diff --git a/tests/common-acm-industrial-edge-factory.expected.yaml b/tests/common-acm-industrial-edge-factory.expected.yaml index 86d7277d..2210b4cf 100644 --- a/tests/common-acm-industrial-edge-factory.expected.yaml +++ b/tests/common-acm-industrial-edge-factory.expected.yaml @@ -5,6 +5,15 @@ # Source: acm/templates/policies/application-policies.yaml # TODO: Also create a GitOpsCluster.apps.open-cluster-management.io --- +# Source: acm/templates/policies/private-repo-policies.yaml +# We copy the vp-private-repo-credentials from the "openshift-gitops" namespace +# to the "open-cluster-management" via the "private-hub-policy" +# +# Then we copy the secret from the "open-cluster-management" namespace to the +# managed clusters "openshift-gitops" instance +# +# And we also copy the same secret to the namespaced argo's namespace +--- # Source: acm/templates/multiclusterhub.yaml apiVersion: operator.open-cluster-management.io/v1 kind: MultiClusterHub diff --git a/tests/common-acm-industrial-edge-hub.expected.yaml b/tests/common-acm-industrial-edge-hub.expected.yaml index 6bb30bac..f9627771 100644 --- a/tests/common-acm-industrial-edge-hub.expected.yaml +++ b/tests/common-acm-industrial-edge-hub.expected.yaml @@ -2,6 +2,15 @@ # Source: acm/templates/policies/acm-hub-ca-policy.yaml # This pushes out the HUB's Certificate Authorities on to the imported clusters --- +# Source: acm/templates/policies/private-repo-policies.yaml +# We copy the vp-private-repo-credentials from the "openshift-gitops" namespace +# to the "open-cluster-management" via the "private-hub-policy" +# +# Then we copy the secret from the "open-cluster-management" namespace to the +# managed clusters "openshift-gitops" instance +# +# And we also copy the same secret to the namespaced argo's namespace +--- # Source: acm/templates/multiclusterhub.yaml apiVersion: operator.open-cluster-management.io/v1 kind: MultiClusterHub 
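Review bot: The new comment header explains where `vp-private-repo-credentials` is copied but not what it grants; because the policy fans the hub's repository credential out to every managed cluster's openshift-gitops namespace and to the namespaced Argo namespace, the header (in `acm/templates/policies/private-repo-policies.yaml`, from which these fixtures are rendered) should state that the secret is expected to hold clone-only access (a read-only deploy key or a token scoped to read), so that a compromised managed cluster cannot push to the pattern repository. The first sentence also drops a word: `# to the "open-cluster-management" namespace via the "private-hub-policy"`. The same header is added to the other acm fixtures in this commit (industrial-edge-hub, medical-diagnosis-hub, naked, normal) and in each of them the next line is `---` with no Policy object rendered, which is presumably the no-private-repo case.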
diff --git a/tests/common-acm-medical-diagnosis-hub.expected.yaml b/tests/common-acm-medical-diagnosis-hub.expected.yaml index 2361be7a..cea5a1dc 100644 --- a/tests/common-acm-medical-diagnosis-hub.expected.yaml +++ b/tests/common-acm-medical-diagnosis-hub.expected.yaml @@ -2,6 +2,15 @@ # Source: acm/templates/policies/acm-hub-ca-policy.yaml # This pushes out the HUB's Certificate Authorities on to the imported clusters --- +# Source: acm/templates/policies/private-repo-policies.yaml +# We copy the vp-private-repo-credentials from the "openshift-gitops" namespace +# to the "open-cluster-management" via the "private-hub-policy" +# +# Then we copy the secret from the "open-cluster-management" namespace to the +# managed clusters "openshift-gitops" instance +# +# And we also copy the same secret to the namespaced argo's namespace +--- # Source: acm/templates/multiclusterhub.yaml apiVersion: operator.open-cluster-management.io/v1 kind: MultiClusterHub diff --git a/tests/common-acm-naked.expected.yaml b/tests/common-acm-naked.expected.yaml index cb73d733..5ba9bd60 100644 --- a/tests/common-acm-naked.expected.yaml +++ b/tests/common-acm-naked.expected.yaml @@ -5,6 +5,15 @@ # Source: acm/templates/policies/application-policies.yaml # TODO: Also create a GitOpsCluster.apps.open-cluster-management.io --- +# Source: acm/templates/policies/private-repo-policies.yaml +# We copy the vp-private-repo-credentials from the "openshift-gitops" namespace +# to the "open-cluster-management" via the "private-hub-policy" +# +# Then we copy the secret from the "open-cluster-management" namespace to the +# managed clusters "openshift-gitops" instance +# +# And we also copy the same secret to the namespaced argo's namespace +--- # Source: acm/templates/multiclusterhub.yaml apiVersion: operator.open-cluster-management.io/v1 kind: MultiClusterHub diff --git a/tests/common-acm-normal.expected.yaml b/tests/common-acm-normal.expected.yaml index a83284bb..55553a79 100644 
--- a/tests/common-acm-normal.expected.yaml +++ b/tests/common-acm-normal.expected.yaml @@ -22,6 +22,15 @@ type: Opaque # Source: acm/templates/policies/acm-hub-ca-policy.yaml # This pushes out the HUB's Certificate Authorities on to the imported clusters --- +# Source: acm/templates/policies/private-repo-policies.yaml +# We copy the vp-private-repo-credentials from the "openshift-gitops" namespace +# to the "open-cluster-management" via the "private-hub-policy" +# +# Then we copy the secret from the "open-cluster-management" namespace to the +# managed clusters "openshift-gitops" instance +# +# And we also copy the same secret to the namespaced argo's namespace +--- # Source: acm/templates/provision/clusterpool.yaml apiVersion: hive.openshift.io/v1 kind: ClusterClaim diff --git a/tests/common-clustergroup-industrial-edge-factory.expected.yaml b/tests/common-clustergroup-industrial-edge-factory.expected.yaml index 7349d26b..63c17f27 100644 --- a/tests/common-clustergroup-industrial-edge-factory.expected.yaml +++ b/tests/common-clustergroup-industrial-edge-factory.expected.yaml 
@@ -83,12 +83,43 @@ data: namespace: manuela-factory-ml-workspace path: charts/datacenter/opendatahub project: factory + argoCD: + configManagementPlugins: + - image: quay.io/hybridcloudpatterns/utility-container:latest + name: helm-with-kustomize + pluginArgs: + - --loglevel=debug + pluginConfig: | + apiVersion: argoproj.io/v1alpha1 + kind: ConfigManagementPlugin + metadata: + name: helm-with-kustomize + spec: + preserveFileMode: true + init: + command: ["/bin/sh", "-c"] + args: ["helm dependency build"] + generate: + command: ["/bin/bash", "-c"] + args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} + -f $(git rev-parse --show-toplevel)/values-global.yaml + -f $(git rev-parse --show-toplevel)/values-factory.yaml + --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL + --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION + --set global.namespace=$ARGOCD_APP_NAMESPACE + --set global.pattern=mypattern + --set global.clusterDomain=region.example.com + --set global.hubClusterDomain=apps.hub.example.com + --set global.localClusterDomain=apps.region.example.com + --set clusterGroup.name=factory + --post-renderer ./kustomize"] + initContainers: [] imperative: activeDeadlineSeconds: 3600 clusterRoleName: imperative-cluster-role clusterRoleYaml: "" cronJobName: imperative-cronjob - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always insecureUnsealVaultInsideClusterSchedule: '*/5 * * * *' jobName: imperative-job 
@@ -180,6 +211,38 @@ data: kind: ClusterSecretStore name: vault-backend --- +# Source: clustergroup/templates/plumbing/argocd-cmp-plugin-cms.yaml +kind: ConfigMap +apiVersion: v1 +metadata: + name: "argocd-cmp-helm-with-kustomize" + namespace: mypattern-factory +data: + "plugin.yaml": | + apiVersion: argoproj.io/v1alpha1 + kind: ConfigManagementPlugin + metadata: + name: helm-with-kustomize + spec: + preserveFileMode: true + init: + command: ["/bin/sh", "-c"] + args: ["helm dependency build"] + generate: + command: ["/bin/bash", "-c"] + args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} + -f $(git rev-parse --show-toplevel)/values-global.yaml + -f $(git rev-parse --show-toplevel)/values-factory.yaml + --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL + --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION + --set global.namespace=$ARGOCD_APP_NAMESPACE + --set global.pattern=mypattern + --set global.clusterDomain=region.example.com + --set global.hubClusterDomain=apps.hub.example.com + --set global.localClusterDomain=apps.region.example.com + --set clusterGroup.name=factory + --post-renderer ./kustomize"] +--- # Source: clustergroup/templates/imperative/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -304,7 +367,7 @@ spec: # git init happens in /git/repo so that we can set the folder to 0770 permissions # reason for that is ansible refuses to create temporary folders in there - name: git-init - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
@@ -312,12 +375,33 @@ spec: command: - 'sh' - '-c' - - "mkdir /git/{repo,home};git clone --single-branch --branch main --depth 1 -- https://github.com/pattern-clone/mypattern /git/repo;chmod 0770 /git/{repo,home}" + - >- + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then + URL="https://github.com/pattern-clone/mypattern"; + else + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then + U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; + P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; + URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); + echo "USER/PASS: ${URL}"; + else + S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; + mkdir -p --mode 0700 "${HOME}/.ssh"; + echo "${S}" > "${HOME}/.ssh/id_rsa"; + chmod 0600 "${HOME}/.ssh/id_rsa"; + URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); + git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; + echo "SSH: ${URL}"; + fi; + fi; + mkdir /git/{repo,home}; + git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + chmod 0770 /git/{repo,home}; volumeMounts: - name: git mountPath: "/git" - name: test - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
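Review bot: In the USER/PASS branch of the new git-init script, `echo "USER/PASS: ${URL}"` writes the decoded password to the container log, because URL now carries `${U}:${P}@`, and `git clone` persists that same URL into `/git/repo/.git/config` under `remote.origin.url`; log only the host or the username, e.g. `echo "USER/PASS: https://github.com/pattern-clone/mypattern (as ${U})";`, and prefer passing the password to git through a credential helper or `GIT_ASKPASS` rather than embedding it in the URL. The `sed -E "s/(https?:\/\/)/\1${U}:${P}@/"` substitution also breaks when the password contains `/`, `&`, `@` or `:`, since the values are neither sed-escaped nor URL-encoded. The SSH branch sets `StrictHostKeyChecking=no` together with `UserKnownHostsFile=/dev/null`, which disables host-key verification for the clone; shipping a known_hosts entry with the key (or in the image) would keep the private-repo fetch MITM-resistant, and in `"ssh -i "${HOME}/.ssh/id_rsa" -o ..."` the inner quotes end the outer string instead of quoting the path and should be written as `\"`. The same script is repeated in the git-init hunks of the industrial-edge-hub fixture (both jobs) and the medical-diagnosis-hub fixture (both jobs), and the fix belongs in the clustergroup imperative template these expected files are rendered from.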
@@ -340,7 +424,7 @@ spec: subPath: values.yaml containers: - name: "done" - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always command: - 'sh' @@ -454,6 +538,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: @@ -496,36 +582,6 @@ spec: return hs applicationInstanceLabelKey: argocd.argoproj.io/instance - # Not the greatest way to pass git/quay info to sub-applications, but it will do until - # we can support helmChart with kustomize - # The other option is to pass them in as environment variables eg. BLUEPRINT_VERSION - configManagementPlugins: | - - name: kustomize-version - generate: - command: ["sh", "-c"] - args: ["kustomize version 1>&2 && exit 1"] - - name: kustomize-with-helm - generate: - command: ["kustomize"] - args: ["build", "--enable-helm"] - - name: helm-with-kustomize - init: - command: ["/bin/sh", "-c"] - args: ["helm dependency build"] - generate: - command: ["/bin/bash", "-c"] - args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} - -f $(git rev-parse --show-toplevel)/values-global.yaml - -f $(git rev-parse --show-toplevel)/values-factory.yaml - --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL - --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION - --set global.namespace=$ARGOCD_APP_NAMESPACE - --set global.pattern=mypattern - --set global.clusterDomain=region.example.com - --set global.hubClusterDomain=apps.hub.example.com - --set global.localClusterDomain=apps.region.example.com - --set clusterGroup.name=factory - --post-renderer ./kustomize"] applicationSet: resources: limits: 
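Review bot: The added `global.privateRepo` helm parameter is followed by a bare `value:`, which YAML reads as null rather than as an empty string; Argo CD's `helm.parameters[].value` is a string field, so the application template should quote the templated value so that it renders as `value: ""` and the manifest stays schema-valid when no private repository is configured. The same bare value appears in every Application hunk of the industrial-edge-hub and medical-diagnosis-hub fixtures in this commit.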
@@ -558,6 +614,32 @@ spec: rbac: defaultPolicy: role:admin repo: + sidecarContainers: + - name: helm-with-kustomize + command: [/var/run/argocd/argocd-cmp-server] + args: [ + "--loglevel=debug" +] + image: quay.io/hybridcloudpatterns/utility-container:latest + imagePullPolicy: Always + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /var/run/argocd + name: var-files + - mountPath: /home/argocd/cmp-server/plugins + name: plugins + - mountPath: /tmp + name: cmp-tmp + - mountPath: /home/argocd/cmp-server/config/plugin.yaml + subPath: plugin.yaml + name: helm-with-kustomize + volumes: + - emptyDir: {} + name: cmp-tmp + - configMap: + name: "argocd-cmp-helm-with-kustomize" + name: helm-with-kustomize resources: limits: cpu: "1" diff --git a/tests/common-clustergroup-industrial-edge-hub.expected.yaml b/tests/common-clustergroup-industrial-edge-hub.expected.yaml index c0d078aa..fd8b747b 100644 --- a/tests/common-clustergroup-industrial-edge-hub.expected.yaml +++ b/tests/common-clustergroup-industrial-edge-hub.expected.yaml 
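Review bot: The `helm-with-kustomize` sidecar runs the CMP server from `quay.io/hybridcloudpatterns/utility-container:latest` with `imagePullPolicy: Always`, so every repo-server restart may pull a different, unreviewed image that then executes `helm template` and the repository's own `./kustomize` post-renderer for every Application source; pin the image by digest (`image: quay.io/hybridcloudpatterns/utility-container@sha256:<DIGEST>`) or at least by a version tag, taken from a chart value. The `securityContext` stops at `runAsNonRoot: true`; adding `allowPrivilegeEscalation: false`, dropping all capabilities and, if the plugin only writes under the `/tmp` emptyDir, `readOnlyRootFilesystem: true` keeps the sidecar inside the restricted profile rather than relying on admission to supply those settings. `args: [ "--loglevel=debug" ]` is split over three lines with the closing `]` at column 0, which looks like a missing `nindent` in the template and leaves debug logging on in rendered output; `args: ["--loglevel=debug"]` on one line, with the level coming from the value, would be cleaner. The same sidecar block is added in the industrial-edge-hub fixture.
```yaml
        securityContext:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
        # … unchanged: volumeMounts and volumes …
```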
@@ -204,12 +204,43 @@ data: project: datacenter repoURL: https://helm.releases.hashicorp.com targetRevision: v0.20.1 + argoCD: + configManagementPlugins: + - image: quay.io/hybridcloudpatterns/utility-container:latest + name: helm-with-kustomize + pluginArgs: + - --loglevel=debug + pluginConfig: | + apiVersion: argoproj.io/v1alpha1 + kind: ConfigManagementPlugin + metadata: + name: helm-with-kustomize + spec: + preserveFileMode: true + init: + command: ["/bin/sh", "-c"] + args: ["helm dependency build"] + generate: + command: ["/bin/bash", "-c"] + args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} + -f $(git rev-parse --show-toplevel)/values-global.yaml + -f $(git rev-parse --show-toplevel)/values-datacenter.yaml + --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL + --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION + --set global.namespace=$ARGOCD_APP_NAMESPACE + --set global.pattern=mypattern + --set global.clusterDomain=region.example.com + --set global.hubClusterDomain=apps.hub.example.com + --set global.localClusterDomain=apps.region.example.com + --set clusterGroup.name=datacenter + --post-renderer ./kustomize"] + initContainers: [] imperative: activeDeadlineSeconds: 3600 clusterRoleName: imperative-cluster-role clusterRoleYaml: "" cronJobName: imperative-cronjob - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always insecureUnsealVaultInsideClusterSchedule: '*/5 * * * *' jobName: imperative-job 
@@ -341,6 +372,38 @@ data: kind: ClusterSecretStore name: vault-backend --- +# Source: clustergroup/templates/plumbing/argocd-cmp-plugin-cms.yaml +kind: ConfigMap +apiVersion: v1 +metadata: + name: "argocd-cmp-helm-with-kustomize" + namespace: mypattern-datacenter +data: + "plugin.yaml": | + apiVersion: argoproj.io/v1alpha1 + kind: ConfigManagementPlugin + metadata: + name: helm-with-kustomize + spec: + preserveFileMode: true + init: + command: ["/bin/sh", "-c"] + args: ["helm dependency build"] + generate: + command: ["/bin/bash", "-c"] + args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} + -f $(git rev-parse --show-toplevel)/values-global.yaml + -f $(git rev-parse --show-toplevel)/values-datacenter.yaml + --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL + --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION + --set global.namespace=$ARGOCD_APP_NAMESPACE + --set global.pattern=mypattern + --set global.clusterDomain=region.example.com + --set global.hubClusterDomain=apps.hub.example.com + --set global.localClusterDomain=apps.region.example.com + --set clusterGroup.name=datacenter + --post-renderer ./kustomize"] +--- # Source: clustergroup/templates/imperative/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -465,7 +528,7 @@ spec: # git init happens in /git/repo so that we can set the folder to 0770 permissions # reason for that is ansible refuses to create temporary folders in there - name: git-init - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
@@ -473,12 +536,33 @@ spec: command: - 'sh' - '-c' - - "mkdir /git/{repo,home};git clone --single-branch --branch main --depth 1 -- https://github.com/pattern-clone/mypattern /git/repo;chmod 0770 /git/{repo,home}" + - >- + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then + URL="https://github.com/pattern-clone/mypattern"; + else + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then + U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; + P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; + URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); + echo "USER/PASS: ${URL}"; + else + S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; + mkdir -p --mode 0700 "${HOME}/.ssh"; + echo "${S}" > "${HOME}/.ssh/id_rsa"; + chmod 0600 "${HOME}/.ssh/id_rsa"; + URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); + git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; + echo "SSH: ${URL}"; + fi; + fi; + mkdir /git/{repo,home}; + git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + chmod 0770 /git/{repo,home}; volumeMounts: - name: git mountPath: "/git" - name: test - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
@@ -501,7 +585,7 @@ spec: subPath: values.yaml containers: - name: "done" - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always command: - 'sh' @@ -539,7 +623,7 @@ spec: # git init happens in /git/repo so that we can set the folder to 0770 permissions # reason for that is ansible refuses to create temporary folders in there - name: git-init - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
@@ -547,12 +631,33 @@ spec: command: - 'sh' - '-c' - - "mkdir /git/{repo,home};git clone --single-branch --branch main --depth 1 -- https://github.com/pattern-clone/mypattern /git/repo;chmod 0770 /git/{repo,home}" + - >- + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then + URL="https://github.com/pattern-clone/mypattern"; + else + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then + U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; + P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; + URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); + echo "USER/PASS: ${URL}"; + else + S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; + mkdir -p --mode 0700 "${HOME}/.ssh"; + echo "${S}" > "${HOME}/.ssh/id_rsa"; + chmod 0600 "${HOME}/.ssh/id_rsa"; + URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); + git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; + echo "SSH: ${URL}"; + fi; + fi; + mkdir /git/{repo,home}; + git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + chmod 0770 /git/{repo,home}; volumeMounts: - name: git mountPath: "/git" - name: unseal-playbook - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
@@ -577,7 +682,7 @@ spec: subPath: values.yaml containers: - name: "done" - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always command: - 'sh' @@ -727,6 +832,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: ignoreDifferences: [ { "group": "internal.open-cluster-management.io", @@ -788,6 +895,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: @@ -840,6 +949,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: @@ -892,6 +1003,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: ignoreDifferences: [ { "group": "apps", @@ -974,6 +1087,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: @@ -1026,6 +1141,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: @@ -1105,6 +1222,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: - name: global.openshift value: "true" - name: injector.enabled 
@@ -1165,36 +1284,6 @@ spec: return hs applicationInstanceLabelKey: argocd.argoproj.io/instance - # Not the greatest way to pass git/quay info to sub-applications, but it will do until - # we can support helmChart with kustomize - # The other option is to pass them in as environment variables eg. BLUEPRINT_VERSION - configManagementPlugins: | - - name: kustomize-version - generate: - command: ["sh", "-c"] - args: ["kustomize version 1>&2 && exit 1"] - - name: kustomize-with-helm - generate: - command: ["kustomize"] - args: ["build", "--enable-helm"] - - name: helm-with-kustomize - init: - command: ["/bin/sh", "-c"] - args: ["helm dependency build"] - generate: - command: ["/bin/bash", "-c"] - args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} - -f $(git rev-parse --show-toplevel)/values-global.yaml - -f $(git rev-parse --show-toplevel)/values-datacenter.yaml - --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL - --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION - --set global.namespace=$ARGOCD_APP_NAMESPACE - --set global.pattern=mypattern - --set global.clusterDomain=region.example.com - --set global.hubClusterDomain=apps.hub.example.com - --set global.localClusterDomain=apps.region.example.com - --set clusterGroup.name=datacenter - --post-renderer ./kustomize"] applicationSet: resources: limits: 
@@ -1227,6 +1316,32 @@ spec: rbac: defaultPolicy: role:admin repo: + sidecarContainers: + - name: helm-with-kustomize + command: [/var/run/argocd/argocd-cmp-server] + args: [ + "--loglevel=debug" +] + image: quay.io/hybridcloudpatterns/utility-container:latest + imagePullPolicy: Always + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /var/run/argocd + name: var-files + - mountPath: /home/argocd/cmp-server/plugins + name: plugins + - mountPath: /tmp + name: cmp-tmp + - mountPath: /home/argocd/cmp-server/config/plugin.yaml + subPath: plugin.yaml + name: helm-with-kustomize + volumes: + - emptyDir: {} + name: cmp-tmp + - configMap: + name: "argocd-cmp-helm-with-kustomize" + name: helm-with-kustomize resources: limits: cpu: "1" diff --git a/tests/common-clustergroup-medical-diagnosis-hub.expected.yaml b/tests/common-clustergroup-medical-diagnosis-hub.expected.yaml index 1b14514b..faa8e50a 100644 --- a/tests/common-clustergroup-medical-diagnosis-hub.expected.yaml +++ b/tests/common-clustergroup-medical-diagnosis-hub.expected.yaml @@ -215,12 +215,15 @@ data: namespace: xraylab-1 path: charts/all/medical-diagnosis/xray-init project: medical-diagnosis + argoCD: + configManagementPlugins: [] + initContainers: [] imperative: activeDeadlineSeconds: 3600 clusterRoleName: imperative-cluster-role clusterRoleYaml: "" cronJobName: imperative-cronjob - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always insecureUnsealVaultInsideClusterSchedule: '*/5 * * * *' jobName: imperative-job 
@@ -452,7 +455,7 @@ spec: # git init happens in /git/repo so that we can set the folder to 0770 permissions # reason for that is ansible refuses to create temporary folders in there - name: git-init - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
@@ -460,12 +463,33 @@ spec: command: - 'sh' - '-c' - - "mkdir /git/{repo,home};git clone --single-branch --branch main --depth 1 -- https://github.com/pattern-clone/mypattern /git/repo;chmod 0770 /git/{repo,home}" + - >- + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then + URL="https://github.com/pattern-clone/mypattern"; + else + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then + U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; + P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; + URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); + echo "USER/PASS: ${URL}"; + else + S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; + mkdir -p --mode 0700 "${HOME}/.ssh"; + echo "${S}" > "${HOME}/.ssh/id_rsa"; + chmod 0600 "${HOME}/.ssh/id_rsa"; + URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); + git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; + echo "SSH: ${URL}"; + fi; + fi; + mkdir /git/{repo,home}; + git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + chmod 0770 /git/{repo,home}; volumeMounts: - name: git mountPath: "/git" - name: test - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
@@ -488,7 +512,7 @@ spec: subPath: values.yaml containers: - name: "done" - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always command: - 'sh' @@ -526,7 +550,7 @@ spec: # git init happens in /git/repo so that we can set the folder to 0770 permissions # reason for that is ansible refuses to create temporary folders in there - name: git-init - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
@@ -534,12 +558,33 @@ spec: command: - 'sh' - '-c' - - "mkdir /git/{repo,home};git clone --single-branch --branch main --depth 1 -- https://github.com/pattern-clone/mypattern /git/repo;chmod 0770 /git/{repo,home}" + - >- + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then + URL="https://github.com/pattern-clone/mypattern"; + else + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then + U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; + P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; + URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); + echo "USER/PASS: ${URL}"; + else + S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; + mkdir -p --mode 0700 "${HOME}/.ssh"; + echo "${S}" > "${HOME}/.ssh/id_rsa"; + chmod 0600 "${HOME}/.ssh/id_rsa"; + URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); + git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; + echo "SSH: ${URL}"; + fi; + fi; + mkdir /git/{repo,home}; + git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + chmod 0770 /git/{repo,home}; volumeMounts: - name: git mountPath: "/git" - name: unseal-playbook - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
@@ -564,7 +609,7 @@ spec: subPath: values.yaml containers: - name: "done" - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always command: - 'sh' @@ -672,6 +717,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: @@ -724,6 +771,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: @@ -776,6 +825,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: @@ -828,6 +879,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: @@ -880,6 +933,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: @@ -932,6 +987,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: @@ -984,6 +1041,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: @@ -1036,6 +1095,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: - name: global.openshift value: "true" - name: injector.enabled 
@@ -1106,6 +1167,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: @@ -1158,6 +1221,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: @@ -1210,6 +1275,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: ignoreDifferences: [ { "group": "apps.openshift.io", @@ -1271,6 +1338,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: ignoreDifferences: [ { "group": "apps.openshift.io", @@ -1332,6 +1401,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: 
@@ -1374,36 +1445,6 @@ spec: return hs applicationInstanceLabelKey: argocd.argoproj.io/instance - # Not the greatest way to pass git/quay info to sub-applications, but it will do until - # we can support helmChart with kustomize - # The other option is to pass them in as environment variables eg. BLUEPRINT_VERSION - configManagementPlugins: | - - name: kustomize-version - generate: - command: ["sh", "-c"] - args: ["kustomize version 1>&2 && exit 1"] - - name: kustomize-with-helm - generate: - command: ["kustomize"] - args: ["build", "--enable-helm"] - - name: helm-with-kustomize - init: - command: ["/bin/sh", "-c"] - args: ["helm dependency build"] - generate: - command: ["/bin/bash", "-c"] - args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} - -f $(git rev-parse --show-toplevel)/values-global.yaml - -f $(git rev-parse --show-toplevel)/values-hub.yaml - --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL - --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION - --set global.namespace=$ARGOCD_APP_NAMESPACE - --set global.pattern=mypattern - --set global.clusterDomain=region.example.com - --set global.hubClusterDomain=apps.hub.example.com - --set global.localClusterDomain=apps.region.example.com - --set clusterGroup.name=hub - --post-renderer ./kustomize"] applicationSet: resources: limits: diff --git a/tests/common-clustergroup-naked.expected.yaml b/tests/common-clustergroup-naked.expected.yaml index 75359902..ec8099f3 100644 --- a/tests/common-clustergroup-naked.expected.yaml +++ b/tests/common-clustergroup-naked.expected.yaml 
@@ -38,12 +38,15 @@ data: values.yaml: | clusterGroup: applications: {} + argoCD: + configManagementPlugins: [] + initContainers: [] imperative: activeDeadlineSeconds: 3600 clusterRoleName: imperative-cluster-role clusterRoleYaml: "" cronJobName: imperative-cronjob - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always insecureUnsealVaultInsideClusterSchedule: '*/5 * * * *' jobName: imperative-job @@ -202,7 +205,7 @@ spec: # git init happens in /git/repo so that we can set the folder to 0770 permissions # reason for that is ansible refuses to create temporary folders in there - name: git-init - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
@@ -210,12 +213,33 @@ spec: command: - 'sh' - '-c' - - "mkdir /git/{repo,home};git clone --single-branch --branch main --depth 1 -- /git/repo;chmod 0770 /git/{repo,home}" + - >- + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then + URL=""; + else + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then + U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; + P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; + URL=$(echo | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); + echo "USER/PASS: ${URL}"; + else + S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; + mkdir -p --mode 0700 "${HOME}/.ssh"; + echo "${S}" > "${HOME}/.ssh/id_rsa"; + chmod 0600 "${HOME}/.ssh/id_rsa"; + URL=$(echo | sed -E "s/(https?:\/\/)/\1git@/"); + git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; + echo "SSH: ${URL}"; + fi; + fi; + mkdir /git/{repo,home}; + git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + chmod 0770 /git/{repo,home}; volumeMounts: - name: git mountPath: "/git" - name: unseal-playbook - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME @@ -240,7 +264,7 @@ spec: subPath: values.yaml containers: - name: "done" - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always command: - 'sh' 
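Review bot: In the new git-init command the `echo "USER/PASS: ${URL}"` line prints the clone URL after `${U}:${P}@` has been spliced into it, so the repository password lands in the init container's stdout and in whatever collects pod logs; the same line appears in the hunks at L29 and L31, and since these are rendered fixtures the fix belongs in the template they are generated from. Print only the non-secret part, e.g. `echo "USER/PASS: credentials configured for user ${U}"`, and likewise avoid echoing the key-derived URL in the SSH branch. The `sed -E "s/(https?:\/\/)/\1${U}:${P}@/"` substitution also inserts the values unescaped, so a password containing `/`, `&` or `\` silently corrupts the URL rather than failing. Finally, `-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no` turns off host-key verification for the SSH clone; if the credentials secret can carry a known_hosts entry, writing it to `${HOME}/.ssh/known_hosts` and dropping those two options would keep the clone authenticated. The git-init container definition begins in the previous hunk.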
@@ -293,36 +317,6 @@ spec: return hs applicationInstanceLabelKey: argocd.argoproj.io/instance - # Not the greatest way to pass git/quay info to sub-applications, but it will do until - # we can support helmChart with kustomize - # The other option is to pass them in as environment variables eg. BLUEPRINT_VERSION - configManagementPlugins: | - - name: kustomize-version - generate: - command: ["sh", "-c"] - args: ["kustomize version 1>&2 && exit 1"] - - name: kustomize-with-helm - generate: - command: ["kustomize"] - args: ["build", "--enable-helm"] - - name: helm-with-kustomize - init: - command: ["/bin/sh", "-c"] - args: ["helm dependency build"] - generate: - command: ["/bin/bash", "-c"] - args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} - -f $(git rev-parse --show-toplevel)/values-global.yaml - -f $(git rev-parse --show-toplevel)/values-example.yaml - --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL - --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION - --set global.namespace=$ARGOCD_APP_NAMESPACE - --set global.pattern=common - --set global.clusterDomain= - --set global.hubClusterDomain= - --set global.localClusterDomain= - --set clusterGroup.name=example - --post-renderer ./kustomize"] applicationSet: resources: limits: diff --git a/tests/common-clustergroup-normal.expected.yaml b/tests/common-clustergroup-normal.expected.yaml index 0f4e676b..aa9595e1 100644 --- a/tests/common-clustergroup-normal.expected.yaml +++ b/tests/common-clustergroup-normal.expected.yaml 
@@ -17,18 +17,54 @@ spec: apiVersion: v1 kind: Namespace metadata: + name: application-ci + labels: + argocd.argoproj.io/managed-by: mypattern-example +spec: +--- +# Source: clustergroup/templates/core/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: exclude-targetns + labels: + argocd.argoproj.io/managed-by: mypattern-example +spec: +--- +# Source: clustergroup/templates/core/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + labels: + argocd.argoproj.io/managed-by: mypattern-example + name: include-ci +spec: +--- +# Source: clustergroup/templates/core/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + labels: + argocd.argoproj.io/managed-by: mypattern-example + name: exclude-og +spec: +--- +# Source: clustergroup/templates/core/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: totally-exclude-og labels: argocd.argoproj.io/managed-by: mypattern-example - name: application-ci spec: --- # Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: + name: include-default-og labels: argocd.argoproj.io/managed-by: mypattern-example - name: excludes-ci spec: --- # Source: clustergroup/templates/imperative/namespace.yaml @@ -87,12 +123,15 @@ data: namespace: application-ci path: charts/datacenter/pipelines project: datacenter + argoCD: + configManagementPlugins: [] + initContainers: [] imperative: activeDeadlineSeconds: 3600 clusterRoleName: imperative-cluster-role clusterRoleYaml: "" cronJobName: imperative-cronjob - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always insecureUnsealVaultInsideClusterSchedule: '*/5 * * * *' jobName: imperative-job 
@@ -171,10 +210,22 @@ data: labels: kubernetes.io/os: linux openshift.io/node-selector: "" - - application-ci - - excludes-ci + - application-ci: + operatorGroup: true + targetNamespaces: + - application-ci + - other-namespace + - exclude-targetns: + operatorGroup: true + targetNamespaces: null + - include-ci + - exclude-og + - totally-exclude-og: + operatorGroup: false + - include-default-og: + operatorGroup: true operatorgroupExcludes: - - excludes-ci + - exclude-og projects: - datacenter sharedValueFiles: @@ -366,7 +417,7 @@ spec: # git init happens in /git/repo so that we can set the folder to 0770 permissions # reason for that is ansible refuses to create temporary folders in there - name: git-init - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
@@ -374,12 +425,33 @@ spec: command: - 'sh' - '-c' - - "mkdir /git/{repo,home};git clone --single-branch --branch main --depth 1 -- https://github.com/pattern-clone/mypattern /git/repo;chmod 0770 /git/{repo,home}" + - >- + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then + URL="https://github.com/pattern-clone/mypattern"; + else + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then + U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; + P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; + URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); + echo "USER/PASS: ${URL}"; + else + S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; + mkdir -p --mode 0700 "${HOME}/.ssh"; + echo "${S}" > "${HOME}/.ssh/id_rsa"; + chmod 0600 "${HOME}/.ssh/id_rsa"; + URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); + git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; + echo "SSH: ${URL}"; + fi; + fi; + mkdir /git/{repo,home}; + git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + chmod 0770 /git/{repo,home}; volumeMounts: - name: git mountPath: "/git" - name: test - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
@@ -402,7 +474,7 @@ spec: subPath: values.yaml containers: - name: "done" - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always command: - 'sh' @@ -440,7 +512,7 @@ spec: # git init happens in /git/repo so that we can set the folder to 0770 permissions # reason for that is ansible refuses to create temporary folders in there - name: git-init - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
@@ -448,12 +520,33 @@ spec: command: - 'sh' - '-c' - - "mkdir /git/{repo,home};git clone --single-branch --branch main --depth 1 -- https://github.com/pattern-clone/mypattern /git/repo;chmod 0770 /git/{repo,home}" + - >- + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then + URL="https://github.com/pattern-clone/mypattern"; + else + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then + U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; + P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; + URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); + echo "USER/PASS: ${URL}"; + else + S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; + mkdir -p --mode 0700 "${HOME}/.ssh"; + echo "${S}" > "${HOME}/.ssh/id_rsa"; + chmod 0600 "${HOME}/.ssh/id_rsa"; + URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); + git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; + echo "SSH: ${URL}"; + fi; + fi; + mkdir /git/{repo,home}; + git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + chmod 0770 /git/{repo,home}; volumeMounts: - name: git mountPath: "/git" - name: unseal-playbook - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
@@ -478,7 +571,7 @@ spec: subPath: values.yaml containers: - name: "done" - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always command: - 'sh' @@ -588,6 +681,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: ignoreDifferences: [ { "group": "internal.open-cluster-management.io", @@ -652,6 +747,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: 
@@ -934,36 +1031,6 @@ spec: return hs applicationInstanceLabelKey: argocd.argoproj.io/instance - # Not the greatest way to pass git/quay info to sub-applications, but it will do until - # we can support helmChart with kustomize - # The other option is to pass them in as environment variables eg. BLUEPRINT_VERSION - configManagementPlugins: | - - name: kustomize-version - generate: - command: ["sh", "-c"] - args: ["kustomize version 1>&2 && exit 1"] - - name: kustomize-with-helm - generate: - command: ["kustomize"] - args: ["build", "--enable-helm"] - - name: helm-with-kustomize - init: - command: ["/bin/sh", "-c"] - args: ["helm dependency build"] - generate: - command: ["/bin/bash", "-c"] - args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} - -f $(git rev-parse --show-toplevel)/values-global.yaml - -f $(git rev-parse --show-toplevel)/values-example.yaml - --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL - --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION - --set global.namespace=$ARGOCD_APP_NAMESPACE - --set global.pattern=mypattern - --set global.clusterDomain=region.example.com - --set global.hubClusterDomain=apps.hub.example.com - --set global.localClusterDomain=apps.region.example.com - --set clusterGroup.name=example - --post-renderer ./kustomize"] applicationSet: resources: limits: 
@@ -1053,21 +1120,42 @@ spec: apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: - name: open-cluster-management-operator-group - namespace: open-cluster-management + name: application-ci-operator-group + namespace: application-ci spec: targetNamespaces: - - open-cluster-management + - application-ci + - other-namespace --- # Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: - name: application-ci-operator-group - namespace: application-ci + name: exclude-targetns-operator-group + namespace: exclude-targetns spec: targetNamespaces: - - application-ci +--- +# Source: clustergroup/templates/core/operatorgroup.yaml +apiVersion: operators.coreos.com/v1 +kind: OperatorGroup +metadata: + name: include-ci-operator-group + namespace: include-ci +spec: + targetNamespaces: + - include-ci +--- +# Source: clustergroup/templates/core/operatorgroup.yaml +--- +apiVersion: operators.coreos.com/v1 +kind: OperatorGroup +metadata: + name: include-default-og-operator-group + namespace: include-default-og +spec: + targetNamespaces: + - include-default-og --- # Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 diff --git a/tests/common-golang-external-secrets-industrial-edge-factory.expected.yaml b/tests/common-golang-external-secrets-industrial-edge-factory.expected.yaml index 1f2e2925..012d8fa0 100644 --- a/tests/common-golang-external-secrets-industrial-edge-factory.expected.yaml +++ b/tests/common-golang-external-secrets-industrial-edge-factory.expected.yaml 
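Review bot: The rendered `exclude-targetns-operator-group` ends with a bare `targetNamespaces:` (YAML null), which OLM treats the same as an omitted field, i.e. an OperatorGroup that selects all namespaces; if that is the intended semantics of `targetNamespaces: null` in the values file, a comment in the source template saying so would stop the next reader from reading it as "no namespaces". The `include-default-og` section also renders two consecutive `---` with the `# Source:` comment between them, producing an empty document and detaching the comment from its resource; this looks like the template emitting its own separator on top of helm's, which is harmless to apply but worth removing at the template level.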
@@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- 
@@ -278,16 +278,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -306,7 +318,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." properties: apiVersion: default: generators.external-secrets.io/v1alpha1 @@ -350,16 +362,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported 
@@ -376,10 +400,18 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string name: description: Finds secrets based on the name. @@ -414,6 +446,15 @@ spec: - source - target type: object + transform: + description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + properties: + template: + description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + type: string + required: + - template + type: object type: object type: array sourceRef: @@ -421,7 +462,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: GeneratorRef points to a generator custom resource. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 @@ -506,9 +547,16 @@ spec: type: object engineVersion: default: v2 + description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string mergePolicy: default: Replace + enum: + - Replace + - Merge type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -534,6 +582,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -556,6 +607,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -569,6 +623,10 @@ spec: type: object target: default: Data + enum: + - Data + - Annotations + - Labels type: string type: object type: array 
@@ -608,12 +666,16 @@ spec: type: object type: object x-kubernetes-map-type: atomic + namespaces: + description: Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing. + items: + type: string + type: array refreshTime: - description: The time in which the controller should reconcile it's objects and recheck namespaces for labels. + description: The time in which the controller should reconcile its objects and recheck namespaces for labels. type: string required: - externalSecretSpec - - namespaceSelector type: object status: description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret. @@ -1325,7 +1387,7 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -1371,9 +1433,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -2080,7 +2173,7 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role + description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role items: type: string type: array 
@@ -2159,8 +2252,19 @@ spec: description: AWS Region to be used for the provider type: string role: - description: Role is a Role ARN which the SecretManager provider will assume + description: Role is a Role ARN which the provider will assume type: string + secretsManager: + description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager + properties: + forceDeleteWithoutRecovery: + description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + type: boolean + recoveryWindowInDays: + description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + format: int64 + type: integer + type: object service: description: Service defines which service should be used to fetch the secrets enum: @@ -2181,7 +2285,7 @@ spec: type: object type: array transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with SecretStore + description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider items: type: string type: array 
@@ -2308,11 +2412,72 @@ spec: - apiKeyRef - userRef type: object - required: - - apikey + jwt: + properties: + account: + type: string + secretRef: + description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + serviceAccountRef: + description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + serviceID: + description: The conjur authn jwt webservice id + type: string + required: + - account + - serviceID + type: object type: object caBundle: type: string + caProvider: + description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. 
+ properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object url: type: string required: @@ -2444,6 +2609,7 @@ spec: valueMap: additionalProperties: type: string + description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' type: object version: type: string 
@@ -2828,9 +2994,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -3734,6 +3931,9 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string key: description: Key is the key used in the Provider, mandatory @@ -3762,6 +3962,9 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string key: description: Key is the key used in the Provider, mandatory 
@@ -3798,6 +4001,10 @@ spec: creationPolicy: default: Owner description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + enum: + - Owner + - Merge + - None type: string immutable: description: Immutable defines if the final secret will be immutable @@ -3815,6 +4022,9 @@ spec: engineVersion: default: v1 description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -3960,16 +4170,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -3988,7 +4210,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -4032,16 +4254,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -4058,10 +4292,18 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string name: description: Finds secrets based on the name. @@ -4096,6 +4338,15 @@ spec: - source - target type: object + transform: + description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + properties: + template: + description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + type: string + required: + - template + type: object type: object type: array sourceRef: @@ -4103,7 +4354,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: GeneratorRef points to a generator custom resource. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -4188,9 +4439,16 @@ spec: type: object engineVersion: default: v2 + description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string mergePolicy: default: Replace + enum: + - Replace + - Merge type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -4216,6 +4474,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -4238,6 +4499,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -4251,6 +4515,10 @@ spec: type: object target: default: Data + enum: + - Data + - Annotations + - Labels type: string type: object type: array @@ -4624,7 +4892,6 @@ spec: type: string required: - remoteRef - - secretKey type: object metadata: description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. @@ -4636,6 +4903,9 @@ spec: deletionPolicy: default: None description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".' + enum: + - Delete + - None type: string refreshInterval: description: The Interval to which External Secrets will try to push a secret definition @@ -4755,7 +5025,6 @@ spec: type: string required: - remoteRef - - secretKey type: object metadata: description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. 
@@ -5439,7 +5708,7 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -5485,9 +5754,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -6194,7 +6494,7 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role + description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role items: type: string type: array 
@@ -6273,8 +6573,19 @@ spec: description: AWS Region to be used for the provider type: string role: - description: Role is a Role ARN which the SecretManager provider will assume + description: Role is a Role ARN which the provider will assume type: string + secretsManager: + description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager + properties: + forceDeleteWithoutRecovery: + description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + type: boolean + recoveryWindowInDays: + description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + format: int64 + type: integer + type: object service: description: Service defines which service should be used to fetch the secrets enum: @@ -6295,7 +6606,7 @@ spec: type: object type: array transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with SecretStore + description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider items: type: string type: array 
@@ -6422,11 +6733,72 @@ spec: - apiKeyRef - userRef type: object - required: - - apikey + jwt: + properties: + account: + type: string + secretRef: + description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + serviceAccountRef: + description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + serviceID: + description: The conjur authn jwt webservice id + type: string + required: + - account + - serviceID + type: object type: object caBundle: type: string + caProvider: + description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. 
+ properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object url: type: string required: @@ -6558,6 +6930,7 @@ spec: valueMap: additionalProperties: type: string + description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' type: object version: type: string 
@@ -6942,9 +7315,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -8097,6 +8501,9 @@ spec: resultType: default: Data description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + enum: + - Data + - Auth type: string required: - path 
@@ -8124,10 +8531,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8191,10 +8598,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8300,10 +8707,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -8340,10 +8747,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" 
@@ -8384,10 +8791,10 @@ metadata: name: common-golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8405,10 +8812,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8425,10 +8832,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8461,10 +8868,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -8500,10 +8907,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8521,10 +8928,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -8545,10 +8952,10 @@ metadata: name: common-golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8560,10 +8967,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller 
@@ -8578,7 +8985,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi" imagePullPolicy: IfNotPresent args: - certcontroller @@ -8608,10 +9015,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8623,10 +9030,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: common-golang-external-secrets @@ -8641,10 +9048,11 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 + - --metrics-addr=:8080 ports: - containerPort: 8080 protocol: TCP @@ -8657,10 +9065,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -8672,10 +9080,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false @@ -8690,7 +9098,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi" imagePullPolicy: IfNotPresent args: - webhook diff --git a/tests/common-golang-external-secrets-industrial-edge-hub.expected.yaml b/tests/common-golang-external-secrets-industrial-edge-hub.expected.yaml index 7b2b7171..cb2ea2c2 100644 --- a/tests/common-golang-external-secrets-industrial-edge-hub.expected.yaml +++ b/tests/common-golang-external-secrets-industrial-edge-hub.expected.yaml @@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml 
@@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -278,16 +278,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -306,7 +318,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -350,16 +362,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -376,10 +400,18 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string name: description: Finds secrets based on the name. @@ -414,6 +446,15 @@ spec: - source - target type: object + transform: + description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + properties: + template: + description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + type: string + required: + - template + type: object type: object type: array sourceRef: @@ -421,7 +462,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: GeneratorRef points to a generator custom resource. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -506,9 +547,16 @@ spec: type: object engineVersion: default: v2 + description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string mergePolicy: default: Replace + enum: + - Replace + - Merge type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -534,6 +582,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -556,6 +607,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -569,6 +623,10 @@ spec: type: object target: default: Data + enum: + - Data + - Annotations + - Labels type: string type: object type: array @@ -608,12 +666,16 @@ spec: type: object type: object x-kubernetes-map-type: atomic + namespaces: + description: Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing. + items: + type: string + type: array refreshTime: - description: The time in which the controller should reconcile it's objects and recheck namespaces for labels. + description: The time in which the controller should reconcile its objects and recheck namespaces for labels. type: string required: - externalSecretSpec - - namespaceSelector type: object status: description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret. 
@@ -1325,7 +1387,7 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -1371,9 +1433,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -2080,7 +2173,7 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role + description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role items: type: string type: array 
@@ -2159,8 +2252,19 @@ spec: description: AWS Region to be used for the provider type: string role: - description: Role is a Role ARN which the SecretManager provider will assume + description: Role is a Role ARN which the provider will assume type: string + secretsManager: + description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager + properties: + forceDeleteWithoutRecovery: + description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + type: boolean + recoveryWindowInDays: + description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + format: int64 + type: integer + type: object service: description: Service defines which service should be used to fetch the secrets enum: @@ -2181,7 +2285,7 @@ spec: type: object type: array transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with SecretStore + description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider items: type: string type: array 
@@ -2308,11 +2412,72 @@ spec: - apiKeyRef - userRef type: object - required: - - apikey + jwt: + properties: + account: + type: string + secretRef: + description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + serviceAccountRef: + description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + serviceID: + description: The conjur authn jwt webservice id + type: string + required: + - account + - serviceID + type: object type: object caBundle: type: string + caProvider: + description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. 
+ properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object url: type: string required: @@ -2444,6 +2609,7 @@ spec: valueMap: additionalProperties: type: string + description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' type: object version: type: string 
@@ -2828,9 +2994,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -3734,6 +3931,9 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string key: description: Key is the key used in the Provider, mandatory @@ -3762,6 +3962,9 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string key: description: Key is the key used in the Provider, mandatory 
@@ -3798,6 +4001,10 @@ spec: creationPolicy: default: Owner description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + enum: + - Owner + - Merge + - None type: string immutable: description: Immutable defines if the final secret will be immutable @@ -3815,6 +4022,9 @@ spec: engineVersion: default: v1 description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -3960,16 +4170,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -3988,7 +4210,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -4032,16 +4254,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -4058,10 +4292,18 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string name: description: Finds secrets based on the name. @@ -4096,6 +4338,15 @@ spec: - source - target type: object + transform: + description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + properties: + template: + description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + type: string + required: + - template + type: object type: object type: array sourceRef: @@ -4103,7 +4354,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: GeneratorRef points to a generator custom resource. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -4188,9 +4439,16 @@ spec: type: object engineVersion: default: v2 + description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string mergePolicy: default: Replace + enum: + - Replace + - Merge type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -4216,6 +4474,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -4238,6 +4499,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -4251,6 +4515,10 @@ spec: type: object target: default: Data + enum: + - Data + - Annotations + - Labels type: string type: object type: array @@ -4624,7 +4892,6 @@ spec: type: string required: - remoteRef - - secretKey type: object metadata: description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. @@ -4636,6 +4903,9 @@ spec: deletionPolicy: default: None description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".' + enum: + - Delete + - None type: string refreshInterval: description: The Interval to which External Secrets will try to push a secret definition @@ -4755,7 +5025,6 @@ spec: type: string required: - remoteRef - - secretKey type: object metadata: description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. 
@@ -5439,7 +5708,7 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -5485,9 +5754,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -6194,7 +6494,7 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role + description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role items: type: string type: array 
@@ -6273,8 +6573,19 @@ spec: description: AWS Region to be used for the provider type: string role: - description: Role is a Role ARN which the SecretManager provider will assume + description: Role is a Role ARN which the provider will assume type: string + secretsManager: + description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager + properties: + forceDeleteWithoutRecovery: + description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + type: boolean + recoveryWindowInDays: + description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + format: int64 + type: integer + type: object service: description: Service defines which service should be used to fetch the secrets enum: @@ -6295,7 +6606,7 @@ spec: type: object type: array transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with SecretStore + description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider items: type: string type: array 
@@ -6422,11 +6733,72 @@ spec: - apiKeyRef - userRef type: object - required: - - apikey + jwt: + properties: + account: + type: string + secretRef: + description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + serviceAccountRef: + description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + serviceID: + description: The conjur authn jwt webservice id + type: string + required: + - account + - serviceID + type: object type: object caBundle: type: string + caProvider: + description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. 
+ properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object url: type: string required: @@ -6558,6 +6930,7 @@ spec: valueMap: additionalProperties: type: string + description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' type: object version: type: string 
@@ -6942,9 +7315,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -8097,6 +8501,9 @@ spec: resultType: default: Data description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + enum: + - Data + - Auth type: string required: - path 
@@ -8124,10 +8531,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8191,10 +8598,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8300,10 +8707,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -8340,10 +8747,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" 
@@ -8384,10 +8791,10 @@ metadata: name: common-golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8405,10 +8812,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8425,10 +8832,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8461,10 +8868,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -8500,10 +8907,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8521,10 +8928,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -8545,10 +8952,10 @@ metadata: name: common-golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8560,10 +8967,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller 
@@ -8578,7 +8985,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi" imagePullPolicy: IfNotPresent args: - certcontroller @@ -8608,10 +9015,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8623,10 +9030,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: common-golang-external-secrets @@ -8641,10 +9048,11 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 + - --metrics-addr=:8080 ports: - containerPort: 8080 protocol: TCP @@ -8657,10 +9065,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -8672,10 +9080,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false @@ -8690,7 +9098,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi" imagePullPolicy: IfNotPresent args: - webhook diff --git a/tests/common-golang-external-secrets-medical-diagnosis-hub.expected.yaml b/tests/common-golang-external-secrets-medical-diagnosis-hub.expected.yaml index 7b2b7171..cb2ea2c2 100644 --- a/tests/common-golang-external-secrets-medical-diagnosis-hub.expected.yaml +++ b/tests/common-golang-external-secrets-medical-diagnosis-hub.expected.yaml @@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml 
@@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -278,16 +278,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -306,7 +318,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -350,16 +362,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -376,10 +400,18 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string name: description: Finds secrets based on the name. @@ -414,6 +446,15 @@ spec: - source - target type: object + transform: + description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + properties: + template: + description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + type: string + required: + - template + type: object type: object type: array sourceRef: @@ -421,7 +462,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: GeneratorRef points to a generator custom resource. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -506,9 +547,16 @@ spec: type: object engineVersion: default: v2 + description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string mergePolicy: default: Replace + enum: + - Replace + - Merge type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -534,6 +582,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -556,6 +607,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -569,6 +623,10 @@ spec: type: object target: default: Data + enum: + - Data + - Annotations + - Labels type: string type: object type: array @@ -608,12 +666,16 @@ spec: type: object type: object x-kubernetes-map-type: atomic + namespaces: + description: Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing. + items: + type: string + type: array refreshTime: - description: The time in which the controller should reconcile it's objects and recheck namespaces for labels. + description: The time in which the controller should reconcile its objects and recheck namespaces for labels. type: string required: - externalSecretSpec - - namespaceSelector type: object status: description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret. 
@@ -1325,7 +1387,7 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -1371,9 +1433,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -2080,7 +2173,7 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role + description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role items: type: string type: array 
@@ -2159,8 +2252,19 @@ spec: description: AWS Region to be used for the provider type: string role: - description: Role is a Role ARN which the SecretManager provider will assume + description: Role is a Role ARN which the provider will assume type: string + secretsManager: + description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager + properties: + forceDeleteWithoutRecovery: + description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + type: boolean + recoveryWindowInDays: + description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + format: int64 + type: integer + type: object service: description: Service defines which service should be used to fetch the secrets enum: @@ -2181,7 +2285,7 @@ spec: type: object type: array transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with SecretStore + description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider items: type: string type: array 
@@ -2308,11 +2412,72 @@ spec: - apiKeyRef - userRef type: object - required: - - apikey + jwt: + properties: + account: + type: string + secretRef: + description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + serviceAccountRef: + description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + serviceID: + description: The conjur authn jwt webservice id + type: string + required: + - account + - serviceID + type: object type: object caBundle: type: string + caProvider: + description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. 
+ properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object url: type: string required: @@ -2444,6 +2609,7 @@ spec: valueMap: additionalProperties: type: string + description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' type: object version: type: string 
@@ -2828,9 +2994,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -3734,6 +3931,9 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string key: description: Key is the key used in the Provider, mandatory @@ -3762,6 +3962,9 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string key: description: Key is the key used in the Provider, mandatory 
@@ -3798,6 +4001,10 @@ spec: creationPolicy: default: Owner description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + enum: + - Owner + - Merge + - None type: string immutable: description: Immutable defines if the final secret will be immutable @@ -3815,6 +4022,9 @@ spec: engineVersion: default: v1 description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -3960,16 +4170,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -3988,7 +4210,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -4032,16 +4254,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -4058,10 +4292,18 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string name: description: Finds secrets based on the name. @@ -4096,6 +4338,15 @@ spec: - source - target type: object + transform: + description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + properties: + template: + description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + type: string + required: + - template + type: object type: object type: array sourceRef: @@ -4103,7 +4354,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: GeneratorRef points to a generator custom resource. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -4188,9 +4439,16 @@ spec: type: object engineVersion: default: v2 + description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string mergePolicy: default: Replace + enum: + - Replace + - Merge type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -4216,6 +4474,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -4238,6 +4499,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -4251,6 +4515,10 @@ spec: type: object target: default: Data + enum: + - Data + - Annotations + - Labels type: string type: object type: array @@ -4624,7 +4892,6 @@ spec: type: string required: - remoteRef - - secretKey type: object metadata: description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. @@ -4636,6 +4903,9 @@ spec: deletionPolicy: default: None description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".' + enum: + - Delete + - None type: string refreshInterval: description: The Interval to which External Secrets will try to push a secret definition @@ -4755,7 +5025,6 @@ spec: type: string required: - remoteRef - - secretKey type: object metadata: description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. 
@@ -5439,7 +5708,7 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -5485,9 +5754,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -6194,7 +6494,7 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role + description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role items: type: string type: array 
@@ -6273,8 +6573,19 @@ spec: description: AWS Region to be used for the provider type: string role: - description: Role is a Role ARN which the SecretManager provider will assume + description: Role is a Role ARN which the provider will assume type: string + secretsManager: + description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager + properties: + forceDeleteWithoutRecovery: + description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + type: boolean + recoveryWindowInDays: + description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + format: int64 + type: integer + type: object service: description: Service defines which service should be used to fetch the secrets enum: @@ -6295,7 +6606,7 @@ spec: type: object type: array transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with SecretStore + description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider items: type: string type: array 
@@ -6422,11 +6733,72 @@ spec: - apiKeyRef - userRef type: object - required: - - apikey + jwt: + properties: + account: + type: string + secretRef: + description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + serviceAccountRef: + description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + serviceID: + description: The conjur authn jwt webservice id + type: string + required: + - account + - serviceID + type: object type: object caBundle: type: string + caProvider: + description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. 
+ properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object url: type: string required: @@ -6558,6 +6930,7 @@ spec: valueMap: additionalProperties: type: string + description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' type: object version: type: string 
@@ -6942,9 +7315,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -8097,6 +8501,9 @@ spec: resultType: default: Data description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + enum: + - Data + - Auth type: string required: - path 
@@ -8124,10 +8531,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8191,10 +8598,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8300,10 +8707,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -8340,10 +8747,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" 
@@ -8384,10 +8791,10 @@ metadata: name: common-golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8405,10 +8812,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8425,10 +8832,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8461,10 +8868,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -8500,10 +8907,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8521,10 +8928,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -8545,10 +8952,10 @@ metadata: name: common-golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8560,10 +8967,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller 
@@ -8578,7 +8985,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi" imagePullPolicy: IfNotPresent args: - certcontroller @@ -8608,10 +9015,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8623,10 +9030,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: common-golang-external-secrets @@ -8641,10 +9048,11 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 + - --metrics-addr=:8080 ports: - containerPort: 8080 protocol: TCP @@ -8657,10 +9065,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -8672,10 +9080,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false @@ -8690,7 +9098,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi" imagePullPolicy: IfNotPresent args: - webhook diff --git a/tests/common-golang-external-secrets-naked.expected.yaml b/tests/common-golang-external-secrets-naked.expected.yaml index 0e02057e..f8780cc0 100644 --- a/tests/common-golang-external-secrets-naked.expected.yaml +++ b/tests/common-golang-external-secrets-naked.expected.yaml @@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml 
@@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -278,16 +278,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -306,7 +318,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -350,16 +362,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -376,10 +400,18 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string name: description: Finds secrets based on the name. @@ -414,6 +446,15 @@ spec: - source - target type: object + transform: + description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + properties: + template: + description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + type: string + required: + - template + type: object type: object type: array sourceRef: @@ -421,7 +462,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: GeneratorRef points to a generator custom resource. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -506,9 +547,16 @@ spec: type: object engineVersion: default: v2 + description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string mergePolicy: default: Replace + enum: + - Replace + - Merge type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -534,6 +582,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -556,6 +607,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -569,6 +623,10 @@ spec: type: object target: default: Data + enum: + - Data + - Annotations + - Labels type: string type: object type: array @@ -608,12 +666,16 @@ spec: type: object type: object x-kubernetes-map-type: atomic + namespaces: + description: Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing. + items: + type: string + type: array refreshTime: - description: The time in which the controller should reconcile it's objects and recheck namespaces for labels. + description: The time in which the controller should reconcile its objects and recheck namespaces for labels. type: string required: - externalSecretSpec - - namespaceSelector type: object status: description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret. 
@@ -1325,7 +1387,7 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -1371,9 +1433,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -2080,7 +2173,7 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role + description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role items: type: string type: array 
@@ -2159,8 +2252,19 @@ spec: description: AWS Region to be used for the provider type: string role: - description: Role is a Role ARN which the SecretManager provider will assume + description: Role is a Role ARN which the provider will assume type: string + secretsManager: + description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager + properties: + forceDeleteWithoutRecovery: + description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + type: boolean + recoveryWindowInDays: + description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + format: int64 + type: integer + type: object service: description: Service defines which service should be used to fetch the secrets enum: @@ -2181,7 +2285,7 @@ spec: type: object type: array transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with SecretStore + description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider items: type: string type: array 
@@ -2308,11 +2412,72 @@ spec: - apiKeyRef - userRef type: object - required: - - apikey + jwt: + properties: + account: + type: string + secretRef: + description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + serviceAccountRef: + description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + serviceID: + description: The conjur authn jwt webservice id + type: string + required: + - account + - serviceID + type: object type: object caBundle: type: string + caProvider: + description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. 
+ properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object url: type: string required: @@ -2444,6 +2609,7 @@ spec: valueMap: additionalProperties: type: string + description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' type: object version: type: string 
@@ -2828,9 +2994,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -3734,6 +3931,9 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string key: description: Key is the key used in the Provider, mandatory @@ -3762,6 +3962,9 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string key: description: Key is the key used in the Provider, mandatory 
@@ -3798,6 +4001,10 @@ spec: creationPolicy: default: Owner description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + enum: + - Owner + - Merge + - None type: string immutable: description: Immutable defines if the final secret will be immutable @@ -3815,6 +4022,9 @@ spec: engineVersion: default: v1 description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -3960,16 +4170,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -3988,7 +4210,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -4032,16 +4254,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -4058,10 +4292,18 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string name: description: Finds secrets based on the name. @@ -4096,6 +4338,15 @@ spec: - source - target type: object + transform: + description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + properties: + template: + description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + type: string + required: + - template + type: object type: object type: array sourceRef: @@ -4103,7 +4354,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: GeneratorRef points to a generator custom resource. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -4188,9 +4439,16 @@ spec: type: object engineVersion: default: v2 + description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string mergePolicy: default: Replace + enum: + - Replace + - Merge type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -4216,6 +4474,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -4238,6 +4499,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -4251,6 +4515,10 @@ spec: type: object target: default: Data + enum: + - Data + - Annotations + - Labels type: string type: object type: array @@ -4624,7 +4892,6 @@ spec: type: string required: - remoteRef - - secretKey type: object metadata: description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. @@ -4636,6 +4903,9 @@ spec: deletionPolicy: default: None description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".' + enum: + - Delete + - None type: string refreshInterval: description: The Interval to which External Secrets will try to push a secret definition @@ -4755,7 +5025,6 @@ spec: type: string required: - remoteRef - - secretKey type: object metadata: description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. 
@@ -5439,7 +5708,7 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -5485,9 +5754,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -6194,7 +6494,7 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role + description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role items: type: string type: array 
@@ -6273,8 +6573,19 @@ spec: description: AWS Region to be used for the provider type: string role: - description: Role is a Role ARN which the SecretManager provider will assume + description: Role is a Role ARN which the provider will assume type: string + secretsManager: + description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager + properties: + forceDeleteWithoutRecovery: + description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + type: boolean + recoveryWindowInDays: + description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + format: int64 + type: integer + type: object service: description: Service defines which service should be used to fetch the secrets enum: @@ -6295,7 +6606,7 @@ spec: type: object type: array transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with SecretStore + description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider items: type: string type: array 
@@ -6422,11 +6733,72 @@ spec: - apiKeyRef - userRef type: object - required: - - apikey + jwt: + properties: + account: + type: string + secretRef: + description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + serviceAccountRef: + description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + serviceID: + description: The conjur authn jwt webservice id + type: string + required: + - account + - serviceID + type: object type: object caBundle: type: string + caProvider: + description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. 
+ properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object url: type: string required: @@ -6558,6 +6930,7 @@ spec: valueMap: additionalProperties: type: string + description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' type: object version: type: string 
@@ -6942,9 +7315,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -8097,6 +8501,9 @@ spec: resultType: default: Data description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + enum: + - Data + - Auth type: string required: - path 
@@ -8124,10 +8531,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8191,10 +8598,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8300,10 +8707,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -8340,10 +8747,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" 
@@ -8384,10 +8791,10 @@ metadata: name: common-golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8405,10 +8812,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8425,10 +8832,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8461,10 +8868,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -8500,10 +8907,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8521,10 +8928,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -8545,10 +8952,10 @@ metadata: name: common-golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8560,10 +8967,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller 
@@ -8578,7 +8985,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi" imagePullPolicy: IfNotPresent args: - certcontroller @@ -8608,10 +9015,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8623,10 +9030,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: common-golang-external-secrets @@ -8641,10 +9048,11 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 + - --metrics-addr=:8080 ports: - containerPort: 8080 protocol: TCP @@ -8657,10 +9065,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -8672,10 +9080,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false @@ -8690,7 +9098,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi" imagePullPolicy: IfNotPresent args: - webhook diff --git a/tests/common-golang-external-secrets-normal.expected.yaml b/tests/common-golang-external-secrets-normal.expected.yaml index 7b2b7171..cb2ea2c2 100644 --- a/tests/common-golang-external-secrets-normal.expected.yaml +++ b/tests/common-golang-external-secrets-normal.expected.yaml @@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml 
@@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -278,16 +278,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -306,7 +318,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -350,16 +362,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -376,10 +400,18 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string name: description: Finds secrets based on the name. @@ -414,6 +446,15 @@ spec: - source - target type: object + transform: + description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + properties: + template: + description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + type: string + required: + - template + type: object type: object type: array sourceRef: @@ -421,7 +462,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: GeneratorRef points to a generator custom resource. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -506,9 +547,16 @@ spec: type: object engineVersion: default: v2 + description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string mergePolicy: default: Replace + enum: + - Replace + - Merge type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -534,6 +582,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -556,6 +607,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -569,6 +623,10 @@ spec: type: object target: default: Data + enum: + - Data + - Annotations + - Labels type: string type: object type: array @@ -608,12 +666,16 @@ spec: type: object type: object x-kubernetes-map-type: atomic + namespaces: + description: Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing. + items: + type: string + type: array refreshTime: - description: The time in which the controller should reconcile it's objects and recheck namespaces for labels. + description: The time in which the controller should reconcile its objects and recheck namespaces for labels. type: string required: - externalSecretSpec - - namespaceSelector type: object status: description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret. 
@@ -1325,7 +1387,7 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -1371,9 +1433,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -2080,7 +2173,7 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role + description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role items: type: string type: array 
@@ -2159,8 +2252,19 @@ spec: description: AWS Region to be used for the provider type: string role: - description: Role is a Role ARN which the SecretManager provider will assume + description: Role is a Role ARN which the provider will assume type: string + secretsManager: + description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager + properties: + forceDeleteWithoutRecovery: + description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + type: boolean + recoveryWindowInDays: + description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + format: int64 + type: integer + type: object service: description: Service defines which service should be used to fetch the secrets enum: @@ -2181,7 +2285,7 @@ spec: type: object type: array transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with SecretStore + description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider items: type: string type: array 
@@ -2308,11 +2412,72 @@ spec: - apiKeyRef - userRef type: object - required: - - apikey + jwt: + properties: + account: + type: string + secretRef: + description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + serviceAccountRef: + description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + serviceID: + description: The conjur authn jwt webservice id + type: string + required: + - account + - serviceID + type: object type: object caBundle: type: string + caProvider: + description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. 
+ properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object url: type: string required: @@ -2444,6 +2609,7 @@ spec: valueMap: additionalProperties: type: string + description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' type: object version: type: string 
@@ -2828,9 +2994,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -3734,6 +3931,9 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string key: description: Key is the key used in the Provider, mandatory @@ -3762,6 +3962,9 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string key: description: Key is the key used in the Provider, mandatory 
@@ -3798,6 +4001,10 @@ spec: creationPolicy: default: Owner description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + enum: + - Owner + - Merge + - None type: string immutable: description: Immutable defines if the final secret will be immutable @@ -3815,6 +4022,9 @@ spec: engineVersion: default: v1 description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -3960,16 +4170,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -3988,7 +4210,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -4032,16 +4254,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -4058,10 +4292,18 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string name: description: Finds secrets based on the name. @@ -4096,6 +4338,15 @@ spec: - source - target type: object + transform: + description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + properties: + template: + description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + type: string + required: + - template + type: object type: object type: array sourceRef: @@ -4103,7 +4354,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: GeneratorRef points to a generator custom resource. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -4188,9 +4439,16 @@ spec: type: object engineVersion: default: v2 + description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string mergePolicy: default: Replace + enum: + - Replace + - Merge type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -4216,6 +4474,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -4238,6 +4499,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -4251,6 +4515,10 @@ spec: type: object target: default: Data + enum: + - Data + - Annotations + - Labels type: string type: object type: array @@ -4624,7 +4892,6 @@ spec: type: string required: - remoteRef - - secretKey type: object metadata: description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. @@ -4636,6 +4903,9 @@ spec: deletionPolicy: default: None description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".' + enum: + - Delete + - None type: string refreshInterval: description: The Interval to which External Secrets will try to push a secret definition @@ -4755,7 +5025,6 @@ spec: type: string required: - remoteRef - - secretKey type: object metadata: description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. 
@@ -5439,7 +5708,7 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -5485,9 +5754,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -6194,7 +6494,7 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role + description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role items: type: string type: array 
@@ -6273,8 +6573,19 @@ spec: description: AWS Region to be used for the provider type: string role: - description: Role is a Role ARN which the SecretManager provider will assume + description: Role is a Role ARN which the provider will assume type: string + secretsManager: + description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager + properties: + forceDeleteWithoutRecovery: + description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + type: boolean + recoveryWindowInDays: + description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + format: int64 + type: integer + type: object service: description: Service defines which service should be used to fetch the secrets enum: @@ -6295,7 +6606,7 @@ spec: type: object type: array transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with SecretStore + description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider items: type: string type: array 
@@ -6422,11 +6733,72 @@ spec: - apiKeyRef - userRef type: object - required: - - apikey + jwt: + properties: + account: + type: string + secretRef: + description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + serviceAccountRef: + description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + serviceID: + description: The conjur authn jwt webservice id + type: string + required: + - account + - serviceID + type: object type: object caBundle: type: string + caProvider: + description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. 
+ properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object url: type: string required: @@ -6558,6 +6930,7 @@ spec: valueMap: additionalProperties: type: string + description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' type: object version: type: string 
@@ -6942,9 +7315,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -8097,6 +8501,9 @@ spec: resultType: default: Data description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + enum: + - Data + - Auth type: string required: - path 
@@ -8124,10 +8531,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8191,10 +8598,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8300,10 +8707,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -8340,10 +8747,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" 
@@ -8384,10 +8791,10 @@ metadata: name: common-golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8405,10 +8812,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8425,10 +8832,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8461,10 +8868,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -8500,10 +8907,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8521,10 +8928,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -8545,10 +8952,10 @@ metadata: name: common-golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8560,10 +8967,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller 
@@ -8578,7 +8985,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi" imagePullPolicy: IfNotPresent args: - certcontroller @@ -8608,10 +9015,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8623,10 +9030,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: common-golang-external-secrets @@ -8641,10 +9048,11 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 + - --metrics-addr=:8080 ports: - containerPort: 8080 protocol: TCP @@ -8657,10 +9065,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -8672,10 +9080,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false @@ -8690,7 +9098,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi" imagePullPolicy: IfNotPresent args: - webhook diff --git a/tests/common-hashicorp-vault-industrial-edge-factory.expected.yaml b/tests/common-hashicorp-vault-industrial-edge-factory.expected.yaml index 1fc97cf0..0760b39c 100644 --- a/tests/common-hashicorp-vault-industrial-edge-factory.expected.yaml +++ b/tests/common-hashicorp-vault-industrial-edge-factory.expected.yaml @@ -4,9 +4,9 @@ apiVersion: v1 kind: ServiceAccount metadata: name: common-hashicorp-vault - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -16,9 +16,9 @@ apiVersion: v1 kind: ConfigMap metadata: name: common-hashicorp-vault-config - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -42,7 +42,7 @@ kind: ClusterRoleBinding metadata: name: common-hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -53,7 +53,7 @@ roleRef: subjects: - kind: ServiceAccount name: common-hashicorp-vault - namespace: default + namespace: pattern-namespace --- # Source: hashicorp-vault/charts/vault/templates/server-headless-service.yaml # Service for Vault cluster @@ -61,9 +61,9 @@ apiVersion: v1 kind: Service metadata: name: common-hashicorp-vault-internal - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -93,9 +93,9 @@ apiVersion: v1 kind: Service metadata: name: common-hashicorp-vault - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -124,9 +124,9 @@ apiVersion: v1 kind: Service metadata: name: common-hashicorp-vault-ui - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -148,7 +148,7 @@ apiVersion: apps/v1 kind: StatefulSet metadata: name: common-hashicorp-vault - namespace: default + namespace: pattern-namespace labels: app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault @@ -167,7 +167,7 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault component: server @@ -204,7 +204,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.14.0-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" 
@@ -317,6 +317,7 @@ spec: - metadata: name: data + spec: accessModes: - ReadWriteOnce @@ -343,9 +344,9 @@ kind: Route apiVersion: route.openshift.io/v1 metadata: name: common-hashicorp-vault - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -364,19 +365,19 @@ spec: apiVersion: v1 kind: Pod metadata: - name: "common-hashicorp-vault-server-test" - namespace: default + name: common-hashicorp-vault-server-test + namespace: pattern-namespace annotations: "helm.sh/hook": test spec: containers: - name: common-hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.14.0-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR - value: http://common-hashicorp-vault.default.svc:8200 + value: http://common-hashicorp-vault.pattern-namespace.svc:8200 - name: "VAULT_ADDR" value: "https://vault.vault.svc.cluster.local:8200" diff --git a/tests/common-hashicorp-vault-industrial-edge-hub.expected.yaml b/tests/common-hashicorp-vault-industrial-edge-hub.expected.yaml index 1fc97cf0..0760b39c 100644 --- a/tests/common-hashicorp-vault-industrial-edge-hub.expected.yaml +++ b/tests/common-hashicorp-vault-industrial-edge-hub.expected.yaml @@ -4,9 +4,9 @@ apiVersion: v1 kind: ServiceAccount metadata: name: common-hashicorp-vault - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm 
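Review bot: The rendered test Pod on the new side still carries two `VAULT_ADDR` entries: the updated `value: http://common-hashicorp-vault.pattern-namespace.svc:8200` is immediately followed by the unchanged, hard-coded `value: "https://vault.vault.svc.cluster.local:8200"`, and Kubernetes appears to honour the later of two same-named env entries, so the namespace change on the new side is likely ineffective and the hook pod still targets the hard-coded address. The two values also disagree on scheme (plain http versus https), which makes it unclear which endpoint and transport the test actually exercises. Since this is a generated expected file, the duplicate should be resolved in the chart template or values that produce it rather than edited here; the same pair of entries is present in the corresponding hunks of the industrial-edge-hub, medical-diagnosis-hub and normal expected files in this diff.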
@@ -16,9 +16,9 @@ apiVersion: v1 kind: ConfigMap metadata: name: common-hashicorp-vault-config - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -42,7 +42,7 @@ kind: ClusterRoleBinding metadata: name: common-hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -53,7 +53,7 @@ roleRef: subjects: - kind: ServiceAccount name: common-hashicorp-vault - namespace: default + namespace: pattern-namespace --- # Source: hashicorp-vault/charts/vault/templates/server-headless-service.yaml # Service for Vault cluster @@ -61,9 +61,9 @@ apiVersion: v1 kind: Service metadata: name: common-hashicorp-vault-internal - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -93,9 +93,9 @@ apiVersion: v1 kind: Service metadata: name: common-hashicorp-vault - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -124,9 +124,9 @@ apiVersion: v1 kind: Service metadata: name: common-hashicorp-vault-ui - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -148,7 +148,7 @@ apiVersion: apps/v1 kind: StatefulSet metadata: name: common-hashicorp-vault - namespace: default + namespace: pattern-namespace labels: app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault @@ -167,7 +167,7 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault component: server @@ -204,7 +204,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.14.0-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -317,6 +317,7 @@ spec: - metadata: name: data + spec: accessModes: - ReadWriteOnce @@ -343,9 +344,9 @@ kind: Route apiVersion: route.openshift.io/v1 metadata: name: common-hashicorp-vault - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -364,19 +365,19 @@ spec: apiVersion: v1 kind: Pod metadata: - name: "common-hashicorp-vault-server-test" - namespace: default + name: common-hashicorp-vault-server-test + namespace: pattern-namespace annotations: "helm.sh/hook": test spec: containers: - name: common-hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.14.0-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR - value: http://common-hashicorp-vault.default.svc:8200 + value: http://common-hashicorp-vault.pattern-namespace.svc:8200 - name: "VAULT_ADDR" value: "https://vault.vault.svc.cluster.local:8200" diff --git a/tests/common-hashicorp-vault-medical-diagnosis-hub.expected.yaml b/tests/common-hashicorp-vault-medical-diagnosis-hub.expected.yaml index 1fc97cf0..0760b39c 100644 
--- a/tests/common-hashicorp-vault-medical-diagnosis-hub.expected.yaml +++ b/tests/common-hashicorp-vault-medical-diagnosis-hub.expected.yaml @@ -4,9 +4,9 @@ apiVersion: v1 kind: ServiceAccount metadata: name: common-hashicorp-vault - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -16,9 +16,9 @@ apiVersion: v1 kind: ConfigMap metadata: name: common-hashicorp-vault-config - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -42,7 +42,7 @@ kind: ClusterRoleBinding metadata: name: common-hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -53,7 +53,7 @@ roleRef: subjects: - kind: ServiceAccount name: common-hashicorp-vault - namespace: default + namespace: pattern-namespace --- # Source: hashicorp-vault/charts/vault/templates/server-headless-service.yaml # Service for Vault cluster @@ -61,9 +61,9 @@ apiVersion: v1 kind: Service metadata: name: common-hashicorp-vault-internal - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -93,9 +93,9 @@ apiVersion: v1 kind: Service metadata: name: common-hashicorp-vault - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -124,9 +124,9 @@ apiVersion: v1 kind: Service metadata: name: common-hashicorp-vault-ui - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -148,7 +148,7 @@ apiVersion: apps/v1 kind: StatefulSet metadata: name: common-hashicorp-vault - namespace: default + namespace: pattern-namespace labels: app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault @@ -167,7 +167,7 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault component: server @@ -204,7 +204,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.14.0-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -317,6 +317,7 @@ spec: - metadata: name: data + spec: accessModes: - ReadWriteOnce @@ -343,9 +344,9 @@ kind: Route apiVersion: route.openshift.io/v1 metadata: name: common-hashicorp-vault - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -364,19 +365,19 @@ spec: apiVersion: v1 kind: Pod metadata: - name: "common-hashicorp-vault-server-test" - namespace: default + name: common-hashicorp-vault-server-test + namespace: pattern-namespace annotations: "helm.sh/hook": test spec: containers: - name: common-hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.14.0-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR - value: http://common-hashicorp-vault.default.svc:8200 + value: http://common-hashicorp-vault.pattern-namespace.svc:8200 - name: "VAULT_ADDR" value: "https://vault.vault.svc.cluster.local:8200" diff --git a/tests/common-hashicorp-vault-naked.expected.yaml b/tests/common-hashicorp-vault-naked.expected.yaml index edd614b8..58a88890 100644 --- a/tests/common-hashicorp-vault-naked.expected.yaml +++ b/tests/common-hashicorp-vault-naked.expected.yaml @@ -6,7 +6,7 @@ metadata: name: common-hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -18,7 +18,7 @@ metadata: name: common-hashicorp-vault-config namespace: default labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -42,7 +42,7 @@ kind: ClusterRoleBinding metadata: name: common-hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -63,7 +63,7 @@ metadata: name: common-hashicorp-vault-internal namespace: default labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -95,7 +95,7 @@ metadata: name: common-hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -126,7 +126,7 @@ metadata: name: common-hashicorp-vault-ui namespace: default labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -167,7 +167,7 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault component: server @@ -204,7 +204,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.14.0-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -317,6 +317,7 @@ spec: - metadata: name: data + spec: accessModes: - ReadWriteOnce @@ -345,7 +346,7 @@ metadata: name: common-hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -364,7 +365,7 @@ spec: apiVersion: v1 kind: Pod metadata: - name: "common-hashicorp-vault-server-test" + name: common-hashicorp-vault-server-test namespace: default annotations: "helm.sh/hook": test 
@@ -372,7 +373,7 @@ spec: containers: - name: common-hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.14.0-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/tests/common-hashicorp-vault-normal.expected.yaml b/tests/common-hashicorp-vault-normal.expected.yaml index 1fc97cf0..0760b39c 100644 --- a/tests/common-hashicorp-vault-normal.expected.yaml +++ b/tests/common-hashicorp-vault-normal.expected.yaml @@ -4,9 +4,9 @@ apiVersion: v1 kind: ServiceAccount metadata: name: common-hashicorp-vault - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -16,9 +16,9 @@ apiVersion: v1 kind: ConfigMap metadata: name: common-hashicorp-vault-config - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -42,7 +42,7 @@ kind: ClusterRoleBinding metadata: name: common-hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -53,7 +53,7 @@ roleRef: subjects: - kind: ServiceAccount name: common-hashicorp-vault - namespace: default + namespace: pattern-namespace --- # Source: hashicorp-vault/charts/vault/templates/server-headless-service.yaml # Service for Vault cluster 
@@ -61,9 +61,9 @@ apiVersion: v1 kind: Service metadata: name: common-hashicorp-vault-internal - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -93,9 +93,9 @@ apiVersion: v1 kind: Service metadata: name: common-hashicorp-vault - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -124,9 +124,9 @@ apiVersion: v1 kind: Service metadata: name: common-hashicorp-vault-ui - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -148,7 +148,7 @@ apiVersion: apps/v1 kind: StatefulSet metadata: name: common-hashicorp-vault - namespace: default + namespace: pattern-namespace labels: app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault @@ -167,7 +167,7 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault component: server @@ -204,7 +204,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.14.0-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -317,6 +317,7 @@ spec: - metadata: name: data + spec: accessModes: - ReadWriteOnce 
@@ -343,9 +344,9 @@ kind: Route apiVersion: route.openshift.io/v1 metadata: name: common-hashicorp-vault - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -364,19 +365,19 @@ spec: apiVersion: v1 kind: Pod metadata: - name: "common-hashicorp-vault-server-test" - namespace: default + name: common-hashicorp-vault-server-test + namespace: pattern-namespace annotations: "helm.sh/hook": test spec: containers: - name: common-hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.14.0-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR - value: http://common-hashicorp-vault.default.svc:8200 + value: http://common-hashicorp-vault.pattern-namespace.svc:8200 - name: "VAULT_ADDR" value: "https://vault.vault.svc.cluster.local:8200"