From 02f941b0a087360d54d2be7e6ccdd08137c3d59d Mon Sep 17 00:00:00 2001 From: Gergely Brautigam <182850+Skarlso@users.noreply.github.com> Date: Fri, 1 Mar 2024 13:22:35 +0100 Subject: [PATCH] Revert "3012 - Probes for external-secrets (#3131)" (#3213) This reverts commit 7eebfa027cfe17b3939e93ac044fd21885d362c3. Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com> --- cmd/root.go | 3 - deploy/charts/external-secrets/README.md | 17 +--- .../charts/external-secrets/README.md.gotmpl | 2 +- .../templates/deployment.yaml | 10 -- .../__snapshot__/controller_test.yaml.snap | 10 -- .../tests/__snapshot__/crds_test.yaml.snap | 92 ------------------- .../tests/controller_test.yaml | 7 -- deploy/charts/external-secrets/values.yaml | 24 +---- docs/api/controller-options.md | 7 +- 9 files changed, 13 insertions(+), 159 deletions(-) diff --git a/cmd/root.go b/cmd/root.go index 83dc1f2b1..bf575050b 100644 --- a/cmd/root.go +++ b/cmd/root.go @@ -57,7 +57,6 @@ var ( setupLog = ctrl.Log.WithName("setup") dnsName string certDir string - liveAddr string metricsAddr string healthzAddr string controllerClass string @@ -145,7 +144,6 @@ var rootCmd = &cobra.Command{ Metrics: server.Options{ BindAddress: metricsAddr, }, - LivenessEndpointName: liveAddr, WebhookServer: webhook.NewServer(webhook.Options{ Port: 9443, }), @@ -259,7 +257,6 @@ func Execute() { func init() { rootCmd.Flags().StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.") - rootCmd.Flags().StringVar(&liveAddr, "live-addr", ":8082", "The address the live endpoint binds to.") rootCmd.Flags().StringVar(&controllerClass, "controller-class", "default", "The controller is instantiated with a specific controller name and filters ES based on this property") rootCmd.Flags().BoolVar(&enableLeaderElection, "enable-leader-election", false, "Enable leader election for controller manager. "+ diff --git a/deploy/charts/external-secrets/README.md b/deploy/charts/external-secrets/README.md index d6fe1a230..d65d82a64 100644 --- a/deploy/charts/external-secrets/README.md +++ b/deploy/charts/external-secrets/README.md @@ -1,6 +1,6 @@ # External Secrets -eso-logo-large

+

[//]: # (README.md generated by gotmpl. DO NOT EDIT.) @@ -99,20 +99,13 @@ The command removes all the Kubernetes components associated with the chart and | extraVolumes | list | `[]` | | | fullnameOverride | string | `""` | | | hostNetwork | bool | `false` | Run the controller on the host network | -| image.flavour | string | `""` | The flavour of tag you want to use There are different image flavours available, like distroless and ubi. Please see GitHub release notes for image tags for these flavors. By default, the distroless image is used. | +| image.flavour | string | `""` | The flavour of tag you want to use There are different image flavours available, like distroless and ubi. Please see GitHub release notes for image tags for these flavors. By default the distroless image is used. | | image.pullPolicy | string | `"IfNotPresent"` | | | image.repository | string | `"ghcr.io/external-secrets/external-secrets"` | | | image.tag | string | `""` | The image tag to use. The default is the chart appVersion. | | imagePullSecrets | list | `[]` | | | installCRDs | bool | `true` | If set, install and upgrade CRDs through helm chart. | | leaderElect | bool | `false` | If true, external-secrets will perform leader election between instances to ensure no more than one instance of external-secrets operates at a time. | -| livenessProbe.address | string | `""` | Address for liveness probe | -| livenessProbe.failureThreshold | int | `5` | Number of consecutive probe failures that should occur before considering the probe as failed | -| livenessProbe.initialDelaySeconds | int | `10` | Delay in seconds for container to start before performing the initial probe | -| livenessProbe.periodSeconds | int | `10` | Period in seconds for K8s to start performing probes | -| livenessProbe.port | int | `8082` | Liveness probe port for kubelet | -| livenessProbe.successThreshold | int | `1` | Number of successful probes to mark probe successful | -| livenessProbe.timeoutSeconds | int | `5` | Specify the maximum amount of time to wait for a probe to respond before considering it fails | | metrics.listen.port | int | `8080` | | | metrics.service.annotations | object | `{}` | Additional service annotations | | metrics.service.enabled | bool | `false` | Enable if you use another monitoring tool than Prometheus to scrape the metrics | @@ -159,13 +152,13 @@ The command removes all the Kubernetes components associated with the chart and | webhook.affinity | object | `{}` | | | webhook.certCheckInterval | string | `"5m"` | Specifices the time to check if the cert is valid | | webhook.certDir | string | `"/tmp/certs"` | | -| webhook.certManager.addInjectorAnnotations | bool | `true` | Automatically add the cert-manager.io/inject-ca-from annotation to the webhooks and CRDs. As long as you have the cert-manager CA Injector enabled, this will automatically set up your webhook's CA to the one used by cert-manager. See https://cert-manager.io/docs/concepts/ca-injector | +| webhook.certManager.addInjectorAnnotations | bool | `true` | Automatically add the cert-manager.io/inject-ca-from annotation to the webhooks and CRDs. As long as you have the cert-manager CA Injector enabled, this will automatically setup your webhook's CA to the one used by cert-manager. See https://cert-manager.io/docs/concepts/ca-injector | | webhook.certManager.cert.annotations | object | `{}` | Add extra annotations to the Certificate resource. | | webhook.certManager.cert.create | bool | `true` | Create a certificate resource within this chart. See https://cert-manager.io/docs/usage/certificate/ | | webhook.certManager.cert.duration | string | `"8760h"` | Set the requested duration (i.e. lifetime) of the Certificate. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec One year by default. | -| webhook.certManager.cert.issuerRef | object | `{"group":"cert-manager.io","kind":"Issuer","name":"my-issuer"}` | For the Certificate created by this chart, set up the issuer. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.IssuerSpec | +| webhook.certManager.cert.issuerRef | object | `{"group":"cert-manager.io","kind":"Issuer","name":"my-issuer"}` | For the Certificate created by this chart, setup the issuer. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.IssuerSpec | | webhook.certManager.cert.renewBefore | string | `""` | How long before the currently issued certificate’s expiry cert-manager should renew the certificate. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec Note that renewBefore should be greater than .webhook.lookaheadInterval since the webhook will check this far in advance that the certificate is valid. | -| webhook.certManager.enabled | bool | `false` | Enabling cert-manager support will disable the built-in secret and switch to using cert-manager (installed separately) to automatically issue and renew the webhook certificate. This chart does not install cert-manager for you, See https://cert-manager.io/docs/ | +| webhook.certManager.enabled | bool | `false` | Enabling cert-manager support will disable the built in secret and switch to using cert-manager (installed separately) to automatically issue and renew the webhook certificate. This chart does not install cert-manager for you, See https://cert-manager.io/docs/ | | webhook.create | bool | `true` | Specifies whether a webhook deployment be created. | | webhook.deploymentAnnotations | object | `{}` | Annotations to add to Deployment | | webhook.extraArgs | object | `{}` | | diff --git a/deploy/charts/external-secrets/README.md.gotmpl b/deploy/charts/external-secrets/README.md.gotmpl index 15aafe3ed..7c1b60d23 100644 --- a/deploy/charts/external-secrets/README.md.gotmpl +++ b/deploy/charts/external-secrets/README.md.gotmpl @@ -2,7 +2,7 @@ {{- $org := "external-secrets" -}} # External Secrets -eso-logo-large

+

[//]: # (README.md generated by gotmpl. DO NOT EDIT.) diff --git a/deploy/charts/external-secrets/templates/deployment.yaml b/deploy/charts/external-secrets/templates/deployment.yaml index e45e05b9b..3dafc2c9d 100644 --- a/deploy/charts/external-secrets/templates/deployment.yaml +++ b/deploy/charts/external-secrets/templates/deployment.yaml @@ -87,20 +87,10 @@ spec: {{- end }} {{- end }} - --metrics-addr=:{{ .Values.metrics.listen.port }} - - --live-addr=:{{ .Values.livenessProbe.port }} ports: - containerPort: {{ .Values.metrics.listen.port }} protocol: TCP name: metrics - livenessProbe: - failureThreshold: {{ .Values.livenessProbe.failureThreshold }} - httpGet: - port: {{ .Values.livenessProbe.port }} - path: /live - initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.livenessProbe.periodSeconds }} - successThreshold: {{ .Values.livenessProbe.successThreshold }} - timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} {{- with .Values.extraEnv }} env: {{- toYaml . | nindent 12 }} diff --git a/deploy/charts/external-secrets/tests/__snapshot__/controller_test.yaml.snap b/deploy/charts/external-secrets/tests/__snapshot__/controller_test.yaml.snap index 3ac90831e..8ba1ca00b 100644 --- a/deploy/charts/external-secrets/tests/__snapshot__/controller_test.yaml.snap +++ b/deploy/charts/external-secrets/tests/__snapshot__/controller_test.yaml.snap @@ -32,18 +32,8 @@ should match snapshot of default values: - args: - --concurrent=1 - --metrics-addr=:8080 - - --live-addr=:8082 image: ghcr.io/external-secrets/external-secrets:v0.9.13 imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 5 - httpGet: - path: /live - port: 8082 - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 name: external-secrets ports: - containerPort: 8080 diff --git a/deploy/charts/external-secrets/tests/__snapshot__/crds_test.yaml.snap b/deploy/charts/external-secrets/tests/__snapshot__/crds_test.yaml.snap index a0279bc07..2dcd8dc13 100644 --- a/deploy/charts/external-secrets/tests/__snapshot__/crds_test.yaml.snap +++ b/deploy/charts/external-secrets/tests/__snapshot__/crds_test.yaml.snap @@ -2417,34 +2417,6 @@ should match snapshot of default values: required: - data type: object - fortanix: - description: Fortanix configures this store to sync secrets using the Fortanix provider - properties: - apiKey: - description: APIKey is the API token to access SDKMS Applications. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the SDKMS API Key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - apiUrl: - description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. - type: string - type: object gcpsm: description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider properties: @@ -2776,70 +2748,6 @@ should match snapshot of default values: required: - auth type: object - onboardbase: - description: Onboardbase configures this store to sync secrets using the Onboardbase provider - properties: - apiHost: - default: https://public.onboardbase.com/api/v1/ - description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ - type: string - auth: - description: Auth configures how the Operator authenticates with the Onboardbase API - properties: - apiKeyRef: - description: |- - OnboardbaseAPIKey is the APIKey generated by an admin account. - It is used to recognize and authorize access to a project and environment within onboardbase - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - passcodeRef: - description: OnboardbasePasscode is the passcode attached to the API Key - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - apiKeyRef - - passcodeRef - type: object - environment: - default: development - description: Environment is the name of an environmnent within a project to pull the secrets from - type: string - project: - default: development - description: Project is an onboardbase project that the secrets should be pulled from - type: string - required: - - apiHost - - auth - - environment - - project - type: object onepassword: description: OnePassword configures this store to sync secrets using the 1Password Cloud provider properties: diff --git a/deploy/charts/external-secrets/tests/controller_test.yaml b/deploy/charts/external-secrets/tests/controller_test.yaml index 498a6ab49..c437d64fc 100644 --- a/deploy/charts/external-secrets/tests/controller_test.yaml +++ b/deploy/charts/external-secrets/tests/controller_test.yaml @@ -54,13 +54,6 @@ tests: - equal: path: spec.template.spec.containers[0].args[1] value: "--metrics-addr=:8888" - - it: should override livenessProbe port - set: - livenessProbe.port: 8082 - asserts: - - equal: - path: spec.template.spec.containers[0].args[2] - value: "--live-addr=:8082" - it: should override image flavour set: image.repository: ghcr.io/external-secrets/external-secrets diff --git a/deploy/charts/external-secrets/values.yaml b/deploy/charts/external-secrets/values.yaml index ffe4badf5..f2f5597c1 100644 --- a/deploy/charts/external-secrets/values.yaml +++ b/deploy/charts/external-secrets/values.yaml @@ -11,7 +11,7 @@ image: # -- The flavour of tag you want to use # There are different image flavours available, like distroless and ubi. # Please see GitHub release notes for image tags for these flavors. - # By default, the distroless image is used. + # By default the distroless image is used. flavour: "" # -- If set, install and upgrade CRDs through helm chart. @@ -186,22 +186,6 @@ metrics: # -- Additional service annotations annotations: {} -livenessProbe: - # -- Address for liveness probe - address: "" - # -- Liveness probe port for kubelet - port: 8082 - # -- Specify the maximum amount of time to wait for a probe to respond before considering it fails - timeoutSeconds: 5 - # -- Number of consecutive probe failures that should occur before considering the probe as failed - failureThreshold: 5 - # -- Period in seconds for K8s to start performing probes - periodSeconds: 10 - # -- Number of successful probes to mark probe successful - successThreshold: 1 - # -- Delay in seconds for container to start before performing the initial probe - initialDelaySeconds: 10 - nodeSelector: {} tolerations: [] @@ -269,21 +253,21 @@ webhook: nodeSelector: {} certManager: - # -- Enabling cert-manager support will disable the built-in secret and + # -- Enabling cert-manager support will disable the built in secret and # switch to using cert-manager (installed separately) to automatically issue # and renew the webhook certificate. This chart does not install # cert-manager for you, See https://cert-manager.io/docs/ enabled: false # -- Automatically add the cert-manager.io/inject-ca-from annotation to the # webhooks and CRDs. As long as you have the cert-manager CA Injector - # enabled, this will automatically set up your webhook's CA to the one used + # enabled, this will automatically setup your webhook's CA to the one used # by cert-manager. See https://cert-manager.io/docs/concepts/ca-injector addInjectorAnnotations: true cert: # -- Create a certificate resource within this chart. See # https://cert-manager.io/docs/usage/certificate/ create: true - # -- For the Certificate created by this chart, set up the issuer. See + # -- For the Certificate created by this chart, setup the issuer. See # https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.IssuerSpec issuerRef: group: cert-manager.io diff --git a/docs/api/controller-options.md b/docs/api/controller-options.md index 58fc8a145..a846aff99 100644 --- a/docs/api/controller-options.md +++ b/docs/api/controller-options.md @@ -12,7 +12,7 @@ The external-secrets binary includes three components: `core controller`, `certc The core controller is invoked without a subcommand and can be configured with the following flags: | Name | Type | Default | Description | -|-----------------------------------------------|----------|-------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| --------------------------------------------- | -------- | ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | `--client-burst` | int | uses rest client default (10) | Maximum Burst allowed to be passed to rest.Client | | `--client-qps` | float32 | uses rest client default (5) | QPS configuration to be passed to rest.Client | | `--concurrent` | int | 1 | The number of concurrent reconciles. | @@ -27,7 +27,6 @@ The core controller is invoked without a subcommand and can be configured with t | `--enable-leader-election` | boolean | false | Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager. | | `--experimental-enable-aws-session-cache` | boolean | false | Enable experimental AWS session cache. External secret will reuse the AWS session without creating a new one on each request. | | `--help` | | | help for external-secrets | -| `--live-addr` | string | :8082 | The address the live endpoint binds to | | `--loglevel` | string | info | loglevel to use, one of: debug, info, warn, error, dpanic, panic, fatal | | `--metrics-addr` | string | :8080 | The address the metric endpoint binds to. | | `--namespace` | string | - | watch external secrets scoped in the provided namespace only. ClusterSecretStore can be used but only work if it doesn't reference resources from other namespaces | @@ -36,7 +35,7 @@ The core controller is invoked without a subcommand and can be configured with t ## Cert Controller Flags | Name | Type | Default | Descripton | -|----------------------------|----------|--------------------------|-----------------------------------------------------------------------------------------------------------------------| +| -------------------------- | -------- | ------------------------ | --------------------------------------------------------------------------------------------------------------------- | | `--crd-requeue-interval` | duration | 5m0s | Time duration between reconciling CRDs for new certs | | `--enable-leader-election` | boolean | false | Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager. | | `--healthz-addr` | string | :8081 | The address the health endpoint binds to. | @@ -51,7 +50,7 @@ The core controller is invoked without a subcommand and can be configured with t ## Webhook Flags | Name | Type | Default | Description | -|------------------------|----------|---------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| ---------------------- | -------- | ------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | `--cert-dir` | string | /tmp/k8s-webhook-server/serving-certs | path to check for certs | | `--check-interval` | duration | 5m0s | certificate check interval | | `--dns-name` | string | localhost | DNS name to validate certificates with |