mirrors/external-secrets
1
0
Fork 0
mirror of https://github.com/external-secrets/external-secrets.git synced 2024-12-14 11:57:59 +00:00
Code Activity

v1beta1 initial commit

Browse source 
Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
This commit is contained in:
Gustavo Carvalho 2022-02-08 14:07:34 -03:00
parent 2bbc033699
commit 0530385992
82 changed files with 6791 additions and 707 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
PROJECT
View file

@ -2,10 +2,22 @@ domain: io
multigroup: true
repo: github.com/external-secrets/external-secrets
resources:
- group: external-secrets
kind: ClusterSecretStore
version: v1alpha1
- group: external-secrets
kind: SecretStore
version: v1alpha1
- group: external-secrets
kind: ExternalSecret
version: v1alpha1
version: "2"
- group: external-secrets
kind: ClusterSecretStore
version: v1beta1
- group: external-secrets
kind: SecretStore
version: v1beta1
- group: external-secrets
kind: ExternalSecret
version: v1beta1
version: "3"

194
apis/externalsecrets/v1alpha1/externalsecret_conversion.go Normal file
View file

@ -0,0 +1,194 @@
/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1alpha1
import (
"sigs.k8s.io/controller-runtime/pkg/conversion"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
)
func (alpha *ExternalSecret) ConvertTo(betaRaw conversion.Hub) error {
beta := betaRaw.(*esv1beta1.ExternalSecret)
v1beta1DataFrom := make([]esv1beta1.ExternalSecretDataFromRemoteRef, len(alpha.Spec.DataFrom))
for _, v1alpha1RemoteRef := range alpha.Spec.DataFrom {
v1beta1RemoteRef := esv1beta1.ExternalSecretDataFromRemoteRef{
Extract: esv1beta1.ExternalSecretDataRemoteRef{
Key: v1alpha1RemoteRef.Key,
Property: v1alpha1RemoteRef.Property,
Version: v1alpha1RemoteRef.Version,
},
}
v1beta1DataFrom = append(v1beta1DataFrom, v1beta1RemoteRef)
}
beta.Spec.DataFrom = v1beta1DataFrom
v1beta1Data := make([]esv1beta1.ExternalSecretData, len(alpha.Spec.Data))
for _, v1alpha1SecretData := range alpha.Spec.Data {
v1beta1SecretData := esv1beta1.ExternalSecretData{
RemoteRef: esv1beta1.ExternalSecretDataRemoteRef{
Key: v1alpha1SecretData.RemoteRef.Key,
Property: v1alpha1SecretData.RemoteRef.Property,
Version: v1alpha1SecretData.RemoteRef.Version,
},
SecretKey: v1alpha1SecretData.SecretKey,
}
v1beta1Data = append(v1beta1Data, v1beta1SecretData)
}
beta.Spec.Data = v1beta1Data
esv1beta1TemplateFrom := make([]esv1beta1.TemplateFrom, len(alpha.Spec.Target.Template.TemplateFrom))
for _, esv1alpha1TemplateFrom := range alpha.Spec.Target.Template.TemplateFrom {
esv1beta1ConfigMapItems := make([]esv1beta1.TemplateRefItem, len(esv1alpha1TemplateFrom.ConfigMap.Items))
for _, esv1alpha1ConfigMapItem := range esv1alpha1TemplateFrom.ConfigMap.Items {
esv1beta1ConfigMapItem := esv1beta1.TemplateRefItem(esv1alpha1ConfigMapItem)
esv1beta1ConfigMapItems = append(esv1beta1ConfigMapItems, esv1beta1ConfigMapItem)
}
esv1beta1SecretItems := make([]esv1beta1.TemplateRefItem, len(esv1alpha1TemplateFrom.Secret.Items))
for _, esv1alpha1SecretItem := range esv1alpha1TemplateFrom.Secret.Items {
esv1beta1SecretItem := esv1beta1.TemplateRefItem(esv1alpha1SecretItem)
esv1beta1SecretItems = append(esv1beta1SecretItems, esv1beta1SecretItem)
}
esv1beta1TemplateFromItem := esv1beta1.TemplateFrom{
ConfigMap: &esv1beta1.TemplateRef{
Name: esv1alpha1TemplateFrom.ConfigMap.Name,
Items: esv1beta1ConfigMapItems,
},
Secret: &esv1beta1.TemplateRef{
Name: esv1alpha1TemplateFrom.Secret.Name,
Items: esv1beta1SecretItems,
},
}
esv1beta1TemplateFrom = append(esv1beta1TemplateFrom, esv1beta1TemplateFromItem)
}
esv1beta1Template := esv1beta1.ExternalSecretTemplate{
Type: alpha.Spec.Target.Template.Type,
Metadata: esv1beta1.ExternalSecretTemplateMetadata(alpha.Spec.Target.Template.Metadata),
Data: alpha.Spec.Target.Template.Data,
TemplateFrom: esv1beta1TemplateFrom,
}
beta.Spec.Target = esv1beta1.ExternalSecretTarget{
Name: alpha.Spec.Target.Name,
CreationPolicy: esv1beta1.ExternalSecretCreationPolicy(alpha.Spec.Target.CreationPolicy),
Immutable: alpha.Spec.Target.Immutable,
Template: &esv1beta1Template,
}
beta.Spec.RefreshInterval = alpha.Spec.RefreshInterval
beta.Spec.SecretStoreRef = esv1beta1.SecretStoreRef(alpha.Spec.SecretStoreRef)
beta.ObjectMeta = alpha.ObjectMeta
esv1beta1Conditions := make([]esv1beta1.ExternalSecretStatusCondition, len(alpha.Status.Conditions))
for _, esv1alpha1Condition := range alpha.Status.Conditions {
esv1beta1Condition := esv1beta1.ExternalSecretStatusCondition{
Type: esv1beta1.ExternalSecretConditionType(esv1alpha1Condition.Type),
Status: esv1alpha1Condition.Status,
Reason: esv1alpha1Condition.Reason,
Message: esv1alpha1Condition.Message,
LastTransitionTime: esv1alpha1Condition.LastTransitionTime,
}
esv1beta1Conditions = append(esv1beta1Conditions, esv1beta1Condition)
}
beta.Status = esv1beta1.ExternalSecretStatus{
RefreshTime: alpha.Status.RefreshTime,
SyncedResourceVersion: alpha.Status.SyncedResourceVersion,
Conditions: esv1beta1Conditions,
}
return nil
}
func (alpha *ExternalSecret) ConvertFrom(betaRaw conversion.Hub) error {
beta := betaRaw.(*esv1beta1.ExternalSecret)
v1alpha1DataFrom := make([]ExternalSecretDataRemoteRef, len(beta.Spec.DataFrom))
for _, v1beta1RemoteRef := range beta.Spec.DataFrom {
if v1beta1RemoteRef.Extract.Key != "" {
v1alpha1RemoteRef := ExternalSecretDataRemoteRef{
Key: v1beta1RemoteRef.Extract.Key,
Property: v1beta1RemoteRef.Extract.Property,
Version: v1beta1RemoteRef.Extract.Version,
}
v1alpha1DataFrom = append(v1alpha1DataFrom, v1alpha1RemoteRef)
}
}
alpha.Spec.DataFrom = v1alpha1DataFrom
v1alpha1Data := make([]ExternalSecretData, len(beta.Spec.Data))
for _, v1beta1SecretData := range beta.Spec.Data {
v1alpha1SecretData := ExternalSecretData{
RemoteRef: ExternalSecretDataRemoteRef(v1beta1SecretData.RemoteRef),
SecretKey: v1beta1SecretData.SecretKey,
}
v1alpha1Data = append(v1alpha1Data, v1alpha1SecretData)
}
alpha.Spec.Data = v1alpha1Data
esv1alpha1TemplateFrom := make([]TemplateFrom, len(beta.Spec.Target.Template.TemplateFrom))
for _, esv1beta1TemplateFrom := range beta.Spec.Target.Template.TemplateFrom {
esv1alpha1ConfigMapItems := make([]TemplateRefItem, len(esv1beta1TemplateFrom.ConfigMap.Items))
for _, esv1beta1ConfigMapItem := range esv1beta1TemplateFrom.ConfigMap.Items {
esv1alpha1ConfigMapItem := TemplateRefItem(esv1beta1ConfigMapItem)
esv1alpha1ConfigMapItems = append(esv1alpha1ConfigMapItems, esv1alpha1ConfigMapItem)
}
esv1alpha1SecretItems := make([]TemplateRefItem, len(esv1beta1TemplateFrom.Secret.Items))
for _, esv1beta1SecretItem := range esv1beta1TemplateFrom.Secret.Items {
esv1alpha1SecretItem := TemplateRefItem(esv1beta1SecretItem)
esv1alpha1SecretItems = append(esv1alpha1SecretItems, esv1alpha1SecretItem)
}
esv1alpha1TemplateFromItem := TemplateFrom{
ConfigMap: &TemplateRef{
Name: esv1beta1TemplateFrom.ConfigMap.Name,
Items: esv1alpha1ConfigMapItems,
},
Secret: &TemplateRef{
Name: esv1beta1TemplateFrom.Secret.Name,
Items: esv1alpha1SecretItems,
},
}
esv1alpha1TemplateFrom = append(esv1alpha1TemplateFrom, esv1alpha1TemplateFromItem)
}
esv1alpha1Template := ExternalSecretTemplate{
Type: beta.Spec.Target.Template.Type,
Metadata: ExternalSecretTemplateMetadata(beta.Spec.Target.Template.Metadata),
Data: beta.Spec.Target.Template.Data,
TemplateFrom: esv1alpha1TemplateFrom,
}
alpha.Spec.Target = ExternalSecretTarget{
Name: beta.Spec.Target.Name,
CreationPolicy: ExternalSecretCreationPolicy(beta.Spec.Target.CreationPolicy),
Immutable: beta.Spec.Target.Immutable,
Template: &esv1alpha1Template,
}
alpha.Spec.RefreshInterval = beta.Spec.RefreshInterval
alpha.Spec.SecretStoreRef = SecretStoreRef(beta.Spec.SecretStoreRef)
alpha.ObjectMeta = beta.ObjectMeta
esv1alpha1Conditions := make([]ExternalSecretStatusCondition, len(beta.Status.Conditions))
for _, esv1beta1Condition := range beta.Status.Conditions {
esv1alpha1Condition := ExternalSecretStatusCondition{
Type: ExternalSecretConditionType(esv1beta1Condition.Type),
Status: esv1beta1Condition.Status,
Reason: esv1beta1Condition.Reason,
Message: esv1beta1Condition.Message,
LastTransitionTime: esv1beta1Condition.LastTransitionTime,
}
esv1alpha1Conditions = append(esv1alpha1Conditions, esv1alpha1Condition)
}
alpha.Status = ExternalSecretStatus{
RefreshTime: beta.Status.RefreshTime,
SyncedResourceVersion: beta.Status.SyncedResourceVersion,
Conditions: esv1alpha1Conditions,
}
return nil
}

28
apis/externalsecrets/v1alpha1/externalsecret_webhook.go Normal file
View file

@ -0,0 +1,28 @@
/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1alpha1
import (
ctrl "sigs.k8s.io/controller-runtime"
)
// log is for logging in this package.
// var externalsecretlog = logf.Log.WithName("externalsecret-resource")
func (alpha *ExternalSecret) SetupWebhookWithManager(mgr ctrl.Manager) error {
return ctrl.NewWebhookManagedBy(mgr).
For(alpha).
Complete()
}

92
apis/externalsecrets/v1alpha1/secretstore_conversion.go Normal file
View file

@ -0,0 +1,92 @@
/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// TODO IMPLEMENT.
package v1alpha1
import (
"encoding/json"
"sigs.k8s.io/controller-runtime/pkg/conversion"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
)
func (c *SecretStore) ConvertTo(betaRaw conversion.Hub) error {
beta := betaRaw.(*esv1beta1.SecretStore)
tmp := &esv1beta1.SecretStore{}
alphajson, err := json.Marshal(c)
if err != nil {
return err
}
err = json.Unmarshal(alphajson, tmp)
if err != nil {
return err
}
beta.Spec = tmp.Spec
beta.ObjectMeta = tmp.ObjectMeta
beta.Status = tmp.Status
return nil
}
func (c *SecretStore) ConvertFrom(betaRaw conversion.Hub) error {
beta := betaRaw.(*esv1beta1.SecretStore)
tmp := &SecretStore{}
betajson, err := json.Marshal(beta)
if err != nil {
return err
}
err = json.Unmarshal(betajson, tmp)
if err != nil {
return err
}
c.Spec = tmp.Spec
c.ObjectMeta = tmp.ObjectMeta
c.Status = tmp.Status
return nil
}
func (c *ClusterSecretStore) ConvertTo(betaRaw conversion.Hub) error {
beta := betaRaw.(*esv1beta1.ClusterSecretStore)
tmp := &esv1beta1.ClusterSecretStore{}
alphajson, err := json.Marshal(c)
if err != nil {
return err
}
err = json.Unmarshal(alphajson, tmp)
if err != nil {
return err
}
beta.Spec = tmp.Spec
beta.ObjectMeta = tmp.ObjectMeta
beta.Status = tmp.Status
return nil
}
func (c *ClusterSecretStore) ConvertFrom(betaRaw conversion.Hub) error {
beta := betaRaw.(*esv1beta1.ClusterSecretStore)
tmp := &ClusterSecretStore{}
betajson, err := json.Marshal(beta)
if err != nil {
return err
}
err = json.Unmarshal(betajson, tmp)
if err != nil {
return err
}
c.Spec = tmp.Spec
c.ObjectMeta = tmp.ObjectMeta
c.Status = tmp.Status
return nil
}

34
apis/externalsecrets/v1alpha1/secretstore_webhook.go Normal file
View file

@ -0,0 +1,34 @@
/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1alpha1
import (
ctrl "sigs.k8s.io/controller-runtime"
)
// log is for logging in this package.
// var secretStorelog = logf.Log.WithName("secretStore-resource")
func (c *SecretStore) SetupWebhookWithManager(mgr ctrl.Manager) error {
return ctrl.NewWebhookManagedBy(mgr).
For(c).
Complete()
}
func (c *ClusterSecretStore) SetupWebhookWithManager(mgr ctrl.Manager) error {
return ctrl.NewWebhookManagedBy(mgr).
For(c).
Complete()
}

19
apis/externalsecrets/v1beta1/doc.go Normal file
View file

@ -0,0 +1,19 @@
/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Package v1beta1 contains resources for external-secrets
// +kubebuilder:object:generate=true
// +groupName=external-secrets.io
// +versionName=v1beta1
package v1beta1

17
apis/externalsecrets/v1beta1/externalsecret_conversion.go Normal file
View file

@ -0,0 +1,17 @@
/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1beta1
func (*ExternalSecret) Hub() {}

256
apis/externalsecrets/v1beta1/externalsecret_types.go Normal file
View file

@ -0,0 +1,256 @@
/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1beta1
import (
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
type SecretStoreRef struct {
// Name of the SecretStore resource
Name string `json:"name"`
// Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
// Defaults to `SecretStore`
// +optional
Kind string `json:"kind,omitempty"`
}
// ExternalSecretCreationPolicy defines rules on how to create the resulting Secret.
type ExternalSecretCreationPolicy string
const (
// Owner creates the Secret and sets .metadata.ownerReferences to the ExternalSecret resource.
Owner ExternalSecretCreationPolicy = "Owner"
// Merge does not create the Secret, but merges the data fields to the Secret.
Merge ExternalSecretCreationPolicy = "Merge"
// None does not create a Secret (future use with injector).
None ExternalSecretCreationPolicy = "None"
)
// ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
type ExternalSecretTemplateMetadata struct {
// +optional
Annotations map[string]string `json:"annotations,omitempty"`
// +optional
Labels map[string]string `json:"labels,omitempty"`
}
// ExternalSecretTemplate defines a blueprint for the created Secret resource.
// we can not use native corev1.Secret, it will have empty ObjectMeta values: https://github.com/kubernetes-sigs/controller-tools/issues/448
type ExternalSecretTemplate struct {
// +optional
Type corev1.SecretType `json:"type,omitempty"`
// +optional
Metadata ExternalSecretTemplateMetadata `json:"metadata,omitempty"`
// +optional
Data map[string]string `json:"data,omitempty"`
// +optional
TemplateFrom []TemplateFrom `json:"templateFrom,omitempty"`
}
// +kubebuilder:validation:MinProperties=1
// +kubebuilder:validation:MaxProperties=1
type TemplateFrom struct {
ConfigMap *TemplateRef `json:"configMap,omitempty"`
Secret *TemplateRef `json:"secret,omitempty"`
}
type TemplateRef struct {
Name string `json:"name"`
Items []TemplateRefItem `json:"items"`
}
type TemplateRefItem struct {
Key string `json:"key"`
}
// ExternalSecretTarget defines the Kubernetes Secret to be created
// There can be only one target per ExternalSecret.
type ExternalSecretTarget struct {
// Name defines the name of the Secret resource to be managed
// This field is immutable
// Defaults to the .metadata.name of the ExternalSecret resource
// +optional
Name string `json:"name,omitempty"`
// CreationPolicy defines rules on how to create the resulting Secret
// Defaults to 'Owner'
// +optional
// +kubebuilder:default="Owner"
CreationPolicy ExternalSecretCreationPolicy `json:"creationPolicy,omitempty"`
// Template defines a blueprint for the created Secret resource.
// +optional
Template *ExternalSecretTemplate `json:"template,omitempty"`
// Immutable defines if the final secret will be immutable
// +optional
Immutable bool `json:"immutable,omitempty"`
}
// ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
type ExternalSecretData struct {
SecretKey string `json:"secretKey"`
RemoteRef ExternalSecretDataRemoteRef `json:"remoteRef"`
}
// ExternalSecretDataRemoteRef defines Provider data location.
type ExternalSecretDataRemoteRef struct {
// Key is the key used in the Provider, mandatory
Key string `json:"key"`
// Used to select a specific version of the Provider value, if supported
// +optional
Version string `json:"version,omitempty"`
// +optional
// Used to select a specific property of the Provider value (if a map), if supported
Property string `json:"property,omitempty"`
}
type ExternalSecretDataFromRemoteRef struct {
// Used to select a specific version and property from the secret
// +optional
Extract ExternalSecretDataRemoteRef `json:"extract,omitempty"`
// Used to find secrets based on tags or regular expressions
// +optional
Find ExternalSecretFind `json:"find,omitempty"`
}
type ExternalSecretFind struct {
// Key is the key used in the Provider
// +optional
Name FindName `json:"name,omitempty"`
// Used to select a specific version of the Provider value, if supported
// +optional
Tags map[string]string `json:"tags,omitempty"`
}
type FindName struct {
// Used to select multiple secrets based on a regular expression of the name
// +optional
RegExp string `json:"regexp,omitempty"`
}
// ExternalSecretSpec defines the desired state of ExternalSecret.
type ExternalSecretSpec struct {
SecretStoreRef SecretStoreRef `json:"secretStoreRef"`
Target ExternalSecretTarget `json:"target"`
// RefreshInterval is the amount of time before the values are read again from the SecretStore provider
// Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
// May be set to zero to fetch and create it once. Defaults to 1h.
// +kubebuilder:default="1h"
RefreshInterval *metav1.Duration `json:"refreshInterval,omitempty"`
// Data defines the connection between the Kubernetes Secret keys and the Provider data
// +optional
Data []ExternalSecretData `json:"data,omitempty"`
// DataFrom is used to fetch all properties from a specific Provider data
// If multiple entries are specified, the Secret keys are merged in the specified order
// +optional
DataFrom []ExternalSecretDataFromRemoteRef `json:"dataFrom,omitempty"`
}
type ExternalSecretConditionType string
const (
ExternalSecretReady ExternalSecretConditionType = "Ready"
ExternalSecretDeleted ExternalSecretConditionType = "Deleted"
)
type ExternalSecretStatusCondition struct {
Type ExternalSecretConditionType `json:"type"`
Status corev1.ConditionStatus `json:"status"`
// +optional
Reason string `json:"reason,omitempty"`
// +optional
Message string `json:"message,omitempty"`
// +optional
LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty"`
}
const (
// ConditionReasonSecretSynced indicates that the secrets was synced.
ConditionReasonSecretSynced = "SecretSynced"
// ConditionReasonSecretSyncedError indicates that there was an error syncing the secret.
ConditionReasonSecretSyncedError = "SecretSyncedError"
// ConditionReasonSecretDeleted indicates that the secret has been deleted.
ConditionReasonSecretDeleted = "SecretDeleted"
ReasonInvalidStoreRef = "InvalidStoreRef"
ReasonProviderClientConfig = "InvalidProviderClientConfig"
ReasonUpdateFailed = "UpdateFailed"
ReasonUpdated = "Updated"
)
type ExternalSecretStatus struct {
// +nullable
// refreshTime is the time and date the external secret was fetched and
// the target secret updated
RefreshTime metav1.Time `json:"refreshTime,omitempty"`
// SyncedResourceVersion keeps track of the last synced version
SyncedResourceVersion string `json:"syncedResourceVersion,omitempty"`
// +optional
Conditions []ExternalSecretStatusCondition `json:"conditions,omitempty"`
}
// +kubebuilder:object:root=true
// +kubebuilder:storageversion
// ExternalSecret is the Schema for the external-secrets API.
// +kubebuilder:subresource:status
// +kubebuilder:resource:scope=Namespaced,categories={externalsecrets},shortName=es
// +kubebuilder:printcolumn:name="Store",type=string,JSONPath=`.spec.secretStoreRef.name`
// +kubebuilder:printcolumn:name="Refresh Interval",type=string,JSONPath=`.spec.refreshInterval`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].reason`
type ExternalSecret struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
Spec ExternalSecretSpec `json:"spec,omitempty"`
Status ExternalSecretStatus `json:"status,omitempty"`
}
const (
// AnnotationDataHash is used to ensure consistency.
AnnotationDataHash = "reconcile.external-secrets.io/data-hash"
)
// +kubebuilder:object:root=true
// ExternalSecretList contains a list of ExternalSecret resources.
type ExternalSecretList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []ExternalSecret `json:"items"`
}

28
apis/externalsecrets/v1beta1/externalsecret_webhook.go Normal file
View file

@ -0,0 +1,28 @@
/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1beta1
import (
ctrl "sigs.k8s.io/controller-runtime"
)
// log is for logging in this package.
// var externalsecretlog = logf.Log.WithName("externalsecret-resource")
func (r *ExternalSecret) SetupWebhookWithManager(mgr ctrl.Manager) error {
return ctrl.NewWebhookManagedBy(mgr).
For(r).
Complete()
}

107
apis/externalsecrets/v1beta1/generic_store.go Normal file
View file

@ -0,0 +1,107 @@
/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1beta1
import (
"fmt"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
)
// +kubebuilder:object:root=false
// +kubebuilder:object:generate:false
// +k8s:deepcopy-gen:interfaces=nil
// +k8s:deepcopy-gen=nil
// GenericStore is a common interface for interacting with ClusterSecretStore
// or a namespaced SecretStore.
type GenericStore interface {
runtime.Object
metav1.Object
GetObjectMeta() *metav1.ObjectMeta
GetTypeMeta() *metav1.TypeMeta
GetSpec() *SecretStoreSpec
GetNamespacedName() string
GetStatus() SecretStoreStatus
SetStatus(status SecretStoreStatus)
Copy() GenericStore
}
// +kubebuilder:object:root:false
// +kubebuilder:object:generate:false
var _ GenericStore = &SecretStore{}
func (c *SecretStore) GetObjectMeta() *metav1.ObjectMeta {
return &c.ObjectMeta
}
func (c *SecretStore) GetTypeMeta() *metav1.TypeMeta {
return &c.TypeMeta
}
func (c *SecretStore) GetSpec() *SecretStoreSpec {
return &c.Spec
}
func (c *SecretStore) GetStatus() SecretStoreStatus {
return c.Status
}
func (c *SecretStore) SetStatus(status SecretStoreStatus) {
c.Status = status
}
func (c *SecretStore) GetNamespacedName() string {
return fmt.Sprintf("%s/%s", c.Namespace, c.Name)
}
func (c *SecretStore) Copy() GenericStore {
return c.DeepCopy()
}
// +kubebuilder:object:root:false
// +kubebuilder:object:generate:false
var _ GenericStore = &ClusterSecretStore{}
func (c *ClusterSecretStore) GetObjectMeta() *metav1.ObjectMeta {
return &c.ObjectMeta
}
func (c *ClusterSecretStore) GetTypeMeta() *metav1.TypeMeta {
return &c.TypeMeta
}
func (c *ClusterSecretStore) GetSpec() *SecretStoreSpec {
return &c.Spec
}
func (c *ClusterSecretStore) Copy() GenericStore {
return c.DeepCopy()
}
func (c *ClusterSecretStore) GetStatus() SecretStoreStatus {
return c.Status
}
func (c *ClusterSecretStore) SetStatus(status SecretStoreStatus) {
c.Status = status
}
func (c *ClusterSecretStore) GetNamespacedName() string {
return fmt.Sprintf("%s/%s", c.Namespace, c.Name)
}

67
apis/externalsecrets/v1beta1/register.go Normal file
View file

@ -0,0 +1,67 @@
/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1beta1
import (
"reflect"
"k8s.io/apimachinery/pkg/runtime/schema"
"sigs.k8s.io/controller-runtime/pkg/scheme"
)
// Package type metadata.
const (
Group = "external-secrets.io"
Version = "v1beta1"
)
var (
// SchemeGroupVersion is group version used to register these objects.
SchemeGroupVersion = schema.GroupVersion{Group: Group, Version: Version}
// SchemeBuilder is used to add go types to the GroupVersionKind scheme.
SchemeBuilder = &scheme.Builder{GroupVersion: SchemeGroupVersion}
AddToScheme = SchemeBuilder.AddToScheme
)
// ExternalSecret type metadata.
var (
ExtSecretKind = reflect.TypeOf(ExternalSecret{}).Name()
ExtSecretGroupKind = schema.GroupKind{Group: Group, Kind: ExtSecretKind}.String()
ExtSecretKindAPIVersion = ExtSecretKind + "." + SchemeGroupVersion.String()
ExtSecretGroupVersionKind = SchemeGroupVersion.WithKind(ExtSecretKind)
)
// SecretStore type metadata.
var (
SecretStoreKind = reflect.TypeOf(SecretStore{}).Name()
SecretStoreGroupKind = schema.GroupKind{Group: Group, Kind: SecretStoreKind}.String()
SecretStoreKindAPIVersion = SecretStoreKind + "." + SchemeGroupVersion.String()
SecretStoreGroupVersionKind = SchemeGroupVersion.WithKind(SecretStoreKind)
)
// ClusterSecretStore type metadata.
var (
ClusterSecretStoreKind = reflect.TypeOf(ClusterSecretStore{}).Name()
ClusterSecretStoreGroupKind = schema.GroupKind{Group: Group, Kind: ClusterSecretStoreKind}.String()
ClusterSecretStoreKindAPIVersion = ClusterSecretStoreKind + "." + SchemeGroupVersion.String()
ClusterSecretStoreGroupVersionKind = SchemeGroupVersion.WithKind(ClusterSecretStoreKind)
)
func init() {
SchemeBuilder.Register(&ExternalSecret{}, &ExternalSecretList{})
SchemeBuilder.Register(&SecretStore{}, &SecretStoreList{})
SchemeBuilder.Register(&ClusterSecretStore{}, &ClusterSecretStoreList{})
}

42
apis/externalsecrets/v1beta1/secretstore_akeyless_types.go Normal file
View file

@ -0,0 +1,42 @@
/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1beta1
import (
esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
)
// AkeylessProvider Configures an store to sync secrets using Akeyless KV.
type AkeylessProvider struct {
// Akeyless GW API Url from which the secrets to be fetched from.
AkeylessGWApiURL *string `json:"akeylessGWApiURL"`
// Auth configures how the operator authenticates with Akeyless.
Auth *AkeylessAuth `json:"authSecretRef"`
}
type AkeylessAuth struct {
SecretRef AkeylessAuthSecretRef `json:"secretRef"`
}
// AkeylessAuthSecretRef
//AKEYLESS_ACCESS_TYPE_PARAM: AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.
type AkeylessAuthSecretRef struct {
// The SecretAccessID is used for authentication
AccessID esmeta.SecretKeySelector `json:"accessID,omitempty"`
AccessType esmeta.SecretKeySelector `json:"accessType,omitempty"`
AccessTypeParam esmeta.SecretKeySelector `json:"accessTypeParam,omitempty"`
}

41
apis/externalsecrets/v1beta1/secretstore_alibaba_types.go Normal file
View file

@ -0,0 +1,41 @@
/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1beta1
import (
esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
)
// AlibabaAuth contains a secretRef for credentials.
type AlibabaAuth struct {
SecretRef AlibabaAuthSecretRef `json:"secretRef"`
}
// AlibabaAuthSecretRef holds secret references for Alibaba credentials.
type AlibabaAuthSecretRef struct {
// The AccessKeyID is used for authentication
AccessKeyID esmeta.SecretKeySelector `json:"accessKeyIDSecretRef"`
// The AccessKeySecret is used for authentication
AccessKeySecret esmeta.SecretKeySelector `json:"accessKeySecretSecretRef"`
}
// AlibabaProvider configures a store to sync secrets using the Alibaba Secret Manager provider.
type AlibabaProvider struct {
Auth *AlibabaAuth `json:"auth"`
// +optional
Endpoint string `json:"endpoint"`
// Alibaba Region to be used for the provider
RegionID string `json:"regionID"`
}

76
apis/externalsecrets/v1beta1/secretstore_aws_types.go Normal file
View file

@ -0,0 +1,76 @@
/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1beta1
import (
esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
)
// AWSAuth tells the controller how to do authentication with aws.
// Only one of secretRef or jwt can be specified.
// if none is specified the controller will load credentials using the aws sdk defaults.
type AWSAuth struct {
// +optional
SecretRef *AWSAuthSecretRef `json:"secretRef,omitempty"`
// +optional
JWTAuth *AWSJWTAuth `json:"jwt,omitempty"`
}
// AWSAuthSecretRef holds secret references for AWS credentials
// both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
type AWSAuthSecretRef struct {
// The AccessKeyID is used for authentication
AccessKeyID esmeta.SecretKeySelector `json:"accessKeyIDSecretRef,omitempty"`
// The SecretAccessKey is used for authentication
SecretAccessKey esmeta.SecretKeySelector `json:"secretAccessKeySecretRef,omitempty"`
}
// Authenticate against AWS using service account tokens.
type AWSJWTAuth struct {
ServiceAccountRef *esmeta.ServiceAccountSelector `json:"serviceAccountRef,omitempty"`
}
// AWSServiceType is a enum that defines the service/API that is used to fetch the secrets.
// +kubebuilder:validation:Enum=SecretsManager;ParameterStore
type AWSServiceType string
const (
// AWSServiceSecretsManager is the AWS SecretsManager.
// see: https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html
AWSServiceSecretsManager AWSServiceType = "SecretsManager"
// AWSServiceParameterStore is the AWS SystemsManager ParameterStore.
// see: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html
AWSServiceParameterStore AWSServiceType = "ParameterStore"
)
// AWSProvider configures a store to sync secrets with AWS.
type AWSProvider struct {
// Service defines which service should be used to fetch the secrets
Service AWSServiceType `json:"service"`
// Auth defines the information necessary to authenticate against AWS
// if not set aws sdk will infer credentials from your environment
// see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
// +optional
Auth AWSAuth `json:"auth"`
// Role is a Role ARN which the SecretManager provider will assume
// +optional
Role string `json:"role,omitempty"`
// AWS Region to be used for the provider
Region string `json:"region"`
}

62
apis/externalsecrets/v1beta1/secretstore_azurekv_types.go Normal file
View file

@ -0,0 +1,62 @@
/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1beta1
import smmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
// AuthType describes how to authenticate to the Azure Keyvault
// Only one of the following auth types may be specified.
// If none of the following auth type is specified, the default one
// is ServicePrincipal.
// +kubebuilder:validation:Enum=ServicePrincipal;ManagedIdentity
type AuthType string
const (
// Using service principal to authenticate, which needs a tenantId, a clientId and a clientSecret.
ServicePrincipal AuthType = "ServicePrincipal"
// Using Managed Identity to authenticate. Used with aad-pod-identity instelled in the clister.
ManagedIdentity AuthType = "ManagedIdentity"
)
// Configures an store to sync secrets using Azure KV.
type AzureKVProvider struct {
// Auth type defines how to authenticate to the keyvault service.
// Valid values are:
// - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
// - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
// +optional
// +kubebuilder:default=ServicePrincipal
AuthType *AuthType `json:"authType,omitempty"`
// Vault Url from which the secrets to be fetched from.
VaultURL *string `json:"vaultUrl"`
// TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
// +optional
TenantID *string `json:"tenantId,omitempty"`
// Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
// +optional
AuthSecretRef *AzureKVAuth `json:"authSecretRef,omitempty"`
// If multiple Managed Identity is assigned to the pod, you can select the one to be used
// +optional
IdentityID *string `json:"identityId,omitempty"`
}
// Configuration used to authenticate with Azure.
type AzureKVAuth struct {
// The Azure clientId of the service principle used for authentication.
ClientID *smmeta.SecretKeySelector `json:"clientId"`
// The Azure ClientSecret of the service principle used for authentication.
ClientSecret *smmeta.SecretKeySelector `json:"clientSecret"`
}

19
apis/externalsecrets/v1beta1/secretstore_conversion.go Normal file
View file

@ -0,0 +1,19 @@
/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1beta1
func (*SecretStore) Hub() {}
func (*ClusterSecretStore) Hub() {}

27
apis/externalsecrets/v1beta1/secretstore_fake_types.go Normal file
View file

@ -0,0 +1,27 @@
/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1beta1
// FakeProvider configures a fake provider that returns static values.
type FakeProvider struct {
Data []FakeProviderData `json:"data"`
}
type FakeProviderData struct {
Key string `json:"key"`
Value string `json:"value,omitempty"`
ValueMap map[string]string `json:"valueMap,omitempty"`
Version string `json:"version,omitempty"`
}

48
apis/externalsecrets/v1beta1/secretstore_gcpsm_types.go Normal file
View file

@ -0,0 +1,48 @@
/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1beta1
import (
esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
)
type GCPSMAuth struct {
// +optional
SecretRef *GCPSMAuthSecretRef `json:"secretRef,omitempty"`
// +optional
WorkloadIdentity *GCPWorkloadIdentity `json:"workloadIdentity,omitempty"`
}
type GCPSMAuthSecretRef struct {
// The SecretAccessKey is used for authentication
// +optional
SecretAccessKey esmeta.SecretKeySelector `json:"secretAccessKeySecretRef,omitempty"`
}
type GCPWorkloadIdentity struct {
ServiceAccountRef esmeta.ServiceAccountSelector `json:"serviceAccountRef"`
ClusterLocation string `json:"clusterLocation"`
ClusterName string `json:"clusterName"`
}
// GCPSMProvider Configures a store to sync secrets using the GCP Secret Manager provider.
type GCPSMProvider struct {
// Auth defines the information necessary to authenticate against GCP
// +optional
Auth GCPSMAuth `json:"auth,omitempty"`
// ProjectID project where secret is located
ProjectID string `json:"projectID,omitempty"`
}

40
apis/externalsecrets/v1beta1/secretstore_gitlab_types.go Normal file
View file

@ -0,0 +1,40 @@
/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1beta1
import (
esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
)
// Configures a store to sync secrets with a GitLab instance.
type GitlabProvider struct {
// URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
URL string `json:"url,omitempty"`
// Auth configures how secret-manager authenticates with a GitLab instance.
Auth GitlabAuth `json:"auth"`
// ProjectID specifies a project where secrets are located.
ProjectID string `json:"projectID,omitempty"`
}
type GitlabAuth struct {
SecretRef GitlabSecretRef `json:"SecretRef"`
}
type GitlabSecretRef struct {
// AccessToken is used for authentication.
AccessToken esmeta.SecretKeySelector `json:"accessToken,omitempty"`
}

39
apis/externalsecrets/v1beta1/secretstore_ibm_types.go Normal file
View file

@ -0,0 +1,39 @@
/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1beta1
import (
esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
)
// Configures an store to sync secrets using a IBM Cloud Secrets Manager
// backend.
type IBMProvider struct {
// Auth configures how secret-manager authenticates with the IBM secrets manager.
Auth IBMAuth `json:"auth"`
// ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
ServiceURL *string `json:"serviceUrl,omitempty"`
}
type IBMAuth struct {
SecretRef IBMAuthSecretRef `json:"secretRef"`
}
type IBMAuthSecretRef struct {
// The SecretAccessKey is used for authentication
// +optional
SecretAPIKey esmeta.SecretKeySelector `json:"secretApiKeySecretRef,omitempty"`
}

49
apis/externalsecrets/v1beta1/secretstore_oracle_types.go Normal file
View file

@ -0,0 +1,49 @@
/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1beta1
import (
esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
)
// Configures an store to sync secrets using a Oracle Vault
// backend.
type OracleProvider struct {
// Auth configures how secret-manager authenticates with the Oracle Vault.
Auth OracleAuth `json:"auth"`
// User is an access OCID specific to the account.
User string `json:"user,omitempty"`
// Tenancy is the tenancy OCID where secret is located.
Tenancy string `json:"tenancy,omitempty"`
// Region is the region where secret is located.
Region string `json:"region,omitempty"`
// Vault is the vault's OCID of the specific vault where secret is located.
Vault string `json:"vault,omitempty"`
}
type OracleAuth struct {
// SecretRef to pass through sensitive information.
SecretRef OracleSecretRef `json:"secretRef"`
}
type OracleSecretRef struct {
// PrivateKey is the user's API Signing Key in PEM format, used for authentication.
PrivateKey esmeta.SecretKeySelector `json:"privatekey,omitempty"`
// Fingerprint is the fingerprint of the API private key.
Fingerprint esmeta.SecretKeySelector `json:"fingerprint,omitempty"`
}

173
apis/externalsecrets/v1beta1/secretstore_types.go Normal file
View file

@ -0,0 +1,173 @@
/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1beta1
import (
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// SecretStoreSpec defines the desired state of SecretStore.
type SecretStoreSpec struct {
// Used to select the correct KES controller (think: ingress.ingressClassName)
// The KES controller is instantiated with a specific controller name and filters ES based on this property
// +optional
Controller string `json:"controller"`
// Used to configure the provider. Only one provider may be set
Provider *SecretStoreProvider `json:"provider"`
// Used to configure http retries if failed
// +optional
RetrySettings *SecretStoreRetrySettings `json:"retrySettings,omitempty"`
}
// SecretStoreProvider contains the provider-specific configration.
// +kubebuilder:validation:MinProperties=1
// +kubebuilder:validation:MaxProperties=1
type SecretStoreProvider struct {
// AWS configures this store to sync secrets using AWS Secret Manager provider
// +optional
AWS *AWSProvider `json:"aws,omitempty"`
// AzureKV configures this store to sync secrets using Azure Key Vault provider
// +optional
AzureKV *AzureKVProvider `json:"azurekv,omitempty"`
// Akeyless configures this store to sync secrets using Akeyless Vault provider
// +optional
Akeyless *AkeylessProvider `json:"akeyless,omitempty"`
// Vault configures this store to sync secrets using Hashi provider
// +optional
Vault *VaultProvider `json:"vault,omitempty"`
// GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
// +optional
GCPSM *GCPSMProvider `json:"gcpsm,omitempty"`
// Oracle configures this store to sync secrets using Oracle Vault provider
// +optional
Oracle *OracleProvider `json:"oracle,omitempty"`
// IBM configures this store to sync secrets using IBM Cloud provider
// +optional
IBM *IBMProvider `json:"ibm,omitempty"`
// YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
// +optional
YandexLockbox *YandexLockboxProvider `json:"yandexlockbox,omitempty"`
// GItlab configures this store to sync secrets using Gitlab Variables provider
// +optional
Gitlab *GitlabProvider `json:"gitlab,omitempty"`
// Alibaba configures this store to sync secrets using Alibaba Cloud provider
// +optional
Alibaba *AlibabaProvider `json:"alibaba,omitempty"`
// Webhook configures this store to sync secrets using a generic templated webhook
// +optional
Webhook *WebhookProvider `json:"webhook,omitempty"`
// Fake configures a store with static key/value pairs
// +optional
Fake *FakeProvider `json:"fake,omitempty"`
}
type SecretStoreRetrySettings struct {
MaxRetries *int32 `json:"maxRetries,omitempty"`
RetryInterval *string `json:"retryInterval,omitempty"`
}
type SecretStoreConditionType string
const (
SecretStoreReady SecretStoreConditionType = "Ready"
ReasonInvalidStore = "InvalidStoreConfiguration"
ReasonInvalidProviderConfig = "InvalidProviderConfig"
ReasonValidationFailed = "ValidationFailed"
ReasonStoreValid = "Valid"
)
type SecretStoreStatusCondition struct {
Type SecretStoreConditionType `json:"type"`
Status corev1.ConditionStatus `json:"status"`
// +optional
Reason string `json:"reason,omitempty"`
// +optional
Message string `json:"message,omitempty"`
// +optional
LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty"`
}
// SecretStoreStatus defines the observed state of the SecretStore.
type SecretStoreStatus struct {
// +optional
Conditions []SecretStoreStatusCondition `json:"conditions"`
}
// +kubebuilder:object:root=true
// +kubebuilder:storageversion
// SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].reason`
// +kubebuilder:subresource:status
// +kubebuilder:resource:scope=Namespaced,categories={externalsecrets},shortName=ss
type SecretStore struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
Spec SecretStoreSpec `json:"spec,omitempty"`
Status SecretStoreStatus `json:"status,omitempty"`
}
// +kubebuilder:object:root=true
// SecretStoreList contains a list of SecretStore resources.
type SecretStoreList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []SecretStore `json:"items"`
}
// +kubebuilder:object:root=true
// +kubebuilder:storageversion
// ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
// +kubebuilder:subresource:status
// +kubebuilder:resource:scope=Cluster,categories={externalsecrets},shortName=css
type ClusterSecretStore struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
Spec SecretStoreSpec `json:"spec,omitempty"`
Status SecretStoreStatus `json:"status,omitempty"`
}
// +kubebuilder:object:root=true
// ClusterSecretStoreList contains a list of ClusterSecretStore resources.
type ClusterSecretStoreList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []ClusterSecretStore `json:"items"`
}

235
apis/externalsecrets/v1beta1/secretstore_vault_types.go Normal file
View file

@ -0,0 +1,235 @@
/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1beta1
import (
esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
)
type VaultKVStoreVersion string
const (
VaultKVStoreV1 VaultKVStoreVersion = "v1"
VaultKVStoreV2 VaultKVStoreVersion = "v2"
)
type CAProviderType string
const (
CAProviderTypeSecret CAProviderType = "Secret"
CAProviderTypeConfigMap CAProviderType = "ConfigMap"
)
// Defines a location to fetch the cert for the vault provider from.
type CAProvider struct {
// The type of provider to use such as "Secret", or "ConfigMap".
// +kubebuilder:validation:Enum="Secret";"ConfigMap"
Type CAProviderType `json:"type"`
// The name of the object located at the provider type.
Name string `json:"name"`
// The key the value inside of the provider type to use, only used with "Secret" type
// +kubebuilder:validation:Optional
Key string `json:"key,omitempty"`
// The namespace the Provider type is in.
// +optional
Namespace *string `json:"namespace,omitempty"`
}
// Configures an store to sync secrets using a HashiCorp Vault
// KV backend.
type VaultProvider struct {
// Auth configures how secret-manager authenticates with the Vault server.
Auth VaultAuth `json:"auth"`
// Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".
Server string `json:"server"`
// Path is the mount path of the Vault KV backend endpoint, e.g:
// "secret". The v2 KV secret engine version specific "/data" path suffix
// for fetching secrets from Vault is optional and will be appended
// if not present in specified path.
// +optional
Path *string `json:"path"`
// Version is the Vault KV secret engine version. This can be either "v1" or
// "v2". Version defaults to "v2".
// +kubebuilder:validation:Optional
// +kubebuilder:validation:Enum="v1";"v2"
// +kubebuilder:default:="v2"
Version VaultKVStoreVersion `json:"version"`
// Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
// Vault environments to support Secure Multi-tenancy. e.g: "ns1".
// More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
// +optional
Namespace *string `json:"namespace,omitempty"`
// PEM encoded CA bundle used to validate Vault server certificate. Only used
// if the Server URL is using HTTPS protocol. This parameter is ignored for
// plain HTTP protocol connection. If not set the system root certificates
// are used to validate the TLS connection.
// +optional
CABundle []byte `json:"caBundle,omitempty"`
// The provider for the CA bundle to use to validate Vault server certificate.
// +optional
CAProvider *CAProvider `json:"caProvider,omitempty"`
// ReadYourWrites ensures isolated read-after-write semantics by
// providing discovered cluster replication states in each request.
// More information about eventual consistency in Vault can be found here
// https://www.vaultproject.io/docs/enterprise/consistency
// +optional
ReadYourWrites bool `json:"readYourWrites,omitempty"`
// ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
// leader instead of simply retrying within a loop. This can increase performance if
// the option is enabled serverside.
// https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
// +optional
ForwardInconsistent bool `json:"forwardInconsistent,omitempty"`
}
// VaultAuth is the configuration used to authenticate with a Vault server.
// Only one of `tokenSecretRef`, `appRole`, `kubernetes`, `ldap`, `jwt` or `cert`
// can be specified.
type VaultAuth struct {
// TokenSecretRef authenticates with Vault by presenting a token.
// +optional
TokenSecretRef *esmeta.SecretKeySelector `json:"tokenSecretRef,omitempty"`
// AppRole authenticates with Vault using the App Role auth mechanism,
// with the role and secret stored in a Kubernetes Secret resource.
// +optional
AppRole *VaultAppRole `json:"appRole,omitempty"`
// Kubernetes authenticates with Vault by passing the ServiceAccount
// token stored in the named Secret resource to the Vault server.
// +optional
Kubernetes *VaultKubernetesAuth `json:"kubernetes,omitempty"`
// Ldap authenticates with Vault by passing username/password pair using
// the LDAP authentication method
// +optional
Ldap *VaultLdapAuth `json:"ldap,omitempty"`
// Jwt authenticates with Vault by passing role and JWT token using the
// JWT/OIDC authentication method
// +optional
Jwt *VaultJwtAuth `json:"jwt,omitempty"`
// Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
// Cert authentication method
// +optional
Cert *VaultCertAuth `json:"cert,omitempty"`
}
// VaultAppRole authenticates with Vault using the App Role auth mechanism,
// with the role and secret stored in a Kubernetes Secret resource.
type VaultAppRole struct {
// Path where the App Role authentication backend is mounted
// in Vault, e.g: "approle"
// +kubebuilder:default=approle
Path string `json:"path"`
// RoleID configured in the App Role authentication backend when setting
// up the authentication backend in Vault.
RoleID string `json:"roleId"`
// Reference to a key in a Secret that contains the App Role secret used
// to authenticate with Vault.
// The `key` field must be specified and denotes which entry within the Secret
// resource is used as the app role secret.
SecretRef esmeta.SecretKeySelector `json:"secretRef"`
}
// Authenticate against Vault using a Kubernetes ServiceAccount token stored in
// a Secret.
type VaultKubernetesAuth struct {
// Path where the Kubernetes authentication backend is mounted in Vault, e.g:
// "kubernetes"
// +kubebuilder:default=kubernetes
Path string `json:"mountPath"`
// Optional service account field containing the name of a kubernetes ServiceAccount.
// If the service account is specified, the service account secret token JWT will be used
// for authenticating with Vault. If the service account selector is not supplied,
// the secretRef will be used instead.
// +optional
ServiceAccountRef *esmeta.ServiceAccountSelector `json:"serviceAccountRef,omitempty"`
// Optional secret field containing a Kubernetes ServiceAccount JWT used
// for authenticating with Vault. If a name is specified without a key,
// `token` is the default. If one is not specified, the one bound to
// the controller will be used.
// +optional
SecretRef *esmeta.SecretKeySelector `json:"secretRef,omitempty"`
// A required field containing the Vault Role to assume. A Role binds a
// Kubernetes ServiceAccount with a set of Vault policies.
Role string `json:"role"`
}
// VaultLdapAuth authenticates with Vault using the LDAP authentication method,
// with the username and password stored in a Kubernetes Secret resource.
type VaultLdapAuth struct {
// Path where the LDAP authentication backend is mounted
// in Vault, e.g: "ldap"
// +kubebuilder:default=ldap
Path string `json:"path"`
// Username is a LDAP user name used to authenticate using the LDAP Vault
// authentication method
Username string `json:"username"`
// SecretRef to a key in a Secret resource containing password for the LDAP
// user used to authenticate with Vault using the LDAP authentication
// method
SecretRef esmeta.SecretKeySelector `json:"secretRef,omitempty"`
}
// VaultJwtAuth authenticates with Vault using the JWT/OIDC authentication
// method, with the role name and token stored in a Kubernetes Secret resource.
type VaultJwtAuth struct {
// Path where the JWT authentication backend is mounted
// in Vault, e.g: "jwt"
// +kubebuilder:default=jwt
Path string `json:"path"`
// Role is a JWT role to authenticate using the JWT/OIDC Vault
// authentication method
// +optional
Role string `json:"role"`
// SecretRef to a key in a Secret resource containing JWT token to
// authenticate with Vault using the JWT/OIDC authentication method
SecretRef esmeta.SecretKeySelector `json:"secretRef,omitempty"`
}
// VaultJwtAuth authenticates with Vault using the JWT/OIDC authentication
// method, with the role name and token stored in a Kubernetes Secret resource.
type VaultCertAuth struct {
// ClientCert is a certificate to authenticate using the Cert Vault
// authentication method
// +optional
ClientCert esmeta.SecretKeySelector `json:"clientCert,omitempty"`
// SecretRef to a key in a Secret resource containing client private key to
// authenticate with Vault using the Cert authentication method
SecretRef esmeta.SecretKeySelector `json:"secretRef,omitempty"`
}

34
apis/externalsecrets/v1beta1/secretstore_webhook.go Normal file
View file

@ -0,0 +1,34 @@
/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1beta1
import (
ctrl "sigs.k8s.io/controller-runtime"
)
// log is for logging in this package.
// var secretStorelog = logf.Log.WithName("secretStore-resource")
func (c *SecretStore) SetupWebhookWithManager(mgr ctrl.Manager) error {
return ctrl.NewWebhookManagedBy(mgr).
For(c).
Complete()
}
func (c *ClusterSecretStore) SetupWebhookWithManager(mgr ctrl.Manager) error {
return ctrl.NewWebhookManagedBy(mgr).
For(c).
Complete()
}

101
apis/externalsecrets/v1beta1/secretstore_webhook_types.go Normal file
View file

@ -0,0 +1,101 @@
/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1beta1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
)
// AkeylessProvider Configures an store to sync secrets using Akeyless KV.
type WebhookProvider struct {
// Webhook Method
// +optional, default GET
Method string `json:"method,omitempty"`
// Webhook url to call
URL string `json:"url"`
// Headers
// +optional
Headers map[string]string `json:"headers,omitempty"`
// Body
// +optional
Body string `json:"body,omitempty"`
// Timeout
// +optional
Timeout *metav1.Duration `json:"timeout,omitempty"`
// Result formatting
Result WebhookResult `json:"result"`
// Secrets to fill in templates
// These secrets will be passed to the templating function as key value pairs under the given name
// +optional
Secrets []WebhookSecret `json:"secrets,omitempty"`
// PEM encoded CA bundle used to validate webhook server certificate. Only used
// if the Server URL is using HTTPS protocol. This parameter is ignored for
// plain HTTP protocol connection. If not set the system root certificates
// are used to validate the TLS connection.
// +optional
CABundle []byte `json:"caBundle,omitempty"`
// The provider for the CA bundle to use to validate webhook server certificate.
// +optional
CAProvider *WebhookCAProvider `json:"caProvider,omitempty"`
}
type WebhookCAProviderType string
const (
WebhookCAProviderTypeSecret WebhookCAProviderType = "Secret"
WebhookCAProviderTypeConfigMap WebhookCAProviderType = "ConfigMap"
)
// Defines a location to fetch the cert for the webhook provider from.
type WebhookCAProvider struct {
// The type of provider to use such as "Secret", or "ConfigMap".
// +kubebuilder:validation:Enum="Secret";"ConfigMap"
Type WebhookCAProviderType `json:"type"`
// The name of the object located at the provider type.
Name string `json:"name"`
// The key the value inside of the provider type to use, only used with "Secret" type
// +kubebuilder:validation:Optional
Key string `json:"key,omitempty"`
// The namespace the Provider type is in.
// +optional
Namespace *string `json:"namespace,omitempty"`
}
type WebhookResult struct {
// Json path of return value
// +optional
JSONPath string `json:"jsonPath,omitempty"`
}
type WebhookSecret struct {
// Name of this secret in templates
Name string `json:"name"`
// Secret ref to fill in credentials
SecretRef esmeta.SecretKeySelector `json:"secretRef"`
}

43
apis/externalsecrets/v1beta1/secretstore_yandexlockbox_types.go Normal file
View file

@ -0,0 +1,43 @@
/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1beta1
import (
esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
)
type YandexLockboxAuth struct {
// The authorized key used for authentication
// +optional
AuthorizedKey esmeta.SecretKeySelector `json:"authorizedKeySecretRef,omitempty"`
}
type YandexLockboxCAProvider struct {
Certificate esmeta.SecretKeySelector `json:"certSecretRef,omitempty"`
}
// YandexLockboxProvider Configures a store to sync secrets using the Yandex Lockbox provider.
type YandexLockboxProvider struct {
// Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
// +optional
APIEndpoint string `json:"apiEndpoint,omitempty"`
// Auth defines the information necessary to authenticate against Yandex Lockbox
Auth YandexLockboxAuth `json:"auth"`
// The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
// +optional
CAProvider *YandexLockboxCAProvider `json:"caProvider,omitempty"`
}

1541
apis/externalsecrets/v1beta1/zz_generated.deepcopy.go Normal file
View file

File diff suppressed because it is too large Load diff

1145
deploy/crds/external-secrets.io_clustersecretstores.yaml
View file

File diff suppressed because it is too large Load diff

251
deploy/crds/external-secrets.io_externalsecrets.yaml
View file

@ -244,6 +244,257 @@ spec:
type: object
type: object
served: true
storage: false
subresources:
status: {}
- additionalPrinterColumns:
- jsonPath: .spec.secretStoreRef.name
name: Store
type: string
- jsonPath: .spec.refreshInterval
name: Refresh Interval
type: string
- jsonPath: .status.conditions[?(@.type=="Ready")].reason
name: Status
type: string
name: v1beta1
schema:
openAPIV3Schema:
description: ExternalSecret is the Schema for the external-secrets API.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ExternalSecretSpec defines the desired state of ExternalSecret.
properties:
data:
description: Data defines the connection between the Kubernetes Secret
keys and the Provider data
items:
description: ExternalSecretData defines the connection between the
Kubernetes Secret key (spec.data.<key>) and the Provider data.
properties:
remoteRef:
description: ExternalSecretDataRemoteRef defines Provider data
location.
properties:
key:
description: Key is the key used in the Provider, mandatory
type: string
property:
description: Used to select a specific property of the Provider
value (if a map), if supported
type: string
version:
description: Used to select a specific version of the Provider
value, if supported
type: string
required:
- key
type: object
secretKey:
type: string
required:
- remoteRef
- secretKey
type: object
type: array
dataFrom:
description: DataFrom is used to fetch all properties from a specific
Provider data If multiple entries are specified, the Secret keys
are merged in the specified order
items:
properties:
extract:
description: Used to select a specific version and property
from the secret
properties:
key:
description: Key is the key used in the Provider, mandatory
type: string
property:
description: Used to select a specific property of the Provider
value (if a map), if supported
type: string
version:
description: Used to select a specific version of the Provider
value, if supported
type: string
required:
- key
type: object
find:
description: Used to find secrets based on tags or regular expressions
properties:
name:
description: Key is the key used in the Provider
properties:
regexp:
description: Used to select multiple secrets based on
a regular expression of the name
type: string
type: object
tags:
additionalProperties:
type: string
description: Used to select a specific version of the Provider
value, if supported
type: object
type: object
type: object
type: array
refreshInterval:
default: 1h
description: RefreshInterval is the amount of time before the values
are read again from the SecretStore provider Valid time units are
"ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to
fetch and create it once. Defaults to 1h.
type: string
secretStoreRef:
description: SecretStoreRef defines which SecretStore to fetch the
ExternalSecret data.
properties:
kind:
description: Kind of the SecretStore resource (SecretStore or
ClusterSecretStore) Defaults to `SecretStore`
type: string
name:
description: Name of the SecretStore resource
type: string
required:
- name
type: object
target:
description: ExternalSecretTarget defines the Kubernetes Secret to
be created There can be only one target per ExternalSecret.
properties:
creationPolicy:
default: Owner
description: CreationPolicy defines rules on how to create the
resulting Secret Defaults to 'Owner'
type: string
immutable:
description: Immutable defines if the final secret will be immutable
type: boolean
name:
description: Name defines the name of the Secret resource to be
managed This field is immutable Defaults to the .metadata.name
of the ExternalSecret resource
type: string
template:
description: Template defines a blueprint for the created Secret
resource.
properties:
data:
additionalProperties:
type: string
type: object
metadata:
description: ExternalSecretTemplateMetadata defines metadata
fields for the Secret blueprint.
properties:
annotations:
additionalProperties:
type: string
type: object
labels:
additionalProperties:
type: string
type: object
type: object
templateFrom:
items:
maxProperties: 1
minProperties: 1
properties:
configMap:
properties:
items:
items:
properties:
key:
type: string
required:
- key
type: object
type: array
name:
type: string
required:
- items
- name
type: object
secret:
properties:
items:
items:
properties:
key:
type: string
required:
- key
type: object
type: array
name:
type: string
required:
- items
- name
type: object
type: object
type: array
type:
type: string
type: object
type: object
required:
- secretStoreRef
- target
type: object
status:
properties:
conditions:
items:
properties:
lastTransitionTime:
format: date-time
type: string
message:
type: string
reason:
type: string
status:
type: string
type:
type: string
required:
- status
- type
type: object
type: array
refreshTime:
description: refreshTime is the time and date the external secret
was fetched and the target secret updated
format: date-time
nullable: true
type: string
syncedResourceVersion:
description: SyncedResourceVersion keeps track of the last synced
version
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}

1148
deploy/crds/external-secrets.io_secretstores.yaml
View file

File diff suppressed because it is too large Load diff

4
main.go
View file

@ -27,7 +27,7 @@ import (
"sigs.k8s.io/controller-runtime/pkg/controller"
"sigs.k8s.io/controller-runtime/pkg/log/zap"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
"github.com/external-secrets/external-secrets/pkg/controllers/externalsecret"
"github.com/external-secrets/external-secrets/pkg/controllers/secretstore"
)
@ -41,7 +41,7 @@ const errCreateController = "unable to create controller"
func init() {
_ = clientgoscheme.AddToScheme(scheme)
_ = esv1alpha1.AddToScheme(scheme)
_ = esv1beta1.AddToScheme(scheme)
}
func main() {

69
pkg/controllers/externalsecret/externalsecret_controller.go
View file

@ -33,7 +33,7 @@ import (
"sigs.k8s.io/controller-runtime/pkg/controller"
"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
"github.com/external-secrets/external-secrets/pkg/controllers/secretstore"
"github.com/external-secrets/external-secrets/pkg/provider"
@ -88,13 +88,13 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
syncCallsMetricLabels := prometheus.Labels{"name": req.Name, "namespace": req.Namespace}
var externalSecret esv1alpha1.ExternalSecret
var externalSecret esv1beta1.ExternalSecret
err := r.Get(ctx, req.NamespacedName, &externalSecret)
if apierrors.IsNotFound(err) {
syncCallsTotal.With(syncCallsMetricLabels).Inc()
conditionSynced := NewExternalSecretCondition(esv1alpha1.ExternalSecretDeleted, v1.ConditionFalse, esv1alpha1.ConditionReasonSecretDeleted, "Secret was deleted")
SetExternalSecretCondition(&esv1alpha1.ExternalSecret{
conditionSynced := NewExternalSecretCondition(esv1beta1.ExternalSecretDeleted, v1.ConditionFalse, esv1beta1.ConditionReasonSecretDeleted, "Secret was deleted")
SetExternalSecretCondition(&esv1beta1.ExternalSecret{
ObjectMeta: metav1.ObjectMeta{
Name: req.Name,
Namespace: req.Namespace,
@ -119,8 +119,8 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
store, err := r.getStore(ctx, &externalSecret)
if err != nil {
log.Error(err, errStoreRef)
r.recorder.Event(&externalSecret, v1.EventTypeWarning, esv1alpha1.ReasonInvalidStoreRef, err.Error())
conditionSynced := NewExternalSecretCondition(esv1alpha1.ExternalSecretReady, v1.ConditionFalse, esv1alpha1.ConditionReasonSecretSyncedError, errStoreRef)
r.recorder.Event(&externalSecret, v1.EventTypeWarning, esv1beta1.ReasonInvalidStoreRef, err.Error())
conditionSynced := NewExternalSecretCondition(esv1beta1.ExternalSecretReady, v1.ConditionFalse, esv1beta1.ConditionReasonSecretSyncedError, errStoreRef)
SetExternalSecretCondition(&externalSecret, *conditionSynced)
syncCallsError.With(syncCallsMetricLabels).Inc()
return ctrl.Result{RequeueAfter: requeueAfter}, nil
@ -144,9 +144,9 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
secretClient, err := storeProvider.NewClient(ctx, store, r.Client, req.Namespace)
if err != nil {
log.Error(err, errStoreClient)
conditionSynced := NewExternalSecretCondition(esv1alpha1.ExternalSecretReady, v1.ConditionFalse, esv1alpha1.ConditionReasonSecretSyncedError, errStoreClient)
conditionSynced := NewExternalSecretCondition(esv1beta1.ExternalSecretReady, v1.ConditionFalse, esv1beta1.ConditionReasonSecretSyncedError, errStoreClient)
SetExternalSecretCondition(&externalSecret, *conditionSynced)
r.recorder.Event(&externalSecret, v1.EventTypeWarning, esv1alpha1.ReasonProviderClientConfig, err.Error())
r.recorder.Event(&externalSecret, v1.EventTypeWarning, esv1beta1.ReasonProviderClientConfig, err.Error())
syncCallsError.With(syncCallsMetricLabels).Inc()
return ctrl.Result{RequeueAfter: requeueAfter}, nil
}
@ -205,7 +205,7 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
}
mutationFunc := func() error {
if externalSecret.Spec.Target.CreationPolicy == esv1alpha1.Owner {
if externalSecret.Spec.Target.CreationPolicy == esv1beta1.Owner {
err = controllerutil.SetControllerReference(&externalSecret, &secret.ObjectMeta, r.Scheme)
if err != nil {
return fmt.Errorf(errSetCtrlReference, err)
@ -227,9 +227,9 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
// nolint
switch externalSecret.Spec.Target.CreationPolicy {
case esv1alpha1.Merge:
case esv1beta1.Merge:
err = patchSecret(ctx, r.Client, r.Scheme, secret, mutationFunc)
case esv1alpha1.None:
case esv1beta1.None:
log.V(1).Info("secret creation skipped due to creationPolicy=None")
err = nil
default:
@ -238,16 +238,16 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
if err != nil {
log.Error(err, errUpdateSecret)
r.recorder.Event(&externalSecret, v1.EventTypeWarning, esv1alpha1.ReasonUpdateFailed, err.Error())
conditionSynced := NewExternalSecretCondition(esv1alpha1.ExternalSecretReady, v1.ConditionFalse, esv1alpha1.ConditionReasonSecretSyncedError, errUpdateSecret)
r.recorder.Event(&externalSecret, v1.EventTypeWarning, esv1beta1.ReasonUpdateFailed, err.Error())
conditionSynced := NewExternalSecretCondition(esv1beta1.ExternalSecretReady, v1.ConditionFalse, esv1beta1.ConditionReasonSecretSyncedError, errUpdateSecret)
SetExternalSecretCondition(&externalSecret, *conditionSynced)
syncCallsError.With(syncCallsMetricLabels).Inc()
return ctrl.Result{RequeueAfter: requeueAfter}, nil
}
r.recorder.Event(&externalSecret, v1.EventTypeNormal, esv1alpha1.ReasonUpdated, "Updated Secret")
conditionSynced := NewExternalSecretCondition(esv1alpha1.ExternalSecretReady, v1.ConditionTrue, esv1alpha1.ConditionReasonSecretSynced, "Secret was synced")
currCond := GetExternalSecretCondition(externalSecret.Status, esv1alpha1.ExternalSecretReady)
r.recorder.Event(&externalSecret, v1.EventTypeNormal, esv1beta1.ReasonUpdated, "Updated Secret")
conditionSynced := NewExternalSecretCondition(esv1beta1.ExternalSecretReady, v1.ConditionTrue, esv1beta1.ConditionReasonSecretSynced, "Secret was synced")
currCond := GetExternalSecretCondition(externalSecret.Status, esv1beta1.ExternalSecretReady)
SetExternalSecretCondition(&externalSecret, *conditionSynced)
externalSecret.Status.RefreshTime = metav1.NewTime(time.Now())
externalSecret.Status.SyncedResourceVersion = getResourceVersion(externalSecret)
@ -304,7 +304,7 @@ func patchSecret(ctx context.Context, c client.Client, scheme *runtime.Scheme, s
return nil
}
func getResourceVersion(es esv1alpha1.ExternalSecret) string {
func getResourceVersion(es esv1beta1.ExternalSecret) string {
return fmt.Sprintf("%d-%s", es.ObjectMeta.GetGeneration(), hashMeta(es.ObjectMeta))
}
@ -319,7 +319,7 @@ func hashMeta(m metav1.ObjectMeta) string {
})
}
func shouldRefresh(es esv1alpha1.ExternalSecret) bool {
func shouldRefresh(es esv1beta1.ExternalSecret) bool {
// refresh if resource version changed
if es.Status.SyncedResourceVersion != getResourceVersion(es) {
return true
@ -335,14 +335,14 @@ func shouldRefresh(es esv1alpha1.ExternalSecret) bool {
return !es.Status.RefreshTime.Add(es.Spec.RefreshInterval.Duration).After(time.Now())
}
func shouldReconcile(es esv1alpha1.ExternalSecret) bool {
func shouldReconcile(es esv1beta1.ExternalSecret) bool {
if es.Spec.Target.Immutable && hasSyncedCondition(es) {
return false
}
return true
}
func hasSyncedCondition(es esv1alpha1.ExternalSecret) bool {
func hasSyncedCondition(es esv1beta1.ExternalSecret) bool {
for _, condition := range es.Status.Conditions {
if condition.Reason == "SecretSynced" {
return true
@ -359,20 +359,20 @@ func isSecretValid(existingSecret v1.Secret) bool {
}
// if the calculated hash is different from the calculation, then it's invalid
if existingSecret.Annotations[esv1alpha1.AnnotationDataHash] != utils.ObjectHash(existingSecret.Data) {
if existingSecret.Annotations[esv1beta1.AnnotationDataHash] != utils.ObjectHash(existingSecret.Data) {
return false
}
return true
}
// getStore returns the store with the provided ExternalSecret.
func (r *Reconciler) getStore(ctx context.Context, externalSecret *esv1alpha1.ExternalSecret) (esv1alpha1.GenericStore, error) {
func (r *Reconciler) getStore(ctx context.Context, externalSecret *esv1beta1.ExternalSecret) (esv1beta1.GenericStore, error) {
ref := types.NamespacedName{
Name: externalSecret.Spec.SecretStoreRef.Name,
}
if externalSecret.Spec.SecretStoreRef.Kind == esv1alpha1.ClusterSecretStoreKind {
var store esv1alpha1.ClusterSecretStore
if externalSecret.Spec.SecretStoreRef.Kind == esv1beta1.ClusterSecretStoreKind {
var store esv1beta1.ClusterSecretStore
err := r.Get(ctx, ref, &store)
if err != nil {
return nil, fmt.Errorf(errGetClusterSecretStore, ref.Name, err)
@ -383,7 +383,7 @@ func (r *Reconciler) getStore(ctx context.Context, externalSecret *esv1alpha1.Ex
ref.Namespace = externalSecret.Namespace
var store esv1alpha1.SecretStore
var store esv1beta1.SecretStore
err := r.Get(ctx, ref, &store)
if err != nil {
return nil, fmt.Errorf(errGetSecretStore, ref.Name, err)
@ -392,13 +392,22 @@ func (r *Reconciler) getStore(ctx context.Context, externalSecret *esv1alpha1.Ex
}
// getProviderSecretData returns the provider's secret data with the provided ExternalSecret.
func (r *Reconciler) getProviderSecretData(ctx context.Context, providerClient provider.SecretsClient, externalSecret *esv1alpha1.ExternalSecret) (map[string][]byte, error) {
func (r *Reconciler) getProviderSecretData(ctx context.Context, providerClient provider.SecretsClient, externalSecret *esv1beta1.ExternalSecret) (map[string][]byte, error) {
providerData := make(map[string][]byte)
for _, remoteRef := range externalSecret.Spec.DataFrom {
secretMap, err := providerClient.GetSecretMap(ctx, remoteRef)
if err != nil {
return nil, fmt.Errorf(errGetSecretKey, remoteRef.Key, externalSecret.Name, err)
var secretMap map[string][]byte
var err error
if len(remoteRef.Find.Tags) > 0 || len(remoteRef.Find.Name.RegExp) > 0 {
secretMap, err = providerClient.GetAllSecrets(ctx, remoteRef.Find)
if err != nil {
return nil, fmt.Errorf(errGetSecretKey, remoteRef.Extract.Key, externalSecret.Name, err)
}
} else if remoteRef.Extract.Key != "" {
secretMap, err = providerClient.GetSecretMap(ctx, remoteRef.Extract)
if err != nil {
return nil, fmt.Errorf(errGetSecretKey, remoteRef.Extract.Key, externalSecret.Name, err)
}
}
providerData = utils.MergeByteMap(providerData, secretMap)
@ -422,7 +431,7 @@ func (r *Reconciler) SetupWithManager(mgr ctrl.Manager, opts controller.Options)
return ctrl.NewControllerManagedBy(mgr).
WithOptions(opts).
For(&esv1alpha1.ExternalSecret{}).
For(&esv1beta1.ExternalSecret{}).
Owns(&v1.Secret{}).
Complete(r)
}

16
pkg/controllers/externalsecret/externalsecret_controller_template.go
View file

@ -22,7 +22,7 @@ import (
"k8s.io/apimachinery/pkg/types"
"sigs.k8s.io/controller-runtime/pkg/client"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
// Loading registered providers.
_ "github.com/external-secrets/external-secrets/pkg/provider/register"
@ -34,13 +34,13 @@ import (
// * template.Data (highest precedence)
// * template.templateFrom
// * secret via es.data or es.dataFrom.
func (r *Reconciler) applyTemplate(ctx context.Context, es *esv1alpha1.ExternalSecret, secret *v1.Secret, dataMap map[string][]byte) error {
func (r *Reconciler) applyTemplate(ctx context.Context, es *esv1beta1.ExternalSecret, secret *v1.Secret, dataMap map[string][]byte) error {
mergeMetadata(secret, es)
// no template: copy data and return
if es.Spec.Target.Template == nil {
secret.Data = dataMap
secret.Annotations[esv1alpha1.AnnotationDataHash] = utils.ObjectHash(secret.Data)
secret.Annotations[esv1beta1.AnnotationDataHash] = utils.ObjectHash(secret.Data)
return nil
}
@ -66,14 +66,14 @@ func (r *Reconciler) applyTemplate(ctx context.Context, es *esv1alpha1.ExternalS
if len(es.Spec.Target.Template.Data) == 0 {
secret.Data = dataMap
}
secret.Annotations[esv1alpha1.AnnotationDataHash] = utils.ObjectHash(secret.Data)
secret.Annotations[esv1beta1.AnnotationDataHash] = utils.ObjectHash(secret.Data)
return nil
}
// we do not want to force-override the label/annotations
// and only copy the necessary key/value pairs.
func mergeMetadata(secret *v1.Secret, externalSecret *esv1alpha1.ExternalSecret) {
func mergeMetadata(secret *v1.Secret, externalSecret *esv1beta1.ExternalSecret) {
if secret.ObjectMeta.Labels == nil {
secret.ObjectMeta.Labels = make(map[string]string)
}
@ -91,7 +91,7 @@ func mergeMetadata(secret *v1.Secret, externalSecret *esv1alpha1.ExternalSecret)
utils.MergeStringMap(secret.ObjectMeta.Annotations, externalSecret.Spec.Target.Template.Metadata.Annotations)
}
func (r *Reconciler) getTemplateData(ctx context.Context, externalSecret *esv1alpha1.ExternalSecret) (map[string][]byte, error) {
func (r *Reconciler) getTemplateData(ctx context.Context, externalSecret *esv1beta1.ExternalSecret) (map[string][]byte, error) {
out := make(map[string][]byte)
if externalSecret.Spec.Target.Template == nil {
return out, nil
@ -109,7 +109,7 @@ func (r *Reconciler) getTemplateData(ctx context.Context, externalSecret *esv1al
return out, nil
}
func mergeConfigMap(ctx context.Context, k8sClient client.Client, es *esv1alpha1.ExternalSecret, tpl esv1alpha1.TemplateFrom, out map[string][]byte) error {
func mergeConfigMap(ctx context.Context, k8sClient client.Client, es *esv1beta1.ExternalSecret, tpl esv1beta1.TemplateFrom, out map[string][]byte) error {
if tpl.ConfigMap == nil {
return nil
}
@ -132,7 +132,7 @@ func mergeConfigMap(ctx context.Context, k8sClient client.Client, es *esv1alpha1
return nil
}
func mergeSecret(ctx context.Context, k8sClient client.Client, es *esv1alpha1.ExternalSecret, tpl esv1alpha1.TemplateFrom, out map[string][]byte) error {
func mergeSecret(ctx context.Context, k8sClient client.Client, es *esv1beta1.ExternalSecret, tpl esv1beta1.TemplateFrom, out map[string][]byte) error {
if tpl.Secret == nil {
return nil
}

310
pkg/controllers/externalsecret/externalsecret_controller_test.go
View file

@ -29,7 +29,7 @@ import (
"k8s.io/apimachinery/pkg/util/wait"
"sigs.k8s.io/controller-runtime/pkg/client"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
"github.com/external-secrets/external-secrets/pkg/provider"
"github.com/external-secrets/external-secrets/pkg/provider/schema"
"github.com/external-secrets/external-secrets/pkg/provider/testing/fake"
@ -43,19 +43,19 @@ var (
)
type testCase struct {
secretStore *esv1alpha1.SecretStore
externalSecret *esv1alpha1.ExternalSecret
secretStore *esv1beta1.SecretStore
externalSecret *esv1beta1.ExternalSecret
// checkCondition should return true if the externalSecret
// has the expected condition
checkCondition func(*esv1alpha1.ExternalSecret) bool
checkCondition func(*esv1beta1.ExternalSecret) bool
// checkExternalSecret is called after the condition has been verified
// use this to verify the externalSecret
checkExternalSecret func(*esv1alpha1.ExternalSecret)
checkExternalSecret func(*esv1beta1.ExternalSecret)
// optional. use this to test the secret value
checkSecret func(*esv1alpha1.ExternalSecret, *v1.Secret)
checkSecret func(*esv1beta1.ExternalSecret, *v1.Secret)
}
type testTweaks func(*testCase)
@ -98,7 +98,7 @@ var _ = Describe("Kind=secret existence logic", func() {
ObjectMeta: metav1.ObjectMeta{
UID: "xxx",
Annotations: map[string]string{
esv1alpha1.AnnotationDataHash: "xxxxxx",
esv1beta1.AnnotationDataHash: "xxxxxx",
},
},
},
@ -110,7 +110,7 @@ var _ = Describe("Kind=secret existence logic", func() {
ObjectMeta: metav1.ObjectMeta{
UID: "xxx",
Annotations: map[string]string{
esv1alpha1.AnnotationDataHash: "caa0155759a6a9b3b6ada5a6883ee2bb",
esv1beta1.AnnotationDataHash: "caa0155759a6a9b3b6ada5a6883ee2bb",
},
},
Data: map[string][]byte{
@ -165,7 +165,7 @@ var _ = Describe("ExternalSecret controller", func() {
Name: ExternalSecretNamespace,
},
}, client.PropagationPolicy(metav1.DeletePropagationBackground)), client.GracePeriodSeconds(0)).To(Succeed())
Expect(k8sClient.Delete(context.Background(), &esv1alpha1.SecretStore{
Expect(k8sClient.Delete(context.Background(), &esv1beta1.SecretStore{
ObjectMeta: metav1.ObjectMeta{
Name: ExternalSecretStore,
Namespace: ExternalSecretNamespace,
@ -180,43 +180,43 @@ var _ = Describe("ExternalSecret controller", func() {
makeDefaultTestcase := func() *testCase {
return &testCase{
// default condition: es should be ready
checkCondition: func(es *esv1alpha1.ExternalSecret) bool {
cond := GetExternalSecretCondition(es.Status, esv1alpha1.ExternalSecretReady)
checkCondition: func(es *esv1beta1.ExternalSecret) bool {
cond := GetExternalSecretCondition(es.Status, esv1beta1.ExternalSecretReady)
if cond == nil || cond.Status != v1.ConditionTrue {
return false
}
return true
},
checkExternalSecret: func(es *esv1alpha1.ExternalSecret) {},
secretStore: &esv1alpha1.SecretStore{
checkExternalSecret: func(es *esv1beta1.ExternalSecret) {},
secretStore: &esv1beta1.SecretStore{
ObjectMeta: metav1.ObjectMeta{
Name: ExternalSecretStore,
Namespace: ExternalSecretNamespace,
},
Spec: esv1alpha1.SecretStoreSpec{
Provider: &esv1alpha1.SecretStoreProvider{
AWS: &esv1alpha1.AWSProvider{
Service: esv1alpha1.AWSServiceSecretsManager,
Spec: esv1beta1.SecretStoreSpec{
Provider: &esv1beta1.SecretStoreProvider{
AWS: &esv1beta1.AWSProvider{
Service: esv1beta1.AWSServiceSecretsManager,
},
},
},
},
externalSecret: &esv1alpha1.ExternalSecret{
externalSecret: &esv1beta1.ExternalSecret{
ObjectMeta: metav1.ObjectMeta{
Name: ExternalSecretName,
Namespace: ExternalSecretNamespace,
},
Spec: esv1alpha1.ExternalSecretSpec{
SecretStoreRef: esv1alpha1.SecretStoreRef{
Spec: esv1beta1.ExternalSecretSpec{
SecretStoreRef: esv1beta1.SecretStoreRef{
Name: ExternalSecretStore,
},
Target: esv1alpha1.ExternalSecretTarget{
Target: esv1beta1.ExternalSecretTarget{
Name: ExternalSecretTargetSecretName,
},
Data: []esv1alpha1.ExternalSecretData{
Data: []esv1beta1.ExternalSecretData{
{
SecretKey: targetProp,
RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
RemoteRef: esv1beta1.ExternalSecretDataRemoteRef{
Key: remoteKey,
Property: remoteProperty,
},
@ -230,7 +230,7 @@ var _ = Describe("ExternalSecret controller", func() {
// if target Secret name is not specified it should use the ExternalSecret name.
syncWithoutTargetName := func(tc *testCase) {
tc.externalSecret.Spec.Target.Name = ""
tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
tc.checkSecret = func(es *esv1beta1.ExternalSecret, secret *v1.Secret) {
// check secret name
Expect(secret.ObjectMeta.Name).To(Equal(ExternalSecretName))
@ -248,7 +248,7 @@ var _ = Describe("ExternalSecret controller", func() {
"hihihih": "hehehe",
}
fakeProvider.WithGetSecret([]byte(secretVal), nil)
tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
tc.checkSecret = func(es *esv1beta1.ExternalSecret, secret *v1.Secret) {
// check value
Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
@ -265,9 +265,9 @@ var _ = Describe("ExternalSecret controller", func() {
checkPrometheusCounters := func(tc *testCase) {
const secretVal = "someValue"
fakeProvider.WithGetSecret([]byte(secretVal), nil)
tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha1.ExternalSecretReady, v1.ConditionFalse, 0.0)).To(BeTrue())
Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha1.ExternalSecretReady, v1.ConditionTrue, 1.0)).To(BeTrue())
tc.checkSecret = func(es *esv1beta1.ExternalSecret, secret *v1.Secret) {
Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1beta1.ExternalSecretReady, v1.ConditionFalse, 0.0)).To(BeTrue())
Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1beta1.ExternalSecretReady, v1.ConditionTrue, 1.0)).To(BeTrue())
Eventually(func() bool {
Expect(syncCallsTotal.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metric)).To(Succeed())
return metric.GetCounter().GetValue() == 1.0
@ -282,7 +282,7 @@ var _ = Describe("ExternalSecret controller", func() {
const secretVal = "someValue"
const existingKey = "pre-existing-key"
existingVal := "pre-existing-value"
tc.externalSecret.Spec.Target.CreationPolicy = esv1alpha1.Merge
tc.externalSecret.Spec.Target.CreationPolicy = esv1beta1.Merge
// create secret beforehand
Expect(k8sClient.Create(context.Background(), &v1.Secret{
@ -296,7 +296,7 @@ var _ = Describe("ExternalSecret controller", func() {
}, client.FieldOwner(FakeManager))).To(Succeed())
fakeProvider.WithGetSecret([]byte(secretVal), nil)
tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
tc.checkSecret = func(es *esv1beta1.ExternalSecret, secret *v1.Secret) {
// check value
Expect(string(secret.Data[existingKey])).To(Equal(existingVal))
Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
@ -311,7 +311,7 @@ var _ = Describe("ExternalSecret controller", func() {
Expect(hasFieldOwnership(
secret.ObjectMeta,
"external-secrets",
fmt.Sprintf("{\"f:data\":{\"f:targetProperty\":{}},\"f:immutable\":{},\"f:metadata\":{\"f:annotations\":{\"f:%s\":{}}}}", esv1alpha1.AnnotationDataHash)),
fmt.Sprintf("{\"f:data\":{\"f:targetProperty\":{}},\"f:immutable\":{},\"f:metadata\":{\"f:annotations\":{\"f:%s\":{}}}}", esv1beta1.AnnotationDataHash)),
).To(BeTrue())
Expect(hasFieldOwnership(secret.ObjectMeta, FakeManager, "{\"f:data\":{\".\":{},\"f:pre-existing-key\":{}},\"f:type\":{}}")).To(BeTrue())
}
@ -321,7 +321,7 @@ var _ = Describe("ExternalSecret controller", func() {
mergeWithSecretNoChange := func(tc *testCase) {
const existingKey = "pre-existing-key"
existingVal := "someValue"
tc.externalSecret.Spec.Target.CreationPolicy = esv1alpha1.Merge
tc.externalSecret.Spec.Target.CreationPolicy = esv1beta1.Merge
// create secret beforehand
Expect(k8sClient.Create(context.Background(), &v1.Secret{
@ -334,7 +334,7 @@ var _ = Describe("ExternalSecret controller", func() {
},
}, client.FieldOwner(FakeManager))).To(Succeed())
tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
tc.checkSecret = func(es *esv1beta1.ExternalSecret, secret *v1.Secret) {
oldResourceVersion := secret.ResourceVersion
cleanSecret := secret.DeepCopy()
@ -361,23 +361,23 @@ var _ = Describe("ExternalSecret controller", func() {
// should not merge with secret if it doesn't exist
mergeWithSecretErr := func(tc *testCase) {
const secretVal = "someValue"
tc.externalSecret.Spec.Target.CreationPolicy = esv1alpha1.Merge
tc.externalSecret.Spec.Target.CreationPolicy = esv1beta1.Merge
fakeProvider.WithGetSecret([]byte(secretVal), nil)
tc.checkCondition = func(es *esv1alpha1.ExternalSecret) bool {
cond := GetExternalSecretCondition(es.Status, esv1alpha1.ExternalSecretReady)
if cond == nil || cond.Status != v1.ConditionFalse || cond.Reason != esv1alpha1.ConditionReasonSecretSyncedError {
tc.checkCondition = func(es *esv1beta1.ExternalSecret) bool {
cond := GetExternalSecretCondition(es.Status, esv1beta1.ExternalSecretReady)
if cond == nil || cond.Status != v1.ConditionFalse || cond.Reason != esv1beta1.ConditionReasonSecretSyncedError {
return false
}
return true
}
tc.checkExternalSecret = func(es *esv1alpha1.ExternalSecret) {
tc.checkExternalSecret = func(es *esv1beta1.ExternalSecret) {
Eventually(func() bool {
Expect(syncCallsError.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metric)).To(Succeed())
return metric.GetCounter().GetValue() >= 2.0
}, timeout, interval).Should(BeTrue())
Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha1.ExternalSecretReady, v1.ConditionFalse, 1.0)).To(BeTrue())
Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha1.ExternalSecretReady, v1.ConditionTrue, 0.0)).To(BeTrue())
Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1beta1.ExternalSecretReady, v1.ConditionFalse, 1.0)).To(BeTrue())
Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1beta1.ExternalSecretReady, v1.ConditionTrue, 0.0)).To(BeTrue())
}
}
@ -387,7 +387,7 @@ var _ = Describe("ExternalSecret controller", func() {
// this should confict
const existingKey = targetProp
existingVal := "pre-existing-value"
tc.externalSecret.Spec.Target.CreationPolicy = esv1alpha1.Merge
tc.externalSecret.Spec.Target.CreationPolicy = esv1beta1.Merge
// create secret beforehand
Expect(k8sClient.Create(context.Background(), &v1.Secret{
@ -401,7 +401,7 @@ var _ = Describe("ExternalSecret controller", func() {
}, client.FieldOwner(FakeManager))).To(Succeed())
fakeProvider.WithGetSecret([]byte(secretVal), nil)
tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
tc.checkSecret = func(es *esv1beta1.ExternalSecret, secret *v1.Secret) {
// check that value stays the same
Expect(string(secret.Data[existingKey])).To(Equal(secretVal))
@ -424,8 +424,8 @@ var _ = Describe("ExternalSecret controller", func() {
tc.externalSecret.ObjectMeta.Annotations = map[string]string{
"hihihih": "hehehe",
}
tc.externalSecret.Spec.Target.Template = &esv1alpha1.ExternalSecretTemplate{
Metadata: esv1alpha1.ExternalSecretTemplateMetadata{
tc.externalSecret.Spec.Target.Template = &esv1beta1.ExternalSecretTemplate{
Metadata: esv1beta1.ExternalSecretTemplateMetadata{
Labels: map[string]string{
"foos": "ball",
},
@ -440,7 +440,7 @@ var _ = Describe("ExternalSecret controller", func() {
},
}
fakeProvider.WithGetSecret([]byte(secretVal), nil)
tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
tc.checkSecret = func(es *esv1beta1.ExternalSecret, secret *v1.Secret) {
// check values
Expect(string(secret.Data[targetProp])).To(Equal(expectedSecretVal))
Expect(string(secret.Data[tplStaticKey])).To(Equal(tplStaticVal))
@ -486,14 +486,14 @@ var _ = Describe("ExternalSecret controller", func() {
tplFromSecKey: []byte(tplFromSecVal),
},
})).To(Succeed())
tc.externalSecret.Spec.Target.Template = &esv1alpha1.ExternalSecretTemplate{
Metadata: esv1alpha1.ExternalSecretTemplateMetadata{},
tc.externalSecret.Spec.Target.Template = &esv1beta1.ExternalSecretTemplate{
Metadata: esv1beta1.ExternalSecretTemplateMetadata{},
Type: v1.SecretTypeOpaque,
TemplateFrom: []esv1alpha1.TemplateFrom{
TemplateFrom: []esv1beta1.TemplateFrom{
{
ConfigMap: &esv1alpha1.TemplateRef{
ConfigMap: &esv1beta1.TemplateRef{
Name: tplFromCMName,
Items: []esv1alpha1.TemplateRefItem{
Items: []esv1beta1.TemplateRefItem{
{
Key: tplFromKey,
},
@ -501,9 +501,9 @@ var _ = Describe("ExternalSecret controller", func() {
},
},
{
Secret: &esv1alpha1.TemplateRef{
Secret: &esv1beta1.TemplateRef{
Name: tplFromSecretName,
Items: []esv1alpha1.TemplateRefItem{
Items: []esv1beta1.TemplateRefItem{
{
Key: tplFromSecKey,
},
@ -520,9 +520,11 @@ var _ = Describe("ExternalSecret controller", func() {
tplStaticKey: tplStaticVal,
},
}
tc.externalSecret.Spec.DataFrom = []esv1alpha1.ExternalSecretDataRemoteRef{
tc.externalSecret.Spec.DataFrom = []esv1beta1.ExternalSecretDataFromRemoteRef{
{
Key: "datamap",
Extract: esv1beta1.ExternalSecretDataRemoteRef{
Key: "datamap",
},
},
}
fakeProvider.WithGetSecret([]byte(secretVal), nil)
@ -530,7 +532,7 @@ var _ = Describe("ExternalSecret controller", func() {
"targetProperty": []byte(FooValue),
"bar": []byte(BarValue),
}, nil)
tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
tc.checkSecret = func(es *esv1beta1.ExternalSecret, secret *v1.Secret) {
// check values
Expect(string(secret.Data[targetProp])).To(Equal(expectedSecretVal))
Expect(string(secret.Data[tplStaticKey])).To(Equal(tplStaticVal))
@ -545,8 +547,8 @@ var _ = Describe("ExternalSecret controller", func() {
const tplStaticKey = "tplstatickey"
const tplStaticVal = "tplstaticvalue"
tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Second}
tc.externalSecret.Spec.Target.Template = &esv1alpha1.ExternalSecretTemplate{
Metadata: esv1alpha1.ExternalSecretTemplateMetadata{
tc.externalSecret.Spec.Target.Template = &esv1beta1.ExternalSecretTemplate{
Metadata: esv1beta1.ExternalSecretTemplateMetadata{
Labels: map[string]string{"foo": "bar"},
Annotations: map[string]string{"foo": "bar"},
},
@ -557,7 +559,7 @@ var _ = Describe("ExternalSecret controller", func() {
},
}
fakeProvider.WithGetSecret([]byte(secretVal), nil)
tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
tc.checkSecret = func(es *esv1beta1.ExternalSecret, secret *v1.Secret) {
// check values
Expect(string(secret.Data[targetProp])).To(Equal(expectedSecretVal))
Expect(string(secret.Data[tplStaticKey])).To(Equal(tplStaticVal))
@ -605,14 +607,14 @@ var _ = Describe("ExternalSecret controller", func() {
onlyMetadataFromTemplate := func(tc *testCase) {
const secretVal = "someValue"
tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Second}
tc.externalSecret.Spec.Target.Template = &esv1alpha1.ExternalSecretTemplate{
Metadata: esv1alpha1.ExternalSecretTemplateMetadata{
tc.externalSecret.Spec.Target.Template = &esv1beta1.ExternalSecretTemplate{
Metadata: esv1beta1.ExternalSecretTemplateMetadata{
Labels: map[string]string{"foo": "bar"},
Annotations: map[string]string{"foo": "bar"},
},
}
fakeProvider.WithGetSecret([]byte(secretVal), nil)
tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
tc.checkSecret = func(es *esv1beta1.ExternalSecret, secret *v1.Secret) {
// check values
Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
@ -631,7 +633,7 @@ var _ = Describe("ExternalSecret controller", func() {
const secretVal = "someValue"
fakeProvider.WithGetSecret([]byte(secretVal), nil)
tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Second}
tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
tc.checkSecret = func(es *esv1beta1.ExternalSecret, secret *v1.Secret) {
// check values
Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
@ -661,14 +663,16 @@ var _ = Describe("ExternalSecret controller", func() {
"foo": []byte("1111"),
"bar": []byte("2222"),
}, nil)
tc.externalSecret.Spec.Data = []esv1alpha1.ExternalSecretData{}
tc.externalSecret.Spec.DataFrom = []esv1alpha1.ExternalSecretDataRemoteRef{
tc.externalSecret.Spec.Data = []esv1beta1.ExternalSecretData{}
tc.externalSecret.Spec.DataFrom = []esv1beta1.ExternalSecretDataFromRemoteRef{
{
Key: remoteKey,
Extract: esv1beta1.ExternalSecretDataRemoteRef{
Key: remoteKey,
},
},
}
tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Second}
tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
tc.checkSecret = func(es *esv1beta1.ExternalSecret, secret *v1.Secret) {
// check values
Expect(string(secret.Data["foo"])).To(Equal("1111"))
Expect(string(secret.Data["bar"])).To(Equal("2222"))
@ -700,15 +704,17 @@ var _ = Describe("ExternalSecret controller", func() {
"foo": []byte("1111"),
"bar": []byte("2222"),
}, nil)
tc.externalSecret.Spec.Target.Template = &esv1alpha1.ExternalSecretTemplate{}
tc.externalSecret.Spec.Data = []esv1alpha1.ExternalSecretData{}
tc.externalSecret.Spec.DataFrom = []esv1alpha1.ExternalSecretDataRemoteRef{
tc.externalSecret.Spec.Target.Template = &esv1beta1.ExternalSecretTemplate{}
tc.externalSecret.Spec.Data = []esv1beta1.ExternalSecretData{}
tc.externalSecret.Spec.DataFrom = []esv1beta1.ExternalSecretDataFromRemoteRef{
{
Key: remoteKey,
Extract: esv1beta1.ExternalSecretDataRemoteRef{
Key: remoteKey,
},
},
}
tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Second}
tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
tc.checkSecret = func(es *esv1beta1.ExternalSecret, secret *v1.Secret) {
// check values
Expect(string(secret.Data["foo"])).To(Equal("1111"))
Expect(string(secret.Data["bar"])).To(Equal("2222"))
@ -738,7 +744,7 @@ var _ = Describe("ExternalSecret controller", func() {
const secretVal = "someValue"
fakeProvider.WithGetSecret([]byte(secretVal), nil)
tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: 0}
tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
tc.checkSecret = func(es *esv1beta1.ExternalSecret, secret *v1.Secret) {
// check values
Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
@ -765,16 +771,18 @@ var _ = Describe("ExternalSecret controller", func() {
// should be put into the secret
syncWithDataFrom := func(tc *testCase) {
tc.externalSecret.Spec.Data = nil
tc.externalSecret.Spec.DataFrom = []esv1alpha1.ExternalSecretDataRemoteRef{
tc.externalSecret.Spec.DataFrom = []esv1beta1.ExternalSecretDataFromRemoteRef{
{
Key: remoteKey,
Extract: esv1beta1.ExternalSecretDataRemoteRef{
Key: remoteKey,
},
},
}
fakeProvider.WithGetSecretMap(map[string][]byte{
"foo": []byte(FooValue),
"bar": []byte(BarValue),
}, nil)
tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
tc.checkSecret = func(es *esv1beta1.ExternalSecret, secret *v1.Secret) {
// check values
Expect(string(secret.Data["foo"])).To(Equal(FooValue))
Expect(string(secret.Data["bar"])).To(Equal(BarValue))
@ -785,23 +793,25 @@ var _ = Describe("ExternalSecret controller", func() {
// should be put into the secret
syncWithDataFromTemplate := func(tc *testCase) {
tc.externalSecret.Spec.Data = nil
tc.externalSecret.Spec.Target = esv1alpha1.ExternalSecretTarget{
tc.externalSecret.Spec.Target = esv1beta1.ExternalSecretTarget{
Name: ExternalSecretTargetSecretName,
Template: &esv1alpha1.ExternalSecretTemplate{
Template: &esv1beta1.ExternalSecretTemplate{
Type: v1.SecretTypeTLS,
},
}
tc.externalSecret.Spec.DataFrom = []esv1alpha1.ExternalSecretDataRemoteRef{
tc.externalSecret.Spec.DataFrom = []esv1beta1.ExternalSecretDataFromRemoteRef{
{
Key: remoteKey,
Extract: esv1beta1.ExternalSecretDataRemoteRef{
Key: remoteKey,
},
},
}
fakeProvider.WithGetSecretMap(map[string][]byte{
"tls.crt": []byte(FooValue),
"tls.key": []byte(BarValue),
}, nil)
tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
tc.checkSecret = func(es *esv1beta1.ExternalSecret, secret *v1.Secret) {
Expect(secret.Type).To(Equal(v1.SecretTypeTLS))
// check values
Expect(string(secret.Data["tls.crt"])).To(Equal(FooValue))
@ -815,20 +825,20 @@ var _ = Describe("ExternalSecret controller", func() {
const secretVal = "foobar"
fakeProvider.WithGetSecret(nil, fmt.Errorf("boom"))
tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Millisecond * 100}
tc.checkCondition = func(es *esv1alpha1.ExternalSecret) bool {
cond := GetExternalSecretCondition(es.Status, esv1alpha1.ExternalSecretReady)
if cond == nil || cond.Status != v1.ConditionFalse || cond.Reason != esv1alpha1.ConditionReasonSecretSyncedError {
tc.checkCondition = func(es *esv1beta1.ExternalSecret) bool {
cond := GetExternalSecretCondition(es.Status, esv1beta1.ExternalSecretReady)
if cond == nil || cond.Status != v1.ConditionFalse || cond.Reason != esv1beta1.ConditionReasonSecretSyncedError {
return false
}
return true
}
tc.checkExternalSecret = func(es *esv1alpha1.ExternalSecret) {
tc.checkExternalSecret = func(es *esv1beta1.ExternalSecret) {
Eventually(func() bool {
Expect(syncCallsError.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metric)).To(Succeed())
return metric.GetCounter().GetValue() >= 2.0
}, timeout, interval).Should(BeTrue())
Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha1.ExternalSecretReady, v1.ConditionFalse, 1.0)).To(BeTrue())
Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha1.ExternalSecretReady, v1.ConditionTrue, 0.0)).To(BeTrue())
Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1beta1.ExternalSecretReady, v1.ConditionFalse, 1.0)).To(BeTrue())
Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1beta1.ExternalSecretReady, v1.ConditionTrue, 0.0)).To(BeTrue())
// es condition should reflect recovered provider error
fakeProvider.WithGetSecret([]byte(secretVal), nil)
@ -839,7 +849,7 @@ var _ = Describe("ExternalSecret controller", func() {
return false
}
// condition must now be true!
cond := GetExternalSecretCondition(es.Status, esv1alpha1.ExternalSecretReady)
cond := GetExternalSecretCondition(es.Status, esv1beta1.ExternalSecretReady)
if cond == nil && cond.Status != v1.ConditionTrue {
return false
}
@ -852,45 +862,45 @@ var _ = Describe("ExternalSecret controller", func() {
// a error condition must be set.
storeMissingErrCondition := func(tc *testCase) {
tc.externalSecret.Spec.SecretStoreRef.Name = "nonexistent"
tc.checkCondition = func(es *esv1alpha1.ExternalSecret) bool {
cond := GetExternalSecretCondition(es.Status, esv1alpha1.ExternalSecretReady)
if cond == nil || cond.Status != v1.ConditionFalse || cond.Reason != esv1alpha1.ConditionReasonSecretSyncedError {
tc.checkCondition = func(es *esv1beta1.ExternalSecret) bool {
cond := GetExternalSecretCondition(es.Status, esv1beta1.ExternalSecretReady)
if cond == nil || cond.Status != v1.ConditionFalse || cond.Reason != esv1beta1.ConditionReasonSecretSyncedError {
return false
}
return true
}
tc.checkExternalSecret = func(es *esv1alpha1.ExternalSecret) {
tc.checkExternalSecret = func(es *esv1beta1.ExternalSecret) {
Eventually(func() bool {
Expect(syncCallsError.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metric)).To(Succeed())
return metric.GetCounter().GetValue() >= 2.0
}, timeout, interval).Should(BeTrue())
Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha1.ExternalSecretReady, v1.ConditionFalse, 1.0)).To(BeTrue())
Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha1.ExternalSecretReady, v1.ConditionTrue, 0.0)).To(BeTrue())
Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1beta1.ExternalSecretReady, v1.ConditionFalse, 1.0)).To(BeTrue())
Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1beta1.ExternalSecretReady, v1.ConditionTrue, 0.0)).To(BeTrue())
}
}
// when the provider constructor errors (e.g. invalid configuration)
// a SecretSyncedError status condition must be set
storeConstructErrCondition := func(tc *testCase) {
fakeProvider.WithNew(func(context.Context, esv1alpha1.GenericStore, client.Client,
fakeProvider.WithNew(func(context.Context, esv1beta1.GenericStore, client.Client,
string) (provider.SecretsClient, error) {
return nil, fmt.Errorf("artificial constructor error")
})
tc.checkCondition = func(es *esv1alpha1.ExternalSecret) bool {
tc.checkCondition = func(es *esv1beta1.ExternalSecret) bool {
// condition must be false
cond := GetExternalSecretCondition(es.Status, esv1alpha1.ExternalSecretReady)
if cond == nil || cond.Status != v1.ConditionFalse || cond.Reason != esv1alpha1.ConditionReasonSecretSyncedError {
cond := GetExternalSecretCondition(es.Status, esv1beta1.ExternalSecretReady)
if cond == nil || cond.Status != v1.ConditionFalse || cond.Reason != esv1beta1.ConditionReasonSecretSyncedError {
return false
}
return true
}
tc.checkExternalSecret = func(es *esv1alpha1.ExternalSecret) {
tc.checkExternalSecret = func(es *esv1beta1.ExternalSecret) {
Eventually(func() bool {
Expect(syncCallsError.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metric)).To(Succeed())
return metric.GetCounter().GetValue() >= 2.0
}, timeout, interval).Should(BeTrue())
Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha1.ExternalSecretReady, v1.ConditionFalse, 1.0)).To(BeTrue())
Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha1.ExternalSecretReady, v1.ConditionTrue, 0.0)).To(BeTrue())
Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1beta1.ExternalSecretReady, v1.ConditionFalse, 1.0)).To(BeTrue())
Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1beta1.ExternalSecretReady, v1.ConditionTrue, 0.0)).To(BeTrue())
}
}
@ -898,24 +908,24 @@ var _ = Describe("ExternalSecret controller", func() {
// the externalSecret must not be touched
ignoreMismatchController := func(tc *testCase) {
tc.secretStore.Spec.Controller = "nop"
tc.checkCondition = func(es *esv1alpha1.ExternalSecret) bool {
cond := GetExternalSecretCondition(es.Status, esv1alpha1.ExternalSecretReady)
tc.checkCondition = func(es *esv1beta1.ExternalSecret) bool {
cond := GetExternalSecretCondition(es.Status, esv1beta1.ExternalSecretReady)
return cond == nil
}
tc.checkExternalSecret = func(es *esv1alpha1.ExternalSecret) {
tc.checkExternalSecret = func(es *esv1beta1.ExternalSecret) {
// Condition True and False should be 0, since the Condition was not created
Eventually(func() float64 {
Expect(externalSecretCondition.WithLabelValues(ExternalSecretName, ExternalSecretNamespace, string(esv1alpha1.ExternalSecretReady), string(v1.ConditionTrue)).Write(&metric)).To(Succeed())
Expect(externalSecretCondition.WithLabelValues(ExternalSecretName, ExternalSecretNamespace, string(esv1beta1.ExternalSecretReady), string(v1.ConditionTrue)).Write(&metric)).To(Succeed())
return metric.GetGauge().GetValue()
}, timeout, interval).Should(Equal(0.0))
Eventually(func() float64 {
Expect(externalSecretCondition.WithLabelValues(ExternalSecretName, ExternalSecretNamespace, string(esv1alpha1.ExternalSecretReady), string(v1.ConditionFalse)).Write(&metric)).To(Succeed())
Expect(externalSecretCondition.WithLabelValues(ExternalSecretName, ExternalSecretNamespace, string(esv1beta1.ExternalSecretReady), string(v1.ConditionFalse)).Write(&metric)).To(Succeed())
return metric.GetGauge().GetValue()
}, timeout, interval).Should(Equal(0.0))
Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha1.ExternalSecretReady, v1.ConditionFalse, 0.0)).To(BeTrue())
Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha1.ExternalSecretReady, v1.ConditionTrue, 0.0)).To(BeTrue())
Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1beta1.ExternalSecretReady, v1.ConditionFalse, 0.0)).To(BeTrue())
Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1beta1.ExternalSecretReady, v1.ConditionTrue, 0.0)).To(BeTrue())
}
}
@ -925,7 +935,7 @@ var _ = Describe("ExternalSecret controller", func() {
const secretVal = "someValue"
fakeProvider.WithGetSecret([]byte(secretVal), nil)
tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Minute * 10}
tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
tc.checkSecret = func(es *esv1beta1.ExternalSecret, secret *v1.Secret) {
// check values
oldUID := secret.UID
@ -954,8 +964,8 @@ var _ = Describe("ExternalSecret controller", func() {
checkSecretDataHashAnnotation := func(tc *testCase) {
const secretVal = "someValue"
fakeProvider.WithGetSecret([]byte(secretVal), nil)
tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
Expect(secret.Annotations[esv1alpha1.AnnotationDataHash]).To(Equal("9d30b95ca81e156f9454b5ef3bfcc6ee"))
tc.checkSecret = func(es *esv1beta1.ExternalSecret, secret *v1.Secret) {
Expect(secret.Annotations[esv1beta1.AnnotationDataHash]).To(Equal("9d30b95ca81e156f9454b5ef3bfcc6ee"))
}
}
@ -966,14 +976,14 @@ var _ = Describe("ExternalSecret controller", func() {
}
fakeProvider.WithGetSecretMap(fakeData, nil)
tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Minute * 10}
tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
oldHash := secret.Annotations[esv1alpha1.AnnotationDataHash]
tc.checkSecret = func(es *esv1beta1.ExternalSecret, secret *v1.Secret) {
oldHash := secret.Annotations[esv1beta1.AnnotationDataHash]
oldResourceVersion := secret.ResourceVersion
Expect(oldHash).NotTo(BeEmpty())
cleanSecret := secret.DeepCopy()
secret.Data["new"] = []byte("value")
secret.ObjectMeta.Annotations[esv1alpha1.AnnotationDataHash] = "thisiswronghash"
secret.ObjectMeta.Annotations[esv1beta1.AnnotationDataHash] = "thisiswronghash"
Expect(k8sClient.Patch(context.Background(), secret, client.MergeFrom(cleanSecret))).To(Succeed())
var refreshedSecret v1.Secret
@ -988,7 +998,7 @@ var _ = Describe("ExternalSecret controller", func() {
}
// refreshed secret should have a different generation (sign that it was updated), but since
// the secret source is the same (not changed), the hash should be reverted to an old value
return refreshedSecret.ResourceVersion != oldResourceVersion && refreshedSecret.Annotations[esv1alpha1.AnnotationDataHash] == oldHash
return refreshedSecret.ResourceVersion != oldResourceVersion && refreshedSecret.Annotations[esv1beta1.AnnotationDataHash] == oldHash
}, timeout, interval).Should(BeTrue())
}
}
@ -1004,7 +1014,7 @@ var _ = Describe("ExternalSecret controller", func() {
Expect(k8sClient.Create(ctx, tc.secretStore)).To(Succeed())
Expect(k8sClient.Create(ctx, tc.externalSecret)).Should(Succeed())
esKey := types.NamespacedName{Name: ExternalSecretName, Namespace: ExternalSecretNamespace}
createdES := &esv1alpha1.ExternalSecret{}
createdES := &esv1beta1.ExternalSecret{}
By("checking the es condition")
Eventually(func() bool {
err := k8sClient.Get(ctx, esKey, createdES)
@ -1065,24 +1075,24 @@ var _ = Describe("ExternalSecret controller", func() {
var _ = Describe("ExternalSecret refresh logic", func() {
Context("secret refresh", func() {
It("should refresh when resource version does not match", func() {
Expect(shouldRefresh(esv1alpha1.ExternalSecret{
Status: esv1alpha1.ExternalSecretStatus{
Expect(shouldRefresh(esv1beta1.ExternalSecret{
Status: esv1beta1.ExternalSecretStatus{
SyncedResourceVersion: "some resource version",
},
})).To(BeTrue())
})
It("should refresh when labels change", func() {
es := esv1alpha1.ExternalSecret{
es := esv1beta1.ExternalSecret{
ObjectMeta: metav1.ObjectMeta{
Generation: 1,
Labels: map[string]string{
"foo": "bar",
},
},
Spec: esv1alpha1.ExternalSecretSpec{
Spec: esv1beta1.ExternalSecretSpec{
RefreshInterval: &metav1.Duration{Duration: time.Minute},
},
Status: esv1alpha1.ExternalSecretStatus{
Status: esv1beta1.ExternalSecretStatus{
RefreshTime: metav1.Now(),
},
}
@ -1096,17 +1106,17 @@ var _ = Describe("ExternalSecret refresh logic", func() {
})
It("should refresh when annotations change", func() {
es := esv1alpha1.ExternalSecret{
es := esv1beta1.ExternalSecret{
ObjectMeta: metav1.ObjectMeta{
Generation: 1,
Annotations: map[string]string{
"foo": "bar",
},
},
Spec: esv1alpha1.ExternalSecretSpec{
Spec: esv1beta1.ExternalSecretSpec{
RefreshInterval: &metav1.Duration{Duration: time.Minute},
},
Status: esv1alpha1.ExternalSecretStatus{
Status: esv1beta1.ExternalSecretStatus{
RefreshTime: metav1.Now(),
},
}
@ -1120,14 +1130,14 @@ var _ = Describe("ExternalSecret refresh logic", func() {
})
It("should refresh when generation has changed", func() {
es := esv1alpha1.ExternalSecret{
es := esv1beta1.ExternalSecret{
ObjectMeta: metav1.ObjectMeta{
Generation: 1,
},
Spec: esv1alpha1.ExternalSecretSpec{
Spec: esv1beta1.ExternalSecretSpec{
RefreshInterval: &metav1.Duration{Duration: 0},
},
Status: esv1alpha1.ExternalSecretStatus{
Status: esv1beta1.ExternalSecretStatus{
RefreshTime: metav1.Now(),
},
}
@ -1140,14 +1150,14 @@ var _ = Describe("ExternalSecret refresh logic", func() {
})
It("should skip refresh when refreshInterval is 0", func() {
es := esv1alpha1.ExternalSecret{
es := esv1beta1.ExternalSecret{
ObjectMeta: metav1.ObjectMeta{
Generation: 1,
},
Spec: esv1alpha1.ExternalSecretSpec{
Spec: esv1beta1.ExternalSecretSpec{
RefreshInterval: &metav1.Duration{Duration: 0},
},
Status: esv1alpha1.ExternalSecretStatus{},
Status: esv1beta1.ExternalSecretStatus{},
}
// resource version matches
es.Status.SyncedResourceVersion = getResourceVersion(es)
@ -1155,14 +1165,14 @@ var _ = Describe("ExternalSecret refresh logic", func() {
})
It("should refresh when refresh interval has passed", func() {
es := esv1alpha1.ExternalSecret{
es := esv1beta1.ExternalSecret{
ObjectMeta: metav1.ObjectMeta{
Generation: 1,
},
Spec: esv1alpha1.ExternalSecretSpec{
Spec: esv1beta1.ExternalSecretSpec{
RefreshInterval: &metav1.Duration{Duration: time.Second},
},
Status: esv1alpha1.ExternalSecretStatus{
Status: esv1beta1.ExternalSecretStatus{
RefreshTime: metav1.NewTime(metav1.Now().Add(-time.Second * 5)),
},
}
@ -1172,14 +1182,14 @@ var _ = Describe("ExternalSecret refresh logic", func() {
})
It("should refresh when no refresh time was set", func() {
es := esv1alpha1.ExternalSecret{
es := esv1beta1.ExternalSecret{
ObjectMeta: metav1.ObjectMeta{
Generation: 1,
},
Spec: esv1alpha1.ExternalSecretSpec{
Spec: esv1beta1.ExternalSecretSpec{
RefreshInterval: &metav1.Duration{Duration: time.Second},
},
Status: esv1alpha1.ExternalSecretStatus{},
Status: esv1beta1.ExternalSecretStatus{},
}
// resource version matches
es.Status.SyncedResourceVersion = getResourceVersion(es)
@ -1255,18 +1265,18 @@ var _ = Describe("ExternalSecret refresh logic", func() {
var _ = Describe("Controller Reconcile logic", func() {
Context("controller reconcile", func() {
It("should reconcile when resource is not synced", func() {
Expect(shouldReconcile(esv1alpha1.ExternalSecret{
Status: esv1alpha1.ExternalSecretStatus{
Expect(shouldReconcile(esv1beta1.ExternalSecret{
Status: esv1beta1.ExternalSecretStatus{
SyncedResourceVersion: "some resource version",
Conditions: []esv1alpha1.ExternalSecretStatusCondition{{Reason: "NotASecretSynced"}},
Conditions: []esv1beta1.ExternalSecretStatusCondition{{Reason: "NotASecretSynced"}},
},
})).To(BeTrue())
})
It("should reconcile when secret isn't immutable", func() {
Expect(shouldReconcile(esv1alpha1.ExternalSecret{
Spec: esv1alpha1.ExternalSecretSpec{
Target: esv1alpha1.ExternalSecretTarget{
Expect(shouldReconcile(esv1beta1.ExternalSecret{
Spec: esv1beta1.ExternalSecretSpec{
Target: esv1beta1.ExternalSecretTarget{
Immutable: false,
},
},
@ -1274,15 +1284,15 @@ var _ = Describe("Controller Reconcile logic", func() {
})
It("should not reconcile if secret is immutable and has synced condition", func() {
Expect(shouldReconcile(esv1alpha1.ExternalSecret{
Spec: esv1alpha1.ExternalSecretSpec{
Target: esv1alpha1.ExternalSecretTarget{
Expect(shouldReconcile(esv1beta1.ExternalSecret{
Spec: esv1beta1.ExternalSecretSpec{
Target: esv1beta1.ExternalSecretTarget{
Immutable: true,
},
},
Status: esv1alpha1.ExternalSecretStatus{
Status: esv1beta1.ExternalSecretStatus{
SyncedResourceVersion: "some resource version",
Conditions: []esv1alpha1.ExternalSecretStatusCondition{{Reason: "SecretSynced"}},
Conditions: []esv1beta1.ExternalSecretStatusCondition{{Reason: "SecretSynced"}},
},
})).To(BeFalse())
})
@ -1329,7 +1339,7 @@ func hasFieldOwnership(meta metav1.ObjectMeta, mgr, rawFields string) bool {
return false
}
func externalSecretConditionShouldBe(name, ns string, ct esv1alpha1.ExternalSecretConditionType, cs v1.ConditionStatus, v float64) bool {
func externalSecretConditionShouldBe(name, ns string, ct esv1beta1.ExternalSecretConditionType, cs v1.ConditionStatus, v float64) bool {
return Eventually(func() float64 {
Expect(externalSecretCondition.WithLabelValues(name, ns, string(ct), string(cs)).Write(&metric)).To(Succeed())
return metric.GetGauge().GetValue()
@ -1338,9 +1348,9 @@ func externalSecretConditionShouldBe(name, ns string, ct esv1alpha1.ExternalSecr
func init() {
fakeProvider = fake.New()
schema.ForceRegister(fakeProvider, &esv1alpha1.SecretStoreProvider{
AWS: &esv1alpha1.AWSProvider{
Service: esv1alpha1.AWSServiceSecretsManager,
schema.ForceRegister(fakeProvider, &esv1beta1.SecretStoreProvider{
AWS: &esv1beta1.AWSProvider{
Service: esv1beta1.AWSServiceSecretsManager,
},
})
}

20
pkg/controllers/externalsecret/metrics.go
View file

@ -19,7 +19,7 @@ import (
v1 "k8s.io/api/core/v1"
"sigs.k8s.io/controller-runtime/pkg/metrics"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
)
const (
@ -50,35 +50,35 @@ var (
)
// updateExternalSecretCondition updates the ExternalSecret conditions.
func updateExternalSecretCondition(es *esv1alpha1.ExternalSecret, condition *esv1alpha1.ExternalSecretStatusCondition, value float64) {
func updateExternalSecretCondition(es *esv1beta1.ExternalSecret, condition *esv1beta1.ExternalSecretStatusCondition, value float64) {
switch condition.Type {
case esv1alpha1.ExternalSecretDeleted:
case esv1beta1.ExternalSecretDeleted:
// Remove condition=Ready metrics when the object gets deleted.
externalSecretCondition.Delete(prometheus.Labels{
"name": es.Name,
"namespace": es.Namespace,
"condition": string(esv1alpha1.ExternalSecretReady),
"condition": string(esv1beta1.ExternalSecretReady),
"status": string(v1.ConditionFalse),
})
externalSecretCondition.Delete(prometheus.Labels{
"name": es.Name,
"namespace": es.Namespace,
"condition": string(esv1alpha1.ExternalSecretReady),
"condition": string(esv1beta1.ExternalSecretReady),
"status": string(v1.ConditionTrue),
})
case esv1alpha1.ExternalSecretReady:
case esv1beta1.ExternalSecretReady:
// Remove condition=Deleted metrics when the object gets ready.
externalSecretCondition.Delete(prometheus.Labels{
"name": es.Name,
"namespace": es.Namespace,
"condition": string(esv1alpha1.ExternalSecretDeleted),
"condition": string(esv1beta1.ExternalSecretDeleted),
"status": string(v1.ConditionFalse),
})
externalSecretCondition.Delete(prometheus.Labels{
"name": es.Name,
"namespace": es.Namespace,
"condition": string(esv1alpha1.ExternalSecretDeleted),
"condition": string(esv1beta1.ExternalSecretDeleted),
"status": string(v1.ConditionTrue),
})
// Toggle opposite Status to 0
@ -87,14 +87,14 @@ func updateExternalSecretCondition(es *esv1alpha1.ExternalSecret, condition *esv
externalSecretCondition.With(prometheus.Labels{
"name": es.Name,
"namespace": es.Namespace,
"condition": string(esv1alpha1.ExternalSecretReady),
"condition": string(esv1beta1.ExternalSecretReady),
"status": string(v1.ConditionTrue),
}).Set(0)
case v1.ConditionTrue:
externalSecretCondition.With(prometheus.Labels{
"name": es.Name,
"namespace": es.Namespace,
"condition": string(esv1alpha1.ExternalSecretReady),
"condition": string(esv1beta1.ExternalSecretReady),
"status": string(v1.ConditionFalse),
}).Set(0)
case v1.ConditionUnknown:

4
pkg/controllers/externalsecret/suite_test.go
View file

@ -32,7 +32,7 @@ import (
logf "sigs.k8s.io/controller-runtime/pkg/log"
"sigs.k8s.io/controller-runtime/pkg/log/zap"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
)
// These tests use Ginkgo (BDD-style Go testing framework). Refer to
@ -66,7 +66,7 @@ var _ = BeforeSuite(func() {
Expect(err).ToNot(HaveOccurred())
Expect(cfg).ToNot(BeNil())
err = esv1alpha1.AddToScheme(scheme.Scheme)
err = esv1beta1.AddToScheme(scheme.Scheme)
Expect(err).NotTo(HaveOccurred())
k8sManager, err := ctrl.NewManager(cfg, ctrl.Options{

14
pkg/controllers/externalsecret/util.go
View file

@ -17,12 +17,12 @@ import (
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
)
// NewExternalSecretCondition a set of default options for creating an External Secret Condition.
func NewExternalSecretCondition(condType esv1alpha1.ExternalSecretConditionType, status v1.ConditionStatus, reason, message string) *esv1alpha1.ExternalSecretStatusCondition {
return &esv1alpha1.ExternalSecretStatusCondition{
func NewExternalSecretCondition(condType esv1beta1.ExternalSecretConditionType, status v1.ConditionStatus, reason, message string) *esv1beta1.ExternalSecretStatusCondition {
return &esv1beta1.ExternalSecretStatusCondition{
Type: condType,
Status: status,
LastTransitionTime: metav1.Now(),
@ -32,7 +32,7 @@ func NewExternalSecretCondition(condType esv1alpha1.ExternalSecretConditionType,
}
// GetExternalSecretCondition returns the condition with the provided type.
func GetExternalSecretCondition(status esv1alpha1.ExternalSecretStatus, condType esv1alpha1.ExternalSecretConditionType) *esv1alpha1.ExternalSecretStatusCondition {
func GetExternalSecretCondition(status esv1beta1.ExternalSecretStatus, condType esv1beta1.ExternalSecretConditionType) *esv1beta1.ExternalSecretStatusCondition {
for i := range status.Conditions {
c := status.Conditions[i]
if c.Type == condType {
@ -44,7 +44,7 @@ func GetExternalSecretCondition(status esv1alpha1.ExternalSecretStatus, condType
// SetExternalSecretCondition updates the external secret to include the provided
// condition.
func SetExternalSecretCondition(es *esv1alpha1.ExternalSecret, condition esv1alpha1.ExternalSecretStatusCondition) {
func SetExternalSecretCondition(es *esv1beta1.ExternalSecret, condition esv1beta1.ExternalSecretStatusCondition) {
currentCond := GetExternalSecretCondition(es.Status, condition.Type)
if currentCond != nil && currentCond.Status == condition.Status &&
@ -68,8 +68,8 @@ func SetExternalSecretCondition(es *esv1alpha1.ExternalSecret, condition esv1alp
}
// filterOutCondition returns an empty set of conditions with the provided type.
func filterOutCondition(conditions []esv1alpha1.ExternalSecretStatusCondition, condType esv1alpha1.ExternalSecretConditionType) []esv1alpha1.ExternalSecretStatusCondition {
newConditions := make([]esv1alpha1.ExternalSecretStatusCondition, 0, len(conditions))
func filterOutCondition(conditions []esv1beta1.ExternalSecretStatusCondition, condType esv1beta1.ExternalSecretConditionType) []esv1beta1.ExternalSecretStatusCondition {
newConditions := make([]esv1beta1.ExternalSecretStatusCondition, 0, len(conditions))
for _, c := range conditions {
if c.Type == condType {
continue

2
pkg/controllers/secretstore/clustersecretstore_controller.go
View file

@ -25,7 +25,7 @@ import (
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/client"
esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
// Loading registered providers.
_ "github.com/external-secrets/external-secrets/pkg/provider/register"

2
pkg/controllers/secretstore/common.go
View file

@ -24,7 +24,7 @@ import (
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/client"
esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
"github.com/external-secrets/external-secrets/pkg/provider/schema"
)

2
pkg/controllers/secretstore/common_test.go
View file

@ -23,7 +23,7 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
)
type testCase struct {

2
pkg/controllers/secretstore/secretstore_controller.go
View file

@ -25,7 +25,7 @@ import (
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/client"
esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
// Loading registered providers.
_ "github.com/external-secrets/external-secrets/pkg/provider/register"

2
pkg/controllers/secretstore/suite_test.go
View file

@ -29,7 +29,7 @@ import (
logf "sigs.k8s.io/controller-runtime/pkg/log"
"sigs.k8s.io/controller-runtime/pkg/log/zap"
esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
)
var cfg *rest.Config

2
pkg/controllers/secretstore/util.go
View file

@ -18,7 +18,7 @@ import (
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
)
// NewSecretStoreCondition a set of default options for creating an External Secret Condition.

22
pkg/provider/akeyless/akeyless.go
View file

@ -23,7 +23,7 @@ import (
"github.com/akeylesslabs/akeyless-go/v2"
"sigs.k8s.io/controller-runtime/pkg/client"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
"github.com/external-secrets/external-secrets/pkg/provider"
"github.com/external-secrets/external-secrets/pkg/provider/schema"
"github.com/external-secrets/external-secrets/pkg/utils"
@ -39,7 +39,7 @@ type Provider struct{}
// akeylessBase satisfies the provider.SecretsClient interface.
type akeylessBase struct {
kube client.Client
store esv1alpha1.GenericStore
store esv1beta1.GenericStore
namespace string
akeylessGwAPIURL string
@ -56,17 +56,17 @@ type akeylessVaultInterface interface {
}
func init() {
schema.Register(&Provider{}, &esv1alpha1.SecretStoreProvider{
Akeyless: &esv1alpha1.AkeylessProvider{},
schema.Register(&Provider{}, &esv1beta1.SecretStoreProvider{
Akeyless: &esv1beta1.AkeylessProvider{},
})
}
// NewClient constructs a new secrets client based on the provided store.
func (p *Provider) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
func (p *Provider) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
return newClient(ctx, store, kube, namespace)
}
func newClient(_ context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
func newClient(_ context.Context, store esv1beta1.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
akl := &akeylessBase{
kube: kube,
store: store,
@ -109,7 +109,7 @@ func (a *Akeyless) Validate() error {
// Implements store.Client.GetSecret Interface.
// Retrieves a secret with the secret name defined in ref.Name.
func (a *Akeyless) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
func (a *Akeyless) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
if utils.IsNil(a.Client) {
return nil, fmt.Errorf(errUninitalizedAkeylessProvider)
}
@ -132,9 +132,15 @@ func (a *Akeyless) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretD
return []byte(value), nil
}
// Empty GetAllSecrets.
func (a *Akeyless) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
// TO be implemented
return nil, fmt.Errorf("GetAllSecrets not implemented")
}
// Implements store.Client.GetSecretMap Interface.
// New version of GetSecretMap.
func (a *Akeyless) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
func (a *Akeyless) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
if utils.IsNil(a.Client) {
return nil, fmt.Errorf(errUninitalizedAkeylessProvider)
}

8
pkg/provider/akeyless/akeyless_test.go
View file

@ -20,7 +20,7 @@ import (
"strings"
"testing"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
fakeakeyless "github.com/external-secrets/external-secrets/pkg/provider/akeyless/fake"
)
@ -28,7 +28,7 @@ type akeylessTestCase struct {
mockClient *fakeakeyless.AkeylessMockClient
apiInput *fakeakeyless.Input
apiOutput *fakeakeyless.Output
ref *esv1alpha1.ExternalSecretDataRemoteRef
ref *esv1beta1.ExternalSecretDataRemoteRef
expectError string
expectedSecret string
// for testing secretmap
@ -49,8 +49,8 @@ func makeValidAkeylessTestCase() *akeylessTestCase {
return &smtc
}
func makeValidRef() *esv1alpha1.ExternalSecretDataRemoteRef {
return &esv1alpha1.ExternalSecretDataRemoteRef{
func makeValidRef() *esv1beta1.ExternalSecretDataRemoteRef {
return &esv1beta1.ExternalSecretDataRemoteRef{
Key: "test-secret",
Version: "1",
}

8
pkg/provider/akeyless/auth.go
View file

@ -21,7 +21,7 @@ import (
v1 "k8s.io/api/core/v1"
"sigs.k8s.io/controller-runtime/pkg/client"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
)
const (
@ -44,7 +44,7 @@ func (a *akeylessBase) TokenFromSecretRef(ctx context.Context) (string, error) {
Namespace: a.namespace, // default to ExternalSecret namespace
}
// only ClusterStore is allowed to set namespace (and then it's required)
if a.store.GetObjectKind().GroupVersionKind().Kind == esv1alpha1.ClusterSecretStoreKind {
if a.store.GetObjectKind().GroupVersionKind().Kind == esv1beta1.ClusterSecretStoreKind {
if prov.Auth.SecretRef.AccessID.Namespace == nil {
return "", fmt.Errorf(errInvalidClusterStoreMissingAKIDNamespace)
}
@ -60,7 +60,7 @@ func (a *akeylessBase) TokenFromSecretRef(ctx context.Context) (string, error) {
Namespace: a.namespace, // default to ExternalSecret namespace
}
// only ClusterStore is allowed to set namespace (and then it's required)
if a.store.GetObjectKind().GroupVersionKind().Kind == esv1alpha1.ClusterSecretStoreKind {
if a.store.GetObjectKind().GroupVersionKind().Kind == esv1beta1.ClusterSecretStoreKind {
if prov.Auth.SecretRef.AccessType.Namespace == nil {
return "", fmt.Errorf(errInvalidClusterStoreMissingSAKNamespace)
}
@ -77,7 +77,7 @@ func (a *akeylessBase) TokenFromSecretRef(ctx context.Context) (string, error) {
Namespace: a.namespace, // default to ExternalSecret namespace
}
// only ClusterStore is allowed to set namespace (and then it's required)
if a.store.GetObjectKind().GroupVersionKind().Kind == esv1alpha1.ClusterSecretStoreKind {
if a.store.GetObjectKind().GroupVersionKind().Kind == esv1beta1.ClusterSecretStoreKind {
if prov.Auth.SecretRef.AccessType.Namespace == nil {
return "", fmt.Errorf(errInvalidClusterStoreMissingSAKNamespace)
}

4
pkg/provider/akeyless/utils.go
View file

@ -21,7 +21,7 @@ import (
"strings"
"time"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
)
const (
@ -34,7 +34,7 @@ const (
)
// GetAKeylessProvider does the necessary nil checks and returns the akeyless provider or an error.
func GetAKeylessProvider(store esv1alpha1.GenericStore) (*esv1alpha1.AkeylessProvider, error) {
func GetAKeylessProvider(store esv1beta1.GenericStore) (*esv1beta1.AkeylessProvider, error) {
if store == nil {
return nil, fmt.Errorf(errNilStore)
}

24
pkg/provider/alibaba/kms.go
View file

@ -25,7 +25,7 @@ import (
"k8s.io/apimachinery/pkg/types"
kclient "sigs.k8s.io/controller-runtime/pkg/client"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
"github.com/external-secrets/external-secrets/pkg/provider"
"github.com/external-secrets/external-secrets/pkg/provider/aws/util"
"github.com/external-secrets/external-secrets/pkg/provider/schema"
@ -45,7 +45,7 @@ const (
type Client struct {
kube kclient.Client
store *esv1alpha1.AlibabaProvider
store *esv1beta1.AlibabaProvider
namespace string
storeKind string
regionID string
@ -74,7 +74,7 @@ func (c *Client) setAuth(ctx context.Context) error {
}
// only ClusterStore is allowed to set namespace (and then it's required)
if c.storeKind == esv1alpha1.ClusterSecretStoreKind {
if c.storeKind == esv1beta1.ClusterSecretStoreKind {
if c.store.Auth.SecretRef.AccessKeyID.Namespace == nil {
return fmt.Errorf(errInvalidClusterStoreMissingAKIDNamespace)
}
@ -90,7 +90,7 @@ func (c *Client) setAuth(ctx context.Context) error {
Name: c.store.Auth.SecretRef.AccessKeySecret.Name,
Namespace: c.namespace,
}
if c.storeKind == esv1alpha1.ClusterSecretStoreKind {
if c.storeKind == esv1beta1.ClusterSecretStoreKind {
if c.store.Auth.SecretRef.AccessKeySecret.Namespace == nil {
return fmt.Errorf(errInvalidClusterStoreMissingSKNamespace)
}
@ -110,8 +110,14 @@ func (c *Client) setAuth(ctx context.Context) error {
return nil
}
// Empty GetAllSecrets.
func (kms *KeyManagementService) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
// TO be implemented
return nil, fmt.Errorf("GetAllSecrets not implemented")
}
// GetSecret returns a single secret from the provider.
func (kms *KeyManagementService) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
func (kms *KeyManagementService) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
if utils.IsNil(kms.Client) {
return nil, fmt.Errorf(errUninitalizedAlibabaProvider)
}
@ -141,7 +147,7 @@ func (kms *KeyManagementService) GetSecret(ctx context.Context, ref esv1alpha1.E
}
// GetSecretMap returns multiple k/v pairs from the provider.
func (kms *KeyManagementService) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
func (kms *KeyManagementService) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
data, err := kms.GetSecret(ctx, ref)
if err != nil {
return nil, err
@ -159,7 +165,7 @@ func (kms *KeyManagementService) GetSecretMap(ctx context.Context, ref esv1alpha
}
// NewClient constructs a new secrets client based on the provided store.
func (kms *KeyManagementService) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
func (kms *KeyManagementService) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
storeSpec := store.GetSpec()
alibabaSpec := storeSpec.Provider.Alibaba
iStore := &Client{
@ -191,7 +197,7 @@ func (kms *KeyManagementService) Validate() error {
}
func init() {
schema.Register(&KeyManagementService{}, &esv1alpha1.SecretStoreProvider{
Alibaba: &esv1alpha1.AlibabaProvider{},
schema.Register(&KeyManagementService{}, &esv1beta1.SecretStoreProvider{
Alibaba: &esv1beta1.AlibabaProvider{},
})
}

8
pkg/provider/alibaba/kms_test.go
View file

@ -24,7 +24,7 @@ import (
"github.com/aliyun/alibaba-cloud-sdk-go/sdk/responses"
kmssdk "github.com/aliyun/alibaba-cloud-sdk-go/services/kms"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
fakesm "github.com/external-secrets/external-secrets/pkg/provider/alibaba/fake"
)
@ -37,7 +37,7 @@ type keyManagementServiceTestCase struct {
mockClient *fakesm.AlibabaMockClient
apiInput *kmssdk.GetSecretValueRequest
apiOutput *kmssdk.GetSecretValueResponse
ref *esv1alpha1.ExternalSecretDataRemoteRef
ref *esv1beta1.ExternalSecretDataRemoteRef
apiErr error
expectError string
expectedSecret string
@ -60,8 +60,8 @@ func makeValidKMSTestCase() *keyManagementServiceTestCase {
return &kmstc
}
func makeValidRef() *esv1alpha1.ExternalSecretDataRemoteRef {
return &esv1alpha1.ExternalSecretDataRemoteRef{
func makeValidRef() *esv1beta1.ExternalSecretDataRemoteRef {
return &esv1beta1.ExternalSecretDataRemoteRef{
Key: secretName,
}
}

14
pkg/provider/aws/auth/auth.go
View file

@ -33,7 +33,7 @@ import (
"sigs.k8s.io/controller-runtime/pkg/client"
ctrlcfg "sigs.k8s.io/controller-runtime/pkg/client/config"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
"github.com/external-secrets/external-secrets/pkg/provider/aws/util"
)
@ -62,7 +62,7 @@ const (
// * service-account token authentication via AssumeRoleWithWebIdentity
// * static credentials from a Kind=Secret, optionally with doing a AssumeRole.
// * sdk default provider chain, see: https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html#credentials-default
func New(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string, assumeRoler STSProvider, jwtProvider jwtProviderFactory) (*session.Session, error) {
func New(ctx context.Context, store esv1beta1.GenericStore, kube client.Client, namespace string, assumeRoler STSProvider, jwtProvider jwtProviderFactory) (*session.Session, error) {
prov, err := util.GetAWSProvider(store)
if err != nil {
return nil, err
@ -113,13 +113,13 @@ func New(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client,
return sess, nil
}
func sessionFromSecretRef(ctx context.Context, prov *esv1alpha1.AWSProvider, store esv1alpha1.GenericStore, kube client.Client, namespace string) (*credentials.Credentials, error) {
func sessionFromSecretRef(ctx context.Context, prov *esv1beta1.AWSProvider, store esv1beta1.GenericStore, kube client.Client, namespace string) (*credentials.Credentials, error) {
ke := client.ObjectKey{
Name: prov.Auth.SecretRef.AccessKeyID.Name,
Namespace: namespace, // default to ExternalSecret namespace
}
// only ClusterStore is allowed to set namespace (and then it's required)
if store.GetObjectKind().GroupVersionKind().Kind == esv1alpha1.ClusterSecretStoreKind {
if store.GetObjectKind().GroupVersionKind().Kind == esv1beta1.ClusterSecretStoreKind {
if prov.Auth.SecretRef.AccessKeyID.Namespace == nil {
return nil, fmt.Errorf(errInvalidClusterStoreMissingAKIDNamespace)
}
@ -135,7 +135,7 @@ func sessionFromSecretRef(ctx context.Context, prov *esv1alpha1.AWSProvider, sto
Namespace: namespace, // default to ExternalSecret namespace
}
// only ClusterStore is allowed to set namespace (and then it's required)
if store.GetObjectKind().GroupVersionKind().Kind == esv1alpha1.ClusterSecretStoreKind {
if store.GetObjectKind().GroupVersionKind().Kind == esv1beta1.ClusterSecretStoreKind {
if prov.Auth.SecretRef.SecretAccessKey.Namespace == nil {
return nil, fmt.Errorf(errInvalidClusterStoreMissingSAKNamespace)
}
@ -158,8 +158,8 @@ func sessionFromSecretRef(ctx context.Context, prov *esv1alpha1.AWSProvider, sto
return credentials.NewStaticCredentials(aks, sak, ""), err
}
func sessionFromServiceAccount(ctx context.Context, prov *esv1alpha1.AWSProvider, store esv1alpha1.GenericStore, kube client.Client, namespace string, jwtProvider jwtProviderFactory) (*credentials.Credentials, error) {
if store.GetObjectKind().GroupVersionKind().Kind == esv1alpha1.ClusterSecretStoreKind {
func sessionFromServiceAccount(ctx context.Context, prov *esv1beta1.AWSProvider, store esv1beta1.GenericStore, kube client.Client, namespace string, jwtProvider jwtProviderFactory) (*credentials.Credentials, error) {
if store.GetObjectKind().GroupVersionKind().Kind == esv1beta1.ClusterSecretStoreKind {
if prov.Auth.JWTAuth.ServiceAccountRef.Namespace == nil {
return nil, fmt.Errorf("serviceAccountRef has no Namespace field (mandatory for ClusterSecretStore specs)")
}

144
pkg/provider/aws/auth/auth_test.go
View file

@ -32,7 +32,7 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
clientfake "sigs.k8s.io/controller-runtime/pkg/client/fake"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
fakesess "github.com/external-secrets/external-secrets/pkg/provider/aws/auth/fake"
)
@ -54,30 +54,30 @@ func TestNewSession(t *testing.T) {
{
name: "not store spec",
expectErr: "storeSpec is missing provider",
store: &esv1alpha1.SecretStore{},
store: &esv1beta1.SecretStore{},
},
{
name: "store spec has no provider",
expectErr: "storeSpec is missing provider",
store: &esv1alpha1.SecretStore{
Spec: esv1alpha1.SecretStoreSpec{},
store: &esv1beta1.SecretStore{
Spec: esv1beta1.SecretStoreSpec{},
},
},
{
name: "spec has no awssm field",
expectErr: "Missing AWS field",
store: &esv1alpha1.SecretStore{
Spec: esv1alpha1.SecretStoreSpec{
Provider: &esv1alpha1.SecretStoreProvider{},
store: &esv1beta1.SecretStore{
Spec: esv1beta1.SecretStoreSpec{
Provider: &esv1beta1.SecretStoreProvider{},
},
},
},
{
name: "configure aws using environment variables",
store: &esv1alpha1.SecretStore{
Spec: esv1alpha1.SecretStoreSpec{
Provider: &esv1alpha1.SecretStoreProvider{
AWS: &esv1alpha1.AWSProvider{},
store: &esv1beta1.SecretStore{
Spec: esv1beta1.SecretStoreSpec{
Provider: &esv1beta1.SecretStoreProvider{
AWS: &esv1beta1.AWSProvider{},
},
},
},
@ -110,10 +110,10 @@ func TestNewSession(t *testing.T) {
},
}
},
store: &esv1alpha1.SecretStore{
Spec: esv1alpha1.SecretStoreSpec{
Provider: &esv1alpha1.SecretStoreProvider{
AWS: &esv1alpha1.AWSProvider{
store: &esv1beta1.SecretStore{
Spec: esv1beta1.SecretStoreSpec{
Provider: &esv1beta1.SecretStoreProvider{
AWS: &esv1beta1.AWSProvider{
Role: "foo-bar-baz",
},
},
@ -130,12 +130,12 @@ func TestNewSession(t *testing.T) {
{
name: "error out when secret with credentials does not exist",
namespace: "foo",
store: &esv1alpha1.SecretStore{
Spec: esv1alpha1.SecretStoreSpec{
Provider: &esv1alpha1.SecretStoreProvider{
AWS: &esv1alpha1.AWSProvider{
Auth: esv1alpha1.AWSAuth{
SecretRef: &esv1alpha1.AWSAuthSecretRef{
store: &esv1beta1.SecretStore{
Spec: esv1beta1.SecretStoreSpec{
Provider: &esv1beta1.SecretStoreProvider{
AWS: &esv1beta1.AWSProvider{
Auth: esv1beta1.AWSAuth{
SecretRef: &esv1beta1.AWSAuthSecretRef{
AccessKeyID: esmeta.SecretKeySelector{
Name: "othersecret",
Key: "one",
@ -155,12 +155,12 @@ func TestNewSession(t *testing.T) {
{
name: "use credentials from secret to configure aws",
namespace: "foo",
store: &esv1alpha1.SecretStore{
Spec: esv1alpha1.SecretStoreSpec{
Provider: &esv1alpha1.SecretStoreProvider{
AWS: &esv1alpha1.AWSProvider{
Auth: esv1alpha1.AWSAuth{
SecretRef: &esv1alpha1.AWSAuthSecretRef{
store: &esv1beta1.SecretStore{
Spec: esv1beta1.SecretStoreSpec{
Provider: &esv1beta1.SecretStoreProvider{
AWS: &esv1beta1.AWSProvider{
Auth: esv1beta1.AWSAuth{
SecretRef: &esv1beta1.AWSAuthSecretRef{
AccessKeyID: esmeta.SecretKeySelector{
Name: "onesecret",
// Namespace is not set
@ -196,12 +196,12 @@ func TestNewSession(t *testing.T) {
{
name: "error out when secret key does not exist",
namespace: "foo",
store: &esv1alpha1.SecretStore{
Spec: esv1alpha1.SecretStoreSpec{
Provider: &esv1alpha1.SecretStoreProvider{
AWS: &esv1alpha1.AWSProvider{
Auth: esv1alpha1.AWSAuth{
SecretRef: &esv1alpha1.AWSAuthSecretRef{
store: &esv1beta1.SecretStore{
Spec: esv1beta1.SecretStoreSpec{
Provider: &esv1beta1.SecretStoreProvider{
AWS: &esv1beta1.AWSProvider{
Auth: esv1beta1.AWSAuth{
SecretRef: &esv1beta1.AWSAuthSecretRef{
AccessKeyID: esmeta.SecretKeySelector{
Name: "brokensecret",
Key: "one",
@ -230,12 +230,12 @@ func TestNewSession(t *testing.T) {
{
name: "should not be able to access secrets from different namespace",
namespace: "foo",
store: &esv1alpha1.SecretStore{
Spec: esv1alpha1.SecretStoreSpec{
Provider: &esv1alpha1.SecretStoreProvider{
AWS: &esv1alpha1.AWSProvider{
Auth: esv1alpha1.AWSAuth{
SecretRef: &esv1alpha1.AWSAuthSecretRef{
store: &esv1beta1.SecretStore{
Spec: esv1beta1.SecretStoreSpec{
Provider: &esv1beta1.SecretStoreProvider{
AWS: &esv1beta1.AWSProvider{
Auth: esv1beta1.AWSAuth{
SecretRef: &esv1beta1.AWSAuthSecretRef{
AccessKeyID: esmeta.SecretKeySelector{
Name: "onesecret",
Namespace: aws.String("evil"), // this should not be possible!
@ -269,16 +269,16 @@ func TestNewSession(t *testing.T) {
{
name: "ClusterStore should use credentials from a specific namespace",
namespace: esNamespaceKey,
store: &esv1alpha1.ClusterSecretStore{
store: &esv1beta1.ClusterSecretStore{
TypeMeta: metav1.TypeMeta{
APIVersion: esv1alpha1.ClusterSecretStoreKindAPIVersion,
Kind: esv1alpha1.ClusterSecretStoreKind,
APIVersion: esv1beta1.ClusterSecretStoreKindAPIVersion,
Kind: esv1beta1.ClusterSecretStoreKind,
},
Spec: esv1alpha1.SecretStoreSpec{
Provider: &esv1alpha1.SecretStoreProvider{
AWS: &esv1alpha1.AWSProvider{
Auth: esv1alpha1.AWSAuth{
SecretRef: &esv1alpha1.AWSAuthSecretRef{
Spec: esv1beta1.SecretStoreSpec{
Provider: &esv1beta1.SecretStoreProvider{
AWS: &esv1beta1.AWSProvider{
Auth: esv1beta1.AWSAuth{
SecretRef: &esv1beta1.AWSAuthSecretRef{
AccessKeyID: esmeta.SecretKeySelector{
Name: "onesecret",
Namespace: aws.String(platformTeamNsKey),
@ -314,16 +314,16 @@ func TestNewSession(t *testing.T) {
{
name: "namespace is mandatory when using ClusterStore with SecretKeySelector",
namespace: esNamespaceKey,
store: &esv1alpha1.ClusterSecretStore{
store: &esv1beta1.ClusterSecretStore{
TypeMeta: metav1.TypeMeta{
APIVersion: esv1alpha1.ClusterSecretStoreKindAPIVersion,
Kind: esv1alpha1.ClusterSecretStoreKind,
APIVersion: esv1beta1.ClusterSecretStoreKindAPIVersion,
Kind: esv1beta1.ClusterSecretStoreKind,
},
Spec: esv1alpha1.SecretStoreSpec{
Provider: &esv1alpha1.SecretStoreProvider{
AWS: &esv1alpha1.AWSProvider{
Auth: esv1alpha1.AWSAuth{
SecretRef: &esv1alpha1.AWSAuthSecretRef{
Spec: esv1beta1.SecretStoreSpec{
Provider: &esv1beta1.SecretStoreProvider{
AWS: &esv1beta1.AWSProvider{
Auth: esv1beta1.AWSAuth{
SecretRef: &esv1beta1.AWSAuthSecretRef{
AccessKeyID: esmeta.SecretKeySelector{
Name: "onesecret",
Key: "one",
@ -368,16 +368,16 @@ func TestNewSession(t *testing.T) {
IsExpiredFunc: func() bool { return false },
}, nil
},
store: &esv1alpha1.ClusterSecretStore{
store: &esv1beta1.ClusterSecretStore{
TypeMeta: metav1.TypeMeta{
APIVersion: esv1alpha1.ClusterSecretStoreKindAPIVersion,
Kind: esv1alpha1.ClusterSecretStoreKind,
APIVersion: esv1beta1.ClusterSecretStoreKindAPIVersion,
Kind: esv1beta1.ClusterSecretStoreKind,
},
Spec: esv1alpha1.SecretStoreSpec{
Provider: &esv1alpha1.SecretStoreProvider{
AWS: &esv1alpha1.AWSProvider{
Auth: esv1alpha1.AWSAuth{
JWTAuth: &esv1alpha1.AWSJWTAuth{
Spec: esv1beta1.SecretStoreSpec{
Provider: &esv1beta1.SecretStoreProvider{
AWS: &esv1beta1.AWSProvider{
Auth: esv1beta1.AWSAuth{
JWTAuth: &esv1beta1.AWSJWTAuth{
ServiceAccountRef: &esmeta.ServiceAccountSelector{
Name: myServiceAccountKey,
Namespace: aws.String(otherNsName),
@ -403,7 +403,7 @@ func TestNewSession(t *testing.T) {
type TestSessionRow struct {
name string
store esv1alpha1.GenericStore
store esv1beta1.GenericStore
secrets []v1.Secret
sa *v1.ServiceAccount
jwtProvider jwtProviderFactory
@ -464,11 +464,11 @@ func TestSMEnvCredentials(t *testing.T) {
os.Setenv("AWS_ACCESS_KEY_ID", "2222")
defer os.Unsetenv("AWS_SECRET_ACCESS_KEY")
defer os.Unsetenv("AWS_ACCESS_KEY_ID")
s, err := New(context.Background(), &esv1alpha1.SecretStore{
Spec: esv1alpha1.SecretStoreSpec{
Provider: &esv1alpha1.SecretStoreProvider{
s, err := New(context.Background(), &esv1beta1.SecretStore{
Spec: esv1beta1.SecretStoreSpec{
Provider: &esv1beta1.SecretStoreProvider{
// defaults
AWS: &esv1alpha1.AWSProvider{},
AWS: &esv1beta1.AWSProvider{},
},
},
}, k8sClient, "example-ns", DefaultSTSProvider, nil)
@ -504,11 +504,11 @@ func TestSMAssumeRole(t *testing.T) {
os.Setenv("AWS_ACCESS_KEY_ID", "2222")
defer os.Unsetenv("AWS_SECRET_ACCESS_KEY")
defer os.Unsetenv("AWS_ACCESS_KEY_ID")
s, err := New(context.Background(), &esv1alpha1.SecretStore{
Spec: esv1alpha1.SecretStoreSpec{
Provider: &esv1alpha1.SecretStoreProvider{
s, err := New(context.Background(), &esv1beta1.SecretStore{
Spec: esv1beta1.SecretStoreSpec{
Provider: &esv1beta1.SecretStoreProvider{
// do assume role!
AWS: &esv1alpha1.AWSProvider{
AWS: &esv1beta1.AWSProvider{
Role: "my-awesome-role",
},
},

12
pkg/provider/aws/parameterstore/parameterstore.go
View file

@ -24,7 +24,7 @@ import (
"github.com/tidwall/gjson"
ctrl "sigs.k8s.io/controller-runtime"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
"github.com/external-secrets/external-secrets/pkg/provider/aws/util"
)
@ -50,8 +50,14 @@ func New(sess *session.Session) (*ParameterStore, error) {
}, nil
}
// Empty GetAllSecrets.
func (pm *ParameterStore) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
// TO be implemented
return nil, fmt.Errorf("GetAllSecrets not implemented")
}
// GetSecret returns a single secret from the provider.
func (pm *ParameterStore) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
func (pm *ParameterStore) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
log.Info("fetching secret value", "key", ref.Key)
out, err := pm.client.GetParameter(&ssm.GetParameterInput{
Name: &ref.Key,
@ -74,7 +80,7 @@ func (pm *ParameterStore) GetSecret(ctx context.Context, ref esv1alpha1.External
}
// GetSecretMap returns multiple k/v pairs from the provider.
func (pm *ParameterStore) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
func (pm *ParameterStore) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
log.Info("fetching secret map", "key", ref.Key)
data, err := pm.GetSecret(ctx, ref)
if err != nil {

8
pkg/provider/aws/parameterstore/parameterstore_test.go
View file

@ -23,7 +23,7 @@ import (
"github.com/aws/aws-sdk-go/service/ssm"
"github.com/google/go-cmp/cmp"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
fake "github.com/external-secrets/external-secrets/pkg/provider/aws/parameterstore/fake"
)
@ -31,7 +31,7 @@ type parameterstoreTestCase struct {
fakeClient *fake.Client
apiInput *ssm.GetParameterInput
apiOutput *ssm.GetParameterOutput
remoteRef *esv1alpha1.ExternalSecretDataRemoteRef
remoteRef *esv1beta1.ExternalSecretDataRemoteRef
apiErr error
expectError string
expectedSecret string
@ -66,8 +66,8 @@ func makeValidAPIOutput() *ssm.GetParameterOutput {
}
}
func makeValidRemoteRef() *esv1alpha1.ExternalSecretDataRemoteRef {
return &esv1alpha1.ExternalSecretDataRemoteRef{
func makeValidRemoteRef() *esv1beta1.ExternalSecretDataRemoteRef {
return &esv1beta1.ExternalSecretDataRemoteRef{
Key: "/baz",
}
}

14
pkg/provider/aws/provider.go
View file

@ -20,7 +20,7 @@ import (
"sigs.k8s.io/controller-runtime/pkg/client"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
"github.com/external-secrets/external-secrets/pkg/provider"
awsauth "github.com/external-secrets/external-secrets/pkg/provider/aws/auth"
"github.com/external-secrets/external-secrets/pkg/provider/aws/parameterstore"
@ -38,11 +38,11 @@ const (
)
// NewClient constructs a new secrets client based on the provided store.
func (p *Provider) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
func (p *Provider) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
return newClient(ctx, store, kube, namespace, awsauth.DefaultSTSProvider)
}
func newClient(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string, assumeRoler awsauth.STSProvider) (provider.SecretsClient, error) {
func newClient(ctx context.Context, store esv1beta1.GenericStore, kube client.Client, namespace string, assumeRoler awsauth.STSProvider) (provider.SecretsClient, error) {
prov, err := util.GetAWSProvider(store)
if err != nil {
return nil, err
@ -54,16 +54,16 @@ func newClient(ctx context.Context, store esv1alpha1.GenericStore, kube client.C
}
switch prov.Service {
case esv1alpha1.AWSServiceSecretsManager:
case esv1beta1.AWSServiceSecretsManager:
return secretsmanager.New(sess)
case esv1alpha1.AWSServiceParameterStore:
case esv1beta1.AWSServiceParameterStore:
return parameterstore.New(sess)
}
return nil, fmt.Errorf(errUnknownProviderService, prov.Service)
}
func init() {
schema.Register(&Provider{}, &esv1alpha1.SecretStoreProvider{
AWS: &esv1alpha1.AWSProvider{},
schema.Register(&Provider{}, &esv1beta1.SecretStoreProvider{
AWS: &esv1beta1.AWSProvider{},
})
}

56
pkg/provider/aws/provider_test.go
View file

@ -23,7 +23,7 @@ import (
"github.com/stretchr/testify/assert"
clientfake "sigs.k8s.io/controller-runtime/pkg/client/fake"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
"github.com/external-secrets/external-secrets/pkg/provider/aws/parameterstore"
"github.com/external-secrets/external-secrets/pkg/provider/aws/secretsmanager"
@ -43,7 +43,7 @@ func TestProvider(t *testing.T) {
tbl := []struct {
test string
store esv1alpha1.GenericStore
store esv1beta1.GenericStore
expType interface{}
expErr bool
}{
@ -55,16 +55,16 @@ func TestProvider(t *testing.T) {
{
test: "should not create provider due to missing provider",
expErr: true,
store: &esv1alpha1.SecretStore{
Spec: esv1alpha1.SecretStoreSpec{},
store: &esv1beta1.SecretStore{
Spec: esv1beta1.SecretStoreSpec{},
},
},
{
test: "should not create provider due to missing provider field",
expErr: true,
store: &esv1alpha1.SecretStore{
Spec: esv1alpha1.SecretStoreSpec{
Provider: &esv1alpha1.SecretStoreProvider{},
store: &esv1beta1.SecretStore{
Spec: esv1beta1.SecretStoreSpec{
Provider: &esv1beta1.SecretStoreProvider{},
},
},
},
@ -72,11 +72,11 @@ func TestProvider(t *testing.T) {
test: "should create parameter store client",
expErr: false,
expType: &parameterstore.ParameterStore{},
store: &esv1alpha1.SecretStore{
Spec: esv1alpha1.SecretStoreSpec{
Provider: &esv1alpha1.SecretStoreProvider{
AWS: &esv1alpha1.AWSProvider{
Service: esv1alpha1.AWSServiceParameterStore,
store: &esv1beta1.SecretStore{
Spec: esv1beta1.SecretStoreSpec{
Provider: &esv1beta1.SecretStoreProvider{
AWS: &esv1beta1.AWSProvider{
Service: esv1beta1.AWSServiceParameterStore,
},
},
},
@ -86,11 +86,11 @@ func TestProvider(t *testing.T) {
test: "should create secretsmanager client",
expErr: false,
expType: &secretsmanager.SecretsManager{},
store: &esv1alpha1.SecretStore{
Spec: esv1alpha1.SecretStoreSpec{
Provider: &esv1alpha1.SecretStoreProvider{
AWS: &esv1alpha1.AWSProvider{
Service: esv1alpha1.AWSServiceSecretsManager,
store: &esv1beta1.SecretStore{
Spec: esv1beta1.SecretStoreSpec{
Provider: &esv1beta1.SecretStoreProvider{
AWS: &esv1beta1.AWSProvider{
Service: esv1beta1.AWSServiceSecretsManager,
},
},
},
@ -99,10 +99,10 @@ func TestProvider(t *testing.T) {
{
test: "invalid service should return an error",
expErr: true,
store: &esv1alpha1.SecretStore{
Spec: esv1alpha1.SecretStoreSpec{
Provider: &esv1alpha1.SecretStoreProvider{
AWS: &esv1alpha1.AWSProvider{
store: &esv1beta1.SecretStore{
Spec: esv1beta1.SecretStoreSpec{
Provider: &esv1beta1.SecretStoreProvider{
AWS: &esv1beta1.AWSProvider{
Service: "HIHIHIHHEHEHEHEHEHE",
},
},
@ -112,13 +112,13 @@ func TestProvider(t *testing.T) {
{
test: "newSession error should be returned",
expErr: true,
store: &esv1alpha1.SecretStore{
Spec: esv1alpha1.SecretStoreSpec{
Provider: &esv1alpha1.SecretStoreProvider{
AWS: &esv1alpha1.AWSProvider{
Service: esv1alpha1.AWSServiceParameterStore,
Auth: esv1alpha1.AWSAuth{
SecretRef: &esv1alpha1.AWSAuthSecretRef{
store: &esv1beta1.SecretStore{
Spec: esv1beta1.SecretStoreSpec{
Provider: &esv1beta1.SecretStoreProvider{
AWS: &esv1beta1.AWSProvider{
Service: esv1beta1.AWSServiceParameterStore,
Auth: esv1beta1.AWSAuth{
SecretRef: &esv1beta1.AWSAuthSecretRef{
AccessKeyID: esmeta.SecretKeySelector{
Name: "foo",
Namespace: aws.String("NOOP"),

14
pkg/provider/aws/secretsmanager/secretsmanager.go
View file

@ -24,7 +24,7 @@ import (
"github.com/tidwall/gjson"
ctrl "sigs.k8s.io/controller-runtime"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
"github.com/external-secrets/external-secrets/pkg/provider/aws/util"
)
@ -52,7 +52,7 @@ func New(sess *session.Session) (*SecretsManager, error) {
}, nil
}
func (sm *SecretsManager) fetch(_ context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (*awssm.GetSecretValueOutput, error) {
func (sm *SecretsManager) fetch(_ context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (*awssm.GetSecretValueOutput, error) {
ver := "AWSCURRENT"
if ref.Version != "" {
ver = ref.Version
@ -76,8 +76,14 @@ func (sm *SecretsManager) fetch(_ context.Context, ref esv1alpha1.ExternalSecret
return secretOut, nil
}
// Empty GetAllSecrets.
func (sm *SecretsManager) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
// TO be implemented
return nil, fmt.Errorf("GetAllSecrets not implemented")
}
// GetSecret returns a single secret from the provider.
func (sm *SecretsManager) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
func (sm *SecretsManager) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
secretOut, err := sm.fetch(ctx, ref)
if err != nil {
return nil, util.SanitizeErr(err)
@ -107,7 +113,7 @@ func (sm *SecretsManager) GetSecret(ctx context.Context, ref esv1alpha1.External
}
// GetSecretMap returns multiple k/v pairs from the provider.
func (sm *SecretsManager) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
func (sm *SecretsManager) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
log.Info("fetching secret map", "key", ref.Key)
data, err := sm.GetSecret(ctx, ref)
if err != nil {

8
pkg/provider/aws/secretsmanager/secretsmanager_test.go
View file

@ -24,7 +24,7 @@ import (
awssm "github.com/aws/aws-sdk-go/service/secretsmanager"
"github.com/google/go-cmp/cmp"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
fakesm "github.com/external-secrets/external-secrets/pkg/provider/aws/secretsmanager/fake"
)
@ -32,7 +32,7 @@ type secretsManagerTestCase struct {
fakeClient *fakesm.Client
apiInput *awssm.GetSecretValueInput
apiOutput *awssm.GetSecretValueOutput
remoteRef *esv1alpha1.ExternalSecretDataRemoteRef
remoteRef *esv1beta1.ExternalSecretDataRemoteRef
apiErr error
expectError string
expectedSecret string
@ -59,8 +59,8 @@ func makeValidSecretsManagerTestCase() *secretsManagerTestCase {
return &smtc
}
func makeValidRemoteRef() *esv1alpha1.ExternalSecretDataRemoteRef {
return &esv1alpha1.ExternalSecretDataRemoteRef{
func makeValidRemoteRef() *esv1beta1.ExternalSecretDataRemoteRef {
return &esv1beta1.ExternalSecretDataRemoteRef{
Key: "/baz",
Version: "AWSCURRENT",
}

4
pkg/provider/aws/util/provider.go
View file

@ -16,7 +16,7 @@ package util
import (
"fmt"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
)
const (
@ -28,7 +28,7 @@ const (
// GetAWSProvider does the necessary nil checks on the generic store
// it returns the aws provider or an error.
func GetAWSProvider(store esv1alpha1.GenericStore) (*esv1alpha1.AWSProvider, error) {
func GetAWSProvider(store esv1beta1.GenericStore) (*esv1beta1.AWSProvider, error) {
if store == nil {
return nil, fmt.Errorf(errNilStore)
}

30
pkg/provider/azure/keyvault/keyvault.go
View file

@ -27,7 +27,7 @@ import (
"k8s.io/apimachinery/pkg/types"
"sigs.k8s.io/controller-runtime/pkg/client"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
smmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
"github.com/external-secrets/external-secrets/pkg/provider"
"github.com/external-secrets/external-secrets/pkg/provider/schema"
@ -48,24 +48,24 @@ type SecretClient interface {
type Azure struct {
kube client.Client
store esv1alpha1.GenericStore
store esv1beta1.GenericStore
baseClient SecretClient
vaultURL string
namespace string
}
func init() {
schema.Register(&Azure{}, &esv1alpha1.SecretStoreProvider{
AzureKV: &esv1alpha1.AzureKVProvider{},
schema.Register(&Azure{}, &esv1beta1.SecretStoreProvider{
AzureKV: &esv1beta1.AzureKVProvider{},
})
}
// NewClient constructs a new secrets client based on the provided store.
func (a *Azure) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
func (a *Azure) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
return newClient(ctx, store, kube, namespace)
}
func newClient(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
func newClient(ctx context.Context, store esv1beta1.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
anAzure := &Azure{
kube: kube,
store: store,
@ -85,10 +85,16 @@ func newClient(ctx context.Context, store esv1alpha1.GenericStore, kube client.C
return nil, fmt.Errorf("cannot initialize Azure Client: no valid authType was specified")
}
// Empty GetAllSecrets.
func (a *Azure) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
// TO be implemented
return nil, fmt.Errorf("GetAllSecrets not implemented")
}
// Implements store.Client.GetSecret Interface.
// Retrieves a secret/Key/Certificate with the secret name defined in ref.Name
// The Object Type is defined as a prefix in the ref.Name , if no prefix is defined , we assume a secret is required.
func (a *Azure) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
func (a *Azure) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
version := ""
basicClient := a.baseClient
objectType, secretName := getObjType(ref)
@ -137,7 +143,7 @@ func (a *Azure) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretData
// Implements store.Client.GetSecretMap Interface.
// New version of GetSecretMap.
func (a *Azure) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
func (a *Azure) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
objectType, secretName := getObjType(ref)
switch objectType {
@ -171,7 +177,7 @@ func (a *Azure) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretD
func (a *Azure) setAzureClientWithManagedIdentity() (bool, error) {
spec := *a.store.GetSpec().Provider.AzureKV
if *spec.AuthType != esv1alpha1.ManagedIdentity {
if *spec.AuthType != esv1beta1.ManagedIdentity {
return false, nil
}
@ -197,7 +203,7 @@ func (a *Azure) setAzureClientWithManagedIdentity() (bool, error) {
func (a *Azure) setAzureClientWithServicePrincipal(ctx context.Context) (bool, error) {
spec := *a.store.GetSpec().Provider.AzureKV
if *spec.AuthType != esv1alpha1.ServicePrincipal {
if *spec.AuthType != esv1beta1.ServicePrincipal {
return false, nil
}
@ -211,7 +217,7 @@ func (a *Azure) setAzureClientWithServicePrincipal(ctx context.Context) (bool, e
return true, fmt.Errorf("missing accessKeyID/secretAccessKey in store config")
}
clusterScoped := false
if a.store.GetObjectKind().GroupVersionKind().Kind == esv1alpha1.ClusterSecretStoreKind {
if a.store.GetObjectKind().GroupVersionKind().Kind == esv1beta1.ClusterSecretStoreKind {
clusterScoped = true
}
cid, err := a.secretKeyRef(ctx, a.store.GetNamespace(), *spec.AuthSecretRef.ClientID, clusterScoped)
@ -268,7 +274,7 @@ func (a *Azure) Validate() error {
return nil
}
func getObjType(ref esv1alpha1.ExternalSecretDataRemoteRef) (string, string) {
func getObjType(ref esv1beta1.ExternalSecretDataRemoteRef) (string, string) {
objectType := defaultObjType
secretName := ref.Key

26
pkg/provider/azure/keyvault/keyvault_test.go
View file

@ -26,7 +26,7 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
clientfake "sigs.k8s.io/controller-runtime/pkg/client/fake"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
v1 "github.com/external-secrets/external-secrets/apis/meta/v1"
fake "github.com/external-secrets/external-secrets/pkg/provider/azure/keyvault/fake"
"github.com/external-secrets/external-secrets/pkg/provider/schema"
@ -38,7 +38,7 @@ type secretManagerTestCase struct {
secretName string
secretVersion string
serviceURL string
ref *esv1alpha1.ExternalSecretDataRemoteRef
ref *esv1beta1.ExternalSecretDataRemoteRef
apiErr error
secretOutput keyvault.SecretBundle
keyOutput keyvault.KeyBundle
@ -86,12 +86,12 @@ func TestNewClientManagedIdentityNoNeedForCredentials(t *testing.T) {
namespace := "internal"
vaultURL := "https://local.vault.url"
identityID := "1234"
authType := esv1alpha1.ManagedIdentity
store := esv1alpha1.SecretStore{
authType := esv1beta1.ManagedIdentity
store := esv1beta1.SecretStore{
ObjectMeta: metav1.ObjectMeta{
Namespace: namespace,
},
Spec: esv1alpha1.SecretStoreSpec{Provider: &esv1alpha1.SecretStoreProvider{AzureKV: &esv1alpha1.AzureKVProvider{
Spec: esv1beta1.SecretStoreSpec{Provider: &esv1beta1.SecretStoreProvider{AzureKV: &esv1beta1.AzureKVProvider{
AuthType: &authType,
IdentityID: &identityID,
VaultURL: &vaultURL,
@ -115,12 +115,12 @@ func TestNewClientNoCreds(t *testing.T) {
namespace := "internal"
vaultURL := "https://local.vault.url"
tenantID := "1234"
authType := esv1alpha1.ServicePrincipal
store := esv1alpha1.SecretStore{
authType := esv1beta1.ServicePrincipal
store := esv1beta1.SecretStore{
ObjectMeta: metav1.ObjectMeta{
Namespace: namespace,
},
Spec: esv1alpha1.SecretStoreSpec{Provider: &esv1alpha1.SecretStoreProvider{AzureKV: &esv1alpha1.AzureKVProvider{
Spec: esv1beta1.SecretStoreSpec{Provider: &esv1beta1.SecretStoreProvider{AzureKV: &esv1beta1.AzureKVProvider{
AuthType: &authType,
VaultURL: &vaultURL,
TenantID: &tenantID,
@ -132,7 +132,7 @@ func TestNewClientNoCreds(t *testing.T) {
_, err = provider.NewClient(context.Background(), &store, k8sClient, namespace)
tassert.EqualError(t, err, "missing clientID/clientSecret in store config")
store.Spec.Provider.AzureKV.AuthSecretRef = &esv1alpha1.AzureKVAuth{}
store.Spec.Provider.AzureKV.AuthSecretRef = &esv1beta1.AzureKVAuth{}
_, err = provider.NewClient(context.Background(), &store, k8sClient, namespace)
tassert.EqualError(t, err, "missing accessKeyID/secretAccessKey in store config")
@ -143,8 +143,8 @@ func TestNewClientNoCreds(t *testing.T) {
store.Spec.Provider.AzureKV.AuthSecretRef.ClientSecret = &v1.SecretKeySelector{Name: "password"}
_, err = provider.NewClient(context.Background(), &store, k8sClient, namespace)
tassert.EqualError(t, err, "could not find secret internal/user: secrets \"user\" not found")
store.TypeMeta.Kind = esv1alpha1.ClusterSecretStoreKind
store.TypeMeta.APIVersion = esv1alpha1.ClusterSecretStoreKindAPIVersion
store.TypeMeta.Kind = esv1beta1.ClusterSecretStoreKind
store.TypeMeta.APIVersion = esv1beta1.ClusterSecretStoreKindAPIVersion
ns := "default"
store.Spec.Provider.AzureKV.AuthSecretRef.ClientID.Namespace = &ns
store.Spec.Provider.AzureKV.AuthSecretRef.ClientSecret.Namespace = &ns
@ -370,8 +370,8 @@ func TestAzureKeyVaultSecretManagerGetSecretMap(t *testing.T) {
}
}
func makeValidRef() *esv1alpha1.ExternalSecretDataRemoteRef {
return &esv1alpha1.ExternalSecretDataRemoteRef{
func makeValidRef() *esv1beta1.ExternalSecretDataRemoteRef {
return &esv1beta1.ExternalSecretDataRemoteRef{
Key: "test-secret",
Version: "default",
}

22
pkg/provider/fake/fake.go
View file

@ -20,7 +20,7 @@ import (
"sigs.k8s.io/controller-runtime/pkg/client"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
"github.com/external-secrets/external-secrets/pkg/provider"
"github.com/external-secrets/external-secrets/pkg/provider/schema"
)
@ -32,10 +32,10 @@ var (
)
type Provider struct {
config *esv1alpha1.FakeProvider
config *esv1beta1.FakeProvider
}
func (p *Provider) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
func (p *Provider) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
cfg, err := getProvider(store)
if err != nil {
return nil, err
@ -45,7 +45,7 @@ func (p *Provider) NewClient(ctx context.Context, store esv1alpha1.GenericStore,
}, nil
}
func getProvider(store esv1alpha1.GenericStore) (*esv1alpha1.FakeProvider, error) {
func getProvider(store esv1beta1.GenericStore) (*esv1beta1.FakeProvider, error) {
if store == nil {
return nil, errMissingStore
}
@ -56,8 +56,14 @@ func getProvider(store esv1alpha1.GenericStore) (*esv1alpha1.FakeProvider, error
return spc.Provider.Fake, nil
}
// Empty GetAllSecrets.
func (p *Provider) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
// TO be implemented
return nil, fmt.Errorf("GetAllSecrets not implemented")
}
// GetSecret returns a single secret from the provider.
func (p *Provider) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
func (p *Provider) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
for _, data := range p.config.Data {
if data.Key == ref.Key && data.Version == ref.Version {
return []byte(data.Value), nil
@ -67,7 +73,7 @@ func (p *Provider) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretD
}
// GetSecretMap returns multiple k/v pairs from the provider.
func (p *Provider) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
func (p *Provider) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
for _, data := range p.config.Data {
if data.Key != ref.Key || data.Version != ref.Version || data.ValueMap == nil {
continue
@ -94,7 +100,7 @@ func (p *Provider) Validate() error {
}
func init() {
schema.Register(&Provider{}, &esv1alpha1.SecretStoreProvider{
Fake: &esv1alpha1.FakeProvider{},
schema.Register(&Provider{}, &esv1beta1.SecretStoreProvider{
Fake: &esv1beta1.FakeProvider{},
})
}

44
pkg/provider/fake/fake_test.go
View file

@ -19,7 +19,7 @@ import (
"github.com/onsi/gomega"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
)
func TestNewClient(t *testing.T) {
@ -31,7 +31,7 @@ func TestNewClient(t *testing.T) {
gomega.Expect(err).To(gomega.HaveOccurred())
// missing provider
_, err = p.NewClient(context.Background(), &esv1alpha1.SecretStore{}, nil, "")
_, err = p.NewClient(context.Background(), &esv1beta1.SecretStore{}, nil, "")
gomega.Expect(err).To(gomega.HaveOccurred())
}
@ -44,8 +44,8 @@ func TestClose(t *testing.T) {
type testCase struct {
name string
input []esv1alpha1.FakeProviderData
request esv1alpha1.ExternalSecretDataRemoteRef
input []esv1beta1.FakeProviderData
request esv1beta1.ExternalSecretDataRemoteRef
expValue string
expErr string
}
@ -56,8 +56,8 @@ func TestGetSecret(t *testing.T) {
tbl := []testCase{
{
name: "return err when not found",
input: []esv1alpha1.FakeProviderData{},
request: esv1alpha1.ExternalSecretDataRemoteRef{
input: []esv1beta1.FakeProviderData{},
request: esv1beta1.ExternalSecretDataRemoteRef{
Key: "/foo",
Version: "v2",
},
@ -65,7 +65,7 @@ func TestGetSecret(t *testing.T) {
},
{
name: "get correct value from multiple versions",
input: []esv1alpha1.FakeProviderData{
input: []esv1beta1.FakeProviderData{
{
Key: "/foo",
Value: "bar2",
@ -81,7 +81,7 @@ func TestGetSecret(t *testing.T) {
Version: "v1",
},
},
request: esv1alpha1.ExternalSecretDataRemoteRef{
request: esv1beta1.ExternalSecretDataRemoteRef{
Key: "/foo",
Version: "v2",
},
@ -91,10 +91,10 @@ func TestGetSecret(t *testing.T) {
for _, row := range tbl {
t.Run(row.name, func(t *testing.T) {
cl, err := p.NewClient(context.Background(), &esv1alpha1.SecretStore{
Spec: esv1alpha1.SecretStoreSpec{
Provider: &esv1alpha1.SecretStoreProvider{
Fake: &esv1alpha1.FakeProvider{
cl, err := p.NewClient(context.Background(), &esv1beta1.SecretStore{
Spec: esv1beta1.SecretStoreSpec{
Provider: &esv1beta1.SecretStoreProvider{
Fake: &esv1beta1.FakeProvider{
Data: row.input,
},
},
@ -114,8 +114,8 @@ func TestGetSecret(t *testing.T) {
type testMapCase struct {
name string
input []esv1alpha1.FakeProviderData
request esv1alpha1.ExternalSecretDataRemoteRef
input []esv1beta1.FakeProviderData
request esv1beta1.ExternalSecretDataRemoteRef
expValue map[string][]byte
expErr string
}
@ -126,8 +126,8 @@ func TestGetSecretMap(t *testing.T) {
tbl := []testMapCase{
{
name: "return err when not found",
input: []esv1alpha1.FakeProviderData{},
request: esv1alpha1.ExternalSecretDataRemoteRef{
input: []esv1beta1.FakeProviderData{},
request: esv1beta1.ExternalSecretDataRemoteRef{
Key: "/foo",
Version: "v2",
},
@ -135,7 +135,7 @@ func TestGetSecretMap(t *testing.T) {
},
{
name: "get correct value from multiple versions",
input: []esv1alpha1.FakeProviderData{
input: []esv1beta1.FakeProviderData{
{
Key: "junk",
ValueMap: map[string]string{
@ -159,7 +159,7 @@ func TestGetSecretMap(t *testing.T) {
Version: "v2",
},
},
request: esv1alpha1.ExternalSecretDataRemoteRef{
request: esv1beta1.ExternalSecretDataRemoteRef{
Key: "/foo",
Version: "v2",
},
@ -172,10 +172,10 @@ func TestGetSecretMap(t *testing.T) {
for _, row := range tbl {
t.Run(row.name, func(t *testing.T) {
cl, err := p.NewClient(context.Background(), &esv1alpha1.SecretStore{
Spec: esv1alpha1.SecretStoreSpec{
Provider: &esv1alpha1.SecretStoreProvider{
Fake: &esv1alpha1.FakeProvider{
cl, err := p.NewClient(context.Background(), &esv1beta1.SecretStore{
Spec: esv1beta1.SecretStoreSpec{
Provider: &esv1beta1.SecretStoreProvider{
Fake: &esv1beta1.FakeProvider{
Data: row.input,
},
},

26
pkg/provider/gcp/secretmanager/secretsmanager.go
View file

@ -29,7 +29,7 @@ import (
"k8s.io/apimachinery/pkg/types"
kclient "sigs.k8s.io/controller-runtime/pkg/client"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
"github.com/external-secrets/external-secrets/pkg/provider"
"github.com/external-secrets/external-secrets/pkg/provider/schema"
"github.com/external-secrets/external-secrets/pkg/utils"
@ -67,13 +67,13 @@ type ProviderGCP struct {
type gClient struct {
kube kclient.Client
store *esv1alpha1.GCPSMProvider
store *esv1beta1.GCPSMProvider
namespace string
storeKind string
workloadIdentity *workloadIdentity
}
func (c *gClient) getTokenSource(ctx context.Context, store esv1alpha1.GenericStore, kube kclient.Client, namespace string) (oauth2.TokenSource, error) {
func (c *gClient) getTokenSource(ctx context.Context, store esv1beta1.GenericStore, kube kclient.Client, namespace string) (oauth2.TokenSource, error) {
ts, err := serviceAccountTokenSource(ctx, store, kube, namespace)
if ts != nil || err != nil {
return ts, err
@ -86,7 +86,7 @@ func (c *gClient) getTokenSource(ctx context.Context, store esv1alpha1.GenericSt
return google.DefaultTokenSource(ctx, CloudPlatformRole)
}
func serviceAccountTokenSource(ctx context.Context, store esv1alpha1.GenericStore, kube kclient.Client, namespace string) (oauth2.TokenSource, error) {
func serviceAccountTokenSource(ctx context.Context, store esv1beta1.GenericStore, kube kclient.Client, namespace string) (oauth2.TokenSource, error) {
spec := store.GetSpec()
if spec == nil || spec.Provider.GCPSM == nil {
return nil, fmt.Errorf(errMissingStoreSpec)
@ -104,7 +104,7 @@ func serviceAccountTokenSource(ctx context.Context, store esv1alpha1.GenericStor
}
// only ClusterStore is allowed to set namespace (and then it's required)
if storeKind == esv1alpha1.ClusterSecretStoreKind {
if storeKind == esv1beta1.ClusterSecretStoreKind {
if credentialsSecretName != "" && sr.SecretAccessKey.Namespace == nil {
return nil, fmt.Errorf(errInvalidClusterStoreMissingSAKNamespace)
} else if credentialsSecretName != "" {
@ -127,7 +127,7 @@ func serviceAccountTokenSource(ctx context.Context, store esv1alpha1.GenericStor
}
// NewClient constructs a GCP Provider.
func (sm *ProviderGCP) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
func (sm *ProviderGCP) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
storeSpec := store.GetSpec()
if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.GCPSM == nil {
return nil, fmt.Errorf(errGCPSMStore)
@ -168,8 +168,14 @@ func (sm *ProviderGCP) NewClient(ctx context.Context, store esv1alpha1.GenericSt
return sm, nil
}
// Empty GetAllSecrets.
func (sm *ProviderGCP) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
// TO be implemented
return nil, fmt.Errorf("GetAllSecrets not implemented")
}
// GetSecret returns a single secret from the provider.
func (sm *ProviderGCP) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
func (sm *ProviderGCP) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
if utils.IsNil(sm.SecretManagerClient) || sm.projectID == "" {
return nil, fmt.Errorf(errUninitalizedGCPProvider)
}
@ -207,7 +213,7 @@ func (sm *ProviderGCP) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSec
}
// GetSecretMap returns multiple k/v pairs from the provider.
func (sm *ProviderGCP) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
func (sm *ProviderGCP) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
if sm.SecretManagerClient == nil || sm.projectID == "" {
return nil, fmt.Errorf(errUninitalizedGCPProvider)
}
@ -250,7 +256,7 @@ func (sm *ProviderGCP) Validate() error {
}
func init() {
schema.Register(&ProviderGCP{}, &esv1alpha1.SecretStoreProvider{
GCPSM: &esv1alpha1.GCPSMProvider{},
schema.Register(&ProviderGCP{}, &esv1beta1.SecretStoreProvider{
GCPSM: &esv1beta1.GCPSMProvider{},
})
}

10
pkg/provider/gcp/secretmanager/secretsmanager_test.go
View file

@ -22,7 +22,7 @@ import (
secretmanagerpb "google.golang.org/genproto/googleapis/cloud/secretmanager/v1"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
fakesm "github.com/external-secrets/external-secrets/pkg/provider/gcp/secretmanager/fake"
)
@ -30,7 +30,7 @@ type secretManagerTestCase struct {
mockClient *fakesm.MockSMClient
apiInput *secretmanagerpb.AccessSecretVersionRequest
apiOutput *secretmanagerpb.AccessSecretVersionResponse
ref *esv1alpha1.ExternalSecretDataRemoteRef
ref *esv1beta1.ExternalSecretDataRemoteRef
projectID string
apiErr error
expectError string
@ -56,8 +56,8 @@ func makeValidSecretManagerTestCase() *secretManagerTestCase {
return &smtc
}
func makeValidRef() *esv1alpha1.ExternalSecretDataRemoteRef {
return &esv1alpha1.ExternalSecretDataRemoteRef{
func makeValidRef() *esv1beta1.ExternalSecretDataRemoteRef {
return &esv1beta1.ExternalSecretDataRemoteRef{
Key: "/baz",
Version: "default",
}
@ -110,7 +110,7 @@ func TestSecretManagerGetSecret(t *testing.T) {
// good case: ref with
setCustomRef := func(smtc *secretManagerTestCase) {
smtc.ref = &esv1alpha1.ExternalSecretDataRemoteRef{
smtc.ref = &esv1beta1.ExternalSecretDataRemoteRef{
Key: "/baz",
Version: "default",
Property: "name.first",

6
pkg/provider/gcp/secretmanager/secretsmanager_workload_identity.go
View file

@ -40,7 +40,7 @@ import (
kclient "sigs.k8s.io/controller-runtime/pkg/client"
ctrlcfg "sigs.k8s.io/controller-runtime/pkg/client/config"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
)
const (
@ -90,7 +90,7 @@ func newWorkloadIdentity(ctx context.Context) (*workloadIdentity, error) {
}, nil
}
func (w *workloadIdentity) TokenSource(ctx context.Context, store esv1alpha1.GenericStore, kube kclient.Client, namespace string) (oauth2.TokenSource, error) {
func (w *workloadIdentity) TokenSource(ctx context.Context, store esv1beta1.GenericStore, kube kclient.Client, namespace string) (oauth2.TokenSource, error) {
spec := store.GetSpec()
if spec == nil || spec.Provider == nil || spec.Provider.GCPSM == nil {
return nil, fmt.Errorf(errMissingStoreSpec)
@ -106,7 +106,7 @@ func (w *workloadIdentity) TokenSource(ctx context.Context, store esv1alpha1.Gen
}
// only ClusterStore is allowed to set namespace (and then it's required)
if storeKind == esv1alpha1.ClusterSecretStoreKind {
if storeKind == esv1beta1.ClusterSecretStoreKind {
if wi.ServiceAccountRef.Namespace == nil {
return nil, fmt.Errorf(errInvalidClusterStoreMissingSANamespace)
}

44
pkg/provider/gcp/secretmanager/secretsmanager_workload_identity_test.go
View file

@ -32,7 +32,7 @@ import (
"sigs.k8s.io/controller-runtime/pkg/client"
clientfake "sigs.k8s.io/controller-runtime/pkg/client/fake"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
)
@ -44,7 +44,7 @@ type workloadIdentityTest struct {
genAccessToken func(context.Context, *credentialspb.GenerateAccessTokenRequest, ...gax.CallOption) (*credentialspb.GenerateAccessTokenResponse, error)
genIDBindToken func(ctx context.Context, client *http.Client, k8sToken, idPool, idProvider string) (*oauth2.Token, error)
genSAToken func(c context.Context, s1, s2, s3 string) (*authv1.TokenRequest, error)
store esv1alpha1.GenericStore
store esv1beta1.GenericStore
kubeObjects []client.Object
}
@ -54,14 +54,14 @@ func TestWorkloadIdentity(t *testing.T) {
composeTestcase(
defaultTestCase("missing store spec should result in error"),
withErr("invalid: missing store spec"),
withStore(&esv1alpha1.SecretStore{}),
withStore(&esv1beta1.SecretStore{}),
),
composeTestcase(
defaultTestCase("should skip when no workload identity is configured: TokenSource and error must be nil"),
withStore(&esv1alpha1.SecretStore{
Spec: esv1alpha1.SecretStoreSpec{
Provider: &esv1alpha1.SecretStoreProvider{
GCPSM: &esv1alpha1.GCPSMProvider{},
withStore(&esv1beta1.SecretStore{
Spec: esv1beta1.SecretStoreSpec{
Provider: &esv1beta1.SecretStoreProvider{
GCPSM: &esv1beta1.GCPSMProvider{},
},
},
}),
@ -210,7 +210,7 @@ func withErr(err string) testCaseMutator {
}
}
func withStore(store esv1alpha1.GenericStore) testCaseMutator {
func withStore(store esv1beta1.GenericStore) testCaseMutator {
return func(tc *workloadIdentityTest) {
tc.store = store
}
@ -282,8 +282,8 @@ func defaultTestCase(name string) *workloadIdentityTest {
}
}
func defaultStore() *esv1alpha1.SecretStore {
return &esv1alpha1.SecretStore{
func defaultStore() *esv1beta1.SecretStore {
return &esv1beta1.SecretStore{
ObjectMeta: metav1.ObjectMeta{
Name: "foobar",
Namespace: "default",
@ -292,10 +292,10 @@ func defaultStore() *esv1alpha1.SecretStore {
}
}
func defaultClusterStore() *esv1alpha1.ClusterSecretStore {
return &esv1alpha1.ClusterSecretStore{
func defaultClusterStore() *esv1beta1.ClusterSecretStore {
return &esv1beta1.ClusterSecretStore{
TypeMeta: metav1.TypeMeta{
Kind: esv1alpha1.ClusterSecretStoreKind,
Kind: esv1beta1.ClusterSecretStoreKind,
},
ObjectMeta: metav1.ObjectMeta{
Name: "foobar",
@ -304,12 +304,12 @@ func defaultClusterStore() *esv1alpha1.ClusterSecretStore {
}
}
func defaultStoreSpec() esv1alpha1.SecretStoreSpec {
return esv1alpha1.SecretStoreSpec{
Provider: &esv1alpha1.SecretStoreProvider{
GCPSM: &esv1alpha1.GCPSMProvider{
Auth: esv1alpha1.GCPSMAuth{
WorkloadIdentity: &esv1alpha1.GCPWorkloadIdentity{
func defaultStoreSpec() esv1beta1.SecretStoreSpec {
return esv1beta1.SecretStoreSpec{
Provider: &esv1beta1.SecretStoreProvider{
GCPSM: &esv1beta1.GCPSMProvider{
Auth: esv1beta1.GCPSMAuth{
WorkloadIdentity: &esv1beta1.GCPWorkloadIdentity{
ServiceAccountRef: esmeta.ServiceAccountSelector{
Name: "example",
},
@ -323,9 +323,9 @@ func defaultStoreSpec() esv1alpha1.SecretStoreSpec {
}
}
type storeMutator func(spc esv1alpha1.GenericStore)
type storeMutator func(spc esv1beta1.GenericStore)
func composeStore(store esv1alpha1.GenericStore, mutators ...storeMutator) esv1alpha1.GenericStore {
func composeStore(store esv1beta1.GenericStore, mutators ...storeMutator) esv1beta1.GenericStore {
for _, m := range mutators {
m(store)
}
@ -333,7 +333,7 @@ func composeStore(store esv1alpha1.GenericStore, mutators ...storeMutator) esv1a
}
func withSANamespace(namespace string) storeMutator {
return func(store esv1alpha1.GenericStore) {
return func(store esv1beta1.GenericStore) {
spc := store.GetSpec()
spc.Provider.GCPSM.Auth.WorkloadIdentity.ServiceAccountRef.Namespace = &namespace
}

22
pkg/provider/gitlab/gitlab.go
View file

@ -25,7 +25,7 @@ import (
"k8s.io/apimachinery/pkg/types"
kclient "sigs.k8s.io/controller-runtime/pkg/client"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
"github.com/external-secrets/external-secrets/e2e/framework/log"
"github.com/external-secrets/external-secrets/pkg/provider"
"github.com/external-secrets/external-secrets/pkg/provider/schema"
@ -56,15 +56,15 @@ type Gitlab struct {
// Client for interacting with kubernetes cluster...?
type gClient struct {
kube kclient.Client
store *esv1alpha1.GitlabProvider
store *esv1beta1.GitlabProvider
namespace string
storeKind string
credentials []byte
}
func init() {
schema.Register(&Gitlab{}, &esv1alpha1.SecretStoreProvider{
Gitlab: &esv1alpha1.GitlabProvider{},
schema.Register(&Gitlab{}, &esv1beta1.SecretStoreProvider{
Gitlab: &esv1beta1.GitlabProvider{},
})
}
@ -80,7 +80,7 @@ func (c *gClient) setAuth(ctx context.Context) error {
Namespace: c.namespace,
}
// only ClusterStore is allowed to set namespace (and then it's required)
if c.storeKind == esv1alpha1.ClusterSecretStoreKind {
if c.storeKind == esv1beta1.ClusterSecretStoreKind {
if c.store.Auth.SecretRef.AccessToken.Namespace == nil {
return fmt.Errorf(errInvalidClusterStoreMissingSAKNamespace)
}
@ -108,7 +108,7 @@ func NewGitlabProvider() *Gitlab {
}
// Method on Gitlab Provider to set up client with credentials and populate projectID.
func (g *Gitlab) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
func (g *Gitlab) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
storeSpec := store.GetSpec()
if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.Gitlab == nil {
return nil, fmt.Errorf("no store type or wrong store type")
@ -148,7 +148,13 @@ func (g *Gitlab) NewClient(ctx context.Context, store esv1alpha1.GenericStore, k
return g, nil
}
func (g *Gitlab) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
// Empty GetAllSecrets.
func (g *Gitlab) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
// TO be implemented
return nil, fmt.Errorf("GetAllSecrets not implemented")
}
func (g *Gitlab) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
if utils.IsNil(g.client) {
return nil, fmt.Errorf(errUninitalizedGitlabProvider)
}
@ -185,7 +191,7 @@ func (g *Gitlab) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDat
return []byte(val.String()), nil
}
func (g *Gitlab) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
func (g *Gitlab) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
// Gets a secret as normal, expecting secret value to be a json object
data, err := g.GetSecret(ctx, ref)
if err != nil {

8
pkg/provider/gitlab/gitlab_test.go
View file

@ -22,7 +22,7 @@ import (
gitlab "github.com/xanzy/go-gitlab"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
fakegitlab "github.com/external-secrets/external-secrets/pkg/provider/gitlab/fake"
)
@ -31,7 +31,7 @@ type secretManagerTestCase struct {
apiInputProjectID string
apiInputKey string
apiOutput *gitlab.ProjectVariable
ref *esv1alpha1.ExternalSecretDataRemoteRef
ref *esv1beta1.ExternalSecretDataRemoteRef
projectID *string
apiErr error
expectError string
@ -57,8 +57,8 @@ func makeValidSecretManagerTestCase() *secretManagerTestCase {
return &smtc
}
func makeValidRef() *esv1alpha1.ExternalSecretDataRemoteRef {
return &esv1alpha1.ExternalSecretDataRemoteRef{
func makeValidRef() *esv1beta1.ExternalSecretDataRemoteRef {
return &esv1beta1.ExternalSecretDataRemoteRef{
Key: "test-secret",
Version: "default",
}

26
pkg/provider/ibm/provider.go
View file

@ -26,7 +26,7 @@ import (
"k8s.io/apimachinery/pkg/types"
kclient "sigs.k8s.io/controller-runtime/pkg/client"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
"github.com/external-secrets/external-secrets/pkg/provider"
"github.com/external-secrets/external-secrets/pkg/provider/schema"
"github.com/external-secrets/external-secrets/pkg/utils"
@ -56,7 +56,7 @@ type providerIBM struct {
type client struct {
kube kclient.Client
store *esv1alpha1.IBMProvider
store *esv1beta1.IBMProvider
namespace string
storeKind string
credentials []byte
@ -74,7 +74,7 @@ func (c *client) setAuth(ctx context.Context) error {
}
// only ClusterStore is allowed to set namespace (and then it's required)
if c.storeKind == esv1alpha1.ClusterSecretStoreKind {
if c.storeKind == esv1beta1.ClusterSecretStoreKind {
if c.store.Auth.SecretRef.SecretAPIKey.Namespace == nil {
return fmt.Errorf(errInvalidClusterStoreMissingSKNamespace)
}
@ -93,7 +93,13 @@ func (c *client) setAuth(ctx context.Context) error {
return nil
}
func (ibm *providerIBM) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
// Empty GetAllSecrets.
func (ibm *providerIBM) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
// TO be implemented
return nil, fmt.Errorf("GetAllSecrets not implemented")
}
func (ibm *providerIBM) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
if utils.IsNil(ibm.IBMClient) {
return nil, fmt.Errorf(errUninitalizedIBMProvider)
}
@ -151,7 +157,7 @@ func getArbitrarySecret(ibm *providerIBM, secretName *string) ([]byte, error) {
return []byte(arbitrarySecretPayload), nil
}
func getImportCertSecret(ibm *providerIBM, secretName *string, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
func getImportCertSecret(ibm *providerIBM, secretName *string, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
response, _, err := ibm.IBMClient.GetSecret(
&sm.GetSecretOptions{
SecretType: core.StringPtr(sm.CreateSecretOptionsSecretTypeImportedCertConst),
@ -186,7 +192,7 @@ func getIamCredentialsSecret(ibm *providerIBM, secretName *string) ([]byte, erro
return []byte(secretData), nil
}
func getUsernamePasswordSecret(ibm *providerIBM, secretName *string, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
func getUsernamePasswordSecret(ibm *providerIBM, secretName *string, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
response, _, err := ibm.IBMClient.GetSecret(
&sm.GetSecretOptions{
SecretType: core.StringPtr(sm.CreateSecretOptionsSecretTypeUsernamePasswordConst),
@ -205,7 +211,7 @@ func getUsernamePasswordSecret(ibm *providerIBM, secretName *string, ref esv1alp
return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Property, ref.Key)
}
func (ibm *providerIBM) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
func (ibm *providerIBM) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
if utils.IsNil(ibm.IBMClient) {
return nil, fmt.Errorf(errUninitalizedIBMProvider)
}
@ -317,7 +323,7 @@ func (ibm *providerIBM) Validate() error {
return nil
}
func (ibm *providerIBM) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
func (ibm *providerIBM) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
storeSpec := store.GetSpec()
ibmSpec := storeSpec.Provider.IBM
@ -370,7 +376,7 @@ func (ibm *providerIBM) NewClient(ctx context.Context, store esv1alpha1.GenericS
}
func init() {
schema.Register(&providerIBM{}, &esv1alpha1.SecretStoreProvider{
IBM: &esv1alpha1.IBMProvider{},
schema.Register(&providerIBM{}, &esv1beta1.SecretStoreProvider{
IBM: &esv1beta1.IBMProvider{},
})
}

22
pkg/provider/ibm/provider_test.go
View file

@ -27,7 +27,7 @@ import (
utilpointer "k8s.io/utils/pointer"
kclient "sigs.k8s.io/controller-runtime/pkg/client"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
v1 "github.com/external-secrets/external-secrets/apis/meta/v1"
fakesm "github.com/external-secrets/external-secrets/pkg/provider/ibm/fake"
)
@ -36,7 +36,7 @@ type secretManagerTestCase struct {
mockClient *fakesm.IBMMockClient
apiInput *sm.GetSecretOptions
apiOutput *sm.GetSecret
ref *esv1alpha1.ExternalSecretDataRemoteRef
ref *esv1beta1.ExternalSecretDataRemoteRef
serviceURL *string
apiErr error
expectError string
@ -61,8 +61,8 @@ func makeValidSecretManagerTestCase() *secretManagerTestCase {
return &smtc
}
func makeValidRef() *esv1alpha1.ExternalSecretDataRemoteRef {
return &esv1alpha1.ExternalSecretDataRemoteRef{
func makeValidRef() *esv1beta1.ExternalSecretDataRemoteRef {
return &esv1beta1.ExternalSecretDataRemoteRef{
Key: "test-secret",
Version: "default",
}
@ -382,12 +382,12 @@ func TestValidRetryInput(t *testing.T) {
invalid := "Invalid"
serviceURL := "http://fake-service-url.cool"
spec := &esv1alpha1.SecretStore{
Spec: esv1alpha1.SecretStoreSpec{
Provider: &esv1alpha1.SecretStoreProvider{
IBM: &esv1alpha1.IBMProvider{
Auth: esv1alpha1.IBMAuth{
SecretRef: esv1alpha1.IBMAuthSecretRef{
spec := &esv1beta1.SecretStore{
Spec: esv1beta1.SecretStoreSpec{
Provider: &esv1beta1.SecretStoreProvider{
IBM: &esv1beta1.IBMProvider{
Auth: esv1beta1.IBMAuth{
SecretRef: esv1beta1.IBMAuthSecretRef{
SecretAPIKey: v1.SecretKeySelector{
Name: "fake-secret",
Key: "fake-key",
@ -397,7 +397,7 @@ func TestValidRetryInput(t *testing.T) {
ServiceURL: &serviceURL,
},
},
RetrySettings: &esv1alpha1.SecretStoreRetrySettings{
RetrySettings: &esv1beta1.SecretStoreRetrySettings{
RetryInterval: &invalid,
},
},

22
pkg/provider/oracle/oracle.go
View file

@ -24,7 +24,7 @@ import (
"k8s.io/apimachinery/pkg/types"
kclient "sigs.k8s.io/controller-runtime/pkg/client"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
"github.com/external-secrets/external-secrets/pkg/provider"
"github.com/external-secrets/external-secrets/pkg/provider/aws/util"
"github.com/external-secrets/external-secrets/pkg/provider/schema"
@ -54,7 +54,7 @@ const (
type client struct {
kube kclient.Client
store *esv1alpha1.OracleProvider
store *esv1beta1.OracleProvider
namespace string
storeKind string
tenancy string
@ -85,7 +85,7 @@ func (c *client) setAuth(ctx context.Context) error {
}
// only ClusterStore is allowed to set namespace (and then it's required)
if c.storeKind == esv1alpha1.ClusterSecretStoreKind {
if c.storeKind == esv1beta1.ClusterSecretStoreKind {
if c.store.Auth.SecretRef.PrivateKey.Namespace == nil {
return fmt.Errorf(errInvalidClusterStoreMissingSKNamespace)
}
@ -125,7 +125,13 @@ func (c *client) setAuth(ctx context.Context) error {
return nil
}
func (vms *VaultManagementService) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
// Empty GetAllSecrets.
func (vms *VaultManagementService) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
// TO be implemented
return nil, fmt.Errorf("GetAllSecrets not implemented")
}
func (vms *VaultManagementService) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
if utils.IsNil(vms.Client) {
return nil, fmt.Errorf(errUninitalizedOracleProvider)
}
@ -162,7 +168,7 @@ func (vms *VaultManagementService) GetSecret(ctx context.Context, ref esv1alpha1
return []byte(val.String()), nil
}
func (vms *VaultManagementService) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
func (vms *VaultManagementService) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
data, err := vms.GetSecret(ctx, ref)
if err != nil {
return nil, err
@ -180,7 +186,7 @@ func (vms *VaultManagementService) GetSecretMap(ctx context.Context, ref esv1alp
}
// NewClient constructs a new secrets client based on the provided store.
func (vms *VaultManagementService) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
func (vms *VaultManagementService) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
storeSpec := store.GetSpec()
oracleSpec := storeSpec.Provider.Oracle
@ -226,7 +232,7 @@ func (vms *VaultManagementService) Validate() error {
}
func init() {
schema.Register(&VaultManagementService{}, &esv1alpha1.SecretStoreProvider{
Oracle: &esv1alpha1.OracleProvider{},
schema.Register(&VaultManagementService{}, &esv1beta1.SecretStoreProvider{
Oracle: &esv1beta1.OracleProvider{},
})
}

8
pkg/provider/oracle/oracle_test.go
View file

@ -22,7 +22,7 @@ import (
secrets "github.com/oracle/oci-go-sdk/v45/secrets"
utilpointer "k8s.io/utils/pointer"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
fakeoracle "github.com/external-secrets/external-secrets/pkg/provider/oracle/fake"
)
@ -30,7 +30,7 @@ type vaultTestCase struct {
mockClient *fakeoracle.OracleMockClient
apiInput *secrets.GetSecretBundleByNameRequest
apiOutput *secrets.GetSecretBundleByNameResponse
ref *esv1alpha1.ExternalSecretDataRemoteRef
ref *esv1beta1.ExternalSecretDataRemoteRef
apiErr error
expectError string
expectedSecret string
@ -53,8 +53,8 @@ func makeValidVaultTestCase() *vaultTestCase {
return &smtc
}
func makeValidRef() *esv1alpha1.ExternalSecretDataRemoteRef {
return &esv1alpha1.ExternalSecretDataRemoteRef{
func makeValidRef() *esv1beta1.ExternalSecretDataRemoteRef {
return &esv1beta1.ExternalSecretDataRemoteRef{
Key: "test-secret",
Version: "default",
}

12
pkg/provider/provider.go
View file

@ -19,25 +19,29 @@ import (
"sigs.k8s.io/controller-runtime/pkg/client"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
)
// Provider is a common interface for interacting with secret backends.
type Provider interface {
// NewClient constructs a SecretsManager Provider
NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string) (SecretsClient, error)
NewClient(ctx context.Context, store esv1beta1.GenericStore, kube client.Client, namespace string) (SecretsClient, error)
}
// SecretsClient provides access to secrets.
type SecretsClient interface {
// GetSecret returns a single secret from the provider
GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error)
GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error)
// Validate checks if the client is configured correctly
// and is able to retrieve secrets from the provider
Validate() error
// GetSecretMap returns multiple k/v pairs from the provider
GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error)
GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error)
// GetAllSecrets returns multiple k/v pairs from the provider
GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error)
Close(ctx context.Context) error
}

10
pkg/provider/schema/schema.go
View file

@ -19,7 +19,7 @@ import (
"fmt"
"sync"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
"github.com/external-secrets/external-secrets/pkg/provider"
)
@ -32,7 +32,7 @@ func init() {
// Register a store backend type. Register panics if a
// backend with the same store is already registered.
func Register(s provider.Provider, storeSpec *esv1alpha1.SecretStoreProvider) {
func Register(s provider.Provider, storeSpec *esv1beta1.SecretStoreProvider) {
storeName, err := getProviderName(storeSpec)
if err != nil {
panic(fmt.Sprintf("store error registering schema: %s", err.Error()))
@ -50,7 +50,7 @@ func Register(s provider.Provider, storeSpec *esv1alpha1.SecretStoreProvider) {
// ForceRegister adds to store schema, overwriting a store if
// already registered. Should only be used for testing.
func ForceRegister(s provider.Provider, storeSpec *esv1alpha1.SecretStoreProvider) {
func ForceRegister(s provider.Provider, storeSpec *esv1beta1.SecretStoreProvider) {
storeName, err := getProviderName(storeSpec)
if err != nil {
panic(fmt.Sprintf("store error registering schema: %s", err.Error()))
@ -70,7 +70,7 @@ func GetProviderByName(name string) (provider.Provider, bool) {
}
// GetProvider returns the provider from the generic store.
func GetProvider(s esv1alpha1.GenericStore) (provider.Provider, error) {
func GetProvider(s esv1beta1.GenericStore) (provider.Provider, error) {
spec := s.GetSpec()
storeName, err := getProviderName(spec.Provider)
if err != nil {
@ -90,7 +90,7 @@ func GetProvider(s esv1alpha1.GenericStore) (provider.Provider, error) {
// getProviderName returns the name of the configured provider
// or an error if the provider is not configured.
func getProviderName(storeSpec *esv1alpha1.SecretStoreProvider) (string, error) {
func getProviderName(storeSpec *esv1beta1.SecretStoreProvider) (string, error) {
storeBytes, err := json.Marshal(storeSpec)
if err != nil || storeBytes == nil {
return "", fmt.Errorf("failed to marshal store spec: %w", err)

60
pkg/provider/schema/schema_test.go
View file

@ -20,7 +20,7 @@ import (
"github.com/stretchr/testify/assert"
"sigs.k8s.io/controller-runtime/pkg/client"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
"github.com/external-secrets/external-secrets/pkg/provider"
)
@ -29,17 +29,23 @@ type PP struct{}
const shouldBeRegistered = "provider should be registered"
// New constructs a SecretsManager Provider.
func (p *PP) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
func (p *PP) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
return p, nil
}
// GetSecret returns a single secret from the provider.
func (p *PP) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
func (p *PP) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
return []byte("NOOP"), nil
}
// GetSecretMap returns multiple k/v pairs from the provider.
func (p *PP) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
func (p *PP) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
return map[string][]byte{}, nil
}
// Empty GetAllSecrets.
func (p *PP) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
// TO be implemented
return map[string][]byte{}, nil
}
@ -60,22 +66,22 @@ func TestRegister(t *testing.T) {
name string
expPanic bool
expExists bool
provider *esv1alpha1.SecretStoreProvider
provider *esv1beta1.SecretStoreProvider
}{
{
test: "should panic when given an invalid provider",
name: "aws",
expPanic: true,
expExists: false,
provider: &esv1alpha1.SecretStoreProvider{},
provider: &esv1beta1.SecretStoreProvider{},
},
{
test: "should register an correct provider",
name: "aws",
expExists: false,
provider: &esv1alpha1.SecretStoreProvider{
AWS: &esv1alpha1.AWSProvider{
Service: esv1alpha1.AWSServiceSecretsManager,
provider: &esv1beta1.SecretStoreProvider{
AWS: &esv1beta1.AWSProvider{
Service: esv1beta1.AWSServiceSecretsManager,
},
},
},
@ -84,9 +90,9 @@ func TestRegister(t *testing.T) {
name: "aws",
expPanic: true,
expExists: true,
provider: &esv1alpha1.SecretStoreProvider{
AWS: &esv1alpha1.AWSProvider{
Service: esv1alpha1.AWSServiceSecretsManager,
provider: &esv1beta1.SecretStoreProvider{
AWS: &esv1beta1.AWSProvider{
Service: esv1beta1.AWSServiceSecretsManager,
},
},
},
@ -103,10 +109,10 @@ func TestRegister(t *testing.T) {
}
}
func runTest(t *testing.T, name string, provider *esv1alpha1.SecretStoreProvider, expPanic bool) {
func runTest(t *testing.T, name string, provider *esv1beta1.SecretStoreProvider, expPanic bool) {
testProvider := &PP{}
secretStore := &esv1alpha1.SecretStore{
Spec: esv1alpha1.SecretStoreSpec{
secretStore := &esv1beta1.SecretStore{
Spec: esv1beta1.SecretStoreSpec{
Provider: provider,
},
}
@ -129,19 +135,19 @@ func runTest(t *testing.T, name string, provider *esv1alpha1.SecretStoreProvider
// ForceRegister is used by other tests, we should ensure it works as expected.
func TestForceRegister(t *testing.T) {
testProvider := &PP{}
provider := &esv1alpha1.SecretStoreProvider{
AWS: &esv1alpha1.AWSProvider{
Service: esv1alpha1.AWSServiceParameterStore,
provider := &esv1beta1.SecretStoreProvider{
AWS: &esv1beta1.AWSProvider{
Service: esv1beta1.AWSServiceParameterStore,
},
}
secretStore := &esv1alpha1.SecretStore{
Spec: esv1alpha1.SecretStoreSpec{
secretStore := &esv1beta1.SecretStore{
Spec: esv1beta1.SecretStoreSpec{
Provider: provider,
},
}
ForceRegister(testProvider, &esv1alpha1.SecretStoreProvider{
AWS: &esv1alpha1.AWSProvider{
Service: esv1alpha1.AWSServiceParameterStore,
ForceRegister(testProvider, &esv1beta1.SecretStoreProvider{
AWS: &esv1beta1.AWSProvider{
Service: esv1beta1.AWSServiceParameterStore,
},
})
p1, ok := GetProviderByName("aws")
@ -158,10 +164,10 @@ func TestRegisterGCP(t *testing.T) {
assert.False(t, ok, "provider should not be registered")
testProvider := &PP{}
secretStore := &esv1alpha1.SecretStore{
Spec: esv1alpha1.SecretStoreSpec{
Provider: &esv1alpha1.SecretStoreProvider{
GCPSM: &esv1alpha1.GCPSMProvider{},
secretStore := &esv1beta1.SecretStore{
Spec: esv1beta1.SecretStoreSpec{
Provider: &esv1beta1.SecretStoreProvider{
GCPSM: &esv1beta1.GCPSMProvider{},
},
},
}

37
pkg/provider/testing/fake/fake.go
View file

@ -19,7 +19,7 @@ import (
"sigs.k8s.io/controller-runtime/pkg/client"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
"github.com/external-secrets/external-secrets/pkg/provider"
"github.com/external-secrets/external-secrets/pkg/provider/schema"
)
@ -28,24 +28,28 @@ var _ provider.Provider = &Client{}
// Client is a fake client for testing.
type Client struct {
NewFn func(context.Context, esv1alpha1.GenericStore, client.Client,
NewFn func(context.Context, esv1beta1.GenericStore, client.Client,
string) (provider.SecretsClient, error)
GetSecretFn func(context.Context, esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error)
GetSecretMapFn func(context.Context, esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error)
GetSecretFn func(context.Context, esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error)
GetSecretMapFn func(context.Context, esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error)
GetAllSecretsFn func(context.Context, esv1beta1.ExternalSecretFind) (map[string][]byte, error)
}
// New returns a fake provider/client.
func New() *Client {
v := &Client{
GetSecretFn: func(context.Context, esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
GetSecretFn: func(context.Context, esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
return nil, nil
},
GetSecretMapFn: func(context.Context, esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
GetSecretMapFn: func(context.Context, esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
return nil, nil
},
GetAllSecretsFn: func(context.Context, esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
return nil, nil
},
}
v.NewFn = func(context.Context, esv1alpha1.GenericStore, client.Client, string) (provider.SecretsClient, error) {
v.NewFn = func(context.Context, esv1beta1.GenericStore, client.Client, string) (provider.SecretsClient, error) {
return v, nil
}
@ -53,25 +57,30 @@ func New() *Client {
}
// RegisterAs registers the fake client in the schema.
func (v *Client) RegisterAs(provider *esv1alpha1.SecretStoreProvider) {
func (v *Client) RegisterAs(provider *esv1beta1.SecretStoreProvider) {
schema.ForceRegister(v, provider)
}
// GetSecret implements the provider.Provider interface.
func (v *Client) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
func (v *Client) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
return v.GetAllSecretsFn(ctx, ref)
}
// GetSecret implements the provider.Provider interface.
func (v *Client) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
return v.GetSecretFn(ctx, ref)
}
// WithGetSecret wraps secret data returned by this provider.
func (v *Client) WithGetSecret(secData []byte, err error) *Client {
v.GetSecretFn = func(context.Context, esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
v.GetSecretFn = func(context.Context, esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
return secData, err
}
return v
}
// GetSecretMap imeplements the provider.Provider interface.
func (v *Client) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
func (v *Client) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
return v.GetSecretMapFn(ctx, ref)
}
@ -85,21 +94,21 @@ func (v *Client) Validate() error {
// WithGetSecretMap wraps the secret data map returned by this fake provider.
func (v *Client) WithGetSecretMap(secData map[string][]byte, err error) *Client {
v.GetSecretMapFn = func(context.Context, esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
v.GetSecretMapFn = func(context.Context, esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
return secData, err
}
return v
}
// WithNew wraps the fake provider factory function.
func (v *Client) WithNew(f func(context.Context, esv1alpha1.GenericStore, client.Client,
func (v *Client) WithNew(f func(context.Context, esv1beta1.GenericStore, client.Client,
string) (provider.SecretsClient, error)) *Client {
v.NewFn = f
return v
}
// NewClient returns a new fake provider.
func (v *Client) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
func (v *Client) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
c, err := v.NewFn(ctx, store, kube, namespace)
if err != nil {
return nil, err

46
pkg/provider/vault/vault.go
View file

@ -32,7 +32,7 @@ import (
ctrl "sigs.k8s.io/controller-runtime"
kclient "sigs.k8s.io/controller-runtime/pkg/client"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
"github.com/external-secrets/external-secrets/pkg/provider"
"github.com/external-secrets/external-secrets/pkg/provider/schema"
@ -89,7 +89,7 @@ type Client interface {
type client struct {
kube kclient.Client
store *esv1alpha1.VaultProvider
store *esv1beta1.VaultProvider
log logr.Logger
client Client
namespace string
@ -99,8 +99,8 @@ type client struct {
func init() {
schema.Register(&connector{
newVaultClient: newVaultClient,
}, &esv1alpha1.SecretStoreProvider{
Vault: &esv1alpha1.VaultProvider{},
}, &esv1beta1.SecretStoreProvider{
Vault: &esv1beta1.VaultProvider{},
})
}
@ -112,7 +112,7 @@ type connector struct {
newVaultClient func(c *vault.Config) (Client, error)
}
func (c *connector) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
func (c *connector) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
storeSpec := store.GetSpec()
if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.Vault == nil {
return nil, errors.New(errVaultStore)
@ -154,7 +154,13 @@ func (c *connector) NewClient(ctx context.Context, store esv1alpha1.GenericStore
return vStore, nil
}
func (v *client) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
// Empty GetAllSecrets.
func (v *client) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
// TO be implemented
return nil, fmt.Errorf("GetAllSecrets not implemented")
}
func (v *client) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
data, err := v.readSecret(ctx, ref.Key, ref.Version)
if err != nil {
return nil, err
@ -166,7 +172,7 @@ func (v *client) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDat
return value, nil
}
func (v *client) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
func (v *client) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
return v.readSecret(ctx, ref.Key, ref.Version)
}
@ -206,7 +212,7 @@ func (v *client) buildPath(path string) string {
cursor++
}
if v.store.Version == esv1alpha1.VaultKVStoreV2 {
if v.store.Version == esv1beta1.VaultKVStoreV2 {
// Add the required `data` part of the URL for the v2 API
if len(origPath) < 2 || origPath[1] != "data" {
newPath = append(newPath, "data")
@ -240,7 +246,7 @@ func (v *client) readSecret(ctx context.Context, path, version string) (map[stri
}
secretData := vaultSecret.Data
if v.store.Version == esv1alpha1.VaultKVStoreV2 {
if v.store.Version == esv1beta1.VaultKVStoreV2 {
// Vault KV2 has data embedded within sub-field
// reference - https://www.vaultproject.io/api/secret/kv/kv-v2#read-secret-version
dataInt, ok := vaultSecret.Data["data"]
@ -288,7 +294,7 @@ func (v *client) newConfig() (*vault.Config, error) {
}
}
if v.store.CAProvider != nil && v.storeKind == esv1alpha1.ClusterSecretStoreKind && v.store.CAProvider.Namespace == nil {
if v.store.CAProvider != nil && v.storeKind == esv1beta1.ClusterSecretStoreKind && v.store.CAProvider.Namespace == nil {
return nil, errors.New(errCANamespace)
}
@ -297,9 +303,9 @@ func (v *client) newConfig() (*vault.Config, error) {
var err error
switch v.store.CAProvider.Type {
case esv1alpha1.CAProviderTypeSecret:
case esv1beta1.CAProviderTypeSecret:
cert, err = getCertFromSecret(v)
case esv1alpha1.CAProviderTypeConfigMap:
case esv1beta1.CAProviderTypeConfigMap:
cert, err = getCertFromConfigMap(v)
default:
return nil, errors.New(errUnknownCAProvider)
@ -486,7 +492,7 @@ func (v *client) secretKeyRefForServiceAccount(ctx context.Context, serviceAccou
Namespace: v.namespace,
Name: serviceAccountRef.Name,
}
if (v.storeKind == esv1alpha1.ClusterSecretStoreKind) &&
if (v.storeKind == esv1beta1.ClusterSecretStoreKind) &&
(serviceAccountRef.Namespace != nil) {
ref.Namespace = *serviceAccountRef.Namespace
}
@ -519,7 +525,7 @@ func (v *client) secretKeyRef(ctx context.Context, secretRef *esmeta.SecretKeySe
Namespace: v.namespace,
Name: secretRef.Name,
}
if (v.storeKind == esv1alpha1.ClusterSecretStoreKind) &&
if (v.storeKind == esv1beta1.ClusterSecretStoreKind) &&
(secretRef.Namespace != nil) {
ref.Namespace = *secretRef.Namespace
}
@ -555,7 +561,7 @@ func appRoleParameters(role, secret string) map[string]string {
}
}
func (v *client) requestTokenWithAppRoleRef(ctx context.Context, client Client, appRole *esv1alpha1.VaultAppRole) (string, error) {
func (v *client) requestTokenWithAppRoleRef(ctx context.Context, client Client, appRole *esv1beta1.VaultAppRole) (string, error) {
roleID := strings.TrimSpace(appRole.RoleID)
secretID, err := v.secretKeyRef(ctx, &appRole.SecretRef)
@ -601,7 +607,7 @@ func kubeParameters(role, jwt string) map[string]string {
}
}
func (v *client) requestTokenWithKubernetesAuth(ctx context.Context, client Client, kubernetesAuth *esv1alpha1.VaultKubernetesAuth) (string, error) {
func (v *client) requestTokenWithKubernetesAuth(ctx context.Context, client Client, kubernetesAuth *esv1beta1.VaultKubernetesAuth) (string, error) {
jwtString, err := getJwtString(ctx, v, kubernetesAuth)
if err != nil {
return "", err
@ -636,7 +642,7 @@ func (v *client) requestTokenWithKubernetesAuth(ctx context.Context, client Clie
return token, nil
}
func getJwtString(ctx context.Context, v *client, kubernetesAuth *esv1alpha1.VaultKubernetesAuth) (string, error) {
func getJwtString(ctx context.Context, v *client, kubernetesAuth *esv1beta1.VaultKubernetesAuth) (string, error) {
if kubernetesAuth.ServiceAccountRef != nil {
jwt, err := v.secretKeyRefForServiceAccount(ctx, kubernetesAuth.ServiceAccountRef)
if err != nil {
@ -669,7 +675,7 @@ func getJwtString(ctx context.Context, v *client, kubernetesAuth *esv1alpha1.Vau
}
}
func (v *client) requestTokenWithLdapAuth(ctx context.Context, client Client, ldapAuth *esv1alpha1.VaultLdapAuth) (string, error) {
func (v *client) requestTokenWithLdapAuth(ctx context.Context, client Client, ldapAuth *esv1beta1.VaultLdapAuth) (string, error) {
username := strings.TrimSpace(ldapAuth.Username)
password, err := v.secretKeyRef(ctx, &ldapAuth.SecretRef)
@ -708,7 +714,7 @@ func (v *client) requestTokenWithLdapAuth(ctx context.Context, client Client, ld
return token, nil
}
func (v *client) requestTokenWithJwtAuth(ctx context.Context, client Client, jwtAuth *esv1alpha1.VaultJwtAuth) (string, error) {
func (v *client) requestTokenWithJwtAuth(ctx context.Context, client Client, jwtAuth *esv1beta1.VaultJwtAuth) (string, error) {
role := strings.TrimSpace(jwtAuth.Role)
jwt, err := v.secretKeyRef(ctx, &jwtAuth.SecretRef)
@ -748,7 +754,7 @@ func (v *client) requestTokenWithJwtAuth(ctx context.Context, client Client, jwt
return token, nil
}
func (v *client) requestTokenWithCertAuth(ctx context.Context, client Client, certAuth *esv1alpha1.VaultCertAuth, cfg *vault.Config) (string, error) {
func (v *client) requestTokenWithCertAuth(ctx context.Context, client Client, certAuth *esv1beta1.VaultCertAuth, cfg *vault.Config) (string, error) {
clientKey, err := v.secretKeyRef(ctx, &certAuth.SecretRef)
if err != nil {
return "", err

88
pkg/provider/vault/vault_test.go
View file

@ -31,7 +31,7 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
kclient "sigs.k8s.io/controller-runtime/pkg/client"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
"github.com/external-secrets/external-secrets/pkg/provider/vault/fake"
)
@ -45,20 +45,20 @@ var (
secretStorePath = "secret"
)
func makeValidSecretStoreWithVersion(v esv1alpha1.VaultKVStoreVersion) *esv1alpha1.SecretStore {
return &esv1alpha1.SecretStore{
func makeValidSecretStoreWithVersion(v esv1beta1.VaultKVStoreVersion) *esv1beta1.SecretStore {
return &esv1beta1.SecretStore{
ObjectMeta: metav1.ObjectMeta{
Name: "vault-store",
Namespace: "default",
},
Spec: esv1alpha1.SecretStoreSpec{
Provider: &esv1alpha1.SecretStoreProvider{
Vault: &esv1alpha1.VaultProvider{
Spec: esv1beta1.SecretStoreSpec{
Provider: &esv1beta1.SecretStoreProvider{
Vault: &esv1beta1.VaultProvider{
Server: "vault.example.com",
Path: &secretStorePath,
Version: v,
Auth: esv1alpha1.VaultAuth{
Kubernetes: &esv1alpha1.VaultKubernetesAuth{
Auth: esv1beta1.VaultAuth{
Kubernetes: &esv1beta1.VaultKubernetesAuth{
Path: "kubernetes",
Role: "kubernetes-auth-role",
ServiceAccountRef: &esmeta.ServiceAccountSelector{
@ -72,24 +72,24 @@ func makeValidSecretStoreWithVersion(v esv1alpha1.VaultKVStoreVersion) *esv1alph
}
}
func makeValidSecretStore() *esv1alpha1.SecretStore {
return makeValidSecretStoreWithVersion(esv1alpha1.VaultKVStoreV2)
func makeValidSecretStore() *esv1beta1.SecretStore {
return makeValidSecretStoreWithVersion(esv1beta1.VaultKVStoreV2)
}
func makeValidSecretStoreWithCerts() *esv1alpha1.SecretStore {
return &esv1alpha1.SecretStore{
func makeValidSecretStoreWithCerts() *esv1beta1.SecretStore {
return &esv1beta1.SecretStore{
ObjectMeta: metav1.ObjectMeta{
Name: "vault-store",
Namespace: "default",
},
Spec: esv1alpha1.SecretStoreSpec{
Provider: &esv1alpha1.SecretStoreProvider{
Vault: &esv1alpha1.VaultProvider{
Spec: esv1beta1.SecretStoreSpec{
Provider: &esv1beta1.SecretStoreProvider{
Vault: &esv1beta1.VaultProvider{
Server: "vault.example.com",
Path: &secretStorePath,
Version: esv1alpha1.VaultKVStoreV2,
Auth: esv1alpha1.VaultAuth{
Cert: &esv1alpha1.VaultCertAuth{
Version: esv1beta1.VaultKVStoreV2,
Auth: esv1beta1.VaultAuth{
Cert: &esv1beta1.VaultCertAuth{
ClientCert: esmeta.SecretKeySelector{
Name: "tls-auth-certs",
Key: "tls.crt",
@ -106,9 +106,9 @@ func makeValidSecretStoreWithCerts() *esv1alpha1.SecretStore {
}
}
func makeValidSecretStoreWithK8sCerts(isSecret bool) *esv1alpha1.SecretStore {
func makeValidSecretStoreWithK8sCerts(isSecret bool) *esv1beta1.SecretStore {
store := makeSecretStore()
caProvider := &esv1alpha1.CAProvider{
caProvider := &esv1beta1.CAProvider{
Name: "vault-cert",
Key: "cert",
}
@ -123,8 +123,8 @@ func makeValidSecretStoreWithK8sCerts(isSecret bool) *esv1alpha1.SecretStore {
return store
}
func makeInvalidClusterSecretStoreWithK8sCerts() *esv1alpha1.ClusterSecretStore {
return &esv1alpha1.ClusterSecretStore{
func makeInvalidClusterSecretStoreWithK8sCerts() *esv1beta1.ClusterSecretStore {
return &esv1beta1.ClusterSecretStore{
TypeMeta: metav1.TypeMeta{
Kind: "ClusterSecretStore",
},
@ -132,14 +132,14 @@ func makeInvalidClusterSecretStoreWithK8sCerts() *esv1alpha1.ClusterSecretStore
Name: "vault-store",
Namespace: "default",
},
Spec: esv1alpha1.SecretStoreSpec{
Provider: &esv1alpha1.SecretStoreProvider{
Vault: &esv1alpha1.VaultProvider{
Spec: esv1beta1.SecretStoreSpec{
Provider: &esv1beta1.SecretStoreProvider{
Vault: &esv1beta1.VaultProvider{
Server: "vault.example.com",
Path: &secretStorePath,
Version: "v2",
Auth: esv1alpha1.VaultAuth{
Kubernetes: &esv1alpha1.VaultKubernetesAuth{
Auth: esv1beta1.VaultAuth{
Kubernetes: &esv1beta1.VaultKubernetesAuth{
Path: "kubernetes",
Role: "kubernetes-auth-role",
ServiceAccountRef: &esmeta.ServiceAccountSelector{
@ -147,7 +147,7 @@ func makeInvalidClusterSecretStoreWithK8sCerts() *esv1alpha1.ClusterSecretStore
},
},
},
CAProvider: &esv1alpha1.CAProvider{
CAProvider: &esv1beta1.CAProvider{
Name: "vault-cert",
Key: "cert",
Type: "Secret",
@ -158,9 +158,9 @@ func makeInvalidClusterSecretStoreWithK8sCerts() *esv1alpha1.ClusterSecretStore
}
}
type secretStoreTweakFn func(s *esv1alpha1.SecretStore)
type secretStoreTweakFn func(s *esv1beta1.SecretStore)
func makeSecretStore(tweaks ...secretStoreTweakFn) *esv1alpha1.SecretStore {
func makeSecretStore(tweaks ...secretStoreTweakFn) *esv1beta1.SecretStore {
store := makeValidSecretStore()
for _, fn := range tweaks {
@ -193,7 +193,7 @@ func newVaultTokenIDResponse(token string) *vault.Response {
type args struct {
newClientFunc func(c *vault.Config) (Client, error)
store esv1alpha1.GenericStore
store esv1beta1.GenericStore
kube kclient.Client
ns string
}
@ -250,7 +250,7 @@ MIICsTCCAZkCFEJJ4daz5sxkFlzq9n1djLEuG7bmMA0GCSqGSIb3DQEBCwUAMBMxETAPBgNVBAMMCHZh
"InvalidVaultStore": {
reason: "Should return error if given an invalid vault store.",
args: args{
store: &esv1alpha1.SecretStore{},
store: &esv1beta1.SecretStore{},
},
want: want{
err: errors.New(errVaultStore),
@ -259,7 +259,7 @@ MIICsTCCAZkCFEJJ4daz5sxkFlzq9n1djLEuG7bmMA0GCSqGSIb3DQEBCwUAMBMxETAPBgNVBAMMCHZh
"AddVaultStoreCertsError": {
reason: "Should return error if given an invalid CA certificate.",
args: args{
store: makeSecretStore(func(s *esv1alpha1.SecretStore) {
store: makeSecretStore(func(s *esv1beta1.SecretStore) {
s.Spec.Provider.Vault.CABundle = []byte("badcertdata")
}),
},
@ -270,8 +270,8 @@ MIICsTCCAZkCFEJJ4daz5sxkFlzq9n1djLEuG7bmMA0GCSqGSIb3DQEBCwUAMBMxETAPBgNVBAMMCHZh
"VaultAuthFormatError": {
reason: "Should return error if no valid authentication method is given.",
args: args{
store: makeSecretStore(func(s *esv1alpha1.SecretStore) {
s.Spec.Provider.Vault.Auth = esv1alpha1.VaultAuth{}
store: makeSecretStore(func(s *esv1beta1.SecretStore) {
s.Spec.Provider.Vault.Auth = esv1beta1.VaultAuth{}
}),
},
want: want{
@ -293,7 +293,7 @@ MIICsTCCAZkCFEJJ4daz5sxkFlzq9n1djLEuG7bmMA0GCSqGSIb3DQEBCwUAMBMxETAPBgNVBAMMCHZh
"GetKubeSecretError": {
reason: "Should return error if fetching kubernetes secret fails.",
args: args{
store: makeSecretStore(func(s *esv1alpha1.SecretStore) {
store: makeSecretStore(func(s *esv1beta1.SecretStore) {
s.Spec.Provider.Vault.Auth.Kubernetes.ServiceAccountRef = nil
s.Spec.Provider.Vault.Auth.Kubernetes.SecretRef = &esmeta.SecretKeySelector{
Name: "vault-secret",
@ -564,11 +564,11 @@ func TestGetSecretMap(t *testing.T) {
}
type args struct {
store *esv1alpha1.VaultProvider
store *esv1beta1.VaultProvider
kube kclient.Client
vClient Client
ns string
data esv1alpha1.ExternalSecretDataRemoteRef
data esv1beta1.ExternalSecretDataRemoteRef
}
type want struct {
@ -583,7 +583,7 @@ func TestGetSecretMap(t *testing.T) {
"ReadSecretKV1": {
reason: "Should map the secret even if it has a nil value",
args: args{
store: makeValidSecretStoreWithVersion(esv1alpha1.VaultKVStoreV1).Spec.Provider.Vault,
store: makeValidSecretStoreWithVersion(esv1beta1.VaultKVStoreV1).Spec.Provider.Vault,
vClient: &fake.VaultClient{
MockNewRequest: fake.NewMockNewRequestFn(&vault.Request{}),
MockRawRequestWithContext: fake.NewMockRawRequestWithContextFn(
@ -598,7 +598,7 @@ func TestGetSecretMap(t *testing.T) {
"ReadSecretKV2": {
reason: "Should map the secret even if it has a nil value",
args: args{
store: makeValidSecretStoreWithVersion(esv1alpha1.VaultKVStoreV2).Spec.Provider.Vault,
store: makeValidSecretStoreWithVersion(esv1beta1.VaultKVStoreV2).Spec.Provider.Vault,
vClient: &fake.VaultClient{
MockNewRequest: fake.NewMockNewRequestFn(&vault.Request{}),
MockRawRequestWithContext: fake.NewMockRawRequestWithContextFn(
@ -617,7 +617,7 @@ func TestGetSecretMap(t *testing.T) {
"ReadSecretWithNilValueKV1": {
reason: "Should map the secret even if it has a nil value",
args: args{
store: makeValidSecretStoreWithVersion(esv1alpha1.VaultKVStoreV1).Spec.Provider.Vault,
store: makeValidSecretStoreWithVersion(esv1beta1.VaultKVStoreV1).Spec.Provider.Vault,
vClient: &fake.VaultClient{
MockNewRequest: fake.NewMockNewRequestFn(&vault.Request{}),
MockRawRequestWithContext: fake.NewMockRawRequestWithContextFn(
@ -632,7 +632,7 @@ func TestGetSecretMap(t *testing.T) {
"ReadSecretWithNilValueKV2": {
reason: "Should map the secret even if it has a nil value",
args: args{
store: makeValidSecretStoreWithVersion(esv1alpha1.VaultKVStoreV2).Spec.Provider.Vault,
store: makeValidSecretStoreWithVersion(esv1beta1.VaultKVStoreV2).Spec.Provider.Vault,
vClient: &fake.VaultClient{
MockNewRequest: fake.NewMockNewRequestFn(&vault.Request{}),
MockRawRequestWithContext: fake.NewMockRawRequestWithContextFn(
@ -684,12 +684,12 @@ func TestGetSecretPath(t *testing.T) {
storeV2NoPath := storeV2.DeepCopy()
storeV2NoPath.Spec.Provider.Vault.Path = nil
storeV1 := makeValidSecretStoreWithVersion(esv1alpha1.VaultKVStoreV1)
storeV1 := makeValidSecretStoreWithVersion(esv1beta1.VaultKVStoreV1)
storeV1NoPath := storeV1.DeepCopy()
storeV1NoPath.Spec.Provider.Vault.Path = nil
type args struct {
store *esv1alpha1.VaultProvider
store *esv1beta1.VaultProvider
path string
expected string
}

44
pkg/provider/webhook/webhook.go
View file

@ -32,7 +32,7 @@ import (
corev1 "k8s.io/api/core/v1"
"sigs.k8s.io/controller-runtime/pkg/client"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
"github.com/external-secrets/external-secrets/pkg/provider"
"github.com/external-secrets/external-secrets/pkg/provider/schema"
@ -44,19 +44,19 @@ type Provider struct{}
type WebHook struct {
kube client.Client
store esv1alpha1.GenericStore
store esv1beta1.GenericStore
namespace string
storeKind string
http *http.Client
}
func init() {
schema.Register(&Provider{}, &esv1alpha1.SecretStoreProvider{
Webhook: &esv1alpha1.WebhookProvider{},
schema.Register(&Provider{}, &esv1beta1.SecretStoreProvider{
Webhook: &esv1beta1.WebhookProvider{},
})
}
func (p *Provider) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
func (p *Provider) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
whClient := &WebHook{
kube: kube,
store: store,
@ -74,7 +74,7 @@ func (p *Provider) NewClient(ctx context.Context, store esv1alpha1.GenericStore,
return whClient, nil
}
func getProvider(store esv1alpha1.GenericStore) (*esv1alpha1.WebhookProvider, error) {
func getProvider(store esv1beta1.GenericStore) (*esv1beta1.WebhookProvider, error) {
spc := store.GetSpec()
if spc == nil || spc.Provider == nil || spc.Provider.Webhook == nil {
return nil, fmt.Errorf("missing store provider webhook")
@ -87,7 +87,7 @@ func (w *WebHook) getStoreSecret(ctx context.Context, ref esmeta.SecretKeySelect
Name: ref.Name,
Namespace: w.namespace,
}
if w.storeKind == esv1alpha1.ClusterSecretStoreKind {
if w.storeKind == esv1beta1.ClusterSecretStoreKind {
if ref.Namespace == nil {
return nil, fmt.Errorf("no namespace on ClusterSecretStore webhook secret %s", ref.Name)
}
@ -100,7 +100,13 @@ func (w *WebHook) getStoreSecret(ctx context.Context, ref esmeta.SecretKeySelect
return secret, nil
}
func (w *WebHook) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
// Empty GetAllSecrets.
func (w *WebHook) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
// TO be implemented
return nil, fmt.Errorf("GetAllSecrets not implemented")
}
func (w *WebHook) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
provider, err := getProvider(w.store)
if err != nil {
return nil, fmt.Errorf("failed to get store: %w", err)
@ -129,7 +135,7 @@ func (w *WebHook) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDa
return result, nil
}
func (w *WebHook) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
func (w *WebHook) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
provider, err := getProvider(w.store)
if err != nil {
return nil, fmt.Errorf("failed to get store: %w", err)
@ -178,7 +184,7 @@ func (w *WebHook) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecre
return values, nil
}
func (w *WebHook) getTemplateData(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef, secrets []esv1alpha1.WebhookSecret) (map[string]map[string]string, error) {
func (w *WebHook) getTemplateData(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef, secrets []esv1beta1.WebhookSecret) (map[string]map[string]string, error) {
data := map[string]map[string]string{
"remoteRef": {
"key": url.QueryEscape(ref.Key),
@ -201,7 +207,7 @@ func (w *WebHook) getTemplateData(ctx context.Context, ref esv1alpha1.ExternalSe
return data, nil
}
func (w *WebHook) getWebhookData(ctx context.Context, provider *esv1alpha1.WebhookProvider, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
func (w *WebHook) getWebhookData(ctx context.Context, provider *esv1beta1.WebhookProvider, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
if w.http == nil {
return nil, fmt.Errorf("http client not initialized")
}
@ -245,7 +251,7 @@ func (w *WebHook) getWebhookData(ctx context.Context, provider *esv1alpha1.Webho
return io.ReadAll(resp.Body)
}
func (w *WebHook) getHTTPClient(provider *esv1alpha1.WebhookProvider) (*http.Client, error) {
func (w *WebHook) getHTTPClient(provider *esv1beta1.WebhookProvider) (*http.Client, error) {
client := &http.Client{}
if provider.Timeout != nil {
client.Timeout = provider.Timeout.Duration
@ -267,7 +273,7 @@ func (w *WebHook) getHTTPClient(provider *esv1alpha1.WebhookProvider) (*http.Cli
return client, nil
}
func (w *WebHook) getCACertPool(provider *esv1alpha1.WebhookProvider) (*x509.CertPool, error) {
func (w *WebHook) getCACertPool(provider *esv1beta1.WebhookProvider) (*x509.CertPool, error) {
caCertPool := x509.NewCertPool()
if len(provider.CABundle) > 0 {
ok := caCertPool.AppendCertsFromPEM(provider.CABundle)
@ -276,7 +282,7 @@ func (w *WebHook) getCACertPool(provider *esv1alpha1.WebhookProvider) (*x509.Cer
}
}
if provider.CAProvider != nil && w.storeKind == esv1alpha1.ClusterSecretStoreKind && provider.CAProvider.Namespace == nil {
if provider.CAProvider != nil && w.storeKind == esv1beta1.ClusterSecretStoreKind && provider.CAProvider.Namespace == nil {
return nil, fmt.Errorf("missing namespace on CAProvider secret")
}
@ -285,9 +291,9 @@ func (w *WebHook) getCACertPool(provider *esv1alpha1.WebhookProvider) (*x509.Cer
var err error
switch provider.CAProvider.Type {
case esv1alpha1.WebhookCAProviderTypeSecret:
case esv1beta1.WebhookCAProviderTypeSecret:
cert, err = w.getCertFromSecret(provider)
case esv1alpha1.WebhookCAProviderTypeConfigMap:
case esv1beta1.WebhookCAProviderTypeConfigMap:
cert, err = w.getCertFromConfigMap(provider)
default:
err = fmt.Errorf("unknown caprovider type: %s", provider.CAProvider.Type)
@ -305,7 +311,7 @@ func (w *WebHook) getCACertPool(provider *esv1alpha1.WebhookProvider) (*x509.Cer
return caCertPool, nil
}
func (w *WebHook) getCertFromSecret(provider *esv1alpha1.WebhookProvider) ([]byte, error) {
func (w *WebHook) getCertFromSecret(provider *esv1beta1.WebhookProvider) ([]byte, error) {
secretRef := esmeta.SecretKeySelector{
Name: provider.CAProvider.Name,
Key: provider.CAProvider.Key,
@ -330,7 +336,7 @@ func (w *WebHook) secretKeyRef(ctx context.Context, secretRef *esmeta.SecretKeyS
Namespace: w.namespace,
Name: secretRef.Name,
}
if (w.storeKind == esv1alpha1.ClusterSecretStoreKind) &&
if (w.storeKind == esv1beta1.ClusterSecretStoreKind) &&
(secretRef.Namespace != nil) {
ref.Namespace = *secretRef.Namespace
}
@ -349,7 +355,7 @@ func (w *WebHook) secretKeyRef(ctx context.Context, secretRef *esmeta.SecretKeyS
return valueStr, nil
}
func (w *WebHook) getCertFromConfigMap(provider *esv1alpha1.WebhookProvider) ([]byte, error) {
func (w *WebHook) getCertFromConfigMap(provider *esv1beta1.WebhookProvider) ([]byte, error) {
objKey := client.ObjectKey{
Name: provider.CAProvider.Name,
}

18
pkg/provider/webhook/webhook_test.go
View file

@ -27,7 +27,7 @@ import (
"gopkg.in/yaml.v3"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
"github.com/external-secrets/external-secrets/pkg/provider"
)
@ -269,7 +269,7 @@ func runTestCase(tc testCase, t *testing.T) {
}
func testGetSecretMap(tc testCase, t *testing.T, client provider.SecretsClient) {
testRef := esv1alpha1.ExternalSecretDataRemoteRef{
testRef := esv1beta1.ExternalSecretDataRemoteRef{
Key: tc.Args.Key,
Version: tc.Args.Version,
}
@ -294,7 +294,7 @@ func testGetSecretMap(tc testCase, t *testing.T, client provider.SecretsClient)
}
func testGetSecret(tc testCase, t *testing.T, client provider.SecretsClient) {
testRef := esv1alpha1.ExternalSecretDataRemoteRef{
testRef := esv1beta1.ExternalSecretDataRemoteRef{
Key: tc.Args.Key,
Version: tc.Args.Version,
}
@ -313,8 +313,8 @@ func testGetSecret(tc testCase, t *testing.T, client provider.SecretsClient) {
}
}
func makeClusterSecretStore(url string, args args) *esv1alpha1.ClusterSecretStore {
store := &esv1alpha1.ClusterSecretStore{
func makeClusterSecretStore(url string, args args) *esv1beta1.ClusterSecretStore {
store := &esv1beta1.ClusterSecretStore{
TypeMeta: metav1.TypeMeta{
Kind: "ClusterSecretStore",
},
@ -322,16 +322,16 @@ func makeClusterSecretStore(url string, args args) *esv1alpha1.ClusterSecretStor
Name: "wehbook-store",
Namespace: "default",
},
Spec: esv1alpha1.SecretStoreSpec{
Provider: &esv1alpha1.SecretStoreProvider{
Webhook: &esv1alpha1.WebhookProvider{
Spec: esv1beta1.SecretStoreSpec{
Provider: &esv1beta1.SecretStoreProvider{
Webhook: &esv1beta1.WebhookProvider{
URL: url + args.URL,
Body: args.Body,
Headers: map[string]string{
"Content-Type": "application.json",
"X-SecretKey": "{{ .remoteRef.key }}",
},
Result: esv1alpha1.WebhookResult{
Result: esv1beta1.WebhookResult{
JSONPath: args.JSONPath,
},
},

22
pkg/provider/yandex/lockbox/lockbox.go
View file

@ -29,7 +29,7 @@ import (
ctrl "sigs.k8s.io/controller-runtime"
kclient "sigs.k8s.io/controller-runtime/pkg/client"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
"github.com/external-secrets/external-secrets/pkg/provider"
"github.com/external-secrets/external-secrets/pkg/provider/schema"
"github.com/external-secrets/external-secrets/pkg/provider/yandex/lockbox/client"
@ -66,7 +66,7 @@ func newLockboxProvider(yandexCloudCreator client.YandexCloudCreator) *lockboxPr
}
// NewClient constructs a Yandex Lockbox Provider.
func (p *lockboxProvider) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
func (p *lockboxProvider) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
storeSpec := store.GetSpec()
if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.YandexLockbox == nil {
return nil, fmt.Errorf("received invalid Yandex Lockbox SecretStore resource")
@ -83,7 +83,7 @@ func (p *lockboxProvider) NewClient(ctx context.Context, store esv1alpha1.Generi
}
// only ClusterStore is allowed to set namespace (and then it's required)
if store.GetObjectKind().GroupVersionKind().Kind == esv1alpha1.ClusterSecretStoreKind {
if store.GetObjectKind().GroupVersionKind().Kind == esv1beta1.ClusterSecretStoreKind {
if storeSpecYandexLockbox.Auth.AuthorizedKey.Namespace == nil {
return nil, fmt.Errorf("invalid ClusterSecretStore: missing AuthorizedKey Namespace")
}
@ -115,7 +115,7 @@ func (p *lockboxProvider) NewClient(ctx context.Context, store esv1alpha1.Generi
Namespace: namespace,
}
if store.GetObjectKind().GroupVersionKind().Kind == esv1alpha1.ClusterSecretStoreKind {
if store.GetObjectKind().GroupVersionKind().Kind == esv1beta1.ClusterSecretStoreKind {
if storeSpecYandexLockbox.CAProvider.Certificate.Namespace == nil {
return nil, fmt.Errorf("invalid ClusterSecretStore: missing CA certificate Namespace")
}
@ -224,8 +224,14 @@ type lockboxSecretsClient struct {
iamToken string
}
// Empty GetAllSecrets.
func (c *lockboxSecretsClient) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
// TO be implemented
return nil, fmt.Errorf("GetAllSecrets not implemented")
}
// GetSecret returns a single secret from the provider.
func (c *lockboxSecretsClient) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
func (c *lockboxSecretsClient) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
entries, err := c.lockboxClient.GetPayloadEntries(ctx, c.iamToken, ref.Key, ref.Version)
if err != nil {
return nil, fmt.Errorf("unable to request secret payload to get secret: %w", err)
@ -255,7 +261,7 @@ func (c *lockboxSecretsClient) GetSecret(ctx context.Context, ref esv1alpha1.Ext
}
// GetSecretMap returns multiple k/v pairs from the provider.
func (c *lockboxSecretsClient) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
func (c *lockboxSecretsClient) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
entries, err := c.lockboxClient.GetPayloadEntries(ctx, c.iamToken, ref.Key, ref.Version)
if err != nil {
return nil, fmt.Errorf("unable to request secret payload to get secret map: %w", err)
@ -323,8 +329,8 @@ func init() {
schema.Register(
lockboxProvider,
&esv1alpha1.SecretStoreProvider{
YandexLockbox: &esv1alpha1.YandexLockboxProvider{},
&esv1beta1.SecretStoreProvider{
YandexLockbox: &esv1beta1.YandexLockboxProvider{},
},
)
}

78
pkg/provider/yandex/lockbox/lockbox_test.go
View file

@ -32,7 +32,7 @@ import (
"sigs.k8s.io/controller-runtime/pkg/client"
clientfake "sigs.k8s.io/controller-runtime/pkg/client/fake"
esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
"github.com/external-secrets/external-secrets/pkg/provider/schema"
"github.com/external-secrets/external-secrets/pkg/provider/yandex/lockbox/client/fake"
@ -48,13 +48,13 @@ func TestNewClient(t *testing.T) {
ctx := context.Background()
const namespace = "namespace"
store := &esv1alpha1.SecretStore{
store := &esv1beta1.SecretStore{
ObjectMeta: metav1.ObjectMeta{
Namespace: namespace,
},
Spec: esv1alpha1.SecretStoreSpec{
Provider: &esv1alpha1.SecretStoreProvider{
YandexLockbox: &esv1alpha1.YandexLockboxProvider{},
Spec: esv1beta1.SecretStoreSpec{
Provider: &esv1beta1.SecretStoreProvider{
YandexLockbox: &esv1beta1.YandexLockboxProvider{},
},
},
}
@ -66,7 +66,7 @@ func TestNewClient(t *testing.T) {
tassert.EqualError(t, err, errMissingKey)
tassert.Nil(t, secretClient)
store.Spec.Provider.YandexLockbox.Auth = esv1alpha1.YandexLockboxAuth{}
store.Spec.Provider.YandexLockbox.Auth = esv1beta1.YandexLockboxAuth{}
secretClient, err = provider.NewClient(context.Background(), store, k8sClient, namespace)
tassert.EqualError(t, err, errMissingKey)
tassert.Nil(t, secretClient)
@ -89,7 +89,7 @@ func TestNewClient(t *testing.T) {
const caCertificateSecretName = "caCertificateSecretName"
const caCertificateSecretKey = "caCertificateSecretKey"
store.Spec.Provider.YandexLockbox.CAProvider = &esv1alpha1.YandexLockboxCAProvider{
store.Spec.Provider.YandexLockbox.CAProvider = &esv1beta1.YandexLockboxCAProvider{
Certificate: esmeta.SecretKeySelector{
Key: caCertificateSecretKey,
Name: caCertificateSecretName,
@ -131,7 +131,7 @@ func TestGetSecretForAllEntries(t *testing.T) {
})
secretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
tassert.Nil(t, err)
data, err := secretsClient.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{Key: secretID})
data, err := secretsClient.GetSecret(ctx, esv1beta1.ExternalSecretDataRemoteRef{Key: secretID})
tassert.Nil(t, err)
tassert.Equal(
@ -169,7 +169,7 @@ func TestGetSecretForTextEntry(t *testing.T) {
})
secretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
tassert.Nil(t, err)
data, err := secretsClient.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{Key: secretID, Property: k1})
data, err := secretsClient.GetSecret(ctx, esv1beta1.ExternalSecretDataRemoteRef{Key: secretID, Property: k1})
tassert.Nil(t, err)
tassert.Equal(t, v1, string(data))
@ -200,7 +200,7 @@ func TestGetSecretForBinaryEntry(t *testing.T) {
})
secretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
tassert.Nil(t, err)
data, err := secretsClient.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{Key: secretID, Property: k2})
data, err := secretsClient.GetSecret(ctx, esv1beta1.ExternalSecretDataRemoteRef{Key: secretID, Property: k2})
tassert.Nil(t, err)
tassert.Equal(t, v2, data)
@ -229,7 +229,7 @@ func TestGetSecretByVersionID(t *testing.T) {
})
secretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
tassert.Nil(t, err)
data, err := secretsClient.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{Key: secretID, Version: oldVersionID})
data, err := secretsClient.GetSecret(ctx, esv1beta1.ExternalSecretDataRemoteRef{Key: secretID, Version: oldVersionID})
tassert.Nil(t, err)
tassert.Equal(t, map[string]string{oldKey: oldVal}, unmarshalStringMap(t, data))
@ -239,11 +239,11 @@ func TestGetSecretByVersionID(t *testing.T) {
textEntry(newKey, newVal),
)
data, err = secretsClient.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{Key: secretID, Version: oldVersionID})
data, err = secretsClient.GetSecret(ctx, esv1beta1.ExternalSecretDataRemoteRef{Key: secretID, Version: oldVersionID})
tassert.Nil(t, err)
tassert.Equal(t, map[string]string{oldKey: oldVal}, unmarshalStringMap(t, data))
data, err = secretsClient.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{Key: secretID, Version: newVersionID})
data, err = secretsClient.GetSecret(ctx, esv1beta1.ExternalSecretDataRemoteRef{Key: secretID, Version: newVersionID})
tassert.Nil(t, err)
tassert.Equal(t, map[string]string{newKey: newVal}, unmarshalStringMap(t, data))
}
@ -271,7 +271,7 @@ func TestGetSecretUnauthorized(t *testing.T) {
})
secretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
tassert.Nil(t, err)
_, err = secretsClient.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{Key: secretID})
_, err = secretsClient.GetSecret(ctx, esv1beta1.ExternalSecretDataRemoteRef{Key: secretID})
tassert.EqualError(t, err, errSecretPayloadPermissionDenied)
}
@ -294,13 +294,13 @@ func TestGetSecretNotFound(t *testing.T) {
})
secretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
tassert.Nil(t, err)
_, err = secretsClient.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{Key: "no-secret-with-this-id"})
_, err = secretsClient.GetSecret(ctx, esv1beta1.ExternalSecretDataRemoteRef{Key: "no-secret-with-this-id"})
tassert.EqualError(t, err, errSecretPayloadNotFound)
secretID, _ := lockboxBackend.CreateSecret(authorizedKey,
textEntry("k1", "v1"),
)
_, err = secretsClient.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{Key: secretID, Version: "no-version-with-this-id"})
_, err = secretsClient.GetSecret(ctx, esv1beta1.ExternalSecretDataRemoteRef{Key: secretID, Version: "no-version-with-this-id"})
tassert.EqualError(t, err, "unable to request secret payload to get secret: version not found")
}
@ -339,17 +339,17 @@ func TestGetSecretWithTwoNamespaces(t *testing.T) {
secretsClient2, err := provider.NewClient(ctx, store2, k8sClient, namespace2)
tassert.Nil(t, err)
data, err := secretsClient1.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{Key: secretID1, Property: k1})
data, err := secretsClient1.GetSecret(ctx, esv1beta1.ExternalSecretDataRemoteRef{Key: secretID1, Property: k1})
tassert.Equal(t, v1, string(data))
tassert.Nil(t, err)
data, err = secretsClient1.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{Key: secretID2, Property: k2})
data, err = secretsClient1.GetSecret(ctx, esv1beta1.ExternalSecretDataRemoteRef{Key: secretID2, Property: k2})
tassert.Nil(t, data)
tassert.EqualError(t, err, errSecretPayloadPermissionDenied)
data, err = secretsClient2.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{Key: secretID1, Property: k1})
data, err = secretsClient2.GetSecret(ctx, esv1beta1.ExternalSecretDataRemoteRef{Key: secretID1, Property: k1})
tassert.Nil(t, data)
tassert.EqualError(t, err, errSecretPayloadPermissionDenied)
data, err = secretsClient2.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{Key: secretID2, Property: k2})
data, err = secretsClient2.GetSecret(ctx, esv1beta1.ExternalSecretDataRemoteRef{Key: secretID2, Property: k2})
tassert.Equal(t, v2, string(data))
tassert.Nil(t, err)
}
@ -400,17 +400,17 @@ func TestGetSecretWithTwoApiEndpoints(t *testing.T) {
var data []byte
data, err = secretsClient1.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{Key: secretID1, Property: k1})
data, err = secretsClient1.GetSecret(ctx, esv1beta1.ExternalSecretDataRemoteRef{Key: secretID1, Property: k1})
tassert.Equal(t, v1, string(data))
tassert.Nil(t, err)
data, err = secretsClient1.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{Key: secretID2, Property: k2})
data, err = secretsClient1.GetSecret(ctx, esv1beta1.ExternalSecretDataRemoteRef{Key: secretID2, Property: k2})
tassert.Nil(t, data)
tassert.EqualError(t, err, errSecretPayloadNotFound)
data, err = secretsClient2.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{Key: secretID1, Property: k1})
data, err = secretsClient2.GetSecret(ctx, esv1beta1.ExternalSecretDataRemoteRef{Key: secretID1, Property: k1})
tassert.Nil(t, data)
tassert.EqualError(t, err, errSecretPayloadNotFound)
data, err = secretsClient2.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{Key: secretID2, Property: k2})
data, err = secretsClient2.GetSecret(ctx, esv1beta1.ExternalSecretDataRemoteRef{Key: secretID2, Property: k2})
tassert.Equal(t, v2, string(data))
tassert.Nil(t, err)
}
@ -442,19 +442,19 @@ func TestGetSecretWithIamTokenExpiration(t *testing.T) {
oldSecretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
tassert.Nil(t, err)
data, err = oldSecretsClient.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{Key: secretID, Property: k1})
data, err = oldSecretsClient.GetSecret(ctx, esv1beta1.ExternalSecretDataRemoteRef{Key: secretID, Property: k1})
tassert.Equal(t, v1, string(data))
tassert.Nil(t, err)
lockboxBackend.AdvanceClock(2 * tokenExpirationTime)
data, err = oldSecretsClient.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{Key: secretID, Property: k1})
data, err = oldSecretsClient.GetSecret(ctx, esv1beta1.ExternalSecretDataRemoteRef{Key: secretID, Property: k1})
tassert.Nil(t, data)
tassert.EqualError(t, err, "unable to request secret payload to get secret: iam token expired")
newSecretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
tassert.Nil(t, err)
data, err = newSecretsClient.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{Key: secretID, Property: k1})
data, err = newSecretsClient.GetSecret(ctx, esv1beta1.ExternalSecretDataRemoteRef{Key: secretID, Property: k1})
tassert.Equal(t, v1, string(data))
tassert.Nil(t, err)
}
@ -499,7 +499,7 @@ func TestGetSecretWithIamTokenCleanup(t *testing.T) {
// Access secretID1 with authorizedKey1, IAM token for authorizedKey1 should be cached
secretsClient, err := provider.NewClient(ctx, store1, k8sClient, namespace)
tassert.Nil(t, err)
_, err = secretsClient.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{Key: secretID1})
_, err = secretsClient.GetSecret(ctx, esv1beta1.ExternalSecretDataRemoteRef{Key: secretID1})
tassert.Nil(t, err)
tassert.True(t, provider.isIamTokenCached(authorizedKey1))
@ -510,7 +510,7 @@ func TestGetSecretWithIamTokenCleanup(t *testing.T) {
// Access secretID2 with authorizedKey2, IAM token for authorizedKey2 should be cached
secretsClient, err = provider.NewClient(ctx, store2, k8sClient, namespace)
tassert.Nil(t, err)
_, err = secretsClient.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{Key: secretID2})
_, err = secretsClient.GetSecret(ctx, esv1beta1.ExternalSecretDataRemoteRef{Key: secretID2})
tassert.Nil(t, err)
tassert.True(t, provider.isIamTokenCached(authorizedKey1))
@ -562,7 +562,7 @@ func TestGetSecretMap(t *testing.T) {
})
secretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
tassert.Nil(t, err)
data, err := secretsClient.GetSecretMap(ctx, esv1alpha1.ExternalSecretDataRemoteRef{Key: secretID})
data, err := secretsClient.GetSecretMap(ctx, esv1beta1.ExternalSecretDataRemoteRef{Key: secretID})
tassert.Nil(t, err)
tassert.Equal(
@ -598,7 +598,7 @@ func TestGetSecretMapByVersionID(t *testing.T) {
})
secretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
tassert.Nil(t, err)
data, err := secretsClient.GetSecretMap(ctx, esv1alpha1.ExternalSecretDataRemoteRef{Key: secretID, Version: oldVersionID})
data, err := secretsClient.GetSecretMap(ctx, esv1beta1.ExternalSecretDataRemoteRef{Key: secretID, Version: oldVersionID})
tassert.Nil(t, err)
tassert.Equal(t, map[string][]byte{oldKey: []byte(oldVal)}, data)
@ -608,27 +608,27 @@ func TestGetSecretMapByVersionID(t *testing.T) {
textEntry(newKey, newVal),
)
data, err = secretsClient.GetSecretMap(ctx, esv1alpha1.ExternalSecretDataRemoteRef{Key: secretID, Version: oldVersionID})
data, err = secretsClient.GetSecretMap(ctx, esv1beta1.ExternalSecretDataRemoteRef{Key: secretID, Version: oldVersionID})
tassert.Nil(t, err)
tassert.Equal(t, map[string][]byte{oldKey: []byte(oldVal)}, data)
data, err = secretsClient.GetSecretMap(ctx, esv1alpha1.ExternalSecretDataRemoteRef{Key: secretID, Version: newVersionID})
data, err = secretsClient.GetSecretMap(ctx, esv1beta1.ExternalSecretDataRemoteRef{Key: secretID, Version: newVersionID})
tassert.Nil(t, err)
tassert.Equal(t, map[string][]byte{newKey: []byte(newVal)}, data)
}
// helper functions
func newYandexLockboxSecretStore(apiEndpoint, namespace, authorizedKeySecretName, authorizedKeySecretKey string) esv1alpha1.GenericStore {
return &esv1alpha1.SecretStore{
func newYandexLockboxSecretStore(apiEndpoint, namespace, authorizedKeySecretName, authorizedKeySecretKey string) esv1beta1.GenericStore {
return &esv1beta1.SecretStore{
ObjectMeta: metav1.ObjectMeta{
Namespace: namespace,
},
Spec: esv1alpha1.SecretStoreSpec{
Provider: &esv1alpha1.SecretStoreProvider{
YandexLockbox: &esv1alpha1.YandexLockboxProvider{
Spec: esv1beta1.SecretStoreSpec{
Provider: &esv1beta1.SecretStoreProvider{
YandexLockbox: &esv1beta1.YandexLockboxProvider{
APIEndpoint: apiEndpoint,
Auth: esv1alpha1.YandexLockboxAuth{
Auth: esv1beta1.YandexLockboxAuth{
AuthorizedKey: esmeta.SecretKeySelector{
Name: authorizedKeySecretName,
Key: authorizedKeySecretKey,