diff --git a/common/.github/workflows/ansible-unittest.yml b/common/.github/workflows/ansible-unittest.yml index 90d4507f..c9f7485a 100644 --- a/common/.github/workflows/ansible-unittest.yml +++ b/common/.github/workflows/ansible-unittest.yml @@ -38,7 +38,7 @@ jobs: fetch-depth: 0 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v4 + uses: actions/setup-python@v5 with: python-version: ${{ matrix.python-version }} diff --git a/common/.github/workflows/jsonschema.yaml b/common/.github/workflows/jsonschema.yaml index ad83173a..e47de928 100644 --- a/common/.github/workflows/jsonschema.yaml +++ b/common/.github/workflows/jsonschema.yaml @@ -38,7 +38,7 @@ jobs: fetch-depth: 0 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v4 + uses: actions/setup-python@v5 with: python-version: ${{ matrix.python-version }} diff --git a/common/Makefile b/common/Makefile index f0593552..af2c82f1 100644 --- a/common/Makefile +++ b/common/Makefile @@ -44,6 +44,13 @@ help: ## This help message show: ## show the starting template without installing it helm template common/operator-install/ --name-template $(NAME) $(HELM_OPTS) +preview-all: + @common/scripts/preview-all.sh $(TARGET_REPO) $(TARGET_BRANCH) + +preview-%: + CLUSTERGROUP?=$(shell yq ".main.clusterGroupName" values-global.yaml) + @common/scripts/preview.sh $(CLUSTERGROUP) $* $(TARGET_REPO) $(TARGET_BRANCH) + .PHONY: operator-deploy operator-deploy operator-upgrade: validate-prereq validate-origin validate-cluster ## runs helm install @set -e -o pipefail diff --git a/common/acm/.github/workflows/update-helm-repo.yml b/common/acm/.github/workflows/update-helm-repo.yml index 8c658a18..c12af2b5 100644 --- a/common/acm/.github/workflows/update-helm-repo.yml +++ b/common/acm/.github/workflows/update-helm-repo.yml 
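Review bot: `CLUSTERGROUP?=$(shell yq ".main.clusterGroupName" values-global.yaml)` sits inside the `preview-%` recipe, so if that line is tab-indented (the collapsed diff does not show the indent character) it is handed to the shell as a command rather than being a make variable assignment, and `$(CLUSTERGROUP)` on the next line expands only to whatever the caller set on the command line. Moving it above the rule as a file-level `CLUSTERGROUP ?= $(shell yq ".main.clusterGroupName" values-global.yaml)` keeps the overridable default and leaves the recipe as a single script call. `$(TARGET_REPO)` and `$(TARGET_BRANCH)` are also passed unquoted in both new targets, so a value containing whitespace is split into extra arguments; `"$(TARGET_REPO)" "$(TARGET_BRANCH)"` avoids that.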
@@ -18,12 +18,12 @@ on: jobs: helmlint: - uses: validatedpatterns/helm-charts/.github/workflows/helmlint.yml@main + uses: validatedpatterns/helm-charts/.github/workflows/helmlint.yml@985ba37e0eb50b1b35ec194fc999eae2d0ae1486 permissions: contents: read update-helm-repo: needs: [helmlint] - uses: validatedpatterns/helm-charts/.github/workflows/update-helm-repo.yml@main + uses: validatedpatterns/helm-charts/.github/workflows/update-helm-repo.yml@985ba37e0eb50b1b35ec194fc999eae2d0ae1486 permissions: read-all secrets: inherit diff --git a/common/acm/templates/policies/private-repo-policies.yaml b/common/acm/templates/policies/private-repo-policies.yaml new file mode 100644 index 00000000..0b7db0da --- /dev/null +++ b/common/acm/templates/policies/private-repo-policies.yaml 
@@ -0,0 +1,161 @@ +# We copy the vp-private-repo-credentials from the "openshift-gitops" namespace +# to the "open-cluster-management" via the "private-hub-policy" +# +# Then we copy the secret from the "open-cluster-management" namespace to the +# managed clusters "openshift-gitops" instance +# +# And we also copy the same secret to the namespaced argo's namespace +{{ if $.Values.global.privateRepo }} +{{ if .Values.clusterGroup.isHubCluster }} +--- +apiVersion: policy.open-cluster-management.io/v1 +kind: Policy +metadata: + name: private-hub-policy + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/compare-options: IgnoreExtraneous +spec: + remediationAction: enforce + disabled: false + policy-templates: + - objectDefinition: + apiVersion: policy.open-cluster-management.io/v1 + kind: ConfigurationPolicy + metadata: + name: private-hub-config + spec: + remediationAction: enforce + severity: medium + namespaceSelector: + include: + - default + object-templates: + - complianceType: mustonlyhave + objectDefinition: + kind: Secret + apiVersion: v1 + type: Opaque + metadata: + name: vp-private-repo-credentials + namespace: open-cluster-management + labels: + argocd.argoproj.io/secret-type: repository + data: '{{ `{{copySecretData "openshift-gitops" "vp-private-repo-credentials"}}` }}' +--- +apiVersion: policy.open-cluster-management.io/v1 +kind: PlacementBinding +metadata: + name: private-hub-placement-binding + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +placementRef: + name: private-hub-placement + kind: PlacementRule + apiGroup: apps.open-cluster-management.io +subjects: + - name: private-hub-policy + kind: Policy + apiGroup: policy.open-cluster-management.io +--- +apiVersion: apps.open-cluster-management.io/v1 +kind: PlacementRule +metadata: + name: private-hub-placement + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + 
clusterConditions: + - status: 'True' + type: ManagedClusterConditionAvailable + clusterSelector: + matchExpressions: + - key: local-cluster + operator: In + values: + - 'true' +--- +{{ end }}{{- /* if .Values.clusterGroup.isHubCluster */}} +{{- range .Values.clusterGroup.managedClusterGroups }} +{{- $group := . }} +{{- if not .hostedArgoSites }} +apiVersion: policy.open-cluster-management.io/v1 +kind: Policy +metadata: + name: private-{{ .name }}-policy + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/compare-options: IgnoreExtraneous +spec: + remediationAction: enforce + disabled: false + policy-templates: + - objectDefinition: + apiVersion: policy.open-cluster-management.io/v1 + kind: ConfigurationPolicy + metadata: + name: private-{{ .name }}-config + spec: + remediationAction: enforce + severity: medium + namespaceSelector: + include: + - default + object-templates: + - complianceType: mustonlyhave + objectDefinition: + kind: Secret + apiVersion: v1 + type: Opaque + metadata: + name: vp-private-repo-credentials + namespace: openshift-gitops + labels: + argocd.argoproj.io/secret-type: repository + data: '{{ `{{hub copySecretData "open-cluster-management" "vp-private-repo-credentials" hub}}` }}' + - complianceType: mustonlyhave + objectDefinition: + kind: Secret + apiVersion: v1 + type: Opaque + metadata: + name: vp-private-repo-credentials + namespace: {{ $.Values.global.pattern }}-{{ .name }} + labels: + argocd.argoproj.io/secret-type: repository + data: '{{ `{{hub copySecretData "open-cluster-management" "vp-private-repo-credentials" hub}}` }}' +--- +apiVersion: policy.open-cluster-management.io/v1 +kind: PlacementBinding +metadata: + name: private-{{ .name }}-placement-binding + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +placementRef: + name: private-{{ .name }}-placement + kind: PlacementRule + apiGroup: apps.open-cluster-management.io +subjects: + - name: 
private-{{ .name }}-policy + kind: Policy + apiGroup: policy.open-cluster-management.io +--- +apiVersion: apps.open-cluster-management.io/v1 +kind: PlacementRule +metadata: + name: private-{{ .name }}-placement + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + clusterConditions: + - status: 'True' + type: ManagedClusterConditionAvailable + clusterSelector: + matchExpressions: + - key: local-cluster + operator: NotIn + values: + - 'true' +{{- end }}{{- /* if not .hostedArgoSites */}} +{{- end }}{{- /* range .Values.clusterGroup.managedClusterGroups */}} +{{- end }}{{- /* if $.Values.global.privateRepo */}} diff --git a/common/ansible/roles/iib_ci/README.md b/common/ansible/roles/iib_ci/README.md index 828daa05..98355ad9 100644 --- a/common/ansible/roles/iib_ci/README.md +++ b/common/ansible/roles/iib_ci/README.md @@ -54,7 +54,7 @@ export CHANNEL=$(oc get -n openshift-marketplace packagemanifests -l "catalog=ii make EXTRA_HELM_OPTS="--set main.extraParameters[0].name=clusterGroup.subscriptions.acm.source --set main.extraParameters[0].value=iib-${IIB} --set main.extraParameters[1].name=clusterGroup.subscriptions.acm.channel --set main.extraParameters[1].value=${CHANNEL}" install ``` -*Note*: This needs VP operator version >= 0.0.14 +*Note*: In this case `acm` is the name of the subscription in `values-hub.yaml` ### OCP 4.13 and onwards diff --git a/common/ansible/roles/iib_ci/tasks/mirror-related-images.yml b/common/ansible/roles/iib_ci/tasks/mirror-related-images.yml index 821e4be0..32a36c07 100644 --- a/common/ansible/roles/iib_ci/tasks/mirror-related-images.yml +++ b/common/ansible/roles/iib_ci/tasks/mirror-related-images.yml 
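Review bot: The managed-cluster policies copy the hub's `vp-private-repo-credentials` into both `openshift-gitops` and `{{ $.Values.global.pattern }}-{{ .name }}` on every cluster of each non-hosted group, which widens where the git credential is readable to anyone with secret read access in those namespaces on every spoke; a line in the header comment such as `# The credential copied here should be a read-only deploy token scoped to the pattern repository` would set that expectation for operators. The hub `ConfigurationPolicy` declares `namespaceSelector: include: - default` although its object-template sets `namespace: open-cluster-management` explicitly, so as far as this template goes the selector is dead configuration and a reader may assume the secret lands in `default`; dropping it or commenting why it is present would avoid that. The file also uses `PlacementRule`, which I believe is deprecated in favour of `Placement` in recent ACM releases — worth confirming against the ACM version the chart targets.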
@@ -89,7 +89,7 @@ image_urls: "{{ image_urls | default({}) | combine({item: {'mirrordest': mirror_dest + item | basename, 'mirrordest_nosha': (mirror_dest + item | basename) | regex_replace('@.*$', ''), - 'mirrordest_tag': iib}}, recursive=true) }}" + 'mirrordest_tag': 'tag-' + item | basename | regex_replace('^.*@sha256:', '')}}, recursive=true) }}" loop: "{{ all_images }}" when: use_internal_registry diff --git a/common/ansible/roles/iib_ci/templates/imageDigestMirror.yaml.j2 b/common/ansible/roles/iib_ci/templates/imageDigestMirror.yaml.j2 index d23ab9f2..1b04f321 100644 --- a/common/ansible/roles/iib_ci/templates/imageDigestMirror.yaml.j2 +++ b/common/ansible/roles/iib_ci/templates/imageDigestMirror.yaml.j2 @@ -10,9 +10,9 @@ spec: - mirrors: - {{ item.mirrordest_nosha }} source: {{ item.source_nosha }} - mirrorSourcePolicy: NeverContactSource + mirrorSourcePolicy: AllowContactingSource - mirrors: - {{ item.mirrordest_nosha }} source: {{ item.image_nosha }} - mirrorSourcePolicy: NeverContactSource + mirrorSourcePolicy: AllowContactingSource {% endfor %} diff --git a/common/ansible/roles/vault_utils/tasks/push_secrets.yaml b/common/ansible/roles/vault_utils/tasks/push_secrets.yaml index 9255a0ca..31d2878b 100644 --- a/common/ansible/roles/vault_utils/tasks/push_secrets.yaml +++ b/common/ansible/roles/vault_utils/tasks/push_secrets.yaml @@ -30,7 +30,9 @@ command: sh -c "vault list auth/{{ vault_hub }}/role | grep '{{ vault_hub }}-role'" register: vault_role_cmd - until: vault_role_cmd.rc == 0 + until: + - vault_role_cmd.rc is defined + - vault_role_cmd.rc == 0 retries: 20 delay: 45 changed_when: false diff --git a/common/clustergroup/.github/workflows/update-helm-repo.yml b/common/clustergroup/.github/workflows/update-helm-repo.yml index 8c658a18..fa1d6247 100644 --- a/common/clustergroup/.github/workflows/update-helm-repo.yml +++ b/common/clustergroup/.github/workflows/update-helm-repo.yml 
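Review bot: `'tag-' + item | basename | regex_replace('^.*@sha256:', '')` only strips a digest prefix, so for any entry of `all_images` that is referenced by tag rather than by digest the result is `tag-<name>:<tag>`, which is not a valid image tag. If `all_images` is guaranteed to hold digest references, a comment on this line saying so would document the assumption; otherwise appending `| regex_replace('[^A-Za-z0-9_.-]', '-')` keeps the value a legal tag in both cases. The enclosing `set_fact`-style task starts before this hunk.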
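Review bot: Switching both entries to `mirrorSourcePolicy: AllowContactingSource` means image pulls silently fall back to the upstream registry whenever the internal mirror misses, so a mirroring failure is no longer surfaced and the cluster is no longer guaranteed to pull only from the mirror; assuming this renders an ImageDigestMirrorSet as the file name suggests, content stays digest-pinned, but in disconnected or policy-constrained environments the previous `NeverContactSource` was the safety net. A short template comment explaining why fallback is now acceptable, or making the value a role variable such as `mirrorSourcePolicy: {{ mirror_source_policy | default('AllowContactingSource') }}`, would let callers keep the strict behaviour where they need it. The `for` loop enclosing these lines starts before the hunk.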
@@ -9,6 +9,7 @@ # - Contents: r/w # - Deployments: r/w # - Pages: r/w +# name: vp-patterns/update-helm-repo on: @@ -18,12 +19,12 @@ on: jobs: helmlint: - uses: validatedpatterns/helm-charts/.github/workflows/helmlint.yml@main + uses: validatedpatterns/helm-charts/.github/workflows/helmlint.yml@985ba37e0eb50b1b35ec194fc999eae2d0ae1486 permissions: contents: read update-helm-repo: needs: [helmlint] - uses: validatedpatterns/helm-charts/.github/workflows/update-helm-repo.yml@main + uses: validatedpatterns/helm-charts/.github/workflows/update-helm-repo.yml@985ba37e0eb50b1b35ec194fc999eae2d0ae1486 permissions: read-all secrets: inherit diff --git a/common/clustergroup/Chart.yaml b/common/clustergroup/Chart.yaml index 1256786b..345b8175 100644 --- a/common/clustergroup/Chart.yaml +++ b/common/clustergroup/Chart.yaml @@ -3,4 +3,4 @@ description: A Helm chart to create per-clustergroup ArgoCD applications and any keywords: - pattern name: clustergroup -version: 0.0.4 +version: 0.8.2 diff --git a/common/clustergroup/templates/_helpers.tpl b/common/clustergroup/templates/_helpers.tpl index e7736a6c..83b06a04 100644 --- a/common/clustergroup/templates/_helpers.tpl +++ b/common/clustergroup/templates/_helpers.tpl @@ -20,6 +20,8 @@ Default always defined top-level variables for helm charts value: {{ $.Values.global.hubClusterDomain }} - name: global.localClusterDomain value: {{ coalesce $.Values.global.localClusterDomain $.Values.global.hubClusterDomain }} +- name: global.privateRepo + value: {{ $.Values.global.privateRepo | quote }} {{- end }} {{/* clustergroup.globalvaluesparameters */}} diff --git a/common/clustergroup/templates/core/operatorgroup.yaml b/common/clustergroup/templates/core/operatorgroup.yaml index 66774fa6..cd679bd5 100644 --- a/common/clustergroup/templates/core/operatorgroup.yaml +++ b/common/clustergroup/templates/core/operatorgroup.yaml 
@@ -5,7 +5,7 @@ {{- if kindIs "map" $ns }} {{- range $k, $v := $ns }}{{- /* We loop here even though the map has always just one key */}} - + {{- if $v.operatorGroup }}{{- /* Checks if the user sets operatorGroup: false */}} apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -13,9 +13,15 @@ metadata: namespace: {{ $k }} spec: targetNamespaces: + {{- if (hasKey $v "targetNamespaces") }} + {{- range $v.targetNamespaces }}{{- /* We loop through the list of tergetnamespaces */}} + - {{ . }} + {{- end }}{{- /* End range targetNamespaces */}} + {{- else }} - {{ $k }} + {{- end }}{{- /* End of if operatorGroup */}} {{- end }}{{- /* range $k, $v := $ns */}} - + {{- end }}{{- /* End of if operatorGroup */}} {{- else if kindIs "string" $ns }} apiVersion: operators.coreos.com/v1 kind: OperatorGroup diff --git a/common/clustergroup/templates/imperative/_helpers.tpl b/common/clustergroup/templates/imperative/_helpers.tpl index 8a946b3c..f75e781e 100644 --- a/common/clustergroup/templates/imperative/_helpers.tpl +++ b/common/clustergroup/templates/imperative/_helpers.tpl @@ -1,3 +1,9 @@ +# Pseudo-code +# 1. Get the pattern's CR +# 2. If there is a secret called vp-private-repo-credentials in the current namespace, fetch it +# 3. If it is an http secret, generate the correct URL +# 4. If it is an ssh secret, create the private ssh key and make sure the git clone works + {{/* git-init InitContainer */}} {{- define "imperative.initcontainers.gitinit" }} - name: git-init 
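Review bot: The `{{- end }}` that closes `{{- if (hasKey $v "targetNamespaces") }}` carries the comment `End of if operatorGroup`, the same text as the real `operatorGroup` close a few lines later, so the two nested ends read as duplicates; `{{- end }}{{- /* End of if hasKey targetNamespaces */}}` on the first one, and `tergetnamespaces` → `targetNamespaces` in the range comment, would make the nesting clear. `{{- if $v.operatorGroup }}` also treats a map entry that omits the key as `operatorGroup: false`, whereas the string form of an entry always gets an OperatorGroup; if the intent is opt-out, as the comment suggests, `{{- if or (not (hasKey $v "operatorGroup")) $v.operatorGroup }}` preserves the default. Since `targetNamespaces` extends the operator's RBAC into every listed namespace, a comment noting that the list should only contain namespaces the pattern owns would help reviewers of values files. The surrounding `range $k, $v := $ns` starts before the first hunk and its enclosing `if` continues past the second.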
@@ -9,7 +15,28 @@ command: - 'sh' - '-c' - - "mkdir /git/{repo,home};git clone --single-branch --branch {{ $.Values.global.targetRevision }} --depth 1 -- {{ $.Values.global.repoURL }} /git/repo;chmod 0770 /git/{repo,home}" + - >- + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then + URL="{{ $.Values.global.repoURL }}"; + else + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{ `{{index .data.sshPrivateKey | base64decode}}` }}' &>/dev/null; then + U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{ `{{index .data.username | base64decode }}` }}')"; + P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{ `{{index .data.password | base64decode }}` }}')"; + URL=$(echo {{ $.Values.global.repoURL }} | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); + echo "USER/PASS: ${URL}"; + else + S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{ `{{index .data.sshPrivateKey | base64decode }}` }}')"; + mkdir -p --mode 0700 "${HOME}/.ssh"; + echo "${S}" > "${HOME}/.ssh/id_rsa"; + chmod 0600 "${HOME}/.ssh/id_rsa"; + URL=$(echo {{ $.Values.global.repoURL }} | sed -E "s/(https?:\/\/)/\1git@/"); + git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; + echo "SSH: ${URL}"; + fi; + fi; + mkdir /git/{repo,home}; + git clone --single-branch --branch {{ $.Values.global.targetRevision }} --depth 1 -- "${URL}" /git/repo; + chmod 0770 /git/{repo,home}; volumeMounts: - name: git mountPath: "/git" diff --git a/common/clustergroup/templates/plumbing/argocd-cmp-plugin-cms.yaml b/common/clustergroup/templates/plumbing/argocd-cmp-plugin-cms.yaml new file mode 100644 index 00000000..6f86c316 --- /dev/null +++ b/common/clustergroup/templates/plumbing/argocd-cmp-plugin-cms.yaml 
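Review bot: `echo "USER/PASS: ${URL}";` writes the repository URL with the username and password embedded into the init container's stdout, so the git credential ends up in `oc logs` and in any log aggregation; log the unmodified URL instead, e.g. `echo "USER/PASS: using credentials for {{ $.Values.global.repoURL }}";`. The SSH branch sets `-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no`, which accepts any host key and so removes the protection against a spoofed git host; `-o StrictHostKeyChecking=accept-new` together with a real known_hosts file, or a known-hosts entry carried in the secret, keeps the check. Two smaller points: the `sed -E "s/(https?:\/\/)/\1${U}:${P}@/"` substitution does not URL-encode `U`/`P`, so a password containing `/`, `&` or `@` breaks either the command or the resulting URL; and `&> /dev/null` is a bash-only redirection while the script runs under `sh -c`, so if the image's `sh` is dash the first `if` would take the else branch even when the secret is absent — worth confirming which image the init container uses. The init container definition begins before this hunk.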
@@ -0,0 +1,12 @@
+{{- range $cmp := $.Values.clusterGroup.argoCD.configManagementPlugins }}
+{{- if $cmp.pluginConfig }}
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: "argocd-cmp-{{ $cmp.name }}"
+ namespace: {{ $.Values.global.pattern }}-{{ $.Values.clusterGroup.name }}
+data:
+ "plugin.yaml": | {{ tpl $cmp.pluginConfig $ | nindent 4 }}
+{{- end }}
+{{- end }}
diff --git a/common/clustergroup/templates/plumbing/argocd.yaml b/common/clustergroup/templates/plumbing/argocd.yaml
index de83b53c..b0977e9c 100644
--- a/common/clustergroup/templates/plumbing/argocd.yaml
+++ b/common/clustergroup/templates/plumbing/argocd.yaml
@@ -36,36 +36,6 @@ spec: return hs applicationInstanceLabelKey: argocd.argoproj.io/instance - # Not the greatest way to pass git/quay info to sub-applications, but it will do until - # we can support helmChart with kustomize - # The other option is to pass them in as environment variables eg. BLUEPRINT_VERSION - configManagementPlugins: | - - name: kustomize-version - generate: - command: ["sh", "-c"] - args: ["kustomize version 1>&2 && exit 1"] - - name: kustomize-with-helm - generate: - command: ["kustomize"] - args: ["build", "--enable-helm"] - - name: helm-with-kustomize - init: - command: ["/bin/sh", "-c"] - args: ["helm dependency build"] - generate: - command: ["/bin/bash", "-c"] - args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} - -f $(git rev-parse --show-toplevel)/values-global.yaml - -f $(git rev-parse --show-toplevel)/values-{{ .Values.clusterGroup.name }}.yaml - --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL - --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION - --set global.namespace=$ARGOCD_APP_NAMESPACE - --set global.pattern={{ .Values.global.pattern }} - --set global.clusterDomain={{ .Values.global.clusterDomain }} - --set global.hubClusterDomain={{ .Values.global.hubClusterDomain }} - --set global.localClusterDomain={{ coalesce .Values.global.localClusterDomain .Values.global.hubClusterDomain }} - --set clusterGroup.name={{ .Values.clusterGroup.name }} - --post-renderer ./kustomize"] applicationSet: resources: limits: 
@@ -98,6 +68,45 @@ spec: rbac: defaultPolicy: role:admin repo: +{{- if len $.Values.clusterGroup.argoCD.initContainers }} + initContainers: {{ $.Values.clusterGroup.argoCD.initContainers | toPrettyJson }} +{{- end }} +{{- if len $.Values.clusterGroup.argoCD.configManagementPlugins }} + sidecarContainers: +{{- range $cmp := $.Values.clusterGroup.argoCD.configManagementPlugins }} + - name: {{ $cmp.name }} + command: [/var/run/argocd/argocd-cmp-server] +{{- if $cmp.pluginArgs }} + args: {{ $cmp.pluginArgs | toPrettyJson }} +{{- end }} + image: {{ $cmp.image }} + imagePullPolicy: {{ coalesce $cmp.imagePullPolicy "Always" }} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /var/run/argocd + name: var-files + - mountPath: /home/argocd/cmp-server/plugins + name: plugins + - mountPath: /tmp + name: cmp-tmp +{{- if $cmp.pluginConfig }} + - mountPath: /home/argocd/cmp-server/config/plugin.yaml + subPath: plugin.yaml + name: {{ $cmp.name }} +{{- end }} +{{- end }} +{{- end }} +{{- if len $.Values.clusterGroup.argoCD.configManagementPlugins }} + volumes: + - emptyDir: {} + name: cmp-tmp +{{- range $cmp := $.Values.clusterGroup.argoCD.configManagementPlugins }} + - configMap: + name: "argocd-cmp-{{ $cmp.name }}" + name: {{ $cmp.name }} +{{- end }} +{{- end }} resources: limits: cpu: "1" @@ -111,6 +120,12 @@ spec: kinds: - TaskRun - PipelineRun +{{- if .Values.global.excludeESO }} + - apiGroups: + - external-secrets.io + kinds: + - ExternalSecret +{{- end }} server: autoscale: enabled: false diff --git a/common/clustergroup/test.yaml b/common/clustergroup/test.yaml deleted file mode 100644 index 3c0afc6f..00000000 --- a/common/clustergroup/test.yaml +++ /dev/null 
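Review bot: The generated CMP sidecars run a user-supplied `{{ $cmp.image }}` with only `runAsNonRoot: true` under `securityContext`; since this container renders every application manifest for the cluster group, adding `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` beneath `runAsNonRoot: true` aligns it with the restricted profile without affecting `argocd-cmp-server`. `initContainers: {{ ... | toPrettyJson }}` and `args: {{ $cmp.pluginArgs | toPrettyJson }}` emit multi-line JSON whose continuation lines start at column 0 below an indented key, which some YAML parsers reject; `| toYaml | nindent 6` (matching the key's indent) avoids depending on parser leniency — worth a `helm template` check. `{{- if len ... }}` fails on a nil value, I believe, so a user who sets `argoCD.initContainers: null` gets a template error instead of an empty list; `{{- if $.Values.clusterGroup.argoCD.initContainers }}` handles both. The `repo:` block continues past the hunk.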
@@ -1,100 +0,0 @@ -clusterGroup: - name: hub - isHubCluster: true - - namespaces: - - open-cluster-management - - vault - - golang-external-secrets - - config-demo - - indexImages: - - name: snr - image: quay.io/mshitrit/self-node-remediation-manager-index:0.0.104 - - subscriptions: - acm: - name: advanced-cluster-management - namespace: open-cluster-management - channel: release-2.5 - csv: advanced-cluster-management.v2.5.0 - - projects: - - hub - - config-demo - - applications: - acm: - name: acm - namespace: open-cluster-management - project: hub - path: common/acm - ignoreDifferences: - - group: internal.open-cluster-management.io - kind: ManagedClusterInfo - jsonPointers: - - /spec/loggingCA - - vault: - name: vault - namespace: vault - project: hub - chart: vault - repoURL: https://helm.releases.hashicorp.com - targetRevision: v0.21.0 - overrides: - - name: global.openshift - value: "true" - - name: injector.enabled - value: "false" - - name: ui.enabled - value: "true" - - name: ui.serviceType - value: LoadBalancer - - name: server.route.enabled - value: "true" - - name: server.route.host - value: null - - name: server.route.tls.termination - value: edge - - name: server.image.repository - value: "registry.connect.redhat.com/hashicorp/vault" - - name: server.image.tag - value: "1.11.2-ubi" - - golang-external-secrets: - name: golang-external-secrets - namespace: golang-external-secrets - project: hub - path: common/golang-external-secrets - - config-demo: - name: config-demo - namespace: config-demo - project: config-demo - path: charts/all/config-demo - - imperative: - # NOTE: We *must* use lists and not hashes. 
As hashes lose ordering once parsed by helm - # The default schedule is every 10 minutes: imperative.schedule - # Total timeout of all jobs is 1h: imperative.activeDeadlineSeconds - # imagePullPolicy is set to always: imperative.imagePullPolicy - # For additional overrides that apply to the jobs, please refer to - # https://hybrid-cloud-patterns.io/imperative-actions/#additional-job-customizations - jobs: - - name: regional-ca - # ansible playbook to be run - playbook: ansible/playbooks/on-hub-get-regional-ca.yml - # per playbook timeout in seconds - timeout: 234 - # verbosity: "-v" - - managedClusterGroups: - region-one: - name: region-one - hostedArgoSites: - - perth - - sydney - helmOverrides: - - name: clusterGroup.isHubCluster - value: false diff --git a/common/clustergroup/values.schema.json b/common/clustergroup/values.schema.json index 4b94bf26..e88fc5a9 100644 --- a/common/clustergroup/values.schema.json +++ b/common/clustergroup/values.schema.json @@ -266,6 +266,13 @@ "type": "string" } }, + "operatorgroupExcludeTargetNS": { + "type": "array", + "description": "Specify the list of namespaces where the target namespace field in the corresponding operatorgroup object should be excluded.", + "items": { + "type": "string" + } + }, "hostedSite": { "type": "object", "items": { @@ -310,6 +317,9 @@ "$ref": "#/definitions/Applications" } }, + "argoCD": { + "$ref": "#/definitions/ArgoCD" + }, "imperative": { "$ref": "#/definitions/Imperative" }, 
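Review bot: The schema now documents `operatorgroupExcludeTargetNS`, but nothing in this diff reads that key — the OperatorGroup template consumes per-namespace `operatorGroup` and `targetNamespaces` fields instead, and those do not appear in the schema hunks here. Unless the `namespaces` item definition outside this hunk already admits the map form with those two keys, schema validation may reject the new `values-example.yaml` entries; either drop `operatorgroupExcludeTargetNS` or make its `description` name the template that implements it. The enclosing definition starts before the hunk.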
@@ -481,6 +491,54 @@ ], "title": "Applications" }, + "ArgoCD": { + "type": "object", + "description": "Details for configuring ArgoCD instances in particular", + "additionalProperties": false, + "properties": { + "configManagementPlugins": { + "type": "array", + "items": { + "$ref": "#/definitions/ArgoCDConfigManagementPlugin" + }, + "description": "The new configManagementPlugins array, will also generate configMaps to inject into the plugins" + }, + "initContainers": { + "type": "array", + "description": "A list of initContainers to add to the repo-server if needed" + } + } + }, + "ArgoCDConfigManagementPlugin": { + "type": "object", + "additionalProperties": true, + "properties": { + "name": { + "type": "string", + "description": "Name for the config management plugin" + }, + "image": { + "type": "string", + "description": "Image for a sidecar container" + }, + "imagePullPolicy": { + "type": "string", + "description": "Image pull policy for the sidecar. Defaults to 'Always'" + }, + "pluginConfig": { + "type": "string", + "description": "Configuration file to project into sidecar container. This will create a configMap if specified" + }, + "pluginArgs": { + "type": "array", + "description": "Additional args to pass to the cmpserver command, usually loglevel" + } + }, + "required": [ + "name", + "image" + ] + }, "IndexImages": { "type": "object", "description": "Details for overriding default catalog sources", diff --git a/common/clustergroup/values.yaml b/common/clustergroup/values.yaml index e9720d20..bb3a6e27 100644 --- a/common/clustergroup/values.yaml +++ b/common/clustergroup/values.yaml 
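Review bot: `ArgoCDConfigManagementPlugin.name` is used verbatim as a ConfigMap name and a volume name, so a `"pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$"` with a `"maxLength": 63` would reject invalid names at validation time rather than at apply time. `initContainers` and `pluginArgs` are declared as bare arrays; `"items": {"type": "string"}` for `pluginArgs` and `"items": {"type": "object"}` for `initContainers` would match how the templates consume them. `additionalProperties: true` on the plugin object while `ArgoCD` itself is closed is presumably deliberate, but since the sidecar template only reads `name`, `image`, `imagePullPolicy`, `pluginConfig` and `pluginArgs`, a `description` stating that extra keys are ignored would save the next reader a template lookup.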
@@ -18,10 +18,14 @@ clusterGroup: targetCluster: in-cluster sharedValueFiles: [] + argoCD: + initContainers: [] + configManagementPlugins: [] + imperative: jobs: [] # This image contains ansible + kubernetes.core by default and is used to run the jobs - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest namespace: "imperative" # configmap name in the namespace that will contain all helm values valuesConfigMap: "helm-values-configmap" diff --git a/common/examples/industrial-edge-factory.yaml b/common/examples/industrial-edge-factory.yaml index 9ed1e8d3..c60d0960 100644 --- a/common/examples/industrial-edge-factory.yaml +++ b/common/examples/industrial-edge-factory.yaml 
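Review bot: The new default `image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest` keeps a mutable `latest` tag for the execution environment that runs the imperative jobs, so what actually runs drifts with the registry and is not reproducible from the chart version; a versioned tag (or a digest) plus a comment on how it is bumped would make the supply chain auditable. `argoCD.initContainers: []` and `configManagementPlugins: []` are the right shape for the `len` checks in the templates — a one-line comment above `argoCD:` pointing at `values.schema.json` for the plugin fields would help users discover them.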
@@ -36,6 +36,37 @@ clusterGroup: projects: - factory + argoCD: + configManagementPlugins: + - name: helm-with-kustomize + image: quay.io/hybridcloudpatterns/utility-container:latest + pluginArgs: + - '--loglevel=debug' + pluginConfig: | + apiVersion: argoproj.io/v1alpha1 + kind: ConfigManagementPlugin + metadata: + name: helm-with-kustomize + spec: + preserveFileMode: true + init: + command: ["/bin/sh", "-c"] + args: ["helm dependency build"] + generate: + command: ["/bin/bash", "-c"] + args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} + -f $(git rev-parse --show-toplevel)/values-global.yaml + -f $(git rev-parse --show-toplevel)/values-{{ .Values.clusterGroup.name }}.yaml + --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL + --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION + --set global.namespace=$ARGOCD_APP_NAMESPACE + --set global.pattern={{ .Values.global.pattern }} + --set global.clusterDomain={{ .Values.global.clusterDomain }} + --set global.hubClusterDomain={{ .Values.global.hubClusterDomain }} + --set global.localClusterDomain={{ coalesce .Values.global.localClusterDomain .Values.global.hubClusterDomain }} + --set clusterGroup.name={{ .Values.clusterGroup.name }} + --post-renderer ./kustomize"] + applications: - name: stormshift project: factory diff --git a/common/examples/industrial-edge-hub.yaml b/common/examples/industrial-edge-hub.yaml index 3dfd2fc8..e48c4013 100644 --- a/common/examples/industrial-edge-hub.yaml +++ b/common/examples/industrial-edge-hub.yaml 
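Review bot: Both examples (this file and `industrial-edge-hub.yaml`) pull the CMP sidecar from `quay.io/hybridcloudpatterns/utility-container:latest` and pass `--loglevel=debug`; since this sidecar renders every manifest of the cluster group, a pinned tag and the default log level are the safer example to copy, with a comment such as `# --loglevel=debug is for troubleshooting only` above `pluginArgs`. A short comment noting that `{{ .Values.clusterGroup.name }}` inside `pluginConfig` is resolved through `tpl` by the chart, which is why the block must stay a literal `|` string, would also help users adapting the example.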
@@ -65,6 +65,37 @@ clusterGroup: - golang-external-secrets - vault + argoCD: + configManagementPlugins: + - name: helm-with-kustomize + image: quay.io/hybridcloudpatterns/utility-container:latest + pluginArgs: + - '--loglevel=debug' + pluginConfig: | + apiVersion: argoproj.io/v1alpha1 + kind: ConfigManagementPlugin + metadata: + name: helm-with-kustomize + spec: + preserveFileMode: true + init: + command: ["/bin/sh", "-c"] + args: ["helm dependency build"] + generate: + command: ["/bin/bash", "-c"] + args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} + -f $(git rev-parse --show-toplevel)/values-global.yaml + -f $(git rev-parse --show-toplevel)/values-{{ .Values.clusterGroup.name }}.yaml + --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL + --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION + --set global.namespace=$ARGOCD_APP_NAMESPACE + --set global.pattern={{ .Values.global.pattern }} + --set global.clusterDomain={{ .Values.global.clusterDomain }} + --set global.hubClusterDomain={{ .Values.global.hubClusterDomain }} + --set global.localClusterDomain={{ coalesce .Values.global.localClusterDomain .Values.global.hubClusterDomain }} + --set clusterGroup.name={{ .Values.clusterGroup.name }} + --post-renderer ./kustomize"] + applications: acm: name: acm diff --git a/common/examples/values-example.yaml b/common/examples/values-example.yaml index 2a224b62..6c006b00 100644 --- a/common/examples/values-example.yaml +++ b/common/examples/values-example.yaml 
@@ -23,12 +23,23 @@ clusterGroup: annotations: openshift.io/cluster-monitoring: "true" owner: "namespace owner" - - application-ci - - excludes-ci + - application-ci: + operatorGroup: true + targetNamespaces: + - application-ci + - other-namespace + - exclude-targetns: + operatorGroup: true + targetNamespaces: + - include-ci + - exclude-og + - totally-exclude-og: + operatorGroup: false + - include-default-og: + operatorGroup: true operatorgroupExcludes: - - excludes-ci - + - exclude-og subscriptions: acm: diff --git a/common/golang-external-secrets/.github/workflows/update-helm-repo.yml b/common/golang-external-secrets/.github/workflows/update-helm-repo.yml index 8c658a18..c12af2b5 100644 --- a/common/golang-external-secrets/.github/workflows/update-helm-repo.yml +++ b/common/golang-external-secrets/.github/workflows/update-helm-repo.yml @@ -18,12 +18,12 @@ on: jobs: helmlint: - uses: validatedpatterns/helm-charts/.github/workflows/helmlint.yml@main + uses: validatedpatterns/helm-charts/.github/workflows/helmlint.yml@985ba37e0eb50b1b35ec194fc999eae2d0ae1486 permissions: contents: read update-helm-repo: needs: [helmlint] - uses: validatedpatterns/helm-charts/.github/workflows/update-helm-repo.yml@main + uses: validatedpatterns/helm-charts/.github/workflows/update-helm-repo.yml@985ba37e0eb50b1b35ec194fc999eae2d0ae1486 permissions: read-all secrets: inherit diff --git a/common/golang-external-secrets/Chart.yaml b/common/golang-external-secrets/Chart.yaml index 9b2c3b6d..613a9a96 100644 --- a/common/golang-external-secrets/Chart.yaml +++ b/common/golang-external-secrets/Chart.yaml @@ -6,6 +6,6 @@ name: golang-external-secrets version: 0.0.3 dependencies: - name: external-secrets - version: "0.9.5" + version: "0.9.10" repository: "https://charts.external-secrets.io" #"https://external-secrets.github.io/kubernetes-external-secrets" 
diff --git a/common/golang-external-secrets/charts/external-secrets-0.9.10.tgz b/common/golang-external-secrets/charts/external-secrets-0.9.10.tgz new file mode 100644 index 00000000..dc04b636 Binary files /dev/null and b/common/golang-external-secrets/charts/external-secrets-0.9.10.tgz differ diff --git a/common/golang-external-secrets/charts/external-secrets-0.9.5.tgz b/common/golang-external-secrets/charts/external-secrets-0.9.5.tgz deleted file mode 100644 index f40bed88..00000000 Binary files a/common/golang-external-secrets/charts/external-secrets-0.9.5.tgz and /dev/null differ diff --git a/common/golang-external-secrets/templates/golang-external-secrets-hub-secretstore.yaml b/common/golang-external-secrets/templates/golang-external-secrets-hub-secretstore.yaml index 0245ebf7..fc0b410f 100644 --- a/common/golang-external-secrets/templates/golang-external-secrets-hub-secretstore.yaml +++ b/common/golang-external-secrets/templates/golang-external-secrets-hub-secretstore.yaml 
@@ -10,19 +10,21 @@ spec: path: secret # Version of KV backend version: v2 +{{- if .Values.golangExternalSecrets.caProvider.enabled }} {{ if .Values.clusterGroup.isHubCluster }} caProvider: - type: ConfigMap - name: kube-root-ca.crt - key: ca.crt - namespace: golang-external-secrets + type: {{ .Values.golangExternalSecrets.caProvider.vaultHostCluster.type }} + name: {{ .Values.golangExternalSecrets.caProvider.vaultHostCluster.name }} + key: {{ .Values.golangExternalSecrets.caProvider.vaultHostCluster.key }} + namespace: {{ .Values.golangExternalSecrets.caProvider.vaultHostCluster.namespace }} {{ else }} caProvider: - type: Secret - name: hub-ca - key: hub-kube-root-ca.crt - namespace: imperative + type: {{ .Values.golangExternalSecrets.caProvider.vaultClientCluster.type }} + name: {{ .Values.golangExternalSecrets.caProvider.vaultClientCluster.name }} + key: {{ .Values.golangExternalSecrets.caProvider.vaultClientCluster.key }} + namespace: {{ .Values.golangExternalSecrets.caProvider.vaultClientCluster.namespace }} {{ end }} +{{- end }} auth: kubernetes: {{ if .Values.clusterGroup.isHubCluster }} diff --git a/common/golang-external-secrets/values.yaml b/common/golang-external-secrets/values.yaml index ea644c03..6e14ea09 100644 --- a/common/golang-external-secrets/values.yaml +++ b/common/golang-external-secrets/values.yaml @@ -1,7 +1,23 @@ --- +# Eventually we should aim to move these two under the golangExternalSecrets key mountPath: "hub" mountRole: "hub-role" +golangExternalSecrets: + # This controls how ESO connects to vault + caProvider: + enabled: true # If vault is exposed via a route that is signed by a non internal CA you might want to disable this + vaultHostCluster: + type: ConfigMap + name: kube-root-ca.crt + key: ca.crt + namespace: golang-external-secrets + vaultClientCluster: + type: Secret + name: hub-ca + key: hub-kube-root-ca.crt + namespace: imperative + global: hubClusterDomain: hub.example.com clusterDomain: foo.example.com 
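Review bot: With `golangExternalSecrets.caProvider.enabled: false` the template emits no `caProvider` at all, so ESO validates Vault's TLS certificate against the container's default trust store only; that matches the intent stated in values.yaml, but a comment on the new `{{- if ... enabled }}` line such as `{{- /* when disabled, Vault's certificate must chain to a CA already trusted by ESO */}}` keeps the consequence visible where the behaviour is implemented. The inner `{{ if .Values.clusterGroup.isHubCluster }}` / `{{ else }}` / `{{ end }}` are non-trimming while the new outer pair trims, which leaves stray blank lines in the rendered manifest; `{{- if` / `{{- else }}` / `{{- end }}` would make the block consistent. The `spec.provider.vault` block continues past the hunk.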
@@ -11,10 +27,10 @@ clusterGroup: external-secrets: image: - tag: v0.9.5-ubi + tag: v0.9.10-ubi webhook: image: - tag: v0.9.5-ubi + tag: v0.9.10-ubi certController: image: - tag: v0.9.5-ubi + tag: v0.9.10-ubi diff --git a/common/hashicorp-vault/.github/workflows/update-helm-repo.yml b/common/hashicorp-vault/.github/workflows/update-helm-repo.yml index 8c658a18..c12af2b5 100644 --- a/common/hashicorp-vault/.github/workflows/update-helm-repo.yml +++ b/common/hashicorp-vault/.github/workflows/update-helm-repo.yml @@ -18,12 +18,12 @@ on: jobs: helmlint: - uses: validatedpatterns/helm-charts/.github/workflows/helmlint.yml@main + uses: validatedpatterns/helm-charts/.github/workflows/helmlint.yml@985ba37e0eb50b1b35ec194fc999eae2d0ae1486 permissions: contents: read update-helm-repo: needs: [helmlint] - uses: validatedpatterns/helm-charts/.github/workflows/update-helm-repo.yml@main + uses: validatedpatterns/helm-charts/.github/workflows/update-helm-repo.yml@985ba37e0eb50b1b35ec194fc999eae2d0ae1486 permissions: read-all secrets: inherit diff --git a/common/hashicorp-vault/Chart.yaml b/common/hashicorp-vault/Chart.yaml index 84e7edc7..b9a20124 100644 --- a/common/hashicorp-vault/Chart.yaml +++ b/common/hashicorp-vault/Chart.yaml @@ -6,5 +6,5 @@ name: hashicorp-vault version: 0.0.1 dependencies: - name: vault - version: "0.25.0" + version: "0.27.0" repository: "https://helm.releases.hashicorp.com" diff --git a/common/hashicorp-vault/charts/vault-0.25.0.tgz b/common/hashicorp-vault/charts/vault-0.25.0.tgz deleted file mode 100644 index 62e685dc..00000000 Binary files a/common/hashicorp-vault/charts/vault-0.25.0.tgz and /dev/null differ diff --git a/common/hashicorp-vault/charts/vault-0.27.0.tgz b/common/hashicorp-vault/charts/vault-0.27.0.tgz new file mode 100644 index 00000000..574b3e74 Binary files /dev/null and b/common/hashicorp-vault/charts/vault-0.27.0.tgz differ 
diff --git a/common/hashicorp-vault/local-patches/0002-Allow-per-service-annotations.patch b/common/hashicorp-vault/local-patches/0002-Allow-per-service-annotations.patch
index ba73a467..796b64cf 100644
--- a/common/hashicorp-vault/local-patches/0002-Allow-per-service-annotations.patch
+++ b/common/hashicorp-vault/local-patches/0002-Allow-per-service-annotations.patch
@@ -1,69 +1,10 @@ -From f62623030374c55410624a00755e9a3c07a411da Mon Sep 17 00:00:00 2001 -From: Michele Baldessari -Date: Tue, 29 Nov 2022 20:06:09 +0100 -Subject: [PATCH] Allow per-service annotations - -We add the 'annotations' field to the existing -vault.service.{active,standby} dictionaries which are relevant for the -active/standby vault ha services. We also add -vault.service.{nonha,internal}.annotations in order to allow per-service -annotations when using the non-ha variant. - -We had to choose 'nonha' as we cannot reuse the existing -vault.service.annotations key, because that gets still applied to all -services and we do not want to break existing installations. - -WIP as we need to add some more docs and maybe some more tests. ---- - templates/_helpers.tpl | 57 ++++++++++++++++++++++++ - templates/server-ha-active-service.yaml | 3 +- - templates/server-ha-standby-service.yaml | 1 + - templates/server-headless-service.yaml | 1 + - templates/server-service.yaml | 1 + - test/unit/server-ha-active-service.bats | 11 +++++ - test/unit/server-ha-standby-service.bats | 11 +++++ - test/unit/server-service.bats | 10 +++++ - values.schema.json | 34 ++++++++++++++ - values.yaml | 22 +++++++++ - 10 files changed, 150 insertions(+), 1 deletion(-) - -diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl -index 3897391..9e98c0b 100644 ---- a/templates/_helpers.tpl -+++ b/templates/_helpers.tpl -@@ -683,6 +683,63 @@ Sets extra vault server Service annotations - {{- end }} +diff -up vault/templates/_helpers.tpl.0.26.1 vault/templates/_helpers.tpl +--- vault/templates/_helpers.tpl.0.26.1 2023-11-07 14:06:52.285821136 +0100 ++++ vault/templates/_helpers.tpl 2023-11-07 14:07:45.445038627 +0100 +@@ -738,6 +738,35 @@ Sets extra vault server Service annotati {{- end -}} -+{{/* -+Sets extra vault server Service active annotations -+*/}} -+{{- define "vault.service.active.annotations" -}} -+ {{- if .Values.server.service.active.annotations }} -+ {{- $tp := typeOf 
.Values.server.service.active.annotations }} -+ {{- if eq $tp "string" }} -+ {{- tpl .Values.server.service.active.annotations . | nindent 4 }} -+ {{- else }} -+ {{- toYaml .Values.server.service.active.annotations | nindent 4 }} -+ {{- end }} -+ {{- end }} -+{{- end -}} -+ -+{{/* -+Sets extra vault server Service standby annotations -+*/}} -+{{- define "vault.service.standby.annotations" -}} -+ {{- if .Values.server.service.standby.annotations }} -+ {{- $tp := typeOf .Values.server.service.standby.annotations }} -+ {{- if eq $tp "string" }} -+ {{- tpl .Values.server.service.standby.annotations . | nindent 4 }} -+ {{- else }} -+ {{- toYaml .Values.server.service.standby.annotations | nindent 4 }} -+ {{- end }} -+ {{- end }} -+{{- end -}} -+ -+{{/* + {{/* +Sets extra vault server Service internal annotations +*/}} +{{- define "vault.service.internal.annotations" -}} 
@@ -92,53 +33,25 @@ index 3897391..9e98c0b 100644 + {{- end }} +{{- end -}} + - {{/* ++{{/* Sets PodSecurityPolicy annotations */}} -diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml -index 7def2a0..649ffb8 100644 ---- a/templates/server-ha-active-service.yaml -+++ b/templates/server-ha-active-service.yaml -@@ -18,8 +18,9 @@ metadata: - vault-active: "true" - annotations: - {{ template "vault.service.annotations" .}} -+{{ template "vault.service.active.annotations" .}} - spec: -- {{- if .Values.server.service.type}} -+ {{- if .Values.server.service.type }} - type: {{ .Values.server.service.type }} - {{- end}} - {{- if .Values.server.service.clusterIP }} -diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml -index 50fca4b..cdbfcad 100644 ---- a/templates/server-ha-standby-service.yaml -+++ b/templates/server-ha-standby-service.yaml -@@ -17,6 +17,7 @@ metadata: - app.kubernetes.io/managed-by: {{ .Release.Service }} - annotations: - {{ template "vault.service.annotations" .}} -+{{ template "vault.service.standby.annotations" .}} - spec: - {{- if .Values.server.service.type}} - type: {{ .Values.server.service.type }} -diff --git a/templates/server-headless-service.yaml b/templates/server-headless-service.yaml -index b03f491..25aaa8d 100644 ---- a/templates/server-headless-service.yaml -+++ b/templates/server-headless-service.yaml -@@ -16,6 +16,7 @@ metadata: + {{- define "vault.psp.annotations" -}} +diff -up vault/templates/server-headless-service.yaml.0.26.1 vault/templates/server-headless-service.yaml +--- vault/templates/server-headless-service.yaml.0.26.1 2023-11-07 14:08:24.302197609 +0100 ++++ vault/templates/server-headless-service.yaml 2023-11-07 14:08:48.707297472 +0100 +@@ -21,6 +21,7 @@ metadata: vault-internal: "true" annotations: {{ template "vault.service.annotations" .}} +{{ template "vault.service.internal.annotations" .}} spec: - clusterIP: None - 
publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} -diff --git a/templates/server-service.yaml b/templates/server-service.yaml -index 913b569..02a1ccd 100644 ---- a/templates/server-service.yaml -+++ b/templates/server-service.yaml -@@ -15,6 +15,7 @@ metadata: + {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} + {{- if .Values.server.service.ipFamilyPolicy }} +diff -up vault/templates/server-service.yaml.0.26.1 vault/templates/server-service.yaml +--- vault/templates/server-service.yaml.0.26.1 2023-11-07 14:09:43.152520231 +0100 ++++ vault/templates/server-service.yaml 2023-11-07 14:09:55.406570360 +0100 +@@ -20,6 +20,7 @@ metadata: app.kubernetes.io/managed-by: {{ .Release.Service }} annotations: {{ template "vault.service.annotations" .}} 
@@ -146,87 +59,10 @@ index 913b569..02a1ccd 100644 spec: {{- if .Values.server.service.type}} type: {{ .Values.server.service.type }} -diff --git a/test/unit/server-ha-active-service.bats b/test/unit/server-ha-active-service.bats -index d78f5d4..13b5271 100755 ---- a/test/unit/server-ha-active-service.bats -+++ b/test/unit/server-ha-active-service.bats -@@ -13,6 +13,17 @@ load _helpers - [ "${actual}" = "true" ] - } - -+@test "server/ha-active-Service: specific annotations" { -+ cd `chart_dir` -+ local actual=$(helm template \ -+ --show-only templates/server-ha-active-service.yaml \ -+ --set 'server.ha.enabled=true' \ -+ --set 'server.service.active.annotations=vaultIsAwesome: true' \ -+ . | tee /dev/stderr | -+ yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) -+ [ "${actual}" = "true" ] -+} -+ - @test "server/ha-active-Service: disable with ha.enabled false" { - cd `chart_dir` - local actual=$( (helm template \ -diff --git a/test/unit/server-ha-standby-service.bats b/test/unit/server-ha-standby-service.bats -index 6698314..6244565 100755 ---- a/test/unit/server-ha-standby-service.bats -+++ b/test/unit/server-ha-standby-service.bats -@@ -13,6 +13,17 @@ load _helpers - [ "${actual}" = "true" ] - } - -+@test "server/ha-standby-Service: specific annotations string" { -+ cd `chart_dir` -+ local actual=$(helm template \ -+ --show-only templates/server-ha-standby-service.yaml \ -+ --set 'server.ha.enabled=true' \ -+ --set 'server.service.standby.annotations=vaultIsAwesome: true' \ -+ . 
| tee /dev/stderr | -+ yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) -+ [ "${actual}" = "true" ] -+} -+ - @test "server/ha-standby-Service: generic annotations yaml" { - cd `chart_dir` - local actual=$(helm template \ -diff --git a/test/unit/server-service.bats b/test/unit/server-service.bats -index 70a5445..cc66987 100755 ---- a/test/unit/server-service.bats -+++ b/test/unit/server-service.bats -@@ -153,6 +153,16 @@ load _helpers - [ "${actual}" = "true" ] - } - -+@test "server/Service: specific annotations" { -+ cd `chart_dir` -+ local actual=$(helm template \ -+ --show-only templates/server-service.yaml \ -+ --set 'server.service.nonha.annotations=vaultIsAwesome: true' \ -+ . | tee /dev/stderr | -+ yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) -+ [ "${actual}" = "true" ] -+} -+ - @test "server/Service: publish not ready" { - cd `chart_dir` - local actual=$(helm template \ -diff --git a/values.schema.json b/values.schema.json -index c183957..d0dca34 100644 ---- a/values.schema.json -+++ b/values.schema.json -@@ -854,11 +854,39 @@ - "active": { - "type": "object", - "properties": { -+ "annotations" : { -+ "type": [ -+ "object", -+ "string" -+ ] -+ }, - "enabled": { - "type": "boolean" +diff -up vault/values.schema.json.0.26.1 vault/values.schema.json +--- vault/values.schema.json.0.26.1 2023-11-07 14:10:35.177733085 +0100 ++++ vault/values.schema.json 2023-11-07 14:11:52.244048399 +0100 +@@ -931,6 +931,28 @@ } } }, 
@@ -255,40 +91,13 @@ index c183957..d0dca34 100644 "annotations": { "type": [ "object", -@@ -890,6 +918,12 @@ - "properties": { - "enabled": { - "type": "boolean" -+ }, -+ "annotations": { -+ "type": [ -+ "object", -+ "string" -+ ] - } - } - }, -diff --git a/values.yaml b/values.yaml -index 2c3d9e2..32d8ea1 100644 ---- a/values.yaml -+++ b/values.yaml -@@ -600,10 +600,32 @@ server: - # have labelled themselves as the cluster leader with `vault-active: "true"` - active: - enabled: true -+ # Extra annotations for the service definition. This can either be YAML or a -+ # YAML-formatted multi-line templated string map of the annotations to apply -+ # to the service. -+ annotations: {} -+ - # Enable or disable the vault-standby service, which selects Vault pods that - # have labelled themselves as a cluster follower with `vault-active: "false"` - standby: - enabled: true -+ # Extra annotations for the service definition. This can either be YAML or a -+ # YAML-formatted multi-line templated string map of the annotations to apply -+ # to the service. -+ annotations: {} +diff -up vault/values.yaml.0.26.1 vault/values.yaml +--- vault/values.yaml.0.26.1 2023-11-07 14:13:00.865329166 +0100 ++++ vault/values.yaml 2023-11-07 14:14:15.318633813 +0100 +@@ -673,6 +673,19 @@ server: + # YAML-formatted multi-line templated string map of the annotations to apply + # to the standby service. + annotations: {} + + nonha: + # Extra annotations for the service definition. This can either be YAML or a @@ -305,6 +114,3 @@ index 2c3d9e2..32d8ea1 100644 # If enabled, the service selectors will include `app.kubernetes.io/instance: {{ .Release.Name }}` # When disabled, services may select Vault pods not deployed from the chart. # Does not affect the headless vault-internal service with `ClusterIP: None` --- -2.38.1 - diff --git a/common/hashicorp-vault/values.yaml b/common/hashicorp-vault/values.yaml index 780f574a..25740d98 100644 --- a/common/hashicorp-vault/values.yaml 
+++ b/common/hashicorp-vault/values.yaml @@ -48,4 +48,4 @@ vault: termination: "reencrypt" image: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.14.0-ubi" + tag: "1.15.2-ubi" diff --git a/common/letsencrypt/.github/workflows/update-helm-repo.yml b/common/letsencrypt/.github/workflows/update-helm-repo.yml index 8c658a18..c12af2b5 100644 --- a/common/letsencrypt/.github/workflows/update-helm-repo.yml +++ b/common/letsencrypt/.github/workflows/update-helm-repo.yml @@ -18,12 +18,12 @@ on: jobs: helmlint: - uses: validatedpatterns/helm-charts/.github/workflows/helmlint.yml@main + uses: validatedpatterns/helm-charts/.github/workflows/helmlint.yml@985ba37e0eb50b1b35ec194fc999eae2d0ae1486 permissions: contents: read update-helm-repo: needs: [helmlint] - uses: validatedpatterns/helm-charts/.github/workflows/update-helm-repo.yml@main + uses: validatedpatterns/helm-charts/.github/workflows/update-helm-repo.yml@985ba37e0eb50b1b35ec194fc999eae2d0ae1486 permissions: read-all secrets: inherit diff --git a/common/operator-install/crds/gitops.hybrid-cloud-patterns.io_patterns.yaml b/common/operator-install/crds/gitops.hybrid-cloud-patterns.io_patterns.yaml index 1806661d..68be225f 100644 --- a/common/operator-install/crds/gitops.hybrid-cloud-patterns.io_patterns.yaml +++ b/common/operator-install/crds/gitops.hybrid-cloud-patterns.io_patterns.yaml 
@@ -98,12 +98,22 @@ spec: type: integer targetRepo: description: Git repo containing the pattern to deploy. Must use - https/http + https/http or, for ssh, git@server:foo/bar.git type: string targetRevision: description: 'Branch, tag, or commit to deploy. Does not support short-sha''s. Default: HEAD' type: string + tokenSecret: + description: Optional. K8s secret name where the info for connecting + to git can be found. The supported secrets are modeled after + the private repositories in argo (https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#repositories) + currently ssh and username+password are supported + type: string + tokenSecretNamespace: + description: Optional. K8s secret namespace where the token for + connecting to git can be found + type: string required: - targetRepo type: object @@ -116,9 +126,8 @@ spec: used when developing the clustergroup helm chart) type: string clusterGroupChartVersion: - default: 0.0.* - description: Which chart version for the clustergroup helm chart - Defaults to "0.0.*" + description: Which chart version for the clustergroup helm chart. + Defaults to "0.8.*" type: string clusterGroupGitRepoUrl: description: The url when deploying the clustergroup helm chart @@ -126,14 +135,13 @@ spec: (Only used when developing the clustergroup helm chart) type: string enabled: - default: false + default: true description: (EXPERIMENTAL) Enable multi-source support when deploying the clustergroup argo application type: boolean helmRepoUrl: - default: https://charts.validatedpatterns.io/ description: The helm chart url to fetch the helm charts from - in order to deploy the pattern Defaults to https://charts.validatedpatterns.io/ + in order to deploy the pattern. Defaults to https://charts.validatedpatterns.io/ type: string type: object required: 
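Review bot: The new `tokenSecret` description says which argo model the secret follows but not which keys are read from it, while the rendered fixture later in this diff shows the git-init container looking up `username`, `password` and `sshPrivateKey`. Naming those keys in the description, e.g. `The secret is read for the keys username and password (HTTPS) or sshPrivateKey (SSH).`, lets users build the secret without reading the chart. It would also help to say that `tokenSecretNamespace` must be set together with `tokenSecret`, since the operator-install template in this diff silently omits both when only one is given.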
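Review bot: In the `@@ -116,9 +126,8 @@` and `@@ -126,14 +135,13 @@` hunks the `default:` entries for `clusterGroupChartVersion` and `helmRepoUrl` are removed while their descriptions still promise a default (`0.8.*`, `https://charts.validatedpatterns.io/`); after this change the API server no longer fills those fields in, so the promise only holds if the operator substitutes the values itself. Either keep `default:` in the schema or reword the descriptions to `If unset, the operator uses ...` so a reader knows where the fallback lives. The same hunk flips the multi-source `enabled` flag to `default: true` while its description still opens with `(EXPERIMENTAL)`; one of the two should change.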
@@ -213,6 +221,8 @@ spec: lastStep: description: Last action related to the pattern type: string + path: + type: string version: description: Number of updates to the pattern type: integer diff --git a/common/operator-install/templates/pattern.yaml b/common/operator-install/templates/pattern.yaml index d0227e58..e70f391d 100644 --- a/common/operator-install/templates/pattern.yaml +++ b/common/operator-install/templates/pattern.yaml @@ -16,6 +16,10 @@ spec: {{- if .Values.main.analyticsUUID }} analyticsUUID: {{ .Values.main.analyticsUUID }} {{- end }} {{/* if .Values.main.analyticsUUID */}} +{{- if and .Values.main.tokenSecret .Values.main.tokenSecretNamespace }} + tokenSecret: {{ .Values.main.tokenSecret }} + tokenSecretNamespace: {{ .Values.main.tokenSecretNamespace }} +{{- end }} {{/* if and .Values.main.tokenSecret .Values.main.tokenSecretNamespace */}} {{- if .Values.main.extraParameters }} extraParameters: {{- range .Values.main.extraParameters }} diff --git a/common/operator-install/values.yaml b/common/operator-install/values.yaml index 01605b21..0e92559d 100644 --- a/common/operator-install/values.yaml +++ b/common/operator-install/values.yaml @@ -18,3 +18,8 @@ main: source: community-operators clusterGroupName: default + + # If you are using a private repository define the secret where + # credentials to access the private repository are + # tokenSecret: + # tokenSecretNamespace: diff --git a/common/scripts/preview-all.sh b/common/scripts/preview-all.sh new file mode 100755 index 00000000..cc7775bf --- /dev/null +++ b/common/scripts/preview-all.sh 
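Review bot: In the pattern.yaml hunk the `if and .Values.main.tokenSecret .Values.main.tokenSecretNamespace` guard drops both fields when only one of them is set, so a user who sets `main.tokenSecret` but forgets the namespace gets a Pattern with no credentials and a clone that fails later with no hint. Fail at template time instead by adding `{{- if ne (empty .Values.main.tokenSecret) (empty .Values.main.tokenSecretNamespace) }}{{ fail "main.tokenSecret and main.tokenSecretNamespace must be set together" }}{{- end }}` before the existing guard. The commented-out keys added to values.yaml in the same line could carry `# both must be set` so the rule is visible where users edit it.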
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+REPO=$1; shift;
+TARGET_BRANCH=$1; shift
+
+HUB=$( yq ".main.clusterGroupName" values-global.yaml )
+MANAGED_CLUSTERS=$( yq ".clusterGroup.managedClusterGroups.[].name" values-$HUB.yaml )
+ALL_CLUSTERS=( $HUB $MANAGED_CLUSTERS )
+
+for cluster in ${ALL_CLUSTERS[@]}; do
+ APPS=$( yq ".clusterGroup.applications.[].name" values-$cluster.yaml )
+ for app in $APPS; do
+ common/scripts/preview.sh $cluster $app $REPO $TARGET_BRANCH
+ done
+done
diff --git a/common/scripts/preview.sh b/common/scripts/preview.sh
new file mode 100755
index 00000000..379f240d
--- /dev/null
+++ b/common/scripts/preview.sh
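Review bot: The script has no `set -euo pipefail`, so when `yq` cannot read `values-global.yaml` or `.main.clusterGroupName` is absent (yq prints `null`), `HUB` is empty or literally `null`, the next lookup reads `values-.yaml` or `values-null.yaml`, and the loops run over nothing while the script exits 0. Add `set -euo pipefail` after the shebang and quote the arguments in the inner call, `common/scripts/preview.sh "$cluster" "$app" "$REPO" "$TARGET_BRANCH"`, so a repo URL or branch containing shell metacharacters is passed through unchanged. `ALL_CLUSTERS=( $HUB $MANAGED_CLUSTERS )` relies on word-splitting yq's newline-separated output, which is fine for DNS-style group names but deserves a one-line comment.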
@@ -0,0 +1,79 @@
+#!/bin/bash
+
+# DISCLAIMER
+#
+# - Parsing of applications needs to be more clever. Currently the code assumes that all
+# targets will be local charts. This is not true, for example, in industrial-edge.
+# - There is currently not a mechanism to actually preview against multiple clusters
+# (i.e. a hub and a remote). All previews will be done against the current.
+# - Make output can be included in the YAML.
+
+SITE=$1; shift
+APP=$1; shift
+GIT_REPO=$1; shift
+GIT_BRANCH=$1; shift
+
+chart=$(yq ".clusterGroup.applications.$APP.path" values-$SITE.yaml)
+namespace=$(yq ".clusterGroup.applications.$APP.namespace" values-$SITE.yaml)
+pattern=$(yq ".global.pattern" values-global.yaml)
+
+platform=$(oc get Infrastructure.config.openshift.io/cluster -o jsonpath='{.spec.platformSpec.type}')
+ocpversion=$(oc get clusterversion/version -o jsonpath='{.status.desired.version}' | awk -F. '{print $1"."$2}')
+domain=$(oc get Ingress.config.openshift.io/cluster -o jsonpath='{.spec.domain}' | sed 's/^apps.//')
+
+function replaceGlobals() {
+ output=$( echo $1 | sed -e 's/ //g' -e 's/\$//g' -e s@^-@@g -e s@\'@@g )
+
+ output=$(echo $output | sed "s@{{.Values.global.clusterPlatform}}@${platform}@g")
+ output=$(echo $output | sed "s@{{.Values.global.clusterVersion}}@${ocpversion}@g")
+ output=$(echo $output | sed "s@{{.Values.global.clusterDomain}}@${domain}@g")
+
+ echo $output
+}
+
+function getOverrides() {
+ overrides=''
+ overrides=$( yq ".clusterGroup.applications.$APP.overrides[]" "values-$SITE.yaml" )
+ overrides=$( echo "$overrides" | tr -d '\n' )
+ overrides=$( echo "$overrides" | sed -e 's/name:/ --set/g; s/value: /=/g' )
+ if [ -n "$overrides" ]; then
+ echo "$overrides"
+ fi
+}
+
+
+CLUSTER_OPTS=""
+CLUSTER_OPTS="$CLUSTER_OPTS --set global.pattern=$pattern"
+CLUSTER_OPTS="$CLUSTER_OPTS --set global.repoURL=$GIT_REPO"
+CLUSTER_OPTS="$CLUSTER_OPTS --set main.git.repoURL=$GIT_REPO"
+CLUSTER_OPTS="$CLUSTER_OPTS --set main.git.revision=$GIT_BRANCH"
+CLUSTER_OPTS="$CLUSTER_OPTS --set global.namespace=$namespace"
+CLUSTER_OPTS="$CLUSTER_OPTS --set global.hubClusterDomain=apps.$domain"
+CLUSTER_OPTS="$CLUSTER_OPTS --set global.localClusterDomain=apps.$domain"
+CLUSTER_OPTS="$CLUSTER_OPTS --set global.clusterDomain=$domain"
+CLUSTER_OPTS="$CLUSTER_OPTS --set global.clusterVersion=$ocpversion"
+CLUSTER_OPTS="$CLUSTER_OPTS --set global.clusterPlatform=$platform"
+
+
+sharedValueFiles=$(yq ".clusterGroup.sharedValueFiles" values-$SITE.yaml)
+appValueFiles=$(yq ".clusterGroup.applications.$APP.extraValueFiles" values-$SITE.yaml)
+OVERRIDES=$( getOverrides )
+
+VALUE_FILES=""
+IFS=$'\n'
+for line in $sharedValueFiles; do
+ if [ $line != "null" ]; then
+ file=$(replaceGlobals $line)
+ VALUE_FILES="$VALUE_FILES -f $PWD$file"
+ fi
+done
+
+for line in $appValueFiles; do
+ if [ $line != "null" ]; then
+ file=$(replaceGlobals $line)
+ VALUE_FILES="$VALUE_FILES -f $PWD$file"
+ fi
+done
+
+cmd="helm template $chart --name-template ${APP} -n ${namespace} ${VALUE_FILES} ${OVERRIDES} ${CLUSTER_OPTS}"
+eval "$cmd"
diff --git a/common/tests/acm-industrial-edge-factory.expected.yaml b/common/tests/acm-industrial-edge-factory.expected.yaml
index 86d7277d..2210b4cf 100644
--- a/common/tests/acm-industrial-edge-factory.expected.yaml
+++ b/common/tests/acm-industrial-edge-factory.expected.yaml
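Review bot: `eval "$cmd"` on the last line re-parses a string assembled from the positional arguments and from `values-$SITE.yaml` (`overrides[]` names and values, `sharedValueFiles`, `extraValueFiles`) as shell code, so a branch name or override value containing `;`, backticks or `$(...)` is executed rather than handed to helm. helm takes the same options as ordinary arguments, so the value-file flags can be collected in an array and helm called directly, which also removes the need to keep `IFS=$'\n'` set through the final command. The rewrite below keeps the two loops' behaviour (shared files first, then app files, `null` entries skipped) and still word-splits `OVERRIDES` and `CLUSTER_OPTS` as the original effectively did, but no longer interprets either as code; an `if [ "$line" != "null" ]` with the variable quoted also avoids a `[: unary operator expected` error on an empty line.

```shell
# … unchanged: argument parsing, yq lookups, replaceGlobals, getOverrides, CLUSTER_OPTS …
value_file_args=()
IFS=$'\n'
for line in $sharedValueFiles $appValueFiles; do
  if [ "$line" != "null" ]; then
    value_file_args+=(-f "$PWD$(replaceGlobals "$line")")
  fi
done
unset IFS

# shellcheck disable=SC2086  # OVERRIDES/CLUSTER_OPTS are deliberately space-separated option strings
helm template "$chart" --name-template "${APP}" -n "${namespace}" "${value_file_args[@]}" ${OVERRIDES} ${CLUSTER_OPTS}
```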
@@ -5,6 +5,15 @@ # Source: acm/templates/policies/application-policies.yaml # TODO: Also create a GitOpsCluster.apps.open-cluster-management.io --- +# Source: acm/templates/policies/private-repo-policies.yaml +# We copy the vp-private-repo-credentials from the "openshift-gitops" namespace +# to the "open-cluster-management" via the "private-hub-policy" +# +# Then we copy the secret from the "open-cluster-management" namespace to the +# managed clusters "openshift-gitops" instance +# +# And we also copy the same secret to the namespaced argo's namespace +--- # Source: acm/templates/multiclusterhub.yaml apiVersion: operator.open-cluster-management.io/v1 kind: MultiClusterHub diff --git a/common/tests/acm-industrial-edge-hub.expected.yaml b/common/tests/acm-industrial-edge-hub.expected.yaml index 6bb30bac..f9627771 100644 --- a/common/tests/acm-industrial-edge-hub.expected.yaml +++ b/common/tests/acm-industrial-edge-hub.expected.yaml @@ -2,6 +2,15 @@ # Source: acm/templates/policies/acm-hub-ca-policy.yaml # This pushes out the HUB's Certificate Authorities on to the imported clusters --- +# Source: acm/templates/policies/private-repo-policies.yaml +# We copy the vp-private-repo-credentials from the "openshift-gitops" namespace +# to the "open-cluster-management" via the "private-hub-policy" +# +# Then we copy the secret from the "open-cluster-management" namespace to the +# managed clusters "openshift-gitops" instance +# +# And we also copy the same secret to the namespaced argo's namespace +--- # Source: acm/templates/multiclusterhub.yaml apiVersion: operator.open-cluster-management.io/v1 kind: MultiClusterHub diff --git a/common/tests/acm-medical-diagnosis-hub.expected.yaml b/common/tests/acm-medical-diagnosis-hub.expected.yaml index 2361be7a..cea5a1dc 100644 --- a/common/tests/acm-medical-diagnosis-hub.expected.yaml +++ b/common/tests/acm-medical-diagnosis-hub.expected.yaml 
@@ -2,6 +2,15 @@ # Source: acm/templates/policies/acm-hub-ca-policy.yaml # This pushes out the HUB's Certificate Authorities on to the imported clusters --- +# Source: acm/templates/policies/private-repo-policies.yaml +# We copy the vp-private-repo-credentials from the "openshift-gitops" namespace +# to the "open-cluster-management" via the "private-hub-policy" +# +# Then we copy the secret from the "open-cluster-management" namespace to the +# managed clusters "openshift-gitops" instance +# +# And we also copy the same secret to the namespaced argo's namespace +--- # Source: acm/templates/multiclusterhub.yaml apiVersion: operator.open-cluster-management.io/v1 kind: MultiClusterHub diff --git a/common/tests/acm-naked.expected.yaml b/common/tests/acm-naked.expected.yaml index cb73d733..5ba9bd60 100644 --- a/common/tests/acm-naked.expected.yaml +++ b/common/tests/acm-naked.expected.yaml @@ -5,6 +5,15 @@ # Source: acm/templates/policies/application-policies.yaml # TODO: Also create a GitOpsCluster.apps.open-cluster-management.io --- +# Source: acm/templates/policies/private-repo-policies.yaml +# We copy the vp-private-repo-credentials from the "openshift-gitops" namespace +# to the "open-cluster-management" via the "private-hub-policy" +# +# Then we copy the secret from the "open-cluster-management" namespace to the +# managed clusters "openshift-gitops" instance +# +# And we also copy the same secret to the namespaced argo's namespace +--- # Source: acm/templates/multiclusterhub.yaml apiVersion: operator.open-cluster-management.io/v1 kind: MultiClusterHub diff --git a/common/tests/acm-normal.expected.yaml b/common/tests/acm-normal.expected.yaml index a83284bb..55553a79 100644 --- a/common/tests/acm-normal.expected.yaml +++ b/common/tests/acm-normal.expected.yaml 
@@ -22,6 +22,15 @@ type: Opaque # Source: acm/templates/policies/acm-hub-ca-policy.yaml # This pushes out the HUB's Certificate Authorities on to the imported clusters --- +# Source: acm/templates/policies/private-repo-policies.yaml +# We copy the vp-private-repo-credentials from the "openshift-gitops" namespace +# to the "open-cluster-management" via the "private-hub-policy" +# +# Then we copy the secret from the "open-cluster-management" namespace to the +# managed clusters "openshift-gitops" instance +# +# And we also copy the same secret to the namespaced argo's namespace +--- # Source: acm/templates/provision/clusterpool.yaml apiVersion: hive.openshift.io/v1 kind: ClusterClaim diff --git a/common/tests/clustergroup-industrial-edge-factory.expected.yaml b/common/tests/clustergroup-industrial-edge-factory.expected.yaml index 3eed3296..aef52f65 100644 --- a/common/tests/clustergroup-industrial-edge-factory.expected.yaml +++ b/common/tests/clustergroup-industrial-edge-factory.expected.yaml 
@@ -83,12 +83,43 @@ data: namespace: manuela-factory-ml-workspace path: charts/datacenter/opendatahub project: factory + argoCD: + configManagementPlugins: + - image: quay.io/hybridcloudpatterns/utility-container:latest + name: helm-with-kustomize + pluginArgs: + - --loglevel=debug + pluginConfig: | + apiVersion: argoproj.io/v1alpha1 + kind: ConfigManagementPlugin + metadata: + name: helm-with-kustomize + spec: + preserveFileMode: true + init: + command: ["/bin/sh", "-c"] + args: ["helm dependency build"] + generate: + command: ["/bin/bash", "-c"] + args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} + -f $(git rev-parse --show-toplevel)/values-global.yaml + -f $(git rev-parse --show-toplevel)/values-factory.yaml + --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL + --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION + --set global.namespace=$ARGOCD_APP_NAMESPACE + --set global.pattern=mypattern + --set global.clusterDomain=region.example.com + --set global.hubClusterDomain=apps.hub.example.com + --set global.localClusterDomain=apps.region.example.com + --set clusterGroup.name=factory + --post-renderer ./kustomize"] + initContainers: [] imperative: activeDeadlineSeconds: 3600 clusterRoleName: imperative-cluster-role clusterRoleYaml: "" cronJobName: imperative-cronjob - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always insecureUnsealVaultInsideClusterSchedule: '*/5 * * * *' jobName: imperative-job 
@@ -165,6 +196,38 @@ data: kind: ClusterSecretStore name: vault-backend --- +# Source: clustergroup/templates/plumbing/argocd-cmp-plugin-cms.yaml +kind: ConfigMap +apiVersion: v1 +metadata: + name: "argocd-cmp-helm-with-kustomize" + namespace: mypattern-factory +data: + "plugin.yaml": | + apiVersion: argoproj.io/v1alpha1 + kind: ConfigManagementPlugin + metadata: + name: helm-with-kustomize + spec: + preserveFileMode: true + init: + command: ["/bin/sh", "-c"] + args: ["helm dependency build"] + generate: + command: ["/bin/bash", "-c"] + args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} + -f $(git rev-parse --show-toplevel)/values-global.yaml + -f $(git rev-parse --show-toplevel)/values-factory.yaml + --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL + --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION + --set global.namespace=$ARGOCD_APP_NAMESPACE + --set global.pattern=mypattern + --set global.clusterDomain=region.example.com + --set global.hubClusterDomain=apps.hub.example.com + --set global.localClusterDomain=apps.region.example.com + --set clusterGroup.name=factory + --post-renderer ./kustomize"] +--- # Source: clustergroup/templates/imperative/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -289,7 +352,7 @@ spec: # git init happens in /git/repo so that we can set the folder to 0770 permissions # reason for that is ansible refuses to create temporary folders in there - name: git-init - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
@@ -297,12 +360,33 @@ spec:
 command:
 - 'sh'
 - '-c'
- - "mkdir /git/{repo,home};git clone --single-branch --branch main --depth 1 -- https://github.com/pattern-clone/mypattern /git/repo;chmod 0770 /git/{repo,home}"
+ - >-
+ if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then
+ URL="https://github.com/pattern-clone/mypattern";
+ else
+ if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then
+ U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')";
+ P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')";
+ URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/");
+ echo "USER/PASS: ${URL}";
+ else
+ S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')";
+ mkdir -p --mode 0700 "${HOME}/.ssh";
+ echo "${S}" > "${HOME}/.ssh/id_rsa";
+ chmod 0600 "${HOME}/.ssh/id_rsa";
+ URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/");
+ git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no";
+ echo "SSH: ${URL}";
+ fi;
+ fi;
+ mkdir /git/{repo,home};
+ git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo;
+ chmod 0770 /git/{repo,home};
 volumeMounts:
 - name: git
 mountPath: "/git"
 - name: test
- image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest
+ image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
 imagePullPolicy: Always
 env:
 - name: HOME
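Review bot: In the rendered git-init script, `echo "USER/PASS: ${URL}"` runs after `${U}:${P}@` has been spliced into the URL, so the git password is written to the container log of every imperative job run, and `git clone` then records the same URL, credentials included, in `/git/repo/.git/config` inside a directory that is chmod'ed 0770. The SSH branch turns host authentication off altogether (`-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no`), so the private key is offered to whichever host answers for the git server. This file is an expected-output fixture, so the fix belongs in the clustergroup template that renders it (not in this diff): log only `echo "USER/PASS: https://${URL#*@}"`, supply the password through a credential helper or `http.extraHeader` rather than the URL, and provision a known_hosts entry (for example as another key of the same secret) instead of disabling checking. Two smaller problems in the same block: `${U}:${P}` go into the sed expression unescaped, so a password containing `/`, `&`, `@` or `\` corrupts the rewrite, and the nested quotes in `git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" ..."` close the string early and only work because HOME has no spaces.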
@@ -325,7 +409,7 @@ spec: subPath: values.yaml containers: - name: "done" - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always command: - 'sh' @@ -439,6 +523,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: @@ -481,36 +567,6 @@ spec: return hs applicationInstanceLabelKey: argocd.argoproj.io/instance - # Not the greatest way to pass git/quay info to sub-applications, but it will do until - # we can support helmChart with kustomize - # The other option is to pass them in as environment variables eg. BLUEPRINT_VERSION - configManagementPlugins: | - - name: kustomize-version - generate: - command: ["sh", "-c"] - args: ["kustomize version 1>&2 && exit 1"] - - name: kustomize-with-helm - generate: - command: ["kustomize"] - args: ["build", "--enable-helm"] - - name: helm-with-kustomize - init: - command: ["/bin/sh", "-c"] - args: ["helm dependency build"] - generate: - command: ["/bin/bash", "-c"] - args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} - -f $(git rev-parse --show-toplevel)/values-global.yaml - -f $(git rev-parse --show-toplevel)/values-factory.yaml - --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL - --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION - --set global.namespace=$ARGOCD_APP_NAMESPACE - --set global.pattern=mypattern - --set global.clusterDomain=region.example.com - --set global.hubClusterDomain=apps.hub.example.com - --set global.localClusterDomain=apps.region.example.com - --set clusterGroup.name=factory - --post-renderer ./kustomize"] applicationSet: resources: limits: 
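Review bot: In the `@@ -439,6 +523,8 @@` hunk the new parameter is rendered as `- name: global.privateRepo` followed by a bare `value:`, which YAML reads as null rather than an empty string. If the template means "no private repo" it should emit `value: ""` (or omit the parameter altogether) so the string-typed helm parameter is unambiguous to Argo CD; this fixture is generated, so the change belongs in the clustergroup template that produces it.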
@@ -543,6 +599,32 @@ spec: rbac: defaultPolicy: role:admin repo: + sidecarContainers: + - name: helm-with-kustomize + command: [/var/run/argocd/argocd-cmp-server] + args: [ + "--loglevel=debug" +] + image: quay.io/hybridcloudpatterns/utility-container:latest + imagePullPolicy: Always + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /var/run/argocd + name: var-files + - mountPath: /home/argocd/cmp-server/plugins + name: plugins + - mountPath: /tmp + name: cmp-tmp + - mountPath: /home/argocd/cmp-server/config/plugin.yaml + subPath: plugin.yaml + name: helm-with-kustomize + volumes: + - emptyDir: {} + name: cmp-tmp + - configMap: + name: "argocd-cmp-helm-with-kustomize" + name: helm-with-kustomize resources: limits: cpu: "1" diff --git a/common/tests/clustergroup-industrial-edge-hub.expected.yaml b/common/tests/clustergroup-industrial-edge-hub.expected.yaml index 12e1ee28..3fcca694 100644 --- a/common/tests/clustergroup-industrial-edge-hub.expected.yaml +++ b/common/tests/clustergroup-industrial-edge-hub.expected.yaml 
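Review bot: The new `helm-with-kustomize` sidecar uses `image: quay.io/hybridcloudpatterns/utility-container:latest` with `imagePullPolicy: Always`, so the container that renders every Application's manifests is re-resolved from a mutable tag on each pod start; a digest-pinned reference (`quay.io/hybridcloudpatterns/utility-container@sha256:<digest placeholder>`), or at least an immutable version tag, makes the rendering toolchain reproducible and auditable. The `securityContext` sets only `runAsNonRoot: true`; adding `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` costs nothing for a process that only runs helm and kustomize under /tmp. `--loglevel=debug` is also an unusual default for a CMP server, whose debug output may include the manifests it renders, so it is better left off unless a problem is being diagnosed. The same sidecar block is added by the `@@ -1212,6 +1301,32 @@` hunk and the `:latest` reference recurs in the `configManagementPlugins` values of the `@@ -204,12 +204,43 @@` hunk; these files look like rendered test fixtures, so the change belongs in the template that produces them.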
@@ -204,12 +204,43 @@ data: project: datacenter repoURL: https://helm.releases.hashicorp.com targetRevision: v0.20.1 + argoCD: + configManagementPlugins: + - image: quay.io/hybridcloudpatterns/utility-container:latest + name: helm-with-kustomize + pluginArgs: + - --loglevel=debug + pluginConfig: | + apiVersion: argoproj.io/v1alpha1 + kind: ConfigManagementPlugin + metadata: + name: helm-with-kustomize + spec: + preserveFileMode: true + init: + command: ["/bin/sh", "-c"] + args: ["helm dependency build"] + generate: + command: ["/bin/bash", "-c"] + args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} + -f $(git rev-parse --show-toplevel)/values-global.yaml + -f $(git rev-parse --show-toplevel)/values-datacenter.yaml + --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL + --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION + --set global.namespace=$ARGOCD_APP_NAMESPACE + --set global.pattern=mypattern + --set global.clusterDomain=region.example.com + --set global.hubClusterDomain=apps.hub.example.com + --set global.localClusterDomain=apps.region.example.com + --set clusterGroup.name=datacenter + --post-renderer ./kustomize"] + initContainers: [] imperative: activeDeadlineSeconds: 3600 clusterRoleName: imperative-cluster-role clusterRoleYaml: "" cronJobName: imperative-cronjob - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always insecureUnsealVaultInsideClusterSchedule: '*/5 * * * *' jobName: imperative-job 
@@ -326,6 +357,38 @@ data: kind: ClusterSecretStore name: vault-backend --- +# Source: clustergroup/templates/plumbing/argocd-cmp-plugin-cms.yaml +kind: ConfigMap +apiVersion: v1 +metadata: + name: "argocd-cmp-helm-with-kustomize" + namespace: mypattern-datacenter +data: + "plugin.yaml": | + apiVersion: argoproj.io/v1alpha1 + kind: ConfigManagementPlugin + metadata: + name: helm-with-kustomize + spec: + preserveFileMode: true + init: + command: ["/bin/sh", "-c"] + args: ["helm dependency build"] + generate: + command: ["/bin/bash", "-c"] + args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} + -f $(git rev-parse --show-toplevel)/values-global.yaml + -f $(git rev-parse --show-toplevel)/values-datacenter.yaml + --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL + --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION + --set global.namespace=$ARGOCD_APP_NAMESPACE + --set global.pattern=mypattern + --set global.clusterDomain=region.example.com + --set global.hubClusterDomain=apps.hub.example.com + --set global.localClusterDomain=apps.region.example.com + --set clusterGroup.name=datacenter + --post-renderer ./kustomize"] +--- # Source: clustergroup/templates/imperative/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -450,7 +513,7 @@ spec: # git init happens in /git/repo so that we can set the folder to 0770 permissions # reason for that is ansible refuses to create temporary folders in there - name: git-init - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
@@ -458,12 +521,33 @@ spec: command: - 'sh' - '-c' - - "mkdir /git/{repo,home};git clone --single-branch --branch main --depth 1 -- https://github.com/pattern-clone/mypattern /git/repo;chmod 0770 /git/{repo,home}" + - >- + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then + URL="https://github.com/pattern-clone/mypattern"; + else + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then + U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; + P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; + URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); + echo "USER/PASS: ${URL}"; + else + S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; + mkdir -p --mode 0700 "${HOME}/.ssh"; + echo "${S}" > "${HOME}/.ssh/id_rsa"; + chmod 0600 "${HOME}/.ssh/id_rsa"; + URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); + git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; + echo "SSH: ${URL}"; + fi; + fi; + mkdir /git/{repo,home}; + git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + chmod 0770 /git/{repo,home}; volumeMounts: - name: git mountPath: "/git" - name: test - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
@@ -486,7 +570,7 @@ spec: subPath: values.yaml containers: - name: "done" - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always command: - 'sh' @@ -524,7 +608,7 @@ spec: # git init happens in /git/repo so that we can set the folder to 0770 permissions # reason for that is ansible refuses to create temporary folders in there - name: git-init - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
@@ -532,12 +616,33 @@ spec: command: - 'sh' - '-c' - - "mkdir /git/{repo,home};git clone --single-branch --branch main --depth 1 -- https://github.com/pattern-clone/mypattern /git/repo;chmod 0770 /git/{repo,home}" + - >- + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then + URL="https://github.com/pattern-clone/mypattern"; + else + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then + U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; + P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; + URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); + echo "USER/PASS: ${URL}"; + else + S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; + mkdir -p --mode 0700 "${HOME}/.ssh"; + echo "${S}" > "${HOME}/.ssh/id_rsa"; + chmod 0600 "${HOME}/.ssh/id_rsa"; + URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); + git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; + echo "SSH: ${URL}"; + fi; + fi; + mkdir /git/{repo,home}; + git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + chmod 0770 /git/{repo,home}; volumeMounts: - name: git mountPath: "/git" - name: unseal-playbook - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
@@ -562,7 +667,7 @@ spec: subPath: values.yaml containers: - name: "done" - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always command: - 'sh' @@ -712,6 +817,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: ignoreDifferences: [ { "group": "internal.open-cluster-management.io", @@ -773,6 +880,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: @@ -825,6 +934,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: @@ -877,6 +988,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: ignoreDifferences: [ { "group": "apps", @@ -959,6 +1072,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: @@ -1011,6 +1126,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: @@ -1090,6 +1207,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: - name: global.openshift value: "true" - name: injector.enabled 
@@ -1150,36 +1269,6 @@ spec: return hs applicationInstanceLabelKey: argocd.argoproj.io/instance - # Not the greatest way to pass git/quay info to sub-applications, but it will do until - # we can support helmChart with kustomize - # The other option is to pass them in as environment variables eg. BLUEPRINT_VERSION - configManagementPlugins: | - - name: kustomize-version - generate: - command: ["sh", "-c"] - args: ["kustomize version 1>&2 && exit 1"] - - name: kustomize-with-helm - generate: - command: ["kustomize"] - args: ["build", "--enable-helm"] - - name: helm-with-kustomize - init: - command: ["/bin/sh", "-c"] - args: ["helm dependency build"] - generate: - command: ["/bin/bash", "-c"] - args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} - -f $(git rev-parse --show-toplevel)/values-global.yaml - -f $(git rev-parse --show-toplevel)/values-datacenter.yaml - --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL - --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION - --set global.namespace=$ARGOCD_APP_NAMESPACE - --set global.pattern=mypattern - --set global.clusterDomain=region.example.com - --set global.hubClusterDomain=apps.hub.example.com - --set global.localClusterDomain=apps.region.example.com - --set clusterGroup.name=datacenter - --post-renderer ./kustomize"] applicationSet: resources: limits: 
@@ -1212,6 +1301,32 @@ spec: rbac: defaultPolicy: role:admin repo: + sidecarContainers: + - name: helm-with-kustomize + command: [/var/run/argocd/argocd-cmp-server] + args: [ + "--loglevel=debug" +] + image: quay.io/hybridcloudpatterns/utility-container:latest + imagePullPolicy: Always + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /var/run/argocd + name: var-files + - mountPath: /home/argocd/cmp-server/plugins + name: plugins + - mountPath: /tmp + name: cmp-tmp + - mountPath: /home/argocd/cmp-server/config/plugin.yaml + subPath: plugin.yaml + name: helm-with-kustomize + volumes: + - emptyDir: {} + name: cmp-tmp + - configMap: + name: "argocd-cmp-helm-with-kustomize" + name: helm-with-kustomize resources: limits: cpu: "1" diff --git a/common/tests/clustergroup-medical-diagnosis-hub.expected.yaml b/common/tests/clustergroup-medical-diagnosis-hub.expected.yaml index 9efc2431..5678d8bc 100644 --- a/common/tests/clustergroup-medical-diagnosis-hub.expected.yaml +++ b/common/tests/clustergroup-medical-diagnosis-hub.expected.yaml @@ -215,12 +215,15 @@ data: namespace: xraylab-1 path: charts/all/medical-diagnosis/xray-init project: medical-diagnosis + argoCD: + configManagementPlugins: [] + initContainers: [] imperative: activeDeadlineSeconds: 3600 clusterRoleName: imperative-cluster-role clusterRoleYaml: "" cronJobName: imperative-cronjob - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always insecureUnsealVaultInsideClusterSchedule: '*/5 * * * *' jobName: imperative-job 
@@ -437,7 +440,7 @@ spec: # git init happens in /git/repo so that we can set the folder to 0770 permissions # reason for that is ansible refuses to create temporary folders in there - name: git-init - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
@@ -445,12 +448,33 @@ spec: command: - 'sh' - '-c' - - "mkdir /git/{repo,home};git clone --single-branch --branch main --depth 1 -- https://github.com/pattern-clone/mypattern /git/repo;chmod 0770 /git/{repo,home}" + - >- + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then + URL="https://github.com/pattern-clone/mypattern"; + else + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then + U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; + P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; + URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); + echo "USER/PASS: ${URL}"; + else + S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; + mkdir -p --mode 0700 "${HOME}/.ssh"; + echo "${S}" > "${HOME}/.ssh/id_rsa"; + chmod 0600 "${HOME}/.ssh/id_rsa"; + URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); + git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; + echo "SSH: ${URL}"; + fi; + fi; + mkdir /git/{repo,home}; + git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + chmod 0770 /git/{repo,home}; volumeMounts: - name: git mountPath: "/git" - name: test - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
@@ -473,7 +497,7 @@ spec: subPath: values.yaml containers: - name: "done" - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always command: - 'sh' @@ -511,7 +535,7 @@ spec: # git init happens in /git/repo so that we can set the folder to 0770 permissions # reason for that is ansible refuses to create temporary folders in there - name: git-init - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
@@ -519,12 +543,33 @@ spec: command: - 'sh' - '-c' - - "mkdir /git/{repo,home};git clone --single-branch --branch main --depth 1 -- https://github.com/pattern-clone/mypattern /git/repo;chmod 0770 /git/{repo,home}" + - >- + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then + URL="https://github.com/pattern-clone/mypattern"; + else + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then + U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; + P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; + URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); + echo "USER/PASS: ${URL}"; + else + S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; + mkdir -p --mode 0700 "${HOME}/.ssh"; + echo "${S}" > "${HOME}/.ssh/id_rsa"; + chmod 0600 "${HOME}/.ssh/id_rsa"; + URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); + git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; + echo "SSH: ${URL}"; + fi; + fi; + mkdir /git/{repo,home}; + git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + chmod 0770 /git/{repo,home}; volumeMounts: - name: git mountPath: "/git" - name: unseal-playbook - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
@@ -549,7 +594,7 @@ spec: subPath: values.yaml containers: - name: "done" - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always command: - 'sh' @@ -657,6 +702,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: @@ -709,6 +756,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: @@ -761,6 +810,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: @@ -813,6 +864,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: @@ -865,6 +918,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: @@ -917,6 +972,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: @@ -969,6 +1026,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: @@ -1021,6 +1080,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: - name: global.openshift value: "true" - name: injector.enabled 
@@ -1091,6 +1152,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: @@ -1143,6 +1206,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: @@ -1195,6 +1260,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: ignoreDifferences: [ { "group": "apps.openshift.io", @@ -1256,6 +1323,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: ignoreDifferences: [ { "group": "apps.openshift.io", @@ -1317,6 +1386,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: 
@@ -1359,36 +1430,6 @@ spec: return hs applicationInstanceLabelKey: argocd.argoproj.io/instance - # Not the greatest way to pass git/quay info to sub-applications, but it will do until - # we can support helmChart with kustomize - # The other option is to pass them in as environment variables eg. BLUEPRINT_VERSION - configManagementPlugins: | - - name: kustomize-version - generate: - command: ["sh", "-c"] - args: ["kustomize version 1>&2 && exit 1"] - - name: kustomize-with-helm - generate: - command: ["kustomize"] - args: ["build", "--enable-helm"] - - name: helm-with-kustomize - init: - command: ["/bin/sh", "-c"] - args: ["helm dependency build"] - generate: - command: ["/bin/bash", "-c"] - args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} - -f $(git rev-parse --show-toplevel)/values-global.yaml - -f $(git rev-parse --show-toplevel)/values-hub.yaml - --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL - --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION - --set global.namespace=$ARGOCD_APP_NAMESPACE - --set global.pattern=mypattern - --set global.clusterDomain=region.example.com - --set global.hubClusterDomain=apps.hub.example.com - --set global.localClusterDomain=apps.region.example.com - --set clusterGroup.name=hub - --post-renderer ./kustomize"] applicationSet: resources: limits: diff --git a/common/tests/clustergroup-naked.expected.yaml b/common/tests/clustergroup-naked.expected.yaml index 75359902..ec8099f3 100644 --- a/common/tests/clustergroup-naked.expected.yaml +++ b/common/tests/clustergroup-naked.expected.yaml 
@@ -38,12 +38,15 @@ data: values.yaml: | clusterGroup: applications: {} + argoCD: + configManagementPlugins: [] + initContainers: [] imperative: activeDeadlineSeconds: 3600 clusterRoleName: imperative-cluster-role clusterRoleYaml: "" cronJobName: imperative-cronjob - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always insecureUnsealVaultInsideClusterSchedule: '*/5 * * * *' jobName: imperative-job @@ -202,7 +205,7 @@ spec: # git init happens in /git/repo so that we can set the folder to 0770 permissions # reason for that is ansible refuses to create temporary folders in there - name: git-init - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
@@ -210,12 +213,33 @@ spec: command: - 'sh' - '-c' - - "mkdir /git/{repo,home};git clone --single-branch --branch main --depth 1 -- /git/repo;chmod 0770 /git/{repo,home}" + - >- + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then + URL=""; + else + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then + U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; + P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; + URL=$(echo | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); + echo "USER/PASS: ${URL}"; + else + S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; + mkdir -p --mode 0700 "${HOME}/.ssh"; + echo "${S}" > "${HOME}/.ssh/id_rsa"; + chmod 0600 "${HOME}/.ssh/id_rsa"; + URL=$(echo | sed -E "s/(https?:\/\/)/\1git@/"); + git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; + echo "SSH: ${URL}"; + fi; + fi; + mkdir /git/{repo,home}; + git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + chmod 0770 /git/{repo,home}; volumeMounts: - name: git mountPath: "/git" - name: unseal-playbook - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME @@ -240,7 +264,7 @@ spec: subPath: values.yaml containers: - name: "done" - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always command: - 'sh' 
@@ -293,36 +317,6 @@ spec: return hs applicationInstanceLabelKey: argocd.argoproj.io/instance - # Not the greatest way to pass git/quay info to sub-applications, but it will do until - # we can support helmChart with kustomize - # The other option is to pass them in as environment variables eg. BLUEPRINT_VERSION - configManagementPlugins: | - - name: kustomize-version - generate: - command: ["sh", "-c"] - args: ["kustomize version 1>&2 && exit 1"] - - name: kustomize-with-helm - generate: - command: ["kustomize"] - args: ["build", "--enable-helm"] - - name: helm-with-kustomize - init: - command: ["/bin/sh", "-c"] - args: ["helm dependency build"] - generate: - command: ["/bin/bash", "-c"] - args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} - -f $(git rev-parse --show-toplevel)/values-global.yaml - -f $(git rev-parse --show-toplevel)/values-example.yaml - --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL - --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION - --set global.namespace=$ARGOCD_APP_NAMESPACE - --set global.pattern=common - --set global.clusterDomain= - --set global.hubClusterDomain= - --set global.localClusterDomain= - --set clusterGroup.name=example - --post-renderer ./kustomize"] applicationSet: resources: limits: diff --git a/common/tests/clustergroup-normal.expected.yaml b/common/tests/clustergroup-normal.expected.yaml index d6886bed..a3dd7cd4 100644 --- a/common/tests/clustergroup-normal.expected.yaml +++ b/common/tests/clustergroup-normal.expected.yaml 
@@ -17,18 +17,54 @@ spec: apiVersion: v1 kind: Namespace metadata: + name: application-ci + labels: + argocd.argoproj.io/managed-by: mypattern-example +spec: +--- +# Source: clustergroup/templates/core/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: exclude-targetns + labels: + argocd.argoproj.io/managed-by: mypattern-example +spec: +--- +# Source: clustergroup/templates/core/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + labels: + argocd.argoproj.io/managed-by: mypattern-example + name: include-ci +spec: +--- +# Source: clustergroup/templates/core/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + labels: + argocd.argoproj.io/managed-by: mypattern-example + name: exclude-og +spec: +--- +# Source: clustergroup/templates/core/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: totally-exclude-og labels: argocd.argoproj.io/managed-by: mypattern-example - name: application-ci spec: --- # Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: + name: include-default-og labels: argocd.argoproj.io/managed-by: mypattern-example - name: excludes-ci spec: --- # Source: clustergroup/templates/imperative/namespace.yaml @@ -87,12 +123,15 @@ data: namespace: application-ci path: charts/datacenter/pipelines project: datacenter + argoCD: + configManagementPlugins: [] + initContainers: [] imperative: activeDeadlineSeconds: 3600 clusterRoleName: imperative-cluster-role clusterRoleYaml: "" cronJobName: imperative-cronjob - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always insecureUnsealVaultInsideClusterSchedule: '*/5 * * * *' jobName: imperative-job 
@@ -171,10 +210,22 @@ data: labels: kubernetes.io/os: linux openshift.io/node-selector: "" - - application-ci - - excludes-ci + - application-ci: + operatorGroup: true + targetNamespaces: + - application-ci + - other-namespace + - exclude-targetns: + operatorGroup: true + targetNamespaces: null + - include-ci + - exclude-og + - totally-exclude-og: + operatorGroup: false + - include-default-og: + operatorGroup: true operatorgroupExcludes: - - excludes-ci + - exclude-og projects: - datacenter sharedValueFiles: @@ -351,7 +402,7 @@ spec: # git init happens in /git/repo so that we can set the folder to 0770 permissions # reason for that is ansible refuses to create temporary folders in there - name: git-init - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
@@ -359,12 +410,33 @@ spec: command: - 'sh' - '-c' - - "mkdir /git/{repo,home};git clone --single-branch --branch main --depth 1 -- https://github.com/pattern-clone/mypattern /git/repo;chmod 0770 /git/{repo,home}" + - >- + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then + URL="https://github.com/pattern-clone/mypattern"; + else + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then + U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; + P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; + URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); + echo "USER/PASS: ${URL}"; + else + S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; + mkdir -p --mode 0700 "${HOME}/.ssh"; + echo "${S}" > "${HOME}/.ssh/id_rsa"; + chmod 0600 "${HOME}/.ssh/id_rsa"; + URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); + git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; + echo "SSH: ${URL}"; + fi; + fi; + mkdir /git/{repo,home}; + git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + chmod 0770 /git/{repo,home}; volumeMounts: - name: git mountPath: "/git" - name: test - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
@@ -387,7 +459,7 @@ spec: subPath: values.yaml containers: - name: "done" - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always command: - 'sh' @@ -425,7 +497,7 @@ spec: # git init happens in /git/repo so that we can set the folder to 0770 permissions # reason for that is ansible refuses to create temporary folders in there - name: git-init - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
@@ -433,12 +505,33 @@ spec: command: - 'sh' - '-c' - - "mkdir /git/{repo,home};git clone --single-branch --branch main --depth 1 -- https://github.com/pattern-clone/mypattern /git/repo;chmod 0770 /git/{repo,home}" + - >- + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then + URL="https://github.com/pattern-clone/mypattern"; + else + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then + U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; + P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; + URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); + echo "USER/PASS: ${URL}"; + else + S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; + mkdir -p --mode 0700 "${HOME}/.ssh"; + echo "${S}" > "${HOME}/.ssh/id_rsa"; + chmod 0600 "${HOME}/.ssh/id_rsa"; + URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); + git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; + echo "SSH: ${URL}"; + fi; + fi; + mkdir /git/{repo,home}; + git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + chmod 0770 /git/{repo,home}; volumeMounts: - name: git mountPath: "/git" - name: unseal-playbook - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
@@ -463,7 +556,7 @@ spec: subPath: values.yaml containers: - name: "done" - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always command: - 'sh' @@ -573,6 +666,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: ignoreDifferences: [ { "group": "internal.open-cluster-management.io", @@ -637,6 +732,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: 
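Review bot: The new `global.privateRepo` helm parameter is rendered as a bare `value:` in both `@@ -573,6 +666,8 @@` and `@@ -637,6 +732,8 @@`, which YAML parses as null rather than an empty string; the consumer (this looks like an Argo CD Application) will likely coerce it to "", but an explicit `value: ""` removes the ambiguity and keeps the document valid for stricter loaders and linters. Since this appears to be rendered test output, the quoting belongs in the chart template that emits the parameter. The enclosing `helm.parameters` list starts outside the hunk.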
@@ -919,36 +1016,6 @@ spec: return hs applicationInstanceLabelKey: argocd.argoproj.io/instance - # Not the greatest way to pass git/quay info to sub-applications, but it will do until - # we can support helmChart with kustomize - # The other option is to pass them in as environment variables eg. BLUEPRINT_VERSION - configManagementPlugins: | - - name: kustomize-version - generate: - command: ["sh", "-c"] - args: ["kustomize version 1>&2 && exit 1"] - - name: kustomize-with-helm - generate: - command: ["kustomize"] - args: ["build", "--enable-helm"] - - name: helm-with-kustomize - init: - command: ["/bin/sh", "-c"] - args: ["helm dependency build"] - generate: - command: ["/bin/bash", "-c"] - args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} - -f $(git rev-parse --show-toplevel)/values-global.yaml - -f $(git rev-parse --show-toplevel)/values-example.yaml - --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL - --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION - --set global.namespace=$ARGOCD_APP_NAMESPACE - --set global.pattern=mypattern - --set global.clusterDomain=region.example.com - --set global.hubClusterDomain=apps.hub.example.com - --set global.localClusterDomain=apps.region.example.com - --set clusterGroup.name=example - --post-renderer ./kustomize"] applicationSet: resources: limits: 
@@ -1038,21 +1105,42 @@ spec: apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: - name: open-cluster-management-operator-group - namespace: open-cluster-management + name: application-ci-operator-group + namespace: application-ci spec: targetNamespaces: - - open-cluster-management + - application-ci + - other-namespace --- # Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: - name: application-ci-operator-group - namespace: application-ci + name: exclude-targetns-operator-group + namespace: exclude-targetns spec: targetNamespaces: - - application-ci +--- +# Source: clustergroup/templates/core/operatorgroup.yaml +apiVersion: operators.coreos.com/v1 +kind: OperatorGroup +metadata: + name: include-ci-operator-group + namespace: include-ci +spec: + targetNamespaces: + - include-ci +--- +# Source: clustergroup/templates/core/operatorgroup.yaml +--- +apiVersion: operators.coreos.com/v1 +kind: OperatorGroup +metadata: + name: include-default-og-operator-group + namespace: include-default-og +spec: + targetNamespaces: + - include-default-og --- # Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 diff --git a/common/tests/golang-external-secrets-industrial-edge-factory.expected.yaml b/common/tests/golang-external-secrets-industrial-edge-factory.expected.yaml index d4a7f257..56d59652 100644 --- a/common/tests/golang-external-secrets-industrial-edge-factory.expected.yaml +++ b/common/tests/golang-external-secrets-industrial-edge-factory.expected.yaml 
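Review bot: The `exclude-targetns-operator-group` OperatorGroup has `targetNamespaces:` with no entries, which YAML parses as null; OLM treats an OperatorGroup with neither targetNamespaces nor a selector as global (all namespaces), so if a cluster-wide install is the intent the key should be omitted entirely rather than left bare, and if it is not, the operator is being granted a wider watch scope than the name suggests — confirm. Immediately before `include-default-og-operator-group` a second `---` follows the `# Source:` comment, producing an empty document that is harmless to most consumers but indicates the template emits a stray separator. Since this is rendered test output, both fixes belong in `clustergroup/templates/core/operatorgroup.yaml`.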
@@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- 
@@ -278,16 +278,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -306,7 +318,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." properties: apiVersion: default: generators.external-secrets.io/v1alpha1 @@ -350,16 +362,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported 
@@ -376,10 +400,18 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string name: description: Finds secrets based on the name. @@ -414,6 +446,15 @@ spec: - source - target type: object + transform: + description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + properties: + template: + description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + type: string + required: + - template + type: object type: object type: array sourceRef: @@ -421,7 +462,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: GeneratorRef points to a generator custom resource. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 @@ -506,9 +547,16 @@ spec: type: object engineVersion: default: v2 + description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string mergePolicy: default: Replace + enum: + - Replace + - Merge type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -534,6 +582,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -556,6 +607,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -569,6 +623,10 @@ spec: type: object target: default: Data + enum: + - Data + - Annotations + - Labels type: string type: object type: array 
@@ -608,12 +666,16 @@ spec: type: object type: object x-kubernetes-map-type: atomic + namespaces: + description: Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing. + items: + type: string + type: array refreshTime: - description: The time in which the controller should reconcile it's objects and recheck namespaces for labels. + description: The time in which the controller should reconcile its objects and recheck namespaces for labels. type: string required: - externalSecretSpec - - namespaceSelector type: object status: description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret. @@ -1325,7 +1387,7 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -1371,9 +1433,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -2080,7 +2173,7 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role + description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role items: type: string type: array 
@@ -2159,8 +2252,19 @@ spec: description: AWS Region to be used for the provider type: string role: - description: Role is a Role ARN which the SecretManager provider will assume + description: Role is a Role ARN which the provider will assume type: string + secretsManager: + description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager + properties: + forceDeleteWithoutRecovery: + description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + type: boolean + recoveryWindowInDays: + description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + format: int64 + type: integer + type: object service: description: Service defines which service should be used to fetch the secrets enum: @@ -2181,7 +2285,7 @@ spec: type: object type: array transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with SecretStore + description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider items: type: string type: array 
@@ -2308,11 +2412,72 @@ spec: - apiKeyRef - userRef type: object - required: - - apikey + jwt: + properties: + account: + type: string + secretRef: + description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + serviceAccountRef: + description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + serviceID: + description: The conjur authn jwt webservice id + type: string + required: + - account + - serviceID + type: object type: object caBundle: type: string + caProvider: + description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. 
+ properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object url: type: string required: @@ -2444,6 +2609,7 @@ spec: valueMap: additionalProperties: type: string + description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' type: object version: type: string 
@@ -2828,9 +2994,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -3734,6 +3931,9 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string key: description: Key is the key used in the Provider, mandatory @@ -3762,6 +3962,9 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string key: description: Key is the key used in the Provider, mandatory 
@@ -3798,6 +4001,10 @@ spec: creationPolicy: default: Owner description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + enum: + - Owner + - Merge + - None type: string immutable: description: Immutable defines if the final secret will be immutable @@ -3815,6 +4022,9 @@ spec: engineVersion: default: v1 description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -3960,16 +4170,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -3988,7 +4210,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -4032,16 +4254,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -4058,10 +4292,18 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string name: description: Finds secrets based on the name. @@ -4096,6 +4338,15 @@ spec: - source - target type: object + transform: + description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + properties: + template: + description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + type: string + required: + - template + type: object type: object type: array sourceRef: @@ -4103,7 +4354,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: GeneratorRef points to a generator custom resource. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -4188,9 +4439,16 @@ spec: type: object engineVersion: default: v2 + description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string mergePolicy: default: Replace + enum: + - Replace + - Merge type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -4216,6 +4474,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -4238,6 +4499,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -4251,6 +4515,10 @@ spec: type: object target: default: Data + enum: + - Data + - Annotations + - Labels type: string type: object type: array @@ -4624,7 +4892,6 @@ spec: type: string required: - remoteRef - - secretKey type: object metadata: description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. @@ -4636,6 +4903,9 @@ spec: deletionPolicy: default: None description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".' + enum: + - Delete + - None type: string refreshInterval: description: The Interval to which External Secrets will try to push a secret definition @@ -4755,7 +5025,6 @@ spec: type: string required: - remoteRef - - secretKey type: object metadata: description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. 
@@ -5439,7 +5708,7 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -5485,9 +5754,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -6194,7 +6494,7 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role + description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role items: type: string type: array 
@@ -6273,8 +6573,19 @@ spec: description: AWS Region to be used for the provider type: string role: - description: Role is a Role ARN which the SecretManager provider will assume + description: Role is a Role ARN which the provider will assume type: string + secretsManager: + description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager + properties: + forceDeleteWithoutRecovery: + description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + type: boolean + recoveryWindowInDays: + description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + format: int64 + type: integer + type: object service: description: Service defines which service should be used to fetch the secrets enum: @@ -6295,7 +6606,7 @@ spec: type: object type: array transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with SecretStore + description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider items: type: string type: array 
@@ -6422,11 +6733,72 @@ spec: - apiKeyRef - userRef type: object - required: - - apikey + jwt: + properties: + account: + type: string + secretRef: + description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + serviceAccountRef: + description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + serviceID: + description: The conjur authn jwt webservice id + type: string + required: + - account + - serviceID + type: object type: object caBundle: type: string + caProvider: + description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. 
+ properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object url: type: string required: @@ -6558,6 +6930,7 @@ spec: valueMap: additionalProperties: type: string + description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' type: object version: type: string 
@@ -6942,9 +7315,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -8097,6 +8501,9 @@ spec: resultType: default: Data description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + enum: + - Data + - Auth type: string required: - path 
@@ -8124,10 +8531,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8191,10 +8598,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8300,10 +8707,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -8340,10 +8747,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" 
@@ -8384,10 +8791,10 @@ metadata: name: golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8405,10 +8812,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8425,10 +8832,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8461,10 +8868,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -8500,10 +8907,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8521,10 +8928,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -8545,10 +8952,10 @@ metadata: name: golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8560,10 +8967,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller @@ -8578,7 +8985,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi" imagePullPolicy: IfNotPresent args: - certcontroller 
@@ -8608,10 +9015,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8623,10 +9030,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: golang-external-secrets @@ -8641,10 +9048,11 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 + - --metrics-addr=:8080 ports: - containerPort: 8080 protocol: TCP @@ -8657,10 +9065,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8672,10 +9080,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false 
@@ -8690,7 +9098,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi" imagePullPolicy: IfNotPresent args: - webhook diff --git a/common/tests/golang-external-secrets-industrial-edge-hub.expected.yaml b/common/tests/golang-external-secrets-industrial-edge-hub.expected.yaml index a549223c..c58f735d 100644 --- a/common/tests/golang-external-secrets-industrial-edge-hub.expected.yaml +++ b/common/tests/golang-external-secrets-industrial-edge-hub.expected.yaml @@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml 
@@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -278,16 +278,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -306,7 +318,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -350,16 +362,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -376,10 +400,18 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string name: description: Finds secrets based on the name. @@ -414,6 +446,15 @@ spec: - source - target type: object + transform: + description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + properties: + template: + description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + type: string + required: + - template + type: object type: object type: array sourceRef: @@ -421,7 +462,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: GeneratorRef points to a generator custom resource. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -506,9 +547,16 @@ spec: type: object engineVersion: default: v2 + description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string mergePolicy: default: Replace + enum: + - Replace + - Merge type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -534,6 +582,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -556,6 +607,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -569,6 +623,10 @@ spec: type: object target: default: Data + enum: + - Data + - Annotations + - Labels type: string type: object type: array @@ -608,12 +666,16 @@ spec: type: object type: object x-kubernetes-map-type: atomic + namespaces: + description: Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing. + items: + type: string + type: array refreshTime: - description: The time in which the controller should reconcile it's objects and recheck namespaces for labels. + description: The time in which the controller should reconcile its objects and recheck namespaces for labels. type: string required: - externalSecretSpec - - namespaceSelector type: object status: description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret. 
@@ -1325,7 +1387,7 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -1371,9 +1433,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -2080,7 +2173,7 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role + description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role items: type: string type: array 
@@ -2159,8 +2252,19 @@ spec: description: AWS Region to be used for the provider type: string role: - description: Role is a Role ARN which the SecretManager provider will assume + description: Role is a Role ARN which the provider will assume type: string + secretsManager: + description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager + properties: + forceDeleteWithoutRecovery: + description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + type: boolean + recoveryWindowInDays: + description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + format: int64 + type: integer + type: object service: description: Service defines which service should be used to fetch the secrets enum: @@ -2181,7 +2285,7 @@ spec: type: object type: array transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with SecretStore + description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider items: type: string type: array 
@@ -2308,11 +2412,72 @@ spec: - apiKeyRef - userRef type: object - required: - - apikey + jwt: + properties: + account: + type: string + secretRef: + description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + serviceAccountRef: + description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + serviceID: + description: The conjur authn jwt webservice id + type: string + required: + - account + - serviceID + type: object type: object caBundle: type: string + caProvider: + description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. 
+ properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object url: type: string required: @@ -2444,6 +2609,7 @@ spec: valueMap: additionalProperties: type: string + description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' type: object version: type: string 
@@ -2828,9 +2994,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -3734,6 +3931,9 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string key: description: Key is the key used in the Provider, mandatory @@ -3762,6 +3962,9 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string key: description: Key is the key used in the Provider, mandatory 
@@ -3798,6 +4001,10 @@ spec: creationPolicy: default: Owner description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + enum: + - Owner + - Merge + - None type: string immutable: description: Immutable defines if the final secret will be immutable @@ -3815,6 +4022,9 @@ spec: engineVersion: default: v1 description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -3960,16 +4170,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -3988,7 +4210,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -4032,16 +4254,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -4058,10 +4292,18 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string name: description: Finds secrets based on the name. @@ -4096,6 +4338,15 @@ spec: - source - target type: object + transform: + description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + properties: + template: + description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + type: string + required: + - template + type: object type: object type: array sourceRef: @@ -4103,7 +4354,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: GeneratorRef points to a generator custom resource. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -4188,9 +4439,16 @@ spec: type: object engineVersion: default: v2 + description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string mergePolicy: default: Replace + enum: + - Replace + - Merge type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -4216,6 +4474,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -4238,6 +4499,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -4251,6 +4515,10 @@ spec: type: object target: default: Data + enum: + - Data + - Annotations + - Labels type: string type: object type: array @@ -4624,7 +4892,6 @@ spec: type: string required: - remoteRef - - secretKey type: object metadata: description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. @@ -4636,6 +4903,9 @@ spec: deletionPolicy: default: None description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".' + enum: + - Delete + - None type: string refreshInterval: description: The Interval to which External Secrets will try to push a secret definition @@ -4755,7 +5025,6 @@ spec: type: string required: - remoteRef - - secretKey type: object metadata: description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. 
@@ -5439,7 +5708,7 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -5485,9 +5754,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -6194,7 +6494,7 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role + description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role items: type: string type: array 
@@ -6273,8 +6573,19 @@ spec: description: AWS Region to be used for the provider type: string role: - description: Role is a Role ARN which the SecretManager provider will assume + description: Role is a Role ARN which the provider will assume type: string + secretsManager: + description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager + properties: + forceDeleteWithoutRecovery: + description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + type: boolean + recoveryWindowInDays: + description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + format: int64 + type: integer + type: object service: description: Service defines which service should be used to fetch the secrets enum: @@ -6295,7 +6606,7 @@ spec: type: object type: array transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with SecretStore + description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider items: type: string type: array 
@@ -6422,11 +6733,72 @@ spec: - apiKeyRef - userRef type: object - required: - - apikey + jwt: + properties: + account: + type: string + secretRef: + description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + serviceAccountRef: + description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + serviceID: + description: The conjur authn jwt webservice id + type: string + required: + - account + - serviceID + type: object type: object caBundle: type: string + caProvider: + description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. 
+ properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object url: type: string required: @@ -6558,6 +6930,7 @@ spec: valueMap: additionalProperties: type: string + description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' type: object version: type: string 
@@ -6942,9 +7315,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -8097,6 +8501,9 @@ spec: resultType: default: Data description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + enum: + - Data + - Auth type: string required: - path 
@@ -8124,10 +8531,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8191,10 +8598,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8300,10 +8707,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -8340,10 +8747,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" 
@@ -8384,10 +8791,10 @@ metadata: name: golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8405,10 +8812,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8425,10 +8832,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8461,10 +8868,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -8500,10 +8907,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8521,10 +8928,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -8545,10 +8952,10 @@ metadata: name: golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8560,10 +8967,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller @@ -8578,7 +8985,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi" imagePullPolicy: IfNotPresent args: - certcontroller 
@@ -8608,10 +9015,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8623,10 +9030,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: golang-external-secrets @@ -8641,10 +9048,11 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 + - --metrics-addr=:8080 ports: - containerPort: 8080 protocol: TCP @@ -8657,10 +9065,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8672,10 +9080,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false 
@@ -8690,7 +9098,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi" imagePullPolicy: IfNotPresent args: - webhook diff --git a/common/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml b/common/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml index a549223c..c58f735d 100644 --- a/common/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml +++ b/common/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml @@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml 
@@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -278,16 +278,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -306,7 +318,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -350,16 +362,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -376,10 +400,18 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string name: description: Finds secrets based on the name. @@ -414,6 +446,15 @@ spec: - source - target type: object + transform: + description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + properties: + template: + description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + type: string + required: + - template + type: object type: object type: array sourceRef: @@ -421,7 +462,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: GeneratorRef points to a generator custom resource. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -506,9 +547,16 @@ spec: type: object engineVersion: default: v2 + description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string mergePolicy: default: Replace + enum: + - Replace + - Merge type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -534,6 +582,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -556,6 +607,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -569,6 +623,10 @@ spec: type: object target: default: Data + enum: + - Data + - Annotations + - Labels type: string type: object type: array @@ -608,12 +666,16 @@ spec: type: object type: object x-kubernetes-map-type: atomic + namespaces: + description: Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing. + items: + type: string + type: array refreshTime: - description: The time in which the controller should reconcile it's objects and recheck namespaces for labels. + description: The time in which the controller should reconcile its objects and recheck namespaces for labels. type: string required: - externalSecretSpec - - namespaceSelector type: object status: description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret. 
@@ -1325,7 +1387,7 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -1371,9 +1433,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -2080,7 +2173,7 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role + description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role items: type: string type: array 
@@ -2159,8 +2252,19 @@ spec: description: AWS Region to be used for the provider type: string role: - description: Role is a Role ARN which the SecretManager provider will assume + description: Role is a Role ARN which the provider will assume type: string + secretsManager: + description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager + properties: + forceDeleteWithoutRecovery: + description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + type: boolean + recoveryWindowInDays: + description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + format: int64 + type: integer + type: object service: description: Service defines which service should be used to fetch the secrets enum: @@ -2181,7 +2285,7 @@ spec: type: object type: array transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with SecretStore + description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider items: type: string type: array 
@@ -2308,11 +2412,72 @@ spec: - apiKeyRef - userRef type: object - required: - - apikey + jwt: + properties: + account: + type: string + secretRef: + description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + serviceAccountRef: + description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + serviceID: + description: The conjur authn jwt webservice id + type: string + required: + - account + - serviceID + type: object type: object caBundle: type: string + caProvider: + description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. 
+ properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object url: type: string required: @@ -2444,6 +2609,7 @@ spec: valueMap: additionalProperties: type: string + description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' type: object version: type: string 
@@ -2828,9 +2994,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -3734,6 +3931,9 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string key: description: Key is the key used in the Provider, mandatory @@ -3762,6 +3962,9 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string key: description: Key is the key used in the Provider, mandatory 
@@ -3798,6 +4001,10 @@ spec: creationPolicy: default: Owner description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + enum: + - Owner + - Merge + - None type: string immutable: description: Immutable defines if the final secret will be immutable @@ -3815,6 +4022,9 @@ spec: engineVersion: default: v1 description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -3960,16 +4170,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -3988,7 +4210,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -4032,16 +4254,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -4058,10 +4292,18 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string name: description: Finds secrets based on the name. @@ -4096,6 +4338,15 @@ spec: - source - target type: object + transform: + description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + properties: + template: + description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + type: string + required: + - template + type: object type: object type: array sourceRef: @@ -4103,7 +4354,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: GeneratorRef points to a generator custom resource. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -4188,9 +4439,16 @@ spec: type: object engineVersion: default: v2 + description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string mergePolicy: default: Replace + enum: + - Replace + - Merge type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -4216,6 +4474,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -4238,6 +4499,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -4251,6 +4515,10 @@ spec: type: object target: default: Data + enum: + - Data + - Annotations + - Labels type: string type: object type: array @@ -4624,7 +4892,6 @@ spec: type: string required: - remoteRef - - secretKey type: object metadata: description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. @@ -4636,6 +4903,9 @@ spec: deletionPolicy: default: None description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".' + enum: + - Delete + - None type: string refreshInterval: description: The Interval to which External Secrets will try to push a secret definition @@ -4755,7 +5025,6 @@ spec: type: string required: - remoteRef - - secretKey type: object metadata: description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. 
@@ -5439,7 +5708,7 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -5485,9 +5754,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -6194,7 +6494,7 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role + description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role items: type: string type: array 
@@ -6273,8 +6573,19 @@ spec: description: AWS Region to be used for the provider type: string role: - description: Role is a Role ARN which the SecretManager provider will assume + description: Role is a Role ARN which the provider will assume type: string + secretsManager: + description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager + properties: + forceDeleteWithoutRecovery: + description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + type: boolean + recoveryWindowInDays: + description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + format: int64 + type: integer + type: object service: description: Service defines which service should be used to fetch the secrets enum: @@ -6295,7 +6606,7 @@ spec: type: object type: array transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with SecretStore + description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider items: type: string type: array 
@@ -6422,11 +6733,72 @@ spec: - apiKeyRef - userRef type: object - required: - - apikey + jwt: + properties: + account: + type: string + secretRef: + description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + serviceAccountRef: + description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + serviceID: + description: The conjur authn jwt webservice id + type: string + required: + - account + - serviceID + type: object type: object caBundle: type: string + caProvider: + description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. 
+ properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object url: type: string required: @@ -6558,6 +6930,7 @@ spec: valueMap: additionalProperties: type: string + description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' type: object version: type: string 
@@ -6942,9 +7315,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -8097,6 +8501,9 @@ spec: resultType: default: Data description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + enum: + - Data + - Auth type: string required: - path 
@@ -8124,10 +8531,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8191,10 +8598,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8300,10 +8707,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -8340,10 +8747,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" 
@@ -8384,10 +8791,10 @@ metadata: name: golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8405,10 +8812,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8425,10 +8832,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8461,10 +8868,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -8500,10 +8907,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8521,10 +8928,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -8545,10 +8952,10 @@ metadata: name: golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8560,10 +8967,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller @@ -8578,7 +8985,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi" imagePullPolicy: IfNotPresent args: - certcontroller 
@@ -8608,10 +9015,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8623,10 +9030,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: golang-external-secrets @@ -8641,10 +9048,11 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 + - --metrics-addr=:8080 ports: - containerPort: 8080 protocol: TCP @@ -8657,10 +9065,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8672,10 +9080,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false 
@@ -8690,7 +9098,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi" imagePullPolicy: IfNotPresent args: - webhook diff --git a/common/tests/golang-external-secrets-naked.expected.yaml b/common/tests/golang-external-secrets-naked.expected.yaml index fa8a268b..5a2e226b 100644 --- a/common/tests/golang-external-secrets-naked.expected.yaml +++ b/common/tests/golang-external-secrets-naked.expected.yaml @@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml 
@@ -45,10 +45,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -278,16 +278,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -306,7 +318,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -350,16 +362,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -376,10 +400,18 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string name: description: Finds secrets based on the name. @@ -414,6 +446,15 @@ spec: - source - target type: object + transform: + description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + properties: + template: + description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + type: string + required: + - template + type: object type: object type: array sourceRef: @@ -421,7 +462,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: GeneratorRef points to a generator custom resource. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -506,9 +547,16 @@ spec: type: object engineVersion: default: v2 + description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string mergePolicy: default: Replace + enum: + - Replace + - Merge type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -534,6 +582,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -556,6 +607,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -569,6 +623,10 @@ spec: type: object target: default: Data + enum: + - Data + - Annotations + - Labels type: string type: object type: array @@ -608,12 +666,16 @@ spec: type: object type: object x-kubernetes-map-type: atomic + namespaces: + description: Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing. + items: + type: string + type: array refreshTime: - description: The time in which the controller should reconcile it's objects and recheck namespaces for labels. + description: The time in which the controller should reconcile its objects and recheck namespaces for labels. type: string required: - externalSecretSpec - - namespaceSelector type: object status: description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret. 
@@ -1325,7 +1387,7 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -1371,9 +1433,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -2080,7 +2173,7 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role + description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role items: type: string type: array 
@@ -2159,8 +2252,19 @@ spec: description: AWS Region to be used for the provider type: string role: - description: Role is a Role ARN which the SecretManager provider will assume + description: Role is a Role ARN which the provider will assume type: string + secretsManager: + description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager + properties: + forceDeleteWithoutRecovery: + description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + type: boolean + recoveryWindowInDays: + description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + format: int64 + type: integer + type: object service: description: Service defines which service should be used to fetch the secrets enum: @@ -2181,7 +2285,7 @@ spec: type: object type: array transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with SecretStore + description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider items: type: string type: array 
@@ -2308,11 +2412,72 @@ spec: - apiKeyRef - userRef type: object - required: - - apikey + jwt: + properties: + account: + type: string + secretRef: + description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + serviceAccountRef: + description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + serviceID: + description: The conjur authn jwt webservice id + type: string + required: + - account + - serviceID + type: object type: object caBundle: type: string + caProvider: + description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. 
+ properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object url: type: string required: @@ -2444,6 +2609,7 @@ spec: valueMap: additionalProperties: type: string + description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' type: object version: type: string 
@@ -2828,9 +2994,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -3734,6 +3931,9 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string key: description: Key is the key used in the Provider, mandatory @@ -3762,6 +3962,9 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string key: description: Key is the key used in the Provider, mandatory 
@@ -3798,6 +4001,10 @@ spec: creationPolicy: default: Owner description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + enum: + - Owner + - Merge + - None type: string immutable: description: Immutable defines if the final secret will be immutable @@ -3815,6 +4022,9 @@ spec: engineVersion: default: v1 description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -3960,16 +4170,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -3988,7 +4210,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -4032,16 +4254,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -4058,10 +4292,18 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string name: description: Finds secrets based on the name. @@ -4096,6 +4338,15 @@ spec: - source - target type: object + transform: + description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + properties: + template: + description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + type: string + required: + - template + type: object type: object type: array sourceRef: @@ -4103,7 +4354,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: GeneratorRef points to a generator custom resource. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -4188,9 +4439,16 @@ spec: type: object engineVersion: default: v2 + description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string mergePolicy: default: Replace + enum: + - Replace + - Merge type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -4216,6 +4474,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -4238,6 +4499,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -4251,6 +4515,10 @@ spec: type: object target: default: Data + enum: + - Data + - Annotations + - Labels type: string type: object type: array @@ -4624,7 +4892,6 @@ spec: type: string required: - remoteRef - - secretKey type: object metadata: description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. @@ -4636,6 +4903,9 @@ spec: deletionPolicy: default: None description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".' + enum: + - Delete + - None type: string refreshInterval: description: The Interval to which External Secrets will try to push a secret definition @@ -4755,7 +5025,6 @@ spec: type: string required: - remoteRef - - secretKey type: object metadata: description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. 
@@ -5439,7 +5708,7 @@ spec:
description: Oracle configures this store to sync secrets using Oracle Vault provider
properties:
auth:
- description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
+ description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal.
properties:
secretRef:
description: SecretRef to pass through sensitive information.
@@ -5485,9 +5754,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -6194,7 +6494,7 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role + description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role items: type: string type: array 
@@ -6273,8 +6573,19 @@ spec: description: AWS Region to be used for the provider type: string role: - description: Role is a Role ARN which the SecretManager provider will assume + description: Role is a Role ARN which the provider will assume type: string + secretsManager: + description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager + properties: + forceDeleteWithoutRecovery: + description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + type: boolean + recoveryWindowInDays: + description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + format: int64 + type: integer + type: object service: description: Service defines which service should be used to fetch the secrets enum: @@ -6295,7 +6606,7 @@ spec: type: object type: array transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with SecretStore + description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider items: type: string type: array 
@@ -6422,11 +6733,72 @@ spec: - apiKeyRef - userRef type: object - required: - - apikey + jwt: + properties: + account: + type: string + secretRef: + description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + serviceAccountRef: + description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + serviceID: + description: The conjur authn jwt webservice id + type: string + required: + - account + - serviceID + type: object type: object caBundle: type: string + caProvider: + description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. 
+ properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object url: type: string required: @@ -6558,6 +6930,7 @@ spec: valueMap: additionalProperties: type: string + description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' type: object version: type: string 
@@ -6942,9 +7315,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -8097,6 +8501,9 @@ spec: resultType: default: Data description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + enum: + - Data + - Auth type: string required: - path 
@@ -8124,10 +8531,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8191,10 +8598,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8300,10 +8707,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -8340,10 +8747,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" 
@@ -8384,10 +8791,10 @@ metadata: name: golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8405,10 +8812,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8425,10 +8832,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8461,10 +8868,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -8500,10 +8907,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8521,10 +8928,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -8545,10 +8952,10 @@ metadata: name: golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8560,10 +8967,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller @@ -8578,7 +8985,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi" imagePullPolicy: IfNotPresent args: - certcontroller 
@@ -8608,10 +9015,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8623,10 +9030,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: golang-external-secrets @@ -8641,10 +9048,11 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 + - --metrics-addr=:8080 ports: - containerPort: 8080 protocol: TCP @@ -8657,10 +9065,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8672,10 +9080,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false 
@@ -8690,7 +9098,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi" imagePullPolicy: IfNotPresent args: - webhook diff --git a/common/tests/golang-external-secrets-normal.expected.yaml b/common/tests/golang-external-secrets-normal.expected.yaml index a549223c..c58f735d 100644 --- a/common/tests/golang-external-secrets-normal.expected.yaml +++ b/common/tests/golang-external-secrets-normal.expected.yaml @@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml 
@@ -45,10 +45,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -278,16 +278,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -306,7 +318,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -350,16 +362,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -376,10 +400,18 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string name: description: Finds secrets based on the name. @@ -414,6 +446,15 @@ spec: - source - target type: object + transform: + description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + properties: + template: + description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + type: string + required: + - template + type: object type: object type: array sourceRef: @@ -421,7 +462,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: GeneratorRef points to a generator custom resource. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -506,9 +547,16 @@ spec: type: object engineVersion: default: v2 + description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string mergePolicy: default: Replace + enum: + - Replace + - Merge type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -534,6 +582,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -556,6 +607,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -569,6 +623,10 @@ spec: type: object target: default: Data + enum: + - Data + - Annotations + - Labels type: string type: object type: array @@ -608,12 +666,16 @@ spec: type: object type: object x-kubernetes-map-type: atomic + namespaces: + description: Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing. + items: + type: string + type: array refreshTime: - description: The time in which the controller should reconcile it's objects and recheck namespaces for labels. + description: The time in which the controller should reconcile its objects and recheck namespaces for labels. type: string required: - externalSecretSpec - - namespaceSelector type: object status: description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret. 
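Review bot: In the last hunk of this section (`@@ -608,12 +666,16 @@`) `namespaceSelector` is removed from `required` on ClusterExternalSecret while the new `namespaces` list is optional, so the schema now admits a ClusterExternalSecret with neither set; whether the controller then matches no namespaces or every namespace is not visible here and should be confirmed against the 0.9.10 controller before relying on this fixture, because a cluster-scoped object that fans secrets out to all namespaces is a real blast-radius change. The new description `This field is ORed with anything that NamespaceSelector ends up choosing` also means the two mechanisms widen rather than narrow each other, which is worth a sentence in the chart's values documentation. This file appears to be rendered `helm template` output, so the check belongs in the chart values or an admission policy, not in an edit to the expected file.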
@@ -1325,7 +1387,7 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -1371,9 +1433,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -2080,7 +2173,7 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role + description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role items: type: string type: array 
@@ -2159,8 +2252,19 @@ spec: description: AWS Region to be used for the provider type: string role: - description: Role is a Role ARN which the SecretManager provider will assume + description: Role is a Role ARN which the provider will assume type: string + secretsManager: + description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager + properties: + forceDeleteWithoutRecovery: + description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + type: boolean + recoveryWindowInDays: + description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + format: int64 + type: integer + type: object service: description: Service defines which service should be used to fetch the secrets enum: @@ -2181,7 +2285,7 @@ spec: type: object type: array transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with SecretStore + description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider items: type: string type: array 
@@ -2308,11 +2412,72 @@ spec: - apiKeyRef - userRef type: object - required: - - apikey + jwt: + properties: + account: + type: string + secretRef: + description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + serviceAccountRef: + description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + serviceID: + description: The conjur authn jwt webservice id + type: string + required: + - account + - serviceID + type: object type: object caBundle: type: string + caProvider: + description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. 
+ properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object url: type: string required: @@ -2444,6 +2609,7 @@ spec: valueMap: additionalProperties: type: string + description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' type: object version: type: string 
@@ -2828,9 +2994,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -3734,6 +3931,9 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string key: description: Key is the key used in the Provider, mandatory @@ -3762,6 +3962,9 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string key: description: Key is the key used in the Provider, mandatory 
@@ -3798,6 +4001,10 @@ spec: creationPolicy: default: Owner description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + enum: + - Owner + - Merge + - None type: string immutable: description: Immutable defines if the final secret will be immutable @@ -3815,6 +4022,9 @@ spec: engineVersion: default: v1 description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -3960,16 +4170,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -3988,7 +4210,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -4032,16 +4254,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -4058,10 +4292,18 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string name: description: Finds secrets based on the name. @@ -4096,6 +4338,15 @@ spec: - source - target type: object + transform: + description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + properties: + template: + description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + type: string + required: + - template + type: object type: object type: array sourceRef: @@ -4103,7 +4354,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: GeneratorRef points to a generator custom resource. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -4188,9 +4439,16 @@ spec: type: object engineVersion: default: v2 + description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string mergePolicy: default: Replace + enum: + - Replace + - Merge type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -4216,6 +4474,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -4238,6 +4499,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -4251,6 +4515,10 @@ spec: type: object target: default: Data + enum: + - Data + - Annotations + - Labels type: string type: object type: array @@ -4624,7 +4892,6 @@ spec: type: string required: - remoteRef - - secretKey type: object metadata: description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. @@ -4636,6 +4903,9 @@ spec: deletionPolicy: default: None description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".' + enum: + - Delete + - None type: string refreshInterval: description: The Interval to which External Secrets will try to push a secret definition @@ -4755,7 +5025,6 @@ spec: type: string required: - remoteRef - - secretKey type: object metadata: description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. 
@@ -5439,7 +5708,7 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -5485,9 +5754,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -6194,7 +6494,7 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role + description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role items: type: string type: array 
@@ -6273,8 +6573,19 @@ spec: description: AWS Region to be used for the provider type: string role: - description: Role is a Role ARN which the SecretManager provider will assume + description: Role is a Role ARN which the provider will assume type: string + secretsManager: + description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager + properties: + forceDeleteWithoutRecovery: + description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + type: boolean + recoveryWindowInDays: + description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + format: int64 + type: integer + type: object service: description: Service defines which service should be used to fetch the secrets enum: @@ -6295,7 +6606,7 @@ spec: type: object type: array transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with SecretStore + description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider items: type: string type: array 
@@ -6422,11 +6733,72 @@ spec: - apiKeyRef - userRef type: object - required: - - apikey + jwt: + properties: + account: + type: string + secretRef: + description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + serviceAccountRef: + description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + serviceID: + description: The conjur authn jwt webservice id + type: string + required: + - account + - serviceID + type: object type: object caBundle: type: string + caProvider: + description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. 
+ properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object url: type: string required: @@ -6558,6 +6930,7 @@ spec: valueMap: additionalProperties: type: string + description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' type: object version: type: string 
@@ -6942,9 +7315,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -8097,6 +8501,9 @@ spec: resultType: default: Data description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + enum: + - Data + - Auth type: string required: - path 
@@ -8124,10 +8531,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8191,10 +8598,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8300,10 +8707,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -8340,10 +8747,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" 
@@ -8384,10 +8791,10 @@ metadata: name: golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8405,10 +8812,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8425,10 +8832,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8461,10 +8868,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -8500,10 +8907,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8521,10 +8928,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -8545,10 +8952,10 @@ metadata: name: golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8560,10 +8967,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller @@ -8578,7 +8985,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi" imagePullPolicy: IfNotPresent args: - certcontroller 
@@ -8608,10 +9015,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8623,10 +9030,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: golang-external-secrets @@ -8641,10 +9048,11 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 + - --metrics-addr=:8080 ports: - containerPort: 8080 protocol: TCP @@ -8657,10 +9065,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8672,10 +9080,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false 
@@ -8690,7 +9098,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi" imagePullPolicy: IfNotPresent args: - webhook diff --git a/common/tests/hashicorp-vault-industrial-edge-factory.expected.yaml b/common/tests/hashicorp-vault-industrial-edge-factory.expected.yaml index ccb5e5bb..0c68e832 100644 --- a/common/tests/hashicorp-vault-industrial-edge-factory.expected.yaml +++ b/common/tests/hashicorp-vault-industrial-edge-factory.expected.yaml @@ -4,9 +4,9 @@ apiVersion: v1 kind: ServiceAccount metadata: name: hashicorp-vault - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -16,9 +16,9 @@ apiVersion: v1 kind: ConfigMap metadata: name: hashicorp-vault-config - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -42,7 +42,7 @@ kind: ClusterRoleBinding metadata: name: hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -53,7 +53,7 @@ roleRef: subjects: - kind: ServiceAccount name: hashicorp-vault - namespace: default + namespace: pattern-namespace --- # Source: hashicorp-vault/charts/vault/templates/server-headless-service.yaml # Service for Vault cluster 
@@ -61,9 +61,9 @@ apiVersion: v1 kind: Service metadata: name: hashicorp-vault-internal - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -93,9 +93,9 @@ apiVersion: v1 kind: Service metadata: name: hashicorp-vault - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -124,9 +124,9 @@ apiVersion: v1 kind: Service metadata: name: hashicorp-vault-ui - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -148,7 +148,7 @@ apiVersion: apps/v1 kind: StatefulSet metadata: name: hashicorp-vault - namespace: default + namespace: pattern-namespace labels: app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault @@ -167,7 +167,7 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault component: server @@ -204,7 +204,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.14.0-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -317,6 +317,7 @@ spec: - metadata: name: data + spec: accessModes: - ReadWriteOnce 
@@ -343,9 +344,9 @@ kind: Route apiVersion: route.openshift.io/v1 metadata: name: hashicorp-vault - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -364,19 +365,19 @@ spec: apiVersion: v1 kind: Pod metadata: - name: "hashicorp-vault-server-test" - namespace: default + name: hashicorp-vault-server-test + namespace: pattern-namespace annotations: "helm.sh/hook": test spec: containers: - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.14.0-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR - value: http://hashicorp-vault.default.svc:8200 + value: http://hashicorp-vault.pattern-namespace.svc:8200 - name: "VAULT_ADDR" value: "https://vault.vault.svc.cluster.local:8200" diff --git a/common/tests/hashicorp-vault-industrial-edge-hub.expected.yaml b/common/tests/hashicorp-vault-industrial-edge-hub.expected.yaml index ccb5e5bb..0c68e832 100644 --- a/common/tests/hashicorp-vault-industrial-edge-hub.expected.yaml +++ b/common/tests/hashicorp-vault-industrial-edge-hub.expected.yaml @@ -4,9 +4,9 @@ apiVersion: v1 kind: ServiceAccount metadata: name: hashicorp-vault - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -16,9 +16,9 @@ apiVersion: v1 kind: ConfigMap metadata: name: hashicorp-vault-config - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -42,7 +42,7 @@ kind: ClusterRoleBinding metadata: name: hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -53,7 +53,7 @@ roleRef: subjects: - kind: ServiceAccount name: hashicorp-vault - namespace: default + namespace: pattern-namespace --- # Source: hashicorp-vault/charts/vault/templates/server-headless-service.yaml # Service for Vault cluster @@ -61,9 +61,9 @@ apiVersion: v1 kind: Service metadata: name: hashicorp-vault-internal - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -93,9 +93,9 @@ apiVersion: v1 kind: Service metadata: name: hashicorp-vault - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -124,9 +124,9 @@ apiVersion: v1 kind: Service metadata: name: hashicorp-vault-ui - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -148,7 +148,7 @@ apiVersion: apps/v1 kind: StatefulSet metadata: name: hashicorp-vault - namespace: default + namespace: pattern-namespace labels: app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault @@ -167,7 +167,7 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault component: server 
@@ -204,7 +204,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.14.0-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -317,6 +317,7 @@ spec: - metadata: name: data + spec: accessModes: - ReadWriteOnce @@ -343,9 +344,9 @@ kind: Route apiVersion: route.openshift.io/v1 metadata: name: hashicorp-vault - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -364,19 +365,19 @@ spec: apiVersion: v1 kind: Pod metadata: - name: "hashicorp-vault-server-test" - namespace: default + name: hashicorp-vault-server-test + namespace: pattern-namespace annotations: "helm.sh/hook": test spec: containers: - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.14.0-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR - value: http://hashicorp-vault.default.svc:8200 + value: http://hashicorp-vault.pattern-namespace.svc:8200 - name: "VAULT_ADDR" value: "https://vault.vault.svc.cluster.local:8200" diff --git a/common/tests/hashicorp-vault-medical-diagnosis-hub.expected.yaml b/common/tests/hashicorp-vault-medical-diagnosis-hub.expected.yaml index ccb5e5bb..0c68e832 100644 --- a/common/tests/hashicorp-vault-medical-diagnosis-hub.expected.yaml +++ b/common/tests/hashicorp-vault-medical-diagnosis-hub.expected.yaml @@ -4,9 +4,9 @@ apiVersion: v1 kind: ServiceAccount metadata: name: hashicorp-vault - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -16,9 +16,9 @@ apiVersion: v1 kind: ConfigMap metadata: name: hashicorp-vault-config - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -42,7 +42,7 @@ kind: ClusterRoleBinding metadata: name: hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -53,7 +53,7 @@ roleRef: subjects: - kind: ServiceAccount name: hashicorp-vault - namespace: default + namespace: pattern-namespace --- # Source: hashicorp-vault/charts/vault/templates/server-headless-service.yaml # Service for Vault cluster @@ -61,9 +61,9 @@ apiVersion: v1 kind: Service metadata: name: hashicorp-vault-internal - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -93,9 +93,9 @@ apiVersion: v1 kind: Service metadata: name: hashicorp-vault - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -124,9 +124,9 @@ apiVersion: v1 kind: Service metadata: name: hashicorp-vault-ui - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -148,7 +148,7 @@ apiVersion: apps/v1 kind: StatefulSet metadata: name: hashicorp-vault - namespace: default + namespace: pattern-namespace labels: app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault 
@@ -167,7 +167,7 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault component: server @@ -204,7 +204,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.14.0-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -317,6 +317,7 @@ spec: - metadata: name: data + spec: accessModes: - ReadWriteOnce @@ -343,9 +344,9 @@ kind: Route apiVersion: route.openshift.io/v1 metadata: name: hashicorp-vault - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -364,19 +365,19 @@ spec: apiVersion: v1 kind: Pod metadata: - name: "hashicorp-vault-server-test" - namespace: default + name: hashicorp-vault-server-test + namespace: pattern-namespace annotations: "helm.sh/hook": test spec: containers: - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.14.0-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR - value: http://hashicorp-vault.default.svc:8200 + value: http://hashicorp-vault.pattern-namespace.svc:8200 - name: "VAULT_ADDR" value: "https://vault.vault.svc.cluster.local:8200" diff --git a/common/tests/hashicorp-vault-naked.expected.yaml b/common/tests/hashicorp-vault-naked.expected.yaml index aa4f5b87..e09ac08f 100644 --- a/common/tests/hashicorp-vault-naked.expected.yaml +++ b/common/tests/hashicorp-vault-naked.expected.yaml @@ -6,7 +6,7 @@ metadata: name: hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -18,7 +18,7 @@ metadata: name: hashicorp-vault-config namespace: default labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -42,7 +42,7 @@ kind: ClusterRoleBinding metadata: name: hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -63,7 +63,7 @@ metadata: name: hashicorp-vault-internal namespace: default labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -95,7 +95,7 @@ metadata: name: hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -126,7 +126,7 @@ metadata: name: hashicorp-vault-ui namespace: default labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -167,7 +167,7 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault component: server @@ -204,7 +204,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.14.0-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -317,6 +317,7 @@ spec: - metadata: name: data + spec: accessModes: - ReadWriteOnce 
@@ -345,7 +346,7 @@ metadata: name: hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -364,7 +365,7 @@ spec: apiVersion: v1 kind: Pod metadata: - name: "hashicorp-vault-server-test" + name: hashicorp-vault-server-test namespace: default annotations: "helm.sh/hook": test @@ -372,7 +373,7 @@ spec: containers: - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.14.0-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/common/tests/hashicorp-vault-normal.expected.yaml b/common/tests/hashicorp-vault-normal.expected.yaml index ccb5e5bb..0c68e832 100644 --- a/common/tests/hashicorp-vault-normal.expected.yaml +++ b/common/tests/hashicorp-vault-normal.expected.yaml @@ -4,9 +4,9 @@ apiVersion: v1 kind: ServiceAccount metadata: name: hashicorp-vault - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -16,9 +16,9 @@ apiVersion: v1 kind: ConfigMap metadata: name: hashicorp-vault-config - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -42,7 +42,7 @@ kind: ClusterRoleBinding metadata: name: hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -53,7 +53,7 @@ roleRef: subjects: - kind: ServiceAccount name: hashicorp-vault - namespace: default + namespace: pattern-namespace --- # Source: hashicorp-vault/charts/vault/templates/server-headless-service.yaml # Service for Vault cluster @@ -61,9 +61,9 @@ apiVersion: v1 kind: Service metadata: name: hashicorp-vault-internal - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -93,9 +93,9 @@ apiVersion: v1 kind: Service metadata: name: hashicorp-vault - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -124,9 +124,9 @@ apiVersion: v1 kind: Service metadata: name: hashicorp-vault-ui - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -148,7 +148,7 @@ apiVersion: apps/v1 kind: StatefulSet metadata: name: hashicorp-vault - namespace: default + namespace: pattern-namespace labels: app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault @@ -167,7 +167,7 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault component: server @@ -204,7 +204,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.14.0-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -317,6 +317,7 @@ spec: - metadata: name: data + spec: accessModes: - ReadWriteOnce 
@@ -343,9 +344,9 @@ kind: Route apiVersion: route.openshift.io/v1 metadata: name: hashicorp-vault - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -364,19 +365,19 @@ spec: apiVersion: v1 kind: Pod metadata: - name: "hashicorp-vault-server-test" - namespace: default + name: hashicorp-vault-server-test + namespace: pattern-namespace annotations: "helm.sh/hook": test spec: containers: - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.14.0-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR - value: http://hashicorp-vault.default.svc:8200 + value: http://hashicorp-vault.pattern-namespace.svc:8200 - name: "VAULT_ADDR" value: "https://vault.vault.svc.cluster.local:8200" diff --git a/tests/common-acm-industrial-edge-factory.expected.yaml b/tests/common-acm-industrial-edge-factory.expected.yaml index 86d7277d..2210b4cf 100644 --- a/tests/common-acm-industrial-edge-factory.expected.yaml +++ b/tests/common-acm-industrial-edge-factory.expected.yaml @@ -5,6 +5,15 @@ # Source: acm/templates/policies/application-policies.yaml # TODO: Also create a GitOpsCluster.apps.open-cluster-management.io --- +# Source: acm/templates/policies/private-repo-policies.yaml +# We copy the vp-private-repo-credentials from the "openshift-gitops" namespace +# to the "open-cluster-management" via the "private-hub-policy" +# +# Then we copy the secret from the "open-cluster-management" namespace to the +# managed clusters "openshift-gitops" instance +# +# And we also copy the same secret to the namespaced argo's namespace +--- # Source: acm/templates/multiclusterhub.yaml apiVersion: operator.open-cluster-management.io/v1 kind: MultiClusterHub 
diff --git a/tests/common-acm-industrial-edge-hub.expected.yaml b/tests/common-acm-industrial-edge-hub.expected.yaml index 6bb30bac..f9627771 100644 --- a/tests/common-acm-industrial-edge-hub.expected.yaml +++ b/tests/common-acm-industrial-edge-hub.expected.yaml @@ -2,6 +2,15 @@ # Source: acm/templates/policies/acm-hub-ca-policy.yaml # This pushes out the HUB's Certificate Authorities on to the imported clusters --- +# Source: acm/templates/policies/private-repo-policies.yaml +# We copy the vp-private-repo-credentials from the "openshift-gitops" namespace +# to the "open-cluster-management" via the "private-hub-policy" +# +# Then we copy the secret from the "open-cluster-management" namespace to the +# managed clusters "openshift-gitops" instance +# +# And we also copy the same secret to the namespaced argo's namespace +--- # Source: acm/templates/multiclusterhub.yaml apiVersion: operator.open-cluster-management.io/v1 kind: MultiClusterHub diff --git a/tests/common-acm-medical-diagnosis-hub.expected.yaml b/tests/common-acm-medical-diagnosis-hub.expected.yaml index 2361be7a..cea5a1dc 100644 --- a/tests/common-acm-medical-diagnosis-hub.expected.yaml +++ b/tests/common-acm-medical-diagnosis-hub.expected.yaml @@ -2,6 +2,15 @@ # Source: acm/templates/policies/acm-hub-ca-policy.yaml # This pushes out the HUB's Certificate Authorities on to the imported clusters --- +# Source: acm/templates/policies/private-repo-policies.yaml +# We copy the vp-private-repo-credentials from the "openshift-gitops" namespace +# to the "open-cluster-management" via the "private-hub-policy" +# +# Then we copy the secret from the "open-cluster-management" namespace to the +# managed clusters "openshift-gitops" instance +# +# And we also copy the same secret to the namespaced argo's namespace +--- # Source: acm/templates/multiclusterhub.yaml apiVersion: operator.open-cluster-management.io/v1 kind: MultiClusterHub 
diff --git a/tests/common-acm-naked.expected.yaml b/tests/common-acm-naked.expected.yaml index cb73d733..5ba9bd60 100644 --- a/tests/common-acm-naked.expected.yaml +++ b/tests/common-acm-naked.expected.yaml @@ -5,6 +5,15 @@ # Source: acm/templates/policies/application-policies.yaml # TODO: Also create a GitOpsCluster.apps.open-cluster-management.io --- +# Source: acm/templates/policies/private-repo-policies.yaml +# We copy the vp-private-repo-credentials from the "openshift-gitops" namespace +# to the "open-cluster-management" via the "private-hub-policy" +# +# Then we copy the secret from the "open-cluster-management" namespace to the +# managed clusters "openshift-gitops" instance +# +# And we also copy the same secret to the namespaced argo's namespace +--- # Source: acm/templates/multiclusterhub.yaml apiVersion: operator.open-cluster-management.io/v1 kind: MultiClusterHub diff --git a/tests/common-acm-normal.expected.yaml b/tests/common-acm-normal.expected.yaml index a83284bb..55553a79 100644 --- a/tests/common-acm-normal.expected.yaml +++ b/tests/common-acm-normal.expected.yaml @@ -22,6 +22,15 @@ type: Opaque # Source: acm/templates/policies/acm-hub-ca-policy.yaml # This pushes out the HUB's Certificate Authorities on to the imported clusters --- +# Source: acm/templates/policies/private-repo-policies.yaml +# We copy the vp-private-repo-credentials from the "openshift-gitops" namespace +# to the "open-cluster-management" via the "private-hub-policy" +# +# Then we copy the secret from the "open-cluster-management" namespace to the +# managed clusters "openshift-gitops" instance +# +# And we also copy the same secret to the namespaced argo's namespace +--- # Source: acm/templates/provision/clusterpool.yaml apiVersion: hive.openshift.io/v1 kind: ClusterClaim diff --git a/tests/common-clustergroup-industrial-edge-factory.expected.yaml b/tests/common-clustergroup-industrial-edge-factory.expected.yaml index 7349d26b..63c17f27 100644 
--- a/tests/common-clustergroup-industrial-edge-factory.expected.yaml +++ b/tests/common-clustergroup-industrial-edge-factory.expected.yaml @@ -83,12 +83,43 @@ data: namespace: manuela-factory-ml-workspace path: charts/datacenter/opendatahub project: factory + argoCD: + configManagementPlugins: + - image: quay.io/hybridcloudpatterns/utility-container:latest + name: helm-with-kustomize + pluginArgs: + - --loglevel=debug + pluginConfig: | + apiVersion: argoproj.io/v1alpha1 + kind: ConfigManagementPlugin + metadata: + name: helm-with-kustomize + spec: + preserveFileMode: true + init: + command: ["/bin/sh", "-c"] + args: ["helm dependency build"] + generate: + command: ["/bin/bash", "-c"] + args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} + -f $(git rev-parse --show-toplevel)/values-global.yaml + -f $(git rev-parse --show-toplevel)/values-factory.yaml + --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL + --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION + --set global.namespace=$ARGOCD_APP_NAMESPACE + --set global.pattern=mypattern + --set global.clusterDomain=region.example.com + --set global.hubClusterDomain=apps.hub.example.com + --set global.localClusterDomain=apps.region.example.com + --set clusterGroup.name=factory + --post-renderer ./kustomize"] + initContainers: [] imperative: activeDeadlineSeconds: 3600 clusterRoleName: imperative-cluster-role clusterRoleYaml: "" cronJobName: imperative-cronjob - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always insecureUnsealVaultInsideClusterSchedule: '*/5 * * * *' jobName: imperative-job 
@@ -180,6 +211,38 @@ data: kind: ClusterSecretStore name: vault-backend --- +# Source: clustergroup/templates/plumbing/argocd-cmp-plugin-cms.yaml +kind: ConfigMap +apiVersion: v1 +metadata: + name: "argocd-cmp-helm-with-kustomize" + namespace: mypattern-factory +data: + "plugin.yaml": | + apiVersion: argoproj.io/v1alpha1 + kind: ConfigManagementPlugin + metadata: + name: helm-with-kustomize + spec: + preserveFileMode: true + init: + command: ["/bin/sh", "-c"] + args: ["helm dependency build"] + generate: + command: ["/bin/bash", "-c"] + args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} + -f $(git rev-parse --show-toplevel)/values-global.yaml + -f $(git rev-parse --show-toplevel)/values-factory.yaml + --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL + --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION + --set global.namespace=$ARGOCD_APP_NAMESPACE + --set global.pattern=mypattern + --set global.clusterDomain=region.example.com + --set global.hubClusterDomain=apps.hub.example.com + --set global.localClusterDomain=apps.region.example.com + --set clusterGroup.name=factory + --post-renderer ./kustomize"] +--- # Source: clustergroup/templates/imperative/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -304,7 +367,7 @@ spec: # git init happens in /git/repo so that we can set the folder to 0770 permissions # reason for that is ansible refuses to create temporary folders in there - name: git-init - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
@@ -312,12 +375,33 @@ spec: command: - 'sh' - '-c' - - "mkdir /git/{repo,home};git clone --single-branch --branch main --depth 1 -- https://github.com/pattern-clone/mypattern /git/repo;chmod 0770 /git/{repo,home}" + - >- + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then + URL="https://github.com/pattern-clone/mypattern"; + else + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then + U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; + P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; + URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); + echo "USER/PASS: ${URL}"; + else + S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; + mkdir -p --mode 0700 "${HOME}/.ssh"; + echo "${S}" > "${HOME}/.ssh/id_rsa"; + chmod 0600 "${HOME}/.ssh/id_rsa"; + URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); + git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; + echo "SSH: ${URL}"; + fi; + fi; + mkdir /git/{repo,home}; + git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + chmod 0770 /git/{repo,home}; volumeMounts: - name: git mountPath: "/git" - name: test - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
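Review bot: The `echo "USER/PASS: ${URL}"` line in the new git-init command prints the basic-auth username and password that were just spliced into the URL to the init container's stdout, so the repository credentials end up in pod logs and in whatever log aggregation the cluster ships them to; git will also persist that URL in `/git/repo/.git/config`, which the other containers sharing the `git` volume can read. Since this is rendered expected output, the fix belongs in the template that produces it (not in this diff); the identical script appears in the industrial-edge-hub expected file hunk further down. Log the host part only, e.g. `echo "USER/PASS: ${URL%%://*}://<redacted>@${URL##*@}";` (constructed; keeps the password out of the log even if it contains `@`). Separately, `-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no` in the SSH branch disables host-key verification for the clone, which is presumably deliberate for a first-run job but means a spoofed git host is not detected; if the credentials secret can carry a known_hosts entry, pointing `UserKnownHostsFile` at it would close that gap.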
@@ -340,7 +424,7 @@ spec: subPath: values.yaml containers: - name: "done" - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always command: - 'sh' @@ -454,6 +538,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: @@ -496,36 +582,6 @@ spec: return hs applicationInstanceLabelKey: argocd.argoproj.io/instance - # Not the greatest way to pass git/quay info to sub-applications, but it will do until - # we can support helmChart with kustomize - # The other option is to pass them in as environment variables eg. BLUEPRINT_VERSION - configManagementPlugins: | - - name: kustomize-version - generate: - command: ["sh", "-c"] - args: ["kustomize version 1>&2 && exit 1"] - - name: kustomize-with-helm - generate: - command: ["kustomize"] - args: ["build", "--enable-helm"] - - name: helm-with-kustomize - init: - command: ["/bin/sh", "-c"] - args: ["helm dependency build"] - generate: - command: ["/bin/bash", "-c"] - args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} - -f $(git rev-parse --show-toplevel)/values-global.yaml - -f $(git rev-parse --show-toplevel)/values-factory.yaml - --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL - --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION - --set global.namespace=$ARGOCD_APP_NAMESPACE - --set global.pattern=mypattern - --set global.clusterDomain=region.example.com - --set global.hubClusterDomain=apps.hub.example.com - --set global.localClusterDomain=apps.region.example.com - --set clusterGroup.name=factory - --post-renderer ./kustomize"] applicationSet: resources: limits: 
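Review bot: The added helm parameter `- name: global.privateRepo` is followed by a bare `value:`, which YAML parses as null rather than an empty string; whether the Argo CD Application schema accepts a null `value` depends on the API server's validation, and the rendered file suggests the template emits the value unquoted. If the intent is an empty string when no private repo is configured, the template should quote it so this renders as `value: ""`. The enclosing Application spec starts and ends outside this hunk.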
@@ -558,6 +614,32 @@ spec: rbac: defaultPolicy: role:admin repo: + sidecarContainers: + - name: helm-with-kustomize + command: [/var/run/argocd/argocd-cmp-server] + args: [ + "--loglevel=debug" +] + image: quay.io/hybridcloudpatterns/utility-container:latest + imagePullPolicy: Always + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /var/run/argocd + name: var-files + - mountPath: /home/argocd/cmp-server/plugins + name: plugins + - mountPath: /tmp + name: cmp-tmp + - mountPath: /home/argocd/cmp-server/config/plugin.yaml + subPath: plugin.yaml + name: helm-with-kustomize + volumes: + - emptyDir: {} + name: cmp-tmp + - configMap: + name: "argocd-cmp-helm-with-kustomize" + name: helm-with-kustomize resources: limits: cpu: "1" diff --git a/tests/common-clustergroup-industrial-edge-hub.expected.yaml b/tests/common-clustergroup-industrial-edge-hub.expected.yaml index c0d078aa..fd8b747b 100644 --- a/tests/common-clustergroup-industrial-edge-hub.expected.yaml +++ b/tests/common-clustergroup-industrial-edge-hub.expected.yaml 
@@ -204,12 +204,43 @@ data: project: datacenter repoURL: https://helm.releases.hashicorp.com targetRevision: v0.20.1 + argoCD: + configManagementPlugins: + - image: quay.io/hybridcloudpatterns/utility-container:latest + name: helm-with-kustomize + pluginArgs: + - --loglevel=debug + pluginConfig: | + apiVersion: argoproj.io/v1alpha1 + kind: ConfigManagementPlugin + metadata: + name: helm-with-kustomize + spec: + preserveFileMode: true + init: + command: ["/bin/sh", "-c"] + args: ["helm dependency build"] + generate: + command: ["/bin/bash", "-c"] + args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} + -f $(git rev-parse --show-toplevel)/values-global.yaml + -f $(git rev-parse --show-toplevel)/values-datacenter.yaml + --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL + --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION + --set global.namespace=$ARGOCD_APP_NAMESPACE + --set global.pattern=mypattern + --set global.clusterDomain=region.example.com + --set global.hubClusterDomain=apps.hub.example.com + --set global.localClusterDomain=apps.region.example.com + --set clusterGroup.name=datacenter + --post-renderer ./kustomize"] + initContainers: [] imperative: activeDeadlineSeconds: 3600 clusterRoleName: imperative-cluster-role clusterRoleYaml: "" cronJobName: imperative-cronjob - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always insecureUnsealVaultInsideClusterSchedule: '*/5 * * * *' jobName: imperative-job 
@@ -341,6 +372,38 @@ data: kind: ClusterSecretStore name: vault-backend --- +# Source: clustergroup/templates/plumbing/argocd-cmp-plugin-cms.yaml +kind: ConfigMap +apiVersion: v1 +metadata: + name: "argocd-cmp-helm-with-kustomize" + namespace: mypattern-datacenter +data: + "plugin.yaml": | + apiVersion: argoproj.io/v1alpha1 + kind: ConfigManagementPlugin + metadata: + name: helm-with-kustomize + spec: + preserveFileMode: true + init: + command: ["/bin/sh", "-c"] + args: ["helm dependency build"] + generate: + command: ["/bin/bash", "-c"] + args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} + -f $(git rev-parse --show-toplevel)/values-global.yaml + -f $(git rev-parse --show-toplevel)/values-datacenter.yaml + --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL + --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION + --set global.namespace=$ARGOCD_APP_NAMESPACE + --set global.pattern=mypattern + --set global.clusterDomain=region.example.com + --set global.hubClusterDomain=apps.hub.example.com + --set global.localClusterDomain=apps.region.example.com + --set clusterGroup.name=datacenter + --post-renderer ./kustomize"] +--- # Source: clustergroup/templates/imperative/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -465,7 +528,7 @@ spec: # git init happens in /git/repo so that we can set the folder to 0770 permissions # reason for that is ansible refuses to create temporary folders in there - name: git-init - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
@@ -473,12 +536,33 @@ spec: command: - 'sh' - '-c' - - "mkdir /git/{repo,home};git clone --single-branch --branch main --depth 1 -- https://github.com/pattern-clone/mypattern /git/repo;chmod 0770 /git/{repo,home}" + - >- + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then + URL="https://github.com/pattern-clone/mypattern"; + else + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then + U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; + P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; + URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); + echo "USER/PASS: ${URL}"; + else + S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; + mkdir -p --mode 0700 "${HOME}/.ssh"; + echo "${S}" > "${HOME}/.ssh/id_rsa"; + chmod 0600 "${HOME}/.ssh/id_rsa"; + URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); + git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; + echo "SSH: ${URL}"; + fi; + fi; + mkdir /git/{repo,home}; + git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + chmod 0770 /git/{repo,home}; volumeMounts: - name: git mountPath: "/git" - name: test - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
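Review bot: `echo "USER/PASS: ${URL}";` writes the decoded password from vp-private-repo-credentials to the init container's stdout, where it lands in pod logs and any log forwarder; log without the credential, e.g. `echo "USER/PASS: cloning as ${U}";`, and fix it in the template that renders this job since the same script appears at L207, L212, L214, L219, L223 and L225. The sed on the preceding line splices `${U}` and `${P}` into the URL unescaped, so a password containing `/`, `&`, `\`, `@` or `:` either breaks the expression or yields a malformed URL; percent-encode both first, e.g. `P=$(python3 -c 'import sys,urllib.parse;print(urllib.parse.quote(sys.argv[1],safe=""))' "$P");` (python3 is presumably present in the EE image since Ansible needs it). The `&> /dev/null` redirections are a bash-ism under `sh -c`: this works if the ee-supported image's sh is bash, but under a POSIX sh the `if !` tests would background the oc call and branch on the redirection's status instead. In the SSH branch `-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null` accepts any host key for the clone, and the nested quotes in `"ssh -i "${HOME}/.ssh/id_rsa" ..."` only work because HOME contains no whitespace; seeding known_hosts from the instance's `argocd-ssh-known-hosts-cm`, if present, and writing `"ssh -i ${HOME}/.ssh/id_rsa ..."` would close both.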
@@ -501,7 +585,7 @@ spec: subPath: values.yaml containers: - name: "done" - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always command: - 'sh' @@ -539,7 +623,7 @@ spec: # git init happens in /git/repo so that we can set the folder to 0770 permissions # reason for that is ansible refuses to create temporary folders in there - name: git-init - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
@@ -547,12 +631,33 @@ spec: command: - 'sh' - '-c' - - "mkdir /git/{repo,home};git clone --single-branch --branch main --depth 1 -- https://github.com/pattern-clone/mypattern /git/repo;chmod 0770 /git/{repo,home}" + - >- + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then + URL="https://github.com/pattern-clone/mypattern"; + else + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then + U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; + P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; + URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); + echo "USER/PASS: ${URL}"; + else + S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; + mkdir -p --mode 0700 "${HOME}/.ssh"; + echo "${S}" > "${HOME}/.ssh/id_rsa"; + chmod 0600 "${HOME}/.ssh/id_rsa"; + URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); + git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; + echo "SSH: ${URL}"; + fi; + fi; + mkdir /git/{repo,home}; + git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + chmod 0770 /git/{repo,home}; volumeMounts: - name: git mountPath: "/git" - name: unseal-playbook - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
@@ -577,7 +682,7 @@ spec: subPath: values.yaml containers: - name: "done" - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always command: - 'sh' @@ -727,6 +832,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: ignoreDifferences: [ { "group": "internal.open-cluster-management.io", @@ -788,6 +895,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: @@ -840,6 +949,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: @@ -892,6 +1003,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: ignoreDifferences: [ { "group": "apps", @@ -974,6 +1087,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: @@ -1026,6 +1141,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: @@ -1105,6 +1222,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: - name: global.openshift value: "true" - name: injector.enabled 
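Review bot: The added `- name: global.privateRepo` entries carry a bare `value:`, which YAML parses as null rather than an empty string; the Argo CD Application CRD declares helm parameter values as strings, so the API server will presumably prune or reject the null rather than pass `global.privateRepo=` through. Have the template emit `value: ""` when privateRepo is unset; the same applies to the entries in L215, L216 and L226.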
@@ -1165,36 +1284,6 @@ spec: return hs applicationInstanceLabelKey: argocd.argoproj.io/instance - # Not the greatest way to pass git/quay info to sub-applications, but it will do until - # we can support helmChart with kustomize - # The other option is to pass them in as environment variables eg. BLUEPRINT_VERSION - configManagementPlugins: | - - name: kustomize-version - generate: - command: ["sh", "-c"] - args: ["kustomize version 1>&2 && exit 1"] - - name: kustomize-with-helm - generate: - command: ["kustomize"] - args: ["build", "--enable-helm"] - - name: helm-with-kustomize - init: - command: ["/bin/sh", "-c"] - args: ["helm dependency build"] - generate: - command: ["/bin/bash", "-c"] - args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} - -f $(git rev-parse --show-toplevel)/values-global.yaml - -f $(git rev-parse --show-toplevel)/values-datacenter.yaml - --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL - --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION - --set global.namespace=$ARGOCD_APP_NAMESPACE - --set global.pattern=mypattern - --set global.clusterDomain=region.example.com - --set global.hubClusterDomain=apps.hub.example.com - --set global.localClusterDomain=apps.region.example.com - --set clusterGroup.name=datacenter - --post-renderer ./kustomize"] applicationSet: resources: limits: 
@@ -1227,6 +1316,32 @@ spec: rbac: defaultPolicy: role:admin repo: + sidecarContainers: + - name: helm-with-kustomize + command: [/var/run/argocd/argocd-cmp-server] + args: [ + "--loglevel=debug" +] + image: quay.io/hybridcloudpatterns/utility-container:latest + imagePullPolicy: Always + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /var/run/argocd + name: var-files + - mountPath: /home/argocd/cmp-server/plugins + name: plugins + - mountPath: /tmp + name: cmp-tmp + - mountPath: /home/argocd/cmp-server/config/plugin.yaml + subPath: plugin.yaml + name: helm-with-kustomize + volumes: + - emptyDir: {} + name: cmp-tmp + - configMap: + name: "argocd-cmp-helm-with-kustomize" + name: helm-with-kustomize resources: limits: cpu: "1" diff --git a/tests/common-clustergroup-medical-diagnosis-hub.expected.yaml b/tests/common-clustergroup-medical-diagnosis-hub.expected.yaml index 1b14514b..faa8e50a 100644 --- a/tests/common-clustergroup-medical-diagnosis-hub.expected.yaml +++ b/tests/common-clustergroup-medical-diagnosis-hub.expected.yaml @@ -215,12 +215,15 @@ data: namespace: xraylab-1 path: charts/all/medical-diagnosis/xray-init project: medical-diagnosis + argoCD: + configManagementPlugins: [] + initContainers: [] imperative: activeDeadlineSeconds: 3600 clusterRoleName: imperative-cluster-role clusterRoleYaml: "" cronJobName: imperative-cronjob - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always insecureUnsealVaultInsideClusterSchedule: '*/5 * * * *' jobName: imperative-job 
@@ -452,7 +455,7 @@ spec: # git init happens in /git/repo so that we can set the folder to 0770 permissions # reason for that is ansible refuses to create temporary folders in there - name: git-init - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
@@ -460,12 +463,33 @@ spec: command: - 'sh' - '-c' - - "mkdir /git/{repo,home};git clone --single-branch --branch main --depth 1 -- https://github.com/pattern-clone/mypattern /git/repo;chmod 0770 /git/{repo,home}" + - >- + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then + URL="https://github.com/pattern-clone/mypattern"; + else + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then + U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; + P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; + URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); + echo "USER/PASS: ${URL}"; + else + S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; + mkdir -p --mode 0700 "${HOME}/.ssh"; + echo "${S}" > "${HOME}/.ssh/id_rsa"; + chmod 0600 "${HOME}/.ssh/id_rsa"; + URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); + git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; + echo "SSH: ${URL}"; + fi; + fi; + mkdir /git/{repo,home}; + git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + chmod 0770 /git/{repo,home}; volumeMounts: - name: git mountPath: "/git" - name: test - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
@@ -488,7 +512,7 @@ spec: subPath: values.yaml containers: - name: "done" - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always command: - 'sh' @@ -526,7 +550,7 @@ spec: # git init happens in /git/repo so that we can set the folder to 0770 permissions # reason for that is ansible refuses to create temporary folders in there - name: git-init - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
@@ -534,12 +558,33 @@ spec: command: - 'sh' - '-c' - - "mkdir /git/{repo,home};git clone --single-branch --branch main --depth 1 -- https://github.com/pattern-clone/mypattern /git/repo;chmod 0770 /git/{repo,home}" + - >- + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then + URL="https://github.com/pattern-clone/mypattern"; + else + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then + U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; + P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; + URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); + echo "USER/PASS: ${URL}"; + else + S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; + mkdir -p --mode 0700 "${HOME}/.ssh"; + echo "${S}" > "${HOME}/.ssh/id_rsa"; + chmod 0600 "${HOME}/.ssh/id_rsa"; + URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); + git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; + echo "SSH: ${URL}"; + fi; + fi; + mkdir /git/{repo,home}; + git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + chmod 0770 /git/{repo,home}; volumeMounts: - name: git mountPath: "/git" - name: unseal-playbook - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
@@ -564,7 +609,7 @@ spec: subPath: values.yaml containers: - name: "done" - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always command: - 'sh' @@ -672,6 +717,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: @@ -724,6 +771,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: @@ -776,6 +825,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: @@ -828,6 +879,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: @@ -880,6 +933,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: @@ -932,6 +987,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: @@ -984,6 +1041,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: @@ -1036,6 +1095,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: - name: global.openshift value: "true" - name: injector.enabled 
@@ -1106,6 +1167,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: @@ -1158,6 +1221,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: @@ -1210,6 +1275,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: ignoreDifferences: [ { "group": "apps.openshift.io", @@ -1271,6 +1338,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: ignoreDifferences: [ { "group": "apps.openshift.io", @@ -1332,6 +1401,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: 
@@ -1374,36 +1445,6 @@ spec: return hs applicationInstanceLabelKey: argocd.argoproj.io/instance - # Not the greatest way to pass git/quay info to sub-applications, but it will do until - # we can support helmChart with kustomize - # The other option is to pass them in as environment variables eg. BLUEPRINT_VERSION - configManagementPlugins: | - - name: kustomize-version - generate: - command: ["sh", "-c"] - args: ["kustomize version 1>&2 && exit 1"] - - name: kustomize-with-helm - generate: - command: ["kustomize"] - args: ["build", "--enable-helm"] - - name: helm-with-kustomize - init: - command: ["/bin/sh", "-c"] - args: ["helm dependency build"] - generate: - command: ["/bin/bash", "-c"] - args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} - -f $(git rev-parse --show-toplevel)/values-global.yaml - -f $(git rev-parse --show-toplevel)/values-hub.yaml - --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL - --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION - --set global.namespace=$ARGOCD_APP_NAMESPACE - --set global.pattern=mypattern - --set global.clusterDomain=region.example.com - --set global.hubClusterDomain=apps.hub.example.com - --set global.localClusterDomain=apps.region.example.com - --set clusterGroup.name=hub - --post-renderer ./kustomize"] applicationSet: resources: limits: diff --git a/tests/common-clustergroup-naked.expected.yaml b/tests/common-clustergroup-naked.expected.yaml index 75359902..ec8099f3 100644 --- a/tests/common-clustergroup-naked.expected.yaml +++ b/tests/common-clustergroup-naked.expected.yaml 
@@ -38,12 +38,15 @@ data: values.yaml: | clusterGroup: applications: {} + argoCD: + configManagementPlugins: [] + initContainers: [] imperative: activeDeadlineSeconds: 3600 clusterRoleName: imperative-cluster-role clusterRoleYaml: "" cronJobName: imperative-cronjob - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always insecureUnsealVaultInsideClusterSchedule: '*/5 * * * *' jobName: imperative-job @@ -202,7 +205,7 @@ spec: # git init happens in /git/repo so that we can set the folder to 0770 permissions # reason for that is ansible refuses to create temporary folders in there - name: git-init - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
@@ -210,12 +213,33 @@ spec: command: - 'sh' - '-c' - - "mkdir /git/{repo,home};git clone --single-branch --branch main --depth 1 -- /git/repo;chmod 0770 /git/{repo,home}" + - >- + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then + URL=""; + else + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then + U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; + P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; + URL=$(echo | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); + echo "USER/PASS: ${URL}"; + else + S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; + mkdir -p --mode 0700 "${HOME}/.ssh"; + echo "${S}" > "${HOME}/.ssh/id_rsa"; + chmod 0600 "${HOME}/.ssh/id_rsa"; + URL=$(echo | sed -E "s/(https?:\/\/)/\1git@/"); + git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; + echo "SSH: ${URL}"; + fi; + fi; + mkdir /git/{repo,home}; + git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + chmod 0770 /git/{repo,home}; volumeMounts: - name: git mountPath: "/git" - name: unseal-playbook - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME @@ -240,7 +264,7 @@ spec: subPath: values.yaml containers: - name: "done" - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always command: - 'sh' 
@@ -293,36 +317,6 @@ spec: return hs applicationInstanceLabelKey: argocd.argoproj.io/instance - # Not the greatest way to pass git/quay info to sub-applications, but it will do until - # we can support helmChart with kustomize - # The other option is to pass them in as environment variables eg. BLUEPRINT_VERSION - configManagementPlugins: | - - name: kustomize-version - generate: - command: ["sh", "-c"] - args: ["kustomize version 1>&2 && exit 1"] - - name: kustomize-with-helm - generate: - command: ["kustomize"] - args: ["build", "--enable-helm"] - - name: helm-with-kustomize - init: - command: ["/bin/sh", "-c"] - args: ["helm dependency build"] - generate: - command: ["/bin/bash", "-c"] - args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} - -f $(git rev-parse --show-toplevel)/values-global.yaml - -f $(git rev-parse --show-toplevel)/values-example.yaml - --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL - --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION - --set global.namespace=$ARGOCD_APP_NAMESPACE - --set global.pattern=common - --set global.clusterDomain= - --set global.hubClusterDomain= - --set global.localClusterDomain= - --set clusterGroup.name=example - --post-renderer ./kustomize"] applicationSet: resources: limits: diff --git a/tests/common-clustergroup-normal.expected.yaml b/tests/common-clustergroup-normal.expected.yaml index 0f4e676b..aa9595e1 100644 --- a/tests/common-clustergroup-normal.expected.yaml +++ b/tests/common-clustergroup-normal.expected.yaml 
@@ -17,18 +17,54 @@ spec: apiVersion: v1 kind: Namespace metadata: + name: application-ci + labels: + argocd.argoproj.io/managed-by: mypattern-example +spec: +--- +# Source: clustergroup/templates/core/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: exclude-targetns + labels: + argocd.argoproj.io/managed-by: mypattern-example +spec: +--- +# Source: clustergroup/templates/core/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + labels: + argocd.argoproj.io/managed-by: mypattern-example + name: include-ci +spec: +--- +# Source: clustergroup/templates/core/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + labels: + argocd.argoproj.io/managed-by: mypattern-example + name: exclude-og +spec: +--- +# Source: clustergroup/templates/core/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: totally-exclude-og labels: argocd.argoproj.io/managed-by: mypattern-example - name: application-ci spec: --- # Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: + name: include-default-og labels: argocd.argoproj.io/managed-by: mypattern-example - name: excludes-ci spec: --- # Source: clustergroup/templates/imperative/namespace.yaml @@ -87,12 +123,15 @@ data: namespace: application-ci path: charts/datacenter/pipelines project: datacenter + argoCD: + configManagementPlugins: [] + initContainers: [] imperative: activeDeadlineSeconds: 3600 clusterRoleName: imperative-cluster-role clusterRoleYaml: "" cronJobName: imperative-cronjob - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always insecureUnsealVaultInsideClusterSchedule: '*/5 * * * *' jobName: imperative-job 
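Review bot: The rendered Namespace documents order `name` and `labels` differently (name first for application-ci, exclude-targetns, totally-exclude-og and include-default-og, labels first for include-ci and exclude-og), which suggests two code paths in core/namespaces.yaml; emitting the keys in one order keeps this fixture's diffs stable. Each document also renders an empty `spec:`, which parses as null; dropping the key or emitting `spec: {}` is cleaner.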
@@ -171,10 +210,22 @@ data: labels: kubernetes.io/os: linux openshift.io/node-selector: "" - - application-ci - - excludes-ci + - application-ci: + operatorGroup: true + targetNamespaces: + - application-ci + - other-namespace + - exclude-targetns: + operatorGroup: true + targetNamespaces: null + - include-ci + - exclude-og + - totally-exclude-og: + operatorGroup: false + - include-default-og: + operatorGroup: true operatorgroupExcludes: - - excludes-ci + - exclude-og projects: - datacenter sharedValueFiles: @@ -366,7 +417,7 @@ spec: # git init happens in /git/repo so that we can set the folder to 0770 permissions # reason for that is ansible refuses to create temporary folders in there - name: git-init - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
@@ -374,12 +425,33 @@ spec: command: - 'sh' - '-c' - - "mkdir /git/{repo,home};git clone --single-branch --branch main --depth 1 -- https://github.com/pattern-clone/mypattern /git/repo;chmod 0770 /git/{repo,home}" + - >- + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then + URL="https://github.com/pattern-clone/mypattern"; + else + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then + U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; + P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; + URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); + echo "USER/PASS: ${URL}"; + else + S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; + mkdir -p --mode 0700 "${HOME}/.ssh"; + echo "${S}" > "${HOME}/.ssh/id_rsa"; + chmod 0600 "${HOME}/.ssh/id_rsa"; + URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); + git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; + echo "SSH: ${URL}"; + fi; + fi; + mkdir /git/{repo,home}; + git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + chmod 0770 /git/{repo,home}; volumeMounts: - name: git mountPath: "/git" - name: test - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
@@ -402,7 +474,7 @@ spec: subPath: values.yaml containers: - name: "done" - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always command: - 'sh' @@ -440,7 +512,7 @@ spec: # git init happens in /git/repo so that we can set the folder to 0770 permissions # reason for that is ansible refuses to create temporary folders in there - name: git-init - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
@@ -448,12 +520,33 @@ spec: command: - 'sh' - '-c' - - "mkdir /git/{repo,home};git clone --single-branch --branch main --depth 1 -- https://github.com/pattern-clone/mypattern /git/repo;chmod 0770 /git/{repo,home}" + - >- + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then + URL="https://github.com/pattern-clone/mypattern"; + else + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then + U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; + P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; + URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); + echo "USER/PASS: ${URL}"; + else + S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; + mkdir -p --mode 0700 "${HOME}/.ssh"; + echo "${S}" > "${HOME}/.ssh/id_rsa"; + chmod 0600 "${HOME}/.ssh/id_rsa"; + URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); + git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; + echo "SSH: ${URL}"; + fi; + fi; + mkdir /git/{repo,home}; + git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + chmod 0770 /git/{repo,home}; volumeMounts: - name: git mountPath: "/git" - name: unseal-playbook - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always env: - name: HOME 
@@ -478,7 +571,7 @@ spec: subPath: values.yaml containers: - name: "done" - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest + image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always command: - 'sh' @@ -588,6 +681,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: ignoreDifferences: [ { "group": "internal.open-cluster-management.io", @@ -652,6 +747,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: apps.region.example.com + - name: global.privateRepo + value: syncPolicy: automated: {} retry: 
@@ -934,36 +1031,6 @@ spec: return hs applicationInstanceLabelKey: argocd.argoproj.io/instance - # Not the greatest way to pass git/quay info to sub-applications, but it will do until - # we can support helmChart with kustomize - # The other option is to pass them in as environment variables eg. BLUEPRINT_VERSION - configManagementPlugins: | - - name: kustomize-version - generate: - command: ["sh", "-c"] - args: ["kustomize version 1>&2 && exit 1"] - - name: kustomize-with-helm - generate: - command: ["kustomize"] - args: ["build", "--enable-helm"] - - name: helm-with-kustomize - init: - command: ["/bin/sh", "-c"] - args: ["helm dependency build"] - generate: - command: ["/bin/bash", "-c"] - args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} - -f $(git rev-parse --show-toplevel)/values-global.yaml - -f $(git rev-parse --show-toplevel)/values-example.yaml - --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL - --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION - --set global.namespace=$ARGOCD_APP_NAMESPACE - --set global.pattern=mypattern - --set global.clusterDomain=region.example.com - --set global.hubClusterDomain=apps.hub.example.com - --set global.localClusterDomain=apps.region.example.com - --set clusterGroup.name=example - --post-renderer ./kustomize"] applicationSet: resources: limits: 
@@ -1053,21 +1120,42 @@ spec:
 apiVersion: operators.coreos.com/v1
 kind: OperatorGroup
 metadata:
- name: open-cluster-management-operator-group
- namespace: open-cluster-management
+ name: application-ci-operator-group
+ namespace: application-ci
 spec:
 targetNamespaces:
- - open-cluster-management
+ - application-ci
+ - other-namespace
 ---
 # Source: clustergroup/templates/core/operatorgroup.yaml
 apiVersion: operators.coreos.com/v1
 kind: OperatorGroup
 metadata:
- name: application-ci-operator-group
- namespace: application-ci
+ name: exclude-targetns-operator-group
+ namespace: exclude-targetns
 spec:
 targetNamespaces:
- - application-ci
+---
+# Source: clustergroup/templates/core/operatorgroup.yaml
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+ name: include-ci-operator-group
+ namespace: include-ci
+spec:
+ targetNamespaces:
+ - include-ci
+---
+# Source: clustergroup/templates/core/operatorgroup.yaml
+---
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+ name: include-default-og-operator-group
+ namespace: include-default-og
+spec:
+ targetNamespaces:
+ - include-default-og
 ---
 # Source: clustergroup/templates/core/subscriptions.yaml
 apiVersion: operators.coreos.com/v1alpha1
diff --git a/tests/common-golang-external-secrets-industrial-edge-factory.expected.yaml b/tests/common-golang-external-secrets-industrial-edge-factory.expected.yaml
index 1f2e2925..012d8fa0 100644
--- a/tests/common-golang-external-secrets-industrial-edge-factory.expected.yaml
+++ b/tests/common-golang-external-secrets-industrial-edge-factory.expected.yaml
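Review bot: The rendered `exclude-targetns-operator-group` document ends with a bare `targetNamespaces:` (a YAML null) and carries no selector; OLM treats an OperatorGroup that names no target namespaces as selecting all namespaces, so this expectation encodes a cluster-wide install scope for that case — confirm that is what the `exclude-targetns` fixture intends, and if it is, the template would be clearer omitting the key than emitting a null. The `include-default-og` document is also preceded by a `+---` immediately after the `# Source:` comment, which produces an extra empty YAML document; that is most likely harmless to Helm and Argo CD, but it suggests the template emits its own leading `---` on top of Helm's separator. This is rendered test output, so both points apply to `clustergroup/templates/core/operatorgroup.yaml` rather than to this file.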
@@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- 
@@ -278,16 +278,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -306,7 +318,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." properties: apiVersion: default: generators.external-secrets.io/v1alpha1 @@ -350,16 +362,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported 
@@ -376,10 +400,18 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string name: description: Finds secrets based on the name. @@ -414,6 +446,15 @@ spec: - source - target type: object + transform: + description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + properties: + template: + description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + type: string + required: + - template + type: object type: object type: array sourceRef: @@ -421,7 +462,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: GeneratorRef points to a generator custom resource. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 @@ -506,9 +547,16 @@ spec: type: object engineVersion: default: v2 + description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string mergePolicy: default: Replace + enum: + - Replace + - Merge type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -534,6 +582,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -556,6 +607,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -569,6 +623,10 @@ spec: type: object target: default: Data + enum: + - Data + - Annotations + - Labels type: string type: object type: array 
@@ -608,12 +666,16 @@ spec: type: object type: object x-kubernetes-map-type: atomic + namespaces: + description: Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing. + items: + type: string + type: array refreshTime: - description: The time in which the controller should reconcile it's objects and recheck namespaces for labels. + description: The time in which the controller should reconcile its objects and recheck namespaces for labels. type: string required: - externalSecretSpec - - namespaceSelector type: object status: description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret. @@ -1325,7 +1387,7 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -1371,9 +1433,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -2080,7 +2173,7 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role + description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role items: type: string type: array 
@@ -2159,8 +2252,19 @@ spec: description: AWS Region to be used for the provider type: string role: - description: Role is a Role ARN which the SecretManager provider will assume + description: Role is a Role ARN which the provider will assume type: string + secretsManager: + description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager + properties: + forceDeleteWithoutRecovery: + description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + type: boolean + recoveryWindowInDays: + description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + format: int64 + type: integer + type: object service: description: Service defines which service should be used to fetch the secrets enum: @@ -2181,7 +2285,7 @@ spec: type: object type: array transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with SecretStore + description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider items: type: string type: array 
@@ -2308,11 +2412,72 @@ spec: - apiKeyRef - userRef type: object - required: - - apikey + jwt: + properties: + account: + type: string + secretRef: + description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + serviceAccountRef: + description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + serviceID: + description: The conjur authn jwt webservice id + type: string + required: + - account + - serviceID + type: object type: object caBundle: type: string + caProvider: + description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. 
+ properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object url: type: string required: @@ -2444,6 +2609,7 @@ spec: valueMap: additionalProperties: type: string + description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' type: object version: type: string 
@@ -2828,9 +2994,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -3734,6 +3931,9 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string key: description: Key is the key used in the Provider, mandatory @@ -3762,6 +3962,9 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string key: description: Key is the key used in the Provider, mandatory 
@@ -3798,6 +4001,10 @@ spec: creationPolicy: default: Owner description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + enum: + - Owner + - Merge + - None type: string immutable: description: Immutable defines if the final secret will be immutable @@ -3815,6 +4022,9 @@ spec: engineVersion: default: v1 description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -3960,16 +4170,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -3988,7 +4210,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -4032,16 +4254,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -4058,10 +4292,18 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string name: description: Finds secrets based on the name. @@ -4096,6 +4338,15 @@ spec: - source - target type: object + transform: + description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + properties: + template: + description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + type: string + required: + - template + type: object type: object type: array sourceRef: @@ -4103,7 +4354,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: GeneratorRef points to a generator custom resource. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -4188,9 +4439,16 @@ spec: type: object engineVersion: default: v2 + description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string mergePolicy: default: Replace + enum: + - Replace + - Merge type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -4216,6 +4474,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -4238,6 +4499,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -4251,6 +4515,10 @@ spec: type: object target: default: Data + enum: + - Data + - Annotations + - Labels type: string type: object type: array @@ -4624,7 +4892,6 @@ spec: type: string required: - remoteRef - - secretKey type: object metadata: description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. @@ -4636,6 +4903,9 @@ spec: deletionPolicy: default: None description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".' + enum: + - Delete + - None type: string refreshInterval: description: The Interval to which External Secrets will try to push a secret definition @@ -4755,7 +5025,6 @@ spec: type: string required: - remoteRef - - secretKey type: object metadata: description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. 
@@ -5439,7 +5708,7 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -5485,9 +5754,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -6194,7 +6494,7 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role + description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role items: type: string type: array 
@@ -6273,8 +6573,19 @@ spec: description: AWS Region to be used for the provider type: string role: - description: Role is a Role ARN which the SecretManager provider will assume + description: Role is a Role ARN which the provider will assume type: string + secretsManager: + description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager + properties: + forceDeleteWithoutRecovery: + description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + type: boolean + recoveryWindowInDays: + description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + format: int64 + type: integer + type: object service: description: Service defines which service should be used to fetch the secrets enum: @@ -6295,7 +6606,7 @@ spec: type: object type: array transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with SecretStore + description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider items: type: string type: array 
@@ -6422,11 +6733,72 @@ spec: - apiKeyRef - userRef type: object - required: - - apikey + jwt: + properties: + account: + type: string + secretRef: + description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + serviceAccountRef: + description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + serviceID: + description: The conjur authn jwt webservice id + type: string + required: + - account + - serviceID + type: object type: object caBundle: type: string + caProvider: + description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. 
+ properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object url: type: string required: @@ -6558,6 +6930,7 @@ spec: valueMap: additionalProperties: type: string + description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' type: object version: type: string 
@@ -6942,9 +7315,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -8097,6 +8501,9 @@ spec: resultType: default: Data description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + enum: + - Data + - Auth type: string required: - path 
@@ -8124,10 +8531,10 @@ kind: ClusterRole
 metadata:
 name: common-golang-external-secrets-cert-controller
 labels:
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.10
 app.kubernetes.io/name: external-secrets-cert-controller
 app.kubernetes.io/instance: common-golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.10"
 app.kubernetes.io/managed-by: Helm
 rules:
 - apiGroups:
@@ -8191,10 +8598,10 @@ kind: ClusterRole
 metadata:
 name: common-golang-external-secrets-controller
 labels:
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.10
 app.kubernetes.io/name: external-secrets
 app.kubernetes.io/instance: common-golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.10"
 app.kubernetes.io/managed-by: Helm
 rules:
 - apiGroups:
@@ -8300,10 +8707,10 @@ kind: ClusterRole
 metadata:
 name: common-golang-external-secrets-view
 labels:
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.10
 app.kubernetes.io/name: external-secrets
 app.kubernetes.io/instance: common-golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.10"
 app.kubernetes.io/managed-by: Helm
 rbac.authorization.k8s.io/aggregate-to-view: "true"
 rbac.authorization.k8s.io/aggregate-to-edit: "true"
@@ -8340,10 +8747,10 @@ kind: ClusterRole
 metadata:
 name: common-golang-external-secrets-edit
 labels:
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.10
 app.kubernetes.io/name: external-secrets
 app.kubernetes.io/instance: common-golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.10"
 app.kubernetes.io/managed-by: Helm
 rbac.authorization.k8s.io/aggregate-to-edit: "true"
 rbac.authorization.k8s.io/aggregate-to-admin: "true"
@@ -8384,10 +8791,10 @@ metadata:
 name: common-golang-external-secrets-servicebindings
 labels:
 servicebinding.io/controller: "true"
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.10
 app.kubernetes.io/name: external-secrets
 app.kubernetes.io/instance: common-golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.10"
 app.kubernetes.io/managed-by: Helm
 rules:
 - apiGroups:
@@ -8405,10 +8812,10 @@ kind: ClusterRoleBinding
 metadata:
 name: common-golang-external-secrets-cert-controller
 labels:
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.10
 app.kubernetes.io/name: external-secrets-cert-controller
 app.kubernetes.io/instance: common-golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.10"
 app.kubernetes.io/managed-by: Helm
 roleRef:
 apiGroup: rbac.authorization.k8s.io
@@ -8425,10 +8832,10 @@ kind: ClusterRoleBinding
 metadata:
 name: common-golang-external-secrets-controller
 labels:
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.10
 app.kubernetes.io/name: external-secrets
 app.kubernetes.io/instance: common-golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.10"
 app.kubernetes.io/managed-by: Helm
 roleRef:
 apiGroup: rbac.authorization.k8s.io
@@ -8461,10 +8868,10 @@ metadata:
 name: common-golang-external-secrets-leaderelection
 namespace: "default"
 labels:
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.10
 app.kubernetes.io/name: external-secrets
 app.kubernetes.io/instance: common-golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.10"
 app.kubernetes.io/managed-by: Helm
 rules:
 - apiGroups:
@@ -8500,10 +8907,10 @@ metadata:
 name: common-golang-external-secrets-leaderelection
 namespace: "default"
 labels:
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.10
 app.kubernetes.io/name: external-secrets
 app.kubernetes.io/instance: common-golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.10"
 app.kubernetes.io/managed-by: Helm
 roleRef:
 apiGroup: rbac.authorization.k8s.io
@@ -8521,10 +8928,10 @@ metadata:
 name: common-golang-external-secrets-webhook
 namespace: "default"
 labels:
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.10
 app.kubernetes.io/name: external-secrets-webhook
 app.kubernetes.io/instance: common-golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.10"
 app.kubernetes.io/managed-by: Helm
 external-secrets.io/component: webhook
 spec:
@@ -8545,10 +8952,10 @@ metadata:
 name: common-golang-external-secrets-cert-controller
 namespace: "default"
 labels:
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.10
 app.kubernetes.io/name: external-secrets-cert-controller
 app.kubernetes.io/instance: common-golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.10"
 app.kubernetes.io/managed-by: Helm
 spec:
 replicas: 1
@@ -8560,10 +8967,10 @@ spec:
 template:
 metadata:
 labels:
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.10
 app.kubernetes.io/name: external-secrets-cert-controller
 app.kubernetes.io/instance: common-golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.10"
 app.kubernetes.io/managed-by: Helm
 spec:
 serviceAccountName: external-secrets-cert-controller
@@ -8578,7 +8985,7 @@ spec:
 - ALL
 readOnlyRootFilesystem: true
 runAsNonRoot: true
- image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi"
+ image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi"
 imagePullPolicy: IfNotPresent
 args:
 - certcontroller
@@ -8608,10 +9015,10 @@ metadata:
 name: common-golang-external-secrets
 namespace: "default"
 labels:
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.10
 app.kubernetes.io/name: external-secrets
 app.kubernetes.io/instance: common-golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.10"
 app.kubernetes.io/managed-by: Helm
 spec:
 replicas: 1
@@ -8623,10 +9030,10 @@ spec:
 template:
 metadata:
 labels:
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.10
 app.kubernetes.io/name: external-secrets
 app.kubernetes.io/instance: common-golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.10"
 app.kubernetes.io/managed-by: Helm
 spec:
 serviceAccountName: common-golang-external-secrets
@@ -8641,10 +9048,11 @@ spec:
 - ALL
 readOnlyRootFilesystem: true
 runAsNonRoot: true
- image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi"
+ image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi"
 imagePullPolicy: IfNotPresent
 args:
 - --concurrent=1
+ - --metrics-addr=:8080
 ports:
 - containerPort: 8080
 protocol: TCP
@@ -8657,10 +9065,10 @@ metadata:
 name: common-golang-external-secrets-webhook
 namespace: "default"
 labels:
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.10
 app.kubernetes.io/name: external-secrets-webhook
 app.kubernetes.io/instance: common-golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.10"
 app.kubernetes.io/managed-by: Helm
 spec:
 replicas: 1
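Review bot: In the `@@ -8641,10 +9048,11 @@` hunk the controller now gets an explicit `--metrics-addr=:8080`, which binds the metrics listener on every pod interface, and the context lines show `containerPort: 8080` is already exposed. This file is rendered `helm template` output, so nothing in it shows whether a Service, ServiceMonitor or NetworkPolicy limits who can reach that port; if the upstream chart default was already `:8080` this is functionally a no-op, but the page does not show that. Worth confirming at the chart values level that the metrics exposure is intended for the pattern rather than inherited silently from the chart bump, and recording the decision with a short comment next to the relevant value, e.g. `# metrics on :8080 are scraped in-cluster only; see NetworkPolicy <placeholder>`.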
@@ -8672,10 +9080,10 @@ spec:
 template:
 metadata:
 labels:
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.10
 app.kubernetes.io/name: external-secrets-webhook
 app.kubernetes.io/instance: common-golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.10"
 app.kubernetes.io/managed-by: Helm
 spec:
 hostNetwork: false
@@ -8690,7 +9098,7 @@ spec:
 - ALL
 readOnlyRootFilesystem: true
 runAsNonRoot: true
- image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi"
+ image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi"
 imagePullPolicy: IfNotPresent
 args:
 - webhook
diff --git a/tests/common-golang-external-secrets-industrial-edge-hub.expected.yaml b/tests/common-golang-external-secrets-industrial-edge-hub.expected.yaml
index 7b2b7171..cb2ea2c2 100644
--- a/tests/common-golang-external-secrets-industrial-edge-hub.expected.yaml
+++ b/tests/common-golang-external-secrets-industrial-edge-hub.expected.yaml
@@ -6,10 +6,10 @@ metadata:
 name: external-secrets-cert-controller
 namespace: "default"
 labels:
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.10
 app.kubernetes.io/name: external-secrets-cert-controller
 app.kubernetes.io/instance: common-golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.10"
 app.kubernetes.io/managed-by: Helm
 ---
 # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml
@@ -19,10 +19,10 @@ metadata:
 name: common-golang-external-secrets
 namespace: "default"
 labels:
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.10
 app.kubernetes.io/name: external-secrets
 app.kubernetes.io/instance: common-golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.10"
 app.kubernetes.io/managed-by: Helm
 ---
 # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml
@@ -32,10 +32,10 @@ metadata:
 name: external-secrets-webhook
 namespace: "default"
 labels:
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.10
 app.kubernetes.io/name: external-secrets-webhook
 app.kubernetes.io/instance: common-golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.10"
 app.kubernetes.io/managed-by: Helm
 ---
 # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml
@@ -45,10 +45,10 @@ metadata:
 name: common-golang-external-secrets-webhook
 namespace: "default"
 labels:
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.10
 app.kubernetes.io/name: external-secrets-webhook
 app.kubernetes.io/instance: common-golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.10"
 app.kubernetes.io/managed-by: Helm
 external-secrets.io/component: webhook
 ---
@@ -278,16 +278,28 @@ spec:
 conversionStrategy:
 default: Default
 description: Used to define a conversion Strategy
+ enum:
+ - Default
+ - Unicode
 type: string
 decodingStrategy:
 default: None
 description: Used to define a decoding Strategy
+ enum:
+ - Auto
+ - Base64
+ - Base64URL
+ - None
 type: string
 key:
 description: Key is the key used in the Provider, mandatory
 type: string
 metadataPolicy:
+ default: None
 description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
+ enum:
+ - None
+ - Fetch
 type: string
 property:
 description: Used to select a specific property of the Provider value (if a map), if supported
@@ -306,7 +318,7 @@ spec:
 maxProperties: 1
 properties:
 generatorRef:
- description: GeneratorRef points to a generator custom resource in
+ description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1."
 properties:
 apiVersion:
 default: generators.external-secrets.io/v1alpha1
@@ -350,16 +362,28 @@ spec:
 conversionStrategy:
 default: Default
 description: Used to define a conversion Strategy
+ enum:
+ - Default
+ - Unicode
 type: string
 decodingStrategy:
 default: None
 description: Used to define a decoding Strategy
+ enum:
+ - Auto
+ - Base64
+ - Base64URL
+ - None
 type: string
 key:
 description: Key is the key used in the Provider, mandatory
 type: string
 metadataPolicy:
+ default: None
 description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
+ enum:
+ - None
+ - Fetch
 type: string
 property:
 description: Used to select a specific property of the Provider value (if a map), if supported
@@ -376,10 +400,18 @@ spec:
 conversionStrategy:
 default: Default
 description: Used to define a conversion Strategy
+ enum:
+ - Default
+ - Unicode
 type: string
 decodingStrategy:
 default: None
 description: Used to define a decoding Strategy
+ enum:
+ - Auto
+ - Base64
+ - Base64URL
+ - None
 type: string
 name:
 description: Finds secrets based on the name.
@@ -414,6 +446,15 @@ spec:
 - source
 - target
 type: object
+ transform:
+ description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation.
+ properties:
+ template:
+ description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template.
+ type: string
+ required:
+ - template
+ type: object
 type: object
 type: array
 sourceRef:
@@ -421,7 +462,7 @@ spec:
 maxProperties: 1
 properties:
 generatorRef:
- description: GeneratorRef points to a generator custom resource in
+ description: GeneratorRef points to a generator custom resource.
 properties:
 apiVersion:
 default: generators.external-secrets.io/v1alpha1
@@ -506,9 +547,16 @@ spec:
 type: object
 engineVersion:
 default: v2
+ description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[].
+ enum:
+ - v1
+ - v2
 type: string
 mergePolicy:
 default: Replace
+ enum:
+ - Replace
+ - Merge
 type: string
 metadata:
 description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
@@ -534,6 +582,9 @@ spec:
 type: string
 templateAs:
 default: Values
+ enum:
+ - Values
+ - KeysAndValues
 type: string
 required:
 - key
@@ -556,6 +607,9 @@ spec:
 type: string
 templateAs:
 default: Values
+ enum:
+ - Values
+ - KeysAndValues
 type: string
 required:
 - key
@@ -569,6 +623,10 @@ spec:
 type: object
 target:
 default: Data
+ enum:
+ - Data
+ - Annotations
+ - Labels
 type: string
 type: object
 type: array
@@ -608,12 +666,16 @@ spec:
 type: object
 type: object
 x-kubernetes-map-type: atomic
+ namespaces:
+ description: Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing.
+ items:
+ type: string
+ type: array
 refreshTime:
- description: The time in which the controller should reconcile it's objects and recheck namespaces for labels.
+ description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
 type: string
 required:
 - externalSecretSpec
- - namespaceSelector
 type: object
 status:
 description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
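Review bot: In the `@@ -608,12 +666,16 @@` hunk `namespaceSelector` is dropped from `required` while the new `namespaces` list is optional as well, so a ClusterExternalSecret that sets neither is now schema-valid, and the schema text does not say whether that targets no namespace or every namespace; for a cluster-scoped object that fans secrets out, that difference is the whole blast radius. The CRD this belongs to starts well before the hunk and is upstream-rendered output, so the fix is not in this file; the practical check is that every ClusterExternalSecret authored in the pattern sets at least one of the two explicitly, and an admission rule requiring that would make the old required-field error reappear. A one-line note where those manifests live, e.g. `# always set namespaces or namespaceSelector: the CRD no longer requires either`, would stop authors relying on the previous validation.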
@@ -1325,7 +1387,7 @@ spec:
 description: Oracle configures this store to sync secrets using Oracle Vault provider
 properties:
 auth:
- description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
+ description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal.
 properties:
 secretRef:
 description: SecretRef to pass through sensitive information.
@@ -1371,9 +1433,40 @@ spec:
 - tenancy
 - user
 type: object
+ compartment:
+ description: Compartment is the vault compartment OCID. Required for PushSecret
+ type: string
+ encryptionKey:
+ description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret
+ type: string
+ principalType:
+ description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity.
+ enum:
+ - ""
+ - UserPrincipal
+ - InstancePrincipal
+ - Workload
+ type: string
 region:
 description: Region is the region where vault is located.
 type: string
+ serviceAccountRef:
+ description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
+ properties:
+ audiences:
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
 vault:
 description: Vault is the vault's OCID of the specific vault where secret is located.
 type: string
@@ -2080,7 +2173,7 @@ spec:
 description: AWS configures this store to sync secrets using AWS Secret Manager provider
 properties:
 additionalRoles:
- description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role
+ description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
 items:
 type: string
 type: array
@@ -2159,8 +2252,19 @@ spec:
 description: AWS Region to be used for the provider
 type: string
 role:
- description: Role is a Role ARN which the SecretManager provider will assume
+ description: Role is a Role ARN which the provider will assume
 type: string
+ secretsManager:
+ description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
+ properties:
+ forceDeleteWithoutRecovery:
+ description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery'
+ type: boolean
+ recoveryWindowInDays:
+ description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays'
+ format: int64
+ type: integer
+ type: object
 service:
 description: Service defines which service should be used to fetch the secrets
 enum:
@@ -2181,7 +2285,7 @@ spec:
 type: object
 type: array
 transitiveTagKeys:
- description: AWS STS assume role transitive session tags. Required when multiple rules are used with SecretStore
+ description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
 items:
 type: string
 type: array
@@ -2308,11 +2412,72 @@ spec:
 - apiKeyRef
 - userRef
 type: object
- required:
- - apikey
+ jwt:
+ properties:
+ account:
+ type: string
+ secretRef:
+ description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ serviceAccountRef:
+ description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
+ properties:
+ audiences:
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ serviceID:
+ description: The conjur authn jwt webservice id
+ type: string
+ required:
+ - account
+ - serviceID
+ type: object
 type: object
 caBundle:
 type: string
+ caProvider:
+ description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate.
+ properties:
+ key:
+ description: The key where the CA certificate can be found in the Secret or ConfigMap.
+ type: string
+ name:
+ description: The name of the object located at the provider type.
+ type: string
+ namespace:
+ description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
+ type: string
+ type:
+ description: The type of provider to use such as "Secret", or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
 url:
 type: string
 required:
@@ -2444,6 +2609,7 @@ spec:
 valueMap:
 additionalProperties:
 type: string
+ description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.'
 type: object
 version:
 type: string
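Review bot: The `@@ -2308,11 +2412,72 @@` hunk removes `required: - apikey` from the Conjur `auth` object so that the new `jwt` block can be used instead, but nothing in the new schema requires at least one of `apikey`/`jwt` or forbids setting both, so an empty `auth: {}` SecretStore now passes admission and can only fail later in the controller (whether it validates that is not visible here). Upstream could express the constraint with a `oneOf` or an `x-kubernetes-validations` rule; in this repo, which only renders the chart, it is a caveat for anyone authoring Conjur SecretStore manifests. Note also that the new `caProvider.namespace` description says it "Can only be defined when used in a ClusterSecretStore", which again is prose rather than a schema rule. The same hunk text recurs at `@@ -6422,11 +6733,72 @@`.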
@@ -2828,9 +2994,40 @@ spec:
 - tenancy
 - user
 type: object
+ compartment:
+ description: Compartment is the vault compartment OCID. Required for PushSecret
+ type: string
+ encryptionKey:
+ description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret
+ type: string
+ principalType:
+ description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity.
+ enum:
+ - ""
+ - UserPrincipal
+ - InstancePrincipal
+ - Workload
+ type: string
 region:
 description: Region is the region where vault is located.
 type: string
+ serviceAccountRef:
+ description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
+ properties:
+ audiences:
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
 vault:
 description: Vault is the vault's OCID of the specific vault where secret is located.
 type: string
@@ -3734,6 +3931,9 @@ spec:
 conversionStrategy:
 default: Default
 description: Used to define a conversion Strategy
+ enum:
+ - Default
+ - Unicode
 type: string
 key:
 description: Key is the key used in the Provider, mandatory
@@ -3762,6 +3962,9 @@ spec:
 conversionStrategy:
 default: Default
 description: Used to define a conversion Strategy
+ enum:
+ - Default
+ - Unicode
 type: string
 key:
 description: Key is the key used in the Provider, mandatory
@@ -3798,6 +4001,10 @@ spec:
 creationPolicy:
 default: Owner
 description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner'
+ enum:
+ - Owner
+ - Merge
+ - None
 type: string
 immutable:
 description: Immutable defines if the final secret will be immutable
@@ -3815,6 +4022,9 @@ spec:
 engineVersion:
 default: v1
 description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[].
+ enum:
+ - v1
+ - v2
 type: string
 metadata:
 description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
@@ -3960,16 +4170,28 @@ spec:
 conversionStrategy:
 default: Default
 description: Used to define a conversion Strategy
+ enum:
+ - Default
+ - Unicode
 type: string
 decodingStrategy:
 default: None
 description: Used to define a decoding Strategy
+ enum:
+ - Auto
+ - Base64
+ - Base64URL
+ - None
 type: string
 key:
 description: Key is the key used in the Provider, mandatory
 type: string
 metadataPolicy:
+ default: None
 description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
+ enum:
+ - None
+ - Fetch
 type: string
 property:
 description: Used to select a specific property of the Provider value (if a map), if supported
@@ -3988,7 +4210,7 @@ spec:
 maxProperties: 1
 properties:
 generatorRef:
- description: GeneratorRef points to a generator custom resource in
+ description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1."
 properties:
 apiVersion:
 default: generators.external-secrets.io/v1alpha1
@@ -4032,16 +4254,28 @@ spec:
 conversionStrategy:
 default: Default
 description: Used to define a conversion Strategy
+ enum:
+ - Default
+ - Unicode
 type: string
 decodingStrategy:
 default: None
 description: Used to define a decoding Strategy
+ enum:
+ - Auto
+ - Base64
+ - Base64URL
+ - None
 type: string
 key:
 description: Key is the key used in the Provider, mandatory
 type: string
 metadataPolicy:
+ default: None
 description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
+ enum:
+ - None
+ - Fetch
 type: string
 property:
 description: Used to select a specific property of the Provider value (if a map), if supported
@@ -4058,10 +4292,18 @@ spec:
 conversionStrategy:
 default: Default
 description: Used to define a conversion Strategy
+ enum:
+ - Default
+ - Unicode
 type: string
 decodingStrategy:
 default: None
 description: Used to define a decoding Strategy
+ enum:
+ - Auto
+ - Base64
+ - Base64URL
+ - None
 type: string
 name:
 description: Finds secrets based on the name.
@@ -4096,6 +4338,15 @@ spec:
 - source
 - target
 type: object
+ transform:
+ description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation.
+ properties:
+ template:
+ description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template.
+ type: string
+ required:
+ - template
+ type: object
 type: object
 type: array
 sourceRef:
@@ -4103,7 +4354,7 @@ spec:
 maxProperties: 1
 properties:
 generatorRef:
- description: GeneratorRef points to a generator custom resource in
+ description: GeneratorRef points to a generator custom resource.
 properties:
 apiVersion:
 default: generators.external-secrets.io/v1alpha1
@@ -4188,9 +4439,16 @@ spec:
 type: object
 engineVersion:
 default: v2
+ description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[].
+ enum:
+ - v1
+ - v2
 type: string
 mergePolicy:
 default: Replace
+ enum:
+ - Replace
+ - Merge
 type: string
 metadata:
 description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
@@ -4216,6 +4474,9 @@ spec:
 type: string
 templateAs:
 default: Values
+ enum:
+ - Values
+ - KeysAndValues
 type: string
 required:
 - key
@@ -4238,6 +4499,9 @@ spec:
 type: string
 templateAs:
 default: Values
+ enum:
+ - Values
+ - KeysAndValues
 type: string
 required:
 - key
@@ -4251,6 +4515,10 @@ spec:
 type: object
 target:
 default: Data
+ enum:
+ - Data
+ - Annotations
+ - Labels
 type: string
 type: object
 type: array
@@ -4624,7 +4892,6 @@ spec:
 type: string
 required:
 - remoteRef
- - secretKey
 type: object
 metadata:
 description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation.
@@ -4636,6 +4903,9 @@ spec:
 deletionPolicy:
 default: None
 description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".'
+ enum:
+ - Delete
+ - None
 type: string
 refreshInterval:
 description: The Interval to which External Secrets will try to push a secret definition
@@ -4755,7 +5025,6 @@ spec:
 type: string
 required:
 - remoteRef
- - secretKey
 type: object
 metadata:
 description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation.
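Review bot: The `@@ -4624,7 +4892,6 @@` and `@@ -4755,7 +5025,6 @@` hunks drop `secretKey` from the required keys of a PushSecret data entry, so an entry carrying only `remoteRef` is now accepted by the API server; the schema text does not say what gets pushed in that case (presumably more than a single key, but that is upstream controller behaviour not visible on this page). For a resource whose purpose is writing secret material into an external provider, that silent widening deserves a line in the pattern's PushSecret guidance, e.g. `# secretKey is no longer schema-required: omitting it changes what is pushed, set it explicitly`, so authors do not rely on the old required-field rejection to catch a missing key. The surrounding PushSecret CRD starts and ends outside these hunks, and this is rendered output, so there is nothing to change in the file itself.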
@@ -5439,7 +5708,7 @@ spec:
 description: Oracle configures this store to sync secrets using Oracle Vault provider
 properties:
 auth:
- description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
+ description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal.
 properties:
 secretRef:
 description: SecretRef to pass through sensitive information.
@@ -5485,9 +5754,40 @@ spec:
 - tenancy
 - user
 type: object
+ compartment:
+ description: Compartment is the vault compartment OCID. Required for PushSecret
+ type: string
+ encryptionKey:
+ description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret
+ type: string
+ principalType:
+ description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity.
+ enum:
+ - ""
+ - UserPrincipal
+ - InstancePrincipal
+ - Workload
+ type: string
 region:
 description: Region is the region where vault is located.
 type: string
+ serviceAccountRef:
+ description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
+ properties:
+ audiences:
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
 vault:
 description: Vault is the vault's OCID of the specific vault where secret is located.
 type: string
@@ -6194,7 +6494,7 @@ spec:
 description: AWS configures this store to sync secrets using AWS Secret Manager provider
 properties:
 additionalRoles:
- description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role
+ description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
 items:
 type: string
 type: array
@@ -6273,8 +6573,19 @@ spec:
 description: AWS Region to be used for the provider
 type: string
 role:
- description: Role is a Role ARN which the SecretManager provider will assume
+ description: Role is a Role ARN which the provider will assume
 type: string
+ secretsManager:
+ description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
+ properties:
+ forceDeleteWithoutRecovery:
+ description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery'
+ type: boolean
+ recoveryWindowInDays:
+ description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays'
+ format: int64
+ type: integer
+ type: object
 service:
 description: Service defines which service should be used to fetch the secrets
 enum:
@@ -6295,7 +6606,7 @@ spec:
 type: object
 type: array
 transitiveTagKeys:
- description: AWS STS assume role transitive session tags. Required when multiple rules are used with SecretStore
+ description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
 items:
 type: string
 type: array
@@ -6422,11 +6733,72 @@ spec: - apiKeyRef - userRef type: object - required: - - apikey + jwt: + properties: + account: + type: string + secretRef: + description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + serviceAccountRef: + description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + serviceID: + description: The conjur authn jwt webservice id + type: string + required: + - account + - serviceID + type: object type: object caBundle: type: string + caProvider: + description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. 
+ properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object url: type: string required: @@ -6558,6 +6930,7 @@ spec: valueMap: additionalProperties: type: string + description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' type: object version: type: string 
@@ -6942,9 +7315,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -8097,6 +8501,9 @@ spec: resultType: default: Data description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + enum: + - Data + - Auth type: string required: - path 
@@ -8124,10 +8531,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8191,10 +8598,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8300,10 +8707,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -8340,10 +8747,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" 
@@ -8384,10 +8791,10 @@ metadata: name: common-golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8405,10 +8812,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8425,10 +8832,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8461,10 +8868,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -8500,10 +8907,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8521,10 +8928,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -8545,10 +8952,10 @@ metadata: name: common-golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8560,10 +8967,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller 
@@ -8578,7 +8985,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi" imagePullPolicy: IfNotPresent args: - certcontroller @@ -8608,10 +9015,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8623,10 +9030,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: common-golang-external-secrets @@ -8641,10 +9048,11 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 + - --metrics-addr=:8080 ports: - containerPort: 8080 protocol: TCP @@ -8657,10 +9065,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -8672,10 +9080,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false @@ -8690,7 +9098,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi" imagePullPolicy: IfNotPresent args: - webhook diff --git a/tests/common-golang-external-secrets-medical-diagnosis-hub.expected.yaml b/tests/common-golang-external-secrets-medical-diagnosis-hub.expected.yaml index 7b2b7171..cb2ea2c2 100644 --- a/tests/common-golang-external-secrets-medical-diagnosis-hub.expected.yaml +++ b/tests/common-golang-external-secrets-medical-diagnosis-hub.expected.yaml @@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml 
@@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -278,16 +278,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -306,7 +318,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -350,16 +362,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -376,10 +400,18 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string name: description: Finds secrets based on the name. @@ -414,6 +446,15 @@ spec: - source - target type: object + transform: + description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + properties: + template: + description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + type: string + required: + - template + type: object type: object type: array sourceRef: @@ -421,7 +462,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: GeneratorRef points to a generator custom resource. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -506,9 +547,16 @@ spec: type: object engineVersion: default: v2 + description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string mergePolicy: default: Replace + enum: + - Replace + - Merge type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -534,6 +582,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -556,6 +607,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -569,6 +623,10 @@ spec: type: object target: default: Data + enum: + - Data + - Annotations + - Labels type: string type: object type: array @@ -608,12 +666,16 @@ spec: type: object type: object x-kubernetes-map-type: atomic + namespaces: + description: Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing. + items: + type: string + type: array refreshTime: - description: The time in which the controller should reconcile it's objects and recheck namespaces for labels. + description: The time in which the controller should reconcile its objects and recheck namespaces for labels. type: string required: - externalSecretSpec - - namespaceSelector type: object status: description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret. 
@@ -1325,7 +1387,7 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -1371,9 +1433,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -2080,7 +2173,7 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role + description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role items: type: string type: array 
@@ -2159,8 +2252,19 @@ spec: description: AWS Region to be used for the provider type: string role: - description: Role is a Role ARN which the SecretManager provider will assume + description: Role is a Role ARN which the provider will assume type: string + secretsManager: + description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager + properties: + forceDeleteWithoutRecovery: + description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + type: boolean + recoveryWindowInDays: + description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + format: int64 + type: integer + type: object service: description: Service defines which service should be used to fetch the secrets enum: @@ -2181,7 +2285,7 @@ spec: type: object type: array transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with SecretStore + description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider items: type: string type: array 
@@ -2308,11 +2412,72 @@ spec: - apiKeyRef - userRef type: object - required: - - apikey + jwt: + properties: + account: + type: string + secretRef: + description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + serviceAccountRef: + description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + serviceID: + description: The conjur authn jwt webservice id + type: string + required: + - account + - serviceID + type: object type: object caBundle: type: string + caProvider: + description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. 
+ properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object url: type: string required: @@ -2444,6 +2609,7 @@ spec: valueMap: additionalProperties: type: string + description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' type: object version: type: string 
@@ -2828,9 +2994,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -3734,6 +3931,9 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string key: description: Key is the key used in the Provider, mandatory @@ -3762,6 +3962,9 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string key: description: Key is the key used in the Provider, mandatory 
@@ -3798,6 +4001,10 @@ spec: creationPolicy: default: Owner description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + enum: + - Owner + - Merge + - None type: string immutable: description: Immutable defines if the final secret will be immutable @@ -3815,6 +4022,9 @@ spec: engineVersion: default: v1 description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -3960,16 +4170,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -3988,7 +4210,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -4032,16 +4254,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -4058,10 +4292,18 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string name: description: Finds secrets based on the name. @@ -4096,6 +4338,15 @@ spec: - source - target type: object + transform: + description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + properties: + template: + description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + type: string + required: + - template + type: object type: object type: array sourceRef: @@ -4103,7 +4354,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: GeneratorRef points to a generator custom resource. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -4188,9 +4439,16 @@ spec: type: object engineVersion: default: v2 + description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string mergePolicy: default: Replace + enum: + - Replace + - Merge type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -4216,6 +4474,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -4238,6 +4499,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -4251,6 +4515,10 @@ spec: type: object target: default: Data + enum: + - Data + - Annotations + - Labels type: string type: object type: array @@ -4624,7 +4892,6 @@ spec: type: string required: - remoteRef - - secretKey type: object metadata: description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. @@ -4636,6 +4903,9 @@ spec: deletionPolicy: default: None description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".' + enum: + - Delete + - None type: string refreshInterval: description: The Interval to which External Secrets will try to push a secret definition @@ -4755,7 +5025,6 @@ spec: type: string required: - remoteRef - - secretKey type: object metadata: description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. 
@@ -5439,7 +5708,7 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -5485,9 +5754,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -6194,7 +6494,7 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role + description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role items: type: string type: array 
@@ -6273,8 +6573,19 @@ spec: description: AWS Region to be used for the provider type: string role: - description: Role is a Role ARN which the SecretManager provider will assume + description: Role is a Role ARN which the provider will assume type: string + secretsManager: + description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager + properties: + forceDeleteWithoutRecovery: + description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + type: boolean + recoveryWindowInDays: + description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + format: int64 + type: integer + type: object service: description: Service defines which service should be used to fetch the secrets enum: @@ -6295,7 +6606,7 @@ spec: type: object type: array transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with SecretStore + description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider items: type: string type: array 
@@ -6422,11 +6733,72 @@ spec: - apiKeyRef - userRef type: object - required: - - apikey + jwt: + properties: + account: + type: string + secretRef: + description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + serviceAccountRef: + description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + serviceID: + description: The conjur authn jwt webservice id + type: string + required: + - account + - serviceID + type: object type: object caBundle: type: string + caProvider: + description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. 
+ properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object url: type: string required: @@ -6558,6 +6930,7 @@ spec: valueMap: additionalProperties: type: string + description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' type: object version: type: string 
@@ -6942,9 +7315,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -8097,6 +8501,9 @@ spec: resultType: default: Data description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + enum: + - Data + - Auth type: string required: - path 
@@ -8124,10 +8531,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8191,10 +8598,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8300,10 +8707,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -8340,10 +8747,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" 
@@ -8384,10 +8791,10 @@ metadata: name: common-golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8405,10 +8812,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8425,10 +8832,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8461,10 +8868,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -8500,10 +8907,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8521,10 +8928,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -8545,10 +8952,10 @@ metadata: name: common-golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8560,10 +8967,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller 
@@ -8578,7 +8985,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi" imagePullPolicy: IfNotPresent args: - certcontroller @@ -8608,10 +9015,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8623,10 +9030,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: common-golang-external-secrets @@ -8641,10 +9048,11 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 + - --metrics-addr=:8080 ports: - containerPort: 8080 protocol: TCP @@ -8657,10 +9065,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -8672,10 +9080,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false @@ -8690,7 +9098,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi" imagePullPolicy: IfNotPresent args: - webhook diff --git a/tests/common-golang-external-secrets-naked.expected.yaml b/tests/common-golang-external-secrets-naked.expected.yaml index 0e02057e..f8780cc0 100644 --- a/tests/common-golang-external-secrets-naked.expected.yaml +++ b/tests/common-golang-external-secrets-naked.expected.yaml @@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml 
@@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -278,16 +278,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -306,7 +318,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -350,16 +362,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -376,10 +400,18 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string name: description: Finds secrets based on the name. @@ -414,6 +446,15 @@ spec: - source - target type: object + transform: + description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + properties: + template: + description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + type: string + required: + - template + type: object type: object type: array sourceRef: @@ -421,7 +462,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: GeneratorRef points to a generator custom resource. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -506,9 +547,16 @@ spec: type: object engineVersion: default: v2 + description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string mergePolicy: default: Replace + enum: + - Replace + - Merge type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -534,6 +582,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -556,6 +607,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -569,6 +623,10 @@ spec: type: object target: default: Data + enum: + - Data + - Annotations + - Labels type: string type: object type: array @@ -608,12 +666,16 @@ spec: type: object type: object x-kubernetes-map-type: atomic + namespaces: + description: Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing. + items: + type: string + type: array refreshTime: - description: The time in which the controller should reconcile it's objects and recheck namespaces for labels. + description: The time in which the controller should reconcile its objects and recheck namespaces for labels. type: string required: - externalSecretSpec - - namespaceSelector type: object status: description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret. 
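Review bot: In the hunk `@@ -608,12 +666,16 @@`, `namespaceSelector` is removed from `required` on the ClusterExternalSecret spec while the new `namespaces` list is added, so the rendered CRD now accepts a ClusterExternalSecret that sets neither field, and nothing in the schema expresses that at least one scoping field must be present. Whether such an unscoped object targets no namespaces or every namespace is decided by the v0.9.10 controller, which this rendered expected output does not show, so this is a caveat to confirm rather than a defect in the commit. Since the file is a test expectation of the vendored chart, I would not patch the hunk itself; I would verify the controller's behaviour for the empty case and record the rule in the pattern's documentation for secret scoping, along the lines of `# ClusterExternalSecret: always set namespaceSelector and/or namespaces explicitly; the CRD no longer requires either, and the target set of an unscoped object is controller-defined (v0.9.10).`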
@@ -1325,7 +1387,7 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -1371,9 +1433,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -2080,7 +2173,7 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role + description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role items: type: string type: array 
@@ -2159,8 +2252,19 @@ spec: description: AWS Region to be used for the provider type: string role: - description: Role is a Role ARN which the SecretManager provider will assume + description: Role is a Role ARN which the provider will assume type: string + secretsManager: + description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager + properties: + forceDeleteWithoutRecovery: + description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + type: boolean + recoveryWindowInDays: + description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + format: int64 + type: integer + type: object service: description: Service defines which service should be used to fetch the secrets enum: @@ -2181,7 +2285,7 @@ spec: type: object type: array transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with SecretStore + description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider items: type: string type: array 
@@ -2308,11 +2412,72 @@ spec: - apiKeyRef - userRef type: object - required: - - apikey + jwt: + properties: + account: + type: string + secretRef: + description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + serviceAccountRef: + description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + serviceID: + description: The conjur authn jwt webservice id + type: string + required: + - account + - serviceID + type: object type: object caBundle: type: string + caProvider: + description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. 
+ properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object url: type: string required: @@ -2444,6 +2609,7 @@ spec: valueMap: additionalProperties: type: string + description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' type: object version: type: string 
@@ -2828,9 +2994,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -3734,6 +3931,9 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string key: description: Key is the key used in the Provider, mandatory @@ -3762,6 +3962,9 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string key: description: Key is the key used in the Provider, mandatory 
@@ -3798,6 +4001,10 @@ spec: creationPolicy: default: Owner description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + enum: + - Owner + - Merge + - None type: string immutable: description: Immutable defines if the final secret will be immutable @@ -3815,6 +4022,9 @@ spec: engineVersion: default: v1 description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -3960,16 +4170,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -3988,7 +4210,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -4032,16 +4254,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -4058,10 +4292,18 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string name: description: Finds secrets based on the name. @@ -4096,6 +4338,15 @@ spec: - source - target type: object + transform: + description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + properties: + template: + description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + type: string + required: + - template + type: object type: object type: array sourceRef: @@ -4103,7 +4354,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: GeneratorRef points to a generator custom resource. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -4188,9 +4439,16 @@ spec: type: object engineVersion: default: v2 + description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string mergePolicy: default: Replace + enum: + - Replace + - Merge type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -4216,6 +4474,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -4238,6 +4499,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -4251,6 +4515,10 @@ spec: type: object target: default: Data + enum: + - Data + - Annotations + - Labels type: string type: object type: array @@ -4624,7 +4892,6 @@ spec: type: string required: - remoteRef - - secretKey type: object metadata: description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. @@ -4636,6 +4903,9 @@ spec: deletionPolicy: default: None description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".' + enum: + - Delete + - None type: string refreshInterval: description: The Interval to which External Secrets will try to push a secret definition @@ -4755,7 +5025,6 @@ spec: type: string required: - remoteRef - - secretKey type: object metadata: description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. 
@@ -5439,7 +5708,7 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -5485,9 +5754,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -6194,7 +6494,7 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role + description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role items: type: string type: array 
@@ -6273,8 +6573,19 @@ spec: description: AWS Region to be used for the provider type: string role: - description: Role is a Role ARN which the SecretManager provider will assume + description: Role is a Role ARN which the provider will assume type: string + secretsManager: + description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager + properties: + forceDeleteWithoutRecovery: + description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + type: boolean + recoveryWindowInDays: + description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + format: int64 + type: integer + type: object service: description: Service defines which service should be used to fetch the secrets enum: @@ -6295,7 +6606,7 @@ spec: type: object type: array transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with SecretStore + description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider items: type: string type: array 
@@ -6422,11 +6733,72 @@ spec: - apiKeyRef - userRef type: object - required: - - apikey + jwt: + properties: + account: + type: string + secretRef: + description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + serviceAccountRef: + description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + serviceID: + description: The conjur authn jwt webservice id + type: string + required: + - account + - serviceID + type: object type: object caBundle: type: string + caProvider: + description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. 
+ properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object url: type: string required: @@ -6558,6 +6930,7 @@ spec: valueMap: additionalProperties: type: string + description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' type: object version: type: string 
@@ -6942,9 +7315,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -8097,6 +8501,9 @@ spec: resultType: default: Data description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + enum: + - Data + - Auth type: string required: - path 
@@ -8124,10 +8531,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8191,10 +8598,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8300,10 +8707,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -8340,10 +8747,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" 
@@ -8384,10 +8791,10 @@ metadata: name: common-golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8405,10 +8812,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8425,10 +8832,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8461,10 +8868,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -8500,10 +8907,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8521,10 +8928,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -8545,10 +8952,10 @@ metadata: name: common-golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8560,10 +8967,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller 
@@ -8578,7 +8985,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi" imagePullPolicy: IfNotPresent args: - certcontroller @@ -8608,10 +9015,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8623,10 +9030,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: common-golang-external-secrets @@ -8641,10 +9048,11 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 + - --metrics-addr=:8080 ports: - containerPort: 8080 protocol: TCP @@ -8657,10 +9065,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -8672,10 +9080,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false @@ -8690,7 +9098,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi" imagePullPolicy: IfNotPresent args: - webhook diff --git a/tests/common-golang-external-secrets-normal.expected.yaml b/tests/common-golang-external-secrets-normal.expected.yaml index 7b2b7171..cb2ea2c2 100644 --- a/tests/common-golang-external-secrets-normal.expected.yaml +++ b/tests/common-golang-external-secrets-normal.expected.yaml @@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml 
@@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -278,16 +278,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -306,7 +318,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -350,16 +362,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -376,10 +400,18 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string name: description: Finds secrets based on the name. @@ -414,6 +446,15 @@ spec: - source - target type: object + transform: + description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + properties: + template: + description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + type: string + required: + - template + type: object type: object type: array sourceRef: @@ -421,7 +462,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: GeneratorRef points to a generator custom resource. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -506,9 +547,16 @@ spec: type: object engineVersion: default: v2 + description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string mergePolicy: default: Replace + enum: + - Replace + - Merge type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -534,6 +582,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -556,6 +607,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -569,6 +623,10 @@ spec: type: object target: default: Data + enum: + - Data + - Annotations + - Labels type: string type: object type: array @@ -608,12 +666,16 @@ spec: type: object type: object x-kubernetes-map-type: atomic + namespaces: + description: Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing. + items: + type: string + type: array refreshTime: - description: The time in which the controller should reconcile it's objects and recheck namespaces for labels. + description: The time in which the controller should reconcile its objects and recheck namespaces for labels. type: string required: - externalSecretSpec - - namespaceSelector type: object status: description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret. 
@@ -1325,7 +1387,7 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -1371,9 +1433,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -2080,7 +2173,7 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role + description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role items: type: string type: array 
@@ -2159,8 +2252,19 @@ spec: description: AWS Region to be used for the provider type: string role: - description: Role is a Role ARN which the SecretManager provider will assume + description: Role is a Role ARN which the provider will assume type: string + secretsManager: + description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager + properties: + forceDeleteWithoutRecovery: + description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + type: boolean + recoveryWindowInDays: + description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + format: int64 + type: integer + type: object service: description: Service defines which service should be used to fetch the secrets enum: @@ -2181,7 +2285,7 @@ spec: type: object type: array transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with SecretStore + description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider items: type: string type: array 
@@ -2308,11 +2412,72 @@ spec: - apiKeyRef - userRef type: object - required: - - apikey + jwt: + properties: + account: + type: string + secretRef: + description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + serviceAccountRef: + description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + serviceID: + description: The conjur authn jwt webservice id + type: string + required: + - account + - serviceID + type: object type: object caBundle: type: string + caProvider: + description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. 
+ properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object url: type: string required: @@ -2444,6 +2609,7 @@ spec: valueMap: additionalProperties: type: string + description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' type: object version: type: string 
@@ -2828,9 +2994,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -3734,6 +3931,9 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string key: description: Key is the key used in the Provider, mandatory @@ -3762,6 +3962,9 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string key: description: Key is the key used in the Provider, mandatory 
@@ -3798,6 +4001,10 @@ spec: creationPolicy: default: Owner description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + enum: + - Owner + - Merge + - None type: string immutable: description: Immutable defines if the final secret will be immutable @@ -3815,6 +4022,9 @@ spec: engineVersion: default: v1 description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -3960,16 +4170,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -3988,7 +4210,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -4032,16 +4254,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -4058,10 +4292,18 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string name: description: Finds secrets based on the name. @@ -4096,6 +4338,15 @@ spec: - source - target type: object + transform: + description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + properties: + template: + description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + type: string + required: + - template + type: object type: object type: array sourceRef: @@ -4103,7 +4354,7 @@ spec: maxProperties: 1 properties: generatorRef: - description: GeneratorRef points to a generator custom resource in + description: GeneratorRef points to a generator custom resource. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 
@@ -4188,9 +4439,16 @@ spec: type: object engineVersion: default: v2 + description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string mergePolicy: default: Replace + enum: + - Replace + - Merge type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -4216,6 +4474,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -4238,6 +4499,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -4251,6 +4515,10 @@ spec: type: object target: default: Data + enum: + - Data + - Annotations + - Labels type: string type: object type: array @@ -4624,7 +4892,6 @@ spec: type: string required: - remoteRef - - secretKey type: object metadata: description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. @@ -4636,6 +4903,9 @@ spec: deletionPolicy: default: None description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".' + enum: + - Delete + - None type: string refreshInterval: description: The Interval to which External Secrets will try to push a secret definition @@ -4755,7 +5025,6 @@ spec: type: string required: - remoteRef - - secretKey type: object metadata: description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. 
@@ -5439,7 +5708,7 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -5485,9 +5754,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -6194,7 +6494,7 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role + description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role items: type: string type: array 
@@ -6273,8 +6573,19 @@ spec: description: AWS Region to be used for the provider type: string role: - description: Role is a Role ARN which the SecretManager provider will assume + description: Role is a Role ARN which the provider will assume type: string + secretsManager: + description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager + properties: + forceDeleteWithoutRecovery: + description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + type: boolean + recoveryWindowInDays: + description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + format: int64 + type: integer + type: object service: description: Service defines which service should be used to fetch the secrets enum: @@ -6295,7 +6606,7 @@ spec: type: object type: array transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with SecretStore + description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider items: type: string type: array 
@@ -6422,11 +6733,72 @@ spec: - apiKeyRef - userRef type: object - required: - - apikey + jwt: + properties: + account: + type: string + secretRef: + description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + serviceAccountRef: + description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + serviceID: + description: The conjur authn jwt webservice id + type: string + required: + - account + - serviceID + type: object type: object caBundle: type: string + caProvider: + description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. 
+ properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object url: type: string required: @@ -6558,6 +6930,7 @@ spec: valueMap: additionalProperties: type: string + description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' type: object version: type: string 
@@ -6942,9 +7315,40 @@ spec: - tenancy - user type: object + compartment: + description: Compartment is the vault compartment OCID. Required for PushSecret + type: string + encryptionKey: + description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + type: string + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload + type: string region: description: Region is the region where vault is located. type: string + serviceAccountRef: + description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object vault: description: Vault is the vault's OCID of the specific vault where secret is located. type: string @@ -8097,6 +8501,9 @@ spec: resultType: default: Data description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + enum: + - Data + - Auth type: string required: - path 
@@ -8124,10 +8531,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8191,10 +8598,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8300,10 +8707,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -8340,10 +8747,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" 
@@ -8384,10 +8791,10 @@ metadata: name: common-golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8405,10 +8812,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8425,10 +8832,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8461,10 +8868,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -8500,10 +8907,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8521,10 +8928,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -8545,10 +8952,10 @@ metadata: name: common-golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8560,10 +8967,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller 
@@ -8578,7 +8985,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi" imagePullPolicy: IfNotPresent args: - certcontroller @@ -8608,10 +9015,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8623,10 +9030,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: common-golang-external-secrets @@ -8641,10 +9048,11 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 + - --metrics-addr=:8080 ports: - containerPort: 8080 protocol: TCP @@ -8657,10 +9065,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -8672,10 +9080,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.10 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.10" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false @@ -8690,7 +9098,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.10-ubi" imagePullPolicy: IfNotPresent args: - webhook diff --git a/tests/common-hashicorp-vault-industrial-edge-factory.expected.yaml b/tests/common-hashicorp-vault-industrial-edge-factory.expected.yaml index 1fc97cf0..0760b39c 100644 --- a/tests/common-hashicorp-vault-industrial-edge-factory.expected.yaml +++ b/tests/common-hashicorp-vault-industrial-edge-factory.expected.yaml @@ -4,9 +4,9 @@ apiVersion: v1 kind: ServiceAccount metadata: name: common-hashicorp-vault - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -16,9 +16,9 @@ apiVersion: v1 kind: ConfigMap metadata: name: common-hashicorp-vault-config - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -42,7 +42,7 @@ kind: ClusterRoleBinding metadata: name: common-hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -53,7 +53,7 @@ roleRef: subjects: - kind: ServiceAccount name: common-hashicorp-vault - namespace: default + namespace: pattern-namespace --- # Source: hashicorp-vault/charts/vault/templates/server-headless-service.yaml # Service for Vault cluster @@ -61,9 +61,9 @@ apiVersion: v1 kind: Service metadata: name: common-hashicorp-vault-internal - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -93,9 +93,9 @@ apiVersion: v1 kind: Service metadata: name: common-hashicorp-vault - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -124,9 +124,9 @@ apiVersion: v1 kind: Service metadata: name: common-hashicorp-vault-ui - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -148,7 +148,7 @@ apiVersion: apps/v1 kind: StatefulSet metadata: name: common-hashicorp-vault - namespace: default + namespace: pattern-namespace labels: app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault @@ -167,7 +167,7 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault component: server @@ -204,7 +204,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.14.0-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" 
@@ -317,6 +317,7 @@ spec: - metadata: name: data + spec: accessModes: - ReadWriteOnce @@ -343,9 +344,9 @@ kind: Route apiVersion: route.openshift.io/v1 metadata: name: common-hashicorp-vault - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -364,19 +365,19 @@ spec: apiVersion: v1 kind: Pod metadata: - name: "common-hashicorp-vault-server-test" - namespace: default + name: common-hashicorp-vault-server-test + namespace: pattern-namespace annotations: "helm.sh/hook": test spec: containers: - name: common-hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.14.0-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR - value: http://common-hashicorp-vault.default.svc:8200 + value: http://common-hashicorp-vault.pattern-namespace.svc:8200 - name: "VAULT_ADDR" value: "https://vault.vault.svc.cluster.local:8200" diff --git a/tests/common-hashicorp-vault-industrial-edge-hub.expected.yaml b/tests/common-hashicorp-vault-industrial-edge-hub.expected.yaml index 1fc97cf0..0760b39c 100644 --- a/tests/common-hashicorp-vault-industrial-edge-hub.expected.yaml +++ b/tests/common-hashicorp-vault-industrial-edge-hub.expected.yaml @@ -4,9 +4,9 @@ apiVersion: v1 kind: ServiceAccount metadata: name: common-hashicorp-vault - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -16,9 +16,9 @@ apiVersion: v1 kind: ConfigMap metadata: name: common-hashicorp-vault-config - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -42,7 +42,7 @@ kind: ClusterRoleBinding metadata: name: common-hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -53,7 +53,7 @@ roleRef: subjects: - kind: ServiceAccount name: common-hashicorp-vault - namespace: default + namespace: pattern-namespace --- # Source: hashicorp-vault/charts/vault/templates/server-headless-service.yaml # Service for Vault cluster @@ -61,9 +61,9 @@ apiVersion: v1 kind: Service metadata: name: common-hashicorp-vault-internal - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -93,9 +93,9 @@ apiVersion: v1 kind: Service metadata: name: common-hashicorp-vault - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -124,9 +124,9 @@ apiVersion: v1 kind: Service metadata: name: common-hashicorp-vault-ui - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -148,7 +148,7 @@ apiVersion: apps/v1 kind: StatefulSet metadata: name: common-hashicorp-vault - namespace: default + namespace: pattern-namespace labels: app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault @@ -167,7 +167,7 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault component: server @@ -204,7 +204,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.14.0-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -317,6 +317,7 @@ spec: - metadata: name: data + spec: accessModes: - ReadWriteOnce @@ -343,9 +344,9 @@ kind: Route apiVersion: route.openshift.io/v1 metadata: name: common-hashicorp-vault - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -364,19 +365,19 @@ spec: apiVersion: v1 kind: Pod metadata: - name: "common-hashicorp-vault-server-test" - namespace: default + name: common-hashicorp-vault-server-test + namespace: pattern-namespace annotations: "helm.sh/hook": test spec: containers: - name: common-hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.14.0-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR - value: http://common-hashicorp-vault.default.svc:8200 + value: http://common-hashicorp-vault.pattern-namespace.svc:8200 - name: "VAULT_ADDR" value: "https://vault.vault.svc.cluster.local:8200" diff --git a/tests/common-hashicorp-vault-medical-diagnosis-hub.expected.yaml b/tests/common-hashicorp-vault-medical-diagnosis-hub.expected.yaml index 1fc97cf0..0760b39c 100644 
--- a/tests/common-hashicorp-vault-medical-diagnosis-hub.expected.yaml +++ b/tests/common-hashicorp-vault-medical-diagnosis-hub.expected.yaml @@ -4,9 +4,9 @@ apiVersion: v1 kind: ServiceAccount metadata: name: common-hashicorp-vault - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -16,9 +16,9 @@ apiVersion: v1 kind: ConfigMap metadata: name: common-hashicorp-vault-config - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -42,7 +42,7 @@ kind: ClusterRoleBinding metadata: name: common-hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -53,7 +53,7 @@ roleRef: subjects: - kind: ServiceAccount name: common-hashicorp-vault - namespace: default + namespace: pattern-namespace --- # Source: hashicorp-vault/charts/vault/templates/server-headless-service.yaml # Service for Vault cluster @@ -61,9 +61,9 @@ apiVersion: v1 kind: Service metadata: name: common-hashicorp-vault-internal - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -93,9 +93,9 @@ apiVersion: v1 kind: Service metadata: name: common-hashicorp-vault - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -124,9 +124,9 @@ apiVersion: v1 kind: Service metadata: name: common-hashicorp-vault-ui - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -148,7 +148,7 @@ apiVersion: apps/v1 kind: StatefulSet metadata: name: common-hashicorp-vault - namespace: default + namespace: pattern-namespace labels: app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault @@ -167,7 +167,7 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault component: server @@ -204,7 +204,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.14.0-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -317,6 +317,7 @@ spec: - metadata: name: data + spec: accessModes: - ReadWriteOnce @@ -343,9 +344,9 @@ kind: Route apiVersion: route.openshift.io/v1 metadata: name: common-hashicorp-vault - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -364,19 +365,19 @@ spec: apiVersion: v1 kind: Pod metadata: - name: "common-hashicorp-vault-server-test" - namespace: default + name: common-hashicorp-vault-server-test + namespace: pattern-namespace annotations: "helm.sh/hook": test spec: containers: - name: common-hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.14.0-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR - value: http://common-hashicorp-vault.default.svc:8200 + value: http://common-hashicorp-vault.pattern-namespace.svc:8200 - name: "VAULT_ADDR" value: "https://vault.vault.svc.cluster.local:8200" diff --git a/tests/common-hashicorp-vault-naked.expected.yaml b/tests/common-hashicorp-vault-naked.expected.yaml index edd614b8..58a88890 100644 --- a/tests/common-hashicorp-vault-naked.expected.yaml +++ b/tests/common-hashicorp-vault-naked.expected.yaml @@ -6,7 +6,7 @@ metadata: name: common-hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -18,7 +18,7 @@ metadata: name: common-hashicorp-vault-config namespace: default labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -42,7 +42,7 @@ kind: ClusterRoleBinding metadata: name: common-hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -63,7 +63,7 @@ metadata: name: common-hashicorp-vault-internal namespace: default labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -95,7 +95,7 @@ metadata: name: common-hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -126,7 +126,7 @@ metadata: name: common-hashicorp-vault-ui namespace: default labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -167,7 +167,7 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault component: server @@ -204,7 +204,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.14.0-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -317,6 +317,7 @@ spec: - metadata: name: data + spec: accessModes: - ReadWriteOnce @@ -345,7 +346,7 @@ metadata: name: common-hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -364,7 +365,7 @@ spec: apiVersion: v1 kind: Pod metadata: - name: "common-hashicorp-vault-server-test" + name: common-hashicorp-vault-server-test namespace: default annotations: "helm.sh/hook": test 
@@ -372,7 +373,7 @@ spec: containers: - name: common-hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.14.0-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/tests/common-hashicorp-vault-normal.expected.yaml b/tests/common-hashicorp-vault-normal.expected.yaml index 1fc97cf0..0760b39c 100644 --- a/tests/common-hashicorp-vault-normal.expected.yaml +++ b/tests/common-hashicorp-vault-normal.expected.yaml @@ -4,9 +4,9 @@ apiVersion: v1 kind: ServiceAccount metadata: name: common-hashicorp-vault - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -16,9 +16,9 @@ apiVersion: v1 kind: ConfigMap metadata: name: common-hashicorp-vault-config - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -42,7 +42,7 @@ kind: ClusterRoleBinding metadata: name: common-hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -53,7 +53,7 @@ roleRef: subjects: - kind: ServiceAccount name: common-hashicorp-vault - namespace: default + namespace: pattern-namespace --- # Source: hashicorp-vault/charts/vault/templates/server-headless-service.yaml # Service for Vault cluster 
@@ -61,9 +61,9 @@ apiVersion: v1 kind: Service metadata: name: common-hashicorp-vault-internal - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -93,9 +93,9 @@ apiVersion: v1 kind: Service metadata: name: common-hashicorp-vault - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -124,9 +124,9 @@ apiVersion: v1 kind: Service metadata: name: common-hashicorp-vault-ui - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -148,7 +148,7 @@ apiVersion: apps/v1 kind: StatefulSet metadata: name: common-hashicorp-vault - namespace: default + namespace: pattern-namespace labels: app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault @@ -167,7 +167,7 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault component: server @@ -204,7 +204,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.14.0-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -317,6 +317,7 @@ spec: - metadata: name: data + spec: accessModes: - ReadWriteOnce 
@@ -343,9 +344,9 @@ kind: Route apiVersion: route.openshift.io/v1 metadata: name: common-hashicorp-vault - namespace: default + namespace: pattern-namespace labels: - helm.sh/chart: vault-0.25.0 + helm.sh/chart: vault-0.27.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -364,19 +365,19 @@ spec: apiVersion: v1 kind: Pod metadata: - name: "common-hashicorp-vault-server-test" - namespace: default + name: common-hashicorp-vault-server-test + namespace: pattern-namespace annotations: "helm.sh/hook": test spec: containers: - name: common-hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.14.0-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR - value: http://common-hashicorp-vault.default.svc:8200 + value: http://common-hashicorp-vault.pattern-namespace.svc:8200 - name: "VAULT_ADDR" value: "https://vault.vault.svc.cluster.local:8200"