diff --git a/charts/all/medical-diagnosis/xray-init/templates/objectstore-user/cm-wait-for-objectstore.yaml b/charts/all/medical-diagnosis/xray-init/templates/objectstore-user/cm-wait-for-objectstore.yaml new file mode 100644 index 00000000..bfdf14b3 --- /dev/null +++ b/charts/all/medical-diagnosis/xray-init/templates/objectstore-user/cm-wait-for-objectstore.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: wait-for-objectstore + namespace: {{ .Values.global.xraylab.namespace }} + annotations: + argocd.argoproj.io/sync-wave: "-1" +data: + wait-for-objectstore.sh: | + #!/bin/bash + # Get ODF version + ODFMINV=$(oc get subs -n openshift-storage odf-operator -o jsonpath='{.status.currentCSV}' | cut -d '.' -f3 ) + if [[ ${ODFMINV} -lt 13 ]] + then + oc wait --for=jsonpath='{.status.phase}'=Connected cephobjectstore/ocs-storagecluster-cephobjectstore -n openshift-storage --timeout=100s + else + oc wait --for=jsonpath='{.status.phase}'=Ready cephobjectstore/ocs-storagecluster-cephobjectstore -n openshift-storage --timeout=100s + fi \ No newline at end of file diff --git a/charts/all/medical-diagnosis/xray-init/templates/objectstore-user/job-cephobjstore-wait.yaml b/charts/all/medical-diagnosis/xray-init/templates/objectstore-user/job-cephobjstore-wait.yaml index 4b33c53c..41c33ea4 100644 --- a/charts/all/medical-diagnosis/xray-init/templates/objectstore-user/job-cephobjstore-wait.yaml +++ b/charts/all/medical-diagnosis/xray-init/templates/objectstore-user/job-cephobjstore-wait.yaml 
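Review bot: In `wait-for-objectstore.sh` an empty `ODFMINV` (subscription not found, or the service account lacking read on it) is still fed to `[[ ${ODFMINV} -lt 13 ]]`, which bash evaluates as `0 -lt 13`, so the script silently takes the `Connected` branch instead of failing. Add `set -euo pipefail` after the shebang so a failing `oc get | cut` pipeline aborts, and validate the parsed field before comparing, e.g. `[[ ${ODFMINV} =~ ^[0-9]+$ ]] || { echo "cannot determine ODF version from the odf-operator subscription" >&2; exit 1; }`. The check keys only on the third dot-separated field of `currentCSV`, which presumably assumes a 4.x major version; a comment stating that assumption would help whoever maintains this after the next major bump.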
@@ -15,8 +15,17 @@ spec: - /bin/bash - -c - | - oc wait --for=jsonpath='{.status.phase}'=Connected cephobjectstore/ocs-storagecluster-cephobjectstore -n openshift-storage --timeout=900s + '/tmp/wait-for-objectstore.sh' name: wait-odf-cephobjectstore-complete + volumeMounts: + - mountPath: /tmp/wait-for-objectstore.sh + name: wait-for-objectstore + subPath: wait-for-objectstore.sh + volumes: + - name: wait-for-objectstore + configMap: + name: wait-for-objectstore + defaultMode: 0755 dnsPolicy: ClusterFirst restartPolicy: Never serviceAccount: {{ .Values.global.xraylab.namespace }}-sa diff --git a/charts/all/medical-diagnosis/xray-init/values.yaml b/charts/all/medical-diagnosis/xray-init/values.yaml index 818debfd..79488893 100644 --- a/charts/all/medical-diagnosis/xray-init/values.yaml +++ b/charts/all/medical-diagnosis/xray-init/values.yaml @@ -54,6 +54,20 @@ rbac: - "get" - "list" - "watch" + - name: view-odf-subs + createRole: true + apiGroups: + - "operators.coreos.com" + scope: + cluster: true + namespace: "" + resources: + - subs + - subscriptions + verbs: + - "get" + - "list" + - "watch" - name: view-odf-objectstoreusers createRole: true apiGroups: @@ -133,6 +147,19 @@ rbac: roleRef: kind: Role name: create-pattern-secret + - name: view-odf-subs-rb + createBinding: true + scope: + cluster: true + namespace: "" + subjects: + kind: ServiceAccount + name: xraylab-1-sa + namespace: xraylab-1 + apiGroup: "" + roleRef: + kind: ClusterRole + name: view-odf-subs - name: view-odf-storageclusters createBinding: true scope: @@ -184,4 +211,4 @@ rbac: apiGroup: "" roleRef: kind: Role - name: view-pattern-jobs \ No newline at end of file + name: view-pattern-jobs diff --git a/common/.ansible-lint b/common/.ansible-lint index 67a7552c..353222eb 100644 --- a/common/.ansible-lint +++ b/common/.ansible-lint 
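Review bot: The Job now runs the mounted script whose two `oc wait` calls use `--timeout=100s`, replacing the previous single wait of `900s`, so a slow CephObjectStore bring-up fails the Job much earlier than before; with `restartPolicy: Never` whether that is retried depends on `backoffLimit`, which is outside the hunk. `defaultMode: 0755` also relies on the loader reading the leading zero as octal; decimal `defaultMode: 493` means the same mode under both YAML 1.1 and 1.2 parsers. Either restore a comparable timeout in the script or document why the shorter one is acceptable, and consider `defaultMode: 493`.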
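Review bot: The new `view-odf-subs` ClusterRole lists `subs` next to `subscriptions`, but RBAC rules match the plural resource name from the request path and never resolve short names (the client does that), so the `- subs` line grants nothing and can be dropped. The rule is also cluster-scoped (`scope.cluster: true`) although the script it supports only reads the `odf-operator` Subscription in `openshift-storage`; if the chart's `scope` field can express a namespaced Role, binding read access in that namespace alone would be the least-privilege form. Keeping just `- subscriptions` under `resources` is enough for `oc get subs`.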
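Review bot: The `view-odf-subs-rb` binding hard-codes `name: xraylab-1-sa` and `namespace: xraylab-1`, while the Job in `job-cephobjstore-wait.yaml` derives its account from `{{ .Values.global.xraylab.namespace }}-sa`; if that value is overridden, the ClusterRole is bound to an account the Job does not run as and the script's `oc get subs` is denied. This appears to follow the style of the existing bindings in `values.yaml`, so if the rbac template cannot interpolate values here, a comment such as `# subject must match global.xraylab.namespace used by the xray-init Job` would at least make the coupling visible.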
@@ -6,3 +6,12 @@ skip_list: - template-instead-of-copy # Templated files should use template instead of copy - yaml[line-length] # too long lines - yaml[indentation] # Forcing lists to be always indented by 2 chars is silly IMO + - var-naming[no-role-prefix] # This would be too much churn for very little gain + - no-changed-when + - var-naming[no-role-prefix] # There are too many changes now and it would be too risky + +# ansible-lint gh workflow cannot find ansible.cfg hence fails to import vault_utils role +exclude_paths: + - ./ansible/playbooks/vault/vault.yaml + - ./ansible/playbooks/iib-ci/iib-ci.yaml + - ./ansible/roles/vault_utils/tests/test.yml diff --git a/common/.github/dependabot.yml b/common/.github/dependabot.yml new file mode 100644 index 00000000..a175e666 --- /dev/null +++ b/common/.github/dependabot.yml @@ -0,0 +1,9 @@ +--- +version: 2 +updates: + # Check for updates to GitHub Actions every week + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + diff --git a/common/.github/workflows/ansible-lint.yml b/common/.github/workflows/ansible-lint.yml index 3b2de754..1bf2f7dd 100644 --- a/common/.github/workflows/ansible-lint.yml +++ b/common/.github/workflows/ansible-lint.yml @@ -8,11 +8,10 @@ jobs: steps: # Important: This sets up your GITHUB_WORKSPACE environment variable - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Lint Ansible Playbook - # Using the latest as of today (2023-01-24) v6.11.0 - uses: ansible/ansible-lint-action@v6.11.0 + uses: ansible/ansible-lint-action@v6 # Let's point it to the path with: path: "ansible/" diff --git a/common/.github/workflows/ansible-unittest.yml b/common/.github/workflows/ansible-unittest.yml index 3c8b5c46..af326b66 100644 --- a/common/.github/workflows/ansible-unittest.yml +++ b/common/.github/workflows/ansible-unittest.yml 
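Review bot: `var-naming[no-role-prefix]` is added to `skip_list` twice in this hunk, once with the "too much churn" comment and again with the "too risky" one; keep a single entry with one comment. Skipping `no-changed-when` for the whole tree also hides every `command`/`shell` task that never declares `changed_when`, which is usually better fixed per task (`changed_when: false` on read-only lookups) than globally; if the blanket skip is deliberate, a comment like `# no-changed-when: temporary until the shell/command tasks declare changed_when` would record that.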
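Review bot: `ansible/ansible-lint-action@v6` loosens the previous fixed pin `v6.11.0` to a mutable major tag, so whatever that tag is moved to later runs with this workflow's token; the same applies to `actions/checkout@v3` here and in the ansible-unittest, jsonschema, linter and superlinter workflows, and to `github/super-linter/slim@v5`. The usual supply-chain hardening is a full commit SHA with the release as a trailing comment, `uses: ansible/ansible-lint-action@<full-commit-sha> # v6.11.0`, which the Dependabot configuration added in this commit can keep current. The `docker.io/github/super-linter:slim-v5` tag in the Makefile's `super-linter` target is the container-image equivalent and could be pinned by digest.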
@@ -20,7 +20,7 @@ jobs: name: Ansible unit tests strategy: matrix: - python-version: [3.10.10] + python-version: [3.11.3] # Set the agent to run on runs-on: ubuntu-latest @@ -32,13 +32,13 @@ jobs: # Checkout the code base # ########################## - name: Checkout Code - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: # Full git history is needed to get a proper list of changed files within `super-linter` fetch-depth: 0 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v1 + uses: actions/setup-python@v4 with: python-version: ${{ matrix.python-version }} diff --git a/common/.github/workflows/jsonschema.yaml b/common/.github/workflows/jsonschema.yaml index 00232f0b..a0c60c11 100644 --- a/common/.github/workflows/jsonschema.yaml +++ b/common/.github/workflows/jsonschema.yaml @@ -20,7 +20,7 @@ jobs: name: Json Schema tests strategy: matrix: - python-version: [3.11.2] + python-version: [3.11.3] # Set the agent to run on runs-on: ubuntu-latest @@ -32,13 +32,13 @@ jobs: # Checkout the code base # ########################## - name: Checkout Code - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: # Full git history is needed to get a proper list of changed files within `super-linter` fetch-depth: 0 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v1 + uses: actions/setup-python@v4 with: python-version: ${{ matrix.python-version }} diff --git a/common/.github/workflows/linter.yml b/common/.github/workflows/linter.yml index 8a276b0c..28c3944d 100644 --- a/common/.github/workflows/linter.yml +++ b/common/.github/workflows/linter.yml @@ -29,7 +29,7 @@ jobs: # Checkout the code base # ########################## - name: Checkout Code - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: # Full git history is needed to get a proper list of changed files within `super-linter` fetch-depth: 0 
diff --git a/common/.github/workflows/superlinter.yml b/common/.github/workflows/superlinter.yml index a3e22028..30cb00a8 100644 --- a/common/.github/workflows/superlinter.yml +++ b/common/.github/workflows/superlinter.yml @@ -12,7 +12,7 @@ jobs: steps: - name: Checkout Code - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: # Full git history is needed to get a proper list of changed files within `super-linter` fetch-depth: 0 @@ -21,7 +21,7 @@ jobs: # Run Linter against code base # ################################ - name: Lint Code Base - uses: github/super-linter/slim@v4 + uses: github/super-linter/slim@v5 env: VALIDATE_ALL_CODEBASE: true DEFAULT_BRANCH: main @@ -30,7 +30,7 @@ jobs: VALIDATE_ANSIBLE: false VALIDATE_BASH: false VALIDATE_JSCPD: false - VALIDATE_KUBERNETES_KUBEVAL: false + VALIDATE_KUBERNETES_KUBECONFORM: false VALIDATE_YAML: false # VALIDATE_DOCKERFILE_HADOLINT: false # VALIDATE_MARKDOWN: false diff --git a/common/Changes.md b/common/Changes.md index d4fe67a7..0e1e8c47 100644 --- a/common/Changes.md +++ b/common/Changes.md @@ -1,5 +1,23 @@ # Changes +## Jul 8, 2023 + +* Introduced a default of 20 for sync failures retries in argo applications (global override via global.options.applicationRetryLimit + and per-app override via .syncPolicy) + +## May 22, 2023 + +* Upgraded ESO to 0.8.2 +* *Important* we now use the newly blessed sso config for argo. This means that gitops < 1.8 are *unsupported* + +## May 18, 2023 + +* Introduce a EXTRA_HELM_OPTS env variable that will be passed to the helm invocations + +## April 21, 2023 + +* Added labels and annotation support to namespaces.yaml template + ## Apr 11, 2023 * Apply the ACM ocp-gitops-policy everywhere but the hub diff --git a/common/Makefile b/common/Makefile index c4d98414..83871b7e 100644 --- a/common/Makefile +++ b/common/Makefile 
@@ -1,11 +1,16 @@ -NAME=$(shell basename "`pwd`") +NAME ?= $(shell basename "`pwd`") ifneq ($(origin TARGET_SITE), undefined) TARGET_SITE_OPT=--set main.clusterGroupName=$(TARGET_SITE) endif +# This variable can be set in order to pass additional helm arguments from the +# the command line. I.e. we can set things without having to tweak values files +EXTRA_HELM_OPTS ?= + # INDEX_IMAGES=registry-proxy.engineering.redhat.com/rh-osbs/iib:394248 -INDEX_IMAGES ?= -INDEX_OPTIONS=$(shell echo $(INDEX_IMAGES) | tr ',' '\n' | awk -F: 'match($$1,"/"){print "--set main.extraParameters."NR".name=clusterGroup.indexImages."NR".image --set main.extraParameters."NR".value="$$1":"$$2}') +# or +# INDEX_IMAGES=registry-proxy.engineering.redhat.com/rh-osbs/iib:394248,registry-proxy.engineering.redhat.com/rh-osbs/iib:394249 +INDEX_IMAGES ?= TARGET_ORIGIN ?= origin # This is to ensure that whether we start with a git@ or https:// URL, we end up with an https:// URL @@ -15,12 +20,13 @@ TARGET_REPO=$(shell git ls-remote --get-url --symref $(TARGET_ORIGIN) | sed -e ' TARGET_BRANCH=$(shell git rev-parse --abbrev-ref HEAD) # --set values always take precedence over the contents of -f -HELM_OPTS=-f values-global.yaml --set main.git.repoURL="$(TARGET_REPO)" --set main.git.revision=$(TARGET_BRANCH) $(TARGET_SITE_OPT) $(INDEX_OPTIONS) +HELM_OPTS=-f values-global.yaml --set main.git.repoURL="$(TARGET_REPO)" --set main.git.revision=$(TARGET_BRANCH) $(TARGET_SITE_OPT) $(EXTRA_HELM_OPTS) ##@ Pattern Common Tasks .PHONY: help help: ## This help message + @echo "Pattern: $(NAME)" @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} /^(\s|[a-zA-Z_0-9-])+:.*?##/ { printf " \033[36m%-35s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST) # Makefiles in the individual patterns should call these targets explicitly 
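Review bot: The comment above `INDEX_IMAGES ?=` still reads as if the variable feeds the helm invocation, but the second hunk removes `INDEX_OPTIONS` from `HELM_OPTS`, so `INDEX_IMAGES` is now consumed only by the `load-iib` target further down and `make install` no longer passes any `--set main.extraParameters...` for it. A line such as `# Consumed by the load-iib target (one ansible-playbook run per image); no longer passed to helm` would stop users relying on the old behaviour. `EXTRA_HELM_OPTS` is documented, but it is worth adding that it is spliced into `HELM_OPTS` unquoted, so values with spaces need shell quoting by the caller.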
@@ -55,6 +61,15 @@ uninstall: ## runs helm uninstall load-secrets: ## loads the secrets into the vault common/scripts/vault-utils.sh push_secrets $(NAME) +.PHONY: load-iib +load-iib: ## CI target to install Index Image Bundles + @set -e; if [ x$(INDEX_IMAGES) != x ]; then \ + for IIB in $(shell echo $(INDEX_IMAGES) | tr ',' '\n'); do \ + INDEX_IMAGE="$${IIB}" ansible-playbook common/ansible/playbooks/iib-ci/iib-ci.yaml; \ + done; \ + fi + + ##@ Validation Tasks # We only check the remote ssh git branch's existance if we're not running inside a container @@ -110,7 +125,8 @@ helmlint: ## run helm lint @for t in $(CHARTS); do common/scripts/lint.sh $$t $(TEST_OPTS); if [ $$? != 0 ]; then exit 1; fi; done API_URL ?= https://raw.githubusercontent.com/hybrid-cloud-patterns/ocp-schemas/main/openshift/4.10/ -KUBECONFORM_SKIP ?= -skip 'CustomResourceDefinition' +KUBECONFORM_SKIP ?= -skip 'CustomResourceDefinition,ClusterIssuer,CertManager,Certificate,ArgoCD' + # We need to skip 'CustomResourceDefinition' as openapi2jsonschema seems to be unable to generate them ATM .PHONY: kubeconform kubeconform: ## run helm kubeconform @@ -122,7 +138,7 @@ super-linter: ## Runs super linter locally podman run -e RUN_LOCAL=true -e USE_FIND_ALGORITHM=true \ -e VALIDATE_BASH=false \ -e VALIDATE_JSCPD=false \ - -e VALIDATE_KUBERNETES_KUBEVAL=false \ + -e VALIDATE_KUBERNETES_KUBECONFORM=false \ -e VALIDATE_YAML=false \ -e VALIDATE_ANSIBLE=false \ -e VALIDATE_DOCKERFILE_HADOLINT=false \ 
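Review bot: In the `load-iib` recipe the guard `[ x$(INDEX_IMAGES) != x ]` leaves the value unquoted, and the list is split with `$(shell ...)` at make-parse time rather than in the recipe's own shell; `if [ -n "$(INDEX_IMAGES)" ]; then for IIB in $$(echo "$(INDEX_IMAGES)" | tr ',' ' '); do` keeps the whole thing in one shell and tolerates stray whitespace. The `set -e` does take effect because the loop is one logical line, so a failing `ansible-playbook` run stops the remaining images, which looks intended and could be stated in the `##` help text. The hunk also leaves two blank lines before `##@ Validation Tasks` where the file otherwise uses one.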
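Review bot: `KUBECONFORM_SKIP` now also skips `ClusterIssuer,CertManager,Certificate,ArgoCD`, but the comment on the following line still explains only `CustomResourceDefinition`; extend it, e.g. `# ClusterIssuer/CertManager/Certificate/ArgoCD are skipped too, presumably because ocp-schemas has no schema for them - re-check when the schema set grows`. These are precisely the kinds carrying TLS and GitOps configuration, so recording why they go unvalidated matters more than for generic CRDs.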
@@ -130,11 +146,12 @@ super-linter: ## Runs super linter locally $(DISABLE_LINTERS) \ -v $(PWD):/tmp/lint:rw,z \ -w /tmp/lint \ - docker.io/github/super-linter:slim-v4 + docker.io/github/super-linter:slim-v5 .PHONY: ansible-lint ansible-lint: ## run ansible lint on ansible/ folder - podman run -it -v $(PWD):/workspace:rw,z --workdir /workspace --entrypoint "/usr/local/bin/ansible-lint" quay.io/ansible/creator-ee:latest "-vvv" "ansible/" + podman run -it -v $(PWD):/workspace:rw,z --workdir /workspace --env ANSIBLE_CONFIG=./ansible/ansible.cfg \ + --entrypoint "/usr/local/bin/ansible-lint" quay.io/ansible/creator-ee:latest "-vvv" "ansible/" .PHONY: ansible-unittest ansible-unittest: ## run ansible unit tests diff --git a/common/acm/templates/_helpers.tpl b/common/acm/templates/_helpers.tpl new file mode 100644 index 00000000..fdd91273 --- /dev/null +++ b/common/acm/templates/_helpers.tpl 
@@ -0,0 +1,13 @@ +{{/* +Default always defined valueFiles to be included when pushing the cluster wide argo application via acm +*/}} +{{- define "acm.app.policies.valuefiles" -}} +- "/values-global.yaml" +- "/values-{{ .name }}.yaml" +- '/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}.yaml' +- '/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}-{{ `{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}` }}.yaml' +- '/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}-{{ .name }}.yaml' +# We cannot use $.Values.global.clusterVersion because that gets resolved to the +# hub's cluster version, whereas we want to include the spoke cluster version +- '/values-{{ `{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}` }}-{{ .name }}.yaml' +{{- end }} {{- /*acm.app.policies.valuefiles */}} diff --git a/common/acm/templates/multiclusterhub.yaml b/common/acm/templates/multiclusterhub.yaml index f925d5a6..79ef9339 100644 --- a/common/acm/templates/multiclusterhub.yaml +++ b/common/acm/templates/multiclusterhub.yaml @@ -5,4 +5,7 @@ metadata: namespace: open-cluster-management annotations: argocd.argoproj.io/sync-wave: "-1" + {{- if kindIs "map" .Values.clusterGroup.subscriptions }} + installer.open-cluster-management.io/mce-subscription-spec: '{"source": "{{ default "redhat-operators" .Values.clusterGroup.subscriptions.acm.source }}" }' + {{- end }} spec: {} 
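Review bot: The header comment on `acm.app.policies.valuefiles` lists what is included but not the calling contract: the template emits a column-0 YAML sequence fragment, reads `.name` from its context, and expects the caller to re-indent it, as `application-policies.yaml` does with `nindent 24`. A sentence like `Emits a column-0 YAML list; call with the application entry as context and pipe through nindent to the valueFiles indentation` in the header would stop a second caller including it at the wrong depth. The nested-backtick idiom that defers the `lookup` calls to the spoke cluster also deserves one line of explanation, since the existing note only covers `clusterVersion`.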
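Review bot: The guard `kindIs "map" .Values.clusterGroup.subscriptions` only checks that `subscriptions` is a map; when it has no `acm` key, `.Values.clusterGroup.subscriptions.acm.source` aborts rendering with a nil-pointer error before `default` can supply `redhat-operators`, so the annotation is not as optional as the `if` suggests. Tightening the condition to `{{- if and (kindIs "map" .Values.clusterGroup.subscriptions) .Values.clusterGroup.subscriptions.acm }}`, or reading the value with Sprig's `dig "acm" "source" "redhat-operators" .Values.clusterGroup.subscriptions` if the Helm in use has it, keeps the fallback reachable. The annotation value is also hand-assembled JSON, so a `source` containing a double quote yields an invalid string; `toJson` on a small dict avoids that.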
diff --git a/common/acm/templates/policies/application-policies.yaml b/common/acm/templates/policies/application-policies.yaml index 0cb10ae0..5bc5de6a 100644 --- a/common/acm/templates/policies/application-policies.yaml +++ b/common/acm/templates/policies/application-policies.yaml @@ -43,14 +43,7 @@ spec: helm: ignoreMissingValueFiles: true valueFiles: - - "/values-global.yaml" - - "/values-{{ .name }}.yaml" - - '/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}.yaml' - - '/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}-{{ `{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}` }}.yaml' - - '/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}-{{ .name }}.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ `{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}` }}-{{ .name }}.yaml' + {{- include "acm.app.policies.valuefiles" . | nindent 24 }} {{- range $valueFile := .extraValueFiles }} - {{ $valueFile | quote }} {{- end }} @@ -95,6 +88,8 @@ spec: automated: prune: false selfHeal: true + retry: + limit: {{ default 20 $.Values.global.options.applicationRetryLimit }} ignoreDifferences: - group: apps kind: Deployment diff --git a/common/acm/templates/provision/_install-config.tpl b/common/acm/templates/provision/_install-config.tpl index 39aa03eb..b0336627 100644 
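Review bot: `retry.limit` is added without a `backoff` block, so Argo CD's default backoff applies, and the `default 20` here duplicates the default this commit also sets in the chart's `global.options.applicationRetryLimit`; neither the template nor `values.yaml` explains which one is authoritative. A comment above `retry:` such as `# Sync retry count: global.options.applicationRetryLimit overrides the 20 fallback; backoff is Argo's default` ties the two together. If a per-application `.syncPolicy` is meant to override this as the changelog says, that presumably happens elsewhere in the template, outside this hunk.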
--- a/common/acm/templates/provision/_install-config.tpl +++ b/common/acm/templates/provision/_install-config.tpl @@ -24,7 +24,10 @@ controlPlane: name: controlPlane {{- if .controlPlane }} replicas: {{ default 3 .controlPlane.count }} - platform: {{- .controlPlane.platform | toPrettyJson }} + {{- if .controlPlane.platform }} + platform: + {{- toYaml .controlPlane.platform | nindent 4 }} + {{- end }} {{- else }} replicas: 3 platform: @@ -36,8 +39,11 @@ compute: architecture: amd64 name: 'worker' {{- if .workers }} - replicas: {{ default 3 .workers.count }} - platform: {{- .workers.platform | toPrettyJson }} + replicas: {{ default 0 .workers.count }} + {{- if .workers.platform }} + platform: + {{- toYaml .workers.platform | nindent 4 }} + {{- end }} {{- else }} replicas: 3 platform: @@ -50,10 +56,11 @@ networking: hostPrefix: 23 machineNetwork: - cidr: 10.0.0.0/16 - networkType: OpenShiftSDN + networkType: OVNKubernetes serviceNetwork: - 172.30.0.0/16 -platform: {{ .platform | toPrettyJson }} +platform: +{{- toYaml .platform | nindent 2 }} pullSecret: "" # skip, hive will inject based on it's secrets sshKey: "" # skip, hive will inject based on it's secrets -{{- end -}} \ No newline at end of file +{{- end -}} diff --git a/common/acm/templates/provision/clusterpool.yaml b/common/acm/templates/provision/clusterpool.yaml index 31a22224..e2f9d3d1 100644 --- a/common/acm/templates/provision/clusterpool.yaml +++ b/common/acm/templates/provision/clusterpool.yaml @@ -19,6 +19,7 @@ spec: {{- $cloud := "None" }} {{- $region := "None" }} +{{- $numClusters := 0 }} {{- if .platform.aws }} {{- $cloud = "aws" }} @@ -28,6 +29,10 @@ spec: {{- $region = .platform.azure.region }} {{- end }} +{{- if .clusters }} +{{- $numClusters = len .clusters }} +{{- end }} + apiVersion: hive.openshift.io/v1 kind: ClusterPool metadata: 
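Review bot: In the `compute` section the fallback for `.workers.count` changes from 3 to 0, while the `{{- else }}` branch a few lines below still hard-codes `replicas: 3`, so a cluster definition with a `workers` block that omits `count` now gets zero worker nodes whereas one that omits `workers` entirely still gets three. The `controlPlane` branch in the previous hunk keeps `default 3`, which makes the change to 0 here look accidental; if it is intentional, a comment such as `# a workers block without count means no workers; omitting workers keeps the 3-node default` should say so, otherwise the two branches should agree. Note also that `default` treats an explicit `count: 0` the same as a missing one, which is harmless now that both yield 0.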
@@ -44,14 +49,14 @@ spec: {{- if .size }} size: {{ .size }} {{- else }} - size: {{ len .clusters }} + size: {{ $numClusters }} {{- end }} - runningCount: {{ len .clusters }} + runningCount: {{ $numClusters }} baseDomain: {{ .baseDomain }} installConfigSecretTemplateRef: name: {{ $poolName }}-install-config imageSetRef: - name: img{{ .openshiftVersion }}-x86-64-appsub + name: img{{ .openshiftVersion }}-multi-appsub pullSecretRef: name: {{ $poolName }}-pull-secret skipMachinePools: true # Disable MachinePool as using custom install-config @@ -65,13 +70,13 @@ spec: apiVersion: hive.openshift.io/v1 kind: ClusterClaim metadata: - name: '{{ . }}-{{ $group.name }}' + name: '{{ lower . }}-{{ lower $group.name }}' annotations: argocd.argoproj.io/sync-wave: "20" argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true cluster.open-cluster-management.io/createmanagedcluster: "true" labels: - clusterClaimName: {{ . }}-{{ $group.name }} + clusterClaimName: {{ lower . }}-{{ lower $group.name }} {{- if (not $group.acmlabels) }} clusterGroup: {{ $group.name }} {{- else if eq (len $group.acmlabels) 0 }} @@ -82,7 +87,7 @@ metadata: {{- end }} {{- end }} spec: - clusterPoolName: {{ $pool.name }} + clusterPoolName: {{ $poolName }} --- {{- end }}{{- /* range .range clusters */}} {{- end }}{{- /* range .clusterPools */}} diff --git a/common/acm/values.yaml b/common/acm/values.yaml index b7c27d88..7c4a19c0 100644 --- a/common/acm/values.yaml +++ b/common/acm/values.yaml @@ -6,9 +6,13 @@ global: pattern: none repoURL: none targetRevision: main - + options: + applicationRetryLimit: 20 clusterGroup: + subscriptions: + acm: + source: redhat-operators managedClusterGroups: # testRegion: # name: region-one diff --git a/common/ansible/ansible.cfg b/common/ansible/ansible.cfg index 4cceda11..652feb98 100644 --- a/common/ansible/ansible.cfg +++ b/common/ansible/ansible.cfg 
@@ -1,5 +1,4 @@ [defaults] -display_skipped_hosts=False localhost_warning=False library=./plugins/modules:~/.ansible/plugins/modules:/usr/share/ansible/plugins/modules roles_path=./roles:~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles diff --git a/common/ansible/playbooks/acm/acmhub-get-ca.yaml b/common/ansible/playbooks/acm/acmhub-get-ca.yaml index 8c6d2684..770333ff 100644 --- a/common/ansible/playbooks/acm/acmhub-get-ca.yaml +++ b/common/ansible/playbooks/acm/acmhub-get-ca.yaml @@ -1,7 +1,8 @@ # This playbook fetches the hub cluster's CAbundle from ACM's objects # and puts it in a secret inside the imperative namespace --- -- hosts: localhost +- name: ACM Get Hub CA + hosts: localhost connection: local gather_facts: false become: false diff --git a/common/ansible/playbooks/hello-world/hello-world.yaml b/common/ansible/playbooks/hello-world/hello-world.yaml new file mode 100644 index 00000000..c0a992a7 --- /dev/null +++ b/common/ansible/playbooks/hello-world/hello-world.yaml @@ -0,0 +1,23 @@ +# This playbook is a simple hello-world playbook to show capabilities +# It creates a config-map inside the imperative namespace containing +# the helm variable "global.clusterDomain" +--- +- name: Hello World Example + hosts: localhost + connection: local + gather_facts: false + become: false + vars: + ns: imperative + tasks: + - name: Create secret with managed cluster's CA + kubernetes.core.k8s: + state: present + definition: + kind: ConfigMap + apiVersion: v1 + metadata: + name: "hello-world" + namespace: "{{ ns }}" + data: + hello-cluster-domain: "{{ global['clusterDomain'] }}" diff --git a/common/ansible/playbooks/iib-ci/iib-ci.yaml b/common/ansible/playbooks/iib-ci/iib-ci.yaml new file mode 100644 index 00000000..dc6e45cb --- /dev/null +++ b/common/ansible/playbooks/iib-ci/iib-ci.yaml @@ -0,0 +1,8 @@ +# This playbook invokes the iib_ci role +--- +- name: IIB CI playbook + hosts: localhost + connection: local + gather_facts: false + roles: + - iib_ci 
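Review bot: The task name `Create secret with managed cluster's CA` in `hello-world.yaml` describes the acmhub-get-ca playbook, not what this task does, which is creating a ConfigMap named `hello-world` holding `global.clusterDomain`. Rename it to `- name: Create hello-world ConfigMap with the cluster domain` so playbook output matches the resource it touches. The task also reads `global['clusterDomain']` without a default, so running the example outside the pattern's imperative framework fails on an undefined variable; a comment saying where `global` is injected from would help anyone copying this as a starting point.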
diff --git a/common/ansible/playbooks/iib-ci/lookup.yml b/common/ansible/playbooks/iib-ci/lookup.yml new file mode 100644 index 00000000..f7e42ca4 --- /dev/null +++ b/common/ansible/playbooks/iib-ci/lookup.yml @@ -0,0 +1,46 @@ +--- +- name: IIB CI playbook + hosts: localhost + connection: local + gather_facts: false + vars: + rh_url: "https://datagrepper.engineering.redhat.com/raw?topic=/topic/VirtualTopic.eng.ci.redhat-container-image.index.built&contains=%s&rows_per_page=20" + operator: "openshift-gitops-1-gitops-operator-bundle" + ocp_versions: {} + tasks: + - name: Set url fact + ansible.builtin.set_fact: + url: "{{ rh_url | format(operator + ':v') }}" + + - name: Fetch URI + ansible.builtin.uri: + url: "{{ url }}" + return_content: true + register: jsoncontent + + - name: Setting content + ansible.builtin.set_fact: + content: "{{ jsoncontent['content'] | from_json }}" + + - name: Set messages fact + ansible.builtin.set_fact: + raw_messages: "{{ content.raw_messages }}" + + # The when clause is because if we already have an IIB for an ocp version we do not + # want to override it (combine will always override existing keys) + # Reason for this is that the messages are sorted last first and we only want the + # last entries + - name: Set output + ansible.builtin.set_fact: + ocp_versions: "{{ ocp_versions | combine({item['msg']['index']['ocp_version']: {'indeximage': item['msg']['index']['index_image'], 'bundleimage': item['msg']['index']['added_bundle_images'][0]}}) }}" + loop: "{{ raw_messages }}" + when: item['msg']['index']['ocp_version'] is not in ocp_versions + loop_control: + label: "{{ item['msg']['index']['ocp_version'] }}" + + - name: Print OCP versions for "{{ operator }}" + ansible.builtin.debug: + msg: "{{ item.key }} -> {{ item.value }}" + loop: "{{ ocp_versions | dict2items }}" + loop_control: + label: "{{ item.key }}" 
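Review bot: The `Set output` task indexes `item['msg']['index']['added_bundle_images'][0]` and `['ocp_version']` for every message returned by the feed, so a single message lacking those keys, or with an empty `added_bundle_images`, aborts the whole lookup rather than being skipped; extending the `when` to also require `item.msg.index is defined` and `item.msg.index.added_bundle_images | length > 0` keeps the run alive. Since `ansible.builtin.uri` exposes the parsed body as `jsoncontent.json` when the response has a JSON content type, the separate `from_json` step on `content` is presumably redundant, though that is a style choice. The `rows_per_page=20` cap means older OCP versions can fall off the list silently; a comment next to `rh_url` stating that limit would save the next person a puzzle.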
diff --git a/common/ansible/roles/iib_ci/README.md b/common/ansible/roles/iib_ci/README.md new file mode 100644 index 00000000..1d8b447e --- /dev/null +++ b/common/ansible/roles/iib_ci/README.md 
@@ -0,0 +1,85 @@ +# IIB Utilities + +A set of ansible plays to fetch an IIB (Image Index Bundle, aka a container created by the operator sdk +that contains a bunch of references to operators that can be installed in an OpenShift cluster) + +Run `make lookup` to see which IIBs are available. + +Typically IIB are prerelease stuff that lives on some internal boxes. What these scripts do is fetch +the IIB internally, mirror it to the registry inside the cluster, parse all the needed images and mirror +those to the internal cluster registry and then set up the registries.conf files on all nodes so +that the images used are the ones pointing to the internal cluster. + +## Usage + +By default the operator to be installed from the IIB is `openshift-gitops-operator`. You can override this through the `OPERATOR` env variable. +For example, to mirror an operator into an existing cluster you would do the following: + +```sh +export KUBECONFIG=/tmp/foo/kubeconfig +export OPERATOR=openshift-gitops-operator +export IIB=492329 +export INDEX_IMAGES=registry-proxy.engineering.redhat.com/rh-osbs/iib:${IIB} +export KUBEADMINPASS="11111-22222-33333-44444" +# This will push the IIB and all the needed images for the default openshift-gitops-operator into the cluster +make load-iib +# This will install the pattern using the gitops operator from the IIB +``` + +Then in case of the `openshift-gitops-operator` we would install with: + +```sh +export CHANNEL=$(oc get -n openshift-marketplace packagemanifests -l "catalog=iib-${IIB}" --field-selector "metadata.name=${OPERATOR}" -o jsonpath='{.items[0].status.defaultChannel}') +make EXTRA_HELM_OPTS="--set main.gitops.operatorSource=iib-${IIB} --set main.gitops.channel=${CHANNEL}" install +``` + +To install ACM (`export OPERATOR=advanced-cluster-management`) or any other +operator (except the gitops one) from an IIB we would call the following as a +final step: + +```sh +export CHANNEL=$(oc get -n openshift-marketplace packagemanifests -l 
"catalog=iib-${IIB}" --field-selector "metadata.name=${OPERATOR}" -o jsonpath='{.items[0].status.defaultChannel}') +make EXTRA_HELM_OPTS="--set main.extraParameters[0].name=clusterGroup.subscriptions.acm.source --set main.extraParameters[0].value=iib-${IIB} --set main.extraParameters[1].name=clusterGroup.subscriptions.acm.channel --set main.extraParameters[1].value=${CHANNEL}" install +``` + +*Note*: This needs VP operator version >= 0.0.14 + +### OCP 4.13 and onwards + +Since 4.13 supports an internal registry that can cope with v2 docker manifests, we +use that. Run `make iib` with the following environment variables set: + +* `INDEX_IMAGES=registry-proxy.engineering.redhat.com/rh-osbs/iib:492329` +* `KUBEADMINPASS="11111-22222-33333-44444"` + +### OCP 4.12 and previous versions + +Due to the lack of v2 manifest support on the internal registry, we use an external +registry. Run `make iib` with the following environment variables set: + +* `INDEX_IMAGES=registry-proxy.engineering.redhat.com/rh-osbs/iib:492329` +* `REGISTRY=quay.io/rhn_support_mbaldess/iib` +* `REGISTRY_TOKEN=:` + +*Note*: For the REGISTRY_TOKEN go to your quay repository, add a robot with "Write" permissions. The robot created will have a "username" and "password" fields. Set the REGISTRY_TOKEN environment variable to that value. + +## Useful commands + +* List IIBs for an operator: + +```sh +ansible-playbook common/ansible/playbooks/iib-ci/lookup.yml +... +ok: [localhost] => (item=v4.13) => { + "msg": "v4.13 -> {'indeximage': 'registry-proxy.engineering.redhat.com/rh-osbs/iib:509435', 'bundleimage': 'registry-proxy.engineering.redhat.com/rh-osbs/openshift-gitops-1-gitops-operator-bundle:v99.9.0-106'}" +} +... +``` + +Override the `operator` value with the desired bundle name to figure out the last IIBs for it. 
+ +* List all images uploaded to the internal registry: + +```sh +oc exec -it -n openshift-image-registry $(oc get pods -n openshift-image-registry -o json | jq -r '.items[].metadata.name | select(. | test("^image-registry-"))' | head -n1) -- bash -c "curl -k -u kubeadmin:$(oc whoami -t) https://localhost:5000/v2/_catalog" +``` diff --git a/common/ansible/roles/iib_ci/defaults/main.yml b/common/ansible/roles/iib_ci/defaults/main.yml new file mode 100644 index 00000000..7605dba5 --- /dev/null +++ b/common/ansible/roles/iib_ci/defaults/main.yml @@ -0,0 +1,17 @@ +rh_internal_registry: registry-proxy.engineering.redhat.com +iib_image: "{{ lookup('env', 'INDEX_IMAGE') }}" + +external_registry: "{{ lookup('env', 'REGISTRY') }}" +external_registry_token: "{{ lookup('env', 'REGISTRY_TOKEN') }}" +external_registry_email: noemail@localhost + +kubeadminpass: "{{ lookup('env', 'KUBEADMINPASS') }}" + +internal_registry_ns: openshift-marketplace +internal_registry_email: noemail@localhost +internal_registry_user: registry-custom-user +internal_registry_pass: "{{ lookup('env', 'INTERNAL_REGISTRY_USER') }}" + +# We can use default(, true) below because OPERATOR is a string and not +# a boolean +operator: "{{ lookup('env', 'OPERATOR') | default('openshift-gitops-operator', true) }}" diff --git a/common/ansible/roles/iib_ci/handlers/main.yml b/common/ansible/roles/iib_ci/handlers/main.yml new file mode 100644 index 00000000..a983544d --- /dev/null +++ b/common/ansible/roles/iib_ci/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for vault_utils diff --git a/common/ansible/roles/iib_ci/meta/main.yml b/common/ansible/roles/iib_ci/meta/main.yml new file mode 100644 index 00000000..c9d7005d --- /dev/null +++ b/common/ansible/roles/iib_ci/meta/main.yml 
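Review bot: `internal_registry_pass` reads the `INTERNAL_REGISTRY_USER` environment variable, which by its name carries a username, while `internal_registry_user` is the literal `registry-custom-user`; this looks like a copy/paste slip, and the password should come from a password-specific variable (a constructed name such as `INTERNAL_REGISTRY_PASS`, to be chosen and documented, since the README hunk above does not mention it at all). The same file pulls `KUBEADMINPASS` and `REGISTRY_TOKEN` into role variables, so every task that uses them should carry `no_log: true` to keep them out of playbook output; those tasks are outside this hunk. A header comment listing the environment variables the role expects would keep `defaults/main.yml` and the README in step.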
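Review bot: The only content of `handlers/main.yml` is the comment `# handlers file for vault_utils`, copied from the other role; it should read `# handlers file for iib_ci`, or the file can be dropped since the role declares no handlers. Leaving a wrong role name in an otherwise empty file is the kind of thing that gets copied forward again.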
@@ -0,0 +1,29 @@ +galaxy_info: + author: Validated Patterns Team https://github.com/hybrid-cloud-patterns/ + description: Internal module to work with IIBs (Image Index Bundles) + + issue_tracker_url: https://github.com/hybrid-cloud-patterns/common/issues + license: Apache-2.0 + min_ansible_version: "2.1" + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + platforms: + - name: Fedora + versions: + - all + - name: Ubuntu + versions: + - all + - name: Debian + versions: + - all + - name: EL + versions: + - "8" + - "9" + + galaxy_tags: [] + +dependencies: [] diff --git a/common/ansible/roles/iib_ci/tasks/fetch-operator-images.yml b/common/ansible/roles/iib_ci/tasks/fetch-operator-images.yml new file mode 100644 index 00000000..10f083e9 --- /dev/null +++ b/common/ansible/roles/iib_ci/tasks/fetch-operator-images.yml 
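Review bot: `min_ansible_version: "2.1"` understates what the role needs: its tasks use `ansible.builtin.*` fully-qualified module names (see `fetch-operator-images.yml` below), which only exist from ansible-core 2.10 onwards, so older installs fail with an unknown-module error rather than a clear version message. Set it to the version the role is actually tested with. The `platforms` list claiming every Fedora, Ubuntu and Debian release is likewise template boilerplate and could be trimmed to what CI exercises.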
@@ -0,0 +1,95 @@ +# This task fetches all the images given an operator name +# the operator name is defined in the variable "item". This +# set of tasks is to be included in a loop that goes over the +# needed operators +- name: Get default channel in the IIB for "{{ item }}" + ansible.builtin.shell: | + oc get -n "{{ internal_registry_ns }}" packagemanifests -l "catalog=iib-{{ iib }}" --field-selector "metadata.name={{ item }}" \ + -o jsonpath='{.items[0].status.defaultChannel}' + register: default_channel_raw + retries: 10 + delay: 10 + until: default_channel_raw is not failed + +- name: Set default channel fact + ansible.builtin.set_fact: + default_channel: "{{ default_channel_raw.stdout }}" + +- name: Get all related images in the IIB for "{{ item }}" + ansible.builtin.shell: | + oc get packagemanifests -l "catalog=iib-{{ iib }}" --field-selector "metadata.name={{ item }}" \ + -o jsonpath="{.items[0].status.channels[?(@.name==\"{{ default_channel }}\")].currentCSVDesc.relatedImages}" + register: related_images_raw + +- name: Set related_images fact + ansible.builtin.set_fact: + related_images: "{{ related_images_raw.stdout }}" + +# NOTE(bandini) +# The following code is here to fund out what the operator bundle image is and to make +# sure it is on the internal registry. +# This is all potentially hacky, but so far I could not find a single place in the cluster +# where the olm.bundle image is available. The info is in there in the IIB, but it certainly +# is not in any package manifest nor catalogsource. 
This is why we resort to invoking opm +# alpha commands inside the IIB image locally +- name: Pull the IIB locally + ansible.builtin.command: + podman pull "{{ iib_image }}" + +# $ opm alpha list channels /configs advanced-cluster-management +# PACKAGE CHANNEL HEAD +# advanced-cluster-management release-2.7 advanced-cluster-management.v2.7.4 +# advanced-cluster-management release-2.8 advanced-cluster-management.v2.8.0-130 +- name: Read the operator bundle from the default channel + ansible.builtin.shell: | + set -o pipefail + podman run -it --rm "{{ iib_image }}" alpha list channels /configs "{{ item }}" | grep --word-regexp "{{ default_channel }}" | awk '{ print $3 }' + register: bundle_channel_raw + +- name: Set bundle fact + ansible.builtin.set_fact: + bundle_channel: "{{ bundle_channel_raw.stdout }}" + +- name: Fail if bundle_channel is empty + ansible.builtin.fail: + msg: "Failed to find bundle from channel: {{ bundle_channel_raw }}" + when: > + (bundle_channel is not defined) or (bundle_channel | length == 0) + +# $ opm alpha list bundles /configs advanced-cluster-management +# PACKAGE CHANNEL BUNDLE REPLACES SKIPS SKIP RANGE IMAGE +# advanced-cluster-management release-2.7 advanced-cluster-management.v2.7.0 >=2.6.0 <2.7.0 registry.stage.redhat.io/rhacm2/acm-operator-bundle@sha256:f63d0a9a0e3dc9d86e84279c50e9c613d8430e71a3821d418e168250ca3b747c +# advanced-cluster-management release-2.7 advanced-cluster-management.v2.7.1 advanced-cluster-management.v2.7.0 >=2.6.0 <2.7.1 registry.stage.redhat.io/rhacm2/acm-operator-bundle@sha256:a81a574f2f22d37681c44fe0c3b958074408705415de333de54d120145537533 +# advanced-cluster-management release-2.7 advanced-cluster-management.v2.7.2 advanced-cluster-management.v2.7.1 >=2.6.0 <2.7.2 registry.stage.redhat.io/rhacm2/acm-operator-bundle@sha256:8a2c758689eaebe6a287315ca18fd9122f323e195ea3410db005b6a449060fad +# advanced-cluster-management release-2.7 advanced-cluster-management.v2.7.3 advanced-cluster-management.v2.7.2 >=2.6.0 
<2.7.3 registry.stage.redhat.io/rhacm2/acm-operator-bundle@sha256:208f4d9473a923817c102bb7e5f138d3e1e8ed3057a23a220ffa8fe9c0c27128 +# advanced-cluster-management release-2.7 advanced-cluster-management.v2.7.4 advanced-cluster-management.v2.7.3 >=2.6.0 <2.7.4 registry.stage.redhat.io/rhacm2/acm-operator-bundle@sha256:75b6438e08800b2e3608aeb01c1c0a68810108d9905fff35916afd21e6d32685 +# advanced-cluster-management release-2.8 advanced-cluster-management.v2.8.0-130 >=2.7.0 <2.8.0-130 registry.stage.redhat.io/rhacm2/acm-operator-bundle@sha256:6c385aa69256cdd964ae9e79e52ce52e1048391f0557af59843326c4ebe9bec0 +- name: Get bundle image + ansible.builtin.shell: | + set -o pipefail + podman run -it --rm "{{ iib_image }}" alpha list bundles /configs "{{ item }}" | grep -e "{{ default_channel }}\s\+{{ bundle_channel }}" | awk '{ print $NF }' + register: bundle_image_raw + +- name: Set bundle image fact + ansible.builtin.set_fact: + bundle_image: "{{ bundle_image_raw.stdout }}" + +- name: Fail if bundle_image is empty + ansible.builtin.fail: + msg: "Failed to find bundle image: {{ bundle_image_raw }}" + when: > + (bundle_image is not defined) or (bundle_image | length == 0) + +# all_images will be a list as follows: +# [ "registry.redhat.io/rh-sso-7/sso75-openshift-rhel8@sha256:d5829e880db4b82a50a4962d61ea148522a93644174931b256d7ad866eadcf40", +# "registry.redhat.io/openshift-gitops-1/gitops-rhel8@sha256:5ff915a399c1cc12d4f932652b410bf7399850934833e755267bdd409f4ce11b", +# "registry.redhat.io/openshift-gitops-1/argocd-rhel8@sha256:81e0574159c6aaabe7125d27782a5e6e5e72383a4a0ba76b44d465f3a3098759", +# "registry.redhat.io/rhel8/redis-6@sha256:53598a6effeb90e4f1b005b2521beffd2fa2b0c52d0e7f2347ee2abd2577cab3", +# "registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator@sha256:efbfb010f24894f715a50832a4b3d2cdc221f283cbbdca05e388850586e9d792", +# "registry.redhat.io/openshift4/ose-haproxy-router@sha256:edf7ce748b703e195220b7bd7b42fa2caa4cdfd96840445e096036a0d85f1ff2", +# 
"registry.redhat.io/openshift-gitops-1/kam-delivery-rhel8@sha256:10c5a1b6a0858a812117e6fb2b28d37617d9eb83da5e4fb647059ff740a14461", +# "registry.redhat.io/openshift-gitops-1/dex-rhel8@sha256:6a3eaee6a4f8cb9a35363bf4c7f83a7fa2042ae62bdaa700ecd0893dd52276f5", +# "registry-proxy.engineering.redhat.com/rh-osbs/openshift-gitops-1-gitops-operator-bundle@sha256:e463314596098a4e774e0dda..." ] +- name: Set all images fact (related images + operator bundles) + ansible.builtin.set_fact: + all_images: "{{ all_images + related_images + [bundle_image] }}" diff --git a/common/ansible/roles/iib_ci/tasks/install-iib-in-cluster.yml b/common/ansible/roles/iib_ci/tasks/install-iib-in-cluster.yml new file mode 100644 index 00000000..4b39184c --- /dev/null +++ b/common/ansible/roles/iib_ci/tasks/install-iib-in-cluster.yml 
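Review bot: `set -o pipefail` in the 'Read the operator bundle from the default channel' and 'Get bundle image' tasks is a bash feature, but `ansible.builtin.shell` runs `/bin/sh` unless told otherwise, so on a controller where `/bin/sh` is dash the task fails before the pipeline runs; each shell task using it needs `args: executable: /bin/bash` (the same applies to the `set -o pipefail` and `&>` redirections in mirror-related-images.yml). `podman run -it --rm` requests a TTY in a context that has none, which podman may warn about or misbehave on — `-i` alone, or neither flag, is enough for a one-shot `opm alpha list` invocation. The 'Get all related images' task omits the `-n "{{ internal_registry_ns }}"` that the first task passes, so it depends on whatever namespace the current context happens to have. Since the IIB is executed locally straight from `iib_image` as supplied by INDEX_IMAGE, logging the digest podman resolved for the tag would at least make each run attributable to a specific index content.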
@@ -0,0 +1,52 @@
+- name: Remove manifest folder "{{ iib_local_folder }}"
+ ansible.builtin.file:
+ path: "{{ iib_local_folder }}"
+ state: absent
+
+- name: Create manifest folder "{{ iib_local_folder }}"
+ ansible.builtin.file:
+ path: "{{ iib_local_folder }}"
+ state: directory
+ mode: "0755"
+
+# This generates files in /tmp/manifest-IIB:
+# - mapping.txt
+# - catalogSource.yaml
+# - imageContentSourcePolicy.yaml
+- name: Mirror catalog manifests only to "{{ iib_local_folder }}"
+ ansible.builtin.shell: |
+ oc adm catalog mirror --insecure --manifests-only --to-manifests=. \
+ "{{ iib_image }}" "{{ rh_internal_registry }}/rh-osbs" > catalog.log 2>&1
+ args:
+ chdir: "{{ iib_local_folder }}"
+
+- name: Mirror IIB to "{{ mirror_iib }}"
+ ansible.builtin.shell: |
+ oc image mirror -a "{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" \
+ "{{ iib_image }}={{ mirror_iib }}" --insecure --keep-manifest-list 2>&1
+ args:
+ chdir: "{{ iib_local_folder }}"
+ register: oc_mirror_result
+ retries: 10
+ delay: 5
+ until: oc_mirror_result is not failed
+
+- name: Template mirrored catalogsource
+ ansible.builtin.template:
+ src: ./templates/catalogSource.yaml.j2
+ dest: "{{ iib_local_folder }}/mirrored-catalogsource.yaml"
+ mode: "0644"
+
+- name: Apply mirrored catalogsource
+ ansible.builtin.shell: |
+ oc apply -f "{{ iib_local_folder }}/mirrored-catalogsource.yaml"
+
+- name: Wait for catalogsource to show up
+ ansible.builtin.shell: |
+ oc get -n "{{ internal_registry_ns }}" packagemanifests -l "catalog=iib-{{ iib }}" --field-selector "metadata.name={{ operator }}" \
+ -o jsonpath='{.items[0].status.defaultChannel}'
+ register: oc_catalogsource_result
+ retries: 30
+ delay: 10
+ until: oc_catalogsource_result is not failed
+ changed_when: false
diff --git a/common/ansible/roles/iib_ci/tasks/main.yml b/common/ansible/roles/iib_ci/tasks/main.yml
new file mode 100644
index 00000000..ba6eb7c8
--- /dev/null
+++ b/common/ansible/roles/iib_ci/tasks/main.yml
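Review bot: Both `oc adm catalog mirror --insecure` and `oc image mirror ... --insecure` switch off TLS verification for every registry touched by the operation — the source `iib_image`, `rh_internal_registry` and the destination — not only for a cluster route with a self-signed certificate, and on the external-registry path (`mirror_iib` coming from REGISTRY) there is no visible reason to need the flag at all. Because `iib_image` and the resulting `mirror_iib:{{ iib }}` CatalogSource are tag references rather than digests, registry TLS is the only integrity control on the index that decides which operator bundles get installed, so consider dropping `--insecure` where the endpoint has a valid certificate or gating it on `use_internal_registry`. Separately, 'Apply mirrored catalogsource' is a `shell` task with no `changed_when`, so it reports changed on every run; `ansible.builtin.command` plus `changed_when: "'configured' in oc_apply_result.stdout"` (or at least `changed_when: false`) would be accurate.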
@@ -0,0 +1,43 @@
+- name: Check that INDEX_IMAGE env variable is set
+ ansible.builtin.fail:
+ msg: "INDEX_IMAGE: '{{ iib_image }}' is not set"
+ failed_when:
+ (iib_image is not defined or iib_image | length == 0)
+
+- name: Set IIB fact
+ ansible.builtin.set_fact:
+ iib: "{{ iib_image.split(':')[1] }}"
+
+- name: Set IIB local folder fact
+ ansible.builtin.set_fact:
+ iib_local_folder: "/tmp/manifest-{{ iib }}"
+
+- name: Get cluster version
+ # E.g. 4.13.0-rc.6 or 4.12.16
+ ansible.builtin.shell: |
+ oc get openshiftcontrollermanager/cluster -o yaml -o jsonpath='{.status.version}'
+ register: oc_version_raw
+ changed_when: false
+
+- name: Is OCP pre OCP 4.13? (aka registry supports v2 manifests)
+ ansible.builtin.set_fact:
+ use_internal_registry: "{{ oc_version_raw.stdout is version('4.13', '>=') }}"
+
+- name: Set up internal registry (OCP >= 4.13)
+ ansible.builtin.include_tasks: setup-internal-registry.yml
+ when: use_internal_registry
+
+- name: Set up external registry (OCP < 4.13)
+ ansible.builtin.include_tasks: setup-external-registry.yml
+ when: not use_internal_registry
+
+- name: Install new IIB in cluster
+ ansible.builtin.include_tasks: install-iib-in-cluster.yml
+
+- name: Mirror all related images
+ ansible.builtin.include_tasks: mirror-related-images.yml
+
+- name: Remove pullsecrets tempfolder
+ ansible.builtin.file:
+ path: "{{ pull_secrets_tempfolder.path }}"
+ state: absent
diff --git a/common/ansible/roles/iib_ci/tasks/mirror-related-images.yml b/common/ansible/roles/iib_ci/tasks/mirror-related-images.yml
new file mode 100644
index 00000000..821e4be0
--- /dev/null
+++ b/common/ansible/roles/iib_ci/tasks/mirror-related-images.yml
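Review bot: `iib: "{{ iib_image.split(':')[1] }}"` takes the second colon-separated field, which is the tag only when the registry host has no port; for a reference of the form `host:5000/ns/iib:123456` (constructed example) it yields `5000/ns/iib`, which then flows into the `iib-{{ iib }}` CatalogSource name (invalid as a Kubernetes name because of the slashes) and the `/tmp/manifest-{{ iib }}` path. `iib: "{{ iib_image.split(':')[-1] }}"` handles the port case; a digest reference (`@sha256:...`) would still need its own handling, and the 'Check that INDEX_IMAGE env variable is set' task is the natural place to reject references without a tag. `iib_local_folder` is a predictable path under /tmp that is removed and recreated on every run, so on a shared CI host another local user can pre-create it; `ansible.builtin.tempfile`, which the pull-secret folder already uses, would avoid that. The `oc get ... -o yaml -o jsonpath=...` in 'Get cluster version' passes `-o` twice; only the last one takes effect, so `-o yaml` can be dropped.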
@@ -0,0 +1,226 @@ +# This is needed because some operators like "advanced-cluster-management" +# install a second operator "multicluster-engine" +- name: Set operators list + ansible.builtin.set_fact: + operator_list: "{{ [operator] + (operator == 'advanced-cluster-management') | ternary(['multicluster-engine'], []) }}" + +- name: Set all images to empty list + ansible.builtin.set_fact: + all_images: [] + +- name: Fetch operator images tasks + ansible.builtin.include_tasks: fetch-operator-images.yml + loop: "{{ operator_list }}" + +- name: Print all_images + ansible.builtin.debug: + msg: "{{ all_images }}" + +# A mapping.txt file will have lines like the following. Note how the image to the right of '=' +# does have a shortened hash! : +# registry.redhat.io/openshift-gitops-1/gitops-rhel8@sha256:5ff...=registry-proxy.engineering.redhat.com/rh-osbs/openshift-gitops-1-gitops-rhel8:8256cca6 +# registry.redhat.io/openshift4/ose-haproxy-router@sha256:edf..=registry-proxy.engineering.redhat.com/rh-osbs/openshift4-ose-haproxy-router:a636cbea +# +# Now what we are doing here is the following: +# 1. For every image we get from the bundle (contained in all_images var) we check if it exists. If it does great, skip to the next image +# 2. If the image was not found above, we take the corresponding URL on the right hand side of the '=' sign in mapping.txt +# except that we drop the hash that exists on the right hand-side and just use the one we were given with the image. +# If the image is found, great. 
If not we need to error out because we have no idea where we can fetch it from +- name: Find out which images really exist by consulting mapping.txt + ansible.builtin.shell: | + set -o pipefail + left_sha=$(echo "{{ image }}" | sed -e 's/^.*@//') + right=$(grep "{{ image }}" "{{ iib_local_folder }}/mapping.txt" | cut -f2 -d=) + right_base=$(echo $right | sed -e 's/:.*$//' -e 's/@.*$//') + right_log=$(echo "${right_base}@${left_sha}" | sed -e 's/\//-/g') + if skopeo inspect --authfile "{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" --no-tags docker://"{{ image }}" &> /tmp/skopeo-"{{ image | regex_replace('/', '-') }}".log; then + echo "{{ image }}" + elif skopeo inspect --authfile "{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" --no-tags docker://"${right_base}@${left_sha}" &> "/tmp/skopeo-${right_log}.log"; then + echo "${right_base}@${left_sha}" + else + echo "ERROR: both {{ image }} and echo ${right_base}@${left_sha} could not be found" + exit 1 + fi + register: all_existing_images + with_items: "{{ all_images }}" + loop_control: + loop_var: image + +# The dictionary below will be in the following form: +# { +# "registry-proxy.engineering.redhat.com/rh-osbs/openshift-gitops-1-gitops-operator-bundle@sha256:e463314596098a4e774e0ddaed0009bfdad4d79b664e28fef219c796679ee6a0": { +# "source": "registry-proxy.engineering.redhat.com/rh-osbs/openshift-gitops-1-gitops-operator-bundle@sha256:e463314596098a4e774e0ddaed0009bfdad4d79b664e28fef219c796679ee6a0" +# }, +# "registry.redhat.io/openshift-gitops-1/argocd-rhel8@sha256:81e0574159c6aaabe7125d27782a5e6e5e72383a4a0ba76b44d465f3a3098759": { +# "source": "registry-proxy.engineering.redhat.com/rh-osbs/openshift-gitops-1-argocd-rhel8@sha256:81e0574159c6aaabe7125d27782a5e6e5e72383a4a0ba76b44d465f3a3098759" +# }, +# "registry.redhat.io/openshift-gitops-1/dex-rhel8@sha256:6a3eaee6a4f8cb9a35363bf4c7f83a7fa2042ae62bdaa700ecd0893dd52276f5": { +# "source": 
"registry-proxy.engineering.redhat.com/rh-osbs/openshift-gitops-1-dex-rhel8@sha256:6a3eaee6a4f8cb9a35363bf4c7f83a7fa2042ae62bdaa700ecd0893dd52276f5" +# }, +# "registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator@sha256:efbfb010f24894f715a50832a4b3d2cdc221f283cbbdca05e388850586e9d792": { +# "source": "registry-proxy.engineering.redhat.com/rh-osbs/openshift-gitops-1-gitops-rhel8-operator@sha256:efbfb010f24894f715a50832a4b3d2cdc221f283cbbdca05e388850586e9d792" +# }, +# "registry.redhat.io/openshift-gitops-1/gitops-rhel8@sha256:5ff915a399c1cc12d4f932652b410bf7399850934833e755267bdd409f4ce11b": { +# "source": "registry-proxy.engineering.redhat.com/rh-osbs/openshift-gitops-1-gitops-rhel8@sha256:5ff915a399c1cc12d4f932652b410bf7399850934833e755267bdd409f4ce11b" +# }, +# "registry.redhat.io/openshift-gitops-1/kam-delivery-rhel8@sha256:10c5a1b6a0858a812117e6fb2b28d37617d9eb83da5e4fb647059ff740a14461": { +# "source": "registry-proxy.engineering.redhat.com/rh-osbs/openshift-gitops-1-kam-delivery-rhel8@sha256:10c5a1b6a0858a812117e6fb2b28d37617d9eb83da5e4fb647059ff740a14461" +# }, +# "registry.redhat.io/openshift4/ose-haproxy-router@sha256:edf7ce748b703e195220b7bd7b42fa2caa4cdfd96840445e096036a0d85f1ff2": { +# "source": "registry.redhat.io/openshift4/ose-haproxy-router@sha256:edf7ce748b703e195220b7bd7b42fa2caa4cdfd96840445e096036a0d85f1ff2" +# }, +# "registry.redhat.io/rh-sso-7/sso75-openshift-rhel8@sha256:d5829e880db4b82a50a4962d61ea148522a93644174931b256d7ad866eadcf40": { +# "source": "registry.redhat.io/rh-sso-7/sso75-openshift-rhel8@sha256:d5829e880db4b82a50a4962d61ea148522a93644174931b256d7ad866eadcf40" +# }, +# "registry.redhat.io/rhel8/redis-6@sha256:53598a6effeb90e4f1b005b2521beffd2fa2b0c52d0e7f2347ee2abd2577cab3": { +# "source": "registry.redhat.io/rhel8/redis-6@sha256:53598a6effeb90e4f1b005b2521beffd2fa2b0c52d0e7f2347ee2abd2577cab3" +# } +# } +- name: Create dict with full image name+sha -> url where we will fetch it from + ansible.builtin.set_fact: + 
image_urls: "{{ image_urls | default({}) | combine({item: {'source': all_existing_images.results[counter].stdout, + 'source_nosha': all_existing_images.results[counter].stdout | regex_replace('@.*$', '')}}, recursive=true) }}" + loop: "{{ all_images }}" + loop_control: + index_var: counter + +- name: Create dict with full image name+sha -> mirror destination (OCP >= 4.13) + ansible.builtin.set_fact: + image_urls: "{{ image_urls | default({}) | combine({item: + {'mirrordest': mirror_dest + item | basename, + 'mirrordest_nosha': (mirror_dest + item | basename) | regex_replace('@.*$', ''), + 'mirrordest_tag': iib}}, recursive=true) }}" + loop: "{{ all_images }}" + when: use_internal_registry + +- name: Create dict with full image name+sha -> mirror destination (OCP < 4.13) + ansible.builtin.set_fact: + image_urls: "{{ image_urls | default({}) | combine({item: + {'mirrordest': mirror_dest + '@' + item | basename | regex_replace('^.*@', ''), + 'mirrordest_nosha': mirror_dest, + 'mirrordest_tag': 'tag-' + item | basename | regex_replace('^.*@sha256:', '')}}, recursive=true) }}" + loop: "{{ all_images }}" + when: not use_internal_registry + +- name: Create dict with full image name+sha -> image key without sha + ansible.builtin.set_fact: + image_urls: "{{ image_urls | default({}) | combine({item: {'image_nosha': item | regex_replace('@.*$', '')}}, recursive=true) }}" + loop: "{{ all_images }}" + +# At this point the dictionary looks as follows: +# "registry.redhat.io/rhel8/redis-6@sha256:53598a6effeb90e4f1b005b2521beffd2fa2b0c52d0e7f2347ee2abd2577cab3": { +# "mirrordest": "default-route-openshift-image-registry.apps.mcg-hub.blueprints.rhecoeng.com/openshift-marketplace/redis-6@sha256:535... 
+# "mirrordest_nosha": "default-route-openshift-image-registry.apps.mcg-hub.blueprints.rhecoeng.com/openshift-marketplace/redis-6", +# "source": "registry.redhat.io/rhel8/redis-6@sha256:53598a6effeb90e4f1b005b2521beffd2fa2b0c52d0e7f2347ee2abd2577cab3", +# "source_nosha": "registry.redhat.io/rhel8/redis-6" +# } +- name: Print dict with full images + ansible.builtin.debug: + msg: "{{ image_urls }}" + +# OCP 4.13 uses the new fangled "ImageDigestMirrorSet", older OCPs use "ImageContentSourcePolicy" +- name: Template out imageMirror.yaml (OCP >= 4.13) + ansible.builtin.template: + src: ./templates/imageDigestMirror.yaml.j2 + dest: "{{ iib_local_folder }}/imageMirror.yaml" + mode: "0644" + when: use_internal_registry + +- name: Template out imageMirror.yaml (OCP < 4.13) + ansible.builtin.template: + src: ./templates/imageContentSourcePolicy.yaml.j2 + dest: "{{ iib_local_folder }}/imageMirror.yaml" + mode: "0644" + when: not use_internal_registry + +- name: Template out mirror.map + ansible.builtin.template: + src: ./templates/mirror.map.j2 + dest: "{{ iib_local_folder }}/mirror.map" + mode: "0644" + +# NOTE(bandini): mirror.map *must* have a tag (we use the IIB number) on the image on the right side +# otherwise, the image will be uplaoded and will exist in S3 but it won't exist in the registry's catalog!! 
+- name: Mirror all the needed images + ansible.builtin.shell: | + set -o pipefail + oc image mirror -a "{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" -f mirror.map --insecure --keep-manifest-list 2>&1 | tee -a image-mirror.log + args: + chdir: "{{ iib_local_folder }}" + retries: 5 + delay: 2 + register: oc_mirror + until: oc_mirror is not failed + +- name: Fetch MCP observedGeneration worker + ansible.builtin.shell: + oc get mcp/worker -o jsonpath='{.status.observedGeneration}' + register: worker_observed_generation_raw + +- name: Fetch MCP machineCount worker + ansible.builtin.shell: + oc get mcp/worker -o jsonpath='{.status.machineCount}' + register: worker_machinecount_raw + +- name: Fetch MCP observedGeneration master + ansible.builtin.shell: + oc get mcp/master -o jsonpath='{.status.observedGeneration}' + register: master_observed_generation_raw + +- name: Fetch MCP machineCount master + ansible.builtin.shell: + oc get mcp/master -o jsonpath='{.status.machineCount}' + register: master_machinecount_raw + +- name: Will the imageMirror trigger any changes + ansible.builtin.command: + oc diff -f "{{ iib_local_folder }}/imageMirror.yaml" + failed_when: false + register: oc_mirror_diff + +# We only run this piece if there is an actual change in the mirror digest for images +# cannot use 'is failed' as that is always false when setting failed_when: false above +- name: Apply imageMirror and wait for MCP to complete + when: oc_mirror_diff.rc != 0 + block: + - name: Apply imageMirror + ansible.builtin.command: + oc apply -f "{{ iib_local_folder }}/imageMirror.yaml" + + # NOTE(bandini): The reason to not fail on these two observedGeneration waiting + # tasks, is to make this idempotent: If the 'oc apply' above does *not* trigger + # any changes, the observed generation tasks will just timeout. And then we still + # wait to make sure that the readyworker count is correct. 
+ - name: Wait for MCP new observedGeneration worker + ansible.builtin.shell: + oc get mcp/worker -o jsonpath='{.status.observedGeneration}' + register: worker_current_observed_generation_raw + retries: 10 + delay: 20 + until: worker_current_observed_generation_raw.stdout != worker_observed_generation_raw.stdout + failed_when: false + + - name: Wait for MCP new observedGeneration master + ansible.builtin.shell: + oc get mcp/master -o jsonpath='{.status.observedGeneration}' + register: master_current_observed_generation_raw + retries: 10 + delay: 20 + until: master_current_observed_generation_raw.stdout != master_observed_generation_raw.stdout + failed_when: false + + - name: Wait for MCP readyMachineCount to be the same as before applying the digest (worker) + ansible.builtin.shell: + oc get mcp/worker -o jsonpath='{.status.readyMachineCount}' + register: worker_current_ready_machinecount_raw + retries: 30 + delay: 10 + until: worker_current_ready_machinecount_raw.stdout == worker_machinecount_raw.stdout + + - name: Wait for MCP readyMachineCount to be the same as before applying the digest (master) + ansible.builtin.shell: + oc get mcp/master -o jsonpath='{.status.readyMachineCount}' + register: master_current_ready_machinecount_raw + retries: 30 + delay: 10 + until: master_current_ready_machinecount_raw.stdout == master_machinecount_raw.stdout diff --git a/common/ansible/roles/iib_ci/tasks/setup-external-registry.yml b/common/ansible/roles/iib_ci/tasks/setup-external-registry.yml new file mode 100644 index 00000000..a9a9b10a --- /dev/null +++ b/common/ansible/roles/iib_ci/tasks/setup-external-registry.yml 
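Review bot: The `when: oc_mirror_diff.rc != 0` guard on the 'Apply imageMirror and wait for MCP to complete' block treats every non-zero `oc diff` exit as "there are changes", but `oc diff` exits 1 for differences and greater than 1 for errors, and the task's `failed_when: false` means an error (malformed manifest, unreachable API) silently proceeds to `oc apply` and the MCP wait; `when: oc_mirror_diff.rc == 1` plus a separate `ansible.builtin.fail` with `when: oc_mirror_diff.rc > 1` would separate the two cases. In 'Find out which images really exist by consulting mapping.txt', the message `echo "ERROR: both {{ image }} and echo ${right_base}@${left_sha} could not be found"` has a stray `echo` inside the string, and `grep "{{ image }}"` uses the image reference as an unanchored regex, so a shorter image name can match a longer one's mapping line — `grep -F -- "{{ image }}="` matches the left-hand side exactly, assuming mapping.txt carries the full digest on the left as the comment suggests. The four 'Fetch MCP ...' tasks are read-only `oc get` calls and should carry `changed_when: false`, as 'Wait for catalogsource to show up' in install-iib-in-cluster.yml already does. The skopeo inspect logs are written to predictable `/tmp/skopeo-*.log` paths; writing them under `{{ iib_local_folder }}` would keep all run artefacts in one place.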
@@ -0,0 +1,45 @@
+- name: Check that we can push to the external registry
+ ansible.builtin.fail:
+ msg: "REGISTRY: '{{ external_registry }}' and REGISTRY_TOKEN: '{{ external_registry_token }}'. Both need to be set"
+ failed_when: >
+ (external_registry is not defined or external_registry | length == 0) or
+ (external_registry_token is not defined or external_registry_token | length == 0)
+
+- name: Get current cluster pull secrets
+ ansible.builtin.command:
+ oc extract secret/pull-secret -n openshift-config --to=-
+ register: pull_secrets_raw
+
+- name: Add external registry to pull secrets and set auth fact
+ ansible.builtin.set_fact:
+ pull_secrets_new: "{{ pull_secrets_raw.stdout | from_json }}"
+ external_registry_auth: "{{ external_registry_token | b64encode }}"
+
+- name: Add local registry to pull secrets
+ ansible.builtin.set_fact:
+ pull_secrets: "{{ pull_secrets_new | combine({'auths': {external_registry.split('/')[0]: {'email': external_registry_email, 'auth': external_registry_auth}}}, recursive=true) }}"
+
+- name: Get a tempfile for the pull secrets
+ ansible.builtin.tempfile:
+ state: directory
+ register: pull_secrets_tempfolder
+
+- name: Store pull secrets in tempfile
+ ansible.builtin.copy:
+ dest: "{{ pull_secrets_tempfolder.path }}/.dockerconfigjson"
+ content: "{{ pull_secrets | to_nice_json }}"
+ mode: "0644"
+
+# We cannot store the logins back in the cluster, because quay.io would be overwritten and not have
+# access to the images openshift needs. See:
+# https://github.com/moby/moby/issues/37569
+# - name: Update pull-secret in the cluster
+# ansible.builtin.shell: |
+# oc set data secret/pull-secret -n openshift-config --from-file="{{ pull_secrets_tempfolder.path }}/.dockerconfigjson"
+- name: Set Mirror URL fact for external mirror IIB
+ ansible.builtin.set_fact:
+ mirror_iib: "{{ external_registry }}"
+
+- name: Set Mirror URL fact for external mirror
+ ansible.builtin.set_fact:
+ mirror_dest: "{{ external_registry }}"
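Review bot: 'Store pull secrets in tempfile' writes the cluster pull secret merged with the REGISTRY_TOKEN credential to `.dockerconfigjson` with `mode: "0644"`, so the file is world-readable on the controller for the whole run (the same `mode: "0644"` is used in setup-internal-registry.yml, where the file additionally carries the kubeadmin token); `mode: "0600"` is all that `oc image mirror -a` and `skopeo --authfile` need. The `set_fact` tasks that build `pull_secrets_new`, `external_registry_auth` and `pull_secrets`, and the `copy` task, have no `no_log: true`, so a `-v` run prints the complete auth map to the console and into whatever archives the CI log. The first task's `msg` also echoes `external_registry_token` itself on failure; printing only whether it is set would be enough. `external_registry_auth: "{{ external_registry_token | b64encode }}"` base64-encodes the token alone, whereas a dockerconfigjson `auth` entry is the base64 of `user:password`; this only works if REGISTRY_TOKEN is already supplied in `user:password` form, which nothing in this change documents — a comment on the variable in defaults/main.yml, or an assertion that the value contains a colon, would make that contract explicit.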
diff --git a/common/ansible/roles/iib_ci/tasks/setup-internal-registry.yml b/common/ansible/roles/iib_ci/tasks/setup-internal-registry.yml
new file mode 100644
index 00000000..82ee7ac4
--- /dev/null
+++ b/common/ansible/roles/iib_ci/tasks/setup-internal-registry.yml
@@ -0,0 +1,108 @@
+- name: Check KUBEADMINPASS is set
+ ansible.builtin.fail:
+ msg: "KUBEADMINPASS: '{{ kubeadminpass }}' is not set"
+ failed_when: kubeadminpass is not defined or kubeadminpass | length == 0
+
+- name: Get kubeadmin api endpoint
+ ansible.builtin.command:
+ oc whoami --show-server=true
+ register: kubeadminapi_raw
+
+- name: Set kubeadminapi fact
+ ansible.builtin.set_fact:
+ kubeadminapi: "{{ kubeadminapi_raw.stdout }}"
+
+- name: Login via kubeadmin
+ ansible.builtin.command: |
+ oc login -u kubeadmin -p "{{ kubeadminpass }}" "{{ kubeadminapi }}" --insecure-skip-tls-verify=true
+
+- name: Get kubeadmin token
+ ansible.builtin.command: |
+ oc whoami -t
+ register: oc_whoami_raw
+
+- name: Set kubeadmin token
+ ansible.builtin.set_fact:
+ kubeadmin_token: "{{ oc_whoami_raw.stdout }}"
+
+- name: Expose internal registry route
+ ansible.builtin.shell: |
+ oc patch configs.imageregistry.operator.openshift.io/cluster --patch '{"spec":{"defaultRoute":true}}' --type=merge
+
+- name: Fetch internal registry route value
+ ansible.builtin.command:
+ oc registry info --public=true
+ register: registry_route_raw
+ retries: 20
+ delay: 10
+ until:
+ - registry_route_raw is not failed
+ - registry_route_raw.stdout | length > 0
+
+- name: Set route fact
+ ansible.builtin.set_fact:
+ registry_route: "{{ registry_route_raw.stdout }}"
+
+- name: Set registry allowedRegistries
+ ansible.builtin.shell: >
+ oc patch image.config.openshift.io/cluster --patch "{\"spec\":{\"registrySources\":{\"allowedRegistries\":[ \"registry.stage.redhat.io\", \"registry.access.redhat.com\", \"registry.connect.redhat.com\", \"ghcr.io\", \"gcr.io\", \"quay.io\", \"registry.redhat.io\",
+ \"registry-proxy.engineering.redhat.com\", \"image-registry.openshift-image-registry.svc:5000\", \"{{ registry_route }}\"]}}}" --type=merge
+
+- name: Set registry insecureRegistries
+ ansible.builtin.shell: >
+ oc patch image.config.openshift.io/cluster --patch 
"{\"spec\":{\"registrySources\":{\"insecureRegistries\":[ \"registry-proxy.engineering.redhat.com\", + \"image-registry.openshift-image-registry.svc:5000\", \"{{ registry_route }}\"]}}}" --type=merge + +- name: Get current cluster pull secrets + ansible.builtin.command: + oc extract secret/pull-secret -n openshift-config --to=- + register: pull_secrets_raw + +- name: Add local registry to pull secrets and set auth fact + ansible.builtin.set_fact: + pull_secrets_new: "{{ pull_secrets_raw.stdout | from_json }}" + internal_registry_auth: "{{ ('kubeadmin:' + kubeadmin_token) | b64encode }}" + +- name: Add local registry to pull secrets + ansible.builtin.set_fact: + pull_secrets: "{{ pull_secrets_new | combine({'auths': {registry_route: {'email': internal_registry_email, 'auth': internal_registry_auth}}}, recursive=true) }}" + +- name: Get a tempfile for the pull secrets + ansible.builtin.tempfile: + state: directory + register: pull_secrets_tempfolder + +- name: Store pull secrets in tempfile + ansible.builtin.copy: + dest: "{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" + content: "{{ pull_secrets | to_nice_json }}" + mode: "0644" + +- name: Update pull-secret in the cluster + ansible.builtin.shell: | + oc set data secret/pull-secret -n openshift-config --from-file="{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" + +- name: Before proceeding here we need to make sure that the MCPs have all settled + ansible.builtin.shell: | + if [ $(oc get mcp/master -o jsonpath='{.status.readyMachineCount}') != $(oc get mcp/master -o jsonpath='{.status.machineCount}') ]; then + exit 1 + fi + if [ $(oc get mcp/worker -o jsonpath='{.status.readyMachineCount}') != $(oc get mcp/worker -o jsonpath='{.status.machineCount}') ]; then + exit 1 + fi + retries: 30 + delay: 20 + register: mcp_ready + until: mcp_ready is not failed + +- name: Login the internal registry with podman + ansible.builtin.command: + podman login --tls-verify=false --username unused --password "{{ 
kubeadmin_token }}" "{{ registry_route }}"
+
+- name: Set Mirror URL fact for internal mirror IIB
+ ansible.builtin.set_fact:
+ mirror_iib: "{{ registry_route }}/{{ internal_registry_ns }}/iib"
+
+- name: Set Mirror URL fact for internal mirror
+ ansible.builtin.set_fact:
+ mirror_dest: "{{ registry_route }}/{{ internal_registry_ns }}/"
diff --git a/common/ansible/roles/iib_ci/templates/catalogSource.yaml.j2 b/common/ansible/roles/iib_ci/templates/catalogSource.yaml.j2
new file mode 100644
index 00000000..99087603
--- /dev/null
+++ b/common/ansible/roles/iib_ci/templates/catalogSource.yaml.j2
@@ -0,0 +1,9 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: CatalogSource
+metadata:
+ name: iib-{{ iib }}
+ namespace: {{ internal_registry_ns }}
+spec:
+ image: {{ mirror_iib }}:{{ iib }}
+ sourceType: grpc
+ displayName: IIB {{ iib }}
diff --git a/common/ansible/roles/iib_ci/templates/htpasswd-oauth.yaml b/common/ansible/roles/iib_ci/templates/htpasswd-oauth.yaml
new file mode 100644
index 00000000..8fc41821
--- /dev/null
+++ b/common/ansible/roles/iib_ci/templates/htpasswd-oauth.yaml
@@ -0,0 +1,14 @@
+apiVersion: config.openshift.io/v1
+kind: OAuth
+metadata:
+ name: cluster
+spec:
+ identityProviders:
+ - name: my_htpasswd_provider
+ mappingMethod: claim
+ type: HTPasswd
+ challenge: true
+ login: true
+ htpasswd:
+ fileData:
+ name: htpass-secret
diff --git a/common/ansible/roles/iib_ci/templates/imageContentSourcePolicy.yaml.j2 b/common/ansible/roles/iib_ci/templates/imageContentSourcePolicy.yaml.j2
new file mode 100644
index 00000000..d0f417ec
--- /dev/null
+++ b/common/ansible/roles/iib_ci/templates/imageContentSourcePolicy.yaml.j2
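Review bot: 'Login via kubeadmin' passes the password on the `oc login -p` command line and 'Login the internal registry with podman' passes the token via `--password`, and neither task sets `no_log: true`, so both secrets appear in Ansible's task output (the command module echoes `cmd` on failure and under `-v`) and are briefly visible in the process list; add `no_log: true` to both, and for podman prefer `--password-stdin` with the token supplied through the command module's `stdin` option. `oc login ... --insecure-skip-tls-verify=true` also disables API-server certificate checking on the one command that carries the kubeadmin password, although the same endpoint was already trusted by the preceding `oc whoami` calls, so the flag looks unnecessary there. The kubeadmin token from `oc whoami -t` is then stored as the registry credential in the cluster-wide `openshift-config/pull-secret`; that is a user session token with a finite lifetime (presumably the cluster's default OAuth token expiry — verify), so the pull-secret entry silently stops working once it expires, and a dedicated service account with registry access would be the durable choice. The 'Set registry allowedRegistries' patch replaces the whole `allowedRegistries` list rather than appending to it, so any registry the cluster already allowed is dropped — worth a comment at minimum.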
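Review bot: `templates/htpasswd-oauth.yaml` defines a cluster `OAuth` identity provider (`my_htpasswd_provider` backed by `htpass-secret`) but no task in this change references it, so as far as the visible role goes it is dead configuration; if it is a leftover from the role this was copied from it should be dropped, and if it is intended for later use a header comment naming the task that applies it and noting that it replaces the cluster's entire `identityProviders` list would help. Unlike the other templates in the role it has no `.j2` suffix, which makes it look like a static manifest rather than a template.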
@@ -0,0 +1,19 @@
+---
+apiVersion: operator.openshift.io/v1alpha1
+kind: ImageContentSourcePolicy
+metadata:
+ labels:
+ operators.openshift.org/catalog: "true"
+ name: iib-{{ iib }}
+spec:
+ repositoryDigestMirrors:
+{% for item in image_urls.values() %}
+ - mirrors:
+ - {{ item.mirrordest_nosha }}
+ source: {{ item.source_nosha }}
+ mirrorSourcePolicy: NeverContactSource
+ - mirrors:
+ - {{ item.mirrordest_nosha }}
+ source: {{ item.image_nosha }}
+ mirrorSourcePolicy: NeverContactSource
+{% endfor %}
diff --git a/common/ansible/roles/iib_ci/templates/imageDigestMirror.yaml.j2 b/common/ansible/roles/iib_ci/templates/imageDigestMirror.yaml.j2
new file mode 100644
index 00000000..d23ab9f2
--- /dev/null
+++ b/common/ansible/roles/iib_ci/templates/imageDigestMirror.yaml.j2
@@ -0,0 +1,18 @@
+apiVersion: config.openshift.io/v1
+kind: ImageDigestMirrorSet
+metadata:
+ labels:
+ operators.openshift.org/catalog: "true"
+ name: iib-{{ iib }}
+spec:
+ imageDigestMirrors:
+{% for item in image_urls.values() %}
+ - mirrors:
+ - {{ item.mirrordest_nosha }}
+ source: {{ item.source_nosha }}
+ mirrorSourcePolicy: NeverContactSource
+ - mirrors:
+ - {{ item.mirrordest_nosha }}
+ source: {{ item.image_nosha }}
+ mirrorSourcePolicy: NeverContactSource
+{% endfor %}
diff --git a/common/ansible/roles/iib_ci/templates/mirror.map.j2 b/common/ansible/roles/iib_ci/templates/mirror.map.j2
new file mode 100644
index 00000000..ecef721c
--- /dev/null
+++ b/common/ansible/roles/iib_ci/templates/mirror.map.j2
@@ -0,0 +1,3 @@
+{% for item in image_urls.values() %}
+{{ item.source }}={{ item.mirrordest_nosha }}:{{ item.mirrordest_tag }}
+{% endfor %}
diff --git a/common/ansible/roles/iib_ci/vars/main.yml b/common/ansible/roles/iib_ci/vars/main.yml
new file mode 100644
index 00000000..56894088
--- /dev/null
+++ b/common/ansible/roles/iib_ci/vars/main.yml
@@ -0,0 +1,2 @@
+---
+# vars file for iib_ci
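Review bot: `mirrorSourcePolicy: NeverContactSource` is, to my knowledge, a field of `ImageDigestMirrorSet` (`config.openshift.io/v1`) and not of `ImageContentSourcePolicy` (`operator.openshift.io/v1alpha1`), whose `repositoryDigestMirrors` entries carry only `source` and `mirrors`; depending on the field-validation mode of the `oc apply` in mirror-related-images.yml this is either rejected as an unknown field or silently pruned, in which case the pre-4.13 path keeps contacting the source registry. Removing the two `mirrorSourcePolicy` lines from this template is the fix. In both this template and imageDigestMirror.yaml.j2 the loop emits two entries per image, and whenever `item.source_nosha` equals `item.image_nosha` (the case for every image that was found at its original location, as the dictionary comment in mirror-related-images.yml shows) the second entry is an exact duplicate of the first; wrapping it in `{% if item.source_nosha != item.image_nosha %}` ... `{% endif %}` keeps the rendered policy minimal.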
diff --git a/common/ansible/roles/vault_utils/tasks/push_secrets.yaml b/common/ansible/roles/vault_utils/tasks/push_secrets.yaml index 0fdaa631..a820f40a 100644 --- a/common/ansible/roles/vault_utils/tasks/push_secrets.yaml +++ b/common/ansible/roles/vault_utils/tasks/push_secrets.yaml @@ -80,9 +80,12 @@ register: encrypted failed_when: (encrypted.rc not in [0, 1]) +# When HOME is set we replace it with '~' in this debug message +# because when run from inside the container the HOME is /pattern-home +# which is confusing for users - name: Is found values secret file encrypted ansible.builtin.debug: - msg: "Using {{ found_file }} to parse secrets" + msg: "Using {{ (lookup('env', 'HOME') | length > 0) | ternary(found_file | regex_replace('^' + lookup('env', 'HOME'), '~'), found_file) }} to parse secrets" - name: Set encryption bool fact no_log: true @@ -102,6 +105,7 @@ ansible-vault view --vault-password-file <(cat <<<"{{ vault_pass.user_input }}") "{{ found_file }}" register: values_secret_plaintext when: is_encrypted + changed_when: false - name: Loads secrets file into the vault of a cluster no_log: false diff --git a/common/ansible/roles/vault_utils/tasks/vault_spokes_init.yaml b/common/ansible/roles/vault_utils/tasks/vault_spokes_init.yaml index af1a02fd..d4310e7f 100644 --- a/common/ansible/roles/vault_utils/tasks/vault_spokes_init.yaml +++ b/common/ansible/roles/vault_utils/tasks/vault_spokes_init.yaml @@ -182,8 +182,8 @@ pod: "{{ vault_pod }}" command: > vault write auth/"{{ item.value['vault_path'] }}"/role/"{{ item.value['vault_path'] }}"-role - bound_service_account_names="{{ external_secrets_ns }}" - bound_service_account_namespaces="{{ external_secrets_sa }}" + bound_service_account_names="{{ external_secrets_sa }}" + bound_service_account_namespaces="{{ external_secrets_ns }}" policies="default,{{ vault_global_policy }}-secret,{{ item.value['vault_path'] }}-secret" ttl="{{ vault_spoke_ttl }}" loop: "{{ clusters_info | dict2items }}" when: 
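Review bot: In the new `msg` of 'Is found values secret file encrypted', `regex_replace('^' + lookup('env', 'HOME'), '~')` interpolates the HOME value into a regular expression unescaped, so a home path containing regex metacharacters matches something other than the literal prefix; `regex_replace('^' + (lookup('env', 'HOME') | regex_escape), '~')` keeps it literal. This is display-only, so the worst case is a confusing path in the debug output rather than a functional problem. The tasks surrounding both push_secrets.yaml hunks are outside the diff and were not reviewed.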
diff --git a/common/ansible/roles/vault_utils/tests/test.yml b/common/ansible/roles/vault_utils/tests/test.yml
index 0998beb6..b4da5c68 100644
--- a/common/ansible/roles/vault_utils/tests/test.yml
+++ b/common/ansible/roles/vault_utils/tests/test.yml
@@ -1,5 +1,6 @@
 ---
-- hosts: localhost
+- name: Test Play
+ hosts: localhost
 remote_user: root
 roles:
 - vault_utils
diff --git a/common/clustergroup/Chart.yaml b/common/clustergroup/Chart.yaml
index 249163ae..38ece255 100644
--- a/common/clustergroup/Chart.yaml
+++ b/common/clustergroup/Chart.yaml
@@ -2,5 +2,5 @@ apiVersion: v2
 description: A Helm chart to create per-clustergroup ArgoCD applications and any required namespaces or subscriptions
 keywords:
 - pattern
-name: pattern-clustergroup
+name: clustergroup
 version: 0.0.1
diff --git a/common/clustergroup/templates/_helpers.tpl b/common/clustergroup/templates/_helpers.tpl
new file mode 100644
index 00000000..c3a730fb
--- /dev/null
+++ b/common/clustergroup/templates/_helpers.tpl
@@ -0,0 +1,42 @@ +{{/* +Default always defined top-level variables for helm charts +*/}} +{{- define "clustergroup.app.globalvalues.helmparameters" -}} +- name: global.repoURL + value: $ARGOCD_APP_SOURCE_REPO_URL +- name: global.targetRevision + value: $ARGOCD_APP_SOURCE_TARGET_REVISION +- name: global.namespace + value: $ARGOCD_APP_NAMESPACE +- name: global.pattern + value: {{ $.Values.global.pattern }} +- name: global.clusterDomain + value: {{ $.Values.global.clusterDomain }} +- name: global.clusterVersion + value: "{{ $.Values.global.clusterVersion }}" +- name: global.clusterPlatform + value: "{{ $.Values.global.clusterPlatform }}" +- name: global.hubClusterDomain + value: {{ $.Values.global.hubClusterDomain }} +- name: global.localClusterDomain + value: {{ coalesce $.Values.global.localClusterDomain $.Values.global.hubClusterDomain }} +{{- end }} {{/* clustergroup.globalvaluesparameters */}} + + +{{/* +Default always defined valueFiles to be included in Applications +*/}} +{{- define "clustergroup.app.globalvalues.valuefiles" -}} +- "/values-global.yaml" +- "/values-{{ $.Values.clusterGroup.name }}.yaml" +{{- if $.Values.global.clusterPlatform }} +- "/values-{{ $.Values.global.clusterPlatform }}.yaml" + {{- if $.Values.global.clusterVersion }} +- "/values-{{ $.Values.global.clusterPlatform }}-{{ $.Values.global.clusterVersion }}.yaml" + {{- end }} +- "/values-{{ $.Values.global.clusterPlatform }}-{{ $.Values.clusterGroup.name }}.yaml" +{{- end }} +{{- if $.Values.global.clusterVersion }} +- "/values-{{ $.Values.global.clusterVersion }}-{{ $.Values.clusterGroup.name }}.yaml" +{{- end }} +{{- end }} {{/* clustergroup.app.globalvalues.valuefiles */}} diff --git a/common/clustergroup/templates/core/namespaces.yaml b/common/clustergroup/templates/core/namespaces.yaml index bf0bfc7d..dfa6ae1a 100644 --- a/common/clustergroup/templates/core/namespaces.yaml +++ b/common/clustergroup/templates/core/namespaces.yaml 
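Review bot: In `clustergroup.app.globalvalues.helmparameters` the `global.pattern`, `global.clusterDomain`, `global.hubClusterDomain` and `global.localClusterDomain` values are emitted unquoted while `clusterVersion`/`clusterPlatform` are quoted; an unset value renders as a bare `value:` (YAML null), and the Argo CD Application CRD types `parameters[].value` as a string, so the sync fails validation instead of passing an empty parameter. Quote them consistently, e.g. `value: {{ $.Values.global.clusterDomain | quote }}` and `value: {{ coalesce $.Values.global.localClusterDomain $.Values.global.hubClusterDomain | quote }}`. A one-line comment on the `$ARGOCD_APP_*` entries noting that Argo CD substitutes them at render time (Helm leaves them as literal text) would save the next reader a search.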
@@ -1,11 +1,31 @@ {{- if not (eq .Values.enabled "plumbing") }} -{{- range .Values.clusterGroup.namespaces }} +{{- range $ns := .Values.clusterGroup.namespaces }} apiVersion: v1 kind: Namespace metadata: + {{- if kindIs "map" $ns }} + {{- range $k, $v := $ns }}{{- /* We loop here even though the map has always just one key */}} + name: {{ $k }} labels: argocd.argoproj.io/managed-by: {{ $.Values.global.pattern }}-{{ $.Values.clusterGroup.name }} - name: {{ . }} + {{- if $v.labels }} + {{- range $key, $value := $v.labels }} {{- /* We loop here even though the map has always just one key */}} + {{ $key }}: {{ $value | default "" | quote }} + {{- end }} + {{- end }} + {{- if $v.annotations }} + annotations: + {{- range $key, $value := $v.annotations }} {{- /* We loop through the map to get key/value pairs */}} + {{ $key }}: {{ $value | default "" | quote }} + {{- end }} + {{- end }}{{- /* if $v.annotations */}} + {{- end }}{{- /* range $k, $v := $ns */}} + + {{- else if kindIs "string" $ns }} + labels: + argocd.argoproj.io/managed-by: {{ $.Values.global.pattern }}-{{ $.Values.clusterGroup.name }} + name: {{ $ns }} + {{- end }} {{- /* if kindIs "string" $ns */}} spec: --- {{- end }} diff --git a/common/clustergroup/templates/core/operatorgroup.yaml b/common/clustergroup/templates/core/operatorgroup.yaml index 74febe94..66774fa6 100644 --- a/common/clustergroup/templates/core/operatorgroup.yaml +++ b/common/clustergroup/templates/core/operatorgroup.yaml 
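Review bot: In the map branch, `$v.labels` and `$v.annotations` are dereferenced without checking that `$v` is a map, so a namespace written as `- my-ns:` (key with no body) gives a nil `$v` and Helm aborts with a nil-pointer error instead of creating a plain namespace; normalise first with `{{- $v := default (dict) $v }}` or guard with `{{- if and $v $v.labels }}`. The comment on the labels loop, `We loop here even though the map has always just one key`, was copied from the outer loop and is wrong here since labels can hold many keys — replace it with `{{- /* user-supplied labels, emitted after the framework label */}}`. A user label named `argocd.argoproj.io/managed-by` would also render a duplicate key under `labels:`, and most YAML parsers let the last occurrence win, silently detaching the namespace from this Argo CD instance; either skip that key in the loop or document it as reserved.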
@@ -1,17 +1,22 @@ {{- if not (eq .Values.enabled "plumbing") }} -{{- range .Values.clusterGroup.namespaces }} +{{- range $ns := .Values.clusterGroup.namespaces }} + +{{- if or (empty $.Values.clusterGroup.operatorgroupExcludes) (not (has . $.Values.clusterGroup.operatorgroupExcludes)) }} + + {{- if kindIs "map" $ns }} + {{- range $k, $v := $ns }}{{- /* We loop here even though the map has always just one key */}} -{{- if empty $.Values.clusterGroup.operatorgroupExcludes }} apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: - name: {{ . }}-operator-group - namespace: {{ . }} + name: {{ $k }}-operator-group + namespace: {{ $k }} spec: targetNamespaces: - - {{ . }} ---- -{{- else if not (has . $.Values.clusterGroup.operatorgroupExcludes) }} + - {{ $k }} + {{- end }}{{- /* range $k, $v := $ns */}} + + {{- else if kindIs "string" $ns }} apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -20,8 +25,8 @@ metadata: spec: targetNamespaces: - {{ . }} + {{- end }} {{- /* if kindIs "string" $ns */}} --- -{{- end }} - -{{- end }} -{{- end }} +{{- end }} {{- /* if or (empty $.Values.clusterGroup.operatorgroupExcludes) (not (has . $.Values.clusterGroup.operatorgroupExcludes)) */}} +{{- end }} {{- /* range $ns := .Values.clusterGroup.namespaces */}} +{{- end }} {{- /* if not (eq .Values.enabled "plumbing") */}} diff --git a/common/clustergroup/templates/plumbing/applications.yaml b/common/clustergroup/templates/plumbing/applications.yaml index 2593942f..075e1bdb 100644 --- a/common/clustergroup/templates/plumbing/applications.yaml +++ b/common/clustergroup/templates/plumbing/applications.yaml @@ -35,6 +35,8 @@ spec: {{- else }} syncPolicy: automated: {} + retry: + limit: {{ default 20 $.Values.global.options.applicationRetryLimit }} {{- end }} {{- if .ignoreDifferences }} ignoreDifferences: {{ .ignoreDifferences | toPrettyJson }} 
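Review bot: The exclusion test `not (has . $.Values.clusterGroup.operatorgroupExcludes)` now runs with `.` bound to the whole list element, which in the new map form is a one-key map rather than a string, so a namespace declared with labels/annotations can never be excluded and always receives an OperatorGroup (values-example.yaml only exercises the string form, so this is not caught). Move the check inside the `range $k, $v := $ns` loop and compare `$k`; the string branch keeps comparing the element itself. The rewritten body below shows the structure; the string-branch OperatorGroup is unchanged.
```yaml
{{- range $ns := .Values.clusterGroup.namespaces }}
  {{- if kindIs "map" $ns }}
    {{- range $k, $v := $ns }}{{- /* one-key map: the key is the namespace name */}}
      {{- if or (empty $.Values.clusterGroup.operatorgroupExcludes) (not (has $k $.Values.clusterGroup.operatorgroupExcludes)) }}
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: {{ $k }}-operator-group
  namespace: {{ $k }}
spec:
  targetNamespaces:
    - {{ $k }}
---
      {{- end }}
    {{- end }}
  {{- else if kindIs "string" $ns }}
    {{- if or (empty $.Values.clusterGroup.operatorgroupExcludes) (not (has $ns $.Values.clusterGroup.operatorgroupExcludes)) }}
# … unchanged: OperatorGroup for the plain-string namespace, followed by --- …
    {{- end }}
  {{- end }}
{{- end }}
```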
@@ -55,10 +57,7 @@ spec: helm: ignoreMissingValueFiles: true valueFiles: - - "values.yaml" - {{- if $.Values.global.clusterVersion }} - - "/values-{{ $.Values.global.clusterVersion }}-{{ $.Values.clusterGroup.name }}.yaml" - {{- end }} + {{- include "clustergroup.app.globalvalues.valuefiles" $ | nindent 12 }} {{- range .extraValueFiles }} - {{ . | quote }} {{- end }} @@ -67,24 +66,13 @@ spec: {{ `{{ values }}` }} {{- end }} parameters: - - name: global.clusterDomain - value: {{ $.Values.global.clusterDomain }} - - name: global.clusterVersion - value: "{{ $.Values.global.clusterVersion }}" - - name: global.clusterPlatform - value: "{{ $.Values.global.clusterPlatform }}" - - name: global.hubClusterDomain - value: {{ $.Values.global.hubClusterDomain }} - - name: global.localClusterDomain - value: {{ coalesce $.Values.global.localClusterDomain $.Values.global.hubClusterDomain }} + {{- include "clustergroup.app.globalvalues.helmparameters" $ | nindent 12 }} - name: global.repoURL value: {{ $.Values.global.repoURL }} - name: global.targetRevision value: {{ $.Values.global.targetRevision }} - name: global.namespace value: {{ $.Values.global.namespace }} - - name: global.pattern - value: {{ $.Values.global.pattern }} - name: clusterGroup.name value: {{ .Values.clusterGroup.name }} {{- range .extraHubClusterDomainFields }} @@ -111,6 +99,10 @@ spec: - name: {{ . }} value: {{ $.Values.global.pattern }} {{- end }} + {{- range $k, $v := $.Values.extraParametersNested }} + - name: {{ $k }} + value: {{ $v }} + {{- end }} {{- range .overrides }} - name: {{ .name }} value: {{ .value | quote }} 
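Review bot: After `{{- include "clustergroup.app.globalvalues.helmparameters" $ }}` the parameter list still carries explicit `global.repoURL`, `global.targetRevision` and `global.namespace` entries, so each name now appears twice — once with the `$ARGOCD_APP_*` placeholder from the helper and once with `$.Values.global.*`. Argo CD hands these to Helm as repeated `--set` flags, and if it keeps list order the later static values win, making the helper's three entries dead weight; if that precedence is intended it deserves a comment (`# explicit values below override the $ARGOCD_APP_* defaults from the helper`), otherwise drop the three explicit entries as was already done for `global.pattern`. The enclosing Application template starts above this hunk.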
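Review bot: The new `extraParametersNested` loop emits `value: {{ $v }}` unquoted, unlike the `overrides` entries just below it which use `{{ .value | quote }}`; a value such as `true`, `1.10` or an empty string is retyped by the YAML parser and rejected by the Application CRD, which declares `value` as a string. Use `value: {{ $v | quote }}`. If the map is meant to carry nested structures, as the name suggests, `{{ $v }}` would render Go's `map[...]` form, so either flatten keys at the call site or document that only scalar values are supported.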
@@ -142,48 +134,19 @@ spec: chart: {{ .chart }} {{- else }} path: {{ .path }} - {{- end }} + {{- end }}{{- /* if .chart */}} {{- if .plugin }} plugin: {{ .plugin | toPrettyJson }} {{- else if not .kustomize }} helm: ignoreMissingValueFiles: true valueFiles: - - "/values-global.yaml" - - "/values-{{ $.Values.clusterGroup.name }}.yaml" - {{- if $.Values.global.clusterPlatform }} - - "/values-{{ $.Values.global.clusterPlatform }}.yaml" - {{- if $.Values.global.clusterVersion }} - - "/values-{{ $.Values.global.clusterPlatform }}-{{ $.Values.global.clusterVersion }}.yaml" - {{- end }} - - "/values-{{ $.Values.global.clusterPlatform }}-{{ $.Values.clusterGroup.name }}.yaml" - {{- end }} - {{- if $.Values.global.clusterVersion }} - - "/values-{{ $.Values.global.clusterVersion }}-{{ $.Values.clusterGroup.name }}.yaml" - {{- end }} + {{- include "clustergroup.app.globalvalues.valuefiles" $ | nindent 6 }} {{- range $valueFile := .extraValueFiles }} - {{ $valueFile | quote }} {{- end }} - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: {{ $.Values.global.pattern }} - - name: global.clusterDomain - value: {{ $.Values.global.clusterDomain }} - - name: global.clusterVersion - value: "{{ $.Values.global.clusterVersion }}" - - name: global.clusterPlatform - value: "{{ $.Values.global.clusterPlatform }}" - - name: global.hubClusterDomain - value: {{ $.Values.global.hubClusterDomain }} - - name: global.localClusterDomain - value: {{ coalesce $.Values.global.localClusterDomain $.Values.global.hubClusterDomain }} + {{- include "clustergroup.app.globalvalues.helmparameters" $ | nindent 8 }} {{- range .extraHubClusterDomainFields }} - name: {{ . }} value: {{ $.Values.global.hubClusterDomain }} 
@@ -208,21 +171,25 @@ spec: - name: {{ . }} value: {{ $.Values.global.pattern }} {{- end }} + {{- range $k, $v := $.Values.extraParametersNested }} + - name: {{ $k }} + value: {{ $v }} + {{- end }} {{- range .overrides }} - name: {{ .name }} value: {{ .value | quote }} - {{- if .forceString }} + {{- if .forceString }} forceString: true - {{- end }} - {{- end }} + {{- end }} + {{- end }}{{- /* range .overrides */}} {{- if .fileParameters }} fileParameters: {{- range .fileParameters }} - name: {{ .name }} path: {{ .path }} - {{- end }} - {{- end }} - {{- end }} + {{- end }}{{- /* range .fileParameters */}} + {{- end }}{{- /* if .fileParameters */}} + {{- end }}{{- /* if .plugin */}} {{- if .ignoreDifferences }} ignoreDifferences: {{ .ignoreDifferences | toPrettyJson }} {{- end }} @@ -231,9 +198,10 @@ spec: {{- else }} syncPolicy: automated: {} - # selfHeal: true - {{- end }} + retry: + limit: {{ default 20 $.Values.global.applicationRetryLimit }} + {{- end }}{{- /* .syncPolicy */}} --- -{{- end }} -{{- end }} -{{- end }} +{{- end }}{{- /* if or (.generators) (.generatorFile) (.useGeneratorValues) (.destinationServer) (.destinationNamespace) */}} +{{- end }}{{- /* range .Values.clusterGroup.applications */}} +{{- end }}{{- /* if not (eq .Values.enabled "core") */}} diff --git a/common/clustergroup/templates/plumbing/argocd.yaml b/common/clustergroup/templates/plumbing/argocd.yaml index 68400b95..84643644 100644 --- a/common/clustergroup/templates/plumbing/argocd.yaml +++ b/common/clustergroup/templates/plumbing/argocd.yaml 
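Review bot: The `extraParametersNested` block added here has the same unquoted `value: {{ $v }}` as the one in the ApplicationSet branch, while the adjacent `overrides` use `{{ .value | quote }}`; booleans, numbers and empty strings get retyped and fail the Application CRD's string field. Use `value: {{ $v | quote }}` in both places so the two branches stay consistent.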
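Review bot: This branch reads the retry limit from `$.Values.global.applicationRetryLimit`, while the ApplicationSet branch earlier in the file uses `$.Values.global.options.applicationRetryLimit`, and values.yaml and values.schema.json in this commit add the key next to `installPlanApproval`, i.e. apparently under `options` (indentation is lost in this view, so confirm). Because both fall back to `default 20` the mismatch is invisible until someone overrides the value and only half of the Applications pick it up. Use the same path here, `limit: {{ default 20 $.Values.global.options.applicationRetryLimit }}`, and a short comment on why `20` was chosen as the default would help.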
@@ -12,6 +12,28 @@ metadata: annotations: argocd.argoproj.io/compare-options: IgnoreExtraneous spec: +# Adding health checks to argocd to prevent pvc resources +# that aren't bound state from blocking deployments + resourceCustomizations: | + PersistentVolumeClaim: + health.lua: | + hs = {} + if obj.status ~= nil then + if obj.status.phase ~= nil then + if obj.status.phase == "Pending" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + elseif obj.status.phase == "Bound" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + end + end + end + hs.status = "Progressing" + hs.message = "Waiting for PVC" + return hs applicationInstanceLabelKey: argocd.argoproj.io/instance # Not the greatest way to pass git/quay info to sub-applications, but it will do until # we can support helmChart with kustomize @@ -60,15 +82,17 @@ spec: requests: cpu: 500m memory: 2Gi - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi + sso: + provider: dex + dex: + openShiftOAuth: true + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi initialSSHKnownHosts: {} rbac: defaultPolicy: role:admin diff --git a/common/clustergroup/values.schema.json b/common/clustergroup/values.schema.json index 2377e31b..e64a8125 100644 --- a/common/clustergroup/values.schema.json +++ b/common/clustergroup/values.schema.json @@ -192,6 +192,10 @@ "type": "string", "deprecated": true, "description": "This is used to approval strategy for the subscriptions of OpenShift Operators being installed. You can choose Automatic or Manual updates. NOTE: This setting is now available in the subcriptions description in the values file." + }, + "applicationRetryLimit": { + "type": "integer", + "description": "Number of failed sync attempt retries; unlimited number of attempts if less than 0" } }, "required": [ 
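Review bot: The Lua health check reports a `Pending` PVC as `Healthy`, so an Application whose claim never binds (missing StorageClass, broken provisioner) shows green at the PVC level and only the dependent pods reveal the problem; the header comment says this is to stop unbound PVCs from blocking deployments, which reads like the `WaitForFirstConsumer` case. State that intent and make the state visible in the UI: `# Pending PVCs are reported Healthy so WaitForFirstConsumer claims do not stall the sync; pod health still surfaces a claim that never binds` and `hs.message = "Pending - not bound yet"` in the Pending branch. If the goal is only to unblock the sync wave, returning `Progressing` for Pending (the fallback already does) is the more honest status.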
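Review bot: The moved Dex block keeps `openShiftOAuth: true`, and together with the unchanged `rbac: defaultPolicy: role:admin` two lines below it, every OpenShift user who can log in becomes an administrator of this Argo CD instance, including syncing Applications into any namespace the instance's service account reaches. If that is the deliberate trade-off for a pattern cluster, say so next to the policy (`# defaultPolicy admin: every authenticated OpenShift user administers this instance`); otherwise use `defaultPolicy: role:readonly` and grant admin to a group via `policy: g, <group>, role:admin`. The `rbac` stanza continues past the end of the hunk.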
@@ -220,7 +224,7 @@ "type": "array", "description": "This is the array of namespaces that the VP framework will create. In addition, operator groups will also be created for each namespace.", "items": { - "type": "string" + "$ref": "#/definitions/Namespaces" } }, "indexImages": { @@ -318,6 +322,51 @@ ], "title": "ClusterGroup" }, + "Namespaces": { + "anyOf": [ + { + "type": "object" + }, + { + "type": "string" + } + ], + "description": "Description of the applications that will be created in the ArgoCD instances. The Application CRD is the Kubernetes resource object representing a deployed application instance in an environment. Two ways of defining applications: Using a list or using a dictionary.", + "additionalProperties": true, + "properties": { + "name": { + "type": "string", + "description": "Name of the namespace." + }, + "labels": { + "type": "array", + "items": { + "$ref": "#/definitions/NameValue" + } + }, + "annotations": { + "type": "array", + "items": { + "$ref": "#/definitions/NameValue" + } + } + } + }, + "NameValue": { + "type": "object", + "description": "Description of the applications that will be created in the ArgoCD instances. The Application CRD is the Kubernetes resource object representing a deployed application instance in an environment. Two ways of defining applications: Using a list or using a dictionary.", + "additionalProperties": true, + "properties": { + "name": { + "type": "string", + "description": "Name of the namespace." + }, + "value": { + "type": "string", + "description": "Name of the namespace." + } + } + }, "Applications": { "type": "object", "description": "Description of the applications that will be created in the ArgoCD instances. The Application CRD is the Kubernetes resource object representing a deployed application instance in an environment. Two ways of defining applications: Using a list or using a dictionary.", 
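Review bot: The new `Namespaces` definition types `labels` and `annotations` as arrays of `NameValue`, but templates/core/namespaces.yaml in this same commit iterates them with `range $key, $value := $v.labels`, i.e. as maps, and values-example.yaml writes them as maps too — so the schema rejects the only shape the template renders. Declare them as string maps, `"labels": { "type": "object", "additionalProperties": { "type": "string" } }` and the same for `annotations`, and drop `NameValue` and the unused `name` property unless something else consumes them. The `description` strings of `Namespaces` and `NameValue` are copied from `Applications` and should describe namespace entries instead.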
diff --git a/common/clustergroup/values.yaml b/common/clustergroup/values.yaml index 18212e4b..117e009e 100644 --- a/common/clustergroup/values.yaml +++ b/common/clustergroup/values.yaml @@ -5,6 +5,7 @@ global: useCSV: True syncPolicy: Automatic installPlanApproval: Automatic + applicationRetryLimit: 20 enabled: "all" diff --git a/common/examples/kustomize-renderer/kustomize b/common/examples/kustomize-renderer/kustomize index 5f62b40c..3266d453 100755 --- a/common/examples/kustomize-renderer/kustomize +++ b/common/examples/kustomize-renderer/kustomize @@ -5,11 +5,10 @@ if [ $BASE = $PWD ]; then BASE=./ fi -cat <&0 > "$BASE/helm.patch.yaml" +cat <&0 > "$BASE/helm.yaml" # Including at least one log to stderr allows us to see the full -x output echo $HOME $PWD 1>&2 ls -al 1>&2 -kubectl kustomize "$BASE" && rm "$BASE/helm.patch.yaml" -#kubectl kustomize "$BASE" > "$BASE/result.yaml" +kustomize build "$BASE" && rm "$BASE/helm.yaml" diff --git a/common/examples/values-example.yaml b/common/examples/values-example.yaml index 20b5d227..4035c431 100644 --- a/common/examples/values-example.yaml +++ b/common/examples/values-example.yaml @@ -13,8 +13,19 @@ clusterGroup: isHubCluster: true namespaces: - - open-cluster-management + - open-cluster-management: + labels: + openshift.io/node-selector: "" + kubernetes.io/os: linux + annotations: + openshift.io/cluster-monitoring: "true" + owner: "namespace owner" - application-ci + - excludes-ci + + operatorgroupExcludes: + - excludes-ci + subscriptions: acm: @@ -93,11 +104,16 @@ clusterGroup: name: aws-ap openshiftVersion: 4.10.18 baseDomain: blueprints.rhecoeng.com + controlPlane: + count: 1 + platform: + aws: + type: m5.xlarge + workers: + count: 0 platform: aws: region: ap-southeast-2 - clusters: - - one exampleAzurePool: name: azure-us openshiftVersion: 4.10.18 @@ -107,7 +123,7 @@ clusterGroup: baseDomainResourceGroupName: dojo-dns-zones region: eastus clusters: - - two + - Two - three acmlabels: - name: clusterGroup 
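Review bot: `cat <&0 > "$BASE/helm.yaml"` followed by `kustomize build "$BASE" && rm "$BASE/helm.yaml"` removes the rendered file only on success, so a failing build leaves `helm.yaml` in the checkout where the next run picks it up as stale input. Register the cleanup once right after writing it, `trap 'rm -f "$BASE/helm.yaml"' EXIT`, and drop the `&& rm`. The `BASE` assignment and the unquoted `[ $BASE = $PWD ]` test are above this hunk.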
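Review bot: The example places `openshift.io/node-selector: ""` under `labels`, but as far as I know OpenShift consumes that key as a namespace *annotation* (like the `openshift.io/cluster-monitoring` entry right below), so as a label it does nothing and shows readers the wrong place for it. Move it under `annotations`, or use a neutral label such as `team: example` to demonstrate the labels map.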
diff --git a/common/golang-external-secrets/Chart.yaml b/common/golang-external-secrets/Chart.yaml index a0e1afe0..ab900162 100644 --- a/common/golang-external-secrets/Chart.yaml +++ b/common/golang-external-secrets/Chart.yaml @@ -6,6 +6,6 @@ name: golang-external-secrets version: 0.0.1 dependencies: - name: external-secrets - version: "0.8.1" + version: "0.8.5" repository: "https://charts.external-secrets.io" #"https://external-secrets.github.io/kubernetes-external-secrets" diff --git a/common/golang-external-secrets/README.md b/common/golang-external-secrets/README.md index 6db62db7..e12d58f1 100644 --- a/common/golang-external-secrets/README.md +++ b/common/golang-external-secrets/README.md @@ -3,3 +3,12 @@ When updating this sub-chart, please remember to tweak the image tag in values.yaml. That is because we want to use -ubi images if possible and there is no suffix option, so we just override the tag with the version + "-ubi" + +## Steps + +1. Edit the version in Chart.yaml +2. Run `helm dependency update .` +3. Run `./update-helm-dependency.sh` +4. Tweak `values.yaml` with the new image versions +5. Run `make test` +6. Commit to git diff --git a/common/golang-external-secrets/charts/external-secrets-0.8.1.tgz b/common/golang-external-secrets/charts/external-secrets-0.8.1.tgz deleted file mode 100644 index 73fc4a59..00000000 Binary files a/common/golang-external-secrets/charts/external-secrets-0.8.1.tgz and /dev/null differ diff --git a/common/golang-external-secrets/charts/external-secrets-0.8.5.tgz b/common/golang-external-secrets/charts/external-secrets-0.8.5.tgz new file mode 100644 index 00000000..af7525bf Binary files /dev/null and b/common/golang-external-secrets/charts/external-secrets-0.8.5.tgz differ diff --git a/common/golang-external-secrets/local-patches/0001-runasuser-comment-out.patch b/common/golang-external-secrets/local-patches/0001-runasuser-comment-out.patch new file mode 100644 index 00000000..6545881f --- /dev/null 
+++ b/common/golang-external-secrets/local-patches/0001-runasuser-comment-out.patch @@ -0,0 +1,48 @@ +diff -up external-secrets/values.yaml.orig external-secrets/values.yaml +--- external-secrets/values.yaml.orig 2023-07-31 15:12:18.815909938 +0200 ++++ external-secrets/values.yaml 2023-07-31 15:32:59.905360226 +0200 +@@ -117,9 +117,11 @@ securityContext: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true +- runAsUser: 1000 +- seccompProfile: +- type: RuntimeDefault ++ # runAsUser: 1000 ++ # Uncomment this once 4.10 is out of scope ++ # seccompProfile: ++ # type: RuntimeDefault ++ seccompProfile: null + + resources: {} + # requests: +@@ -331,9 +333,11 @@ webhook: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true +- runAsUser: 1000 +- seccompProfile: +- type: RuntimeDefault ++ # runAsUser: 1000 ++ seccompProfile: null ++ # Uncomment this once 4.10 is out of scope ++ # seccompProfile: ++ # type: RuntimeDefault + + resources: {} + # requests: +@@ -453,9 +457,11 @@ certController: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true +- runAsUser: 1000 +- seccompProfile: +- type: RuntimeDefault ++ # runAsUser: 1000 ++ seccompProfile: null ++ # Uncomment this once 4.10 is out of scope ++ # seccompProfile: ++ # type: RuntimeDefault + + resources: {} + # requests: diff --git a/common/golang-external-secrets/update-helm-dependency.sh b/common/golang-external-secrets/update-helm-dependency.sh new file mode 100755 index 00000000..492148eb --- /dev/null +++ b/common/golang-external-secrets/update-helm-dependency.sh 
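Review bot: The patch comments out `runAsUser: 1000` and nulls `seccompProfile` in all three components under the same note `Uncomment this once 4.10 is out of scope`, but the two changes likely have different lifetimes: on OpenShift the restricted SCCs assign the UID from the namespace range and, as far as I know, reject a pod that pins `runAsUser` outside it, so that line stays out permanently, whereas `seccompProfile: RuntimeDefault` is only a 4.10 admission problem and is applied by restricted-v2 anyway from 4.11. Split the comments so nobody restores the UID later: `# runAsUser left unset on purpose: OpenShift SCCs assign the UID; do not restore` on the first, keep the 4.10 note on the seccomp lines. `runAsNonRoot: true` and the dropped capabilities remain in place, which is the hardening that matters here.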
@@ -0,0 +1,29 @@ +#!/bin/bash +set -eu + +# Get the version of the dependency and then unquote it +TMPVER=$(sed -e '1,/^version:/ d' "Chart.yaml" | grep "version:" | awk '{ print $2 }') +VERSION=$(eval echo "${TMPVER}") + +# Chart format is external-secrets-0.8.0.tgz +NAME="external-secrets" +TAR="${NAME}-${VERSION}.tgz" +CHARTDIR="charts" + +if [ ! -f "${CHARTDIR}/${TAR}" ]; then + echo "Charts $TAR not found" + exit 1 +fi + +pushd "${CHARTDIR}" +rm -rf "${NAME}" +tar xfz "${TAR}" +pushd "${NAME}" +for i in ../../local-patches/*.patch; do + filterdiff "${i}" -p1 -x 'test/*' | patch -p1 +done +find . -type f -iname '*.orig' -exec rm -f "{}" \; +popd +tar cvfz "${TAR}" "${NAME}" +rm -rf "${NAME}" +popd diff --git a/common/golang-external-secrets/values.yaml b/common/golang-external-secrets/values.yaml index 7c7ce7dc..0030eda3 100644 --- a/common/golang-external-secrets/values.yaml +++ b/common/golang-external-secrets/values.yaml @@ -9,14 +9,12 @@ global: clusterGroup: isHubCluster: true - - external-secrets: image: - tag: v0.8.1-ubi + tag: v0.8.5-ubi webhook: image: - tag: v0.8.1-ubi + tag: v0.8.5-ubi certController: image: - tag: v0.8.1-ubi + tag: v0.8.5-ubi diff --git a/common/hashicorp-vault/Chart.yaml b/common/hashicorp-vault/Chart.yaml index 5e929ec1..6df9f5ec 100644 --- a/common/hashicorp-vault/Chart.yaml +++ b/common/hashicorp-vault/Chart.yaml @@ -6,5 +6,5 @@ name: hashicorp-vault version: 0.0.1 dependencies: - name: vault - version: "0.23.0" + version: "0.24.1" repository: "https://helm.releases.hashicorp.com" diff --git a/common/hashicorp-vault/README.md b/common/hashicorp-vault/README.md index dbc0f016..84065ffd 100644 --- a/common/hashicorp-vault/README.md +++ b/common/hashicorp-vault/README.md 
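Review bot: `VERSION=$(eval echo "${TMPVER}")` runs whatever text follows `version:` in Chart.yaml through `eval`, so a Chart.yaml edited in a pull request (`version: "$(curl … | sh)"`) executes code on the maintainer's machine when they refresh the dependency; strip the quotes with parameter expansion instead, `VERSION="${TMPVER//[\"\']/}"`. `set -eu` lacks `pipefail`, so if `filterdiff` fails in `filterdiff "${i}" -p1 -x 'test/*' | patch -p1`, `patch` reads an empty stream and exits 0 and the script repackages an unpatched chart — use `set -euo pipefail`. The script is a near copy of common/hashicorp-vault/update-helm-dependency.sh, so the same fixes belong there.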
@@ -1,5 +1,13 @@ # VP hashicorp-vault +## Updating the chart + +1. Edit Chart.yaml with the new version +2. In the hashicorp-vault folder, run: `helm dependency update .` +3. Run `./update-helm-dependency.sh` +4. Check that the images in ./values.yaml are the same version as [upstream](https://github.com/hashicorp/vault-helm/blob/main/values.openshift.yaml) +5. Git add the new chart in `./charts/vault-.tgz` + ## Patches ### Issue 9136 diff --git a/common/hashicorp-vault/charts/vault-0.23.0.tgz b/common/hashicorp-vault/charts/vault-0.23.0.tgz deleted file mode 100644 index 7e8660a0..00000000 Binary files a/common/hashicorp-vault/charts/vault-0.23.0.tgz and /dev/null differ diff --git a/common/hashicorp-vault/charts/vault-0.24.1.tgz b/common/hashicorp-vault/charts/vault-0.24.1.tgz new file mode 100644 index 00000000..94b38500 Binary files /dev/null and b/common/hashicorp-vault/charts/vault-0.24.1.tgz differ diff --git a/common/hashicorp-vault/update-helm-dependency.sh b/common/hashicorp-vault/update-helm-dependency.sh index fafe3dde..76e4ac14 100755 --- a/common/hashicorp-vault/update-helm-dependency.sh +++ b/common/hashicorp-vault/update-helm-dependency.sh @@ -22,6 +22,7 @@ pushd "${NAME}" for i in ../../local-patches/*.patch; do filterdiff "${i}" -p1 -x 'test/*' | patch -p1 done +find . -type f -iname '*.orig' -exec rm -f "{}" \; popd tar cvfz "${TAR}" "${NAME}" rm -rf "${NAME}" diff --git a/common/hashicorp-vault/values.yaml b/common/hashicorp-vault/values.yaml index a0e91908..585e9274 100644 --- a/common/hashicorp-vault/values.yaml +++ b/common/hashicorp-vault/values.yaml @@ -49,4 +49,4 @@ vault: termination: "reencrypt" image: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.12.1-ubi" + tag: "1.13.1-ubi" diff --git a/common/letsencrypt/.helmignore b/common/letsencrypt/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/common/letsencrypt/.helmignore 
@@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/common/letsencrypt/Chart.yaml b/common/letsencrypt/Chart.yaml new file mode 100644 index 00000000..b5b1c31b --- /dev/null +++ b/common/letsencrypt/Chart.yaml @@ -0,0 +1,16 @@ +apiVersion: v2 +name: letsencrypt +description: A Helm chart to add letsencrypt support to Validated Patterns + +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "1.16.0" diff --git a/common/letsencrypt/README.md b/common/letsencrypt/README.md new file mode 100644 index 00000000..d277abaa --- /dev/null +++ b/common/letsencrypt/README.md 
@@ -0,0 +1,68 @@ +# Letsencrypt support for Validated patterns + +This is an *EXPERIMENTAL* and *UNSUPPORTED* chart to enable letsencrypt support in the pattern. +Currently the only supported cloud for this is AWS. + +In order to enable this chart in your patterns, please add and edit the following lines to `values-AWS.yaml`: + + letsencrypt: + region: eu-central-1 # region of the cluster + server: https://acme-v02.api.letsencrypt.org/directory + # staging URL + # server: https://acme-staging-v02.api.letsencrypt.org/directory + email: foo@bar.it + + clusterGroup: + applications: + letsencrypt: + name: letsencrypt + namespace: letsencrypt + project: default + path: common/letsencrypt + +Once the above is enabled in a pattern, a certain amount of time (~15/20 minutes or so) is needed for all the cluster operators to settle, all the HTTPS routes will have a wildcard certificate signed by letsencrypt. By default also the API endpoint will use a certificate signed by letsencrypt. + +## Limitations + +Please be aware of the following gotchas when using this chart: + +1. Once the API certificate has been replaced with the letsencrypt one, the `oc` commands might fail with x509 unknown certificate authority errors. + You need to remove the previous CA from the kubeconfig file. Run: `oc config set-cluster --certificate-authority="/dev/null" --embed-certs` +2. When you switch to non-staging letsencrypt certificates, things might fail if you asked for too many certificates over the last few days. +3. The cluster takes ~20-30 mins to fully settle when both the API endpoint and the default ingress certificates are implemented + +## Implementation + +This chart creates a Cloud Credential that is allowed to write and read DNS entries via Route53 in AWS. That credential is then used by cert-manager to prove ownership of the DNS zone and answer the ACME DNS01 challenges. 
+We ask for a single wildcard certificate for the default Ingress *.apps.domain and one non-wildcard certificate for the API endpoint api.domain. +We use Argo's Server-Side Apply feature to patch in the Ingress Controller and the API endpoint certificates. +Currently we also patch the main cluster-wide Argo instance to set the tls route to `reencrypt` in order have a proper cert there. Once issue 297 in the gitops-operator repository is fixed, we can drop that. + +## Parameters + +### global parameters + +This section contains the global parameters consumed by this chart + +| Name | Description | Value | +| --------------------------- | ---------------------------------------------------------------------------------------------------- | ------------------ | +| `global.localClusterDomain` | String containing the domain including the apps. prefix. Gets set by the Validated Pattern framework | `apps.example.com` | + +### letsencrypt parameters + +This section contains all the parameters for the letsencrypt +chart in order to request CA signed certificates in a Validated Pattern + +| Name | Description | Value | +| -------------------------------- | --------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------- | +| `letsencrypt.enabled` | Boolean to enable this feature and request a wildcard cert for the default Infress (*.apps.domain) (defaults to True) | `true` | +| `letsencrypt.api_endpoint` | Boolean to enable letsencrypt certs on the API endpoint too (defaults to True) | `true` | +| `letsencrypt.region` | String that defines the region used by the route53/dns01 resolver in cert-manager (required) | `eu-central-1` | +| `letsencrypt.email` | String containing the email used when requesting certificates to letsencrypt (required) | `test@example.com` | +| `letsencrypt.server` | String containing the letsencrypt ACME URL (Defaults to the staging server) | 
`https://acme-staging-v02.api.letsencrypt.org/directory` | +| `letsencrypt.organizations` | List of organization names to be put in a certificate (Defaults to [hybrid-cloud-patterns.io]) | `["hybrid-cloud-patterns.io"]` | +| `letsencrypt.usages` | List of certificate uses. See API cert-manager.io/v1.KeyUsage (Defaults to [server auth]) | `["server auth"]` | +| `letsencrypt.duration` | Duration of the requested letsencrypt certificates (Defaults to 168h0m0s) | `168h0m0s` | +| `letsencrypt.renewBefore` | How long before expiration date should the certs be renewed (Defaults to 28h0m0s) | `28h0m0s` | +| `letsencrypt.nameservers` | List of DNS server (ip:port strings) to be used when doing DNS01 challenges (Defaults to [8.8.8.8:53, 1.1.1.1:53]) | `["8.8.8.8:53","1.1.1.1:53"]` | +| `letsencrypt.certmanagerChannel` | String the channel to install cert-manager from (Defaults to "stable-v1") | `stable-v1` | diff --git a/common/letsencrypt/templates/api-cert.yaml b/common/letsencrypt/templates/api-cert.yaml new file mode 100644 index 00000000..ed9e7c0e --- /dev/null +++ b/common/letsencrypt/templates/api-cert.yaml 
@@ -0,0 +1,28 @@ +{{ if and (.Values.letsencrypt.enabled) (.Values.letsencrypt.api_endpoint) }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: api-validated-patterns-cert + namespace: openshift-config + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + secretName: api-validated-patterns-letsencrypt-cert + duration: {{ .Values.letsencrypt.duration }} + renewBefore: {{ .Values.letsencrypt.renewBefore }} + commonName: 'api.{{ $.Values.global.localClusterDomain | replace "apps." "" }}' + usages: + {{- range .Values.letsencrypt.usages }} + - {{ . }} + {{- end }} + dnsNames: + - api.{{ $.Values.global.localClusterDomain | replace "apps." "" }} + issuerRef: + name: validated-patterns-issuer + kind: ClusterIssuer + subject: + organizations: + {{- range .Values.letsencrypt.organizations }} + - {{ . }} + {{- end }} +{{- end }} diff --git a/common/letsencrypt/templates/cert-manager-installation.yaml b/common/letsencrypt/templates/cert-manager-installation.yaml new file mode 100644 index 00000000..59375b00 --- /dev/null +++ b/common/letsencrypt/templates/cert-manager-installation.yaml 
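Review bot: `$.Values.global.localClusterDomain | replace "apps." ""` removes every occurrence of `apps.` in the domain, not only the leading label, so a cluster at `apps.ocp.myapps.example.com` requests a certificate for `api.ocp.myexample.com` — a name the cluster does not own, which fails the DNS01 challenge or succeeds against the wrong zone. Use `trimPrefix "apps."` in both `commonName` and `dnsNames` (default-routes.yaml repeats the same expression). Quoting the templated items in `usages` and `organizations`, `- {{ . | quote }}`, also keeps a value like `server auth` from being re-parsed.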
@@ -0,0 +1,38 @@ +{{ if .Values.letsencrypt.enabled }} +--- +apiVersion: operators.coreos.com/v1alpha1 +kind: Subscription +metadata: + name: openshift-cert-manager-operator + namespace: cert-manager-operator +spec: + channel: "{{ .Values.letsencrypt.certmanagerChannel }}" + installPlanApproval: Automatic + name: openshift-cert-manager-operator + source: redhat-operators + sourceNamespace: openshift-marketplace +--- +apiVersion: operators.coreos.com/v1 +kind: OperatorGroup +metadata: + name: cert-manager-operator + namespace: cert-manager-operator +spec: + targetNamespaces: + - cert-manager-operator +--- +apiVersion: operator.openshift.io/v1alpha1 +kind: CertManager +metadata: + name: cluster + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + managementState: "Managed" + unsupportedConfigOverrides: + # Here's an example to supply custom DNS settings. + controller: + args: + - "--dns01-recursive-nameservers={{ with index .Values.letsencrypt.nameservers 0 }}{{ . }}{{- end }},{{ with index .Values.letsencrypt.nameservers 1 }}{{ . }}{{- end }}" + - "--dns01-recursive-nameservers-only" +{{- end }} diff --git a/common/letsencrypt/templates/credentials-request.yaml b/common/letsencrypt/templates/credentials-request.yaml new file mode 100644 index 00000000..27aad295 --- /dev/null +++ b/common/letsencrypt/templates/credentials-request.yaml 
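Review bot: The `--dns01-recursive-nameservers` argument is assembled from `index .Values.letsencrypt.nameservers 0` and `index … 1`, so a list with one resolver makes Helm fail with an index-out-of-range error and a third entry is silently dropped. Join the list instead: `- "--dns01-recursive-nameservers={{ join "," .Values.letsencrypt.nameservers }}"`. The `Validate=false` sync option on `CertManager` hides schema errors inside `unsupportedConfigOverrides`, so check the rendered object after the first sync, and a comment that `installPlanApproval: Automatic` means cert-manager upgrades roll out unreviewed would be fair warning for a cluster-wide certificate component.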
@@ -0,0 +1,24 @@
+{{ if .Values.letsencrypt.enabled }}
+apiVersion: cloudcredential.openshift.io/v1
+kind: CredentialsRequest
+metadata:
+ name: letsencrypt-cert-manager-dns
+ namespace: openshift-cloud-credential-operator
+ annotations:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+ providerSpec:
+ apiVersion: cloudcredential.openshift.io/v1
+ kind: AWSProviderSpec
+ statementEntries:
+ - action:
+ - 'route53:ChangeResourceRecordSets'
+ - 'route53:GetChange'
+ - 'route53:ListHostedZonesByName'
+ - 'route53:ListHostedZones'
+ effect: Allow
+ resource: '*'
+ secretRef:
+ name: cert-manager-dns-credentials
+ namespace: cert-manager
+{{- end }}
diff --git a/common/letsencrypt/templates/default-routes.yaml b/common/letsencrypt/templates/default-routes.yaml
new file mode 100644
index 00000000..8a01db6a
--- /dev/null
+++ b/common/letsencrypt/templates/default-routes.yaml
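Review bot: `resource: '*'` grants `route53:ChangeResourceRecordSets` on every hosted zone in the account, which is broader than the DNS01 solver in issuer.yaml needs; the two `List*` actions do require `*`, but the write action can be limited to the zone(s) serving `localClusterDomain` (cert-manager's documented policy uses `arn:aws:route53:::hostedzone/*` for record changes and `arn:aws:route53:::change/*` for `GetChange`, and a specific hosted-zone ARN is tighter still). Splitting `statementEntries` into per-resource entries keeps the credential minimal if it is ever leaked from the `cert-manager-dns-credentials` secret. cert-manager's reference policy also lists `route53:ListResourceRecordSets`; whether the solver version installed here needs it is not visible in the diff and should be confirmed against the cert-manager docs for the chosen channel.

```yaml
    kind: AWSProviderSpec
    statementEntries:
      - action:
          - 'route53:ListHostedZonesByName'
          - 'route53:ListHostedZones'
        effect: Allow
        resource: '*'
      - action:
          - 'route53:GetChange'
        effect: Allow
        resource: 'arn:aws:route53:::change/*'
      - action:
          - 'route53:ChangeResourceRecordSets'
        effect: Allow
        # constructed placeholder: narrow to the hosted zone(s) that serve localClusterDomain
        resource: 'arn:aws:route53:::hostedzone/HOSTED_ZONE_ID_PLACEHOLDER'
    # … unchanged: secretRef …
```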
@@ -0,0 +1,46 @@
+{{ if .Values.letsencrypt.enabled }}
+---
+apiVersion: operator.openshift.io/v1
+kind: IngressController
+metadata:
+ name: default
+ namespace: openshift-ingress-operator
+ annotations:
+ argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true
+spec:
+ routeAdmission:
+ wildcardPolicy: WildcardsAllowed
+ defaultCertificate:
+ name: lets-encrypt-wildcart-cert-tls
+# Patch the cluster-wide argocd instance so it uses the ingress tls cert
+---
+apiVersion: argoproj.io/v1alpha1
+kind: ArgoCD
+metadata:
+ name: openshift-gitops
+ namespace: openshift-gitops
+ annotations:
+ argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true
+spec:
+ server:
+ route:
+ enabled: true
+ tls:
+ termination: reencrypt
+{{ if .Values.letsencrypt.api_endpoint }}
+---
+apiVersion: config.openshift.io/v1
+kind: APIServer
+metadata:
+ name: cluster
+ annotations:
+ argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true
+spec:
+ servingCerts:
+ namedCertificates:
+ - names:
+ - api.{{ $.Values.global.localClusterDomain | replace "apps." "" }}
+ servingCertificate:
+ name: api-validated-patterns-letsencrypt-cert
+{{- end }}
+{{- end }}
diff --git a/common/letsencrypt/templates/issuer.yaml b/common/letsencrypt/templates/issuer.yaml
new file mode 100644
index 00000000..1370500f
--- /dev/null
+++ b/common/letsencrypt/templates/issuer.yaml
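Review bot: `wildcardPolicy: WildcardsAllowed` on the default IngressController widens route admission cluster-wide — routes may then request `wildcardPolicy: Subdomain` and claim every host under a subdomain — and, as far as the visible templates show, nothing here depends on it: `defaultCertificate` serves the wildcard certificate whether or not wildcard routes are admitted. If it is intentional, a comment above `routeAdmission` naming the routes that rely on it would justify the broader policy; otherwise the `routeAdmission` stanza can be dropped. The secret name `lets-encrypt-wildcart-cert-tls` (also the `secretName` in wildcard-cert.yaml) looks like a typo for `wildcard`; if renamed, both places must change together, and the certificate must stay in `openshift-ingress` since that is where the IngressController resolves `defaultCertificate`.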
@@ -0,0 +1,25 @@
+{{ if .Values.letsencrypt.enabled }}
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: validated-patterns-issuer
+ annotations:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+ acme:
+ server: {{ .Values.letsencrypt.server }}
+ email: {{ .Values.letsencrypt.email }}
+ privateKeySecretRef:
+ name: validated-patterns-issuer-account-key
+ solvers:
+ - selector: {}
+ dns01:
+ route53:
+ region: {{ .Values.letsencrypt.region }}
+ accessKeyIDSecretRef:
+ name: cert-manager-dns-credentials
+ key: aws_access_key_id
+ secretAccessKeySecretRef:
+ name: cert-manager-dns-credentials
+ key: aws_secret_access_key
+{{- end }}
diff --git a/common/letsencrypt/templates/namespaces.yaml b/common/letsencrypt/templates/namespaces.yaml
new file mode 100644
index 00000000..a4f65fe5
--- /dev/null
+++ b/common/letsencrypt/templates/namespaces.yaml
@@ -0,0 +1,20 @@
+{{ if .Values.letsencrypt.enabled }}
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cert-manager-operator
+spec:
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cert-manager
+spec:
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: letsencrypt
+spec:
+---
+{{- end }}
diff --git a/common/letsencrypt/templates/wildcard-cert.yaml b/common/letsencrypt/templates/wildcard-cert.yaml
new file mode 100644
index 00000000..e7b82480
--- /dev/null
+++ b/common/letsencrypt/templates/wildcard-cert.yaml
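Review bot: `server`, `email` and `region` are rendered as bare template expressions; an unset value renders the key as null rather than an empty string, which the cert-manager API rejects with a less direct error than a template failure, and a value containing `: ` or ` #` would break the mapping. Quoting them — `server: "{{ .Values.letsencrypt.server }}"`, and likewise for `email` and `region` — matches how cert-manager-installation.yaml already quotes `certmanagerChannel`. The credentials referenced under `route53` are created by credentials-request.yaml in namespace `cert-manager`; a comment above `accessKeyIDSecretRef` pointing there would make the dependency visible, since a ClusterIssuer only resolves secrets from its configured cluster resource namespace.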
@@ -0,0 +1,28 @@
+{{ if .Values.letsencrypt.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: lets-encrypt-certs
+ namespace: openshift-ingress
+ annotations:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+ secretName: lets-encrypt-wildcart-cert-tls
+ duration: {{ .Values.letsencrypt.duration }}
+ renewBefore: {{ .Values.letsencrypt.renewBefore }}
+ commonName: '*.{{ $.Values.global.localClusterDomain }}'
+ usages:
+ {{- range .Values.letsencrypt.usages }}
+ - {{ . }}
+ {{- end }}
+ dnsNames:
+ - '*.{{ $.Values.global.localClusterDomain }}'
+ issuerRef:
+ name: validated-patterns-issuer
+ kind: ClusterIssuer
+ subject:
+ organizations:
+ {{- range .Values.letsencrypt.organizations }}
+ - {{ . }}
+ {{- end }}
+{{- end }}
diff --git a/common/letsencrypt/values.yaml b/common/letsencrypt/values.yaml
new file mode 100644
index 00000000..a95957b8
--- /dev/null
+++ b/common/letsencrypt/values.yaml
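Review bot: `commonName: '*.{{ $.Values.global.localClusterDomain }}'` is subject to the 64-character X.509 CN limit, so a long cluster domain can make issuance fail even though the same name in `dnsNames` is accepted; since the SAN already carries the name, the `commonName` line can be omitted, or a comment beside it should state the length constraint. The api certificate template earlier in this diff has the same exposure. The `usages` and `organizations` items are rendered bare (`- {{ . }}`); quoting them, `- "{{ . }}"`, guards against list entries that YAML would otherwise retype.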
@@ -0,0 +1,60 @@
+# NOTE: This is currently an experimental/unsupported chart!
+# Default values for the experimental letsencrypt chart
+# Generate the README.md sections using https://github.com/bitnami-labs/readme-generator-for-helm
+#
+## @section global parameters
+## @descriptionStart This section contains the global parameters consumed by this chart
+## @descriptionEnd
+global:
+ ## @param global.localClusterDomain String containing the domain including the apps. prefix. Gets set by the Validated Pattern framework
+ localClusterDomain: "apps.example.com"
+
+## @section letsencrypt parameters
+## @descriptionStart This section contains all the parameters for the letsencrypt
+## chart in order to request CA signed certificates in a Validated Pattern
+## @descriptionEnd
+letsencrypt:
+ # By default if you include this chart you enable the letsencrypt charts
+ # on both the *.apps. ingress and on the API endpoint
+ ## @param letsencrypt.enabled Boolean to enable this feature and request a wildcard cert for the default Infress (*.apps.domain) (defaults to True)
+ enabled: true
+ ## @param letsencrypt.api_endpoint Boolean to enable letsencrypt certs on the API endpoint too (defaults to True)
+ api_endpoint: true
+
+ # These two lines need tweaking for every deployment. @example.com emails
+ # will be rejected by letsencrypt
+ ## @param letsencrypt.region String that defines the region used by the route53/dns01 resolver in cert-manager (required)
+ region: eu-central-1
+ ## @param letsencrypt.email String containing the email used when requesting certificates to letsencrypt (required)
+ email: test@example.com
+
+ # By default we use the staging URL to avoid any ratelimiting while testing
+ # To switch to the production certificates signed by a recognized CA, please
+ # switch the comments around in the two following lines
+ ## @param letsencrypt.server String containing the letsencrypt ACME URL (Defaults to the staging server)
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+ # server: https://acme-v02.api.letsencrypt.org/directory
+
+ # These are only for metadata in the certificates
+ ## @param letsencrypt.organizations List of organization names to be put in a certificate (Defaults to [hybrid-cloud-patterns.io])
+ organizations:
+ - hybrid-cloud-patterns.io
+ ## @param letsencrypt.usages List of certificate uses. See API cert-manager.io/v1.KeyUsage (Defaults to [server auth])
+ usages:
+ - server auth
+
+ ## @param letsencrypt.duration Duration of the requested letsencrypt certificates (Defaults to 168h0m0s)
+ duration: "168h0m0s"
+ ## @param letsencrypt.renewBefore How long before expiration date should the certs be renewed (Defaults to 28h0m0s)
+ renewBefore: "28h0m0s"
+
+ # These two are needed because the DNS01 ACME solver needs outside DNS
+ # servers and won't really work with openshift's internal split-view DNS servers
+ # https://cert-manager.io/docs/configuration/acme/dns01/#setting-nameservers-for-dns01-self-check
+ ## @param letsencrypt.nameservers List of DNS server (ip:port strings) to be used when doing DNS01 challenges (Defaults to [8.8.8.8:53, 1.1.1.1:53])
+ nameservers:
+ - 8.8.8.8:53
+ - 1.1.1.1:53
+
+ ## @param letsencrypt.certmanagerChannel String the channel to install cert-manager from (Defaults to "stable-v1")
+ certmanagerChannel: "stable-v1"
diff --git a/common/operator-install/templates/pattern.yaml b/common/operator-install/templates/pattern.yaml
index efe9f3ba..d8b3df81 100644
--- a/common/operator-install/templates/pattern.yaml
+++ b/common/operator-install/templates/pattern.yaml
@@ -10,6 +10,7 @@ spec:
 targetRevision: {{ .Values.main.git.revision }}
 gitOpsSpec:
 operatorChannel: {{ default "gitops-1.8" .Values.main.gitops.channel }}
+ operatorSource: {{ default "redhat-operators" .Values.main.gitops.operatorSource }}
 {{- if .Values.main.extraParameters }}
 extraParameters:
 {{- range .Values.main.extraParameters }}
diff --git a/common/operator-install/templates/subscription.yaml b/common/operator-install/templates/subscription.yaml
index 381e185f..41d0d211 100644
--- a/common/operator-install/templates/subscription.yaml
+++ b/common/operator-install/templates/subscription.yaml
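Review bot: `api_endpoint` is the only snake_case key in the `letsencrypt` block, alongside `renewBefore` and `certmanagerChannel` in camelCase; since every template referencing it is new in this diff, renaming it to `apiEndpoint` now (and updating the `and` condition in the api certificate template and the `if` in default-routes.yaml) avoids a breaking rename later. The `@param letsencrypt.enabled` line reads `Infress`; it should read `Ingress`. `email: test@example.com` is, per the comment two lines above it, a value Let's Encrypt rejects, and `region` is likewise marked required only in the `@param` text; a `# must be overridden per deployment` marker on the `email:` and `region:` lines themselves makes that explicit to anyone who reads only the key.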
@@ -6,8 +6,8 @@ metadata: labels: operators.coreos.com/patterns-operator.openshift-operators: "" spec: - channel: fast + channel: {{ .Values.main.patternsOperator.channel }} installPlanApproval: Automatic name: patterns-operator - source: community-operators + source: {{ .Values.main.patternsOperator.source }} sourceNamespace: openshift-marketplace diff --git a/common/operator-install/values.yaml b/common/operator-install/values.yaml index d3ff7fe7..d5b0b13f 100644 --- a/common/operator-install/values.yaml +++ b/common/operator-install/values.yaml @@ -5,5 +5,10 @@ main: gitops: channel: "gitops-1.8" + operatorSource: redhat-operators + + patternsOperator: + channel: fast + source: community-operators clusterGroupName: default diff --git a/common/scripts/pattern-util.sh b/common/scripts/pattern-util.sh index 82416a2d..f55bbdee 100755 --- a/common/scripts/pattern-util.sh +++ b/common/scripts/pattern-util.sh @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash if [ -z "$PATTERN_UTILITY_CONTAINER" ]; then PATTERN_UTILITY_CONTAINER="quay.io/hybridcloudpatterns/utility-container" @@ -14,6 +14,13 @@ for i in ${UNSUPPORTED_PODMAN_VERSIONS}; do fi done +if [ -n "$KUBECONFIG" ]; then + if [[ ! "${KUBECONFIG}" =~ ^$HOME* ]]; then + echo "${KUBECONFIG} is pointing outside of the HOME folder, this will make it unavailable from the container." + echo "Please move it somewhere inside your $HOME folder, as that is what gets bind-mounted inside the container" + exit 1 + fi +fi # Copy Kubeconfig from current environment. The utilities will pick up ~/.kube/config if set so it's not mandatory # $HOME is mounted as itself for any files that are referenced with absolute paths # $HOME is mounted to /root because the UID in the container is 0 and that's where SSH looks for credentials 
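Review bot: `channel:` and `source:` now render bare `{{ .Values.main.patternsOperator.channel }}` / `{{ .Values.main.patternsOperator.source }}`; if an override file nulls either key the Subscription is rendered with a null value and rejected by OLM, a less direct failure than a template error. The pattern.yaml hunk in the same commit wraps its new value in `default "redhat-operators"`; doing the same here, `channel: {{ default "fast" .Values.main.patternsOperator.channel }}` and `source: {{ default "community-operators" .Values.main.patternsOperator.source }}`, preserves the previous hard-coded behaviour and keeps the two templates consistent. Quoting the rendered scalars, as cert-manager-installation.yaml does for its channel, would also protect against values that YAML would retype.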
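Review bot: The regex `^$HOME*` in the added KUBECONFIG check does not test what the message describes: `*` binds only to the last character of the expanded `$HOME`, so a path such as `/home/use` or `/home/userX/config` passes while the unquoted expansion also lets any regex metacharacter in the home path alter the pattern. A quoted glob prefix match does the intended check: `if [[ "${KUBECONFIG}" != "${HOME}"/* ]]; then`. KUBECONFIG may also hold a colon-separated list of files; the check treats it as a single path, which is worth stating in the comment above the block or handling by iterating over `${KUBECONFIG//:/ }`.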
@@ -27,7 +34,7 @@ fi # Do not quote the ${KUBECONF_ENV} below, otherwise we will pass '' to podman # which will be confused -podman run -it \ +podman run -it --rm \ --security-opt label=disable \ ${KUBECONF_ENV} \ -v "${HOME}":"${HOME}" \ diff --git a/common/tests/acm-industrial-edge-hub.expected.yaml b/common/tests/acm-industrial-edge-hub.expected.yaml index f9772238..444b833c 100644 --- a/common/tests/acm-industrial-edge-hub.expected.yaml +++ b/common/tests/acm-industrial-edge-hub.expected.yaml @@ -10,6 +10,7 @@ metadata: namespace: open-cluster-management annotations: argocd.argoproj.io/sync-wave: "-1" + installer.open-cluster-management.io/mce-subscription-spec: '{"source": "redhat-operators" }' spec: {} --- # Source: acm/templates/policies/acm-hub-ca-policy.yaml 
@@ -205,14 +206,14 @@ spec: helm: ignoreMissingValueFiles: true valueFiles: - - "/values-global.yaml" - - "/values-factory.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-factory.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-factory.yaml' + - "/values-global.yaml" + - "/values-factory.yaml" + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-factory.yaml' + # We cannot use $.Values.global.clusterVersion because that gets resolved to the + # hub's cluster version, whereas we want to include the spoke cluster version + - '/values-{{ printf "%d.%d" ((semver (lookup 
"operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-factory.yaml' parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL @@ -245,6 +246,8 @@ spec: automated: prune: false selfHeal: true + retry: + limit: 20 ignoreDifferences: - group: apps kind: Deployment diff --git a/common/tests/acm-medical-diagnosis-hub.expected.yaml b/common/tests/acm-medical-diagnosis-hub.expected.yaml index 5e064480..f79e013b 100644 --- a/common/tests/acm-medical-diagnosis-hub.expected.yaml +++ b/common/tests/acm-medical-diagnosis-hub.expected.yaml @@ -10,6 +10,7 @@ metadata: namespace: open-cluster-management annotations: argocd.argoproj.io/sync-wave: "-1" + installer.open-cluster-management.io/mce-subscription-spec: '{"source": "redhat-operators" }' spec: {} --- # Source: acm/templates/policies/acm-hub-ca-policy.yaml 
@@ -196,14 +197,14 @@ spec: helm: ignoreMissingValueFiles: true valueFiles: - - "/values-global.yaml" - - "/values-region-one.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-region-one.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-region-one.yaml' + - "/values-global.yaml" + - "/values-region-one.yaml" + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-region-one.yaml' + # We cannot use $.Values.global.clusterVersion because that gets resolved to the + # hub's cluster version, whereas we want to include the spoke cluster version + - '/values-{{ printf "%d.%d" 
((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-region-one.yaml' parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL @@ -236,6 +237,8 @@ spec: automated: prune: false selfHeal: true + retry: + limit: 20 ignoreDifferences: - group: apps kind: Deployment diff --git a/common/tests/acm-naked.expected.yaml b/common/tests/acm-naked.expected.yaml index 86d7277d..cb73d733 100644 --- a/common/tests/acm-naked.expected.yaml +++ b/common/tests/acm-naked.expected.yaml @@ -13,6 +13,7 @@ metadata: namespace: open-cluster-management annotations: argocd.argoproj.io/sync-wave: "-1" + installer.open-cluster-management.io/mce-subscription-spec: '{"source": "redhat-operators" }' spec: {} --- # Source: acm/templates/policies/ocp-gitops-policy.yaml diff --git a/common/tests/acm-normal.expected.yaml b/common/tests/acm-normal.expected.yaml index 79a9dde4..900cc291 100644 --- a/common/tests/acm-normal.expected.yaml +++ b/common/tests/acm-normal.expected.yaml 
@@ -6,7 +6,7 @@ metadata: name: aws-ap-acm-provision-edge-install-config data: # Base64 encoding of install-config yaml - install-config.yaml: CgphcGlWZXJzaW9uOiB2MQptZXRhZGF0YToKICBuYW1lOiAnYXdzLWFwJyAKYmFzZURvbWFpbjogYmx1ZXByaW50cy5yaGVjb2VuZy5jb20KY29udHJvbFBsYW5lOgogIGFyY2hpdGVjdHVyZTogYW1kNjQKICBoeXBlcnRocmVhZGluZzogRW5hYmxlZAogIG5hbWU6IGNvbnRyb2xQbGFuZQogIHJlcGxpY2FzOiAzCiAgcGxhdGZvcm06CiAgICBhd3M6CiAgICAgIHR5cGU6IG01LnhsYXJnZQpjb21wdXRlOgotIGh5cGVydGhyZWFkaW5nOiBFbmFibGVkCiAgYXJjaGl0ZWN0dXJlOiBhbWQ2NAogIG5hbWU6ICd3b3JrZXInCiAgcmVwbGljYXM6IDMKICBwbGF0Zm9ybToKICAgIGF3czoKICAgICAgdHlwZTogbTUueGxhcmdlCm5ldHdvcmtpbmc6CiAgY2x1c3Rlck5ldHdvcms6CiAgLSBjaWRyOiAxMC4xMjguMC4wLzE0CiAgICBob3N0UHJlZml4OiAyMwogIG1hY2hpbmVOZXR3b3JrOgogIC0gY2lkcjogMTAuMC4wLjAvMTYKICBuZXR3b3JrVHlwZTogT3BlblNoaWZ0U0ROCiAgc2VydmljZU5ldHdvcms6CiAgLSAxNzIuMzAuMC4wLzE2CnBsYXRmb3JtOiB7CiAgImF3cyI6IHsKICAgICJyZWdpb24iOiAiYXAtc291dGhlYXN0LTIiCiAgfQp9CnB1bGxTZWNyZXQ6ICIiICMgc2tpcCwgaGl2ZSB3aWxsIGluamVjdCBiYXNlZCBvbiBpdCdzIHNlY3JldHMKc3NoS2V5OiAiIiAgICAgIyBza2lwLCBoaXZlIHdpbGwgaW5qZWN0IGJhc2VkIG9uIGl0J3Mgc2VjcmV0cw== + install-config.yaml: 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 type: Opaque --- # Source: acm/templates/provision/secrets-common.yaml @@ -16,7 +16,7 @@ metadata: name: azure-us-acm-provision-edge-install-config data: # Base64 encoding of install-config yaml - install-config.yaml: 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 + install-config.yaml: 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 type: Opaque --- # Source: acm/templates/policies/acm-hub-ca-policy.yaml 
@@ -25,21 +25,6 @@ type: Opaque # Source: acm/templates/provision/clusterpool.yaml apiVersion: hive.openshift.io/v1 kind: ClusterClaim -metadata: - name: 'one-acm-provision-edge' - annotations: - argocd.argoproj.io/sync-wave: "20" - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - cluster.open-cluster-management.io/createmanagedcluster: "true" - labels: - clusterClaimName: one-acm-provision-edge - clusterGroup: region -spec: - clusterPoolName: aws-ap ---- -# Source: acm/templates/provision/clusterpool.yaml -apiVersion: hive.openshift.io/v1 -kind: ClusterClaim metadata: name: 'two-acm-provision-edge' annotations: @@ -50,7 +35,7 @@ metadata: clusterClaimName: two-acm-provision-edge clusterGroup: region spec: - clusterPoolName: azure-us + clusterPoolName: azure-us-acm-provision-edge --- # Source: acm/templates/provision/clusterpool.yaml apiVersion: hive.openshift.io/v1 @@ -65,7 +50,7 @@ metadata: clusterClaimName: three-acm-provision-edge clusterGroup: region spec: - clusterPoolName: azure-us + clusterPoolName: azure-us-acm-provision-edge --- # Source: acm/templates/provision/clusterpool.yaml apiVersion: hive.openshift.io/v1 @@ -82,12 +67,12 @@ metadata: cluster.open-cluster-management.io/clusterset: aws-ap spec: size: 3 - runningCount: 1 + runningCount: 0 baseDomain: blueprints.rhecoeng.com installConfigSecretTemplateRef: name: aws-ap-acm-provision-edge-install-config imageSetRef: - name: img4.10.18-x86-64-appsub + name: img4.10.18-multi-appsub pullSecretRef: name: aws-ap-acm-provision-edge-pull-secret skipMachinePools: true # Disable MachinePool as using custom install-config @@ -117,7 +102,7 @@ spec: installConfigSecretTemplateRef: name: azure-us-acm-provision-edge-install-config imageSetRef: - name: img4.10.18-x86-64-appsub + name: img4.10.18-multi-appsub pullSecretRef: name: azure-us-acm-provision-edge-pull-secret skipMachinePools: true # Disable MachinePool as using custom install-config 
@@ -399,6 +384,7 @@ metadata: namespace: open-cluster-management annotations: argocd.argoproj.io/sync-wave: "-1" + installer.open-cluster-management.io/mce-subscription-spec: '{"source": "redhat-operators" }' spec: {} --- # Source: acm/templates/policies/acm-hub-ca-policy.yaml 
@@ -614,14 +600,14 @@ spec: helm: ignoreMissingValueFiles: true valueFiles: - - "/values-global.yaml" - - "/values-acm-edge.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-edge.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-acm-edge.yaml' + - "/values-global.yaml" + - "/values-acm-edge.yaml" + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-edge.yaml' + # We cannot use $.Values.global.clusterVersion because that gets resolved to the + # hub's cluster version, whereas we want to include the spoke cluster version + - '/values-{{ printf "%d.%d" ((semver (lookup 
"operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-acm-edge.yaml' parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL @@ -654,6 +640,8 @@ spec: automated: prune: false selfHeal: true + retry: + limit: 20 ignoreDifferences: - group: apps kind: Deployment 
@@ -706,14 +694,14 @@ spec: helm: ignoreMissingValueFiles: true valueFiles: - - "/values-global.yaml" - - "/values-acm-provision-edge.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-provision-edge.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-acm-provision-edge.yaml' + - "/values-global.yaml" + - "/values-acm-provision-edge.yaml" + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-provision-edge.yaml' + # We cannot use $.Values.global.clusterVersion because that gets resolved to the + # hub's cluster version, whereas we want to include the spoke cluster 
version + - '/values-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-acm-provision-edge.yaml' parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL @@ -746,6 +734,8 @@ spec: automated: prune: false selfHeal: true + retry: + limit: 20 ignoreDifferences: - group: apps kind: Deployment diff --git a/common/tests/clustergroup-industrial-edge-factory.expected.yaml b/common/tests/clustergroup-industrial-edge-factory.expected.yaml index dfb795d4..be93aa88 100644 --- a/common/tests/clustergroup-industrial-edge-factory.expected.yaml +++ b/common/tests/clustergroup-industrial-edge-factory.expected.yaml @@ -1,5 +1,5 @@ --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: @@ -8,7 +8,7 @@ metadata: name: manuela-stormshift-line-dashboard spec: --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: @@ -17,7 +17,7 @@ metadata: name: manuela-stormshift-machine-sensor spec: --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: @@ -26,7 +26,7 @@ metadata: name: manuela-stormshift-messaging spec: --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: @@ -35,7 +35,7 @@ metadata: name: manuela-factory-ml-workspace spec: --- -# Source: pattern-clustergroup/templates/imperative/namespace.yaml +# Source: clustergroup/templates/imperative/namespace.yaml apiVersion: v1 kind: Namespace metadata: 
@@ -44,7 +44,7 @@ metadata: argocd.argoproj.io/managed-by: mypattern-factory name: imperative --- -# Source: pattern-clustergroup/templates/plumbing/gitops-namespace.yaml +# Source: clustergroup/templates/plumbing/gitops-namespace.yaml apiVersion: v1 kind: Namespace metadata: @@ -57,14 +57,14 @@ metadata: name: mypattern-factory spec: {} --- -# Source: pattern-clustergroup/templates/imperative/serviceaccount.yaml +# Source: clustergroup/templates/imperative/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: name: imperative-sa namespace: imperative --- -# Source: pattern-clustergroup/templates/imperative/configmap.yaml +# Source: clustergroup/templates/imperative/configmap.yaml apiVersion: v1 kind: ConfigMap metadata: @@ -145,6 +145,7 @@ data: localClusterDomain: apps.region.example.com namespace: pattern-namespace options: + applicationRetryLimit: 20 installPlanApproval: Automatic syncPolicy: Manual useCSV: true @@ -160,7 +161,7 @@ data: kind: ClusterSecretStore name: vault-backend --- -# Source: pattern-clustergroup/templates/imperative/clusterrole.yaml +# Source: clustergroup/templates/imperative/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -175,7 +176,7 @@ rules: - list - watch --- -# Source: pattern-clustergroup/templates/imperative/rbac.yaml +# Source: clustergroup/templates/imperative/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -189,7 +190,7 @@ subjects: name: imperative-sa namespace: imperative --- -# Source: pattern-clustergroup/templates/plumbing/argocd-super-role.yaml +# Source: clustergroup/templates/plumbing/argocd-super-role.yaml # WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
@@ -208,7 +209,7 @@ subjects: name: openshift-gitops-argocd-server namespace: openshift-gitops --- -# Source: pattern-clustergroup/templates/plumbing/argocd-super-role.yaml +# Source: clustergroup/templates/plumbing/argocd-super-role.yaml # WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -233,7 +234,7 @@ subjects: name: factory-gitops-argocd-dex-server namespace: mypattern-factory --- -# Source: pattern-clustergroup/templates/imperative/role.yaml +# Source: clustergroup/templates/imperative/role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -247,7 +248,7 @@ rules: verbs: - '*' --- -# Source: pattern-clustergroup/templates/imperative/rbac.yaml +# Source: clustergroup/templates/imperative/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -262,7 +263,7 @@ subjects: name: imperative-sa namespace: imperative --- -# Source: pattern-clustergroup/templates/imperative/job.yaml +# Source: clustergroup/templates/imperative/job.yaml apiVersion: batch/v1 kind: CronJob metadata: @@ -336,10 +337,10 @@ spec: name: helm-values-configmap-factory restartPolicy: Never --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml --- --- -# Source: pattern-clustergroup/templates/plumbing/projects.yaml +# Source: clustergroup/templates/plumbing/projects.yaml apiVersion: argoproj.io/v1alpha1 kind: AppProject metadata: @@ -360,7 +361,7 @@ spec: - '*' status: {} --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: 
@@ -382,9 +383,10 @@ spec: } syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -406,7 +408,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-factory.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL @@ -428,9 +429,10 @@ spec: value: apps.region.example.com syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/argocd.yaml +# Source: clustergroup/templates/plumbing/argocd.yaml apiVersion: argoproj.io/v1alpha1 kind: ArgoCD metadata: @@ -443,6 +445,28 @@ metadata: annotations: argocd.argoproj.io/compare-options: IgnoreExtraneous spec: +# Adding health checks to argocd to prevent pvc resources +# that aren't bound state from blocking deployments + resourceCustomizations: | + PersistentVolumeClaim: + health.lua: | + hs = {} + if obj.status ~= nil then + if obj.status.phase ~= nil then + if obj.status.phase == "Pending" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + elseif obj.status.phase == "Bound" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + end + end + end + hs.status = "Progressing" + hs.message = "Waiting for PVC" + return hs applicationInstanceLabelKey: argocd.argoproj.io/instance # Not the greatest way to pass git/quay info to sub-applications, but it will do until # we can support helmChart with kustomize 
@@ -491,15 +515,17 @@ spec: requests: cpu: 500m memory: 2Gi - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi + sso: + provider: dex + dex: + openShiftOAuth: true + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi initialSSHKnownHosts: {} rbac: defaultPolicy: role:admin @@ -543,7 +569,7 @@ spec: ca: {} status: --- -# Source: pattern-clustergroup/templates/plumbing/argocd.yaml +# Source: clustergroup/templates/plumbing/argocd.yaml apiVersion: console.openshift.io/v1 kind: ConsoleLink metadata: @@ -557,7 +583,7 @@ spec: location: ApplicationMenu text: 'Factory ArgoCD' --- -# Source: pattern-clustergroup/templates/core/operatorgroup.yaml +# Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -567,7 +593,7 @@ spec: targetNamespaces: - manuela-stormshift-line-dashboard --- -# Source: pattern-clustergroup/templates/core/operatorgroup.yaml +# Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -577,7 +603,7 @@ spec: targetNamespaces: - manuela-stormshift-machine-sensor --- -# Source: pattern-clustergroup/templates/core/operatorgroup.yaml +# Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -587,7 +613,7 @@ spec: targetNamespaces: - manuela-stormshift-messaging --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: @@ -601,7 +627,7 @@ spec: installPlanApproval: Automatic startingCSV: --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: 
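Review bot: The relocated `sso.provider: dex` block keeps `openShiftOAuth: true`, and two lines below it this Argo CD instance still sets `rbac: defaultPolicy: role:admin`, so every OpenShift identity able to log in gets full admin on an instance whose service accounts are bound earlier in this diff to the ClusterRoleBinding marked "ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS". The hunk only moves the dex settings under `sso`, but it is the moment to narrow the default — e.g. `defaultPolicy: role:readonly` plus an explicit `policy: g, cluster-admins, role:admin` grant — or, if admin-by-default is deliberate for this pattern, to say so in a comment next to `defaultPolicy` in the template. This is rendered test output; the change belongs in `clustergroup/templates/plumbing/argocd.yaml`, and it is worth confirming the installed argocd-operator version accepts the `sso.dex` form rather than silently ignoring it.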
@@ -615,7 +641,7 @@ spec: installPlanApproval: Automatic startingCSV: --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: @@ -629,7 +655,7 @@ spec: installPlanApproval: Automatic startingCSV: --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: @@ -643,7 +669,7 @@ spec: installPlanApproval: Automatic startingCSV: --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: diff --git a/common/tests/clustergroup-industrial-edge-hub.expected.yaml b/common/tests/clustergroup-industrial-edge-hub.expected.yaml index 9c43c8cc..a759bdde 100644 --- a/common/tests/clustergroup-industrial-edge-hub.expected.yaml +++ b/common/tests/clustergroup-industrial-edge-hub.expected.yaml @@ -1,5 +1,5 @@ --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: @@ -8,7 +8,7 @@ metadata: name: golang-external-secrets spec: --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: @@ -17,7 +17,7 @@ metadata: name: external-secrets spec: --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: @@ -26,7 +26,7 @@ metadata: name: open-cluster-management spec: --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: 
@@ -35,7 +35,7 @@ metadata: name: manuela-ml-workspace spec: --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: @@ -44,7 +44,7 @@ metadata: name: manuela-tst-all spec: --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: @@ -53,7 +53,7 @@ metadata: name: manuela-ci spec: --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: @@ -62,7 +62,7 @@ metadata: name: manuela-data-lake spec: --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: @@ -71,7 +71,7 @@ metadata: name: staging spec: --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: @@ -80,7 +80,7 @@ metadata: name: vault spec: --- -# Source: pattern-clustergroup/templates/imperative/namespace.yaml +# Source: clustergroup/templates/imperative/namespace.yaml apiVersion: v1 kind: Namespace metadata: @@ -89,7 +89,7 @@ metadata: argocd.argoproj.io/managed-by: mypattern-datacenter name: imperative --- -# Source: pattern-clustergroup/templates/plumbing/gitops-namespace.yaml +# Source: clustergroup/templates/plumbing/gitops-namespace.yaml apiVersion: v1 kind: Namespace metadata: 
@@ -102,14 +102,14 @@ metadata: name: mypattern-datacenter spec: {} --- -# Source: pattern-clustergroup/templates/imperative/serviceaccount.yaml +# Source: clustergroup/templates/imperative/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: name: imperative-sa namespace: imperative --- -# Source: pattern-clustergroup/templates/imperative/configmap.yaml +# Source: clustergroup/templates/imperative/configmap.yaml apiVersion: v1 kind: ConfigMap metadata: @@ -306,6 +306,7 @@ data: localClusterDomain: apps.region.example.com namespace: pattern-namespace options: + applicationRetryLimit: 20 installPlanApproval: Automatic syncPolicy: Manual useCSV: true @@ -321,7 +322,7 @@ data: kind: ClusterSecretStore name: vault-backend --- -# Source: pattern-clustergroup/templates/imperative/clusterrole.yaml +# Source: clustergroup/templates/imperative/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -336,7 +337,7 @@ rules: - list - watch --- -# Source: pattern-clustergroup/templates/imperative/rbac.yaml +# Source: clustergroup/templates/imperative/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -350,7 +351,7 @@ subjects: name: imperative-sa namespace: imperative --- -# Source: pattern-clustergroup/templates/plumbing/argocd-super-role.yaml +# Source: clustergroup/templates/plumbing/argocd-super-role.yaml # WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -369,7 +370,7 @@ subjects: name: openshift-gitops-argocd-server namespace: openshift-gitops --- -# Source: pattern-clustergroup/templates/plumbing/argocd-super-role.yaml +# Source: clustergroup/templates/plumbing/argocd-super-role.yaml # WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
@@ -394,7 +395,7 @@ subjects: name: datacenter-gitops-argocd-dex-server namespace: mypattern-datacenter --- -# Source: pattern-clustergroup/templates/imperative/role.yaml +# Source: clustergroup/templates/imperative/role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -408,7 +409,7 @@ rules: verbs: - '*' --- -# Source: pattern-clustergroup/templates/imperative/rbac.yaml +# Source: clustergroup/templates/imperative/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -423,7 +424,7 @@ subjects: name: imperative-sa namespace: imperative --- -# Source: pattern-clustergroup/templates/imperative/job.yaml +# Source: clustergroup/templates/imperative/job.yaml apiVersion: batch/v1 kind: CronJob metadata: @@ -497,7 +498,7 @@ spec: name: helm-values-configmap-datacenter restartPolicy: Never --- -# Source: pattern-clustergroup/templates/imperative/unsealjob.yaml +# Source: clustergroup/templates/imperative/unsealjob.yaml apiVersion: batch/v1 kind: CronJob metadata: @@ -573,10 +574,10 @@ spec: name: helm-values-configmap-datacenter restartPolicy: Never --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml --- --- -# Source: pattern-clustergroup/templates/plumbing/projects.yaml +# Source: clustergroup/templates/plumbing/projects.yaml apiVersion: argoproj.io/v1alpha1 kind: AppProject metadata: @@ -597,7 +598,7 @@ spec: - '*' status: {} --- -# Source: pattern-clustergroup/templates/plumbing/projects.yaml +# Source: clustergroup/templates/plumbing/projects.yaml apiVersion: argoproj.io/v1alpha1 kind: AppProject metadata: @@ -618,7 +619,7 @@ spec: - '*' status: {} --- -# Source: pattern-clustergroup/templates/plumbing/projects.yaml +# Source: clustergroup/templates/plumbing/projects.yaml apiVersion: argoproj.io/v1alpha1 kind: AppProject metadata: 
@@ -639,7 +640,7 @@ spec: - '*' status: {} --- -# Source: pattern-clustergroup/templates/plumbing/projects.yaml +# Source: clustergroup/templates/plumbing/projects.yaml apiVersion: argoproj.io/v1alpha1 kind: AppProject metadata: @@ -660,7 +661,7 @@ spec: - '*' status: {} --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -682,7 +683,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-datacenter.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL @@ -713,9 +713,10 @@ spec: ] syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -737,7 +738,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-datacenter.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL @@ -759,9 +759,10 @@ spec: value: apps.region.example.com syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -783,7 +784,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-datacenter.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL 
@@ -805,9 +805,10 @@ spec: value: apps.region.example.com syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -829,7 +830,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-datacenter.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL @@ -881,9 +881,10 @@ spec: ] syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -905,7 +906,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-datacenter.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL @@ -927,9 +927,10 @@ spec: value: apps.region.example.com syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -951,7 +952,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-datacenter.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL 
@@ -973,9 +973,10 @@ spec: value: apps.region.example.com syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -997,9 +998,10 @@ spec: } syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -1021,7 +1023,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-datacenter.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL @@ -1061,9 +1062,10 @@ spec: value: "1.10.3-ubi" syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/argocd.yaml +# Source: clustergroup/templates/plumbing/argocd.yaml apiVersion: argoproj.io/v1alpha1 kind: ArgoCD metadata: 
@@ -1076,6 +1078,28 @@ metadata: annotations: argocd.argoproj.io/compare-options: IgnoreExtraneous spec: +# Adding health checks to argocd to prevent pvc resources +# that aren't bound state from blocking deployments + resourceCustomizations: | + PersistentVolumeClaim: + health.lua: | + hs = {} + if obj.status ~= nil then + if obj.status.phase ~= nil then + if obj.status.phase == "Pending" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + elseif obj.status.phase == "Bound" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + end + end + end + hs.status = "Progressing" + hs.message = "Waiting for PVC" + return hs applicationInstanceLabelKey: argocd.argoproj.io/instance # Not the greatest way to pass git/quay info to sub-applications, but it will do until # we can support helmChart with kustomize @@ -1124,15 +1148,17 @@ spec: requests: cpu: 500m memory: 2Gi - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi + sso: + provider: dex + dex: + openShiftOAuth: true + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi initialSSHKnownHosts: {} rbac: defaultPolicy: role:admin @@ -1176,7 +1202,7 @@ spec: ca: {} status: --- -# Source: pattern-clustergroup/templates/plumbing/argocd.yaml +# Source: clustergroup/templates/plumbing/argocd.yaml apiVersion: console.openshift.io/v1 kind: ConsoleLink metadata: @@ -1190,7 +1216,7 @@ spec: location: ApplicationMenu text: 'Datacenter ArgoCD' --- -# Source: pattern-clustergroup/templates/core/operatorgroup.yaml +# Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: 
@@ -1200,7 +1226,7 @@ spec: targetNamespaces: - golang-external-secrets --- -# Source: pattern-clustergroup/templates/core/operatorgroup.yaml +# Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1210,7 +1236,7 @@ spec: targetNamespaces: - external-secrets --- -# Source: pattern-clustergroup/templates/core/operatorgroup.yaml +# Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1220,7 +1246,7 @@ spec: targetNamespaces: - open-cluster-management --- -# Source: pattern-clustergroup/templates/core/operatorgroup.yaml +# Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1230,7 +1256,7 @@ spec: targetNamespaces: - manuela-tst-all --- -# Source: pattern-clustergroup/templates/core/operatorgroup.yaml +# Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1240,7 +1266,7 @@ spec: targetNamespaces: - manuela-ci --- -# Source: pattern-clustergroup/templates/core/operatorgroup.yaml +# Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1250,7 +1276,7 @@ spec: targetNamespaces: - manuela-data-lake --- -# Source: pattern-clustergroup/templates/core/operatorgroup.yaml +# Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1260,7 +1286,7 @@ spec: targetNamespaces: - staging --- -# Source: pattern-clustergroup/templates/core/operatorgroup.yaml +# Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: 
@@ -1270,7 +1296,7 @@ spec: targetNamespaces: - vault --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: @@ -1284,7 +1310,7 @@ spec: installPlanApproval: Automatic startingCSV: --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: @@ -1298,7 +1324,7 @@ spec: installPlanApproval: Automatic startingCSV: --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: @@ -1312,7 +1338,7 @@ spec: installPlanApproval: Automatic startingCSV: --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: @@ -1326,7 +1352,7 @@ spec: installPlanApproval: Automatic startingCSV: --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: @@ -1340,7 +1366,7 @@ spec: installPlanApproval: Automatic startingCSV: --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: @@ -1354,7 +1380,7 @@ spec: installPlanApproval: Automatic startingCSV: --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: 
@@ -1368,7 +1394,7 @@ spec: installPlanApproval: Automatic startingCSV: --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: @@ -1382,7 +1408,7 @@ spec: installPlanApproval: Automatic startingCSV: --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: @@ -1396,7 +1422,7 @@ spec: installPlanApproval: Automatic startingCSV: --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: diff --git a/common/tests/clustergroup-medical-diagnosis-hub.expected.yaml b/common/tests/clustergroup-medical-diagnosis-hub.expected.yaml index 89ba22d6..175f134b 100644 --- a/common/tests/clustergroup-medical-diagnosis-hub.expected.yaml +++ b/common/tests/clustergroup-medical-diagnosis-hub.expected.yaml @@ -1,5 +1,5 @@ --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: @@ -8,7 +8,7 @@ metadata: name: open-cluster-management spec: --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: @@ -17,7 +17,7 @@ metadata: name: openshift-serverless spec: --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: @@ -26,7 +26,7 @@ metadata: name: opendatahub spec: --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: 
@@ -35,7 +35,7 @@ metadata: name: openshift-storage spec: --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: @@ -44,7 +44,7 @@ metadata: name: xraylab-1 spec: --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: @@ -53,7 +53,7 @@ metadata: name: knative-serving spec: --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: @@ -62,7 +62,7 @@ metadata: name: staging spec: --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: @@ -71,7 +71,7 @@ metadata: name: vault spec: --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: @@ -80,7 +80,7 @@ metadata: name: golang-external-secrets spec: --- -# Source: pattern-clustergroup/templates/imperative/namespace.yaml +# Source: clustergroup/templates/imperative/namespace.yaml apiVersion: v1 kind: Namespace metadata: @@ -89,7 +89,7 @@ metadata: argocd.argoproj.io/managed-by: mypattern-hub name: imperative --- -# Source: pattern-clustergroup/templates/plumbing/gitops-namespace.yaml +# Source: clustergroup/templates/plumbing/gitops-namespace.yaml apiVersion: v1 kind: Namespace metadata: 
@@ -102,14 +102,14 @@ metadata: name: mypattern-hub spec: {} --- -# Source: pattern-clustergroup/templates/imperative/serviceaccount.yaml +# Source: clustergroup/templates/imperative/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: name: imperative-sa namespace: imperative --- -# Source: pattern-clustergroup/templates/imperative/configmap.yaml +# Source: clustergroup/templates/imperative/configmap.yaml apiVersion: v1 kind: ConfigMap metadata: @@ -293,6 +293,7 @@ data: localClusterDomain: apps.region.example.com namespace: pattern-namespace options: + applicationRetryLimit: 20 installPlanApproval: Automatic syncPolicy: Manual useCSV: true @@ -308,7 +309,7 @@ data: kind: ClusterSecretStore name: vault-backend --- -# Source: pattern-clustergroup/templates/imperative/clusterrole.yaml +# Source: clustergroup/templates/imperative/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -323,7 +324,7 @@ rules: - list - watch --- -# Source: pattern-clustergroup/templates/imperative/rbac.yaml +# Source: clustergroup/templates/imperative/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -337,7 +338,7 @@ subjects: name: imperative-sa namespace: imperative --- -# Source: pattern-clustergroup/templates/plumbing/argocd-super-role.yaml +# Source: clustergroup/templates/plumbing/argocd-super-role.yaml # WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -356,7 +357,7 @@ subjects: name: openshift-gitops-argocd-server namespace: openshift-gitops --- -# Source: pattern-clustergroup/templates/plumbing/argocd-super-role.yaml +# Source: clustergroup/templates/plumbing/argocd-super-role.yaml # WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
@@ -381,7 +382,7 @@ subjects: name: hub-gitops-argocd-dex-server namespace: mypattern-hub --- -# Source: pattern-clustergroup/templates/imperative/role.yaml +# Source: clustergroup/templates/imperative/role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -395,7 +396,7 @@ rules: verbs: - '*' --- -# Source: pattern-clustergroup/templates/imperative/rbac.yaml +# Source: clustergroup/templates/imperative/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -410,7 +411,7 @@ subjects: name: imperative-sa namespace: imperative --- -# Source: pattern-clustergroup/templates/imperative/job.yaml +# Source: clustergroup/templates/imperative/job.yaml apiVersion: batch/v1 kind: CronJob metadata: @@ -484,7 +485,7 @@ spec: name: helm-values-configmap-hub restartPolicy: Never --- -# Source: pattern-clustergroup/templates/imperative/unsealjob.yaml +# Source: clustergroup/templates/imperative/unsealjob.yaml apiVersion: batch/v1 kind: CronJob metadata: @@ -560,10 +561,10 @@ spec: name: helm-values-configmap-hub restartPolicy: Never --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml --- --- -# Source: pattern-clustergroup/templates/plumbing/projects.yaml +# Source: clustergroup/templates/plumbing/projects.yaml apiVersion: argoproj.io/v1alpha1 kind: AppProject metadata: @@ -584,7 +585,7 @@ spec: - '*' status: {} --- -# Source: pattern-clustergroup/templates/plumbing/projects.yaml +# Source: clustergroup/templates/plumbing/projects.yaml apiVersion: argoproj.io/v1alpha1 kind: AppProject metadata: @@ -605,7 +606,7 @@ spec: - '*' status: {} --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: 
@@ -627,7 +628,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-hub.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL @@ -649,9 +649,10 @@ spec: value: apps.region.example.com syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -673,7 +674,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-hub.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL @@ -695,9 +695,10 @@ spec: value: apps.region.example.com syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -719,7 +720,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-hub.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL @@ -741,9 +741,10 @@ spec: value: apps.region.example.com syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -765,7 +766,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-hub.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL 
@@ -787,9 +787,10 @@ spec: value: apps.region.example.com syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -811,7 +812,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-hub.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL @@ -833,9 +833,10 @@ spec: value: apps.region.example.com syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -857,7 +858,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-hub.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL @@ -879,9 +879,10 @@ spec: value: apps.region.example.com syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -903,7 +904,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-hub.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL 
@@ -925,9 +925,10 @@ spec: value: apps.region.example.com syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -949,7 +950,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-hub.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL @@ -989,9 +989,10 @@ spec: value: "1.10.3-ubi" syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -1013,7 +1014,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-hub.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL @@ -1035,9 +1035,10 @@ spec: value: apps.region.example.com syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -1059,7 +1060,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-hub.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL 
@@ -1081,9 +1081,10 @@ spec: value: apps.region.example.com syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -1105,7 +1106,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-hub.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL @@ -1136,9 +1136,10 @@ spec: ] syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -1160,7 +1161,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-hub.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL @@ -1191,9 +1191,10 @@ spec: ] syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -1215,7 +1216,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-hub.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL @@ -1237,9 +1237,10 @@ spec: value: apps.region.example.com syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/argocd.yaml +# Source: clustergroup/templates/plumbing/argocd.yaml apiVersion: argoproj.io/v1alpha1 kind: ArgoCD metadata: 
@@ -1252,6 +1253,28 @@ metadata: annotations: argocd.argoproj.io/compare-options: IgnoreExtraneous spec: +# Adding health checks to argocd to prevent pvc resources +# that aren't bound state from blocking deployments + resourceCustomizations: | + PersistentVolumeClaim: + health.lua: | + hs = {} + if obj.status ~= nil then + if obj.status.phase ~= nil then + if obj.status.phase == "Pending" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + elseif obj.status.phase == "Bound" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + end + end + end + hs.status = "Progressing" + hs.message = "Waiting for PVC" + return hs applicationInstanceLabelKey: argocd.argoproj.io/instance # Not the greatest way to pass git/quay info to sub-applications, but it will do until # we can support helmChart with kustomize @@ -1300,15 +1323,17 @@ spec: requests: cpu: 500m memory: 2Gi - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi + sso: + provider: dex + dex: + openShiftOAuth: true + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi initialSSHKnownHosts: {} rbac: defaultPolicy: role:admin @@ -1352,7 +1377,7 @@ spec: ca: {} status: --- -# Source: pattern-clustergroup/templates/plumbing/argocd.yaml +# Source: clustergroup/templates/plumbing/argocd.yaml apiVersion: console.openshift.io/v1 kind: ConsoleLink metadata: @@ -1366,7 +1391,7 @@ spec: location: ApplicationMenu text: 'Hub ArgoCD' --- -# Source: pattern-clustergroup/templates/core/operatorgroup.yaml +# Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1376,7 +1401,7 @@ spec: targetNamespaces: - open-cluster-management --- -# Source: pattern-clustergroup/templates/core/operatorgroup.yaml +# Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: 
@@ -1386,7 +1411,7 @@ spec: targetNamespaces: - openshift-serverless --- -# Source: pattern-clustergroup/templates/core/operatorgroup.yaml +# Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1396,7 +1421,7 @@ spec: targetNamespaces: - opendatahub --- -# Source: pattern-clustergroup/templates/core/operatorgroup.yaml +# Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1406,7 +1431,7 @@ spec: targetNamespaces: - openshift-storage --- -# Source: pattern-clustergroup/templates/core/operatorgroup.yaml +# Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1416,7 +1441,7 @@ spec: targetNamespaces: - xraylab-1 --- -# Source: pattern-clustergroup/templates/core/operatorgroup.yaml +# Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1426,7 +1451,7 @@ spec: targetNamespaces: - knative-serving --- -# Source: pattern-clustergroup/templates/core/operatorgroup.yaml +# Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1436,7 +1461,7 @@ spec: targetNamespaces: - staging --- -# Source: pattern-clustergroup/templates/core/operatorgroup.yaml +# Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1446,7 +1471,7 @@ spec: targetNamespaces: - vault --- -# Source: pattern-clustergroup/templates/core/operatorgroup.yaml +# Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: 
@@ -1456,7 +1481,7 @@ spec: targetNamespaces: - golang-external-secrets --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: @@ -1470,7 +1495,7 @@ spec: installPlanApproval: Automatic startingCSV: --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: @@ -1484,7 +1509,7 @@ spec: installPlanApproval: Automatic startingCSV: --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: @@ -1498,7 +1523,7 @@ spec: installPlanApproval: Automatic startingCSV: --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: @@ -1511,7 +1536,7 @@ spec: installPlanApproval: Automatic startingCSV: --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: diff --git a/common/tests/clustergroup-naked.expected.yaml b/common/tests/clustergroup-naked.expected.yaml index f0c12937..e15566b0 100644 --- a/common/tests/clustergroup-naked.expected.yaml +++ b/common/tests/clustergroup-naked.expected.yaml @@ -1,5 +1,5 @@ --- -# Source: pattern-clustergroup/templates/imperative/namespace.yaml +# Source: clustergroup/templates/imperative/namespace.yaml apiVersion: v1 kind: Namespace metadata: 
@@ -8,7 +8,7 @@ metadata: argocd.argoproj.io/managed-by: common-example name: imperative --- -# Source: pattern-clustergroup/templates/plumbing/gitops-namespace.yaml +# Source: clustergroup/templates/plumbing/gitops-namespace.yaml apiVersion: v1 kind: Namespace metadata: @@ -21,14 +21,14 @@ metadata: name: common-example spec: {} --- -# Source: pattern-clustergroup/templates/imperative/serviceaccount.yaml +# Source: clustergroup/templates/imperative/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: name: imperative-sa namespace: imperative --- -# Source: pattern-clustergroup/templates/imperative/configmap.yaml +# Source: clustergroup/templates/imperative/configmap.yaml apiVersion: v1 kind: ConfigMap metadata: @@ -66,6 +66,7 @@ data: enabled: all global: options: + applicationRetryLimit: 20 installPlanApproval: Automatic syncPolicy: Automatic useCSV: true @@ -75,7 +76,7 @@ data: kind: ClusterSecretStore name: vault-backend --- -# Source: pattern-clustergroup/templates/imperative/clusterrole.yaml +# Source: clustergroup/templates/imperative/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -90,7 +91,7 @@ rules: - list - watch --- -# Source: pattern-clustergroup/templates/imperative/rbac.yaml +# Source: clustergroup/templates/imperative/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -104,7 +105,7 @@ subjects: name: imperative-sa namespace: imperative --- -# Source: pattern-clustergroup/templates/plumbing/argocd-super-role.yaml +# Source: clustergroup/templates/plumbing/argocd-super-role.yaml # WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
@@ -123,7 +124,7 @@ subjects: name: openshift-gitops-argocd-server namespace: openshift-gitops --- -# Source: pattern-clustergroup/templates/plumbing/argocd-super-role.yaml +# Source: clustergroup/templates/plumbing/argocd-super-role.yaml # WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -148,7 +149,7 @@ subjects: name: example-gitops-argocd-dex-server namespace: common-example --- -# Source: pattern-clustergroup/templates/imperative/role.yaml +# Source: clustergroup/templates/imperative/role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -162,7 +163,7 @@ rules: verbs: - '*' --- -# Source: pattern-clustergroup/templates/imperative/rbac.yaml +# Source: clustergroup/templates/imperative/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -177,7 +178,7 @@ subjects: name: imperative-sa namespace: imperative --- -# Source: pattern-clustergroup/templates/imperative/unsealjob.yaml +# Source: clustergroup/templates/imperative/unsealjob.yaml apiVersion: batch/v1 kind: CronJob metadata: @@ -253,7 +254,7 @@ spec: name: helm-values-configmap-example restartPolicy: Never --- -# Source: pattern-clustergroup/templates/plumbing/argocd.yaml +# Source: clustergroup/templates/plumbing/argocd.yaml apiVersion: argoproj.io/v1alpha1 kind: ArgoCD metadata: 
@@ -266,6 +267,28 @@ metadata: annotations: argocd.argoproj.io/compare-options: IgnoreExtraneous spec: +# Adding health checks to argocd to prevent pvc resources +# that aren't bound state from blocking deployments + resourceCustomizations: | + PersistentVolumeClaim: + health.lua: | + hs = {} + if obj.status ~= nil then + if obj.status.phase ~= nil then + if obj.status.phase == "Pending" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + elseif obj.status.phase == "Bound" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + end + end + end + hs.status = "Progressing" + hs.message = "Waiting for PVC" + return hs applicationInstanceLabelKey: argocd.argoproj.io/instance # Not the greatest way to pass git/quay info to sub-applications, but it will do until # we can support helmChart with kustomize @@ -314,15 +337,17 @@ spec: requests: cpu: 500m memory: 2Gi - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi + sso: + provider: dex + dex: + openShiftOAuth: true + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi initialSSHKnownHosts: {} rbac: defaultPolicy: role:admin @@ -366,7 +391,7 @@ spec: ca: {} status: --- -# Source: pattern-clustergroup/templates/plumbing/argocd.yaml +# Source: clustergroup/templates/plumbing/argocd.yaml apiVersion: console.openshift.io/v1 kind: ConsoleLink metadata: diff --git a/common/tests/clustergroup-normal.expected.yaml b/common/tests/clustergroup-normal.expected.yaml index f7e6d84d..ab4d4d08 100644 --- a/common/tests/clustergroup-normal.expected.yaml +++ b/common/tests/clustergroup-normal.expected.yaml 
@@ -1,14 +1,19 @@ --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: + name: open-cluster-management labels: argocd.argoproj.io/managed-by: mypattern-example - name: open-cluster-management + kubernetes.io/os: "linux" + openshift.io/node-selector: "" + annotations: + openshift.io/cluster-monitoring: "true" + owner: "namespace owner" spec: --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: @@ -17,7 +22,16 @@ metadata: name: application-ci spec: --- -# Source: pattern-clustergroup/templates/imperative/namespace.yaml +# Source: clustergroup/templates/core/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + labels: + argocd.argoproj.io/managed-by: mypattern-example + name: excludes-ci +spec: +--- +# Source: clustergroup/templates/imperative/namespace.yaml apiVersion: v1 kind: Namespace metadata: @@ -26,7 +40,7 @@ metadata: argocd.argoproj.io/managed-by: mypattern-example name: imperative --- -# Source: pattern-clustergroup/templates/plumbing/gitops-namespace.yaml +# Source: clustergroup/templates/plumbing/gitops-namespace.yaml apiVersion: v1 kind: Namespace metadata: @@ -39,14 +53,14 @@ metadata: name: mypattern-example spec: {} --- -# Source: pattern-clustergroup/templates/imperative/serviceaccount.yaml +# Source: clustergroup/templates/imperative/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: name: imperative-sa namespace: imperative --- -# Source: pattern-clustergroup/templates/imperative/configmap.yaml +# Source: clustergroup/templates/imperative/configmap.yaml apiVersion: v1 kind: ConfigMap metadata: 
@@ -108,18 +122,23 @@ data: clusterPools: exampleAWSPool: baseDomain: blueprints.rhecoeng.com - clusters: - - one + controlPlane: + count: 1 + platform: + aws: + type: m5.xlarge name: aws-ap openshiftVersion: 4.10.18 platform: aws: region: ap-southeast-2 size: 3 + workers: + count: 0 exampleAzurePool: baseDomain: blueprints.rhecoeng.com clusters: - - two + - Two - three name: azure-us openshiftVersion: 4.10.18 @@ -143,8 +162,17 @@ data: name: argo-edge name: example namespaces: - - open-cluster-management + - open-cluster-management: + annotations: + openshift.io/cluster-monitoring: "true" + owner: namespace owner + labels: + kubernetes.io/os: linux + openshift.io/node-selector: "" - application-ci + - excludes-ci + operatorgroupExcludes: + - excludes-ci projects: - datacenter subscriptions: @@ -175,6 +203,7 @@ data: multiClusterTarget: all namespace: pattern-namespace options: + applicationRetryLimit: 20 installPlanApproval: Automatic syncPolicy: Automatic useCSV: false @@ -190,7 +219,7 @@ data: kind: ClusterSecretStore name: vault-backend --- -# Source: pattern-clustergroup/templates/imperative/clusterrole.yaml +# Source: clustergroup/templates/imperative/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -205,7 +234,7 @@ rules: - list - watch --- -# Source: pattern-clustergroup/templates/imperative/rbac.yaml +# Source: clustergroup/templates/imperative/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -219,7 +248,7 @@ subjects: name: imperative-sa namespace: imperative --- -# Source: pattern-clustergroup/templates/plumbing/argocd-super-role.yaml +# Source: clustergroup/templates/plumbing/argocd-super-role.yaml # WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
@@ -238,7 +267,7 @@ subjects: name: openshift-gitops-argocd-server namespace: openshift-gitops --- -# Source: pattern-clustergroup/templates/plumbing/argocd-super-role.yaml +# Source: clustergroup/templates/plumbing/argocd-super-role.yaml # WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -263,7 +292,7 @@ subjects: name: example-gitops-argocd-dex-server namespace: mypattern-example --- -# Source: pattern-clustergroup/templates/imperative/role.yaml +# Source: clustergroup/templates/imperative/role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -277,7 +306,7 @@ rules: verbs: - '*' --- -# Source: pattern-clustergroup/templates/imperative/rbac.yaml +# Source: clustergroup/templates/imperative/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -292,7 +321,7 @@ subjects: name: imperative-sa namespace: imperative --- -# Source: pattern-clustergroup/templates/imperative/job.yaml +# Source: clustergroup/templates/imperative/job.yaml apiVersion: batch/v1 kind: CronJob metadata: @@ -366,7 +395,7 @@ spec: name: helm-values-configmap-example restartPolicy: Never --- -# Source: pattern-clustergroup/templates/imperative/unsealjob.yaml +# Source: clustergroup/templates/imperative/unsealjob.yaml apiVersion: batch/v1 kind: CronJob metadata: @@ -442,10 +471,10 @@ spec: name: helm-values-configmap-example restartPolicy: Never --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml --- --- -# Source: pattern-clustergroup/templates/plumbing/hosted-sites.yaml +# Source: clustergroup/templates/plumbing/hosted-sites.yaml apiVersion: argoproj.io/v1alpha1 kind: AppProject metadata: 
@@ -466,7 +495,7 @@ spec: - '*' status: {} --- -# Source: pattern-clustergroup/templates/plumbing/projects.yaml +# Source: clustergroup/templates/plumbing/projects.yaml apiVersion: argoproj.io/v1alpha1 kind: AppProject metadata: @@ -487,7 +516,7 @@ spec: - '*' status: {} --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -509,7 +538,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-example.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL @@ -540,9 +568,10 @@ spec: ] syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -564,7 +593,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-example.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL @@ -586,9 +614,10 @@ spec: value: apps.region.example.com syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/hosted-sites.yaml +# Source: clustergroup/templates/plumbing/hosted-sites.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -648,7 +677,7 @@ spec: jsonPointers: - /status --- -# Source: pattern-clustergroup/templates/plumbing/hosted-sites.yaml +# Source: clustergroup/templates/plumbing/hosted-sites.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: 
@@ -708,7 +737,7 @@ spec: jsonPointers: - /status --- -# Source: pattern-clustergroup/templates/plumbing/hosted-sites.yaml +# Source: clustergroup/templates/plumbing/hosted-sites.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -768,7 +797,7 @@ spec: jsonPointers: - /status --- -# Source: pattern-clustergroup/templates/plumbing/hosted-sites.yaml +# Source: clustergroup/templates/plumbing/hosted-sites.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -828,7 +857,7 @@ spec: jsonPointers: - /status --- -# Source: pattern-clustergroup/templates/plumbing/argocd.yaml +# Source: clustergroup/templates/plumbing/argocd.yaml apiVersion: argoproj.io/v1alpha1 kind: ArgoCD metadata: @@ -841,6 +870,28 @@ metadata: annotations: argocd.argoproj.io/compare-options: IgnoreExtraneous spec: +# Adding health checks to argocd to prevent pvc resources +# that aren't bound state from blocking deployments + resourceCustomizations: | + PersistentVolumeClaim: + health.lua: | + hs = {} + if obj.status ~= nil then + if obj.status.phase ~= nil then + if obj.status.phase == "Pending" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + elseif obj.status.phase == "Bound" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + end + end + end + hs.status = "Progressing" + hs.message = "Waiting for PVC" + return hs applicationInstanceLabelKey: argocd.argoproj.io/instance # Not the greatest way to pass git/quay info to sub-applications, but it will do until # we can support helmChart with kustomize @@ -889,15 +940,17 @@ spec: requests: cpu: 500m memory: 2Gi - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi + sso: + provider: dex + dex: + openShiftOAuth: true + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi initialSSHKnownHosts: {} rbac: defaultPolicy: role:admin 
@@ -941,7 +994,7 @@ spec: ca: {} status: --- -# Source: pattern-clustergroup/templates/plumbing/argocd.yaml +# Source: clustergroup/templates/plumbing/argocd.yaml apiVersion: console.openshift.io/v1 kind: ConsoleLink metadata: @@ -955,7 +1008,7 @@ spec: location: ApplicationMenu text: 'Example ArgoCD' --- -# Source: pattern-clustergroup/templates/core/operatorgroup.yaml +# Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -965,7 +1018,7 @@ spec: targetNamespaces: - open-cluster-management --- -# Source: pattern-clustergroup/templates/core/operatorgroup.yaml +# Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -975,7 +1028,7 @@ spec: targetNamespaces: - application-ci --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: @@ -989,7 +1042,7 @@ spec: installPlanApproval: Automatic startingCSV: advanced-cluster-management.v2.4.1 --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: diff --git a/common/tests/golang-external-secrets-industrial-edge-factory.expected.yaml b/common/tests/golang-external-secrets-industrial-edge-factory.expected.yaml index d7e88e41..1452df28 100644 --- a/common/tests/golang-external-secrets-industrial-edge-factory.expected.yaml +++ b/common/tests/golang-external-secrets-industrial-edge-factory.expected.yaml 
@@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- 
@@ -67,8 +67,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: acraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -209,8 +208,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: clusterexternalsecrets.external-secrets.io spec: group: external-secrets.io @@ -500,6 +498,9 @@ spec: engineVersion: default: v2 type: string + mergePolicy: + default: Replace + type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. properties: @@ -664,8 +665,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: clustersecretstores.external-secrets.io spec: group: external-secrets.io @@ -705,7 +705,7 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set 
@@ -844,6 +844,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -877,11 +894,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -1114,7 +1127,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -1854,7 +1867,7 @@ spec: type: object type: array controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set 
@@ -1993,6 +2006,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -2026,11 +2056,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -2114,6 +2140,9 @@ spec: type: object type: object type: object + externalID: + description: AWS External ID set on assumed IAM roles + type: string region: description: AWS Region to be used for the provider type: string @@ -2344,7 +2373,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. 
@@ -2784,6 +2813,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -2799,7 +2841,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -2832,6 +2873,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -3258,8 +3387,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: ecrauthorizationtokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -3387,8 +3515,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: externalsecrets.external-secrets.io spec: group: external-secrets.io @@ -3586,6 +3713,14 @@ spec: type: object status: properties: + binding: + description: Binding represents a servicebinding.io Provisioned Service reference to the secret + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic conditions: items: properties: @@ -3888,6 +4023,9 @@ spec: engineVersion: default: v2 type: string + mergePolicy: + default: Replace + type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. properties: @@ -3957,6 +4095,14 @@ spec: type: object status: properties: + binding: + description: Binding represents a servicebinding.io Provisioned Service reference to the secret + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic conditions: items: properties: 
@@ -4006,8 +4152,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: fakes.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4038,6 +4183,9 @@ spec: spec: description: FakeSpec contains the static data. properties: + controller: + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + type: string data: additionalProperties: type: string @@ -4065,8 +4213,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4174,8 +4321,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: passwords.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4253,8 +4399,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: pushsecrets.external-secrets.io spec: group: external-secrets.io @@ -4299,6 +4444,9 @@ spec: remoteRef: description: Remote Refs to push to providers. properties: + property: + description: Name of the property in the resulting secret + type: string remoteKey: description: Name of the resulting provider secret. type: string 
@@ -4424,6 +4572,9 @@ spec: remoteRef: description: Remote Refs to push to providers. properties: + property: + description: Name of the property in the resulting secret + type: string remoteKey: description: Name of the resulting provider secret. type: string @@ -4468,8 +4619,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: secretstores.external-secrets.io spec: group: external-secrets.io @@ -4509,7 +4659,7 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -4648,6 +4798,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -4681,11 +4848,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string 
@@ -4918,7 +5081,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -5658,7 +5821,7 @@ spec: type: object type: array controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -5797,6 +5960,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -5830,11 +6010,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -5918,6 +6094,9 @@ spec: type: object type: object type: object + externalID: + description: AWS External ID set on assumed IAM roles + type: string region: description: AWS Region to be used for the provider type: string 
@@ -6148,7 +6327,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -6588,6 +6767,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -6603,7 +6795,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -6636,6 +6827,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -7062,8 +7341,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -7092,6 +7370,9 @@ spec: type: object spec: properties: + controller: + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + type: string method: description: Vault API method to use (GET/POST/other) type: string @@ -7117,6 +7398,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -7132,7 +7426,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -7165,6 +7458,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -7360,6 +7741,10 @@ spec: - auth - server type: object + resultType: + default: Data + description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + type: string required: - path - provider @@ -7386,10 +7771,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7437,6 +7822,15 @@ rules: - "watch" - "update" - "patch" + - apiGroups: + - "coordination.k8s.io" + resources: + - "leases" + verbs: + - "get" + - "create" + - "update" + - "patch" --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7444,10 +7838,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -7553,10 +7947,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -7573,6 +7967,19 @@ rules: - "get" - "watch" - "list" + - apiGroups: + - "generators.external-secrets.io" + resources: + - "acraccesstokens" + - "ecrauthorizationtokens" + - "fakes" + - "gcraccesstokens" + - "passwords" + - "vaultdynamicsecrets" + verbs: + - "get" + - "watch" + - "list" --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7580,10 +7987,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" 
@@ -7601,6 +8008,43 @@ rules: - "deletecollection" - "patch" - "update" + - apiGroups: + - "generators.external-secrets.io" + resources: + - "acraccesstokens" + - "ecrauthorizationtokens" + - "fakes" + - "gcraccesstokens" + - "passwords" + - "vaultdynamicsecrets" + verbs: + - "create" + - "delete" + - "deletecollection" + - "patch" + - "update" +--- +# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: golang-external-secrets-servicebindings + labels: + servicebinding.io/controller: "true" + helm.sh/chart: external-secrets-0.8.5 + app.kubernetes.io/name: external-secrets + app.kubernetes.io/instance: golang-external-secrets + app.kubernetes.io/version: "v0.8.5" + app.kubernetes.io/managed-by: Helm +rules: + - apiGroups: + - "external-secrets.io" + resources: + - "externalsecrets" + verbs: + - "get" + - "list" + - "watch" --- # Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7608,10 +8052,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -7628,10 +8072,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -7664,10 +8108,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7703,10 +8147,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -7724,10 +8168,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -7748,10 +8192,10 @@ metadata: name: golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -7768,9 +8212,17 @@ spec: spec: serviceAccountName: external-secrets-cert-controller automountServiceAccountToken: true + hostNetwork: false containers: - name: cert-controller - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - certcontroller @@ -7798,10 +8250,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -7818,9 +8270,17 @@ spec: spec: serviceAccountName: golang-external-secrets automountServiceAccountToken: true + hostNetwork: false containers: - name: external-secrets - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 @@ -7836,10 +8296,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -7859,7 +8319,14 @@ spec: automountServiceAccountToken: true containers: - name: webhook - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - webhook diff --git a/common/tests/golang-external-secrets-industrial-edge-hub.expected.yaml b/common/tests/golang-external-secrets-industrial-edge-hub.expected.yaml index 4b957a45..f0314907 100644 --- a/common/tests/golang-external-secrets-industrial-edge-hub.expected.yaml +++ b/common/tests/golang-external-secrets-industrial-edge-hub.expected.yaml @@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml 
@@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -67,8 +67,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: acraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -209,8 +208,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: clusterexternalsecrets.external-secrets.io spec: group: external-secrets.io @@ -500,6 +498,9 @@ spec: engineVersion: default: v2 type: string + mergePolicy: + default: Replace + type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. properties: 
@@ -664,8 +665,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: clustersecretstores.external-secrets.io spec: group: external-secrets.io @@ -705,7 +705,7 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -844,6 +844,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -877,11 +894,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string 
@@ -1114,7 +1127,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -1854,7 +1867,7 @@ spec: type: object type: array controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -1993,6 +2006,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -2026,11 +2056,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -2114,6 +2140,9 @@ spec: type: object type: object type: object + externalID: + description: AWS External ID set on assumed IAM roles + type: string region: description: AWS Region to be used for the provider type: string 
@@ -2344,7 +2373,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -2784,6 +2813,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -2799,7 +2841,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -2832,6 +2873,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -3258,8 +3387,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: ecrauthorizationtokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -3387,8 +3515,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: externalsecrets.external-secrets.io spec: group: external-secrets.io @@ -3586,6 +3713,14 @@ spec: type: object status: properties: + binding: + description: Binding represents a servicebinding.io Provisioned Service reference to the secret + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic conditions: items: properties: @@ -3888,6 +4023,9 @@ spec: engineVersion: default: v2 type: string + mergePolicy: + default: Replace + type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. properties: @@ -3957,6 +4095,14 @@ spec: type: object status: properties: + binding: + description: Binding represents a servicebinding.io Provisioned Service reference to the secret + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic conditions: items: properties: 
@@ -4006,8 +4152,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: fakes.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4038,6 +4183,9 @@ spec: spec: description: FakeSpec contains the static data. properties: + controller: + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + type: string data: additionalProperties: type: string @@ -4065,8 +4213,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4174,8 +4321,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: passwords.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4253,8 +4399,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: pushsecrets.external-secrets.io spec: group: external-secrets.io @@ -4299,6 +4444,9 @@ spec: remoteRef: description: Remote Refs to push to providers. properties: + property: + description: Name of the property in the resulting secret + type: string remoteKey: description: Name of the resulting provider secret. type: string 
@@ -4424,6 +4572,9 @@ spec: remoteRef: description: Remote Refs to push to providers. properties: + property: + description: Name of the property in the resulting secret + type: string remoteKey: description: Name of the resulting provider secret. type: string @@ -4468,8 +4619,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: secretstores.external-secrets.io spec: group: external-secrets.io @@ -4509,7 +4659,7 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -4648,6 +4798,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -4681,11 +4848,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string 
@@ -4918,7 +5081,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -5658,7 +5821,7 @@ spec: type: object type: array controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -5797,6 +5960,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -5830,11 +6010,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -5918,6 +6094,9 @@ spec: type: object type: object type: object + externalID: + description: AWS External ID set on assumed IAM roles + type: string region: description: AWS Region to be used for the provider type: string 
@@ -6148,7 +6327,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -6588,6 +6767,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -6603,7 +6795,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -6636,6 +6827,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -7062,8 +7341,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -7092,6 +7370,9 @@ spec: type: object spec: properties: + controller: + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + type: string method: description: Vault API method to use (GET/POST/other) type: string @@ -7117,6 +7398,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -7132,7 +7426,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -7165,6 +7458,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -7360,6 +7741,10 @@ spec: - auth - server type: object + resultType: + default: Data + description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + type: string required: - path - provider @@ -7386,10 +7771,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7437,6 +7822,15 @@ rules: - "watch" - "update" - "patch" + - apiGroups: + - "coordination.k8s.io" + resources: + - "leases" + verbs: + - "get" + - "create" + - "update" + - "patch" --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7444,10 +7838,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -7553,10 +7947,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -7573,6 +7967,19 @@ rules: - "get" - "watch" - "list" + - apiGroups: + - "generators.external-secrets.io" + resources: + - "acraccesstokens" + - "ecrauthorizationtokens" + - "fakes" + - "gcraccesstokens" + - "passwords" + - "vaultdynamicsecrets" + verbs: + - "get" + - "watch" + - "list" --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7580,10 +7987,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" 
@@ -7601,6 +8008,43 @@ rules: - "deletecollection" - "patch" - "update" + - apiGroups: + - "generators.external-secrets.io" + resources: + - "acraccesstokens" + - "ecrauthorizationtokens" + - "fakes" + - "gcraccesstokens" + - "passwords" + - "vaultdynamicsecrets" + verbs: + - "create" + - "delete" + - "deletecollection" + - "patch" + - "update" +--- +# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: golang-external-secrets-servicebindings + labels: + servicebinding.io/controller: "true" + helm.sh/chart: external-secrets-0.8.5 + app.kubernetes.io/name: external-secrets + app.kubernetes.io/instance: golang-external-secrets + app.kubernetes.io/version: "v0.8.5" + app.kubernetes.io/managed-by: Helm +rules: + - apiGroups: + - "external-secrets.io" + resources: + - "externalsecrets" + verbs: + - "get" + - "list" + - "watch" --- # Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7608,10 +8052,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -7628,10 +8072,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -7664,10 +8108,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7703,10 +8147,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -7724,10 +8168,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -7748,10 +8192,10 @@ metadata: name: golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -7768,9 +8212,17 @@ spec: spec: serviceAccountName: external-secrets-cert-controller automountServiceAccountToken: true + hostNetwork: false containers: - name: cert-controller - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - certcontroller @@ -7798,10 +8250,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -7818,9 +8270,17 @@ spec: spec: serviceAccountName: golang-external-secrets automountServiceAccountToken: true + hostNetwork: false containers: - name: external-secrets - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 @@ -7836,10 +8296,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -7859,7 +8319,14 @@ spec: automountServiceAccountToken: true containers: - name: webhook - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - webhook diff --git a/common/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml b/common/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml index 4b957a45..f0314907 100644 --- a/common/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml +++ b/common/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml @@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml 
@@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -67,8 +67,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: acraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -209,8 +208,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: clusterexternalsecrets.external-secrets.io spec: group: external-secrets.io @@ -500,6 +498,9 @@ spec: engineVersion: default: v2 type: string + mergePolicy: + default: Replace + type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. properties: 
@@ -664,8 +665,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: clustersecretstores.external-secrets.io spec: group: external-secrets.io @@ -705,7 +705,7 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -844,6 +844,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -877,11 +894,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string 
@@ -1114,7 +1127,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -1854,7 +1867,7 @@ spec: type: object type: array controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -1993,6 +2006,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -2026,11 +2056,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -2114,6 +2140,9 @@ spec: type: object type: object type: object + externalID: + description: AWS External ID set on assumed IAM roles + type: string region: description: AWS Region to be used for the provider type: string 
@@ -2344,7 +2373,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -2784,6 +2813,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -2799,7 +2841,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -2832,6 +2873,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -3258,8 +3387,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: ecrauthorizationtokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -3387,8 +3515,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: externalsecrets.external-secrets.io spec: group: external-secrets.io @@ -3586,6 +3713,14 @@ spec: type: object status: properties: + binding: + description: Binding represents a servicebinding.io Provisioned Service reference to the secret + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic conditions: items: properties: @@ -3888,6 +4023,9 @@ spec: engineVersion: default: v2 type: string + mergePolicy: + default: Replace + type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. properties: @@ -3957,6 +4095,14 @@ spec: type: object status: properties: + binding: + description: Binding represents a servicebinding.io Provisioned Service reference to the secret + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic conditions: items: properties: 
@@ -4006,8 +4152,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: fakes.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4038,6 +4183,9 @@ spec: spec: description: FakeSpec contains the static data. properties: + controller: + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + type: string data: additionalProperties: type: string @@ -4065,8 +4213,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4174,8 +4321,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: passwords.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4253,8 +4399,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: pushsecrets.external-secrets.io spec: group: external-secrets.io @@ -4299,6 +4444,9 @@ spec: remoteRef: description: Remote Refs to push to providers. properties: + property: + description: Name of the property in the resulting secret + type: string remoteKey: description: Name of the resulting provider secret. type: string 
@@ -4424,6 +4572,9 @@ spec: remoteRef: description: Remote Refs to push to providers. properties: + property: + description: Name of the property in the resulting secret + type: string remoteKey: description: Name of the resulting provider secret. type: string @@ -4468,8 +4619,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: secretstores.external-secrets.io spec: group: external-secrets.io @@ -4509,7 +4659,7 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -4648,6 +4798,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -4681,11 +4848,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string 
@@ -4918,7 +5081,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -5658,7 +5821,7 @@ spec: type: object type: array controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -5797,6 +5960,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -5830,11 +6010,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -5918,6 +6094,9 @@ spec: type: object type: object type: object + externalID: + description: AWS External ID set on assumed IAM roles + type: string region: description: AWS Region to be used for the provider type: string 
@@ -6148,7 +6327,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -6588,6 +6767,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -6603,7 +6795,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -6636,6 +6827,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -7062,8 +7341,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -7092,6 +7370,9 @@ spec: type: object spec: properties: + controller: + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + type: string method: description: Vault API method to use (GET/POST/other) type: string @@ -7117,6 +7398,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -7132,7 +7426,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -7165,6 +7458,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -7360,6 +7741,10 @@ spec: - auth - server type: object + resultType: + default: Data + description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + type: string required: - path - provider @@ -7386,10 +7771,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7437,6 +7822,15 @@ rules: - "watch" - "update" - "patch" + - apiGroups: + - "coordination.k8s.io" + resources: + - "leases" + verbs: + - "get" + - "create" + - "update" + - "patch" --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7444,10 +7838,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -7553,10 +7947,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -7573,6 +7967,19 @@ rules: - "get" - "watch" - "list" + - apiGroups: + - "generators.external-secrets.io" + resources: + - "acraccesstokens" + - "ecrauthorizationtokens" + - "fakes" + - "gcraccesstokens" + - "passwords" + - "vaultdynamicsecrets" + verbs: + - "get" + - "watch" + - "list" --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7580,10 +7987,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" 
@@ -7601,6 +8008,43 @@ rules: - "deletecollection" - "patch" - "update" + - apiGroups: + - "generators.external-secrets.io" + resources: + - "acraccesstokens" + - "ecrauthorizationtokens" + - "fakes" + - "gcraccesstokens" + - "passwords" + - "vaultdynamicsecrets" + verbs: + - "create" + - "delete" + - "deletecollection" + - "patch" + - "update" +--- +# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: golang-external-secrets-servicebindings + labels: + servicebinding.io/controller: "true" + helm.sh/chart: external-secrets-0.8.5 + app.kubernetes.io/name: external-secrets + app.kubernetes.io/instance: golang-external-secrets + app.kubernetes.io/version: "v0.8.5" + app.kubernetes.io/managed-by: Helm +rules: + - apiGroups: + - "external-secrets.io" + resources: + - "externalsecrets" + verbs: + - "get" + - "list" + - "watch" --- # Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7608,10 +8052,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -7628,10 +8072,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -7664,10 +8108,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7703,10 +8147,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -7724,10 +8168,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -7748,10 +8192,10 @@ metadata: name: golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -7768,9 +8212,17 @@ spec: spec: serviceAccountName: external-secrets-cert-controller automountServiceAccountToken: true + hostNetwork: false containers: - name: cert-controller - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - certcontroller @@ -7798,10 +8250,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -7818,9 +8270,17 @@ spec: spec: serviceAccountName: golang-external-secrets automountServiceAccountToken: true + hostNetwork: false containers: - name: external-secrets - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 @@ -7836,10 +8296,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -7859,7 +8319,14 @@ spec: automountServiceAccountToken: true containers: - name: webhook - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - webhook diff --git a/common/tests/golang-external-secrets-naked.expected.yaml b/common/tests/golang-external-secrets-naked.expected.yaml index 5e43d029..063464e7 100644 --- a/common/tests/golang-external-secrets-naked.expected.yaml +++ b/common/tests/golang-external-secrets-naked.expected.yaml @@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml 
@@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -67,8 +67,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: acraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -209,8 +208,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: clusterexternalsecrets.external-secrets.io spec: group: external-secrets.io @@ -500,6 +498,9 @@ spec: engineVersion: default: v2 type: string + mergePolicy: + default: Replace + type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. properties: 
@@ -664,8 +665,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: clustersecretstores.external-secrets.io spec: group: external-secrets.io @@ -705,7 +705,7 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -844,6 +844,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -877,11 +894,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string 
@@ -1114,7 +1127,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -1854,7 +1867,7 @@ spec: type: object type: array controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -1993,6 +2006,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -2026,11 +2056,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -2114,6 +2140,9 @@ spec: type: object type: object type: object + externalID: + description: AWS External ID set on assumed IAM roles + type: string region: description: AWS Region to be used for the provider type: string 
@@ -2344,7 +2373,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -2784,6 +2813,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -2799,7 +2841,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -2832,6 +2873,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -3258,8 +3387,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: ecrauthorizationtokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -3387,8 +3515,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: externalsecrets.external-secrets.io spec: group: external-secrets.io @@ -3586,6 +3713,14 @@ spec: type: object status: properties: + binding: + description: Binding represents a servicebinding.io Provisioned Service reference to the secret + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic conditions: items: properties: @@ -3888,6 +4023,9 @@ spec: engineVersion: default: v2 type: string + mergePolicy: + default: Replace + type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. properties: @@ -3957,6 +4095,14 @@ spec: type: object status: properties: + binding: + description: Binding represents a servicebinding.io Provisioned Service reference to the secret + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic conditions: items: properties: 
@@ -4006,8 +4152,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: fakes.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4038,6 +4183,9 @@ spec: spec: description: FakeSpec contains the static data. properties: + controller: + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + type: string data: additionalProperties: type: string @@ -4065,8 +4213,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4174,8 +4321,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: passwords.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4253,8 +4399,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: pushsecrets.external-secrets.io spec: group: external-secrets.io @@ -4299,6 +4444,9 @@ spec: remoteRef: description: Remote Refs to push to providers. properties: + property: + description: Name of the property in the resulting secret + type: string remoteKey: description: Name of the resulting provider secret. type: string 
@@ -4424,6 +4572,9 @@ spec: remoteRef: description: Remote Refs to push to providers. properties: + property: + description: Name of the property in the resulting secret + type: string remoteKey: description: Name of the resulting provider secret. type: string @@ -4468,8 +4619,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: secretstores.external-secrets.io spec: group: external-secrets.io @@ -4509,7 +4659,7 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -4648,6 +4798,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -4681,11 +4848,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string 
@@ -4918,7 +5081,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -5658,7 +5821,7 @@ spec: type: object type: array controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -5797,6 +5960,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -5830,11 +6010,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -5918,6 +6094,9 @@ spec: type: object type: object type: object + externalID: + description: AWS External ID set on assumed IAM roles + type: string region: description: AWS Region to be used for the provider type: string 
@@ -6148,7 +6327,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -6588,6 +6767,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -6603,7 +6795,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -6636,6 +6827,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -7062,8 +7341,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -7092,6 +7370,9 @@ spec: type: object spec: properties: + controller: + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + type: string method: description: Vault API method to use (GET/POST/other) type: string @@ -7117,6 +7398,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -7132,7 +7426,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -7165,6 +7458,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -7360,6 +7741,10 @@ spec: - auth - server type: object + resultType: + default: Data + description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + type: string required: - path - provider @@ -7386,10 +7771,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7437,6 +7822,15 @@ rules: - "watch" - "update" - "patch" + - apiGroups: + - "coordination.k8s.io" + resources: + - "leases" + verbs: + - "get" + - "create" + - "update" + - "patch" --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7444,10 +7838,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -7553,10 +7947,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -7573,6 +7967,19 @@ rules: - "get" - "watch" - "list" + - apiGroups: + - "generators.external-secrets.io" + resources: + - "acraccesstokens" + - "ecrauthorizationtokens" + - "fakes" + - "gcraccesstokens" + - "passwords" + - "vaultdynamicsecrets" + verbs: + - "get" + - "watch" + - "list" --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7580,10 +7987,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" 
@@ -7601,6 +8008,43 @@ rules: - "deletecollection" - "patch" - "update" + - apiGroups: + - "generators.external-secrets.io" + resources: + - "acraccesstokens" + - "ecrauthorizationtokens" + - "fakes" + - "gcraccesstokens" + - "passwords" + - "vaultdynamicsecrets" + verbs: + - "create" + - "delete" + - "deletecollection" + - "patch" + - "update" +--- +# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: golang-external-secrets-servicebindings + labels: + servicebinding.io/controller: "true" + helm.sh/chart: external-secrets-0.8.5 + app.kubernetes.io/name: external-secrets + app.kubernetes.io/instance: golang-external-secrets + app.kubernetes.io/version: "v0.8.5" + app.kubernetes.io/managed-by: Helm +rules: + - apiGroups: + - "external-secrets.io" + resources: + - "externalsecrets" + verbs: + - "get" + - "list" + - "watch" --- # Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7608,10 +8052,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -7628,10 +8072,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -7664,10 +8108,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7703,10 +8147,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -7724,10 +8168,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -7748,10 +8192,10 @@ metadata: name: golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -7768,9 +8212,17 @@ spec: spec: serviceAccountName: external-secrets-cert-controller automountServiceAccountToken: true + hostNetwork: false containers: - name: cert-controller - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - certcontroller @@ -7798,10 +8250,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -7818,9 +8270,17 @@ spec: spec: serviceAccountName: golang-external-secrets automountServiceAccountToken: true + hostNetwork: false containers: - name: external-secrets - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 @@ -7836,10 +8296,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -7859,7 +8319,14 @@ spec: automountServiceAccountToken: true containers: - name: webhook - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - webhook diff --git a/common/tests/golang-external-secrets-normal.expected.yaml b/common/tests/golang-external-secrets-normal.expected.yaml index 4b957a45..f0314907 100644 --- a/common/tests/golang-external-secrets-normal.expected.yaml +++ b/common/tests/golang-external-secrets-normal.expected.yaml @@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml 
@@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -67,8 +67,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: acraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -209,8 +208,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: clusterexternalsecrets.external-secrets.io spec: group: external-secrets.io @@ -500,6 +498,9 @@ spec: engineVersion: default: v2 type: string + mergePolicy: + default: Replace + type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. properties: 
@@ -664,8 +665,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: clustersecretstores.external-secrets.io spec: group: external-secrets.io @@ -705,7 +705,7 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -844,6 +844,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -877,11 +894,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string 
@@ -1114,7 +1127,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -1854,7 +1867,7 @@ spec: type: object type: array controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -1993,6 +2006,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -2026,11 +2056,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -2114,6 +2140,9 @@ spec: type: object type: object type: object + externalID: + description: AWS External ID set on assumed IAM roles + type: string region: description: AWS Region to be used for the provider type: string 
@@ -2344,7 +2373,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -2784,6 +2813,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -2799,7 +2841,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -2832,6 +2873,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -3258,8 +3387,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: ecrauthorizationtokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -3387,8 +3515,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: externalsecrets.external-secrets.io spec: group: external-secrets.io @@ -3586,6 +3713,14 @@ spec: type: object status: properties: + binding: + description: Binding represents a servicebinding.io Provisioned Service reference to the secret + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic conditions: items: properties: @@ -3888,6 +4023,9 @@ spec: engineVersion: default: v2 type: string + mergePolicy: + default: Replace + type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. properties: @@ -3957,6 +4095,14 @@ spec: type: object status: properties: + binding: + description: Binding represents a servicebinding.io Provisioned Service reference to the secret + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic conditions: items: properties: 
@@ -4006,8 +4152,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: fakes.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4038,6 +4183,9 @@ spec: spec: description: FakeSpec contains the static data. properties: + controller: + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + type: string data: additionalProperties: type: string @@ -4065,8 +4213,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4174,8 +4321,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: passwords.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4253,8 +4399,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: pushsecrets.external-secrets.io spec: group: external-secrets.io @@ -4299,6 +4444,9 @@ spec: remoteRef: description: Remote Refs to push to providers. properties: + property: + description: Name of the property in the resulting secret + type: string remoteKey: description: Name of the resulting provider secret. type: string 
@@ -4424,6 +4572,9 @@ spec: remoteRef: description: Remote Refs to push to providers. properties: + property: + description: Name of the property in the resulting secret + type: string remoteKey: description: Name of the resulting provider secret. type: string @@ -4468,8 +4619,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: secretstores.external-secrets.io spec: group: external-secrets.io @@ -4509,7 +4659,7 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -4648,6 +4798,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -4681,11 +4848,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string 
@@ -4918,7 +5081,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -5658,7 +5821,7 @@ spec: type: object type: array controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -5797,6 +5960,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -5830,11 +6010,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -5918,6 +6094,9 @@ spec: type: object type: object type: object + externalID: + description: AWS External ID set on assumed IAM roles + type: string region: description: AWS Region to be used for the provider type: string 
@@ -6148,7 +6327,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -6588,6 +6767,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -6603,7 +6795,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -6636,6 +6827,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -7062,8 +7341,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -7092,6 +7370,9 @@ spec: type: object spec: properties: + controller: + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + type: string method: description: Vault API method to use (GET/POST/other) type: string @@ -7117,6 +7398,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -7132,7 +7426,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -7165,6 +7458,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -7360,6 +7741,10 @@ spec: - auth - server type: object + resultType: + default: Data + description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + type: string required: - path - provider @@ -7386,10 +7771,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7437,6 +7822,15 @@ rules: - "watch" - "update" - "patch" + - apiGroups: + - "coordination.k8s.io" + resources: + - "leases" + verbs: + - "get" + - "create" + - "update" + - "patch" --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7444,10 +7838,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -7553,10 +7947,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -7573,6 +7967,19 @@ rules: - "get" - "watch" - "list" + - apiGroups: + - "generators.external-secrets.io" + resources: + - "acraccesstokens" + - "ecrauthorizationtokens" + - "fakes" + - "gcraccesstokens" + - "passwords" + - "vaultdynamicsecrets" + verbs: + - "get" + - "watch" + - "list" --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7580,10 +7987,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" 
@@ -7601,6 +8008,43 @@ rules: - "deletecollection" - "patch" - "update" + - apiGroups: + - "generators.external-secrets.io" + resources: + - "acraccesstokens" + - "ecrauthorizationtokens" + - "fakes" + - "gcraccesstokens" + - "passwords" + - "vaultdynamicsecrets" + verbs: + - "create" + - "delete" + - "deletecollection" + - "patch" + - "update" +--- +# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: golang-external-secrets-servicebindings + labels: + servicebinding.io/controller: "true" + helm.sh/chart: external-secrets-0.8.5 + app.kubernetes.io/name: external-secrets + app.kubernetes.io/instance: golang-external-secrets + app.kubernetes.io/version: "v0.8.5" + app.kubernetes.io/managed-by: Helm +rules: + - apiGroups: + - "external-secrets.io" + resources: + - "externalsecrets" + verbs: + - "get" + - "list" + - "watch" --- # Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7608,10 +8052,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -7628,10 +8072,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -7664,10 +8108,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7703,10 +8147,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -7724,10 +8168,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -7748,10 +8192,10 @@ metadata: name: golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -7768,9 +8212,17 @@ spec: spec: serviceAccountName: external-secrets-cert-controller automountServiceAccountToken: true + hostNetwork: false containers: - name: cert-controller - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - certcontroller @@ -7798,10 +8250,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -7818,9 +8270,17 @@ spec: spec: serviceAccountName: golang-external-secrets automountServiceAccountToken: true + hostNetwork: false containers: - name: external-secrets - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 @@ -7836,10 +8296,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -7859,7 +8319,14 @@ spec: automountServiceAccountToken: true containers: - name: webhook - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - webhook diff --git a/common/tests/hashicorp-vault-industrial-edge-factory.expected.yaml b/common/tests/hashicorp-vault-industrial-edge-factory.expected.yaml index 2f8643d4..8377766b 100644 --- a/common/tests/hashicorp-vault-industrial-edge-factory.expected.yaml +++ b/common/tests/hashicorp-vault-industrial-edge-factory.expected.yaml @@ -6,7 +6,7 @@ metadata: name: hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -18,7 +18,7 @@ metadata: name: hashicorp-vault-config namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -42,7 +42,7 @@ kind: ClusterRoleBinding metadata: name: hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -63,7 +63,7 @@ metadata: name: hashicorp-vault-internal namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -95,7 +95,7 @@ metadata: name: hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -126,7 +126,7 @@ metadata: name: hashicorp-vault-ui namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -168,7 +168,7 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault component: server @@ -205,7 +205,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.12.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -346,7 +346,7 @@ metadata: name: hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -373,7 +373,7 @@ spec: containers: - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.12.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/common/tests/hashicorp-vault-industrial-edge-hub.expected.yaml b/common/tests/hashicorp-vault-industrial-edge-hub.expected.yaml index 2f8643d4..8377766b 100644 --- a/common/tests/hashicorp-vault-industrial-edge-hub.expected.yaml +++ b/common/tests/hashicorp-vault-industrial-edge-hub.expected.yaml @@ -6,7 +6,7 @@ metadata: name: hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -18,7 +18,7 @@ metadata: name: hashicorp-vault-config namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -42,7 +42,7 @@ kind: ClusterRoleBinding metadata: name: hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -63,7 +63,7 @@ metadata: name: hashicorp-vault-internal namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -95,7 +95,7 @@ metadata: name: hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -126,7 +126,7 @@ metadata: name: hashicorp-vault-ui namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -168,7 +168,7 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault component: server @@ -205,7 +205,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.12.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -346,7 +346,7 @@ metadata: name: hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -373,7 +373,7 @@ spec: containers: - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.12.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/common/tests/hashicorp-vault-medical-diagnosis-hub.expected.yaml b/common/tests/hashicorp-vault-medical-diagnosis-hub.expected.yaml index 2f8643d4..8377766b 100644 --- a/common/tests/hashicorp-vault-medical-diagnosis-hub.expected.yaml +++ b/common/tests/hashicorp-vault-medical-diagnosis-hub.expected.yaml @@ -6,7 +6,7 @@ metadata: name: hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -18,7 +18,7 @@ metadata: name: hashicorp-vault-config namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -42,7 +42,7 @@ kind: ClusterRoleBinding metadata: name: hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -63,7 +63,7 @@ metadata: name: hashicorp-vault-internal namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -95,7 +95,7 @@ metadata: name: hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -126,7 +126,7 @@ metadata: name: hashicorp-vault-ui namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -168,7 +168,7 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault component: server @@ -205,7 +205,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.12.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -346,7 +346,7 @@ metadata: name: hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -373,7 +373,7 @@ spec: containers: - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.12.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/common/tests/hashicorp-vault-naked.expected.yaml b/common/tests/hashicorp-vault-naked.expected.yaml index d4b110b5..c8506883 100644 --- a/common/tests/hashicorp-vault-naked.expected.yaml +++ b/common/tests/hashicorp-vault-naked.expected.yaml @@ -6,7 +6,7 @@ metadata: name: hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -18,7 +18,7 @@ metadata: name: hashicorp-vault-config namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -42,7 +42,7 @@ kind: ClusterRoleBinding metadata: name: hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -63,7 +63,7 @@ metadata: name: hashicorp-vault-internal namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -95,7 +95,7 @@ metadata: name: hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -126,7 +126,7 @@ metadata: name: hashicorp-vault-ui namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -168,7 +168,7 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault component: server @@ -205,7 +205,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.12.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -346,7 +346,7 @@ metadata: name: hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -373,7 +373,7 @@ spec: containers: - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.12.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR 
diff --git a/common/tests/hashicorp-vault-normal.expected.yaml b/common/tests/hashicorp-vault-normal.expected.yaml index 2f8643d4..8377766b 100644 --- a/common/tests/hashicorp-vault-normal.expected.yaml +++ b/common/tests/hashicorp-vault-normal.expected.yaml @@ -6,7 +6,7 @@ metadata: name: hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -18,7 +18,7 @@ metadata: name: hashicorp-vault-config namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -42,7 +42,7 @@ kind: ClusterRoleBinding metadata: name: hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -63,7 +63,7 @@ metadata: name: hashicorp-vault-internal namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -95,7 +95,7 @@ metadata: name: hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -126,7 +126,7 @@ metadata: name: hashicorp-vault-ui namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -168,7 +168,7 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault component: server 
@@ -205,7 +205,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.12.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -346,7 +346,7 @@ metadata: name: hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -373,7 +373,7 @@ spec: containers: - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.12.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/common/tests/letsencrypt-industrial-edge-factory.expected.yaml b/common/tests/letsencrypt-industrial-edge-factory.expected.yaml new file mode 100644 index 00000000..b5aded2f --- /dev/null +++ b/common/tests/letsencrypt-industrial-edge-factory.expected.yaml 
@@ -0,0 +1,202 @@ +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager-operator +spec: +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager +spec: +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: letsencrypt +spec: +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: config.openshift.io/v1 +kind: APIServer +metadata: + name: cluster + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + servingCerts: + namedCertificates: + - names: + - api.region.example.com + servingCertificate: + name: api-validated-patterns-letsencrypt-cert +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: argoproj.io/v1alpha1 +kind: ArgoCD +metadata: + name: openshift-gitops + namespace: openshift-gitops + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + server: + route: + enabled: true + tls: + termination: reencrypt +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operator.openshift.io/v1alpha1 +kind: CertManager +metadata: + name: cluster + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + managementState: "Managed" + unsupportedConfigOverrides: + # Here's an example to supply custom DNS settings. 
+ controller: + args: + - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53" + - "--dns01-recursive-nameservers-only" +--- +# Source: letsencrypt/templates/api-cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: api-validated-patterns-cert + namespace: openshift-config + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + secretName: api-validated-patterns-letsencrypt-cert + duration: 168h0m0s + renewBefore: 28h0m0s + commonName: 'api.region.example.com' + usages: + - server auth + dnsNames: + - api.region.example.com + issuerRef: + name: validated-patterns-issuer + kind: ClusterIssuer + subject: + organizations: + - hybrid-cloud-patterns.io +--- +# Source: letsencrypt/templates/wildcard-cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: lets-encrypt-certs + namespace: openshift-ingress + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + secretName: lets-encrypt-wildcart-cert-tls + duration: 168h0m0s + renewBefore: 28h0m0s + commonName: '*.apps.region.example.com' + usages: + - server auth + dnsNames: + - '*.apps.region.example.com' + issuerRef: + name: validated-patterns-issuer + kind: ClusterIssuer + subject: + organizations: + - hybrid-cloud-patterns.io +--- +# Source: letsencrypt/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: validated-patterns-issuer + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + acme: + server: https://acme-staging-v02.api.letsencrypt.org/directory + email: test@example.com + privateKeySecretRef: + name: validated-patterns-issuer-account-key + solvers: + - selector: {} + dns01: + route53: + region: eu-central-1 + accessKeyIDSecretRef: + name: cert-manager-dns-credentials + key: aws_access_key_id + secretAccessKeySecretRef: + name: cert-manager-dns-credentials + key: aws_secret_access_key +--- +# Source: 
letsencrypt/templates/credentials-request.yaml +apiVersion: cloudcredential.openshift.io/v1 +kind: CredentialsRequest +metadata: + name: letsencrypt-cert-manager-dns + namespace: openshift-cloud-credential-operator + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + providerSpec: + apiVersion: cloudcredential.openshift.io/v1 + kind: AWSProviderSpec + statementEntries: + - action: + - 'route53:ChangeResourceRecordSets' + - 'route53:GetChange' + - 'route53:ListHostedZonesByName' + - 'route53:ListHostedZones' + effect: Allow + resource: '*' + secretRef: + name: cert-manager-dns-credentials + namespace: cert-manager +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: operator.openshift.io/v1 +kind: IngressController +metadata: + name: default + namespace: openshift-ingress-operator + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + routeAdmission: + wildcardPolicy: WildcardsAllowed + defaultCertificate: + name: lets-encrypt-wildcart-cert-tls +# Patch the cluster-wide argocd instance so it uses the ingress tls cert +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operators.coreos.com/v1 +kind: OperatorGroup +metadata: + name: cert-manager-operator + namespace: cert-manager-operator +spec: + targetNamespaces: + - cert-manager-operator +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operators.coreos.com/v1alpha1 +kind: Subscription +metadata: + name: openshift-cert-manager-operator + namespace: cert-manager-operator +spec: + channel: "stable-v1" + installPlanApproval: Automatic + name: openshift-cert-manager-operator + source: redhat-operators + sourceNamespace: openshift-marketplace diff --git a/common/tests/letsencrypt-industrial-edge-hub.expected.yaml b/common/tests/letsencrypt-industrial-edge-hub.expected.yaml new file mode 100644 index 00000000..b5aded2f 
--- /dev/null +++ b/common/tests/letsencrypt-industrial-edge-hub.expected.yaml 
@@ -0,0 +1,202 @@ +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager-operator +spec: +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager +spec: +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: letsencrypt +spec: +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: config.openshift.io/v1 +kind: APIServer +metadata: + name: cluster + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + servingCerts: + namedCertificates: + - names: + - api.region.example.com + servingCertificate: + name: api-validated-patterns-letsencrypt-cert +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: argoproj.io/v1alpha1 +kind: ArgoCD +metadata: + name: openshift-gitops + namespace: openshift-gitops + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + server: + route: + enabled: true + tls: + termination: reencrypt +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operator.openshift.io/v1alpha1 +kind: CertManager +metadata: + name: cluster + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + managementState: "Managed" + unsupportedConfigOverrides: + # Here's an example to supply custom DNS settings. 
+ controller: + args: + - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53" + - "--dns01-recursive-nameservers-only" +--- +# Source: letsencrypt/templates/api-cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: api-validated-patterns-cert + namespace: openshift-config + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + secretName: api-validated-patterns-letsencrypt-cert + duration: 168h0m0s + renewBefore: 28h0m0s + commonName: 'api.region.example.com' + usages: + - server auth + dnsNames: + - api.region.example.com + issuerRef: + name: validated-patterns-issuer + kind: ClusterIssuer + subject: + organizations: + - hybrid-cloud-patterns.io +--- +# Source: letsencrypt/templates/wildcard-cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: lets-encrypt-certs + namespace: openshift-ingress + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + secretName: lets-encrypt-wildcart-cert-tls + duration: 168h0m0s + renewBefore: 28h0m0s + commonName: '*.apps.region.example.com' + usages: + - server auth + dnsNames: + - '*.apps.region.example.com' + issuerRef: + name: validated-patterns-issuer + kind: ClusterIssuer + subject: + organizations: + - hybrid-cloud-patterns.io +--- +# Source: letsencrypt/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: validated-patterns-issuer + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + acme: + server: https://acme-staging-v02.api.letsencrypt.org/directory + email: test@example.com + privateKeySecretRef: + name: validated-patterns-issuer-account-key + solvers: + - selector: {} + dns01: + route53: + region: eu-central-1 + accessKeyIDSecretRef: + name: cert-manager-dns-credentials + key: aws_access_key_id + secretAccessKeySecretRef: + name: cert-manager-dns-credentials + key: aws_secret_access_key +--- +# Source: 
letsencrypt/templates/credentials-request.yaml +apiVersion: cloudcredential.openshift.io/v1 +kind: CredentialsRequest +metadata: + name: letsencrypt-cert-manager-dns + namespace: openshift-cloud-credential-operator + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + providerSpec: + apiVersion: cloudcredential.openshift.io/v1 + kind: AWSProviderSpec + statementEntries: + - action: + - 'route53:ChangeResourceRecordSets' + - 'route53:GetChange' + - 'route53:ListHostedZonesByName' + - 'route53:ListHostedZones' + effect: Allow + resource: '*' + secretRef: + name: cert-manager-dns-credentials + namespace: cert-manager +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: operator.openshift.io/v1 +kind: IngressController +metadata: + name: default + namespace: openshift-ingress-operator + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + routeAdmission: + wildcardPolicy: WildcardsAllowed + defaultCertificate: + name: lets-encrypt-wildcart-cert-tls +# Patch the cluster-wide argocd instance so it uses the ingress tls cert +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operators.coreos.com/v1 +kind: OperatorGroup +metadata: + name: cert-manager-operator + namespace: cert-manager-operator +spec: + targetNamespaces: + - cert-manager-operator +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operators.coreos.com/v1alpha1 +kind: Subscription +metadata: + name: openshift-cert-manager-operator + namespace: cert-manager-operator +spec: + channel: "stable-v1" + installPlanApproval: Automatic + name: openshift-cert-manager-operator + source: redhat-operators + sourceNamespace: openshift-marketplace diff --git a/common/tests/letsencrypt-medical-diagnosis-hub.expected.yaml b/common/tests/letsencrypt-medical-diagnosis-hub.expected.yaml new file mode 100644 index 00000000..b5aded2f 
--- /dev/null +++ b/common/tests/letsencrypt-medical-diagnosis-hub.expected.yaml 
@@ -0,0 +1,202 @@ +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager-operator +spec: +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager +spec: +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: letsencrypt +spec: +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: config.openshift.io/v1 +kind: APIServer +metadata: + name: cluster + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + servingCerts: + namedCertificates: + - names: + - api.region.example.com + servingCertificate: + name: api-validated-patterns-letsencrypt-cert +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: argoproj.io/v1alpha1 +kind: ArgoCD +metadata: + name: openshift-gitops + namespace: openshift-gitops + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + server: + route: + enabled: true + tls: + termination: reencrypt +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operator.openshift.io/v1alpha1 +kind: CertManager +metadata: + name: cluster + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + managementState: "Managed" + unsupportedConfigOverrides: + # Here's an example to supply custom DNS settings. 
+ controller: + args: + - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53" + - "--dns01-recursive-nameservers-only" +--- +# Source: letsencrypt/templates/api-cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: api-validated-patterns-cert + namespace: openshift-config + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + secretName: api-validated-patterns-letsencrypt-cert + duration: 168h0m0s + renewBefore: 28h0m0s + commonName: 'api.region.example.com' + usages: + - server auth + dnsNames: + - api.region.example.com + issuerRef: + name: validated-patterns-issuer + kind: ClusterIssuer + subject: + organizations: + - hybrid-cloud-patterns.io +--- +# Source: letsencrypt/templates/wildcard-cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: lets-encrypt-certs + namespace: openshift-ingress + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + secretName: lets-encrypt-wildcart-cert-tls + duration: 168h0m0s + renewBefore: 28h0m0s + commonName: '*.apps.region.example.com' + usages: + - server auth + dnsNames: + - '*.apps.region.example.com' + issuerRef: + name: validated-patterns-issuer + kind: ClusterIssuer + subject: + organizations: + - hybrid-cloud-patterns.io +--- +# Source: letsencrypt/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: validated-patterns-issuer + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + acme: + server: https://acme-staging-v02.api.letsencrypt.org/directory + email: test@example.com + privateKeySecretRef: + name: validated-patterns-issuer-account-key + solvers: + - selector: {} + dns01: + route53: + region: eu-central-1 + accessKeyIDSecretRef: + name: cert-manager-dns-credentials + key: aws_access_key_id + secretAccessKeySecretRef: + name: cert-manager-dns-credentials + key: aws_secret_access_key +--- +# Source: 
letsencrypt/templates/credentials-request.yaml +apiVersion: cloudcredential.openshift.io/v1 +kind: CredentialsRequest +metadata: + name: letsencrypt-cert-manager-dns + namespace: openshift-cloud-credential-operator + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + providerSpec: + apiVersion: cloudcredential.openshift.io/v1 + kind: AWSProviderSpec + statementEntries: + - action: + - 'route53:ChangeResourceRecordSets' + - 'route53:GetChange' + - 'route53:ListHostedZonesByName' + - 'route53:ListHostedZones' + effect: Allow + resource: '*' + secretRef: + name: cert-manager-dns-credentials + namespace: cert-manager +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: operator.openshift.io/v1 +kind: IngressController +metadata: + name: default + namespace: openshift-ingress-operator + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + routeAdmission: + wildcardPolicy: WildcardsAllowed + defaultCertificate: + name: lets-encrypt-wildcart-cert-tls +# Patch the cluster-wide argocd instance so it uses the ingress tls cert +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operators.coreos.com/v1 +kind: OperatorGroup +metadata: + name: cert-manager-operator + namespace: cert-manager-operator +spec: + targetNamespaces: + - cert-manager-operator +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operators.coreos.com/v1alpha1 +kind: Subscription +metadata: + name: openshift-cert-manager-operator + namespace: cert-manager-operator +spec: + channel: "stable-v1" + installPlanApproval: Automatic + name: openshift-cert-manager-operator + source: redhat-operators + sourceNamespace: openshift-marketplace diff --git a/common/tests/letsencrypt-naked.expected.yaml b/common/tests/letsencrypt-naked.expected.yaml new file mode 100644 index 00000000..73aa94a4 --- /dev/null 
+++ b/common/tests/letsencrypt-naked.expected.yaml 
@@ -0,0 +1,202 @@ +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager-operator +spec: +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager +spec: +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: letsencrypt +spec: +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: config.openshift.io/v1 +kind: APIServer +metadata: + name: cluster + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + servingCerts: + namedCertificates: + - names: + - api.example.com + servingCertificate: + name: api-validated-patterns-letsencrypt-cert +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: argoproj.io/v1alpha1 +kind: ArgoCD +metadata: + name: openshift-gitops + namespace: openshift-gitops + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + server: + route: + enabled: true + tls: + termination: reencrypt +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operator.openshift.io/v1alpha1 +kind: CertManager +metadata: + name: cluster + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + managementState: "Managed" + unsupportedConfigOverrides: + # Here's an example to supply custom DNS settings. 
+ controller: + args: + - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53" + - "--dns01-recursive-nameservers-only" +--- +# Source: letsencrypt/templates/api-cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: api-validated-patterns-cert + namespace: openshift-config + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + secretName: api-validated-patterns-letsencrypt-cert + duration: 168h0m0s + renewBefore: 28h0m0s + commonName: 'api.example.com' + usages: + - server auth + dnsNames: + - api.example.com + issuerRef: + name: validated-patterns-issuer + kind: ClusterIssuer + subject: + organizations: + - hybrid-cloud-patterns.io +--- +# Source: letsencrypt/templates/wildcard-cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: lets-encrypt-certs + namespace: openshift-ingress + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + secretName: lets-encrypt-wildcart-cert-tls + duration: 168h0m0s + renewBefore: 28h0m0s + commonName: '*.apps.example.com' + usages: + - server auth + dnsNames: + - '*.apps.example.com' + issuerRef: + name: validated-patterns-issuer + kind: ClusterIssuer + subject: + organizations: + - hybrid-cloud-patterns.io +--- +# Source: letsencrypt/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: validated-patterns-issuer + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + acme: + server: https://acme-staging-v02.api.letsencrypt.org/directory + email: test@example.com + privateKeySecretRef: + name: validated-patterns-issuer-account-key + solvers: + - selector: {} + dns01: + route53: + region: eu-central-1 + accessKeyIDSecretRef: + name: cert-manager-dns-credentials + key: aws_access_key_id + secretAccessKeySecretRef: + name: cert-manager-dns-credentials + key: aws_secret_access_key +--- +# Source: 
letsencrypt/templates/credentials-request.yaml +apiVersion: cloudcredential.openshift.io/v1 +kind: CredentialsRequest +metadata: + name: letsencrypt-cert-manager-dns + namespace: openshift-cloud-credential-operator + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + providerSpec: + apiVersion: cloudcredential.openshift.io/v1 + kind: AWSProviderSpec + statementEntries: + - action: + - 'route53:ChangeResourceRecordSets' + - 'route53:GetChange' + - 'route53:ListHostedZonesByName' + - 'route53:ListHostedZones' + effect: Allow + resource: '*' + secretRef: + name: cert-manager-dns-credentials + namespace: cert-manager +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: operator.openshift.io/v1 +kind: IngressController +metadata: + name: default + namespace: openshift-ingress-operator + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + routeAdmission: + wildcardPolicy: WildcardsAllowed + defaultCertificate: + name: lets-encrypt-wildcart-cert-tls +# Patch the cluster-wide argocd instance so it uses the ingress tls cert +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operators.coreos.com/v1 +kind: OperatorGroup +metadata: + name: cert-manager-operator + namespace: cert-manager-operator +spec: + targetNamespaces: + - cert-manager-operator +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operators.coreos.com/v1alpha1 +kind: Subscription +metadata: + name: openshift-cert-manager-operator + namespace: cert-manager-operator +spec: + channel: "stable-v1" + installPlanApproval: Automatic + name: openshift-cert-manager-operator + source: redhat-operators + sourceNamespace: openshift-marketplace diff --git a/common/tests/letsencrypt-normal.expected.yaml b/common/tests/letsencrypt-normal.expected.yaml new file mode 100644 index 00000000..b5aded2f --- /dev/null 
+++ b/common/tests/letsencrypt-normal.expected.yaml 
@@ -0,0 +1,202 @@ +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager-operator +spec: +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager +spec: +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: letsencrypt +spec: +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: config.openshift.io/v1 +kind: APIServer +metadata: + name: cluster + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + servingCerts: + namedCertificates: + - names: + - api.region.example.com + servingCertificate: + name: api-validated-patterns-letsencrypt-cert +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: argoproj.io/v1alpha1 +kind: ArgoCD +metadata: + name: openshift-gitops + namespace: openshift-gitops + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + server: + route: + enabled: true + tls: + termination: reencrypt +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operator.openshift.io/v1alpha1 +kind: CertManager +metadata: + name: cluster + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + managementState: "Managed" + unsupportedConfigOverrides: + # Here's an example to supply custom DNS settings. 
+ controller: + args: + - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53" + - "--dns01-recursive-nameservers-only" +--- +# Source: letsencrypt/templates/api-cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: api-validated-patterns-cert + namespace: openshift-config + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + secretName: api-validated-patterns-letsencrypt-cert + duration: 168h0m0s + renewBefore: 28h0m0s + commonName: 'api.region.example.com' + usages: + - server auth + dnsNames: + - api.region.example.com + issuerRef: + name: validated-patterns-issuer + kind: ClusterIssuer + subject: + organizations: + - hybrid-cloud-patterns.io +--- +# Source: letsencrypt/templates/wildcard-cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: lets-encrypt-certs + namespace: openshift-ingress + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + secretName: lets-encrypt-wildcart-cert-tls + duration: 168h0m0s + renewBefore: 28h0m0s + commonName: '*.apps.region.example.com' + usages: + - server auth + dnsNames: + - '*.apps.region.example.com' + issuerRef: + name: validated-patterns-issuer + kind: ClusterIssuer + subject: + organizations: + - hybrid-cloud-patterns.io +--- +# Source: letsencrypt/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: validated-patterns-issuer + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + acme: + server: https://acme-staging-v02.api.letsencrypt.org/directory + email: test@example.com + privateKeySecretRef: + name: validated-patterns-issuer-account-key + solvers: + - selector: {} + dns01: + route53: + region: eu-central-1 + accessKeyIDSecretRef: + name: cert-manager-dns-credentials + key: aws_access_key_id + secretAccessKeySecretRef: + name: cert-manager-dns-credentials + key: aws_secret_access_key +--- +# Source: 
letsencrypt/templates/credentials-request.yaml +apiVersion: cloudcredential.openshift.io/v1 +kind: CredentialsRequest +metadata: + name: letsencrypt-cert-manager-dns + namespace: openshift-cloud-credential-operator + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + providerSpec: + apiVersion: cloudcredential.openshift.io/v1 + kind: AWSProviderSpec + statementEntries: + - action: + - 'route53:ChangeResourceRecordSets' + - 'route53:GetChange' + - 'route53:ListHostedZonesByName' + - 'route53:ListHostedZones' + effect: Allow + resource: '*' + secretRef: + name: cert-manager-dns-credentials + namespace: cert-manager +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: operator.openshift.io/v1 +kind: IngressController +metadata: + name: default + namespace: openshift-ingress-operator + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + routeAdmission: + wildcardPolicy: WildcardsAllowed + defaultCertificate: + name: lets-encrypt-wildcart-cert-tls +# Patch the cluster-wide argocd instance so it uses the ingress tls cert +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operators.coreos.com/v1 +kind: OperatorGroup +metadata: + name: cert-manager-operator + namespace: cert-manager-operator +spec: + targetNamespaces: + - cert-manager-operator +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operators.coreos.com/v1alpha1 +kind: Subscription +metadata: + name: openshift-cert-manager-operator + namespace: cert-manager-operator +spec: + channel: "stable-v1" + installPlanApproval: Automatic + name: openshift-cert-manager-operator + source: redhat-operators + sourceNamespace: openshift-marketplace diff --git a/common/tests/operator-install-industrial-edge-factory.expected.yaml b/common/tests/operator-install-industrial-edge-factory.expected.yaml index 80fd98de..5fc96bf3 100644 
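Review bot: The rendered `CredentialsRequest` grants `route53:ChangeResourceRecordSets` on `resource: '*'`, so the static key that lands in `cert-manager-dns-credentials` can rewrite records in every hosted zone of the account, although the DNS-01 solver only needs change rights on the zone that hosts `api.region.example.com` and `*.apps.region.example.com`. Since this is a golden file, the change belongs in the template named by the `# Source:` comment: take the hosted zone ID as a value and emit two statement entries, keeping `ListHostedZones`/`ListHostedZonesByName`/`GetChange` on `'*'` and restricting `ChangeResourceRecordSets` to `arn:aws:route53:::hostedzone/<ID>`. Separately, `routeAdmission.wildcardPolicy: WildcardsAllowed` on the default IngressController lets any project claim wildcard routes cluster-wide, which as far as I can tell is not required merely to serve the wildcard `defaultCertificate`; if it is intentional, a comment saying why would help.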
--- a/common/tests/operator-install-industrial-edge-factory.expected.yaml +++ b/common/tests/operator-install-industrial-edge-factory.expected.yaml @@ -12,6 +12,7 @@ spec: targetRevision: main gitOpsSpec: operatorChannel: gitops-1.8 + operatorSource: redhat-operators --- # Source: pattern-install/templates/subscription.yaml apiVersion: operators.coreos.com/v1alpha1 diff --git a/common/tests/operator-install-industrial-edge-hub.expected.yaml b/common/tests/operator-install-industrial-edge-hub.expected.yaml index 80fd98de..5fc96bf3 100644 --- a/common/tests/operator-install-industrial-edge-hub.expected.yaml +++ b/common/tests/operator-install-industrial-edge-hub.expected.yaml @@ -12,6 +12,7 @@ spec: targetRevision: main gitOpsSpec: operatorChannel: gitops-1.8 + operatorSource: redhat-operators --- # Source: pattern-install/templates/subscription.yaml apiVersion: operators.coreos.com/v1alpha1 diff --git a/common/tests/operator-install-medical-diagnosis-hub.expected.yaml b/common/tests/operator-install-medical-diagnosis-hub.expected.yaml index 80fd98de..5fc96bf3 100644 --- a/common/tests/operator-install-medical-diagnosis-hub.expected.yaml +++ b/common/tests/operator-install-medical-diagnosis-hub.expected.yaml @@ -12,6 +12,7 @@ spec: targetRevision: main gitOpsSpec: operatorChannel: gitops-1.8 + operatorSource: redhat-operators --- # Source: pattern-install/templates/subscription.yaml apiVersion: operators.coreos.com/v1alpha1 diff --git a/common/tests/operator-install-naked.expected.yaml b/common/tests/operator-install-naked.expected.yaml index d9a00c03..4c7837fe 100644 --- a/common/tests/operator-install-naked.expected.yaml +++ b/common/tests/operator-install-naked.expected.yaml @@ -12,6 +12,7 @@ spec: targetRevision: main gitOpsSpec: operatorChannel: gitops-1.8 + operatorSource: redhat-operators --- # Source: pattern-install/templates/subscription.yaml apiVersion: operators.coreos.com/v1alpha1 
diff --git a/common/tests/operator-install-normal.expected.yaml b/common/tests/operator-install-normal.expected.yaml index 80fd98de..5fc96bf3 100644 --- a/common/tests/operator-install-normal.expected.yaml +++ b/common/tests/operator-install-normal.expected.yaml @@ -12,6 +12,7 @@ spec: targetRevision: main gitOpsSpec: operatorChannel: gitops-1.8 + operatorSource: redhat-operators --- # Source: pattern-install/templates/subscription.yaml apiVersion: operators.coreos.com/v1alpha1 diff --git a/common/values-global.yaml b/common/values-global.yaml index 8a890f3d..24feccd5 100644 --- a/common/values-global.yaml +++ b/common/values-global.yaml @@ -3,6 +3,7 @@ global: useCSV: True syncPolicy: Manual installPlanApproval: Automatic + applicationRetryLimit: 20 git: hostname: github.com diff --git a/tests/all-medical-diagnosis-xray-init-industrial-edge-factory.expected.yaml b/tests/all-medical-diagnosis-xray-init-industrial-edge-factory.expected.yaml index b8cd50c3..d2f3f21a 100644 --- a/tests/all-medical-diagnosis-xray-init-industrial-edge-factory.expected.yaml +++ b/tests/all-medical-diagnosis-xray-init-industrial-edge-factory.expected.yaml 
@@ -12,6 +12,26 @@ data:
 #!/bin/bash
 oc create secret generic s3-secret-bck -n xraylab-1 --from-literal=AWS_ACCESS_KEY_ID=$(oc extract -n openshift-storage secret/rook-ceph-object-user-ocs-storagecluster-cephobjectstore-xraylab-1 --keys=AccessKey --to=-) --from-literal=AWS_SECRET_ACCESS_KEY=$(oc extract -n openshift-storage secret/rook-ceph-object-user-ocs-storagecluster-cephobjectstore-xraylab-1 --keys=SecretKey --to=-)
 ---
+# Source: xray-init/templates/objectstore-user/cm-wait-for-objectstore.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: wait-for-objectstore
+ namespace: xraylab-1
+ annotations:
+ argocd.argoproj.io/sync-wave: "-1"
+data:
+ wait-for-objectstore.sh: |
+ #!/bin/bash
+ # Get ODF version
+ ODFMINV=$(oc get subs -n openshift-storage odf-operator -o jsonpath='{.status.currentCSV}' | cut -d '.' -f3 )
+ if [[ ${ODFMINV} -lt 13 ]]
+ then
+ oc wait --for=jsonpath='{.status.phase}'=Connected cephobjectstore/ocs-storagecluster-cephobjectstore -n openshift-storage --timeout=100s
+ else
+ oc wait --for=jsonpath='{.status.phase}'=Ready cephobjectstore/ocs-storagecluster-cephobjectstore -n openshift-storage --timeout=100s
+ fi
+---
 # Source: xray-init/templates/s3-bucket-init/cm-s3-bucket-init.yaml
 kind: ConfigMap
 apiVersion: v1
@@ -134,6 +154,25 @@ rules:
 # Source: xray-init/templates/rbac/role.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
+metadata:
+ name: view-odf-subs
+ annotations:
+ argocd.argoproj.io/hook: PreSync
+ argocd.argoproj.io/sync-wave: "-15"
+rules:
+ - apiGroups:
+ - operators.coreos.com
+ resources:
+ - subs
+ - subscriptions
+ verbs:
+ - get
+ - list
+ - watch
+---
+# Source: xray-init/templates/rbac/role.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
 metadata:
 name: view-odf-objectstoreusers
 annotations:
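Review bot: The version probe in `wait-for-objectstore.sh` has no failure path: when `oc get subs` returns nothing (subscription missing, RBAC denied, or `status.currentCSV` not yet populated) `ODFMINV` is empty, and bash treats `[[ "" -lt 13 ]]` as true, so the script silently waits for `Connected` and times out on current ODF, while a non-numeric field aborts with an arithmetic syntax error instead. Comparing only the minor number also misroutes any future major bump (a 5.0 CSV would take the `Connected` branch), and the timeout drops from the 900s the removed inline command used to 100s, which looks unintentional given how long the object store can take to come up. This is a rendered golden file, so the change belongs in the template named by the `# Source:` comment, followed by a re-render; assuming the `name.vMAJOR.MINOR.PATCH` CSV layout that the existing `cut -f3` already relies on, the script below fails fast, checks major and minor, and keeps the original timeout.
```yaml
  wait-for-objectstore.sh: |
    #!/bin/bash
    set -euo pipefail
    # currentCSV is expected to look like odf-operator.v4.13.0-rhodf
    CSV=$(oc get subs -n openshift-storage odf-operator -o jsonpath='{.status.currentCSV}')
    ODFMAJV=$(echo "${CSV}" | cut -d '.' -f2 | tr -d 'v')
    ODFMINV=$(echo "${CSV}" | cut -d '.' -f3)
    if ! [[ "${ODFMAJV}" =~ ^[0-9]+$ && "${ODFMINV}" =~ ^[0-9]+$ ]]; then
      echo "cannot determine ODF version from subscription (currentCSV='${CSV}')" >&2
      exit 1
    fi
    # CephObjectStore reports Connected before ODF 4.13 and Ready from 4.13 on
    if [[ ${ODFMAJV} -eq 4 && ${ODFMINV} -lt 13 ]]; then
      PHASE=Connected
    else
      PHASE=Ready
    fi
    oc wait --for=jsonpath='{.status.phase}'="${PHASE}" cephobjectstore/ocs-storagecluster-cephobjectstore -n openshift-storage --timeout=900s
```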
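Review bot: The `subs` entry in the `view-odf-subs` rule is inert: RBAC matches on the API resource name, and `oc get subs` is resolved client-side through discovery to `subscriptions` before the request is sent, so only the `subscriptions` entry grants anything; dropping `- subs` avoids implying otherwise. The rule is also cluster-scoped although the script only reads a single Subscription in `openshift-storage`, so a namespaced Role/RoleBinding there would be the tighter grant; that said, it follows the same shape as the neighbouring `view-odf-*` ClusterRoles, so treat it as a least-privilege nicety rather than a blocker.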
@@ -188,6 +227,24 @@ roleRef:
 # Source: xray-init/templates/rbac/rolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
+metadata:
+ name: view-odf-subs-rb
+ annotations:
+ argocd.argoproj.io/hook: PreSync
+ argocd.argoproj.io/sync-wave: "-15"
+subjects:
+- kind: ServiceAccount
+ name: xraylab-1-sa
+ namespace: xraylab-1
+ apiGroup: ""
+roleRef:
+ kind: ClusterRole
+ name: view-odf-subs
+ apiGroup: rbac.authorization.k8s.io
+---
+# Source: xray-init/templates/rbac/rolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
 metadata:
 name: view-odf-storageclusters
 annotations:
@@ -406,8 +463,17 @@ spec:
 - /bin/bash
 - -c
 - |
- oc wait --for=jsonpath='{.status.phase}'=Connected cephobjectstore/ocs-storagecluster-cephobjectstore -n openshift-storage --timeout=900s
+ '/tmp/wait-for-objectstore.sh'
 name: wait-odf-cephobjectstore-complete
+ volumeMounts:
+ - mountPath: /tmp/wait-for-objectstore.sh
+ name: wait-for-objectstore
+ subPath: wait-for-objectstore.sh
+ volumes:
+ - name: wait-for-objectstore
+ configMap:
+ name: wait-for-objectstore
+ defaultMode: 0755
 dnsPolicy: ClusterFirst
 restartPolicy: Never
 serviceAccount: xraylab-1-sa
diff --git a/tests/all-medical-diagnosis-xray-init-industrial-edge-hub.expected.yaml b/tests/all-medical-diagnosis-xray-init-industrial-edge-hub.expected.yaml
index b8cd50c3..d2f3f21a 100644
--- a/tests/all-medical-diagnosis-xray-init-industrial-edge-hub.expected.yaml
+++ b/tests/all-medical-diagnosis-xray-init-industrial-edge-hub.expected.yaml
@@ -12,6 +12,26 @@ data: #!/bin/bash oc create secret generic s3-secret-bck -n xraylab-1 --from-literal=AWS_ACCESS_KEY_ID=$(oc extract -n openshift-storage secret/rook-ceph-object-user-ocs-storagecluster-cephobjectstore-xraylab-1 --keys=AccessKey --to=-) --from-literal=AWS_SECRET_ACCESS_KEY=$(oc extract -n openshift-storage secret/rook-ceph-object-user-ocs-storagecluster-cephobjectstore-xraylab-1 --keys=SecretKey --to=-) --- +# Source: xray-init/templates/objectstore-user/cm-wait-for-objectstore.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: wait-for-objectstore + namespace: xraylab-1 + annotations: + argocd.argoproj.io/sync-wave: "-1" +data: + wait-for-objectstore.sh: | + #!/bin/bash + # Get ODF version + ODFMINV=$(oc get subs -n openshift-storage odf-operator -o jsonpath='{.status.currentCSV}' | cut -d '.' -f3 ) + if [[ ${ODFMINV} -lt 13 ]] + then + oc wait --for=jsonpath='{.status.phase}'=Connected cephobjectstore/ocs-storagecluster-cephobjectstore -n openshift-storage --timeout=100s + else + oc wait --for=jsonpath='{.status.phase}'=Ready cephobjectstore/ocs-storagecluster-cephobjectstore -n openshift-storage --timeout=100s + fi +--- # Source: xray-init/templates/s3-bucket-init/cm-s3-bucket-init.yaml kind: ConfigMap apiVersion: v1 @@ -134,6 +154,25 @@ rules: # Source: xray-init/templates/rbac/role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole +metadata: + name: view-odf-subs + annotations: + argocd.argoproj.io/hook: PreSync + argocd.argoproj.io/sync-wave: "-15" +rules: + - apiGroups: + - operators.coreos.com + resources: + - subs + - subscriptions + verbs: + - get + - list + - watch +--- +# Source: xray-init/templates/rbac/role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: name: view-odf-objectstoreusers annotations: 
@@ -188,6 +227,24 @@ roleRef: # Source: xray-init/templates/rbac/rolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding +metadata: + name: view-odf-subs-rb + annotations: + argocd.argoproj.io/hook: PreSync + argocd.argoproj.io/sync-wave: "-15" +subjects: +- kind: ServiceAccount + name: xraylab-1-sa + namespace: xraylab-1 + apiGroup: "" +roleRef: + kind: ClusterRole + name: view-odf-subs + apiGroup: rbac.authorization.k8s.io +--- +# Source: xray-init/templates/rbac/rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding metadata: name: view-odf-storageclusters annotations: @@ -406,8 +463,17 @@ spec: - /bin/bash - -c - | - oc wait --for=jsonpath='{.status.phase}'=Connected cephobjectstore/ocs-storagecluster-cephobjectstore -n openshift-storage --timeout=900s + '/tmp/wait-for-objectstore.sh' name: wait-odf-cephobjectstore-complete + volumeMounts: + - mountPath: /tmp/wait-for-objectstore.sh + name: wait-for-objectstore + subPath: wait-for-objectstore.sh + volumes: + - name: wait-for-objectstore + configMap: + name: wait-for-objectstore + defaultMode: 0755 dnsPolicy: ClusterFirst restartPolicy: Never serviceAccount: xraylab-1-sa diff --git a/tests/all-medical-diagnosis-xray-init-medical-diagnosis-hub.expected.yaml b/tests/all-medical-diagnosis-xray-init-medical-diagnosis-hub.expected.yaml index b8cd50c3..d2f3f21a 100644 --- a/tests/all-medical-diagnosis-xray-init-medical-diagnosis-hub.expected.yaml +++ b/tests/all-medical-diagnosis-xray-init-medical-diagnosis-hub.expected.yaml 
@@ -12,6 +12,26 @@ data: #!/bin/bash oc create secret generic s3-secret-bck -n xraylab-1 --from-literal=AWS_ACCESS_KEY_ID=$(oc extract -n openshift-storage secret/rook-ceph-object-user-ocs-storagecluster-cephobjectstore-xraylab-1 --keys=AccessKey --to=-) --from-literal=AWS_SECRET_ACCESS_KEY=$(oc extract -n openshift-storage secret/rook-ceph-object-user-ocs-storagecluster-cephobjectstore-xraylab-1 --keys=SecretKey --to=-) --- +# Source: xray-init/templates/objectstore-user/cm-wait-for-objectstore.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: wait-for-objectstore + namespace: xraylab-1 + annotations: + argocd.argoproj.io/sync-wave: "-1" +data: + wait-for-objectstore.sh: | + #!/bin/bash + # Get ODF version + ODFMINV=$(oc get subs -n openshift-storage odf-operator -o jsonpath='{.status.currentCSV}' | cut -d '.' -f3 ) + if [[ ${ODFMINV} -lt 13 ]] + then + oc wait --for=jsonpath='{.status.phase}'=Connected cephobjectstore/ocs-storagecluster-cephobjectstore -n openshift-storage --timeout=100s + else + oc wait --for=jsonpath='{.status.phase}'=Ready cephobjectstore/ocs-storagecluster-cephobjectstore -n openshift-storage --timeout=100s + fi +--- # Source: xray-init/templates/s3-bucket-init/cm-s3-bucket-init.yaml kind: ConfigMap apiVersion: v1 @@ -134,6 +154,25 @@ rules: # Source: xray-init/templates/rbac/role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole +metadata: + name: view-odf-subs + annotations: + argocd.argoproj.io/hook: PreSync + argocd.argoproj.io/sync-wave: "-15" +rules: + - apiGroups: + - operators.coreos.com + resources: + - subs + - subscriptions + verbs: + - get + - list + - watch +--- +# Source: xray-init/templates/rbac/role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: name: view-odf-objectstoreusers annotations: 
@@ -188,6 +227,24 @@ roleRef: # Source: xray-init/templates/rbac/rolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding +metadata: + name: view-odf-subs-rb + annotations: + argocd.argoproj.io/hook: PreSync + argocd.argoproj.io/sync-wave: "-15" +subjects: +- kind: ServiceAccount + name: xraylab-1-sa + namespace: xraylab-1 + apiGroup: "" +roleRef: + kind: ClusterRole + name: view-odf-subs + apiGroup: rbac.authorization.k8s.io +--- +# Source: xray-init/templates/rbac/rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding metadata: name: view-odf-storageclusters annotations: @@ -406,8 +463,17 @@ spec: - /bin/bash - -c - | - oc wait --for=jsonpath='{.status.phase}'=Connected cephobjectstore/ocs-storagecluster-cephobjectstore -n openshift-storage --timeout=900s + '/tmp/wait-for-objectstore.sh' name: wait-odf-cephobjectstore-complete + volumeMounts: + - mountPath: /tmp/wait-for-objectstore.sh + name: wait-for-objectstore + subPath: wait-for-objectstore.sh + volumes: + - name: wait-for-objectstore + configMap: + name: wait-for-objectstore + defaultMode: 0755 dnsPolicy: ClusterFirst restartPolicy: Never serviceAccount: xraylab-1-sa diff --git a/tests/all-medical-diagnosis-xray-init-naked.expected.yaml b/tests/all-medical-diagnosis-xray-init-naked.expected.yaml index 8e5e54f7..255c04b3 100644 --- a/tests/all-medical-diagnosis-xray-init-naked.expected.yaml +++ b/tests/all-medical-diagnosis-xray-init-naked.expected.yaml 
@@ -12,6 +12,26 @@ data: #!/bin/bash oc create secret generic s3-secret-bck -n xraylab-1 --from-literal=AWS_ACCESS_KEY_ID=$(oc extract -n openshift-storage secret/rook-ceph-object-user-ocs-storagecluster-cephobjectstore-xraylab-1 --keys=AccessKey --to=-) --from-literal=AWS_SECRET_ACCESS_KEY=$(oc extract -n openshift-storage secret/rook-ceph-object-user-ocs-storagecluster-cephobjectstore-xraylab-1 --keys=SecretKey --to=-) --- +# Source: xray-init/templates/objectstore-user/cm-wait-for-objectstore.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: wait-for-objectstore + namespace: xraylab-1 + annotations: + argocd.argoproj.io/sync-wave: "-1" +data: + wait-for-objectstore.sh: | + #!/bin/bash + # Get ODF version + ODFMINV=$(oc get subs -n openshift-storage odf-operator -o jsonpath='{.status.currentCSV}' | cut -d '.' -f3 ) + if [[ ${ODFMINV} -lt 13 ]] + then + oc wait --for=jsonpath='{.status.phase}'=Connected cephobjectstore/ocs-storagecluster-cephobjectstore -n openshift-storage --timeout=100s + else + oc wait --for=jsonpath='{.status.phase}'=Ready cephobjectstore/ocs-storagecluster-cephobjectstore -n openshift-storage --timeout=100s + fi +--- # Source: xray-init/templates/s3-bucket-init/cm-s3-bucket-init.yaml kind: ConfigMap apiVersion: v1 @@ -134,6 +154,25 @@ rules: # Source: xray-init/templates/rbac/role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole +metadata: + name: view-odf-subs + annotations: + argocd.argoproj.io/hook: PreSync + argocd.argoproj.io/sync-wave: "-15" +rules: + - apiGroups: + - operators.coreos.com + resources: + - subs + - subscriptions + verbs: + - get + - list + - watch +--- +# Source: xray-init/templates/rbac/role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: name: view-odf-objectstoreusers annotations: 
@@ -188,6 +227,24 @@ roleRef: # Source: xray-init/templates/rbac/rolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding +metadata: + name: view-odf-subs-rb + annotations: + argocd.argoproj.io/hook: PreSync + argocd.argoproj.io/sync-wave: "-15" +subjects: +- kind: ServiceAccount + name: xraylab-1-sa + namespace: xraylab-1 + apiGroup: "" +roleRef: + kind: ClusterRole + name: view-odf-subs + apiGroup: rbac.authorization.k8s.io +--- +# Source: xray-init/templates/rbac/rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding metadata: name: view-odf-storageclusters annotations: @@ -406,8 +463,17 @@ spec: - /bin/bash - -c - | - oc wait --for=jsonpath='{.status.phase}'=Connected cephobjectstore/ocs-storagecluster-cephobjectstore -n openshift-storage --timeout=900s + '/tmp/wait-for-objectstore.sh' name: wait-odf-cephobjectstore-complete + volumeMounts: + - mountPath: /tmp/wait-for-objectstore.sh + name: wait-for-objectstore + subPath: wait-for-objectstore.sh + volumes: + - name: wait-for-objectstore + configMap: + name: wait-for-objectstore + defaultMode: 0755 dnsPolicy: ClusterFirst restartPolicy: Never serviceAccount: xraylab-1-sa diff --git a/tests/all-medical-diagnosis-xray-init-normal.expected.yaml b/tests/all-medical-diagnosis-xray-init-normal.expected.yaml index b8cd50c3..d2f3f21a 100644 --- a/tests/all-medical-diagnosis-xray-init-normal.expected.yaml +++ b/tests/all-medical-diagnosis-xray-init-normal.expected.yaml 
@@ -12,6 +12,26 @@ data: #!/bin/bash oc create secret generic s3-secret-bck -n xraylab-1 --from-literal=AWS_ACCESS_KEY_ID=$(oc extract -n openshift-storage secret/rook-ceph-object-user-ocs-storagecluster-cephobjectstore-xraylab-1 --keys=AccessKey --to=-) --from-literal=AWS_SECRET_ACCESS_KEY=$(oc extract -n openshift-storage secret/rook-ceph-object-user-ocs-storagecluster-cephobjectstore-xraylab-1 --keys=SecretKey --to=-) --- +# Source: xray-init/templates/objectstore-user/cm-wait-for-objectstore.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: wait-for-objectstore + namespace: xraylab-1 + annotations: + argocd.argoproj.io/sync-wave: "-1" +data: + wait-for-objectstore.sh: | + #!/bin/bash + # Get ODF version + ODFMINV=$(oc get subs -n openshift-storage odf-operator -o jsonpath='{.status.currentCSV}' | cut -d '.' -f3 ) + if [[ ${ODFMINV} -lt 13 ]] + then + oc wait --for=jsonpath='{.status.phase}'=Connected cephobjectstore/ocs-storagecluster-cephobjectstore -n openshift-storage --timeout=100s + else + oc wait --for=jsonpath='{.status.phase}'=Ready cephobjectstore/ocs-storagecluster-cephobjectstore -n openshift-storage --timeout=100s + fi +--- # Source: xray-init/templates/s3-bucket-init/cm-s3-bucket-init.yaml kind: ConfigMap apiVersion: v1 @@ -134,6 +154,25 @@ rules: # Source: xray-init/templates/rbac/role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole +metadata: + name: view-odf-subs + annotations: + argocd.argoproj.io/hook: PreSync + argocd.argoproj.io/sync-wave: "-15" +rules: + - apiGroups: + - operators.coreos.com + resources: + - subs + - subscriptions + verbs: + - get + - list + - watch +--- +# Source: xray-init/templates/rbac/role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: name: view-odf-objectstoreusers annotations: 
@@ -188,6 +227,24 @@ roleRef: # Source: xray-init/templates/rbac/rolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding +metadata: + name: view-odf-subs-rb + annotations: + argocd.argoproj.io/hook: PreSync + argocd.argoproj.io/sync-wave: "-15" +subjects: +- kind: ServiceAccount + name: xraylab-1-sa + namespace: xraylab-1 + apiGroup: "" +roleRef: + kind: ClusterRole + name: view-odf-subs + apiGroup: rbac.authorization.k8s.io +--- +# Source: xray-init/templates/rbac/rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding metadata: name: view-odf-storageclusters annotations: @@ -406,8 +463,17 @@ spec: - /bin/bash - -c - | - oc wait --for=jsonpath='{.status.phase}'=Connected cephobjectstore/ocs-storagecluster-cephobjectstore -n openshift-storage --timeout=900s + '/tmp/wait-for-objectstore.sh' name: wait-odf-cephobjectstore-complete + volumeMounts: + - mountPath: /tmp/wait-for-objectstore.sh + name: wait-for-objectstore + subPath: wait-for-objectstore.sh + volumes: + - name: wait-for-objectstore + configMap: + name: wait-for-objectstore + defaultMode: 0755 dnsPolicy: ClusterFirst restartPolicy: Never serviceAccount: xraylab-1-sa diff --git a/tests/common-acm-industrial-edge-hub.expected.yaml b/tests/common-acm-industrial-edge-hub.expected.yaml index f9772238..444b833c 100644 --- a/tests/common-acm-industrial-edge-hub.expected.yaml +++ b/tests/common-acm-industrial-edge-hub.expected.yaml @@ -10,6 +10,7 @@ metadata: namespace: open-cluster-management annotations: argocd.argoproj.io/sync-wave: "-1" + installer.open-cluster-management.io/mce-subscription-spec: '{"source": "redhat-operators" }' spec: {} --- # Source: acm/templates/policies/acm-hub-ca-policy.yaml 
@@ -205,14 +206,14 @@ spec: helm: ignoreMissingValueFiles: true valueFiles: - - "/values-global.yaml" - - "/values-factory.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-factory.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-factory.yaml' + - "/values-global.yaml" + - "/values-factory.yaml" + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-factory.yaml' + # We cannot use $.Values.global.clusterVersion because that gets resolved to the + # hub's cluster version, whereas we want to include the spoke cluster version + - '/values-{{ printf "%d.%d" ((semver (lookup 
"operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-factory.yaml' parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL @@ -245,6 +246,8 @@ spec: automated: prune: false selfHeal: true + retry: + limit: 20 ignoreDifferences: - group: apps kind: Deployment diff --git a/tests/common-acm-medical-diagnosis-hub.expected.yaml b/tests/common-acm-medical-diagnosis-hub.expected.yaml index 5e064480..f79e013b 100644 --- a/tests/common-acm-medical-diagnosis-hub.expected.yaml +++ b/tests/common-acm-medical-diagnosis-hub.expected.yaml @@ -10,6 +10,7 @@ metadata: namespace: open-cluster-management annotations: argocd.argoproj.io/sync-wave: "-1" + installer.open-cluster-management.io/mce-subscription-spec: '{"source": "redhat-operators" }' spec: {} --- # Source: acm/templates/policies/acm-hub-ca-policy.yaml 
@@ -196,14 +197,14 @@ spec: helm: ignoreMissingValueFiles: true valueFiles: - - "/values-global.yaml" - - "/values-region-one.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-region-one.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-region-one.yaml' + - "/values-global.yaml" + - "/values-region-one.yaml" + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-region-one.yaml' + # We cannot use $.Values.global.clusterVersion because that gets resolved to the + # hub's cluster version, whereas we want to include the spoke cluster version + - '/values-{{ printf "%d.%d" 
((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-region-one.yaml' parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL @@ -236,6 +237,8 @@ spec: automated: prune: false selfHeal: true + retry: + limit: 20 ignoreDifferences: - group: apps kind: Deployment diff --git a/tests/common-acm-naked.expected.yaml b/tests/common-acm-naked.expected.yaml index 86d7277d..cb73d733 100644 --- a/tests/common-acm-naked.expected.yaml +++ b/tests/common-acm-naked.expected.yaml @@ -13,6 +13,7 @@ metadata: namespace: open-cluster-management annotations: argocd.argoproj.io/sync-wave: "-1" + installer.open-cluster-management.io/mce-subscription-spec: '{"source": "redhat-operators" }' spec: {} --- # Source: acm/templates/policies/ocp-gitops-policy.yaml diff --git a/tests/common-acm-normal.expected.yaml b/tests/common-acm-normal.expected.yaml index 79a9dde4..900cc291 100644 --- a/tests/common-acm-normal.expected.yaml +++ b/tests/common-acm-normal.expected.yaml 
@@ -6,7 +6,7 @@ metadata: name: aws-ap-acm-provision-edge-install-config data: # Base64 encoding of install-config yaml - install-config.yaml: CgphcGlWZXJzaW9uOiB2MQptZXRhZGF0YToKICBuYW1lOiAnYXdzLWFwJyAKYmFzZURvbWFpbjogYmx1ZXByaW50cy5yaGVjb2VuZy5jb20KY29udHJvbFBsYW5lOgogIGFyY2hpdGVjdHVyZTogYW1kNjQKICBoeXBlcnRocmVhZGluZzogRW5hYmxlZAogIG5hbWU6IGNvbnRyb2xQbGFuZQogIHJlcGxpY2FzOiAzCiAgcGxhdGZvcm06CiAgICBhd3M6CiAgICAgIHR5cGU6IG01LnhsYXJnZQpjb21wdXRlOgotIGh5cGVydGhyZWFkaW5nOiBFbmFibGVkCiAgYXJjaGl0ZWN0dXJlOiBhbWQ2NAogIG5hbWU6ICd3b3JrZXInCiAgcmVwbGljYXM6IDMKICBwbGF0Zm9ybToKICAgIGF3czoKICAgICAgdHlwZTogbTUueGxhcmdlCm5ldHdvcmtpbmc6CiAgY2x1c3Rlck5ldHdvcms6CiAgLSBjaWRyOiAxMC4xMjguMC4wLzE0CiAgICBob3N0UHJlZml4OiAyMwogIG1hY2hpbmVOZXR3b3JrOgogIC0gY2lkcjogMTAuMC4wLjAvMTYKICBuZXR3b3JrVHlwZTogT3BlblNoaWZ0U0ROCiAgc2VydmljZU5ldHdvcms6CiAgLSAxNzIuMzAuMC4wLzE2CnBsYXRmb3JtOiB7CiAgImF3cyI6IHsKICAgICJyZWdpb24iOiAiYXAtc291dGhlYXN0LTIiCiAgfQp9CnB1bGxTZWNyZXQ6ICIiICMgc2tpcCwgaGl2ZSB3aWxsIGluamVjdCBiYXNlZCBvbiBpdCdzIHNlY3JldHMKc3NoS2V5OiAiIiAgICAgIyBza2lwLCBoaXZlIHdpbGwgaW5qZWN0IGJhc2VkIG9uIGl0J3Mgc2VjcmV0cw== + install-config.yaml: CgphcGlWZXJzaW9uOiB2MQptZXRhZGF0YToKICBuYW1lOiAnYXdzLWFwJyAKYmFzZURvbWFpbjogYmx1ZXByaW50cy5yaGVjb2VuZy5jb20KY29udHJvbFBsYW5lOgogIGFyY2hpdGVjdHVyZTogYW1kNjQKICBoeXBlcnRocmVhZGluZzogRW5hYmxlZAogIG5hbWU6IGNvbnRyb2xQbGFuZQogIHJlcGxpY2FzOiAxCiAgcGxhdGZvcm06CiAgICBhd3M6CiAgICAgIHR5cGU6IG01LnhsYXJnZQpjb21wdXRlOgotIGh5cGVydGhyZWFkaW5nOiBFbmFibGVkCiAgYXJjaGl0ZWN0dXJlOiBhbWQ2NAogIG5hbWU6ICd3b3JrZXInCiAgcmVwbGljYXM6IDAKbmV0d29ya2luZzoKICBjbHVzdGVyTmV0d29yazoKICAtIGNpZHI6IDEwLjEyOC4wLjAvMTQKICAgIGhvc3RQcmVmaXg6IDIzCiAgbWFjaGluZU5ldHdvcms6CiAgLSBjaWRyOiAxMC4wLjAuMC8xNgogIG5ldHdvcmtUeXBlOiBPVk5LdWJlcm5ldGVzCiAgc2VydmljZU5ldHdvcms6CiAgLSAxNzIuMzAuMC4wLzE2CnBsYXRmb3JtOgogIGF3czoKICAgIHJlZ2lvbjogYXAtc291dGhlYXN0LTIKcHVsbFNlY3JldDogIiIgIyBza2lwLCBoaXZlIHdpbGwgaW5qZWN0IGJhc2VkIG9uIGl0J3Mgc2VjcmV0cwpzc2hLZXk6ICIiICAgICAjIHNraXAsIGhpdmUgd2lsbCBpbmplY3QgYmFzZWQgb24gaXQncyBzZWNyZXRz type: 
Opaque --- # Source: acm/templates/provision/secrets-common.yaml @@ -16,7 +16,7 @@ metadata: name: azure-us-acm-provision-edge-install-config data: # Base64 encoding of install-config yaml - install-config.yaml: 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 + install-config.yaml: 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 type: Opaque --- # Source: acm/templates/policies/acm-hub-ca-policy.yaml @@ -25,21 +25,6 @@ type: Opaque # Source: acm/templates/provision/clusterpool.yaml apiVersion: hive.openshift.io/v1 kind: ClusterClaim -metadata: - name: 'one-acm-provision-edge' - annotations: - argocd.argoproj.io/sync-wave: "20" - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - cluster.open-cluster-management.io/createmanagedcluster: "true" - labels: - clusterClaimName: one-acm-provision-edge - clusterGroup: region -spec: - clusterPoolName: aws-ap ---- -# Source: acm/templates/provision/clusterpool.yaml -apiVersion: hive.openshift.io/v1 -kind: ClusterClaim metadata: name: 'two-acm-provision-edge' annotations: @@ -50,7 +35,7 @@ metadata: clusterClaimName: two-acm-provision-edge clusterGroup: region spec: - clusterPoolName: azure-us + clusterPoolName: azure-us-acm-provision-edge --- # Source: acm/templates/provision/clusterpool.yaml apiVersion: hive.openshift.io/v1 @@ -65,7 +50,7 @@ metadata: clusterClaimName: three-acm-provision-edge clusterGroup: region spec: - clusterPoolName: azure-us + clusterPoolName: azure-us-acm-provision-edge --- # Source: acm/templates/provision/clusterpool.yaml apiVersion: hive.openshift.io/v1 
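Review bot: The replaced `install-config.yaml` value in `aws-ap-acm-provision-edge-install-config` is an opaque base64 blob, and decoding it shows the real change: `controlPlane.replicas` goes from 3 to 1, `compute.replicas` from 3 to 0 with the compute `platform` block removed, `networkType` from OpenShiftSDN to OVNKubernetes, and `platform` from flow to block YAML. One control-plane node and zero workers is a single-node topology, so confirm that is intended for the aws-ap pool rather than a cost shortcut that has leaked into the golden file; the `pullSecret: ""` / `sshKey: ""` placeholders still rely on Hive injecting them, as the embedded comment says. Because this is generated output, a short comment in the acm template that produces the secret, e.g. `# single-node install-config (1 control-plane, 0 workers); hive injects pullSecret/sshKey`, would make the intent reviewable without decoding. The azure blob in the same section is elided in this view, so I cannot compare it.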
@@ -82,12 +67,12 @@ metadata: cluster.open-cluster-management.io/clusterset: aws-ap spec: size: 3 - runningCount: 1 + runningCount: 0 baseDomain: blueprints.rhecoeng.com installConfigSecretTemplateRef: name: aws-ap-acm-provision-edge-install-config imageSetRef: - name: img4.10.18-x86-64-appsub + name: img4.10.18-multi-appsub pullSecretRef: name: aws-ap-acm-provision-edge-pull-secret skipMachinePools: true # Disable MachinePool as using custom install-config @@ -117,7 +102,7 @@ spec: installConfigSecretTemplateRef: name: azure-us-acm-provision-edge-install-config imageSetRef: - name: img4.10.18-x86-64-appsub + name: img4.10.18-multi-appsub pullSecretRef: name: azure-us-acm-provision-edge-pull-secret skipMachinePools: true # Disable MachinePool as using custom install-config @@ -399,6 +384,7 @@ metadata: namespace: open-cluster-management annotations: argocd.argoproj.io/sync-wave: "-1" + installer.open-cluster-management.io/mce-subscription-spec: '{"source": "redhat-operators" }' spec: {} --- # Source: acm/templates/policies/acm-hub-ca-policy.yaml 
@@ -614,14 +600,14 @@ spec: helm: ignoreMissingValueFiles: true valueFiles: - - "/values-global.yaml" - - "/values-acm-edge.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-edge.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-acm-edge.yaml' + - "/values-global.yaml" + - "/values-acm-edge.yaml" + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-edge.yaml' + # We cannot use $.Values.global.clusterVersion because that gets resolved to the + # hub's cluster version, whereas we want to include the spoke cluster version + - '/values-{{ printf "%d.%d" ((semver (lookup 
"operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-acm-edge.yaml' parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL @@ -654,6 +640,8 @@ spec: automated: prune: false selfHeal: true + retry: + limit: 20 ignoreDifferences: - group: apps kind: Deployment 
@@ -706,14 +694,14 @@ spec: helm: ignoreMissingValueFiles: true valueFiles: - - "/values-global.yaml" - - "/values-acm-provision-edge.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-provision-edge.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-acm-provision-edge.yaml' + - "/values-global.yaml" + - "/values-acm-provision-edge.yaml" + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-provision-edge.yaml' + # We cannot use $.Values.global.clusterVersion because that gets resolved to the + # hub's cluster version, whereas we want to include the spoke cluster 
version + - '/values-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-acm-provision-edge.yaml' parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL @@ -746,6 +734,8 @@ spec: automated: prune: false selfHeal: true + retry: + limit: 20 ignoreDifferences: - group: apps kind: Deployment diff --git a/tests/common-clustergroup-industrial-edge-factory.expected.yaml b/tests/common-clustergroup-industrial-edge-factory.expected.yaml index 3a326973..777f4d00 100644 --- a/tests/common-clustergroup-industrial-edge-factory.expected.yaml +++ b/tests/common-clustergroup-industrial-edge-factory.expected.yaml @@ -1,5 +1,5 @@ --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: @@ -8,7 +8,7 @@ metadata: name: manuela-stormshift-line-dashboard spec: --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: @@ -17,7 +17,7 @@ metadata: name: manuela-stormshift-machine-sensor spec: --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: @@ -26,7 +26,7 @@ metadata: name: manuela-stormshift-messaging spec: --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: @@ -35,7 +35,7 @@ metadata: name: manuela-factory-ml-workspace spec: --- -# Source: pattern-clustergroup/templates/imperative/namespace.yaml +# Source: clustergroup/templates/imperative/namespace.yaml apiVersion: v1 kind: Namespace metadata: 
@@ -44,7 +44,7 @@ metadata: argocd.argoproj.io/managed-by: mypattern-factory name: imperative --- -# Source: pattern-clustergroup/templates/plumbing/gitops-namespace.yaml +# Source: clustergroup/templates/plumbing/gitops-namespace.yaml apiVersion: v1 kind: Namespace metadata: @@ -57,14 +57,14 @@ metadata: name: mypattern-factory spec: {} --- -# Source: pattern-clustergroup/templates/imperative/serviceaccount.yaml +# Source: clustergroup/templates/imperative/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: name: imperative-sa namespace: imperative --- -# Source: pattern-clustergroup/templates/imperative/configmap.yaml +# Source: clustergroup/templates/imperative/configmap.yaml apiVersion: v1 kind: ConfigMap metadata: @@ -146,6 +146,7 @@ data: localClusterDomain: apps.region.example.com namespace: pattern-namespace options: + applicationRetryLimit: 20 installPlanApproval: Automatic syncPolicy: Automatic useCSV: false @@ -166,7 +167,7 @@ data: kind: ClusterSecretStore name: vault-backend --- -# Source: pattern-clustergroup/templates/imperative/clusterrole.yaml +# Source: clustergroup/templates/imperative/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -181,7 +182,7 @@ rules: - list - watch --- -# Source: pattern-clustergroup/templates/imperative/rbac.yaml +# Source: clustergroup/templates/imperative/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -195,7 +196,7 @@ subjects: name: imperative-sa namespace: imperative --- -# Source: pattern-clustergroup/templates/plumbing/argocd-super-role.yaml +# Source: clustergroup/templates/plumbing/argocd-super-role.yaml # WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
@@ -214,7 +215,7 @@ subjects: name: openshift-gitops-argocd-server namespace: openshift-gitops --- -# Source: pattern-clustergroup/templates/plumbing/argocd-super-role.yaml +# Source: clustergroup/templates/plumbing/argocd-super-role.yaml # WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -239,7 +240,7 @@ subjects: name: factory-gitops-argocd-dex-server namespace: mypattern-factory --- -# Source: pattern-clustergroup/templates/imperative/role.yaml +# Source: clustergroup/templates/imperative/role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -253,7 +254,7 @@ rules: verbs: - '*' --- -# Source: pattern-clustergroup/templates/imperative/rbac.yaml +# Source: clustergroup/templates/imperative/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -268,7 +269,7 @@ subjects: name: imperative-sa namespace: imperative --- -# Source: pattern-clustergroup/templates/imperative/job.yaml +# Source: clustergroup/templates/imperative/job.yaml apiVersion: batch/v1 kind: CronJob metadata: @@ -342,10 +343,10 @@ spec: name: helm-values-configmap-factory restartPolicy: Never --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml --- --- -# Source: pattern-clustergroup/templates/plumbing/projects.yaml +# Source: clustergroup/templates/plumbing/projects.yaml apiVersion: argoproj.io/v1alpha1 kind: AppProject metadata: @@ -366,7 +367,7 @@ spec: - '*' status: {} --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: 
@@ -388,9 +389,10 @@ spec: } syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -412,7 +414,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-factory.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL @@ -434,9 +435,10 @@ spec: value: apps.region.example.com syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/argocd.yaml +# Source: clustergroup/templates/plumbing/argocd.yaml apiVersion: argoproj.io/v1alpha1 kind: ArgoCD metadata: @@ -449,6 +451,28 @@ metadata: annotations: argocd.argoproj.io/compare-options: IgnoreExtraneous spec: +# Adding health checks to argocd to prevent pvc resources +# that aren't bound state from blocking deployments + resourceCustomizations: | + PersistentVolumeClaim: + health.lua: | + hs = {} + if obj.status ~= nil then + if obj.status.phase ~= nil then + if obj.status.phase == "Pending" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + elseif obj.status.phase == "Bound" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + end + end + end + hs.status = "Progressing" + hs.message = "Waiting for PVC" + return hs applicationInstanceLabelKey: argocd.argoproj.io/instance # Not the greatest way to pass git/quay info to sub-applications, but it will do until # we can support helmChart with kustomize 
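Review bot: The PVC `health.lua` reports phase `Pending` as `Healthy`, so a claim that can never bind (no matching StorageClass, exhausted quota, a WaitForFirstConsumer class with no scheduled consumer) is indistinguishable in Argo from a bound one, and a PVC in phase `Lost` falls through to `Progressing` with "Waiting for PVC" indefinitely. Unblocking sync waves on Pending is the stated goal of the change, but `Lost` should surface as `Degraded` so a broken volume is visible; the same script is rendered again for the hub expected file further down, so the fix belongs in the shared clustergroup argocd template. The two `#` comment lines above `resourceCustomizations` sit at column 0 inside `spec:`, which YAML accepts but yamllint's indentation rule will flag; indent them to match the key. The ArgoCD resource continues past the end of this hunk.
```yaml
  resourceCustomizations: |
    PersistentVolumeClaim:
      health.lua: |
        -- … unchanged: nil checks and the Pending/Bound branches …
            elseif obj.status.phase == "Lost" then
              hs.status = "Degraded"
              hs.message = obj.status.phase
              return hs
        -- … unchanged: closing ends and the Progressing fallback …
```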
@@ -497,15 +521,17 @@ spec: requests: cpu: 500m memory: 2Gi - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi + sso: + provider: dex + dex: + openShiftOAuth: true + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi initialSSHKnownHosts: {} rbac: defaultPolicy: role:admin @@ -549,7 +575,7 @@ spec: ca: {} status: --- -# Source: pattern-clustergroup/templates/plumbing/argocd.yaml +# Source: clustergroup/templates/plumbing/argocd.yaml apiVersion: console.openshift.io/v1 kind: ConsoleLink metadata: @@ -563,7 +589,7 @@ spec: location: ApplicationMenu text: 'Factory ArgoCD' --- -# Source: pattern-clustergroup/templates/core/operatorgroup.yaml +# Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -573,7 +599,7 @@ spec: targetNamespaces: - manuela-stormshift-line-dashboard --- -# Source: pattern-clustergroup/templates/core/operatorgroup.yaml +# Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -583,7 +609,7 @@ spec: targetNamespaces: - manuela-stormshift-machine-sensor --- -# Source: pattern-clustergroup/templates/core/operatorgroup.yaml +# Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -593,7 +619,7 @@ spec: targetNamespaces: - manuela-stormshift-messaging --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: @@ -606,7 +632,7 @@ spec: channel: stable installPlanApproval: Automatic --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: 
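Review bot: Moving Dex under `sso.provider: dex` / `sso.dex` is the non-deprecated form, but the rendered ArgoCD still carries `rbac.defaultPolicy: role:admin` (context lines in this hunk) next to `openShiftOAuth: true`, so any OpenShift user who can complete the OAuth login becomes an Argo admin on this instance. That is pre-existing rather than introduced here, but the SSO rewrite is the natural place to tighten it: set `defaultPolicy: role:readonly` and grant admin through `policy` to the groups that actually operate the pattern. Newer GitOps operator versions, as far as I recall, reject an ArgoCD that sets both `.spec.dex` and `.spec.sso.dex`, so a test asserting the chart no longer emits the old top-level `dex:` key anywhere would catch a bad values merge. The ArgoCD resource starts and ends outside this hunk.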
@@ -619,7 +645,7 @@ spec: channel: stable installPlanApproval: Automatic --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: @@ -632,7 +658,7 @@ spec: channel: stable installPlanApproval: Automatic --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: @@ -645,7 +671,7 @@ spec: channel: 7.x installPlanApproval: Automatic --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: diff --git a/tests/common-clustergroup-industrial-edge-hub.expected.yaml b/tests/common-clustergroup-industrial-edge-hub.expected.yaml index aedb4ffb..76904a7c 100644 --- a/tests/common-clustergroup-industrial-edge-hub.expected.yaml +++ b/tests/common-clustergroup-industrial-edge-hub.expected.yaml @@ -1,5 +1,5 @@ --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: @@ -8,7 +8,7 @@ metadata: name: golang-external-secrets spec: --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: @@ -17,7 +17,7 @@ metadata: name: external-secrets spec: --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: @@ -26,7 +26,7 @@ metadata: name: open-cluster-management spec: --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: 
@@ -35,7 +35,7 @@ metadata: name: manuela-ml-workspace spec: --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: @@ -44,7 +44,7 @@ metadata: name: manuela-tst-all spec: --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: @@ -53,7 +53,7 @@ metadata: name: manuela-ci spec: --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: @@ -62,7 +62,7 @@ metadata: name: manuela-data-lake spec: --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: @@ -71,7 +71,7 @@ metadata: name: staging spec: --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: @@ -80,7 +80,7 @@ metadata: name: vault spec: --- -# Source: pattern-clustergroup/templates/imperative/namespace.yaml +# Source: clustergroup/templates/imperative/namespace.yaml apiVersion: v1 kind: Namespace metadata: @@ -89,7 +89,7 @@ metadata: argocd.argoproj.io/managed-by: mypattern-datacenter name: imperative --- -# Source: pattern-clustergroup/templates/plumbing/gitops-namespace.yaml +# Source: clustergroup/templates/plumbing/gitops-namespace.yaml apiVersion: v1 kind: Namespace metadata: 
@@ -102,14 +102,14 @@ metadata: name: mypattern-datacenter spec: {} --- -# Source: pattern-clustergroup/templates/imperative/serviceaccount.yaml +# Source: clustergroup/templates/imperative/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: name: imperative-sa namespace: imperative --- -# Source: pattern-clustergroup/templates/imperative/configmap.yaml +# Source: clustergroup/templates/imperative/configmap.yaml apiVersion: v1 kind: ConfigMap metadata: @@ -307,6 +307,7 @@ data: localClusterDomain: apps.region.example.com namespace: pattern-namespace options: + applicationRetryLimit: 20 installPlanApproval: Automatic syncPolicy: Automatic useCSV: false @@ -327,7 +328,7 @@ data: kind: ClusterSecretStore name: vault-backend --- -# Source: pattern-clustergroup/templates/imperative/clusterrole.yaml +# Source: clustergroup/templates/imperative/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -342,7 +343,7 @@ rules: - list - watch --- -# Source: pattern-clustergroup/templates/imperative/rbac.yaml +# Source: clustergroup/templates/imperative/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -356,7 +357,7 @@ subjects: name: imperative-sa namespace: imperative --- -# Source: pattern-clustergroup/templates/plumbing/argocd-super-role.yaml +# Source: clustergroup/templates/plumbing/argocd-super-role.yaml # WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -375,7 +376,7 @@ subjects: name: openshift-gitops-argocd-server namespace: openshift-gitops --- -# Source: pattern-clustergroup/templates/plumbing/argocd-super-role.yaml +# Source: clustergroup/templates/plumbing/argocd-super-role.yaml # WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
@@ -400,7 +401,7 @@ subjects: name: datacenter-gitops-argocd-dex-server namespace: mypattern-datacenter --- -# Source: pattern-clustergroup/templates/imperative/role.yaml +# Source: clustergroup/templates/imperative/role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -414,7 +415,7 @@ rules: verbs: - '*' --- -# Source: pattern-clustergroup/templates/imperative/rbac.yaml +# Source: clustergroup/templates/imperative/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -429,7 +430,7 @@ subjects: name: imperative-sa namespace: imperative --- -# Source: pattern-clustergroup/templates/imperative/job.yaml +# Source: clustergroup/templates/imperative/job.yaml apiVersion: batch/v1 kind: CronJob metadata: @@ -503,7 +504,7 @@ spec: name: helm-values-configmap-datacenter restartPolicy: Never --- -# Source: pattern-clustergroup/templates/imperative/unsealjob.yaml +# Source: clustergroup/templates/imperative/unsealjob.yaml apiVersion: batch/v1 kind: CronJob metadata: @@ -579,10 +580,10 @@ spec: name: helm-values-configmap-datacenter restartPolicy: Never --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml --- --- -# Source: pattern-clustergroup/templates/plumbing/projects.yaml +# Source: clustergroup/templates/plumbing/projects.yaml apiVersion: argoproj.io/v1alpha1 kind: AppProject metadata: @@ -603,7 +604,7 @@ spec: - '*' status: {} --- -# Source: pattern-clustergroup/templates/plumbing/projects.yaml +# Source: clustergroup/templates/plumbing/projects.yaml apiVersion: argoproj.io/v1alpha1 kind: AppProject metadata: @@ -624,7 +625,7 @@ spec: - '*' status: {} --- -# Source: pattern-clustergroup/templates/plumbing/projects.yaml +# Source: clustergroup/templates/plumbing/projects.yaml apiVersion: argoproj.io/v1alpha1 kind: AppProject metadata: 
@@ -645,7 +646,7 @@ spec: - '*' status: {} --- -# Source: pattern-clustergroup/templates/plumbing/projects.yaml +# Source: clustergroup/templates/plumbing/projects.yaml apiVersion: argoproj.io/v1alpha1 kind: AppProject metadata: @@ -666,7 +667,7 @@ spec: - '*' status: {} --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -688,7 +689,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-datacenter.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL @@ -719,9 +719,10 @@ spec: ] syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -743,7 +744,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-datacenter.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL @@ -765,9 +765,10 @@ spec: value: apps.region.example.com syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -789,7 +790,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-datacenter.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL 
@@ -811,9 +811,10 @@ spec: value: apps.region.example.com syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -835,7 +836,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-datacenter.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL @@ -887,9 +887,10 @@ spec: ] syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -911,7 +912,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-datacenter.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL @@ -933,9 +933,10 @@ spec: value: apps.region.example.com syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -957,7 +958,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-datacenter.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL 
@@ -979,9 +979,10 @@ spec: value: apps.region.example.com syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -1003,9 +1004,10 @@ spec: } syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -1027,7 +1029,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-datacenter.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL @@ -1067,9 +1068,10 @@ spec: value: "1.10.3-ubi" syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/argocd.yaml +# Source: clustergroup/templates/plumbing/argocd.yaml apiVersion: argoproj.io/v1alpha1 kind: ArgoCD metadata: 
@@ -1082,6 +1084,28 @@ metadata: annotations: argocd.argoproj.io/compare-options: IgnoreExtraneous spec: +# Adding health checks to argocd to prevent pvc resources +# that aren't bound state from blocking deployments + resourceCustomizations: | + PersistentVolumeClaim: + health.lua: | + hs = {} + if obj.status ~= nil then + if obj.status.phase ~= nil then + if obj.status.phase == "Pending" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + elseif obj.status.phase == "Bound" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + end + end + end + hs.status = "Progressing" + hs.message = "Waiting for PVC" + return hs applicationInstanceLabelKey: argocd.argoproj.io/instance # Not the greatest way to pass git/quay info to sub-applications, but it will do until # we can support helmChart with kustomize @@ -1130,15 +1154,17 @@ spec: requests: cpu: 500m memory: 2Gi - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi + sso: + provider: dex + dex: + openShiftOAuth: true + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi initialSSHKnownHosts: {} rbac: defaultPolicy: role:admin @@ -1182,7 +1208,7 @@ spec: ca: {} status: --- -# Source: pattern-clustergroup/templates/plumbing/argocd.yaml +# Source: clustergroup/templates/plumbing/argocd.yaml apiVersion: console.openshift.io/v1 kind: ConsoleLink metadata: @@ -1196,7 +1222,7 @@ spec: location: ApplicationMenu text: 'Datacenter ArgoCD' --- -# Source: pattern-clustergroup/templates/core/operatorgroup.yaml +# Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: 
@@ -1206,7 +1232,7 @@ spec: targetNamespaces: - golang-external-secrets --- -# Source: pattern-clustergroup/templates/core/operatorgroup.yaml +# Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1216,7 +1242,7 @@ spec: targetNamespaces: - external-secrets --- -# Source: pattern-clustergroup/templates/core/operatorgroup.yaml +# Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1226,7 +1252,7 @@ spec: targetNamespaces: - open-cluster-management --- -# Source: pattern-clustergroup/templates/core/operatorgroup.yaml +# Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1236,7 +1262,7 @@ spec: targetNamespaces: - manuela-tst-all --- -# Source: pattern-clustergroup/templates/core/operatorgroup.yaml +# Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1246,7 +1272,7 @@ spec: targetNamespaces: - manuela-ci --- -# Source: pattern-clustergroup/templates/core/operatorgroup.yaml +# Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1256,7 +1282,7 @@ spec: targetNamespaces: - manuela-data-lake --- -# Source: pattern-clustergroup/templates/core/operatorgroup.yaml +# Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1266,7 +1292,7 @@ spec: targetNamespaces: - staging --- -# Source: pattern-clustergroup/templates/core/operatorgroup.yaml +# Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: 
@@ -1276,7 +1302,7 @@ spec: targetNamespaces: - vault --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: @@ -1289,7 +1315,7 @@ spec: channel: release-2.6 installPlanApproval: Automatic --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: @@ -1302,7 +1328,7 @@ spec: channel: 7.x installPlanApproval: Automatic --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: @@ -1315,7 +1341,7 @@ spec: channel: stable installPlanApproval: Automatic --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: @@ -1328,7 +1354,7 @@ spec: channel: stable installPlanApproval: Automatic --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: @@ -1341,7 +1367,7 @@ spec: channel: stable installPlanApproval: Automatic --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: @@ -1354,7 +1380,7 @@ spec: channel: stable installPlanApproval: Automatic --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: 
@@ -1367,7 +1393,7 @@ spec: channel: stable installPlanApproval: Automatic --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: @@ -1380,7 +1406,7 @@ spec: channel: latest installPlanApproval: Automatic --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: @@ -1393,7 +1419,7 @@ spec: channel: stable installPlanApproval: Automatic --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: diff --git a/tests/common-clustergroup-medical-diagnosis-hub.expected.yaml b/tests/common-clustergroup-medical-diagnosis-hub.expected.yaml index 5a62327c..c34339a9 100644 --- a/tests/common-clustergroup-medical-diagnosis-hub.expected.yaml +++ b/tests/common-clustergroup-medical-diagnosis-hub.expected.yaml @@ -1,5 +1,5 @@ --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: @@ -8,7 +8,7 @@ metadata: name: open-cluster-management spec: --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: @@ -17,7 +17,7 @@ metadata: name: openshift-serverless spec: --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: @@ -26,7 +26,7 @@ metadata: name: opendatahub spec: --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: 
@@ -35,7 +35,7 @@ metadata: name: openshift-storage spec: --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: @@ -44,7 +44,7 @@ metadata: name: xraylab-1 spec: --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: @@ -53,7 +53,7 @@ metadata: name: knative-serving spec: --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: @@ -62,7 +62,7 @@ metadata: name: staging spec: --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: @@ -71,7 +71,7 @@ metadata: name: vault spec: --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: @@ -80,7 +80,7 @@ metadata: name: golang-external-secrets spec: --- -# Source: pattern-clustergroup/templates/imperative/namespace.yaml +# Source: clustergroup/templates/imperative/namespace.yaml apiVersion: v1 kind: Namespace metadata: @@ -89,7 +89,7 @@ metadata: argocd.argoproj.io/managed-by: mypattern-hub name: imperative --- -# Source: pattern-clustergroup/templates/plumbing/gitops-namespace.yaml +# Source: clustergroup/templates/plumbing/gitops-namespace.yaml apiVersion: v1 kind: Namespace metadata: 
@@ -102,14 +102,14 @@ metadata: name: mypattern-hub spec: {} --- -# Source: pattern-clustergroup/templates/imperative/serviceaccount.yaml +# Source: clustergroup/templates/imperative/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: name: imperative-sa namespace: imperative --- -# Source: pattern-clustergroup/templates/imperative/configmap.yaml +# Source: clustergroup/templates/imperative/configmap.yaml apiVersion: v1 kind: ConfigMap metadata: @@ -294,6 +294,7 @@ data: localClusterDomain: apps.region.example.com namespace: pattern-namespace options: + applicationRetryLimit: 20 installPlanApproval: Automatic syncPolicy: Automatic useCSV: false @@ -314,7 +315,7 @@ data: kind: ClusterSecretStore name: vault-backend --- -# Source: pattern-clustergroup/templates/imperative/clusterrole.yaml +# Source: clustergroup/templates/imperative/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -329,7 +330,7 @@ rules: - list - watch --- -# Source: pattern-clustergroup/templates/imperative/rbac.yaml +# Source: clustergroup/templates/imperative/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -343,7 +344,7 @@ subjects: name: imperative-sa namespace: imperative --- -# Source: pattern-clustergroup/templates/plumbing/argocd-super-role.yaml +# Source: clustergroup/templates/plumbing/argocd-super-role.yaml # WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -362,7 +363,7 @@ subjects: name: openshift-gitops-argocd-server namespace: openshift-gitops --- -# Source: pattern-clustergroup/templates/plumbing/argocd-super-role.yaml +# Source: clustergroup/templates/plumbing/argocd-super-role.yaml # WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
@@ -387,7 +388,7 @@ subjects: name: hub-gitops-argocd-dex-server namespace: mypattern-hub --- -# Source: pattern-clustergroup/templates/imperative/role.yaml +# Source: clustergroup/templates/imperative/role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -401,7 +402,7 @@ rules: verbs: - '*' --- -# Source: pattern-clustergroup/templates/imperative/rbac.yaml +# Source: clustergroup/templates/imperative/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -416,7 +417,7 @@ subjects: name: imperative-sa namespace: imperative --- -# Source: pattern-clustergroup/templates/imperative/job.yaml +# Source: clustergroup/templates/imperative/job.yaml apiVersion: batch/v1 kind: CronJob metadata: @@ -490,7 +491,7 @@ spec: name: helm-values-configmap-hub restartPolicy: Never --- -# Source: pattern-clustergroup/templates/imperative/unsealjob.yaml +# Source: clustergroup/templates/imperative/unsealjob.yaml apiVersion: batch/v1 kind: CronJob metadata: @@ -566,10 +567,10 @@ spec: name: helm-values-configmap-hub restartPolicy: Never --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml --- --- -# Source: pattern-clustergroup/templates/plumbing/projects.yaml +# Source: clustergroup/templates/plumbing/projects.yaml apiVersion: argoproj.io/v1alpha1 kind: AppProject metadata: @@ -590,7 +591,7 @@ spec: - '*' status: {} --- -# Source: pattern-clustergroup/templates/plumbing/projects.yaml +# Source: clustergroup/templates/plumbing/projects.yaml apiVersion: argoproj.io/v1alpha1 kind: AppProject metadata: @@ -611,7 +612,7 @@ spec: - '*' status: {} --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: 
@@ -633,7 +634,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-hub.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL @@ -655,9 +655,10 @@ spec: value: apps.region.example.com syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -679,7 +680,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-hub.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL @@ -701,9 +701,10 @@ spec: value: apps.region.example.com syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -725,7 +726,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-hub.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL @@ -747,9 +747,10 @@ spec: value: apps.region.example.com syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -771,7 +772,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-hub.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL 
@@ -793,9 +793,10 @@ spec: value: apps.region.example.com syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -817,7 +818,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-hub.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL @@ -839,9 +839,10 @@ spec: value: apps.region.example.com syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -863,7 +864,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-hub.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL @@ -885,9 +885,10 @@ spec: value: apps.region.example.com syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -909,7 +910,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-hub.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL 
@@ -931,9 +931,10 @@ spec: value: apps.region.example.com syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -955,7 +956,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-hub.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL @@ -995,9 +995,10 @@ spec: value: "1.10.3-ubi" syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -1019,7 +1020,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-hub.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL @@ -1041,9 +1041,10 @@ spec: value: apps.region.example.com syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -1065,7 +1066,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-hub.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL 
@@ -1087,9 +1087,10 @@ spec: value: apps.region.example.com syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -1111,7 +1112,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-hub.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL @@ -1142,9 +1142,10 @@ spec: ] syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -1166,7 +1167,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-hub.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL @@ -1197,9 +1197,10 @@ spec: ] syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/applications.yaml +# Source: clustergroup/templates/plumbing/applications.yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -1221,7 +1222,6 @@ spec: valueFiles: - "/values-global.yaml" - "/values-hub.yaml" - # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL @@ -1243,9 +1243,10 @@ spec: value: apps.region.example.com syncPolicy: automated: {} - # selfHeal: true + retry: + limit: 20 --- -# Source: pattern-clustergroup/templates/plumbing/argocd.yaml +# Source: clustergroup/templates/plumbing/argocd.yaml apiVersion: argoproj.io/v1alpha1 kind: ArgoCD metadata: 
@@ -1258,6 +1259,28 @@ metadata: annotations: argocd.argoproj.io/compare-options: IgnoreExtraneous spec: +# Adding health checks to argocd to prevent pvc resources +# that aren't bound state from blocking deployments + resourceCustomizations: | + PersistentVolumeClaim: + health.lua: | + hs = {} + if obj.status ~= nil then + if obj.status.phase ~= nil then + if obj.status.phase == "Pending" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + elseif obj.status.phase == "Bound" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + end + end + end + hs.status = "Progressing" + hs.message = "Waiting for PVC" + return hs applicationInstanceLabelKey: argocd.argoproj.io/instance # Not the greatest way to pass git/quay info to sub-applications, but it will do until # we can support helmChart with kustomize @@ -1306,15 +1329,17 @@ spec: requests: cpu: 500m memory: 2Gi - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi + sso: + provider: dex + dex: + openShiftOAuth: true + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi initialSSHKnownHosts: {} rbac: defaultPolicy: role:admin @@ -1358,7 +1383,7 @@ spec: ca: {} status: --- -# Source: pattern-clustergroup/templates/plumbing/argocd.yaml +# Source: clustergroup/templates/plumbing/argocd.yaml apiVersion: console.openshift.io/v1 kind: ConsoleLink metadata: @@ -1372,7 +1397,7 @@ spec: location: ApplicationMenu text: 'Hub ArgoCD' --- -# Source: pattern-clustergroup/templates/core/operatorgroup.yaml +# Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1382,7 +1407,7 @@ spec: targetNamespaces: - open-cluster-management --- -# Source: pattern-clustergroup/templates/core/operatorgroup.yaml +# Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: 
@@ -1392,7 +1417,7 @@ spec: targetNamespaces: - openshift-serverless --- -# Source: pattern-clustergroup/templates/core/operatorgroup.yaml +# Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1402,7 +1427,7 @@ spec: targetNamespaces: - opendatahub --- -# Source: pattern-clustergroup/templates/core/operatorgroup.yaml +# Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1412,7 +1437,7 @@ spec: targetNamespaces: - openshift-storage --- -# Source: pattern-clustergroup/templates/core/operatorgroup.yaml +# Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1422,7 +1447,7 @@ spec: targetNamespaces: - xraylab-1 --- -# Source: pattern-clustergroup/templates/core/operatorgroup.yaml +# Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1432,7 +1457,7 @@ spec: targetNamespaces: - knative-serving --- -# Source: pattern-clustergroup/templates/core/operatorgroup.yaml +# Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1442,7 +1467,7 @@ spec: targetNamespaces: - staging --- -# Source: pattern-clustergroup/templates/core/operatorgroup.yaml +# Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1452,7 +1477,7 @@ spec: targetNamespaces: - vault --- -# Source: pattern-clustergroup/templates/core/operatorgroup.yaml +# Source: clustergroup/templates/core/operatorgroup.yaml apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: 
@@ -1462,7 +1487,7 @@ spec: targetNamespaces: - golang-external-secrets --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: @@ -1475,7 +1500,7 @@ spec: channel: stable installPlanApproval: Automatic --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: @@ -1488,7 +1513,7 @@ spec: channel: v4 installPlanApproval: Automatic --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: @@ -1501,7 +1526,7 @@ spec: channel: stable-4.11 installPlanApproval: Automatic --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: @@ -1513,7 +1538,7 @@ spec: sourceNamespace: openshift-marketplace installPlanApproval: Automatic --- -# Source: pattern-clustergroup/templates/core/subscriptions.yaml +# Source: clustergroup/templates/core/subscriptions.yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: diff --git a/tests/common-clustergroup-naked.expected.yaml b/tests/common-clustergroup-naked.expected.yaml index f0c12937..e15566b0 100644 --- a/tests/common-clustergroup-naked.expected.yaml +++ b/tests/common-clustergroup-naked.expected.yaml @@ -1,5 +1,5 @@ --- -# Source: pattern-clustergroup/templates/imperative/namespace.yaml +# Source: clustergroup/templates/imperative/namespace.yaml apiVersion: v1 kind: Namespace metadata: 
@@ -8,7 +8,7 @@ metadata: argocd.argoproj.io/managed-by: common-example name: imperative --- -# Source: pattern-clustergroup/templates/plumbing/gitops-namespace.yaml +# Source: clustergroup/templates/plumbing/gitops-namespace.yaml apiVersion: v1 kind: Namespace metadata: @@ -21,14 +21,14 @@ metadata: name: common-example spec: {} --- -# Source: pattern-clustergroup/templates/imperative/serviceaccount.yaml +# Source: clustergroup/templates/imperative/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: name: imperative-sa namespace: imperative --- -# Source: pattern-clustergroup/templates/imperative/configmap.yaml +# Source: clustergroup/templates/imperative/configmap.yaml apiVersion: v1 kind: ConfigMap metadata: @@ -66,6 +66,7 @@ data: enabled: all global: options: + applicationRetryLimit: 20 installPlanApproval: Automatic syncPolicy: Automatic useCSV: true @@ -75,7 +76,7 @@ data: kind: ClusterSecretStore name: vault-backend --- -# Source: pattern-clustergroup/templates/imperative/clusterrole.yaml +# Source: clustergroup/templates/imperative/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -90,7 +91,7 @@ rules: - list - watch --- -# Source: pattern-clustergroup/templates/imperative/rbac.yaml +# Source: clustergroup/templates/imperative/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -104,7 +105,7 @@ subjects: name: imperative-sa namespace: imperative --- -# Source: pattern-clustergroup/templates/plumbing/argocd-super-role.yaml +# Source: clustergroup/templates/plumbing/argocd-super-role.yaml # WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
@@ -123,7 +124,7 @@ subjects: name: openshift-gitops-argocd-server namespace: openshift-gitops --- -# Source: pattern-clustergroup/templates/plumbing/argocd-super-role.yaml +# Source: clustergroup/templates/plumbing/argocd-super-role.yaml # WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -148,7 +149,7 @@ subjects: name: example-gitops-argocd-dex-server namespace: common-example --- -# Source: pattern-clustergroup/templates/imperative/role.yaml +# Source: clustergroup/templates/imperative/role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -162,7 +163,7 @@ rules: verbs: - '*' --- -# Source: pattern-clustergroup/templates/imperative/rbac.yaml +# Source: clustergroup/templates/imperative/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -177,7 +178,7 @@ subjects: name: imperative-sa namespace: imperative --- -# Source: pattern-clustergroup/templates/imperative/unsealjob.yaml +# Source: clustergroup/templates/imperative/unsealjob.yaml apiVersion: batch/v1 kind: CronJob metadata: @@ -253,7 +254,7 @@ spec: name: helm-values-configmap-example restartPolicy: Never --- -# Source: pattern-clustergroup/templates/plumbing/argocd.yaml +# Source: clustergroup/templates/plumbing/argocd.yaml apiVersion: argoproj.io/v1alpha1 kind: ArgoCD metadata: 
@@ -266,6 +267,28 @@ metadata: annotations: argocd.argoproj.io/compare-options: IgnoreExtraneous spec: +# Adding health checks to argocd to prevent pvc resources +# that aren't bound state from blocking deployments + resourceCustomizations: | + PersistentVolumeClaim: + health.lua: | + hs = {} + if obj.status ~= nil then + if obj.status.phase ~= nil then + if obj.status.phase == "Pending" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + elseif obj.status.phase == "Bound" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + end + end + end + hs.status = "Progressing" + hs.message = "Waiting for PVC" + return hs applicationInstanceLabelKey: argocd.argoproj.io/instance # Not the greatest way to pass git/quay info to sub-applications, but it will do until # we can support helmChart with kustomize @@ -314,15 +337,17 @@ spec: requests: cpu: 500m memory: 2Gi - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi + sso: + provider: dex + dex: + openShiftOAuth: true + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi initialSSHKnownHosts: {} rbac: defaultPolicy: role:admin @@ -366,7 +391,7 @@ spec: ca: {} status: --- -# Source: pattern-clustergroup/templates/plumbing/argocd.yaml +# Source: clustergroup/templates/plumbing/argocd.yaml apiVersion: console.openshift.io/v1 kind: ConsoleLink metadata: diff --git a/tests/common-clustergroup-normal.expected.yaml b/tests/common-clustergroup-normal.expected.yaml index 9e1c7abc..966550a1 100644 --- a/tests/common-clustergroup-normal.expected.yaml +++ b/tests/common-clustergroup-normal.expected.yaml 
@@ -1,14 +1,19 @@ --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: + name: open-cluster-management labels: argocd.argoproj.io/managed-by: mypattern-example - name: open-cluster-management + kubernetes.io/os: "linux" + openshift.io/node-selector: "" + annotations: + openshift.io/cluster-monitoring: "true" + owner: "namespace owner" spec: --- -# Source: pattern-clustergroup/templates/core/namespaces.yaml +# Source: clustergroup/templates/core/namespaces.yaml apiVersion: v1 kind: Namespace metadata: @@ -17,7 +22,16 @@ metadata: name: application-ci spec: --- -# Source: pattern-clustergroup/templates/imperative/namespace.yaml +# Source: clustergroup/templates/core/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + labels: + argocd.argoproj.io/managed-by: mypattern-example + name: excludes-ci +spec: +--- +# Source: clustergroup/templates/imperative/namespace.yaml apiVersion: v1 kind: Namespace metadata: @@ -26,7 +40,7 @@ metadata: argocd.argoproj.io/managed-by: mypattern-example name: imperative --- -# Source: pattern-clustergroup/templates/plumbing/gitops-namespace.yaml +# Source: clustergroup/templates/plumbing/gitops-namespace.yaml apiVersion: v1 kind: Namespace metadata: @@ -39,14 +53,14 @@ metadata: name: mypattern-example spec: {} --- -# Source: pattern-clustergroup/templates/imperative/serviceaccount.yaml +# Source: clustergroup/templates/imperative/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: name: imperative-sa namespace: imperative --- -# Source: pattern-clustergroup/templates/imperative/configmap.yaml +# Source: clustergroup/templates/imperative/configmap.yaml apiVersion: v1 kind: ConfigMap metadata: 
@@ -108,18 +122,23 @@ data: clusterPools: exampleAWSPool: baseDomain: blueprints.rhecoeng.com - clusters: - - one + controlPlane: + count: 1 + platform: + aws: + type: m5.xlarge name: aws-ap openshiftVersion: 4.10.18 platform: aws: region: ap-southeast-2 size: 3 + workers: + count: 0 exampleAzurePool: baseDomain: blueprints.rhecoeng.com clusters: - - two + - Two - three name: azure-us openshiftVersion: 4.10.18 @@ -143,8 +162,17 @@ data: name: argo-edge name: example namespaces: - - open-cluster-management + - open-cluster-management: + annotations: + openshift.io/cluster-monitoring: "true" + owner: namespace owner + labels: + kubernetes.io/os: linux + openshift.io/node-selector: "" - application-ci + - excludes-ci + operatorgroupExcludes: + - excludes-ci projects: - datacenter subscriptions: @@ -176,6 +204,7 @@ data: multiClusterTarget: all namespace: pattern-namespace options: + applicationRetryLimit: 20 installPlanApproval: Automatic syncPolicy: Automatic useCSV: false @@ -196,7 +225,7 @@ data: kind: ClusterSecretStore name: vault-backend --- -# Source: pattern-clustergroup/templates/imperative/clusterrole.yaml +# Source: clustergroup/templates/imperative/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -211,7 +240,7 @@ rules: - list - watch --- -# Source: pattern-clustergroup/templates/imperative/rbac.yaml +# Source: clustergroup/templates/imperative/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -225,7 +254,7 @@ subjects: name: imperative-sa namespace: imperative --- -# Source: pattern-clustergroup/templates/plumbing/argocd-super-role.yaml +# Source: clustergroup/templates/plumbing/argocd-super-role.yaml # WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
@@ -244,7 +273,7 @@ subjects:
 name: openshift-gitops-argocd-server
 namespace: openshift-gitops
 ---
-# Source: pattern-clustergroup/templates/plumbing/argocd-super-role.yaml
+# Source: clustergroup/templates/plumbing/argocd-super-role.yaml
 # WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -269,7 +298,7 @@ subjects:
 name: example-gitops-argocd-dex-server
 namespace: mypattern-example
 ---
-# Source: pattern-clustergroup/templates/imperative/role.yaml
+# Source: clustergroup/templates/imperative/role.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -283,7 +312,7 @@ rules:
 verbs:
 - '*'
 ---
-# Source: pattern-clustergroup/templates/imperative/rbac.yaml
+# Source: clustergroup/templates/imperative/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -298,7 +327,7 @@ subjects:
 name: imperative-sa
 namespace: imperative
 ---
-# Source: pattern-clustergroup/templates/imperative/job.yaml
+# Source: clustergroup/templates/imperative/job.yaml
 apiVersion: batch/v1
 kind: CronJob
 metadata:
@@ -372,7 +401,7 @@ spec:
 name: helm-values-configmap-example
 restartPolicy: Never
 ---
-# Source: pattern-clustergroup/templates/imperative/unsealjob.yaml
+# Source: clustergroup/templates/imperative/unsealjob.yaml
 apiVersion: batch/v1
 kind: CronJob
 metadata:
@@ -448,10 +477,10 @@ spec:
 name: helm-values-configmap-example
 restartPolicy: Never
 ---
-# Source: pattern-clustergroup/templates/core/subscriptions.yaml
+# Source: clustergroup/templates/core/subscriptions.yaml
 ---
 ---
-# Source: pattern-clustergroup/templates/plumbing/hosted-sites.yaml
+# Source: clustergroup/templates/plumbing/hosted-sites.yaml
 apiVersion: argoproj.io/v1alpha1
 kind: AppProject
 metadata:
@@ -472,7 +501,7 @@ spec:
 - '*'
 status: {}
 ---
-# Source: pattern-clustergroup/templates/plumbing/projects.yaml
+# Source: clustergroup/templates/plumbing/projects.yaml
 apiVersion: argoproj.io/v1alpha1
 kind: AppProject
 metadata:
@@ -493,7 +522,7 @@ spec:
 - '*'
 status: {}
 ---
-# Source: pattern-clustergroup/templates/plumbing/applications.yaml
+# Source: clustergroup/templates/plumbing/applications.yaml
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
@@ -515,7 +544,6 @@ spec:
 valueFiles:
 - "/values-global.yaml"
 - "/values-example.yaml"
- # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly
 parameters:
 - name: global.repoURL
 value: $ARGOCD_APP_SOURCE_REPO_URL
@@ -546,9 +574,10 @@ spec:
 ]
 syncPolicy:
 automated: {}
- # selfHeal: true
+ retry:
+ limit: 20
 ---
-# Source: pattern-clustergroup/templates/plumbing/applications.yaml
+# Source: clustergroup/templates/plumbing/applications.yaml
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
@@ -570,7 +599,6 @@ spec:
 valueFiles:
 - "/values-global.yaml"
 - "/values-example.yaml"
- # Watch the progress of https://issues.redhat.com/browse/GITOPS-891 and update accordingly
 parameters:
 - name: global.repoURL
 value: $ARGOCD_APP_SOURCE_REPO_URL
@@ -592,9 +620,10 @@ spec:
 value: apps.region.example.com
 syncPolicy:
 automated: {}
- # selfHeal: true
+ retry:
+ limit: 20
 ---
-# Source: pattern-clustergroup/templates/plumbing/hosted-sites.yaml
+# Source: clustergroup/templates/plumbing/hosted-sites.yaml
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
@@ -654,7 +683,7 @@ spec:
 jsonPointers:
 - /status
 ---
-# Source: pattern-clustergroup/templates/plumbing/hosted-sites.yaml
+# Source: clustergroup/templates/plumbing/hosted-sites.yaml
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
@@ -714,7 +743,7 @@ spec:
 jsonPointers:
 - /status
 ---
-# Source: pattern-clustergroup/templates/plumbing/hosted-sites.yaml
+# Source: clustergroup/templates/plumbing/hosted-sites.yaml
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
@@ -774,7 +803,7 @@ spec:
 jsonPointers:
 - /status
 ---
-# Source: pattern-clustergroup/templates/plumbing/hosted-sites.yaml
+# Source: clustergroup/templates/plumbing/hosted-sites.yaml
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
@@ -834,7 +863,7 @@ spec:
 jsonPointers:
 - /status
 ---
-# Source: pattern-clustergroup/templates/plumbing/argocd.yaml
+# Source: clustergroup/templates/plumbing/argocd.yaml
 apiVersion: argoproj.io/v1alpha1
 kind: ArgoCD
 metadata:
@@ -847,6 +876,28 @@ metadata:
 annotations:
 argocd.argoproj.io/compare-options: IgnoreExtraneous
 spec:
+# Adding health checks to argocd to prevent pvc resources
+# that aren't bound state from blocking deployments
+ resourceCustomizations: |
+ PersistentVolumeClaim:
+ health.lua: |
+ hs = {}
+ if obj.status ~= nil then
+ if obj.status.phase ~= nil then
+ if obj.status.phase == "Pending" then
+ hs.status = "Healthy"
+ hs.message = obj.status.phase
+ return hs
+ elseif obj.status.phase == "Bound" then
+ hs.status = "Healthy"
+ hs.message = obj.status.phase
+ return hs
+ end
+ end
+ end
+ hs.status = "Progressing"
+ hs.message = "Waiting for PVC"
+ return hs
 applicationInstanceLabelKey: argocd.argoproj.io/instance
 # Not the greatest way to pass git/quay info to sub-applications, but it will do until
 # we can support helmChart with kustomize
@@ -895,15 +946,17 @@ spec:
 requests:
 cpu: 500m
 memory: 2Gi
- dex:
- openShiftOAuth: true
- resources:
- limits:
- cpu: 500m
- memory: 256Mi
- requests:
- cpu: 250m
- memory: 128Mi
+ sso:
+ provider: dex
+ dex:
+ openShiftOAuth: true
+ resources:
+ limits:
+ cpu: 500m
+ memory: 256Mi
+ requests:
+ cpu: 250m
+ memory: 128Mi
 initialSSHKnownHosts: {}
 rbac:
 defaultPolicy: role:admin
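Review bot: In the `health.lua` script added under `resourceCustomizations`, a PersistentVolumeClaim in phase `Pending` is reported `Healthy` exactly like `Bound`, so a claim that can never bind (missing provisioner, wrong StorageClass, exhausted quota) leaves the Application green and the failure only surfaces later in the workload that mounts it; the comment says the goal is to stop unbound claims from blocking deployments, which reads as the WaitForFirstConsumer case, so say that explicitly and at least make the two states distinguishable in the UI, e.g. `hs.message = "PVC pending (unbound claim treated as healthy so sync can proceed)"` in the Pending branch. The two `# Adding health checks …` comment lines sit at column 0 inside `spec:`, which the parser tolerates but which reads as if they belonged to the enclosing document; indent them to the `resourceCustomizations:` level. Newer argocd-operator releases deprecate `resourceCustomizations` in favour of `resourceHealthChecks`, which is worth checking against the operator version the pattern pins. This is a rendered fixture, so the fix belongs in the chart template named in the `# Source:` comment, not in this file.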
@@ -947,7 +1000,7 @@ spec:
 ca: {}
 status:
 ---
-# Source: pattern-clustergroup/templates/plumbing/argocd.yaml
+# Source: clustergroup/templates/plumbing/argocd.yaml
 apiVersion: console.openshift.io/v1
 kind: ConsoleLink
 metadata:
@@ -961,7 +1014,7 @@ spec:
 location: ApplicationMenu
 text: 'Example ArgoCD'
 ---
-# Source: pattern-clustergroup/templates/core/operatorgroup.yaml
+# Source: clustergroup/templates/core/operatorgroup.yaml
 apiVersion: operators.coreos.com/v1
 kind: OperatorGroup
 metadata:
@@ -971,7 +1024,7 @@ spec:
 targetNamespaces:
 - open-cluster-management
 ---
-# Source: pattern-clustergroup/templates/core/operatorgroup.yaml
+# Source: clustergroup/templates/core/operatorgroup.yaml
 apiVersion: operators.coreos.com/v1
 kind: OperatorGroup
 metadata:
@@ -981,7 +1034,7 @@ spec:
 targetNamespaces:
 - application-ci
 ---
-# Source: pattern-clustergroup/templates/core/subscriptions.yaml
+# Source: clustergroup/templates/core/subscriptions.yaml
 apiVersion: operators.coreos.com/v1alpha1
 kind: Subscription
 metadata:
@@ -995,7 +1048,7 @@ spec:
 installPlanApproval: Automatic
 startingCSV: advanced-cluster-management.v2.4.1
 ---
-# Source: pattern-clustergroup/templates/core/subscriptions.yaml
+# Source: clustergroup/templates/core/subscriptions.yaml
 apiVersion: operators.coreos.com/v1alpha1
 kind: Subscription
 metadata:
diff --git a/tests/common-golang-external-secrets-industrial-edge-factory.expected.yaml b/tests/common-golang-external-secrets-industrial-edge-factory.expected.yaml
index 87362544..1ef6cf66 100644
--- a/tests/common-golang-external-secrets-industrial-edge-factory.expected.yaml
+++ b/tests/common-golang-external-secrets-industrial-edge-factory.expected.yaml
@@ -6,10 +6,10 @@ metadata:
 name: external-secrets-cert-controller
 namespace: "default"
 labels:
- helm.sh/chart: external-secrets-0.8.1
+ helm.sh/chart: external-secrets-0.8.5
 app.kubernetes.io/name: external-secrets-cert-controller
 app.kubernetes.io/instance: common-golang-external-secrets
- app.kubernetes.io/version: "v0.8.1"
+ app.kubernetes.io/version: "v0.8.5"
 app.kubernetes.io/managed-by: Helm
 ---
 # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml
@@ -19,10 +19,10 @@ metadata:
 name: common-golang-external-secrets
 namespace: "default"
 labels:
- helm.sh/chart: external-secrets-0.8.1
+ helm.sh/chart: external-secrets-0.8.5
 app.kubernetes.io/name: external-secrets
 app.kubernetes.io/instance: common-golang-external-secrets
- app.kubernetes.io/version: "v0.8.1"
+ app.kubernetes.io/version: "v0.8.5"
 app.kubernetes.io/managed-by: Helm
 ---
 # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml
@@ -32,10 +32,10 @@ metadata:
 name: external-secrets-webhook
 namespace: "default"
 labels:
- helm.sh/chart: external-secrets-0.8.1
+ helm.sh/chart: external-secrets-0.8.5
 app.kubernetes.io/name: external-secrets-webhook
 app.kubernetes.io/instance: common-golang-external-secrets
- app.kubernetes.io/version: "v0.8.1"
+ app.kubernetes.io/version: "v0.8.5"
 app.kubernetes.io/managed-by: Helm
 ---
 # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml
@@ -45,10 +45,10 @@ metadata:
 name: common-golang-external-secrets-webhook
 namespace: "default"
 labels:
- helm.sh/chart: external-secrets-0.8.1
+ helm.sh/chart: external-secrets-0.8.5
 app.kubernetes.io/name: external-secrets-webhook
 app.kubernetes.io/instance: common-golang-external-secrets
- app.kubernetes.io/version: "v0.8.1"
+ app.kubernetes.io/version: "v0.8.5"
 app.kubernetes.io/managed-by: Helm
 external-secrets.io/component: webhook
 ---
@@ -67,8 +67,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: acraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -209,8 +208,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: clusterexternalsecrets.external-secrets.io spec: group: external-secrets.io @@ -500,6 +498,9 @@ spec: engineVersion: default: v2 type: string + mergePolicy: + default: Replace + type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. properties: @@ -664,8 +665,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: clustersecretstores.external-secrets.io spec: group: external-secrets.io @@ -705,7 +705,7 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set 
@@ -844,6 +844,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -877,11 +894,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -1114,7 +1127,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -1854,7 +1867,7 @@ spec: type: object type: array controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set 
@@ -1993,6 +2006,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -2026,11 +2056,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -2114,6 +2140,9 @@ spec: type: object type: object type: object + externalID: + description: AWS External ID set on assumed IAM roles + type: string region: description: AWS Region to be used for the provider type: string @@ -2344,7 +2373,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. 
@@ -2784,6 +2813,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -2799,7 +2841,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -2832,6 +2873,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -3258,8 +3387,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: ecrauthorizationtokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -3387,8 +3515,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: externalsecrets.external-secrets.io spec: group: external-secrets.io @@ -3586,6 +3713,14 @@ spec: type: object status: properties: + binding: + description: Binding represents a servicebinding.io Provisioned Service reference to the secret + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic conditions: items: properties: @@ -3888,6 +4023,9 @@ spec: engineVersion: default: v2 type: string + mergePolicy: + default: Replace + type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. properties: @@ -3957,6 +4095,14 @@ spec: type: object status: properties: + binding: + description: Binding represents a servicebinding.io Provisioned Service reference to the secret + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic conditions: items: properties: 
@@ -4006,8 +4152,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: fakes.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4038,6 +4183,9 @@ spec: spec: description: FakeSpec contains the static data. properties: + controller: + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + type: string data: additionalProperties: type: string @@ -4065,8 +4213,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4174,8 +4321,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: passwords.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4253,8 +4399,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: pushsecrets.external-secrets.io spec: group: external-secrets.io @@ -4299,6 +4444,9 @@ spec: remoteRef: description: Remote Refs to push to providers. properties: + property: + description: Name of the property in the resulting secret + type: string remoteKey: description: Name of the resulting provider secret. type: string 
@@ -4424,6 +4572,9 @@ spec: remoteRef: description: Remote Refs to push to providers. properties: + property: + description: Name of the property in the resulting secret + type: string remoteKey: description: Name of the resulting provider secret. type: string @@ -4468,8 +4619,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: secretstores.external-secrets.io spec: group: external-secrets.io @@ -4509,7 +4659,7 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -4648,6 +4798,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -4681,11 +4848,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string 
@@ -4918,7 +5081,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -5658,7 +5821,7 @@ spec: type: object type: array controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -5797,6 +5960,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -5830,11 +6010,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -5918,6 +6094,9 @@ spec: type: object type: object type: object + externalID: + description: AWS External ID set on assumed IAM roles + type: string region: description: AWS Region to be used for the provider type: string 
@@ -6148,7 +6327,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -6588,6 +6767,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -6603,7 +6795,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -6636,6 +6827,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -7062,8 +7341,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -7092,6 +7370,9 @@ spec: type: object spec: properties: + controller: + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + type: string method: description: Vault API method to use (GET/POST/other) type: string @@ -7117,6 +7398,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -7132,7 +7426,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -7165,6 +7458,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -7360,6 +7741,10 @@ spec: - auth - server type: object + resultType: + default: Data + description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + type: string required: - path - provider @@ -7386,10 +7771,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7437,6 +7822,15 @@ rules: - "watch" - "update" - "patch" + - apiGroups: + - "coordination.k8s.io" + resources: + - "leases" + verbs: + - "get" + - "create" + - "update" + - "patch" --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7444,10 +7838,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -7553,10 +7947,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -7573,6 +7967,19 @@ rules: - "get" - "watch" - "list" + - apiGroups: + - "generators.external-secrets.io" + resources: + - "acraccesstokens" + - "ecrauthorizationtokens" + - "fakes" + - "gcraccesstokens" + - "passwords" + - "vaultdynamicsecrets" + verbs: + - "get" + - "watch" + - "list" --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7580,10 +7987,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" 
@@ -7601,6 +8008,43 @@ rules: - "deletecollection" - "patch" - "update" + - apiGroups: + - "generators.external-secrets.io" + resources: + - "acraccesstokens" + - "ecrauthorizationtokens" + - "fakes" + - "gcraccesstokens" + - "passwords" + - "vaultdynamicsecrets" + verbs: + - "create" + - "delete" + - "deletecollection" + - "patch" + - "update" +--- +# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: common-golang-external-secrets-servicebindings + labels: + servicebinding.io/controller: "true" + helm.sh/chart: external-secrets-0.8.5 + app.kubernetes.io/name: external-secrets + app.kubernetes.io/instance: common-golang-external-secrets + app.kubernetes.io/version: "v0.8.5" + app.kubernetes.io/managed-by: Helm +rules: + - apiGroups: + - "external-secrets.io" + resources: + - "externalsecrets" + verbs: + - "get" + - "list" + - "watch" --- # Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7608,10 +8052,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -7628,10 +8072,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -7664,10 +8108,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7703,10 +8147,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -7724,10 +8168,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: 
@@ -7748,10 +8192,10 @@ metadata: name: common-golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -7768,9 +8212,17 @@ spec: spec: serviceAccountName: external-secrets-cert-controller automountServiceAccountToken: true + hostNetwork: false containers: - name: cert-controller - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - certcontroller @@ -7798,10 +8250,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -7818,9 +8270,17 @@ spec: spec: serviceAccountName: common-golang-external-secrets automountServiceAccountToken: true + hostNetwork: false containers: - name: external-secrets - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 
@@ -7836,10 +8296,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -7859,7 +8319,14 @@ spec: automountServiceAccountToken: true containers: - name: webhook - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - webhook diff --git a/tests/common-golang-external-secrets-industrial-edge-hub.expected.yaml b/tests/common-golang-external-secrets-industrial-edge-hub.expected.yaml index 64450598..b516e345 100644 --- a/tests/common-golang-external-secrets-industrial-edge-hub.expected.yaml +++ b/tests/common-golang-external-secrets-industrial-edge-hub.expected.yaml @@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml 
@@ -19,10 +19,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -67,8 +67,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: acraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -209,8 +208,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: clusterexternalsecrets.external-secrets.io spec: group: external-secrets.io @@ -500,6 +498,9 @@ spec: engineVersion: default: v2 type: string + mergePolicy: + default: Replace + type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. properties: @@ -664,8 +665,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: clustersecretstores.external-secrets.io spec: group: external-secrets.io @@ -705,7 +705,7 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -844,6 +844,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: 
@@ -877,11 +894,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -1114,7 +1127,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -1854,7 +1867,7 @@ spec: type: object type: array controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -1993,6 +2006,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -2026,11 +2056,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string 
@@ -2114,6 +2140,9 @@ spec: type: object type: object type: object + externalID: + description: AWS External ID set on assumed IAM roles + type: string region: description: AWS Region to be used for the provider type: string @@ -2344,7 +2373,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -2784,6 +2813,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -2799,7 +2841,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -2832,6 +2873,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -3258,8 +3387,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: ecrauthorizationtokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -3387,8 +3515,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: externalsecrets.external-secrets.io spec: group: external-secrets.io @@ -3586,6 +3713,14 @@ spec: type: object status: properties: + binding: + description: Binding represents a servicebinding.io Provisioned Service reference to the secret + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic conditions: items: properties: @@ -3888,6 +4023,9 @@ spec: engineVersion: default: v2 type: string + mergePolicy: + default: Replace + type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. properties: @@ -3957,6 +4095,14 @@ spec: type: object status: properties: + binding: + description: Binding represents a servicebinding.io Provisioned Service reference to the secret + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic conditions: items: properties: 
@@ -4006,8 +4152,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: fakes.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4038,6 +4183,9 @@ spec: spec: description: FakeSpec contains the static data. properties: + controller: + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + type: string data: additionalProperties: type: string @@ -4065,8 +4213,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4174,8 +4321,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: passwords.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4253,8 +4399,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: pushsecrets.external-secrets.io spec: group: external-secrets.io @@ -4299,6 +4444,9 @@ spec: remoteRef: description: Remote Refs to push to providers. properties: + property: + description: Name of the property in the resulting secret + type: string remoteKey: description: Name of the resulting provider secret. type: string 
@@ -4424,6 +4572,9 @@ spec: remoteRef: description: Remote Refs to push to providers. properties: + property: + description: Name of the property in the resulting secret + type: string remoteKey: description: Name of the resulting provider secret. type: string @@ -4468,8 +4619,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: secretstores.external-secrets.io spec: group: external-secrets.io @@ -4509,7 +4659,7 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -4648,6 +4798,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -4681,11 +4848,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string 
@@ -4918,7 +5081,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -5658,7 +5821,7 @@ spec: type: object type: array controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -5797,6 +5960,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -5830,11 +6010,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -5918,6 +6094,9 @@ spec: type: object type: object type: object + externalID: + description: AWS External ID set on assumed IAM roles + type: string region: description: AWS Region to be used for the provider type: string 
@@ -6148,7 +6327,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -6588,6 +6767,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -6603,7 +6795,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -6636,6 +6827,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -7062,8 +7341,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -7092,6 +7370,9 @@ spec: type: object spec: properties: + controller: + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + type: string method: description: Vault API method to use (GET/POST/other) type: string @@ -7117,6 +7398,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -7132,7 +7426,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -7165,6 +7458,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -7360,6 +7741,10 @@ spec: - auth - server type: object + resultType: + default: Data + description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + type: string required: - path - provider @@ -7386,10 +7771,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7437,6 +7822,15 @@ rules: - "watch" - "update" - "patch" + - apiGroups: + - "coordination.k8s.io" + resources: + - "leases" + verbs: + - "get" + - "create" + - "update" + - "patch" --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7444,10 +7838,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
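Review bot: The `coordination.k8s.io` / `leases` rule added to the `common-golang-external-secrets-cert-controller` ClusterRole on this line has no `resourceNames` restriction, and that ClusterRole is attached through a ClusterRoleBinding of the same name (later on this page), so the cert-controller may create and update leases in every namespace rather than only its own. A namespaced Role in the release namespace, like the `common-golang-external-secrets-leaderelection` Role this chart already renders, would be the least-privilege form for a leader-election lease. This file is rendered chart output used as a test fixture, so the change belongs in the upstream chart or its values rather than in this expected file; if upstream deliberately grants it cluster-wide, the fixture is correct as generated.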
@@ -7553,10 +7947,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -7573,6 +7967,19 @@ rules: - "get" - "watch" - "list" + - apiGroups: + - "generators.external-secrets.io" + resources: + - "acraccesstokens" + - "ecrauthorizationtokens" + - "fakes" + - "gcraccesstokens" + - "passwords" + - "vaultdynamicsecrets" + verbs: + - "get" + - "watch" + - "list" --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7580,10 +7987,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" 
@@ -7601,6 +8008,43 @@ rules: - "deletecollection" - "patch" - "update" + - apiGroups: + - "generators.external-secrets.io" + resources: + - "acraccesstokens" + - "ecrauthorizationtokens" + - "fakes" + - "gcraccesstokens" + - "passwords" + - "vaultdynamicsecrets" + verbs: + - "create" + - "delete" + - "deletecollection" + - "patch" + - "update" +--- +# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: common-golang-external-secrets-servicebindings + labels: + servicebinding.io/controller: "true" + helm.sh/chart: external-secrets-0.8.5 + app.kubernetes.io/name: external-secrets + app.kubernetes.io/instance: common-golang-external-secrets + app.kubernetes.io/version: "v0.8.5" + app.kubernetes.io/managed-by: Helm +rules: + - apiGroups: + - "external-secrets.io" + resources: + - "externalsecrets" + verbs: + - "get" + - "list" + - "watch" --- # Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7608,10 +8052,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -7628,10 +8072,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -7664,10 +8108,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7703,10 +8147,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -7724,10 +8168,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: 
@@ -7748,10 +8192,10 @@ metadata: name: common-golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -7768,9 +8212,17 @@ spec: spec: serviceAccountName: external-secrets-cert-controller automountServiceAccountToken: true + hostNetwork: false containers: - name: cert-controller - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - certcontroller @@ -7798,10 +8250,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -7818,9 +8270,17 @@ spec: spec: serviceAccountName: common-golang-external-secrets automountServiceAccountToken: true + hostNetwork: false containers: - name: external-secrets - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 
@@ -7836,10 +8296,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -7859,7 +8319,14 @@ spec: automountServiceAccountToken: true containers: - name: webhook - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - webhook diff --git a/tests/common-golang-external-secrets-medical-diagnosis-hub.expected.yaml b/tests/common-golang-external-secrets-medical-diagnosis-hub.expected.yaml index 64450598..b516e345 100644 --- a/tests/common-golang-external-secrets-medical-diagnosis-hub.expected.yaml +++ b/tests/common-golang-external-secrets-medical-diagnosis-hub.expected.yaml @@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml 
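Review bot: The container `securityContext` added to the webhook Deployment in this hunk matches the cert-controller and controller hunks on the previous line, but unlike those two the webhook hunk adds no `hostNetwork: false` line under the pod `spec`. The hunk starts at `automountServiceAccountToken: true`, so the field may already be set just above the shown context; if it is absent from the upstream webhook template, it is an inconsistency to raise there, not in this generated expected file. None of the three hardened containers shows a `seccompProfile` either; whether that is set at pod level is outside the hunk and cannot be confirmed here.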
@@ -19,10 +19,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -67,8 +67,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: acraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -209,8 +208,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: clusterexternalsecrets.external-secrets.io spec: group: external-secrets.io @@ -500,6 +498,9 @@ spec: engineVersion: default: v2 type: string + mergePolicy: + default: Replace + type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. properties: @@ -664,8 +665,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: clustersecretstores.external-secrets.io spec: group: external-secrets.io @@ -705,7 +705,7 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -844,6 +844,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: 
@@ -877,11 +894,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -1114,7 +1127,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -1854,7 +1867,7 @@ spec: type: object type: array controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -1993,6 +2006,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -2026,11 +2056,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string 
@@ -2114,6 +2140,9 @@ spec: type: object type: object type: object + externalID: + description: AWS External ID set on assumed IAM roles + type: string region: description: AWS Region to be used for the provider type: string @@ -2344,7 +2373,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -2784,6 +2813,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -2799,7 +2841,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -2832,6 +2873,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -3258,8 +3387,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: ecrauthorizationtokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -3387,8 +3515,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: externalsecrets.external-secrets.io spec: group: external-secrets.io @@ -3586,6 +3713,14 @@ spec: type: object status: properties: + binding: + description: Binding represents a servicebinding.io Provisioned Service reference to the secret + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic conditions: items: properties: @@ -3888,6 +4023,9 @@ spec: engineVersion: default: v2 type: string + mergePolicy: + default: Replace + type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. properties: @@ -3957,6 +4095,14 @@ spec: type: object status: properties: + binding: + description: Binding represents a servicebinding.io Provisioned Service reference to the secret + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic conditions: items: properties: 
@@ -4006,8 +4152,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: fakes.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4038,6 +4183,9 @@ spec: spec: description: FakeSpec contains the static data. properties: + controller: + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + type: string data: additionalProperties: type: string @@ -4065,8 +4213,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4174,8 +4321,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: passwords.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4253,8 +4399,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: pushsecrets.external-secrets.io spec: group: external-secrets.io @@ -4299,6 +4444,9 @@ spec: remoteRef: description: Remote Refs to push to providers. properties: + property: + description: Name of the property in the resulting secret + type: string remoteKey: description: Name of the resulting provider secret. type: string 
@@ -4424,6 +4572,9 @@ spec: remoteRef: description: Remote Refs to push to providers. properties: + property: + description: Name of the property in the resulting secret + type: string remoteKey: description: Name of the resulting provider secret. type: string @@ -4468,8 +4619,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: secretstores.external-secrets.io spec: group: external-secrets.io @@ -4509,7 +4659,7 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -4648,6 +4798,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -4681,11 +4848,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string 
@@ -4918,7 +5081,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -5658,7 +5821,7 @@ spec: type: object type: array controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -5797,6 +5960,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -5830,11 +6010,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -5918,6 +6094,9 @@ spec: type: object type: object type: object + externalID: + description: AWS External ID set on assumed IAM roles + type: string region: description: AWS Region to be used for the provider type: string 
@@ -6148,7 +6327,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -6588,6 +6767,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -6603,7 +6795,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -6636,6 +6827,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -7062,8 +7341,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -7092,6 +7370,9 @@ spec: type: object spec: properties: + controller: + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + type: string method: description: Vault API method to use (GET/POST/other) type: string @@ -7117,6 +7398,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -7132,7 +7426,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -7165,6 +7458,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -7360,6 +7741,10 @@ spec: - auth - server type: object + resultType: + default: Data + description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + type: string required: - path - provider @@ -7386,10 +7771,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7437,6 +7822,15 @@ rules: - "watch" - "update" - "patch" + - apiGroups: + - "coordination.k8s.io" + resources: + - "leases" + verbs: + - "get" + - "create" + - "update" + - "patch" --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7444,10 +7838,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -7553,10 +7947,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -7573,6 +7967,19 @@ rules: - "get" - "watch" - "list" + - apiGroups: + - "generators.external-secrets.io" + resources: + - "acraccesstokens" + - "ecrauthorizationtokens" + - "fakes" + - "gcraccesstokens" + - "passwords" + - "vaultdynamicsecrets" + verbs: + - "get" + - "watch" + - "list" --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7580,10 +7987,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" 
@@ -7601,6 +8008,43 @@ rules: - "deletecollection" - "patch" - "update" + - apiGroups: + - "generators.external-secrets.io" + resources: + - "acraccesstokens" + - "ecrauthorizationtokens" + - "fakes" + - "gcraccesstokens" + - "passwords" + - "vaultdynamicsecrets" + verbs: + - "create" + - "delete" + - "deletecollection" + - "patch" + - "update" +--- +# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: common-golang-external-secrets-servicebindings + labels: + servicebinding.io/controller: "true" + helm.sh/chart: external-secrets-0.8.5 + app.kubernetes.io/name: external-secrets + app.kubernetes.io/instance: common-golang-external-secrets + app.kubernetes.io/version: "v0.8.5" + app.kubernetes.io/managed-by: Helm +rules: + - apiGroups: + - "external-secrets.io" + resources: + - "externalsecrets" + verbs: + - "get" + - "list" + - "watch" --- # Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7608,10 +8052,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -7628,10 +8072,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -7664,10 +8108,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7703,10 +8147,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -7724,10 +8168,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: 
@@ -7748,10 +8192,10 @@ metadata: name: common-golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -7768,9 +8212,17 @@ spec: spec: serviceAccountName: external-secrets-cert-controller automountServiceAccountToken: true + hostNetwork: false containers: - name: cert-controller - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - certcontroller @@ -7798,10 +8250,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -7818,9 +8270,17 @@ spec: spec: serviceAccountName: common-golang-external-secrets automountServiceAccountToken: true + hostNetwork: false containers: - name: external-secrets - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 
@@ -7836,10 +8296,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -7859,7 +8319,14 @@ spec: automountServiceAccountToken: true containers: - name: webhook - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - webhook diff --git a/tests/common-golang-external-secrets-naked.expected.yaml b/tests/common-golang-external-secrets-naked.expected.yaml index e73a1f41..ac3c1ad1 100644 --- a/tests/common-golang-external-secrets-naked.expected.yaml +++ b/tests/common-golang-external-secrets-naked.expected.yaml @@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml 
@@ -19,10 +19,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -67,8 +67,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: acraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -209,8 +208,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: clusterexternalsecrets.external-secrets.io spec: group: external-secrets.io @@ -500,6 +498,9 @@ spec: engineVersion: default: v2 type: string + mergePolicy: + default: Replace + type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. properties: @@ -664,8 +665,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: clustersecretstores.external-secrets.io spec: group: external-secrets.io @@ -705,7 +705,7 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -844,6 +844,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: 
@@ -877,11 +894,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -1114,7 +1127,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -1854,7 +1867,7 @@ spec: type: object type: array controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -1993,6 +2006,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -2026,11 +2056,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string 
@@ -2114,6 +2140,9 @@ spec: type: object type: object type: object + externalID: + description: AWS External ID set on assumed IAM roles + type: string region: description: AWS Region to be used for the provider type: string @@ -2344,7 +2373,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -2784,6 +2813,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -2799,7 +2841,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -2832,6 +2873,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -3258,8 +3387,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: ecrauthorizationtokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -3387,8 +3515,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: externalsecrets.external-secrets.io spec: group: external-secrets.io @@ -3586,6 +3713,14 @@ spec: type: object status: properties: + binding: + description: Binding represents a servicebinding.io Provisioned Service reference to the secret + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic conditions: items: properties: @@ -3888,6 +4023,9 @@ spec: engineVersion: default: v2 type: string + mergePolicy: + default: Replace + type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. properties: @@ -3957,6 +4095,14 @@ spec: type: object status: properties: + binding: + description: Binding represents a servicebinding.io Provisioned Service reference to the secret + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic conditions: items: properties: 
@@ -4006,8 +4152,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: fakes.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4038,6 +4183,9 @@ spec: spec: description: FakeSpec contains the static data. properties: + controller: + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + type: string data: additionalProperties: type: string @@ -4065,8 +4213,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4174,8 +4321,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: passwords.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4253,8 +4399,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: pushsecrets.external-secrets.io spec: group: external-secrets.io @@ -4299,6 +4444,9 @@ spec: remoteRef: description: Remote Refs to push to providers. properties: + property: + description: Name of the property in the resulting secret + type: string remoteKey: description: Name of the resulting provider secret. type: string 
@@ -4424,6 +4572,9 @@ spec: remoteRef: description: Remote Refs to push to providers. properties: + property: + description: Name of the property in the resulting secret + type: string remoteKey: description: Name of the resulting provider secret. type: string @@ -4468,8 +4619,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: secretstores.external-secrets.io spec: group: external-secrets.io @@ -4509,7 +4659,7 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -4648,6 +4798,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -4681,11 +4848,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string 
@@ -4918,7 +5081,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -5658,7 +5821,7 @@ spec: type: object type: array controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -5797,6 +5960,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -5830,11 +6010,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -5918,6 +6094,9 @@ spec: type: object type: object type: object + externalID: + description: AWS External ID set on assumed IAM roles + type: string region: description: AWS Region to be used for the provider type: string 
@@ -6148,7 +6327,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -6588,6 +6767,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -6603,7 +6795,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -6636,6 +6827,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -7062,8 +7341,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -7092,6 +7370,9 @@ spec: type: object spec: properties: + controller: + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + type: string method: description: Vault API method to use (GET/POST/other) type: string @@ -7117,6 +7398,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -7132,7 +7426,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -7165,6 +7458,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -7360,6 +7741,10 @@ spec: - auth - server type: object + resultType: + default: Data + description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + type: string required: - path - provider @@ -7386,10 +7771,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7437,6 +7822,15 @@ rules: - "watch" - "update" - "patch" + - apiGroups: + - "coordination.k8s.io" + resources: + - "leases" + verbs: + - "get" + - "create" + - "update" + - "patch" --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7444,10 +7838,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -7553,10 +7947,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -7573,6 +7967,19 @@ rules: - "get" - "watch" - "list" + - apiGroups: + - "generators.external-secrets.io" + resources: + - "acraccesstokens" + - "ecrauthorizationtokens" + - "fakes" + - "gcraccesstokens" + - "passwords" + - "vaultdynamicsecrets" + verbs: + - "get" + - "watch" + - "list" --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7580,10 +7987,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" 
@@ -7601,6 +8008,43 @@ rules: - "deletecollection" - "patch" - "update" + - apiGroups: + - "generators.external-secrets.io" + resources: + - "acraccesstokens" + - "ecrauthorizationtokens" + - "fakes" + - "gcraccesstokens" + - "passwords" + - "vaultdynamicsecrets" + verbs: + - "create" + - "delete" + - "deletecollection" + - "patch" + - "update" +--- +# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: common-golang-external-secrets-servicebindings + labels: + servicebinding.io/controller: "true" + helm.sh/chart: external-secrets-0.8.5 + app.kubernetes.io/name: external-secrets + app.kubernetes.io/instance: common-golang-external-secrets + app.kubernetes.io/version: "v0.8.5" + app.kubernetes.io/managed-by: Helm +rules: + - apiGroups: + - "external-secrets.io" + resources: + - "externalsecrets" + verbs: + - "get" + - "list" + - "watch" --- # Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7608,10 +8052,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -7628,10 +8072,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -7664,10 +8108,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7703,10 +8147,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -7724,10 +8168,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: 
@@ -7748,10 +8192,10 @@ metadata: name: common-golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -7768,9 +8212,17 @@ spec: spec: serviceAccountName: external-secrets-cert-controller automountServiceAccountToken: true + hostNetwork: false containers: - name: cert-controller - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - certcontroller @@ -7798,10 +8250,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -7818,9 +8270,17 @@ spec: spec: serviceAccountName: common-golang-external-secrets automountServiceAccountToken: true + hostNetwork: false containers: - name: external-secrets - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 
@@ -7836,10 +8296,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -7859,7 +8319,14 @@ spec: automountServiceAccountToken: true containers: - name: webhook - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - webhook diff --git a/tests/common-golang-external-secrets-normal.expected.yaml b/tests/common-golang-external-secrets-normal.expected.yaml index 64450598..b516e345 100644 --- a/tests/common-golang-external-secrets-normal.expected.yaml +++ b/tests/common-golang-external-secrets-normal.expected.yaml @@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml 
@@ -19,10 +19,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -67,8 +67,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: acraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -209,8 +208,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: clusterexternalsecrets.external-secrets.io spec: group: external-secrets.io @@ -500,6 +498,9 @@ spec: engineVersion: default: v2 type: string + mergePolicy: + default: Replace + type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. properties: @@ -664,8 +665,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: clustersecretstores.external-secrets.io spec: group: external-secrets.io @@ -705,7 +705,7 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -844,6 +844,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: 
@@ -877,11 +894,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -1114,7 +1127,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -1854,7 +1867,7 @@ spec: type: object type: array controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -1993,6 +2006,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -2026,11 +2056,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string 
@@ -2114,6 +2140,9 @@ spec: type: object type: object type: object + externalID: + description: AWS External ID set on assumed IAM roles + type: string region: description: AWS Region to be used for the provider type: string @@ -2344,7 +2373,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -2784,6 +2813,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -2799,7 +2841,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -2832,6 +2873,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -3258,8 +3387,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: ecrauthorizationtokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -3387,8 +3515,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: externalsecrets.external-secrets.io spec: group: external-secrets.io @@ -3586,6 +3713,14 @@ spec: type: object status: properties: + binding: + description: Binding represents a servicebinding.io Provisioned Service reference to the secret + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic conditions: items: properties: @@ -3888,6 +4023,9 @@ spec: engineVersion: default: v2 type: string + mergePolicy: + default: Replace + type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. properties: @@ -3957,6 +4095,14 @@ spec: type: object status: properties: + binding: + description: Binding represents a servicebinding.io Provisioned Service reference to the secret + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic conditions: items: properties: 
@@ -4006,8 +4152,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: fakes.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4038,6 +4183,9 @@ spec: spec: description: FakeSpec contains the static data. properties: + controller: + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + type: string data: additionalProperties: type: string @@ -4065,8 +4213,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4174,8 +4321,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: passwords.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4253,8 +4399,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: pushsecrets.external-secrets.io spec: group: external-secrets.io @@ -4299,6 +4444,9 @@ spec: remoteRef: description: Remote Refs to push to providers. properties: + property: + description: Name of the property in the resulting secret + type: string remoteKey: description: Name of the resulting provider secret. type: string 
@@ -4424,6 +4572,9 @@ spec: remoteRef: description: Remote Refs to push to providers. properties: + property: + description: Name of the property in the resulting secret + type: string remoteKey: description: Name of the resulting provider secret. type: string @@ -4468,8 +4619,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: secretstores.external-secrets.io spec: group: external-secrets.io @@ -4509,7 +4659,7 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -4648,6 +4798,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -4681,11 +4848,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string 
@@ -4918,7 +5081,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -5658,7 +5821,7 @@ spec: type: object type: array controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -5797,6 +5960,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -5830,11 +6010,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -5918,6 +6094,9 @@ spec: type: object type: object type: object + externalID: + description: AWS External ID set on assumed IAM roles + type: string region: description: AWS Region to be used for the provider type: string 
@@ -6148,7 +6327,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -6588,6 +6767,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -6603,7 +6795,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -6636,6 +6827,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -7062,8 +7341,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -7092,6 +7370,9 @@ spec: type: object spec: properties: + controller: + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + type: string method: description: Vault API method to use (GET/POST/other) type: string @@ -7117,6 +7398,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -7132,7 +7426,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -7165,6 +7458,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -7360,6 +7741,10 @@ spec: - auth - server type: object + resultType: + default: Data + description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + type: string required: - path - provider @@ -7386,10 +7771,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7437,6 +7822,15 @@ rules: - "watch" - "update" - "patch" + - apiGroups: + - "coordination.k8s.io" + resources: + - "leases" + verbs: + - "get" + - "create" + - "update" + - "patch" --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7444,10 +7838,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -7553,10 +7947,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -7573,6 +7967,19 @@ rules: - "get" - "watch" - "list" + - apiGroups: + - "generators.external-secrets.io" + resources: + - "acraccesstokens" + - "ecrauthorizationtokens" + - "fakes" + - "gcraccesstokens" + - "passwords" + - "vaultdynamicsecrets" + verbs: + - "get" + - "watch" + - "list" --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7580,10 +7987,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" 
@@ -7601,6 +8008,43 @@ rules: - "deletecollection" - "patch" - "update" + - apiGroups: + - "generators.external-secrets.io" + resources: + - "acraccesstokens" + - "ecrauthorizationtokens" + - "fakes" + - "gcraccesstokens" + - "passwords" + - "vaultdynamicsecrets" + verbs: + - "create" + - "delete" + - "deletecollection" + - "patch" + - "update" +--- +# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: common-golang-external-secrets-servicebindings + labels: + servicebinding.io/controller: "true" + helm.sh/chart: external-secrets-0.8.5 + app.kubernetes.io/name: external-secrets + app.kubernetes.io/instance: common-golang-external-secrets + app.kubernetes.io/version: "v0.8.5" + app.kubernetes.io/managed-by: Helm +rules: + - apiGroups: + - "external-secrets.io" + resources: + - "externalsecrets" + verbs: + - "get" + - "list" + - "watch" --- # Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7608,10 +8052,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -7628,10 +8072,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -7664,10 +8108,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7703,10 +8147,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -7724,10 +8168,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: 
@@ -7748,10 +8192,10 @@ metadata: name: common-golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -7768,9 +8212,17 @@ spec: spec: serviceAccountName: external-secrets-cert-controller automountServiceAccountToken: true + hostNetwork: false containers: - name: cert-controller - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - certcontroller @@ -7798,10 +8250,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -7818,9 +8270,17 @@ spec: spec: serviceAccountName: common-golang-external-secrets automountServiceAccountToken: true + hostNetwork: false containers: - name: external-secrets - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 
@@ -7836,10 +8296,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -7859,7 +8319,14 @@ spec: automountServiceAccountToken: true containers: - name: webhook - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - webhook diff --git a/tests/common-hashicorp-vault-industrial-edge-factory.expected.yaml b/tests/common-hashicorp-vault-industrial-edge-factory.expected.yaml index 63889f70..8649bf1c 100644 --- a/tests/common-hashicorp-vault-industrial-edge-factory.expected.yaml +++ b/tests/common-hashicorp-vault-industrial-edge-factory.expected.yaml @@ -6,7 +6,7 @@ metadata: name: common-hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -18,7 +18,7 @@ metadata: name: common-hashicorp-vault-config namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -42,7 +42,7 @@ kind: ClusterRoleBinding metadata: name: common-hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -63,7 +63,7 @@ metadata: name: common-hashicorp-vault-internal namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -95,7 +95,7 @@ metadata: name: common-hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -126,7 +126,7 @@ metadata: name: common-hashicorp-vault-ui namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -168,7 +168,7 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault component: server @@ -205,7 +205,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.12.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -346,7 +346,7 @@ metadata: name: common-hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -373,7 +373,7 @@ spec: containers: - name: common-hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.12.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/tests/common-hashicorp-vault-industrial-edge-hub.expected.yaml b/tests/common-hashicorp-vault-industrial-edge-hub.expected.yaml index 63889f70..8649bf1c 100644 
--- a/tests/common-hashicorp-vault-industrial-edge-hub.expected.yaml +++ b/tests/common-hashicorp-vault-industrial-edge-hub.expected.yaml @@ -6,7 +6,7 @@ metadata: name: common-hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -18,7 +18,7 @@ metadata: name: common-hashicorp-vault-config namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -42,7 +42,7 @@ kind: ClusterRoleBinding metadata: name: common-hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -63,7 +63,7 @@ metadata: name: common-hashicorp-vault-internal namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -95,7 +95,7 @@ metadata: name: common-hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -126,7 +126,7 @@ metadata: name: common-hashicorp-vault-ui namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -168,7 +168,7 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault component: server 
@@ -205,7 +205,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.12.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -346,7 +346,7 @@ metadata: name: common-hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -373,7 +373,7 @@ spec: containers: - name: common-hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.12.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/tests/common-hashicorp-vault-medical-diagnosis-hub.expected.yaml b/tests/common-hashicorp-vault-medical-diagnosis-hub.expected.yaml index 63889f70..8649bf1c 100644 --- a/tests/common-hashicorp-vault-medical-diagnosis-hub.expected.yaml +++ b/tests/common-hashicorp-vault-medical-diagnosis-hub.expected.yaml @@ -6,7 +6,7 @@ metadata: name: common-hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -18,7 +18,7 @@ metadata: name: common-hashicorp-vault-config namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -42,7 +42,7 @@ kind: ClusterRoleBinding metadata: name: common-hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -63,7 +63,7 @@ metadata: name: common-hashicorp-vault-internal namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -95,7 +95,7 @@ metadata: name: common-hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -126,7 +126,7 @@ metadata: name: common-hashicorp-vault-ui namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -168,7 +168,7 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault component: server @@ -205,7 +205,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.12.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -346,7 +346,7 @@ metadata: name: common-hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -373,7 +373,7 @@ spec: containers: - name: common-hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.12.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/tests/common-hashicorp-vault-naked.expected.yaml b/tests/common-hashicorp-vault-naked.expected.yaml index d0d10b05..682eeb67 100644 --- a/tests/common-hashicorp-vault-naked.expected.yaml 
+++ b/tests/common-hashicorp-vault-naked.expected.yaml @@ -6,7 +6,7 @@ metadata: name: common-hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -18,7 +18,7 @@ metadata: name: common-hashicorp-vault-config namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -42,7 +42,7 @@ kind: ClusterRoleBinding metadata: name: common-hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -63,7 +63,7 @@ metadata: name: common-hashicorp-vault-internal namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -95,7 +95,7 @@ metadata: name: common-hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -126,7 +126,7 @@ metadata: name: common-hashicorp-vault-ui namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -168,7 +168,7 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault component: server 
@@ -205,7 +205,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.12.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -346,7 +346,7 @@ metadata: name: common-hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -373,7 +373,7 @@ spec: containers: - name: common-hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.12.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/tests/common-hashicorp-vault-normal.expected.yaml b/tests/common-hashicorp-vault-normal.expected.yaml index 63889f70..8649bf1c 100644 --- a/tests/common-hashicorp-vault-normal.expected.yaml +++ b/tests/common-hashicorp-vault-normal.expected.yaml @@ -6,7 +6,7 @@ metadata: name: common-hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -18,7 +18,7 @@ metadata: name: common-hashicorp-vault-config namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -42,7 +42,7 @@ kind: ClusterRoleBinding metadata: name: common-hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -63,7 +63,7 @@ metadata: name: common-hashicorp-vault-internal namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -95,7 +95,7 @@ metadata: name: common-hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -126,7 +126,7 @@ metadata: name: common-hashicorp-vault-ui namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -168,7 +168,7 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault component: server @@ -205,7 +205,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.12.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -346,7 +346,7 @@ metadata: name: common-hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -373,7 +373,7 @@ spec: containers: - name: common-hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.12.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/tests/common-letsencrypt-industrial-edge-factory.expected.yaml b/tests/common-letsencrypt-industrial-edge-factory.expected.yaml new file mode 100644 index 00000000..b5aded2f --- /dev/null 
+++ b/tests/common-letsencrypt-industrial-edge-factory.expected.yaml 
@@ -0,0 +1,202 @@ +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager-operator +spec: +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager +spec: +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: letsencrypt +spec: +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: config.openshift.io/v1 +kind: APIServer +metadata: + name: cluster + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + servingCerts: + namedCertificates: + - names: + - api.region.example.com + servingCertificate: + name: api-validated-patterns-letsencrypt-cert +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: argoproj.io/v1alpha1 +kind: ArgoCD +metadata: + name: openshift-gitops + namespace: openshift-gitops + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + server: + route: + enabled: true + tls: + termination: reencrypt +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operator.openshift.io/v1alpha1 +kind: CertManager +metadata: + name: cluster + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + managementState: "Managed" + unsupportedConfigOverrides: + # Here's an example to supply custom DNS settings. 
+ controller: + args: + - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53" + - "--dns01-recursive-nameservers-only" +--- +# Source: letsencrypt/templates/api-cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: api-validated-patterns-cert + namespace: openshift-config + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + secretName: api-validated-patterns-letsencrypt-cert + duration: 168h0m0s + renewBefore: 28h0m0s + commonName: 'api.region.example.com' + usages: + - server auth + dnsNames: + - api.region.example.com + issuerRef: + name: validated-patterns-issuer + kind: ClusterIssuer + subject: + organizations: + - hybrid-cloud-patterns.io +--- +# Source: letsencrypt/templates/wildcard-cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: lets-encrypt-certs + namespace: openshift-ingress + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + secretName: lets-encrypt-wildcart-cert-tls + duration: 168h0m0s + renewBefore: 28h0m0s + commonName: '*.apps.region.example.com' + usages: + - server auth + dnsNames: + - '*.apps.region.example.com' + issuerRef: + name: validated-patterns-issuer + kind: ClusterIssuer + subject: + organizations: + - hybrid-cloud-patterns.io +--- +# Source: letsencrypt/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: validated-patterns-issuer + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + acme: + server: https://acme-staging-v02.api.letsencrypt.org/directory + email: test@example.com + privateKeySecretRef: + name: validated-patterns-issuer-account-key + solvers: + - selector: {} + dns01: + route53: + region: eu-central-1 + accessKeyIDSecretRef: + name: cert-manager-dns-credentials + key: aws_access_key_id + secretAccessKeySecretRef: + name: cert-manager-dns-credentials + key: aws_secret_access_key +--- +# Source: 
letsencrypt/templates/credentials-request.yaml +apiVersion: cloudcredential.openshift.io/v1 +kind: CredentialsRequest +metadata: + name: letsencrypt-cert-manager-dns + namespace: openshift-cloud-credential-operator + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + providerSpec: + apiVersion: cloudcredential.openshift.io/v1 + kind: AWSProviderSpec + statementEntries: + - action: + - 'route53:ChangeResourceRecordSets' + - 'route53:GetChange' + - 'route53:ListHostedZonesByName' + - 'route53:ListHostedZones' + effect: Allow + resource: '*' + secretRef: + name: cert-manager-dns-credentials + namespace: cert-manager +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: operator.openshift.io/v1 +kind: IngressController +metadata: + name: default + namespace: openshift-ingress-operator + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + routeAdmission: + wildcardPolicy: WildcardsAllowed + defaultCertificate: + name: lets-encrypt-wildcart-cert-tls +# Patch the cluster-wide argocd instance so it uses the ingress tls cert +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operators.coreos.com/v1 +kind: OperatorGroup +metadata: + name: cert-manager-operator + namespace: cert-manager-operator +spec: + targetNamespaces: + - cert-manager-operator +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operators.coreos.com/v1alpha1 +kind: Subscription +metadata: + name: openshift-cert-manager-operator + namespace: cert-manager-operator +spec: + channel: "stable-v1" + installPlanApproval: Automatic + name: openshift-cert-manager-operator + source: redhat-operators + sourceNamespace: openshift-marketplace diff --git a/tests/common-letsencrypt-industrial-edge-hub.expected.yaml b/tests/common-letsencrypt-industrial-edge-hub.expected.yaml new file mode 100644 index 00000000..b5aded2f 
--- /dev/null +++ b/tests/common-letsencrypt-industrial-edge-hub.expected.yaml 
@@ -0,0 +1,202 @@ +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager-operator +spec: +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager +spec: +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: letsencrypt +spec: +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: config.openshift.io/v1 +kind: APIServer +metadata: + name: cluster + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + servingCerts: + namedCertificates: + - names: + - api.region.example.com + servingCertificate: + name: api-validated-patterns-letsencrypt-cert +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: argoproj.io/v1alpha1 +kind: ArgoCD +metadata: + name: openshift-gitops + namespace: openshift-gitops + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + server: + route: + enabled: true + tls: + termination: reencrypt +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operator.openshift.io/v1alpha1 +kind: CertManager +metadata: + name: cluster + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + managementState: "Managed" + unsupportedConfigOverrides: + # Here's an example to supply custom DNS settings. 
+ controller: + args: + - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53" + - "--dns01-recursive-nameservers-only" +--- +# Source: letsencrypt/templates/api-cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: api-validated-patterns-cert + namespace: openshift-config + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + secretName: api-validated-patterns-letsencrypt-cert + duration: 168h0m0s + renewBefore: 28h0m0s + commonName: 'api.region.example.com' + usages: + - server auth + dnsNames: + - api.region.example.com + issuerRef: + name: validated-patterns-issuer + kind: ClusterIssuer + subject: + organizations: + - hybrid-cloud-patterns.io +--- +# Source: letsencrypt/templates/wildcard-cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: lets-encrypt-certs + namespace: openshift-ingress + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + secretName: lets-encrypt-wildcart-cert-tls + duration: 168h0m0s + renewBefore: 28h0m0s + commonName: '*.apps.region.example.com' + usages: + - server auth + dnsNames: + - '*.apps.region.example.com' + issuerRef: + name: validated-patterns-issuer + kind: ClusterIssuer + subject: + organizations: + - hybrid-cloud-patterns.io +--- +# Source: letsencrypt/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: validated-patterns-issuer + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + acme: + server: https://acme-staging-v02.api.letsencrypt.org/directory + email: test@example.com + privateKeySecretRef: + name: validated-patterns-issuer-account-key + solvers: + - selector: {} + dns01: + route53: + region: eu-central-1 + accessKeyIDSecretRef: + name: cert-manager-dns-credentials + key: aws_access_key_id + secretAccessKeySecretRef: + name: cert-manager-dns-credentials + key: aws_secret_access_key +--- +# Source: 
letsencrypt/templates/credentials-request.yaml +apiVersion: cloudcredential.openshift.io/v1 +kind: CredentialsRequest +metadata: + name: letsencrypt-cert-manager-dns + namespace: openshift-cloud-credential-operator + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + providerSpec: + apiVersion: cloudcredential.openshift.io/v1 + kind: AWSProviderSpec + statementEntries: + - action: + - 'route53:ChangeResourceRecordSets' + - 'route53:GetChange' + - 'route53:ListHostedZonesByName' + - 'route53:ListHostedZones' + effect: Allow + resource: '*' + secretRef: + name: cert-manager-dns-credentials + namespace: cert-manager +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: operator.openshift.io/v1 +kind: IngressController +metadata: + name: default + namespace: openshift-ingress-operator + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + routeAdmission: + wildcardPolicy: WildcardsAllowed + defaultCertificate: + name: lets-encrypt-wildcart-cert-tls +# Patch the cluster-wide argocd instance so it uses the ingress tls cert +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operators.coreos.com/v1 +kind: OperatorGroup +metadata: + name: cert-manager-operator + namespace: cert-manager-operator +spec: + targetNamespaces: + - cert-manager-operator +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operators.coreos.com/v1alpha1 +kind: Subscription +metadata: + name: openshift-cert-manager-operator + namespace: cert-manager-operator +spec: + channel: "stable-v1" + installPlanApproval: Automatic + name: openshift-cert-manager-operator + source: redhat-operators + sourceNamespace: openshift-marketplace diff --git a/tests/common-letsencrypt-medical-diagnosis-hub.expected.yaml b/tests/common-letsencrypt-medical-diagnosis-hub.expected.yaml new file mode 100644 index 00000000..b5aded2f 
--- /dev/null +++ b/tests/common-letsencrypt-medical-diagnosis-hub.expected.yaml 
@@ -0,0 +1,202 @@ +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager-operator +spec: +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager +spec: +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: letsencrypt +spec: +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: config.openshift.io/v1 +kind: APIServer +metadata: + name: cluster + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + servingCerts: + namedCertificates: + - names: + - api.region.example.com + servingCertificate: + name: api-validated-patterns-letsencrypt-cert +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: argoproj.io/v1alpha1 +kind: ArgoCD +metadata: + name: openshift-gitops + namespace: openshift-gitops + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + server: + route: + enabled: true + tls: + termination: reencrypt +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operator.openshift.io/v1alpha1 +kind: CertManager +metadata: + name: cluster + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + managementState: "Managed" + unsupportedConfigOverrides: + # Here's an example to supply custom DNS settings. 
+ controller: + args: + - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53" + - "--dns01-recursive-nameservers-only" +--- +# Source: letsencrypt/templates/api-cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: api-validated-patterns-cert + namespace: openshift-config + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + secretName: api-validated-patterns-letsencrypt-cert + duration: 168h0m0s + renewBefore: 28h0m0s + commonName: 'api.region.example.com' + usages: + - server auth + dnsNames: + - api.region.example.com + issuerRef: + name: validated-patterns-issuer + kind: ClusterIssuer + subject: + organizations: + - hybrid-cloud-patterns.io +--- +# Source: letsencrypt/templates/wildcard-cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: lets-encrypt-certs + namespace: openshift-ingress + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + secretName: lets-encrypt-wildcart-cert-tls + duration: 168h0m0s + renewBefore: 28h0m0s + commonName: '*.apps.region.example.com' + usages: + - server auth + dnsNames: + - '*.apps.region.example.com' + issuerRef: + name: validated-patterns-issuer + kind: ClusterIssuer + subject: + organizations: + - hybrid-cloud-patterns.io +--- +# Source: letsencrypt/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: validated-patterns-issuer + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + acme: + server: https://acme-staging-v02.api.letsencrypt.org/directory + email: test@example.com + privateKeySecretRef: + name: validated-patterns-issuer-account-key + solvers: + - selector: {} + dns01: + route53: + region: eu-central-1 + accessKeyIDSecretRef: + name: cert-manager-dns-credentials + key: aws_access_key_id + secretAccessKeySecretRef: + name: cert-manager-dns-credentials + key: aws_secret_access_key +--- +# Source: 
letsencrypt/templates/credentials-request.yaml +apiVersion: cloudcredential.openshift.io/v1 +kind: CredentialsRequest +metadata: + name: letsencrypt-cert-manager-dns + namespace: openshift-cloud-credential-operator + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + providerSpec: + apiVersion: cloudcredential.openshift.io/v1 + kind: AWSProviderSpec + statementEntries: + - action: + - 'route53:ChangeResourceRecordSets' + - 'route53:GetChange' + - 'route53:ListHostedZonesByName' + - 'route53:ListHostedZones' + effect: Allow + resource: '*' + secretRef: + name: cert-manager-dns-credentials + namespace: cert-manager +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: operator.openshift.io/v1 +kind: IngressController +metadata: + name: default + namespace: openshift-ingress-operator + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + routeAdmission: + wildcardPolicy: WildcardsAllowed + defaultCertificate: + name: lets-encrypt-wildcart-cert-tls +# Patch the cluster-wide argocd instance so it uses the ingress tls cert +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operators.coreos.com/v1 +kind: OperatorGroup +metadata: + name: cert-manager-operator + namespace: cert-manager-operator +spec: + targetNamespaces: + - cert-manager-operator +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operators.coreos.com/v1alpha1 +kind: Subscription +metadata: + name: openshift-cert-manager-operator + namespace: cert-manager-operator +spec: + channel: "stable-v1" + installPlanApproval: Automatic + name: openshift-cert-manager-operator + source: redhat-operators + sourceNamespace: openshift-marketplace diff --git a/tests/common-letsencrypt-naked.expected.yaml b/tests/common-letsencrypt-naked.expected.yaml new file mode 100644 index 00000000..73aa94a4 --- /dev/null 
+++ b/tests/common-letsencrypt-naked.expected.yaml 
@@ -0,0 +1,202 @@ +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager-operator +spec: +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager +spec: +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: letsencrypt +spec: +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: config.openshift.io/v1 +kind: APIServer +metadata: + name: cluster + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + servingCerts: + namedCertificates: + - names: + - api.example.com + servingCertificate: + name: api-validated-patterns-letsencrypt-cert +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: argoproj.io/v1alpha1 +kind: ArgoCD +metadata: + name: openshift-gitops + namespace: openshift-gitops + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + server: + route: + enabled: true + tls: + termination: reencrypt +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operator.openshift.io/v1alpha1 +kind: CertManager +metadata: + name: cluster + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + managementState: "Managed" + unsupportedConfigOverrides: + # Here's an example to supply custom DNS settings. 
+ controller: + args: + - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53" + - "--dns01-recursive-nameservers-only" +--- +# Source: letsencrypt/templates/api-cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: api-validated-patterns-cert + namespace: openshift-config + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + secretName: api-validated-patterns-letsencrypt-cert + duration: 168h0m0s + renewBefore: 28h0m0s + commonName: 'api.example.com' + usages: + - server auth + dnsNames: + - api.example.com + issuerRef: + name: validated-patterns-issuer + kind: ClusterIssuer + subject: + organizations: + - hybrid-cloud-patterns.io +--- +# Source: letsencrypt/templates/wildcard-cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: lets-encrypt-certs + namespace: openshift-ingress + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + secretName: lets-encrypt-wildcart-cert-tls + duration: 168h0m0s + renewBefore: 28h0m0s + commonName: '*.apps.example.com' + usages: + - server auth + dnsNames: + - '*.apps.example.com' + issuerRef: + name: validated-patterns-issuer + kind: ClusterIssuer + subject: + organizations: + - hybrid-cloud-patterns.io +--- +# Source: letsencrypt/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: validated-patterns-issuer + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + acme: + server: https://acme-staging-v02.api.letsencrypt.org/directory + email: test@example.com + privateKeySecretRef: + name: validated-patterns-issuer-account-key + solvers: + - selector: {} + dns01: + route53: + region: eu-central-1 + accessKeyIDSecretRef: + name: cert-manager-dns-credentials + key: aws_access_key_id + secretAccessKeySecretRef: + name: cert-manager-dns-credentials + key: aws_secret_access_key +--- +# Source: 
letsencrypt/templates/credentials-request.yaml +apiVersion: cloudcredential.openshift.io/v1 +kind: CredentialsRequest +metadata: + name: letsencrypt-cert-manager-dns + namespace: openshift-cloud-credential-operator + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + providerSpec: + apiVersion: cloudcredential.openshift.io/v1 + kind: AWSProviderSpec + statementEntries: + - action: + - 'route53:ChangeResourceRecordSets' + - 'route53:GetChange' + - 'route53:ListHostedZonesByName' + - 'route53:ListHostedZones' + effect: Allow + resource: '*' + secretRef: + name: cert-manager-dns-credentials + namespace: cert-manager +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: operator.openshift.io/v1 +kind: IngressController +metadata: + name: default + namespace: openshift-ingress-operator + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + routeAdmission: + wildcardPolicy: WildcardsAllowed + defaultCertificate: + name: lets-encrypt-wildcart-cert-tls +# Patch the cluster-wide argocd instance so it uses the ingress tls cert +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operators.coreos.com/v1 +kind: OperatorGroup +metadata: + name: cert-manager-operator + namespace: cert-manager-operator +spec: + targetNamespaces: + - cert-manager-operator +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operators.coreos.com/v1alpha1 +kind: Subscription +metadata: + name: openshift-cert-manager-operator + namespace: cert-manager-operator +spec: + channel: "stable-v1" + installPlanApproval: Automatic + name: openshift-cert-manager-operator + source: redhat-operators + sourceNamespace: openshift-marketplace diff --git a/tests/common-letsencrypt-normal.expected.yaml b/tests/common-letsencrypt-normal.expected.yaml new file mode 100644 index 00000000..b5aded2f --- /dev/null 
+++ b/tests/common-letsencrypt-normal.expected.yaml 
@@ -0,0 +1,202 @@ +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager-operator +spec: +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager +spec: +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: letsencrypt +spec: +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: config.openshift.io/v1 +kind: APIServer +metadata: + name: cluster + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + servingCerts: + namedCertificates: + - names: + - api.region.example.com + servingCertificate: + name: api-validated-patterns-letsencrypt-cert +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: argoproj.io/v1alpha1 +kind: ArgoCD +metadata: + name: openshift-gitops + namespace: openshift-gitops + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + server: + route: + enabled: true + tls: + termination: reencrypt +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operator.openshift.io/v1alpha1 +kind: CertManager +metadata: + name: cluster + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + managementState: "Managed" + unsupportedConfigOverrides: + # Here's an example to supply custom DNS settings. 
+ controller: + args: + - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53" + - "--dns01-recursive-nameservers-only" +--- +# Source: letsencrypt/templates/api-cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: api-validated-patterns-cert + namespace: openshift-config + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + secretName: api-validated-patterns-letsencrypt-cert + duration: 168h0m0s + renewBefore: 28h0m0s + commonName: 'api.region.example.com' + usages: + - server auth + dnsNames: + - api.region.example.com + issuerRef: + name: validated-patterns-issuer + kind: ClusterIssuer + subject: + organizations: + - hybrid-cloud-patterns.io +--- +# Source: letsencrypt/templates/wildcard-cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: lets-encrypt-certs + namespace: openshift-ingress + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + secretName: lets-encrypt-wildcart-cert-tls + duration: 168h0m0s + renewBefore: 28h0m0s + commonName: '*.apps.region.example.com' + usages: + - server auth + dnsNames: + - '*.apps.region.example.com' + issuerRef: + name: validated-patterns-issuer + kind: ClusterIssuer + subject: + organizations: + - hybrid-cloud-patterns.io +--- +# Source: letsencrypt/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: validated-patterns-issuer + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + acme: + server: https://acme-staging-v02.api.letsencrypt.org/directory + email: test@example.com + privateKeySecretRef: + name: validated-patterns-issuer-account-key + solvers: + - selector: {} + dns01: + route53: + region: eu-central-1 + accessKeyIDSecretRef: + name: cert-manager-dns-credentials + key: aws_access_key_id + secretAccessKeySecretRef: + name: cert-manager-dns-credentials + key: aws_secret_access_key +--- +# Source: 
letsencrypt/templates/credentials-request.yaml +apiVersion: cloudcredential.openshift.io/v1 +kind: CredentialsRequest +metadata: + name: letsencrypt-cert-manager-dns + namespace: openshift-cloud-credential-operator + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + providerSpec: + apiVersion: cloudcredential.openshift.io/v1 + kind: AWSProviderSpec + statementEntries: + - action: + - 'route53:ChangeResourceRecordSets' + - 'route53:GetChange' + - 'route53:ListHostedZonesByName' + - 'route53:ListHostedZones' + effect: Allow + resource: '*' + secretRef: + name: cert-manager-dns-credentials + namespace: cert-manager +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: operator.openshift.io/v1 +kind: IngressController +metadata: + name: default + namespace: openshift-ingress-operator + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + routeAdmission: + wildcardPolicy: WildcardsAllowed + defaultCertificate: + name: lets-encrypt-wildcart-cert-tls +# Patch the cluster-wide argocd instance so it uses the ingress tls cert +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operators.coreos.com/v1 +kind: OperatorGroup +metadata: + name: cert-manager-operator + namespace: cert-manager-operator +spec: + targetNamespaces: + - cert-manager-operator +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operators.coreos.com/v1alpha1 +kind: Subscription +metadata: + name: openshift-cert-manager-operator + namespace: cert-manager-operator +spec: + channel: "stable-v1" + installPlanApproval: Automatic + name: openshift-cert-manager-operator + source: redhat-operators + sourceNamespace: openshift-marketplace diff --git a/tests/common-operator-install-industrial-edge-factory.expected.yaml b/tests/common-operator-install-industrial-edge-factory.expected.yaml index 86216703..3a65cc7c 100644 
--- a/tests/common-operator-install-industrial-edge-factory.expected.yaml +++ b/tests/common-operator-install-industrial-edge-factory.expected.yaml @@ -12,6 +12,7 @@ spec: targetRevision: main gitOpsSpec: operatorChannel: gitops-1.8 + operatorSource: redhat-operators --- # Source: pattern-install/templates/subscription.yaml apiVersion: operators.coreos.com/v1alpha1 diff --git a/tests/common-operator-install-industrial-edge-hub.expected.yaml b/tests/common-operator-install-industrial-edge-hub.expected.yaml index 86216703..3a65cc7c 100644 --- a/tests/common-operator-install-industrial-edge-hub.expected.yaml +++ b/tests/common-operator-install-industrial-edge-hub.expected.yaml @@ -12,6 +12,7 @@ spec: targetRevision: main gitOpsSpec: operatorChannel: gitops-1.8 + operatorSource: redhat-operators --- # Source: pattern-install/templates/subscription.yaml apiVersion: operators.coreos.com/v1alpha1 diff --git a/tests/common-operator-install-medical-diagnosis-hub.expected.yaml b/tests/common-operator-install-medical-diagnosis-hub.expected.yaml index 86216703..3a65cc7c 100644 --- a/tests/common-operator-install-medical-diagnosis-hub.expected.yaml +++ b/tests/common-operator-install-medical-diagnosis-hub.expected.yaml @@ -12,6 +12,7 @@ spec: targetRevision: main gitOpsSpec: operatorChannel: gitops-1.8 + operatorSource: redhat-operators --- # Source: pattern-install/templates/subscription.yaml apiVersion: operators.coreos.com/v1alpha1 diff --git a/tests/common-operator-install-naked.expected.yaml b/tests/common-operator-install-naked.expected.yaml index 1289183d..beabcc82 100644 --- a/tests/common-operator-install-naked.expected.yaml +++ b/tests/common-operator-install-naked.expected.yaml @@ -12,6 +12,7 @@ spec: targetRevision: main gitOpsSpec: operatorChannel: gitops-1.8 + operatorSource: redhat-operators --- # Source: pattern-install/templates/subscription.yaml apiVersion: operators.coreos.com/v1alpha1 
diff --git a/tests/common-operator-install-normal.expected.yaml b/tests/common-operator-install-normal.expected.yaml index 86216703..3a65cc7c 100644 --- a/tests/common-operator-install-normal.expected.yaml +++ b/tests/common-operator-install-normal.expected.yaml @@ -12,6 +12,7 @@ spec: targetRevision: main gitOpsSpec: operatorChannel: gitops-1.8 + operatorSource: redhat-operators --- # Source: pattern-install/templates/subscription.yaml apiVersion: operators.coreos.com/v1alpha1