: Chef configures this store to sync secrets with chef server properties: @@ -3295,6 +3386,42 @@ spec: - clientSecret - tenant type: object + device42: + description: Device42 configures this store to sync secrets using the Device42 provider + properties: + auth: + description: Auth configures how secret-manager authenticates with a Device42 instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + host: + description: URL configures the Device42 instance URL. + type: string + required: + - auth + - host + type: object doppler: description: Doppler configures this store to sync secrets using the Doppler provider properties: @@ -3471,6 +3598,9 @@ spec: - serviceAccountRef type: object type: object + location: + description: Location optionally defines a location for a secret + type: string projectID: description: ProjectID project where secret is located type: string @@ -3573,6 +3703,77 @@ spec: required: - auth type: object + infisical: + description: Infisical configures this store to sync secrets using the Infisical provider + properties: + auth: + description: Auth configures how the Operator authenticates with the Infisical API + properties: + universalAuthCredentials: + properties: + clientId: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + clientSecret: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - clientId + - clientSecret + type: object + type: object + hostAPI: + default: https://app.infisical.com/api + type: string + secretsScope: + properties: + environmentSlug: + type: string + projectSlug: + type: string + secretsPath: + default: / + type: string + required: + - environmentSlug + - projectSlug + type: object + required: + - auth + - secretsScope + type: object keepersecurity: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: @@ -3697,6 +3898,23 @@ spec: type: object type: object type: object + authRef: + description: A reference to a secret that contains the auth information. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object remoteNamespace: default: default description: Remote namespace to fetch the secrets from @@ -3737,8 +3955,6 @@ spec: description: configures the Kubernetes server Address. type: string type: object - required: - - auth type: object onboardbase: description: Onboardbase configures this store to sync secrets using the Onboardbase provider @@ -5079,7 +5295,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: ecrauthorizationtokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -5246,7 +5464,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: externalsecrets.external-secrets.io spec: group: external-secrets.io @@ -5487,10 +5707,15 @@ spec: description: Binding represents a servicebinding.io Provisioned Service reference to the secret properties: name: + default: "" description: |- Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic @@ -5993,10 +6218,15 @@ spec: description: Binding represents a servicebinding.io Provisioned Service reference to the secret properties: name: + default: "" description: |- Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic @@ -6051,7 +6281,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: fakes.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -6127,7 +6359,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -6255,7 +6489,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: githubaccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -6299,7 +6535,7 @@ spec: auth: description: Auth configures how ESO authenticates with a Github instance. properties: - privatKey: + privateKey: properties: secretRef: description: |- @@ -6324,7 +6560,7 @@ spec: - secretRef type: object required: - - privatKey + - privateKey type: object installID: type: string @@ -6357,7 +6593,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: passwords.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -6455,7 +6693,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: pushsecrets.external-secrets.io spec: group: external-secrets.io @@ -6586,11 +6824,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -6831,7 +7071,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: secretstores.external-secrets.io spec: group: external-secrets.io @@ -8372,6 +8614,11 @@ spec: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. properties: + namespaceRegexes: + description: Choose namespaces by using regex matching + items: + type: string + type: array namespaceSelector: description: Choose namespace using a labelSelector properties: @@ -8399,11 +8646,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -8836,6 +9085,23 @@ spec: authSecretRef: description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. properties: + clientCertificate: + description: The Azure ClientCertificate of the service principle used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object clientId: description: The Azure clientId of the service principle or managed identity used for authentication. properties: @@ -8949,6 +9215,63 @@ spec: required: - vaultUrl type: object + bitwardensecretsmanager: + description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider + properties: + apiURL: + type: string + auth: + description: |- + Auth configures how secret-manager authenticates with a bitwarden machine account instance. + Make sure that the token being used has permissions on the given secret. + properties: + secretRef: + description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance. + properties: + credentials: + description: AccessToken used for the bitwarden instance. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - credentials + type: object + required: + - secretRef + type: object + bitwardenServerSDKURL: + type: string + caBundle: + description: |- + Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack + can be performed. + type: string + identityURL: + type: string + organizationID: + description: OrganizationID determines which organization this secret store manages. + type: string + projectID: + description: ProjectID determines which project this secret store manages. + type: string + required: + - auth + - caBundle + - organizationID + - projectID + type: object chef: description: Chef configures this store to sync secrets with chef server properties: @@ -9210,6 +9533,42 @@ spec: - clientSecret - tenant type: object + device42: + description: Device42 configures this store to sync secrets using the Device42 provider + properties: + auth: + description: Auth configures how secret-manager authenticates with a Device42 instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + host: + description: URL configures the Device42 instance URL. + type: string + required: + - auth + - host + type: object doppler: description: Doppler configures this store to sync secrets using the Doppler provider properties: @@ -9386,6 +9745,9 @@ spec: - serviceAccountRef type: object type: object + location: + description: Location optionally defines a location for a secret + type: string projectID: description: ProjectID project where secret is located type: string @@ -9488,6 +9850,77 @@ spec: required: - auth type: object + infisical: + description: Infisical configures this store to sync secrets using the Infisical provider + properties: + auth: + description: Auth configures how the Operator authenticates with the Infisical API + properties: + universalAuthCredentials: + properties: + clientId: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + clientSecret: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - clientId + - clientSecret + type: object + type: object + hostAPI: + default: https://app.infisical.com/api + type: string + secretsScope: + properties: + environmentSlug: + type: string + projectSlug: + type: string + secretsPath: + default: / + type: string + required: + - environmentSlug + - projectSlug + type: object + required: + - auth + - secretsScope + type: object keepersecurity: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: @@ -9612,6 +10045,23 @@ spec: type: object type: object type: object + authRef: + description: A reference to a secret that contains the auth information. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object remoteNamespace: default: default description: Remote namespace to fetch the secrets from @@ -9652,8 +10102,6 @@ spec: description: configures the Kubernetes server Address. type: string type: object - required: - - auth type: object onboardbase: description: Onboardbase configures this store to sync secrets using the Onboardbase provider @@ -10994,7 +11442,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -11686,7 +12136,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: webhooks.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -11834,10 +12286,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -11901,10 +12353,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -11938,6 +12390,7 @@ rules: - "pushsecrets/status" - "pushsecrets/finalizers" verbs: + - "get" - "update" - "patch" - apiGroups: @@ -12012,10 +12465,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -12054,10 +12507,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" @@ -12100,10 +12553,10 @@ metadata: name: common-golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -12121,10 +12574,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -12141,10 +12594,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -12177,10 +12630,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -12216,10 +12669,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -12237,10 +12690,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -12261,10 +12714,10 @@ metadata: name: common-golang-external-secrets-cert-controller namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -12276,10 +12729,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller @@ -12294,7 +12747,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi + image: ghcr.io/external-secrets/external-secrets:v0.9.20-ubi imagePullPolicy: IfNotPresent args: - certcontroller @@ -12305,7 +12758,9 @@ spec: - --secret-namespace=default - --metrics-addr=:8080 - --healthz-addr=:8081 - + - --loglevel=info + - --zap-time-encoding=epoch + - --enable-partial-cache=true ports: - containerPort: 8080 protocol: TCP @@ -12324,10 +12779,10 @@ metadata: name: common-golang-external-secrets namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -12339,10 +12794,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: common-golang-external-secrets @@ -12357,15 +12812,18 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi + image: ghcr.io/external-secrets/external-secrets:v0.9.20-ubi imagePullPolicy: IfNotPresent args: - --concurrent=1 - --metrics-addr=:8080 + - --loglevel=info + - --zap-time-encoding=epoch ports: - containerPort: 8080 protocol: TCP name: metrics + dnsPolicy: ClusterFirst --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-deployment.yaml apiVersion: apps/v1 @@ -12374,10 +12832,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -12389,10 +12847,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false @@ -12407,7 +12865,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi + image: ghcr.io/external-secrets/external-secrets:v0.9.20-ubi imagePullPolicy: IfNotPresent args: - webhook @@ -12417,6 +12875,8 @@ spec: - --check-interval=5m - --metrics-addr=:8080 - --healthz-addr=:8081 + - --loglevel=info + - --zap-time-encoding=epoch ports: - containerPort: 8080 protocol: TCP diff --git a/tests/common-golang-external-secrets-naked.expected.yaml b/tests/common-golang-external-secrets-naked.expected.yaml index 3d54dd6..b6a836e 100644 --- a/tests/common-golang-external-secrets-naked.expected.yaml +++ b/tests/common-golang-external-secrets-naked.expected.yaml @@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: common-golang-external-secrets namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -67,7 +67,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: acraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -263,7 +265,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: clusterexternalsecrets.external-secrets.io spec: group: external-secrets.io @@ -780,11 +784,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -827,11 +833,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -844,7 +852,7 @@ spec: x-kubernetes-map-type: atomic type: array namespaces: - description: Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing. + description: Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing. items: type: string type: array @@ -916,7 +924,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: clustersecretstores.external-secrets.io spec: group: external-secrets.io @@ -2457,6 +2467,11 @@ spec: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. properties: + namespaceRegexes: + description: Choose namespaces by using regex matching + items: + type: string + type: array namespaceSelector: description: Choose namespace using a labelSelector properties: @@ -2484,11 +2499,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -2921,6 +2938,23 @@ spec: authSecretRef: description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. properties: + clientCertificate: + description: The Azure ClientCertificate of the service principle used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object clientId: description: The Azure clientId of the service principle or managed identity used for authentication. properties: @@ -3034,6 +3068,63 @@ spec: required: - vaultUrl type: object + bitwardensecretsmanager: + description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider + properties: + apiURL: + type: string + auth: + description: |- + Auth configures how secret-manager authenticates with a bitwarden machine account instance. + Make sure that the token being used has permissions on the given secret. + properties: + secretRef: + description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance. + properties: + credentials: + description: AccessToken used for the bitwarden instance. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - credentials + type: object + required: + - secretRef + type: object + bitwardenServerSDKURL: + type: string + caBundle: + description: |- + Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack + can be performed. + type: string + identityURL: + type: string + organizationID: + description: OrganizationID determines which organization this secret store manages. + type: string + projectID: + description: ProjectID determines which project this secret store manages. + type: string + required: + - auth + - caBundle + - organizationID + - projectID + type: object chef: description: Chef configures this store to sync secrets with chef server properties: @@ -3295,6 +3386,42 @@ spec: - clientSecret - tenant type: object + device42: + description: Device42 configures this store to sync secrets using the Device42 provider + properties: + auth: + description: Auth configures how secret-manager authenticates with a Device42 instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + host: + description: URL configures the Device42 instance URL. + type: string + required: + - auth + - host + type: object doppler: description: Doppler configures this store to sync secrets using the Doppler provider properties: @@ -3471,6 +3598,9 @@ spec: - serviceAccountRef type: object type: object + location: + description: Location optionally defines a location for a secret + type: string projectID: description: ProjectID project where secret is located type: string @@ -3573,6 +3703,77 @@ spec: required: - auth type: object + infisical: + description: Infisical configures this store to sync secrets using the Infisical provider + properties: + auth: + description: Auth configures how the Operator authenticates with the Infisical API + properties: + universalAuthCredentials: + properties: + clientId: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + clientSecret: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - clientId + - clientSecret + type: object + type: object + hostAPI: + default: https://app.infisical.com/api + type: string + secretsScope: + properties: + environmentSlug: + type: string + projectSlug: + type: string + secretsPath: + default: / + type: string + required: + - environmentSlug + - projectSlug + type: object + required: + - auth + - secretsScope + type: object keepersecurity: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: @@ -3697,6 +3898,23 @@ spec: type: object type: object type: object + authRef: + description: A reference to a secret that contains the auth information. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object remoteNamespace: default: default description: Remote namespace to fetch the secrets from @@ -3737,8 +3955,6 @@ spec: description: configures the Kubernetes server Address. type: string type: object - required: - - auth type: object onboardbase: description: Onboardbase configures this store to sync secrets using the Onboardbase provider @@ -5079,7 +5295,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: ecrauthorizationtokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -5246,7 +5464,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: externalsecrets.external-secrets.io spec: group: external-secrets.io @@ -5487,10 +5707,15 @@ spec: description: Binding represents a servicebinding.io Provisioned Service reference to the secret properties: name: + default: "" description: |- Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic @@ -5993,10 +6218,15 @@ spec: description: Binding represents a servicebinding.io Provisioned Service reference to the secret properties: name: + default: "" description: |- Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic @@ -6051,7 +6281,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: fakes.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -6127,7 +6359,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -6255,7 +6489,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: githubaccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -6299,7 +6535,7 @@ spec: auth: description: Auth configures how ESO authenticates with a Github instance. properties: - privatKey: + privateKey: properties: secretRef: description: |- @@ -6324,7 +6560,7 @@ spec: - secretRef type: object required: - - privatKey + - privateKey type: object installID: type: string @@ -6357,7 +6593,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: passwords.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -6455,7 +6693,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: pushsecrets.external-secrets.io spec: group: external-secrets.io @@ -6586,11 +6824,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -6831,7 +7071,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: secretstores.external-secrets.io spec: group: external-secrets.io @@ -8372,6 +8614,11 @@ spec: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. properties: + namespaceRegexes: + description: Choose namespaces by using regex matching + items: + type: string + type: array namespaceSelector: description: Choose namespace using a labelSelector properties: @@ -8399,11 +8646,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -8836,6 +9085,23 @@ spec: authSecretRef: description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. properties: + clientCertificate: + description: The Azure ClientCertificate of the service principle used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object clientId: description: The Azure clientId of the service principle or managed identity used for authentication. properties: @@ -8949,6 +9215,63 @@ spec: required: - vaultUrl type: object + bitwardensecretsmanager: + description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider + properties: + apiURL: + type: string + auth: + description: |- + Auth configures how secret-manager authenticates with a bitwarden machine account instance. + Make sure that the token being used has permissions on the given secret. + properties: + secretRef: + description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance. + properties: + credentials: + description: AccessToken used for the bitwarden instance. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - credentials + type: object + required: + - secretRef + type: object + bitwardenServerSDKURL: + type: string + caBundle: + description: |- + Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack + can be performed. + type: string + identityURL: + type: string + organizationID: + description: OrganizationID determines which organization this secret store manages. + type: string + projectID: + description: ProjectID determines which project this secret store manages. + type: string + required: + - auth + - caBundle + - organizationID + - projectID + type: object chef: description: Chef configures this store to sync secrets with chef server properties: @@ -9210,6 +9533,42 @@ spec: - clientSecret - tenant type: object + device42: + description: Device42 configures this store to sync secrets using the Device42 provider + properties: + auth: + description: Auth configures how secret-manager authenticates with a Device42 instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + host: + description: URL configures the Device42 instance URL. + type: string + required: + - auth + - host + type: object doppler: description: Doppler configures this store to sync secrets using the Doppler provider properties: @@ -9386,6 +9745,9 @@ spec: - serviceAccountRef type: object type: object + location: + description: Location optionally defines a location for a secret + type: string projectID: description: ProjectID project where secret is located type: string @@ -9488,6 +9850,77 @@ spec: required: - auth type: object + infisical: + description: Infisical configures this store to sync secrets using the Infisical provider + properties: + auth: + description: Auth configures how the Operator authenticates with the Infisical API + properties: + universalAuthCredentials: + properties: + clientId: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + clientSecret: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - clientId + - clientSecret + type: object + type: object + hostAPI: + default: https://app.infisical.com/api + type: string + secretsScope: + properties: + environmentSlug: + type: string + projectSlug: + type: string + secretsPath: + default: / + type: string + required: + - environmentSlug + - projectSlug + type: object + required: + - auth + - secretsScope + type: object keepersecurity: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: @@ -9612,6 +10045,23 @@ spec: type: object type: object type: object + authRef: + description: A reference to a secret that contains the auth information. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object remoteNamespace: default: default description: Remote namespace to fetch the secrets from @@ -9652,8 +10102,6 @@ spec: description: configures the Kubernetes server Address. type: string type: object - required: - - auth type: object onboardbase: description: Onboardbase configures this store to sync secrets using the Onboardbase provider @@ -10994,7 +11442,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -11686,7 +12136,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: webhooks.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -11834,10 +12286,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -11901,10 +12353,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -11938,6 +12390,7 @@ rules: - "pushsecrets/status" - "pushsecrets/finalizers" verbs: + - "get" - "update" - "patch" - apiGroups: @@ -12012,10 +12465,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -12054,10 +12507,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" @@ -12100,10 +12553,10 @@ metadata: name: common-golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -12121,10 +12574,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -12141,10 +12594,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -12177,10 +12630,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -12216,10 +12669,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -12237,10 +12690,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -12261,10 +12714,10 @@ metadata: name: common-golang-external-secrets-cert-controller namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -12276,10 +12729,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller @@ -12294,7 +12747,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi + image: ghcr.io/external-secrets/external-secrets:v0.9.20-ubi imagePullPolicy: IfNotPresent args: - certcontroller @@ -12305,7 +12758,9 @@ spec: - --secret-namespace=default - --metrics-addr=:8080 - --healthz-addr=:8081 - + - --loglevel=info + - --zap-time-encoding=epoch + - --enable-partial-cache=true ports: - containerPort: 8080 protocol: TCP @@ -12324,10 +12779,10 @@ metadata: name: common-golang-external-secrets namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -12339,10 +12794,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: common-golang-external-secrets @@ -12357,15 +12812,18 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi + image: ghcr.io/external-secrets/external-secrets:v0.9.20-ubi imagePullPolicy: IfNotPresent args: - --concurrent=1 - --metrics-addr=:8080 + - --loglevel=info + - --zap-time-encoding=epoch ports: - containerPort: 8080 protocol: TCP name: metrics + dnsPolicy: ClusterFirst --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-deployment.yaml apiVersion: apps/v1 @@ -12374,10 +12832,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -12389,10 +12847,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false @@ -12407,7 +12865,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi + image: ghcr.io/external-secrets/external-secrets:v0.9.20-ubi imagePullPolicy: IfNotPresent args: - webhook @@ -12417,6 +12875,8 @@ spec: - --check-interval=5m - --metrics-addr=:8080 - --healthz-addr=:8081 + - --loglevel=info + - --zap-time-encoding=epoch ports: - containerPort: 8080 protocol: TCP diff --git a/tests/common-golang-external-secrets-normal.expected.yaml b/tests/common-golang-external-secrets-normal.expected.yaml index a0ad351..b7c2ad9 100644 --- a/tests/common-golang-external-secrets-normal.expected.yaml +++ b/tests/common-golang-external-secrets-normal.expected.yaml @@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: common-golang-external-secrets namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -67,7 +67,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: acraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -263,7 +265,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: clusterexternalsecrets.external-secrets.io spec: group: external-secrets.io @@ -780,11 +784,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -827,11 +833,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -844,7 +852,7 @@ spec: x-kubernetes-map-type: atomic type: array namespaces: - description: Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing. + description: Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing. items: type: string type: array @@ -916,7 +924,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: clustersecretstores.external-secrets.io spec: group: external-secrets.io @@ -2457,6 +2467,11 @@ spec: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. properties: + namespaceRegexes: + description: Choose namespaces by using regex matching + items: + type: string + type: array namespaceSelector: description: Choose namespace using a labelSelector properties: @@ -2484,11 +2499,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -2921,6 +2938,23 @@ spec: authSecretRef: description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. properties: + clientCertificate: + description: The Azure ClientCertificate of the service principle used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object clientId: description: The Azure clientId of the service principle or managed identity used for authentication. properties: @@ -3034,6 +3068,63 @@ spec: required: - vaultUrl type: object + bitwardensecretsmanager: + description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider + properties: + apiURL: + type: string + auth: + description: |- + Auth configures how secret-manager authenticates with a bitwarden machine account instance. + Make sure that the token being used has permissions on the given secret. + properties: + secretRef: + description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance. + properties: + credentials: + description: AccessToken used for the bitwarden instance. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - credentials + type: object + required: + - secretRef + type: object + bitwardenServerSDKURL: + type: string + caBundle: + description: |- + Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack + can be performed. + type: string + identityURL: + type: string + organizationID: + description: OrganizationID determines which organization this secret store manages. + type: string + projectID: + description: ProjectID determines which project this secret store manages. + type: string + required: + - auth + - caBundle + - organizationID + - projectID + type: object chef: description: Chef configures this store to sync secrets with chef server properties: @@ -3295,6 +3386,42 @@ spec: - clientSecret - tenant type: object + device42: + description: Device42 configures this store to sync secrets using the Device42 provider + properties: + auth: + description: Auth configures how secret-manager authenticates with a Device42 instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + host: + description: URL configures the Device42 instance URL. + type: string + required: + - auth + - host + type: object doppler: description: Doppler configures this store to sync secrets using the Doppler provider properties: @@ -3471,6 +3598,9 @@ spec: - serviceAccountRef type: object type: object + location: + description: Location optionally defines a location for a secret + type: string projectID: description: ProjectID project where secret is located type: string @@ -3573,6 +3703,77 @@ spec: required: - auth type: object + infisical: + description: Infisical configures this store to sync secrets using the Infisical provider + properties: + auth: + description: Auth configures how the Operator authenticates with the Infisical API + properties: + universalAuthCredentials: + properties: + clientId: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + clientSecret: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - clientId + - clientSecret + type: object + type: object + hostAPI: + default: https://app.infisical.com/api + type: string + secretsScope: + properties: + environmentSlug: + type: string + projectSlug: + type: string + secretsPath: + default: / + type: string + required: + - environmentSlug + - projectSlug + type: object + required: + - auth + - secretsScope + type: object keepersecurity: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: @@ -3697,6 +3898,23 @@ spec: type: object type: object type: object + authRef: + description: A reference to a secret that contains the auth information. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object remoteNamespace: default: default description: Remote namespace to fetch the secrets from @@ -3737,8 +3955,6 @@ spec: description: configures the Kubernetes server Address. type: string type: object - required: - - auth type: object onboardbase: description: Onboardbase configures this store to sync secrets using the Onboardbase provider @@ -5079,7 +5295,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: ecrauthorizationtokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -5246,7 +5464,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: externalsecrets.external-secrets.io spec: group: external-secrets.io @@ -5487,10 +5707,15 @@ spec: description: Binding represents a servicebinding.io Provisioned Service reference to the secret properties: name: + default: "" description: |- Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic @@ -5993,10 +6218,15 @@ spec: description: Binding represents a servicebinding.io Provisioned Service reference to the secret properties: name: + default: "" description: |- Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic @@ -6051,7 +6281,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: fakes.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -6127,7 +6359,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -6255,7 +6489,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: githubaccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -6299,7 +6535,7 @@ spec: auth: description: Auth configures how ESO authenticates with a Github instance. properties: - privatKey: + privateKey: properties: secretRef: description: |- @@ -6324,7 +6560,7 @@ spec: - secretRef type: object required: - - privatKey + - privateKey type: object installID: type: string @@ -6357,7 +6593,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: passwords.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -6455,7 +6693,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: pushsecrets.external-secrets.io spec: group: external-secrets.io @@ -6586,11 +6824,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -6831,7 +7071,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: secretstores.external-secrets.io spec: group: external-secrets.io @@ -8372,6 +8614,11 @@ spec: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. properties: + namespaceRegexes: + description: Choose namespaces by using regex matching + items: + type: string + type: array namespaceSelector: description: Choose namespace using a labelSelector properties: @@ -8399,11 +8646,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -8836,6 +9085,23 @@ spec: authSecretRef: description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. properties: + clientCertificate: + description: The Azure ClientCertificate of the service principle used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object clientId: description: The Azure clientId of the service principle or managed identity used for authentication. properties: @@ -8949,6 +9215,63 @@ spec: required: - vaultUrl type: object + bitwardensecretsmanager: + description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider + properties: + apiURL: + type: string + auth: + description: |- + Auth configures how secret-manager authenticates with a bitwarden machine account instance. + Make sure that the token being used has permissions on the given secret. + properties: + secretRef: + description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance. + properties: + credentials: + description: AccessToken used for the bitwarden instance. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - credentials + type: object + required: + - secretRef + type: object + bitwardenServerSDKURL: + type: string + caBundle: + description: |- + Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack + can be performed. + type: string + identityURL: + type: string + organizationID: + description: OrganizationID determines which organization this secret store manages. + type: string + projectID: + description: ProjectID determines which project this secret store manages. + type: string + required: + - auth + - caBundle + - organizationID + - projectID + type: object chef: description: Chef configures this store to sync secrets with chef server properties: @@ -9210,6 +9533,42 @@ spec: - clientSecret - tenant type: object + device42: + description: Device42 configures this store to sync secrets using the Device42 provider + properties: + auth: + description: Auth configures how secret-manager authenticates with a Device42 instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + host: + description: URL configures the Device42 instance URL. + type: string + required: + - auth + - host + type: object doppler: description: Doppler configures this store to sync secrets using the Doppler provider properties: @@ -9386,6 +9745,9 @@ spec: - serviceAccountRef type: object type: object + location: + description: Location optionally defines a location for a secret + type: string projectID: description: ProjectID project where secret is located type: string @@ -9488,6 +9850,77 @@ spec: required: - auth type: object + infisical: + description: Infisical configures this store to sync secrets using the Infisical provider + properties: + auth: + description: Auth configures how the Operator authenticates with the Infisical API + properties: + universalAuthCredentials: + properties: + clientId: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + clientSecret: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - clientId + - clientSecret + type: object + type: object + hostAPI: + default: https://app.infisical.com/api + type: string + secretsScope: + properties: + environmentSlug: + type: string + projectSlug: + type: string + secretsPath: + default: / + type: string + required: + - environmentSlug + - projectSlug + type: object + required: + - auth + - secretsScope + type: object keepersecurity: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: @@ -9612,6 +10045,23 @@ spec: type: object type: object type: object + authRef: + description: A reference to a secret that contains the auth information. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object remoteNamespace: default: default description: Remote namespace to fetch the secrets from @@ -9652,8 +10102,6 @@ spec: description: configures the Kubernetes server Address. type: string type: object - required: - - auth type: object onboardbase: description: Onboardbase configures this store to sync secrets using the Onboardbase provider @@ -10994,7 +11442,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -11686,7 +12136,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: webhooks.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -11834,10 +12286,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -11901,10 +12353,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -11938,6 +12390,7 @@ rules: - "pushsecrets/status" - "pushsecrets/finalizers" verbs: + - "get" - "update" - "patch" - apiGroups: @@ -12012,10 +12465,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -12054,10 +12507,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" @@ -12100,10 +12553,10 @@ metadata: name: common-golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -12121,10 +12574,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -12141,10 +12594,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -12177,10 +12630,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -12216,10 +12669,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -12237,10 +12690,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -12261,10 +12714,10 @@ metadata: name: common-golang-external-secrets-cert-controller namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -12276,10 +12729,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller @@ -12294,7 +12747,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi + image: ghcr.io/external-secrets/external-secrets:v0.9.20-ubi imagePullPolicy: IfNotPresent args: - certcontroller @@ -12305,7 +12758,9 @@ spec: - --secret-namespace=default - --metrics-addr=:8080 - --healthz-addr=:8081 - + - --loglevel=info + - --zap-time-encoding=epoch + - --enable-partial-cache=true ports: - containerPort: 8080 protocol: TCP @@ -12324,10 +12779,10 @@ metadata: name: common-golang-external-secrets namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -12339,10 +12794,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: common-golang-external-secrets @@ -12357,15 +12812,18 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi + image: ghcr.io/external-secrets/external-secrets:v0.9.20-ubi imagePullPolicy: IfNotPresent args: - --concurrent=1 - --metrics-addr=:8080 + - --loglevel=info + - --zap-time-encoding=epoch ports: - containerPort: 8080 protocol: TCP name: metrics + dnsPolicy: ClusterFirst --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-deployment.yaml apiVersion: apps/v1 @@ -12374,10 +12832,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: default labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -12389,10 +12847,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.20 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.16" + app.kubernetes.io/version: "v0.9.20" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false @@ -12407,7 +12865,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi + image: ghcr.io/external-secrets/external-secrets:v0.9.20-ubi imagePullPolicy: IfNotPresent args: - webhook @@ -12417,6 +12875,8 @@ spec: - --check-interval=5m - --metrics-addr=:8080 - --healthz-addr=:8081 + - --loglevel=info + - --zap-time-encoding=epoch ports: - containerPort: 8080 protocol: TCP diff --git a/tests/common-hashicorp-vault-industrial-edge-factory.expected.yaml b/tests/common-hashicorp-vault-industrial-edge-factory.expected.yaml index 9838c4a..19cef10 100644 --- a/tests/common-hashicorp-vault-industrial-edge-factory.expected.yaml +++ b/tests/common-hashicorp-vault-industrial-edge-factory.expected.yaml @@ -6,7 +6,7 @@ metadata: name: common-hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.28.0 + helm.sh/chart: vault-0.28.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -18,7 +18,7 @@ metadata: name: common-hashicorp-vault-config namespace: pattern-namespace labels: - helm.sh/chart: vault-0.28.0 + helm.sh/chart: vault-0.28.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -43,7 +43,7 @@ kind: ClusterRoleBinding metadata: name: common-hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.28.0 + helm.sh/chart: vault-0.28.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -64,7 +64,7 @@ metadata: name: common-hashicorp-vault-internal namespace: pattern-namespace labels: - helm.sh/chart: vault-0.28.0 + helm.sh/chart: vault-0.28.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -96,7 +96,7 @@ metadata: name: common-hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.28.0 + helm.sh/chart: vault-0.28.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -127,7 +127,7 @@ metadata: name: common-hashicorp-vault-ui namespace: pattern-namespace labels: - helm.sh/chart: vault-0.28.0 + helm.sh/chart: vault-0.28.1 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -168,7 +168,7 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.28.0 + helm.sh/chart: vault-0.28.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault component: server @@ -206,7 +206,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.16.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.17.2-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -348,7 +348,7 @@ metadata: name: common-hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.28.0 + helm.sh/chart: vault-0.28.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -375,7 +375,7 @@ spec: containers: - name: common-hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.16.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.17.2-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/tests/common-hashicorp-vault-industrial-edge-hub.expected.yaml b/tests/common-hashicorp-vault-industrial-edge-hub.expected.yaml index 9838c4a..19cef10 100644 --- a/tests/common-hashicorp-vault-industrial-edge-hub.expected.yaml +++ b/tests/common-hashicorp-vault-industrial-edge-hub.expected.yaml @@ -6,7 +6,7 @@ metadata: name: common-hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.28.0 + helm.sh/chart: vault-0.28.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -18,7 +18,7 @@ metadata: name: common-hashicorp-vault-config namespace: pattern-namespace labels: - helm.sh/chart: vault-0.28.0 + helm.sh/chart: vault-0.28.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -43,7 +43,7 @@ kind: ClusterRoleBinding metadata: name: common-hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.28.0 + helm.sh/chart: vault-0.28.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -64,7 +64,7 @@ metadata: name: common-hashicorp-vault-internal namespace: pattern-namespace labels: - helm.sh/chart: vault-0.28.0 + helm.sh/chart: vault-0.28.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -96,7 +96,7 @@ metadata: name: common-hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.28.0 + helm.sh/chart: vault-0.28.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -127,7 +127,7 @@ metadata: name: common-hashicorp-vault-ui namespace: pattern-namespace labels: - helm.sh/chart: vault-0.28.0 + helm.sh/chart: vault-0.28.1 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -168,7 +168,7 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.28.0 + helm.sh/chart: vault-0.28.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault component: server @@ -206,7 +206,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.16.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.17.2-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -348,7 +348,7 @@ metadata: name: common-hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.28.0 + helm.sh/chart: vault-0.28.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -375,7 +375,7 @@ spec: containers: - name: common-hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.16.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.17.2-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/tests/common-hashicorp-vault-medical-diagnosis-hub.expected.yaml b/tests/common-hashicorp-vault-medical-diagnosis-hub.expected.yaml index 9838c4a..19cef10 100644 --- a/tests/common-hashicorp-vault-medical-diagnosis-hub.expected.yaml +++ b/tests/common-hashicorp-vault-medical-diagnosis-hub.expected.yaml @@ -6,7 +6,7 @@ metadata: name: common-hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.28.0 + helm.sh/chart: vault-0.28.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -18,7 +18,7 @@ metadata: name: common-hashicorp-vault-config namespace: pattern-namespace labels: - helm.sh/chart: vault-0.28.0 + helm.sh/chart: vault-0.28.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -43,7 +43,7 @@ kind: ClusterRoleBinding metadata: name: common-hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.28.0 + helm.sh/chart: vault-0.28.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -64,7 +64,7 @@ metadata: name: common-hashicorp-vault-internal namespace: pattern-namespace labels: - helm.sh/chart: vault-0.28.0 + helm.sh/chart: vault-0.28.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -96,7 +96,7 @@ metadata: name: common-hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.28.0 + helm.sh/chart: vault-0.28.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -127,7 +127,7 @@ metadata: name: common-hashicorp-vault-ui namespace: pattern-namespace labels: - helm.sh/chart: vault-0.28.0 + helm.sh/chart: vault-0.28.1 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -168,7 +168,7 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.28.0 + helm.sh/chart: vault-0.28.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault component: server @@ -206,7 +206,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.16.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.17.2-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -348,7 +348,7 @@ metadata: name: common-hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.28.0 + helm.sh/chart: vault-0.28.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -375,7 +375,7 @@ spec: containers: - name: common-hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.16.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.17.2-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/tests/common-hashicorp-vault-naked.expected.yaml b/tests/common-hashicorp-vault-naked.expected.yaml index e6933c4..1a62b9c 100644 --- a/tests/common-hashicorp-vault-naked.expected.yaml +++ b/tests/common-hashicorp-vault-naked.expected.yaml @@ -6,7 +6,7 @@ metadata: name: common-hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.28.0 + helm.sh/chart: vault-0.28.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -18,7 +18,7 @@ metadata: name: common-hashicorp-vault-config namespace: default labels: - helm.sh/chart: vault-0.28.0 + helm.sh/chart: vault-0.28.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -43,7 +43,7 @@ kind: ClusterRoleBinding metadata: name: common-hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.28.0 + helm.sh/chart: vault-0.28.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -64,7 +64,7 @@ metadata: name: common-hashicorp-vault-internal namespace: default labels: - helm.sh/chart: vault-0.28.0 + helm.sh/chart: vault-0.28.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -96,7 +96,7 @@ metadata: name: common-hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.28.0 + helm.sh/chart: vault-0.28.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -127,7 +127,7 @@ metadata: name: common-hashicorp-vault-ui namespace: default labels: - helm.sh/chart: vault-0.28.0 + helm.sh/chart: vault-0.28.1 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -168,7 +168,7 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.28.0 + helm.sh/chart: vault-0.28.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault component: server @@ -206,7 +206,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.16.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.17.2-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -348,7 +348,7 @@ metadata: name: common-hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.28.0 + helm.sh/chart: vault-0.28.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -375,7 +375,7 @@ spec: containers: - name: common-hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.16.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.17.2-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/tests/common-hashicorp-vault-normal.expected.yaml b/tests/common-hashicorp-vault-normal.expected.yaml index 9838c4a..19cef10 100644 --- a/tests/common-hashicorp-vault-normal.expected.yaml +++ b/tests/common-hashicorp-vault-normal.expected.yaml @@ -6,7 +6,7 @@ metadata: name: common-hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.28.0 + helm.sh/chart: vault-0.28.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -18,7 +18,7 @@ metadata: name: common-hashicorp-vault-config namespace: pattern-namespace labels: - helm.sh/chart: vault-0.28.0 + helm.sh/chart: vault-0.28.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -43,7 +43,7 @@ kind: ClusterRoleBinding metadata: name: common-hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.28.0 + helm.sh/chart: vault-0.28.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -64,7 +64,7 @@ metadata: name: common-hashicorp-vault-internal namespace: pattern-namespace labels: - helm.sh/chart: vault-0.28.0 + helm.sh/chart: vault-0.28.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -96,7 +96,7 @@ metadata: name: common-hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.28.0 + helm.sh/chart: vault-0.28.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -127,7 +127,7 @@ metadata: name: common-hashicorp-vault-ui namespace: pattern-namespace labels: - helm.sh/chart: vault-0.28.0 + helm.sh/chart: vault-0.28.1 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -168,7 +168,7 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.28.0 + helm.sh/chart: vault-0.28.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault component: server @@ -206,7 +206,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.16.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.17.2-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -348,7 +348,7 @@ metadata: name: common-hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.28.0 + helm.sh/chart: vault-0.28.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -375,7 +375,7 @@ spec: containers: - name: common-hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.16.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.17.2-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/tests/common-operator-install-industrial-edge-factory.expected.yaml b/tests/common-operator-install-industrial-edge-factory.expected.yaml index b04d071..755b244 100644 --- a/tests/common-operator-install-industrial-edge-factory.expected.yaml +++ b/tests/common-operator-install-industrial-edge-factory.expected.yaml @@ -25,9 +25,6 @@ spec: gitSpec: targetRepo: https://github.com/pattern-clone/mypattern targetRevision: main - gitOpsSpec: - operatorChannel: gitops-1.12 - operatorSource: redhat-operators multiSourceConfig: enabled: false --- diff --git a/tests/common-operator-install-industrial-edge-hub.expected.yaml b/tests/common-operator-install-industrial-edge-hub.expected.yaml index b04d071..755b244 100644 --- a/tests/common-operator-install-industrial-edge-hub.expected.yaml +++ b/tests/common-operator-install-industrial-edge-hub.expected.yaml @@ -25,9 +25,6 @@ spec: gitSpec: targetRepo: https://github.com/pattern-clone/mypattern targetRevision: main - gitOpsSpec: - operatorChannel: gitops-1.12 - operatorSource: redhat-operators multiSourceConfig: enabled: false --- diff --git a/tests/common-operator-install-medical-diagnosis-hub.expected.yaml b/tests/common-operator-install-medical-diagnosis-hub.expected.yaml index b04d071..755b244 100644 --- a/tests/common-operator-install-medical-diagnosis-hub.expected.yaml +++ b/tests/common-operator-install-medical-diagnosis-hub.expected.yaml @@ -25,9 +25,6 @@ spec: gitSpec: targetRepo: https://github.com/pattern-clone/mypattern targetRevision: main - gitOpsSpec: - operatorChannel: gitops-1.12 - operatorSource: redhat-operators multiSourceConfig: enabled: false --- diff --git a/tests/common-operator-install-naked.expected.yaml b/tests/common-operator-install-naked.expected.yaml index ada9ab1..937fb6a 100644 --- a/tests/common-operator-install-naked.expected.yaml +++ b/tests/common-operator-install-naked.expected.yaml @@ -25,9 +25,6 @@ spec: gitSpec: targetRepo: https://github.com/pattern-clone/mypattern targetRevision: main - gitOpsSpec: - operatorChannel: gitops-1.12 - operatorSource: redhat-operators multiSourceConfig: enabled: false --- diff --git a/tests/common-operator-install-normal.expected.yaml b/tests/common-operator-install-normal.expected.yaml index b04d071..755b244 100644 --- a/tests/common-operator-install-normal.expected.yaml +++ b/tests/common-operator-install-normal.expected.yaml @@ -25,9 +25,6 @@ spec: gitSpec: targetRepo: https://github.com/pattern-clone/mypattern targetRevision: main - gitOpsSpec: - operatorChannel: gitops-1.12 - operatorSource: redhat-operators multiSourceConfig: enabled: false ---