mirrors/external-secrets
1
0
Fork 0
mirror of https://github.com/external-secrets/external-secrets.git synced 2024-12-14 11:57:59 +00:00
Code Activity

Revert "3012 - Probes for external-secrets (#3131)" (#3213)

Browse source 
This reverts commit 7eebfa027c.

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
This commit is contained in:
Gergely Brautigam 2024-03-01 13:22:35 +01:00 committed by GitHub
parent 7eebfa027c
commit 02f941b0a0
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
9 changed files with 13 additions and 159 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
cmd/root.go
View file

@ -57,7 +57,6 @@ var (
setupLog = ctrl.Log.WithName("setup")
dnsName string
certDir string
liveAddr string
metricsAddr string
healthzAddr string
controllerClass string
@ -145,7 +144,6 @@ var rootCmd = &cobra.Command{
Metrics: server.Options{
BindAddress: metricsAddr,
},
LivenessEndpointName: liveAddr,
WebhookServer: webhook.NewServer(webhook.Options{
Port: 9443,
}),
@ -259,7 +257,6 @@ func Execute() {
func init() {
rootCmd.Flags().StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
rootCmd.Flags().StringVar(&liveAddr, "live-addr", ":8082", "The address the live endpoint binds to.")
rootCmd.Flags().StringVar(&controllerClass, "controller-class", "default", "The controller is instantiated with a specific controller name and filters ES based on this property")
rootCmd.Flags().BoolVar(&enableLeaderElection, "enable-leader-election", false,
"Enable leader election for controller manager. "+

17
deploy/charts/external-secrets/README.md
View file

@ -1,6 +1,6 @@
# External Secrets
<p"left"><img src="https://raw.githubusercontent.com/external-secrets/external-secrets/main/assets/eso-logo-large.png" width="100x" alt="eso-logo-large"/></p>
<p align="left"><img src="https://raw.githubusercontent.com/external-secrets/external-secrets/main/assets/eso-logo-large.png" width="100x" /></p>
[//]: # (README.md generated by gotmpl. DO NOT EDIT.)
@ -99,20 +99,13 @@ The command removes all the Kubernetes components associated with the chart and
| extraVolumes | list | `[]` | |
| fullnameOverride | string | `""` | |
| hostNetwork | bool | `false` | Run the controller on the host network |
| image.flavour | string | `""` | The flavour of tag you want to use There are different image flavours available, like distroless and ubi. Please see GitHub release notes for image tags for these flavors. By default, the distroless image is used. |
| image.flavour | string | `""` | The flavour of tag you want to use There are different image flavours available, like distroless and ubi. Please see GitHub release notes for image tags for these flavors. By default the distroless image is used. |
| image.pullPolicy | string | `"IfNotPresent"` | |
| image.repository | string | `"ghcr.io/external-secrets/external-secrets"` | |
| image.tag | string | `""` | The image tag to use. The default is the chart appVersion. |
| imagePullSecrets | list | `[]` | |
| installCRDs | bool | `true` | If set, install and upgrade CRDs through helm chart. |
| leaderElect | bool | `false` | If true, external-secrets will perform leader election between instances to ensure no more than one instance of external-secrets operates at a time. |
| livenessProbe.address | string | `""` | Address for liveness probe |
| livenessProbe.failureThreshold | int | `5` | Number of consecutive probe failures that should occur before considering the probe as failed |
| livenessProbe.initialDelaySeconds | int | `10` | Delay in seconds for container to start before performing the initial probe |
| livenessProbe.periodSeconds | int | `10` | Period in seconds for K8s to start performing probes |
| livenessProbe.port | int | `8082` | Liveness probe port for kubelet |
| livenessProbe.successThreshold | int | `1` | Number of successful probes to mark probe successful |
| livenessProbe.timeoutSeconds | int | `5` | Specify the maximum amount of time to wait for a probe to respond before considering it fails |
| metrics.listen.port | int | `8080` | |
| metrics.service.annotations | object | `{}` | Additional service annotations |
| metrics.service.enabled | bool | `false` | Enable if you use another monitoring tool than Prometheus to scrape the metrics |
@ -159,13 +152,13 @@ The command removes all the Kubernetes components associated with the chart and
| webhook.affinity | object | `{}` | |
| webhook.certCheckInterval | string | `"5m"` | Specifices the time to check if the cert is valid |
| webhook.certDir | string | `"/tmp/certs"` | |
| webhook.certManager.addInjectorAnnotations | bool | `true` | Automatically add the cert-manager.io/inject-ca-from annotation to the webhooks and CRDs. As long as you have the cert-manager CA Injector enabled, this will automatically set up your webhook's CA to the one used by cert-manager. See https://cert-manager.io/docs/concepts/ca-injector |
| webhook.certManager.addInjectorAnnotations | bool | `true` | Automatically add the cert-manager.io/inject-ca-from annotation to the webhooks and CRDs. As long as you have the cert-manager CA Injector enabled, this will automatically setup your webhook's CA to the one used by cert-manager. See https://cert-manager.io/docs/concepts/ca-injector |
| webhook.certManager.cert.annotations | object | `{}` | Add extra annotations to the Certificate resource. |
| webhook.certManager.cert.create | bool | `true` | Create a certificate resource within this chart. See https://cert-manager.io/docs/usage/certificate/ |
| webhook.certManager.cert.duration | string | `"8760h"` | Set the requested duration (i.e. lifetime) of the Certificate. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec One year by default. |
| webhook.certManager.cert.issuerRef | object | `{"group":"cert-manager.io","kind":"Issuer","name":"my-issuer"}` | For the Certificate created by this chart, set up the issuer. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.IssuerSpec |
| webhook.certManager.cert.issuerRef | object | `{"group":"cert-manager.io","kind":"Issuer","name":"my-issuer"}` | For the Certificate created by this chart, setup the issuer. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.IssuerSpec |
| webhook.certManager.cert.renewBefore | string | `""` | How long before the currently issued certificates expiry cert-manager should renew the certificate. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec Note that renewBefore should be greater than .webhook.lookaheadInterval since the webhook will check this far in advance that the certificate is valid. |
| webhook.certManager.enabled | bool | `false` | Enabling cert-manager support will disable the built-in secret and switch to using cert-manager (installed separately) to automatically issue and renew the webhook certificate. This chart does not install cert-manager for you, See https://cert-manager.io/docs/ |
| webhook.certManager.enabled | bool | `false` | Enabling cert-manager support will disable the built in secret and switch to using cert-manager (installed separately) to automatically issue and renew the webhook certificate. This chart does not install cert-manager for you, See https://cert-manager.io/docs/ |
| webhook.create | bool | `true` | Specifies whether a webhook deployment be created. |
| webhook.deploymentAnnotations | object | `{}` | Annotations to add to Deployment |
| webhook.extraArgs | object | `{}` | |

2
deploy/charts/external-secrets/README.md.gotmpl
View file

@ -2,7 +2,7 @@
{{- $org := "external-secrets" -}}
# External Secrets
<p"left"><img src="https://raw.githubusercontent.com/external-secrets/external-secrets/main/assets/eso-logo-large.png" width="100x" alt="eso-logo-large"/></p>
<p align="left"><img src="https://raw.githubusercontent.com/external-secrets/external-secrets/main/assets/eso-logo-large.png" width="100x" /></p>
[//]: # (README.md generated by gotmpl. DO NOT EDIT.)

10
deploy/charts/external-secrets/templates/deployment.yaml
View file

@ -87,20 +87,10 @@ spec:
{{- end }}
{{- end }}
- --metrics-addr=:{{ .Values.metrics.listen.port }}
- --live-addr=:{{ .Values.livenessProbe.port }}
ports:
- containerPort: {{ .Values.metrics.listen.port }}
protocol: TCP
name: metrics
livenessProbe:
failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
httpGet:
port: {{ .Values.livenessProbe.port }}
path: /live
initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
successThreshold: {{ .Values.livenessProbe.successThreshold }}
timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
{{- with .Values.extraEnv }}
env:
{{- toYaml . | nindent 12 }}

10
deploy/charts/external-secrets/tests/__snapshot__/controller_test.yaml.snap
View file

@ -32,18 +32,8 @@ should match snapshot of default values:
- args:
- --concurrent=1
- --metrics-addr=:8080
- --live-addr=:8082
image: ghcr.io/external-secrets/external-secrets:v0.9.13
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 5
httpGet:
path: /live
port: 8082
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: external-secrets
ports:
- containerPort: 8080

92
deploy/charts/external-secrets/tests/__snapshot__/crds_test.yaml.snap
View file

@ -2417,34 +2417,6 @@ should match snapshot of default values:
required:
- data
type: object
fortanix:
description: Fortanix configures this store to sync secrets using the Fortanix provider
properties:
apiKey:
description: APIKey is the API token to access SDKMS Applications.
properties:
secretRef:
description: SecretRef is a reference to a secret containing the SDKMS API Key.
properties:
key:
description: |-
The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
type: string
namespace:
description: |-
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
to the namespace of the referent.
type: string
type: object
type: object
apiUrl:
description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
type: string
type: object
gcpsm:
description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
properties:
@ -2776,70 +2748,6 @@ should match snapshot of default values:
required:
- auth
type: object
onboardbase:
description: Onboardbase configures this store to sync secrets using the Onboardbase provider
properties:
apiHost:
default: https://public.onboardbase.com/api/v1/
description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
type: string
auth:
description: Auth configures how the Operator authenticates with the Onboardbase API
properties:
apiKeyRef:
description: |-
OnboardbaseAPIKey is the APIKey generated by an admin account.
It is used to recognize and authorize access to a project and environment within onboardbase
properties:
key:
description: |-
The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
type: string
namespace:
description: |-
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
to the namespace of the referent.
type: string
type: object
passcodeRef:
description: OnboardbasePasscode is the passcode attached to the API Key
properties:
key:
description: |-
The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
type: string
namespace:
description: |-
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
to the namespace of the referent.
type: string
type: object
required:
- apiKeyRef
- passcodeRef
type: object
environment:
default: development
description: Environment is the name of an environmnent within a project to pull the secrets from
type: string
project:
default: development
description: Project is an onboardbase project that the secrets should be pulled from
type: string
required:
- apiHost
- auth
- environment
- project
type: object
onepassword:
description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
properties:

7
deploy/charts/external-secrets/tests/controller_test.yaml
View file

@ -54,13 +54,6 @@ tests:
- equal:
path: spec.template.spec.containers[0].args[1]
value: "--metrics-addr=:8888"
- it: should override livenessProbe port
set:
livenessProbe.port: 8082
asserts:
- equal:
path: spec.template.spec.containers[0].args[2]
value: "--live-addr=:8082"
- it: should override image flavour
set:
image.repository: ghcr.io/external-secrets/external-secrets

24
deploy/charts/external-secrets/values.yaml
View file

@ -11,7 +11,7 @@ image:
# -- The flavour of tag you want to use
# There are different image flavours available, like distroless and ubi.
# Please see GitHub release notes for image tags for these flavors.
# By default, the distroless image is used.
# By default the distroless image is used.
flavour: ""
# -- If set, install and upgrade CRDs through helm chart.
@ -186,22 +186,6 @@ metrics:
# -- Additional service annotations
annotations: {}
livenessProbe:
# -- Address for liveness probe
address: ""
# -- Liveness probe port for kubelet
port: 8082
# -- Specify the maximum amount of time to wait for a probe to respond before considering it fails
timeoutSeconds: 5
# -- Number of consecutive probe failures that should occur before considering the probe as failed
failureThreshold: 5
# -- Period in seconds for K8s to start performing probes
periodSeconds: 10
# -- Number of successful probes to mark probe successful
successThreshold: 1
# -- Delay in seconds for container to start before performing the initial probe
initialDelaySeconds: 10
nodeSelector: {}
tolerations: []
@ -269,21 +253,21 @@ webhook:
nodeSelector: {}
certManager:
# -- Enabling cert-manager support will disable the built-in secret and
# -- Enabling cert-manager support will disable the built in secret and
# switch to using cert-manager (installed separately) to automatically issue
# and renew the webhook certificate. This chart does not install
# cert-manager for you, See https://cert-manager.io/docs/
enabled: false
# -- Automatically add the cert-manager.io/inject-ca-from annotation to the
# webhooks and CRDs. As long as you have the cert-manager CA Injector
# enabled, this will automatically set up your webhook's CA to the one used
# enabled, this will automatically setup your webhook's CA to the one used
# by cert-manager. See https://cert-manager.io/docs/concepts/ca-injector
addInjectorAnnotations: true
cert:
# -- Create a certificate resource within this chart. See
# https://cert-manager.io/docs/usage/certificate/
create: true
# -- For the Certificate created by this chart, set up the issuer. See
# -- For the Certificate created by this chart, setup the issuer. See
# https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.IssuerSpec
issuerRef:
group: cert-manager.io

7
docs/api/controller-options.md
View file

@ -12,7 +12,7 @@ The external-secrets binary includes three components: `core controller`, `certc
The core controller is invoked without a subcommand and can be configured with the following flags:
| Name | Type | Default | Description |
|-----------------------------------------------|----------|-------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| --------------------------------------------- | -------- | ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `--client-burst` | int | uses rest client default (10) | Maximum Burst allowed to be passed to rest.Client |
| `--client-qps` | float32 | uses rest client default (5) | QPS configuration to be passed to rest.Client |
| `--concurrent` | int | 1 | The number of concurrent reconciles. |
@ -27,7 +27,6 @@ The core controller is invoked without a subcommand and can be configured with t
| `--enable-leader-election` | boolean | false | Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager. |
| `--experimental-enable-aws-session-cache` | boolean | false | Enable experimental AWS session cache. External secret will reuse the AWS session without creating a new one on each request. |
| `--help` | | | help for external-secrets |
| `--live-addr` | string | :8082 | The address the live endpoint binds to |
| `--loglevel` | string | info | loglevel to use, one of: debug, info, warn, error, dpanic, panic, fatal |
| `--metrics-addr` | string | :8080 | The address the metric endpoint binds to. |
| `--namespace` | string | - | watch external secrets scoped in the provided namespace only. ClusterSecretStore can be used but only work if it doesn't reference resources from other namespaces |
@ -36,7 +35,7 @@ The core controller is invoked without a subcommand and can be configured with t
## Cert Controller Flags
| Name | Type | Default | Descripton |
|----------------------------|----------|--------------------------|-----------------------------------------------------------------------------------------------------------------------|
| -------------------------- | -------- | ------------------------ | --------------------------------------------------------------------------------------------------------------------- |
| `--crd-requeue-interval` | duration | 5m0s | Time duration between reconciling CRDs for new certs |
| `--enable-leader-election` | boolean | false | Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager. |
| `--healthz-addr` | string | :8081 | The address the health endpoint binds to. |
@ -51,7 +50,7 @@ The core controller is invoked without a subcommand and can be configured with t
## Webhook Flags
| Name | Type | Default | Description |
|------------------------|----------|---------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| ---------------------- | -------- | ------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `--cert-dir` | string | /tmp/k8s-webhook-server/serving-certs | path to check for certs |
| `--check-interval` | duration | 5m0s | certificate check interval |
| `--dns-name` | string | localhost | DNS name to validate certificates with |