From 2e0a6effbe8c9fe9bb220ec48cf010471ffcfd72 Mon Sep 17 00:00:00 2001 
From: Kellin McAvoy Date: Tue, 29 Dec 2020 12:25:08 -0500 Subject: [PATCH 1/3] convert to multi-api --- PROJECT | 1 + api/v1alpha1/groupversion_info.go | 42 -------------- apis/doc.go | 18 ++++++ apis/externalsecrets/doc.go | 17 ++++++ .../externalsecrets/v1alpha1/doc.go | 13 ++--- .../v1alpha1/externalsecret_types.go | 4 -- .../v1alpha1/generic_store.go | 0 apis/externalsecrets/v1alpha1/register.go | 58 +++++++++++++++++++ .../v1alpha1/secretstore_awssm_types.go | 8 ++- .../v1alpha1/secretstore_types.go | 4 -- .../v1alpha1/zz_generated.deepcopy.go | 20 ------- apis/meta/doc.go | 16 +++++ apis/meta/v1/doc.go | 17 ++++++ apis/meta/v1/types.go | 37 ++++++++++++ apis/meta/v1/zz_generated.deepcopy.go | 57 ++++++++++++++++++ .../external-secrets.io_secretstores.yaml | 22 ++++++- controllers/externalsecret_controller.go | 2 +- controllers/secretstore_controller.go | 2 +- controllers/suite_test.go | 2 +- main.go | 2 +- .../aws/secretsmanager/secretsmanager.go | 2 +- pkg/provider/fake/fake.go | 2 +- pkg/provider/provider.go | 2 +- pkg/provider/schema/schema.go | 2 +- pkg/provider/schema/schema_test.go | 2 +- 25 files changed, 260 insertions(+), 92 deletions(-) delete mode 100644 api/v1alpha1/groupversion_info.go create mode 100644 apis/doc.go create mode 100644 apis/externalsecrets/doc.go rename api/v1alpha1/meta_types.go => apis/externalsecrets/v1alpha1/doc.go (74%) rename {api => apis/externalsecrets}/v1alpha1/externalsecret_types.go (98%) rename {api => apis/externalsecrets}/v1alpha1/generic_store.go (100%) create mode 100644 apis/externalsecrets/v1alpha1/register.go rename {api => apis/externalsecrets}/v1alpha1/secretstore_awssm_types.go (82%) rename {api => apis/externalsecrets}/v1alpha1/secretstore_types.go (97%) rename {api => apis/externalsecrets}/v1alpha1/zz_generated.deepcopy.go (95%) create mode 100644 apis/meta/doc.go create mode 100644 apis/meta/v1/doc.go create mode 100644 apis/meta/v1/types.go create mode 100644 apis/meta/v1/zz_generated.deepcopy.go 
diff --git a/PROJECT b/PROJECT index 20647a6b6..cac16ecf0 100644 --- a/PROJECT +++ b/PROJECT @@ -1,4 +1,5 @@ domain: io +multigroup: true repo: github.com/external-secrets/external-secrets resources: - group: external-secrets diff --git a/api/v1alpha1/groupversion_info.go b/api/v1alpha1/groupversion_info.go deleted file mode 100644 index 90f82e5f2..000000000 --- a/api/v1alpha1/groupversion_info.go +++ /dev/null @@ -1,42 +0,0 @@ -/* -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -// Package v1alpha1 contains API Schema definitions for the external-secrets v1alpha1 API group -// +kubebuilder:object:generate=true -// +groupName=external-secrets.io -package v1alpha1 - -import ( - "reflect" - - "k8s.io/apimachinery/pkg/runtime/schema" - "sigs.k8s.io/controller-runtime/pkg/scheme" -) - -var ( - // GroupVersion is group version used to register these objects. - GroupVersion = schema.GroupVersion{Group: "external-secrets.io", Version: "v1alpha1"} - - // SchemeBuilder is used to add go types to the GroupVersionKind scheme. - SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion} - - // AddToScheme adds the types in this group-version to the given scheme. - AddToScheme = SchemeBuilder.AddToScheme -) - -// SecretStore type metadata. -var ( - SecretStoreKind = reflect.TypeOf(SecretStore{}).Name() - SecretStoreKindAPIVersion = SecretStoreKind + "." + GroupVersion.String() -) diff --git a/apis/doc.go b/apis/doc.go new file mode 100644 index 000000000..d2482c14e --- /dev/null +++ b/apis/doc.go 
@@ -0,0 +1,18 @@ +/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// +// +domain=external-secrets.io + +package apis diff --git a/apis/externalsecrets/doc.go b/apis/externalsecrets/doc.go new file mode 100644 index 000000000..760bd4841 --- /dev/null +++ b/apis/externalsecrets/doc.go @@ -0,0 +1,17 @@ +/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// +groupName=external-secrets.io + +package externalsecrets diff --git a/api/v1alpha1/meta_types.go b/apis/externalsecrets/v1alpha1/doc.go similarity index 74% rename from api/v1alpha1/meta_types.go rename to apis/externalsecrets/v1alpha1/doc.go index 4e8bfbc6a..a327e1186 100644 --- a/api/v1alpha1/meta_types.go +++ b/apis/externalsecrets/v1alpha1/doc.go 
@@ -12,13 +12,8 @@ See the License for the specific language governing permissions and limitations under the License. */ +// Package v1alpha1 contains resources for external-secrets +// +kubebuilder:object:generate=true +// +groupName=external-secrets.io +// +versionName=v1alpha1 package v1alpha1 - -// Refers to a Secret in Kubernetes. -type SecretKeySelector struct { - Name string `json:"name"` - Key string `json:"key"` - - // +optional - Namespace *string `json:"namespace,omitempty"` -} diff --git a/api/v1alpha1/externalsecret_types.go b/apis/externalsecrets/v1alpha1/externalsecret_types.go similarity index 98% rename from api/v1alpha1/externalsecret_types.go rename to apis/externalsecrets/v1alpha1/externalsecret_types.go index 076aaee01..142f853da 100644 --- a/api/v1alpha1/externalsecret_types.go +++ b/apis/externalsecrets/v1alpha1/externalsecret_types.go @@ -191,7 +191,3 @@ type ExternalSecretList struct { metav1.ListMeta `json:"metadata,omitempty"` Items []ExternalSecret `json:"items"` } - -func init() { - SchemeBuilder.Register(&ExternalSecret{}, &ExternalSecretList{}) -} diff --git a/api/v1alpha1/generic_store.go b/apis/externalsecrets/v1alpha1/generic_store.go similarity index 100% rename from api/v1alpha1/generic_store.go rename to apis/externalsecrets/v1alpha1/generic_store.go diff --git a/apis/externalsecrets/v1alpha1/register.go b/apis/externalsecrets/v1alpha1/register.go new file mode 100644 index 000000000..dd40a6fce --- /dev/null +++ b/apis/externalsecrets/v1alpha1/register.go 
@@ -0,0 +1,58 @@ +/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1alpha1 + +import ( + "reflect" + + "k8s.io/apimachinery/pkg/runtime/schema" + "sigs.k8s.io/controller-runtime/pkg/scheme" +) + +// Package type metadata. +const ( + Group = "external-secrets.io" + Version = "v1alpha1" +) + +var ( + // SchemeGroupVersion is group version used to register these objects. + SchemeGroupVersion = schema.GroupVersion{Group: Group, Version: Version} + + // SchemeBuilder is used to add go types to the GroupVersionKind scheme. + SchemeBuilder = &scheme.Builder{GroupVersion: SchemeGroupVersion} + AddToScheme = SchemeBuilder.AddToScheme +) + +// ExternalSecret type metadata. +var ( + ExtSecretKind = reflect.TypeOf(ExternalSecret{}).Name() + ExtSecretGroupKind = schema.GroupKind{Group: Group, Kind: ExtSecretKind}.String() + ExtSecretKindAPIVersion = ExtSecretKind + "." + SchemeGroupVersion.String() + ExtSecretGroupVersionKind = SchemeGroupVersion.WithKind(ExtSecretKind) +) + +// SecretStore type metadata. +var ( + SecretStoreKind = reflect.TypeOf(SecretStore{}).Name() + SecretStoreGroupKind = schema.GroupKind{Group: Group, Kind: SecretStoreKind}.String() + SecretStoreKindAPIVersion = SecretStoreKind + "." + SchemeGroupVersion.String() + SecretStoreGroupVersionKind = SchemeGroupVersion.WithKind(SecretStoreKind) +) + +func init() { + SchemeBuilder.Register(&ExternalSecret{}, &ExternalSecretList{}) + SchemeBuilder.Register(&SecretStore{}, &SecretStoreList{}) +} 
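Review bot: `AddToScheme` is the only exported name in the `var` block without a doc comment; the deleted api/v1alpha1/groupversion_info.go carried `// AddToScheme adds the types in this group-version to the given scheme.`, which should move over with it. The `Group` constant also restates the `+groupName=external-secrets.io` marker in apis/externalsecrets/doc.go; a one-line comment on the `const` block saying the two must stay in sync would save the next person from changing only one of them.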
diff --git a/api/v1alpha1/secretstore_awssm_types.go b/apis/externalsecrets/v1alpha1/secretstore_awssm_types.go similarity index 82% rename from api/v1alpha1/secretstore_awssm_types.go rename to apis/externalsecrets/v1alpha1/secretstore_awssm_types.go index 6c526e8f5..e0a1fd1a8 100644 --- a/api/v1alpha1/secretstore_awssm_types.go +++ b/apis/externalsecrets/v1alpha1/secretstore_awssm_types.go @@ -14,6 +14,10 @@ limitations under the License. package v1alpha1 +import ( + esmeta "github.com/external-secrets/external-secrets/apis/meta/v1" +) + type AWSSMAuth struct { SecretRef AWSSMAuthSecretRef `json:"secretRef"` } @@ -21,11 +25,11 @@ type AWSSMAuth struct { type AWSSMAuthSecretRef struct { // The AccessKeyID is used for authentication // +optional - AccessKeyID SecretKeySelector `json:"accessKeyIDSecretRef,omitempty"` + AccessKeyID esmeta.SecretKeySelector `json:"accessKeyIDSecretRef,omitempty"` // The SecretAccessKey is used for authentication // +optional - SecretAccessKey SecretKeySelector `json:"secretAccessKeySecretRef,omitempty"` + SecretAccessKey esmeta.SecretKeySelector `json:"secretAccessKeySecretRef,omitempty"` } // Configures a store to sync secrets using the AWS Secret Manager provider. diff --git a/api/v1alpha1/secretstore_types.go b/apis/externalsecrets/v1alpha1/secretstore_types.go similarity index 97% rename from api/v1alpha1/secretstore_types.go rename to apis/externalsecrets/v1alpha1/secretstore_types.go index 22d6b08d8..19751ee40 100644 --- a/api/v1alpha1/secretstore_types.go +++ b/apis/externalsecrets/v1alpha1/secretstore_types.go @@ -105,7 +105,3 @@ type SecretStoreList struct { metav1.ListMeta `json:"metadata,omitempty"` Items []SecretStore `json:"items"` } - -func init() { - SchemeBuilder.Register(&SecretStore{}, &SecretStoreList{}) -} 
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/apis/externalsecrets/v1alpha1/zz_generated.deepcopy.go similarity index 95% rename from api/v1alpha1/zz_generated.deepcopy.go rename to apis/externalsecrets/v1alpha1/zz_generated.deepcopy.go index 62a63a2de..045a74fef 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/apis/externalsecrets/v1alpha1/zz_generated.deepcopy.go @@ -287,26 +287,6 @@ func (in *ExternalSecretTemplateMetadata) DeepCopy() *ExternalSecretTemplateMeta return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretKeySelector) DeepCopyInto(out *SecretKeySelector) { - *out = *in - if in.Namespace != nil { - in, out := &in.Namespace, &out.Namespace - *out = new(string) - **out = **in - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretKeySelector. -func (in *SecretKeySelector) DeepCopy() *SecretKeySelector { - if in == nil { - return nil - } - out := new(SecretKeySelector) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretStore) DeepCopyInto(out *SecretStore) { *out = *in diff --git a/apis/meta/doc.go b/apis/meta/doc.go new file mode 100644 index 000000000..8ad027322 --- /dev/null +++ b/apis/meta/doc.go 
@@ -0,0 +1,16 @@ +/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Package meta contains meta types for external-secret APIs. +package meta diff --git a/apis/meta/v1/doc.go b/apis/meta/v1/doc.go new file mode 100644 index 000000000..317234b72 --- /dev/null +++ b/apis/meta/v1/doc.go @@ -0,0 +1,17 @@ +/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Package meta contains meta types for external-secrets APIs +// +kubebuilder:object:generate=true +package v1 diff --git a/apis/meta/v1/types.go b/apis/meta/v1/types.go new file mode 100644 index 000000000..0a76bf8b1 --- /dev/null +++ b/apis/meta/v1/types.go 
@@ -0,0 +1,37 @@ +/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1 + +// A reference to an object in the same namespace as the referent. +type LocalObjectReference struct { + // Name of the resource being referred to. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + Name string `json:"name"` +} + +// A reference to a specific 'key' within a Secret resource, +// In some instances, `key` is a required field. +type SecretKeySelector struct { + // The name of the Secret resource being referred to. + LocalObjectReference `json:",inline"` + // Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + // to the namespace of the referent. + // +optional + Namespace *string `json:"namespace,omitempty"` + // The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + // defaulted, in others it may be required. + // +optional + Key string `json:"key,omitempty"` +} diff --git a/apis/meta/v1/zz_generated.deepcopy.go b/apis/meta/v1/zz_generated.deepcopy.go new file mode 100644 index 000000000..d2a13f14a --- /dev/null +++ b/apis/meta/v1/zz_generated.deepcopy.go 
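Review bot: The `Namespace` comment contradicts itself: `Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.` — a cluster-scoped referent has no namespace to default to. Suggest `// Namespace of the referenced Secret. Ignored when the referent is namespaced (its own namespace is used); for a cluster-scoped referent this selects the namespace to read from.` and a sentence stating what an empty value means in that case, since this field decides which namespace's Secrets a store may read. `Key` has also become `+optional`/`omitempty` where the old `SecretKeySelector` required it (and the CRD drops `key` from `required`); the comment says some instances default it, but the AWS credential references in secretstore_awssm_types.go state no default, so either document that default or keep `key` required there.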
@@ -0,0 +1,57 @@ +// +build !ignore_autogenerated + +/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by controller-gen. DO NOT EDIT. + +package v1 + +import () + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *LocalObjectReference) DeepCopyInto(out *LocalObjectReference) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LocalObjectReference. +func (in *LocalObjectReference) DeepCopy() *LocalObjectReference { + if in == nil { + return nil + } + out := new(LocalObjectReference) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretKeySelector) DeepCopyInto(out *SecretKeySelector) { + *out = *in + out.LocalObjectReference = in.LocalObjectReference + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretKeySelector. +func (in *SecretKeySelector) DeepCopy() *SecretKeySelector { + if in == nil { + return nil + } + out := new(SecretKeySelector) + in.DeepCopyInto(out) + return out +} diff --git a/config/crd/bases/external-secrets.io_secretstores.yaml b/config/crd/bases/external-secrets.io_secretstores.yaml index 24daa26fa..e18047010 100644 
--- a/config/crd/bases/external-secrets.io_secretstores.yaml +++ b/config/crd/bases/external-secrets.io_secretstores.yaml @@ -61,26 +61,44 @@ spec: description: The AccessKeyID is used for authentication properties: key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others it + may be required. type: string name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: + description: Namespace of the resource being referred + to. Ignored if referent is not cluster-scoped. + cluster-scoped defaults to the namespace of + the referent. type: string required: - - key - name type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others it + may be required. type: string name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: + description: Namespace of the resource being referred + to. Ignored if referent is not cluster-scoped. + cluster-scoped defaults to the namespace of + the referent. type: string required: - - key - name type: object type: object diff --git a/controllers/externalsecret_controller.go b/controllers/externalsecret_controller.go index beaefd4ce..308c9e624 100644 --- a/controllers/externalsecret_controller.go +++ b/controllers/externalsecret_controller.go 
@@ -22,7 +22,7 @@ import ( ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/client" - externalsecretsv1alpha1 "github.com/external-secrets/external-secrets/api/v1alpha1" + externalsecretsv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1" ) // ExternalSecretReconciler reconciles a ExternalSecret object. diff --git a/controllers/secretstore_controller.go b/controllers/secretstore_controller.go index 58033ab3c..56cf64ab0 100644 --- a/controllers/secretstore_controller.go +++ b/controllers/secretstore_controller.go @@ -22,7 +22,7 @@ import ( ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/client" - externalsecretsv1alpha1 "github.com/external-secrets/external-secrets/api/v1alpha1" + externalsecretsv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1" ) // SecretStoreReconciler reconciles a SecretStore object. diff --git a/controllers/suite_test.go b/controllers/suite_test.go index 38c8ea3ea..87e123f5e 100644 --- a/controllers/suite_test.go +++ b/controllers/suite_test.go @@ -28,7 +28,7 @@ import ( logf "sigs.k8s.io/controller-runtime/pkg/log" "sigs.k8s.io/controller-runtime/pkg/log/zap" - externalsecretsv1alpha1 "github.com/external-secrets/external-secrets/api/v1alpha1" + externalsecretsv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1" ) // These tests use Ginkgo (BDD-style Go testing framework). Refer to diff --git a/main.go b/main.go index f52a49e2e..a8efa3617 100644 --- a/main.go +++ b/main.go @@ -25,7 +25,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/log/zap" // +kubebuilder:scaffold:imports - externalsecretsv1alpha1 "github.com/external-secrets/external-secrets/api/v1alpha1" + externalsecretsv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1" "github.com/external-secrets/external-secrets/controllers" ) 
diff --git a/pkg/provider/aws/secretsmanager/secretsmanager.go b/pkg/provider/aws/secretsmanager/secretsmanager.go index 698129074..e88325f34 100644 --- a/pkg/provider/aws/secretsmanager/secretsmanager.go +++ b/pkg/provider/aws/secretsmanager/secretsmanager.go @@ -18,7 +18,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/client" - esv1alpha1 "github.com/external-secrets/external-secrets/api/v1alpha1" + esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1" "github.com/external-secrets/external-secrets/pkg/provider" "github.com/external-secrets/external-secrets/pkg/provider/schema" ) diff --git a/pkg/provider/fake/fake.go b/pkg/provider/fake/fake.go index 0a3889b1b..c6f82fcf8 100644 --- a/pkg/provider/fake/fake.go +++ b/pkg/provider/fake/fake.go @@ -19,7 +19,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/client" - esv1alpha1 "github.com/external-secrets/external-secrets/api/v1alpha1" + esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1" "github.com/external-secrets/external-secrets/pkg/provider" "github.com/external-secrets/external-secrets/pkg/provider/schema" ) diff --git a/pkg/provider/provider.go b/pkg/provider/provider.go index 0e3264c24..e4dfa588d 100644 --- a/pkg/provider/provider.go +++ b/pkg/provider/provider.go @@ -19,7 +19,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/client" - esv1alpha1 "github.com/external-secrets/external-secrets/api/v1alpha1" + esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1" ) // Provider is a common interface for interacting with secret backends. diff --git a/pkg/provider/schema/schema.go b/pkg/provider/schema/schema.go index 3978a892c..fb715ca20 100644 --- a/pkg/provider/schema/schema.go +++ b/pkg/provider/schema/schema.go 
@@ -19,7 +19,7 @@ import ( "fmt" "sync" - esv1alpha1 "github.com/external-secrets/external-secrets/api/v1alpha1" + esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1" "github.com/external-secrets/external-secrets/pkg/provider" ) diff --git a/pkg/provider/schema/schema_test.go b/pkg/provider/schema/schema_test.go index 4cd703d2b..0d4998ba6 100644 --- a/pkg/provider/schema/schema_test.go +++ b/pkg/provider/schema/schema_test.go @@ -20,7 +20,7 @@ import ( "github.com/stretchr/testify/assert" "sigs.k8s.io/controller-runtime/pkg/client" - esv1alpha1 "github.com/external-secrets/external-secrets/api/v1alpha1" + esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1" "github.com/external-secrets/external-secrets/pkg/provider" ) From 3db006ddc442a05694f127324b718d5fa424484d Mon Sep 17 00:00:00 2001 From: Kellin McAvoy Date: Tue, 29 Dec 2020 13:02:29 -0500 Subject: [PATCH 2/3] feat: add cluster store --- .../externalsecrets/v1alpha1/generic_store.go | 30 +++- apis/externalsecrets/v1alpha1/register.go | 9 ++ .../v1alpha1/secretstore_types.go | 27 +++- .../v1alpha1/zz_generated.deepcopy.go | 58 +++++++ ...ternal-secrets.io_clustersecretstores.yaml | 142 ++++++++++++++++++ .../external-secrets.io_secretstores.yaml | 15 +- pkg/provider/schema/schema.go | 4 +- 7 files changed, 275 insertions(+), 10 deletions(-) create mode 100644 config/crd/bases/external-secrets.io_clustersecretstores.yaml diff --git a/apis/externalsecrets/v1alpha1/generic_store.go b/apis/externalsecrets/v1alpha1/generic_store.go index 85d833aa8..0945db17f 100644 --- a/apis/externalsecrets/v1alpha1/generic_store.go +++ b/apis/externalsecrets/v1alpha1/generic_store.go 
@@ -29,19 +29,39 @@ import (
 type GenericStore interface {
 runtime.Object
 metav1.Object
- GetProvider() *SecretStoreProvider
+
+ GetObjectMeta() *metav1.ObjectMeta
+ GetSpec() *SecretStoreSpec
 }
 
 // +kubebuilder:object:root:false
 // +kubebuilder:object:generate:false
 var _ GenericStore = &SecretStore{}
 
-// GetProvider returns the underlying provider.
-func (c *SecretStore) GetProvider() *SecretStoreProvider {
- return c.Spec.Provider
+func (c *SecretStore) GetObjectMeta() *metav1.ObjectMeta {
+ return &c.ObjectMeta
+}
+
+func (c *SecretStore) GetSpec() *SecretStoreSpec {
+ return &c.Spec
 }
 
-// Copy returns a DeepCopy of the Store.
 func (c *SecretStore) Copy() GenericStore {
 return c.DeepCopy()
 }
+
+// +kubebuilder:object:root:false
+// +kubebuilder:object:generate:false
+var _ GenericStore = &ClusterSecretStore{}
+
+func (c *ClusterSecretStore) GetObjectMeta() *metav1.ObjectMeta {
+ return &c.ObjectMeta
+}
+
+func (c *ClusterSecretStore) GetSpec() *SecretStoreSpec {
+ return &c.Spec
+}
+
+func (c *ClusterSecretStore) Copy() GenericStore {
+ return c.DeepCopy()
+}
diff --git a/apis/externalsecrets/v1alpha1/register.go b/apis/externalsecrets/v1alpha1/register.go
index dd40a6fce..ba994aa3c 100644
--- a/apis/externalsecrets/v1alpha1/register.go
+++ b/apis/externalsecrets/v1alpha1/register.go
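Review bot: The exported methods `GetObjectMeta`, `GetSpec` and `Copy` on SecretStore, and their three ClusterSecretStore counterparts, have no doc comments, while the code they replace carried them (`// GetProvider returns the underlying provider.`, `// Copy returns a DeepCopy of the Store.`). Suggest `// GetObjectMeta returns a pointer to the store's ObjectMeta.`, `// GetSpec returns a pointer to the store's spec.` and `// Copy returns a DeepCopy of the store.` on each type. Both new interface methods return pointers into the receiver, so callers can mutate the store in place; if that is intended, the `GenericStore` interface comment should say so, and it is worth noting that `GetObjectMeta` overlaps with the read accessors the embedded `metav1.Object` already provides.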
@@ -52,7 +52,16 @@ var ( SecretStoreGroupVersionKind = SchemeGroupVersion.WithKind(SecretStoreKind) ) +// ClusterSecretStore type metadata. +var ( + ClusterSecretStoreKind = reflect.TypeOf(ClusterSecretStore{}).Name() + ClusterSecretStoreGroupKind = schema.GroupKind{Group: Group, Kind: ClusterSecretStoreKind}.String() + ClusterSecretStoreKindAPIVersion = ClusterSecretStoreKind + "." + SchemeGroupVersion.String() + ClusterSecretStoreGroupVersionKind = SchemeGroupVersion.WithKind(ClusterSecretStoreKind) +) + func init() { SchemeBuilder.Register(&ExternalSecret{}, &ExternalSecretList{}) SchemeBuilder.Register(&SecretStore{}, &SecretStoreList{}) + SchemeBuilder.Register(&ClusterSecretStore{}, &ClusterSecretStoreList{}) } diff --git a/apis/externalsecrets/v1alpha1/secretstore_types.go b/apis/externalsecrets/v1alpha1/secretstore_types.go index 19751ee40..ecac32894 100644 --- a/apis/externalsecrets/v1alpha1/secretstore_types.go +++ b/apis/externalsecrets/v1alpha1/secretstore_types.go @@ -88,7 +88,10 @@ type SecretStoreStatus struct { // +kubebuilder:object:root=true -// SecretStore is the Schema for the secretstores API. +// SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. +// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" +// +kubebuilder:subresource:status +// +kubebuilder:resource:scope=Namespaced,categories={externalsecrets},shortName=ss type SecretStore struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` 
@@ -105,3 +108,25 @@ type SecretStoreList struct {
 metav1.ListMeta `json:"metadata,omitempty"`
 Items []SecretStore `json:"items"`
 }
+
+// +kubebuilder:object:root=true
+
+// ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
+// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:scope=Cluster,categories={externalsecrets},shortName=css
+type ClusterSecretStore struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ Spec SecretStoreSpec `json:"spec,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// ClusterSecretStoreList contains a list of ClusterSecretStore.
+type ClusterSecretStoreList struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata,omitempty"`
+ Items []ExternalSecret `json:"items"`
+}
diff --git a/apis/externalsecrets/v1alpha1/zz_generated.deepcopy.go b/apis/externalsecrets/v1alpha1/zz_generated.deepcopy.go
index 045a74fef..186e4346c 100644
--- a/apis/externalsecrets/v1alpha1/zz_generated.deepcopy.go
+++ b/apis/externalsecrets/v1alpha1/zz_generated.deepcopy.go
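Review bot: `ClusterSecretStoreList.Items` is declared as `[]ExternalSecret`; a list of the new kind must hold `Items []ClusterSecretStore `json:"items"``, otherwise list and watch responses for ClusterSecretStore decode into the wrong type. The generated `ClusterSecretStoreList.DeepCopyInto` in apis/externalsecrets/v1alpha1/zz_generated.deepcopy.go (`make([]ExternalSecret, len(*in))`) inherited the mistake and needs regenerating once the field is fixed. `ClusterSecretStore` also carries `+kubebuilder:subresource:status` but has no `Status` field, unlike SecretStore, which presumably does since `SecretStoreStatus` is defined in this file (SecretStore's body runs outside the hunk); the CRD would advertise a status subresource the object cannot store. Since the resource is `scope=Cluster`, the doc comment should say so instead of repeating SecretStore's sentence, e.g. `// ClusterSecretStore is the cluster-scoped variant of SecretStore.`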
@@ -71,6 +71,64 @@ func (in *AWSSMProvider) DeepCopy() *AWSSMProvider { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterSecretStore) DeepCopyInto(out *ClusterSecretStore) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterSecretStore. +func (in *ClusterSecretStore) DeepCopy() *ClusterSecretStore { + if in == nil { + return nil + } + out := new(ClusterSecretStore) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ClusterSecretStore) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterSecretStoreList) DeepCopyInto(out *ClusterSecretStoreList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]ExternalSecret, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterSecretStoreList. +func (in *ClusterSecretStoreList) DeepCopy() *ClusterSecretStoreList { + if in == nil { + return nil + } + out := new(ClusterSecretStoreList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
+func (in *ClusterSecretStoreList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ExternalSecret) DeepCopyInto(out *ExternalSecret) { *out = *in diff --git a/config/crd/bases/external-secrets.io_clustersecretstores.yaml b/config/crd/bases/external-secrets.io_clustersecretstores.yaml new file mode 100644 index 000000000..23789c014 --- /dev/null +++ b/config/crd/bases/external-secrets.io_clustersecretstores.yaml 
@@ -0,0 +1,142 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.1 + creationTimestamp: null + name: clustersecretstores.external-secrets.io +spec: + group: external-secrets.io + names: + categories: + - externalsecrets + kind: ClusterSecretStore + listKind: ClusterSecretStoreList + plural: clustersecretstores + shortNames: + - css + singular: clustersecretstore + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterSecretStore represents a secure external location for + storing secrets, which can be referenced as part of `storeRef` fields. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: SecretStoreSpec defines the desired state of SecretStore. + properties: + controller: + description: 'Used to select the correct KES controller (think: ingress.ingressClassName) + The KES controller is instantiated with a specific controller name + and filters ES based on this property' + type: string + provider: + description: Used to configure the provider. 
Only one provider may + be set + maxProperties: 1 + minProperties: 1 + properties: + awssm: + description: AWSSM configures this store to sync secrets using + AWS Secret Manager provider + properties: + auth: + description: Auth defines the information necessary to authenticate + against AWS + properties: + secretRef: + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others it + may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: Namespace of the resource being referred + to. Ignored if referent is not cluster-scoped. + cluster-scoped defaults to the namespace of + the referent. + type: string + required: + - name + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others it + may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: Namespace of the resource being referred + to. Ignored if referent is not cluster-scoped. + cluster-scoped defaults to the namespace of + the referent. 
+ type: string + required: + - name + type: object + type: object + required: + - secretRef + type: object + region: + description: AWS Region to be used for the provider + type: string + role: + description: Role is a Role ARN which the SecretManager provider + will assume + type: string + required: + - auth + - region + type: object + type: object + required: + - provider + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/config/crd/bases/external-secrets.io_secretstores.yaml b/config/crd/bases/external-secrets.io_secretstores.yaml index e18047010..60b2564ff 100644 --- a/config/crd/bases/external-secrets.io_secretstores.yaml +++ b/config/crd/bases/external-secrets.io_secretstores.yaml @@ -10,16 +10,25 @@ metadata: spec: group: external-secrets.io names: + categories: + - externalsecrets kind: SecretStore listKind: SecretStoreList plural: secretstores + shortNames: + - ss singular: secretstore scope: Namespaced versions: - - name: v1alpha1 + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + name: v1alpha1 schema: openAPIV3Schema: - description: SecretStore is the Schema for the secretstores API. + description: SecretStore represents a secure external location for storing + secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -148,6 +157,8 @@ spec: type: object served: true storage: true + subresources: + status: {} status: acceptedNames: kind: "" diff --git a/pkg/provider/schema/schema.go b/pkg/provider/schema/schema.go index fb715ca20..82e5e308c 100644 --- a/pkg/provider/schema/schema.go +++ b/pkg/provider/schema/schema.go 
@@ -71,8 +71,8 @@ func GetProviderByName(name string) (provider.Provider, bool) {
 // GetProvider returns the provider from the generic store.
 func GetProvider(s esv1alpha1.GenericStore) (provider.Provider, error) {
- provider := s.GetProvider()
- storeName, err := getProviderName(provider)
+ spec := s.GetSpec()
+ storeName, err := getProviderName(spec.Provider)
 if err != nil {
 return nil, fmt.Errorf("store error for %s: %w", s.GetName(), err)
 }
From 3fd758603310e1c32f218874b25cecfbb52609c9 Mon Sep 17 00:00:00 2001
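Review bot: The added `spec := s.GetSpec()` / `getProviderName(spec.Provider)` lines use `spec` without a nil check; whether `GetSpec` can return a nil pointer cannot be confirmed from this hunk, but if it can, a store object carrying no spec would panic here instead of surfacing through the existing `store error for %s` path. If `GetSpec` returns a pointer, guard it before the call: `if spec == nil { return nil, fmt.Errorf("store error for %s: nil spec", s.GetName()) }`. The body of GetProvider continues past the end of the hunk.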
From: Kellin McAvoy Date: Tue, 29 Dec 2020 15:50:43 -0500 Subject: [PATCH 3/3] move controller into pkg --- .github/ci/ct.yaml | 5 + .github/workflows/all.yml | 4 + .github/workflows/helm.yml | 55 ++++++++++ .github/workflows/main.yml | 4 + .gitignore | 2 + Dockerfile | 4 +- Makefile | 26 ++++- .../v1alpha1/externalsecret_types.go | 4 +- .../v1alpha1/secretstore_types.go | 6 +- .../v1alpha1/zz_generated.deepcopy.go | 2 +- apis/meta/v1/types.go | 9 +- apis/meta/v1/zz_generated.deepcopy.go | 16 --- ...ternal-secrets.io_clustersecretstores.yaml | 10 +- .../external-secrets.io_externalsecrets.yaml | 4 +- .../external-secrets.io_secretstores.yaml | 10 +- deploy/charts/external-secrets/.helmignore | 26 +++++ deploy/charts/external-secrets/Chart.yaml | 14 +++ deploy/charts/external-secrets/README.md | 63 +++++++++++ .../charts/external-secrets/README.md.gotmpl | 38 +++++++ .../external-secrets/ci/main-values.yaml | 2 + .../external-secrets/templates/NOTES.txt | 7 ++ .../external-secrets/templates/_helpers.tpl | 62 +++++++++++ .../external-secrets/templates/crds/README.md | 4 + .../templates/deployment.yaml | 74 +++++++++++++ .../external-secrets/templates/rbac.yaml | 101 ++++++++++++++++++ .../external-secrets/templates/service.yaml | 20 ++++ .../templates/serviceaccount.yaml | 12 +++ deploy/charts/external-secrets/values.yaml | 68 ++++++++++++ main.go | 13 +-- .../externalsecret_controller.go | 14 +-- .../controllers/externalsecret}/suite_test.go | 8 +- .../secretstore}/secretstore_controller.go | 14 +-- pkg/controllers/secretstore/suite_test.go | 81 ++++++++++++++ pkg/provider/schema/schema_test.go | 26 +++-- 34 files changed, 729 insertions(+), 79 deletions(-) create mode 100644 .github/ci/ct.yaml create mode 100644 .github/workflows/helm.yml create mode 100644 deploy/charts/external-secrets/.helmignore create mode 100644 deploy/charts/external-secrets/Chart.yaml create mode 100644 deploy/charts/external-secrets/README.md create mode 100644 
deploy/charts/external-secrets/README.md.gotmpl create mode 100644 deploy/charts/external-secrets/ci/main-values.yaml create mode 100644 deploy/charts/external-secrets/templates/NOTES.txt create mode 100644 deploy/charts/external-secrets/templates/_helpers.tpl create mode 100644 deploy/charts/external-secrets/templates/crds/README.md create mode 100644 deploy/charts/external-secrets/templates/deployment.yaml create mode 100644 deploy/charts/external-secrets/templates/rbac.yaml create mode 100644 deploy/charts/external-secrets/templates/service.yaml create mode 100644 deploy/charts/external-secrets/templates/serviceaccount.yaml create mode 100644 deploy/charts/external-secrets/values.yaml rename {controllers => pkg/controllers/externalsecret}/externalsecret_controller.go (73%) rename {controllers => pkg/controllers/externalsecret}/suite_test.go (89%) rename {controllers => pkg/controllers/secretstore}/secretstore_controller.go (73%) create mode 100644 pkg/controllers/secretstore/suite_test.go
diff --git a/.github/ci/ct.yaml b/.github/ci/ct.yaml new file mode 100644
index 000000000..e5206d409
--- /dev/null
+++ b/.github/ci/ct.yaml
@@ -0,0 +1,5 @@
+chart-dirs:
+ - deploy/charts
+helm-extra-args: "--timeout=5m"
+check-version-increment: false
+target-branch: main
diff --git a/.github/workflows/all.yml b/.github/workflows/all.yml
index c09d531ca..67bb8cd97 100644
--- a/.github/workflows/all.yml
+++ b/.github/workflows/all.yml
@@ -7,8 +7,12 @@ on:
 - '*/*' # matches every branch containing a single '/'
 - '**' # matches every branch
 - '!main' # excludes main
+ paths-ignore:
+ - 'deploy/**'
 pull_request:
 branches: [ '!main' ]
+ paths-ignore:
+ - 'deploy/**'
 env:
 KUBEBUILDER_VERSION: 2.3.1
diff --git a/.github/workflows/helm.yml b/.github/workflows/helm.yml new file mode 100644
index 000000000..d50b78414
--- /dev/null
+++ b/.github/workflows/helm.yml
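Review bot: The added `paths-ignore: - 'deploy/**'` on both the push and pull_request triggers excludes the whole deploy tree from this workflow, while the new Helm workflow only watches `deploy/charts/**`, so any file later placed under `deploy/` outside `charts/` would run no CI at all. The chart also embeds the CRDs copied from `config/crd/bases` by `make crds-to-chart`, so a change to the Go API types or the generated CRDs alone never triggers the chart lint/install job; narrowing the ignore to `deploy/charts/**` and adding `apis/**` and `config/crd/**` to the Helm workflow's `paths` would close both gaps. The same ignore pattern is added to `.github/workflows/main.yml` in a later hunk and has the same issue.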
@@ -0,0 +1,55 @@
+name: Helm
+
+on:
+ push:
+ tags:
+ - '*'
+ paths:
+ - 'deploy/charts/**'
+ pull_request:
+ branches: main
+ paths:
+ - 'deploy/charts/**'
+
+jobs:
+ lint-and-test:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+
+ - name: Generate chart
+ run: |
+ make crds-to-chart
+
+ - name: Set up Helm
+ uses: azure/setup-helm@v1
+ with:
+ version: v3.4.2
+
+ - uses: actions/setup-python@v2
+ with:
+ python-version: 3.7
+
+ - name: Set up chart-testing
+ uses: helm/chart-testing-action@v2.0.1
+
+ - name: Run chart-testing (list-changed)
+ id: list-changed
+ run: |
+ changed=$(ct list-changed --config=.github/ci/ct.yaml)
+ if [[ -n "$changed" ]]; then
+ echo "::set-output name=changed::true"
+ fi
+
+ - name: Run chart-testing (lint)
+ run: ct lint --config=.github/ci/ct.yaml
+
+ - name: Create kind cluster
+ uses: helm/kind-action@v1.1.0
+ if: steps.list-changed.outputs.changed == 'true'
+
+ - name: Run chart-testing (install)
+ run: ct install --config=.github/ci/ct.yaml
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 41fac71ca..2df33648b 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -5,8 +5,12 @@ on:
 branches: [ main ]
 tags:
 - '*'
+ paths-ignore:
+ - 'deploy/**'
 pull_request:
 branches: [ main ]
+ paths-ignore:
+ - 'deploy/**'
 env:
 KUBEBUILDER_VERSION: 2.3.1
diff --git a/.gitignore b/.gitignore
index eb7ef50af..d967a5893 100644
--- a/.gitignore
+++ b/.gitignore
@@ -24,3 +24,5 @@ bin
 # Code test output
 cover.out
+
+deploy/charts/external-secrets/templates/crds/*.yaml
diff --git a/Dockerfile b/Dockerfile
index 74eb9d741..3b770ef57 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -11,8 +11,8 @@ RUN go mod download
 # Copy the go source
 COPY main.go main.go
-COPY api/ api/
-COPY controllers/ controllers/
+COPY apis/ apis/
+COPY pkg/ pkg/
 # Build
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o manager main.go
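Review bot: The final `Run chart-testing (install)` step is unconditional, while the `Create kind cluster` step directly above it runs only when `steps.list-changed.outputs.changed == 'true'`, so on a run where no chart changed `ct install` executes with no cluster to install into; add the same `if: steps.list-changed.outputs.changed == 'true'` to the install step. Separately, every action in the job is pinned to a mutable tag (`actions/checkout@v2`, `azure/setup-helm@v1`, `actions/setup-python@v2`, `helm/chart-testing-action@v2.0.1`, `helm/kind-action@v1.1.0`); for a workflow that runs on pull requests, pinning each to its full commit SHA with the tag in a trailing comment removes the risk of a retagged action running different code than was reviewed.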
diff --git a/Makefile b/Makefile
index 403b86e98..d4c554cff 100644
--- a/Makefile
+++ b/Makefile
@@ -7,6 +7,8 @@ SHELL := /bin/bash
 IMG ?= controller:latest
 # Produce CRDs that work back to Kubernetes 1.11 (no version conversion)
 CRD_OPTIONS ?= "crd:trivialVersions=true"
+HELM_DIR ?= deploy/charts/external-secrets
+CRD_DIR ?= config/crd/bases
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
@@ -43,7 +45,13 @@ deploy: manifests ## Deploy controller in the Kubernetes cluster of current cont
 kustomize build config/default | kubectl apply -f -
 manifests: controller-gen ## Generate manifests e.g. CRD, RBAC etc.
- $(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases
+ $(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=$(CRD_DIR)
+# Remove extra header lines in generated CRDs
+ @for i in $(CRD_DIR)/*.yaml; do \
+ tail -n +3 <"$$i" >"$$i.bkp" && \
+ cp "$$i.bkp" "$$i" && \
+ rm "$$i.bkp"; \
+ done
 lint/check: # Check install of golanci-lint
 @if ! golangci-lint --version > /dev/null 2>&1; then \
@@ -77,6 +85,22 @@ docker-build: test ## Build the docker image
 docker-push: ## Push the docker image
 docker push ${IMG}
+helm-docs: ## Generate helm docs
+ cd $(HELM_DIR); \
+ docker run --rm -v $(shell pwd)/$(HELM_DIR):/helm-docs -u $(shell id -u) jnorwood/helm-docs:latest
+
+crds-to-chart: # Copy crds to helm chart directory
+ cp $(CRD_DIR)/*.yaml $(HELM_DIR)/templates/crds/
+# Add helm chart if statement for installing CRDs
+ @for i in $(HELM_DIR)/templates/crds/*.yaml; do \
+ cp "$$i" "$$i.bkp" && \
+ echo "{{- if .Values.installCRDs }}" > "$$i" && \
+ cat "$$i.bkp" >> "$$i" && \
+ echo "{{- end }}" >> "$$i" && \
+ rm "$$i.bkp"; \
+ done
+
+
 # find or download controller-gen
 # download controller-gen if necessary
 controller-gen:
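Review bot: The new `helm-docs` target runs `jnorwood/helm-docs:latest` with the chart directory bind-mounted, so the tool that rewrites README.md is whatever `latest` resolves to at run time rather than a reviewed version; pin it to a fixed tag or digest, e.g. `jnorwood/helm-docs:<PINNED_VERSION>` (placeholder). In the `manifests` target, `tail -n +3` assumes every generated CRD begins with exactly the two lines being stripped (the leading blank line and the `---` separator removed in the CRD hunks later in this patch); if a future controller-gen changes that prefix the loop silently discards real YAML, so either check the prefix first (`head -n 2 "$$i" | grep -q '^---$$'`) or state the assumption in the `# Remove extra header lines` comment. The `cd $(HELM_DIR);` before the `docker run` line has no effect on the command, which already uses the absolute `$(shell pwd)/$(HELM_DIR)` path, and can be dropped.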
diff --git a/apis/externalsecrets/v1alpha1/externalsecret_types.go b/apis/externalsecrets/v1alpha1/externalsecret_types.go
index 142f853da..eaf423b9c 100644
--- a/apis/externalsecrets/v1alpha1/externalsecret_types.go
+++ b/apis/externalsecrets/v1alpha1/externalsecret_types.go
@@ -174,7 +174,7 @@ type ExternalSecretStatus struct {
 // +kubebuilder:object:root=true
-// ExternalSecret is the Schema for the externalsecrets API.
+// ExternalSecret is the Schema for the external-secrets API.
 type ExternalSecret struct {
 metav1.TypeMeta `json:",inline"`
 metav1.ObjectMeta `json:"metadata,omitempty"`
@@ -185,7 +185,7 @@ type ExternalSecret struct {
 // +kubebuilder:object:root=true
-// ExternalSecretList contains a list of ExternalSecret.
+// ExternalSecretList contains a list of ExternalSecret resources.
 type ExternalSecretList struct {
 metav1.TypeMeta `json:",inline"`
 metav1.ListMeta `json:"metadata,omitempty"`
diff --git a/apis/externalsecrets/v1alpha1/secretstore_types.go b/apis/externalsecrets/v1alpha1/secretstore_types.go
index ecac32894..72291d764 100644
--- a/apis/externalsecrets/v1alpha1/secretstore_types.go
+++ b/apis/externalsecrets/v1alpha1/secretstore_types.go
@@ -102,7 +102,7 @@ type SecretStore struct {
 // +kubebuilder:object:root=true
-// SecretStoreList contains a list of SecretStore.
+// SecretStoreList contains a list of SecretStore resources.
 type SecretStoreList struct {
 metav1.TypeMeta `json:",inline"`
 metav1.ListMeta `json:"metadata,omitempty"`
@@ -124,9 +124,9 @@ type ClusterSecretStore struct {
 // +kubebuilder:object:root=true
-// ClusterSecretStoreList contains a list of ClusterSecretStore.
+// ClusterSecretStoreList contains a list of ClusterSecretStore resources.
 type ClusterSecretStoreList struct {
 metav1.TypeMeta `json:",inline"`
 metav1.ListMeta `json:"metadata,omitempty"`
- Items []ExternalSecret `json:"items"`
+ Items []ClusterSecretStore `json:"items"`
 }
diff --git a/apis/externalsecrets/v1alpha1/zz_generated.deepcopy.go b/apis/externalsecrets/v1alpha1/zz_generated.deepcopy.go index 186e4346c..dee3e865c 100644 --- a/apis/externalsecrets/v1alpha1/zz_generated.deepcopy.go +++ b/apis/externalsecrets/v1alpha1/zz_generated.deepcopy.go @@ -104,7 +104,7 @@ func (in *ClusterSecretStoreList) DeepCopyInto(out *ClusterSecretStoreList) { in.ListMeta.DeepCopyInto(&out.ListMeta) if in.Items != nil { in, out := &in.Items, &out.Items - *out = make([]ExternalSecret, len(*in)) + *out = make([]ClusterSecretStore, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } diff --git a/apis/meta/v1/types.go b/apis/meta/v1/types.go index 0a76bf8b1..cc087b656 100644 --- a/apis/meta/v1/types.go +++ b/apis/meta/v1/types.go @@ -14,18 +14,11 @@ limitations under the License. package v1 -// A reference to an object in the same namespace as the referent. -type LocalObjectReference struct { - // Name of the resource being referred to. - // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - Name string `json:"name"` -} - // A reference to a specific 'key' within a Secret resource, // In some instances, `key` is a required field. type SecretKeySelector struct { // The name of the Secret resource being referred to. - LocalObjectReference `json:",inline"` + Name string `json:"name"` // Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults // to the namespace of the referent. // +optional diff --git a/apis/meta/v1/zz_generated.deepcopy.go b/apis/meta/v1/zz_generated.deepcopy.go index d2a13f14a..cc2c5684a 100644 --- a/apis/meta/v1/zz_generated.deepcopy.go +++ b/apis/meta/v1/zz_generated.deepcopy.go 
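Review bot: Deleting the exported `LocalObjectReference` type and replacing the embedded field with a plain `Name string` in `SecretKeySelector` is a source-level break for any importer of `apis/meta/v1` that referenced the type or the promoted field, and the commit message ("move controller into pkg") does not mention it; if the API package is intended for external consumers, a sentence in the commit message naming the removal is the minimum. The new `Name` doc comment could also record that the field is required, which is what the generated CRD says about it (`required: - name`): `// The name of the Secret resource being referred to. Required.`. The remainder of `SecretKeySelector` continues past the end of the hunk.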
@@ -20,25 +20,9 @@ package v1 import () -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *LocalObjectReference) DeepCopyInto(out *LocalObjectReference) { - *out = *in -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LocalObjectReference. -func (in *LocalObjectReference) DeepCopy() *LocalObjectReference { - if in == nil { - return nil - } - out := new(LocalObjectReference) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretKeySelector) DeepCopyInto(out *SecretKeySelector) { *out = *in - out.LocalObjectReference = in.LocalObjectReference if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) diff --git a/config/crd/bases/external-secrets.io_clustersecretstores.yaml b/config/crd/bases/external-secrets.io_clustersecretstores.yaml index 23789c014..133bfa625 100644 --- a/config/crd/bases/external-secrets.io_clustersecretstores.yaml +++ b/config/crd/bases/external-secrets.io_clustersecretstores.yaml @@ -1,5 +1,3 @@ - ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -76,8 +74,8 @@ spec: may be required. type: string name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: The name of the Secret resource being + referred to. type: string namespace: description: Namespace of the resource being referred @@ -98,8 +96,8 @@ spec: may be required. type: string name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: The name of the Secret resource being + referred to. type: string namespace: description: Namespace of the resource being referred 
diff --git a/config/crd/bases/external-secrets.io_externalsecrets.yaml b/config/crd/bases/external-secrets.io_externalsecrets.yaml index 926af685c..b5c8488aa 100644 --- a/config/crd/bases/external-secrets.io_externalsecrets.yaml +++ b/config/crd/bases/external-secrets.io_externalsecrets.yaml @@ -1,5 +1,3 @@ - ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -19,7 +17,7 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: ExternalSecret is the Schema for the externalsecrets API. + description: ExternalSecret is the Schema for the external-secrets API. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation diff --git a/config/crd/bases/external-secrets.io_secretstores.yaml b/config/crd/bases/external-secrets.io_secretstores.yaml index 60b2564ff..8dc60713f 100644 --- a/config/crd/bases/external-secrets.io_secretstores.yaml +++ b/config/crd/bases/external-secrets.io_secretstores.yaml @@ -1,5 +1,3 @@ - ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -76,8 +74,8 @@ spec: may be required. type: string name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: The name of the Secret resource being + referred to. type: string namespace: description: Namespace of the resource being referred @@ -98,8 +96,8 @@ spec: may be required. type: string name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: The name of the Secret resource being + referred to. type: string namespace: description: Namespace of the resource being referred diff --git a/deploy/charts/external-secrets/.helmignore b/deploy/charts/external-secrets/.helmignore new file mode 100644 index 000000000..855edc3fb --- /dev/null 
+++ b/deploy/charts/external-secrets/.helmignore
@@ -0,0 +1,26 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+
+# CRD README.md
+templates/crds/README.md
diff --git a/deploy/charts/external-secrets/Chart.yaml b/deploy/charts/external-secrets/Chart.yaml new file mode 100644
index 000000000..ad13f1042
--- /dev/null
+++ b/deploy/charts/external-secrets/Chart.yaml
@@ -0,0 +1,14 @@
+apiVersion: v2
+name: external-secrets
+description: External secret management for Kubernetes
+type: application
+version: "0.1.0"
+appVersion: "0.1.0"
+kubeVersion: ">= 1.11.0"
+keywords:
+ - kubernetes-external-secrets
+ - secrets
+home: https://github.com/external-secrets/external-secrets
+maintainers:
+ - name: mcavoyk
+ email: kellinmcavoy@gmail.com
diff --git a/deploy/charts/external-secrets/README.md b/deploy/charts/external-secrets/README.md new file mode 100644
index 000000000..c3ef4544f
--- /dev/null
+++ b/deploy/charts/external-secrets/README.md
@@ -0,0 +1,63 @@
+# external-secrets
+
+[//]: # (README.md generated by gotmpl. DO NOT EDIT.)
+
+![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![AppVersion: 0.1.0](https://img.shields.io/badge/AppVersion-0.1.0-informational?style=flat-square)
+
+External secret management for Kubernetes
+
+## TL;DR
+```bash
+helm repo add external-secrets https://external-secrets.github.io/external-secrets
+helm install external-secrets/external-secrets
+```
+
+## Installing the Chart
+To install the chart with the release name `external-secrets`:
+```bash
+helm install external-secrets external-secrets/external-secrets
+```
+
+### Custom Resources
+By default, the chart will install external-secrets CRDs, this can be controlled with `installCRDs` value.
+
+## Uninstalling the Chart
+To uninstall the `external-secrets` deployment:
+```bash
+helm uninstall external-secrets
+```
+The command removes all the Kubernetes components associated with the chart and deletes the release.
+
+## Configuration
+Read through the external-secrets [values.yaml](https://github.com/external-secrets/external-secrets/blob/master/deploy/charts/external-secrets/values.yaml)
+file. It has several commented out suggested values.
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| affinity | object | `{}` | |
+| extraArgs | object | `{}` | |
+| extraEnv | list | `[]` | |
+| fullnameOverride | string | `""` | |
+| image.pullPolicy | string | `"IfNotPresent"` | |
+| image.repository | string | `"ghcr.io/external-secrets/external-secrets"` | |
+| image.tag | string | `""` | The image tag to use. The default is the chart appVersion. |
+| imagePullSecrets | list | `[]` | |
+| installCRDs | bool | `true` | If set, install and upgrade CRDs through helm chart. |
+| leaderElect | bool | `true` | If true, external-secrets will perform leader election between instances to ensure no more than one instance of external-secrets operates at a time. |
+| nameOverride | string | `""` | |
+| nodeSelector | object | `{}` | |
+| podAnnotations | object | `{}` | |
+| podLabels | object | `{}` | |
+| podSecurityContext | object | `{}` | |
+| prometheus.enabled | bool | `false` | Specifies whether to expose Service resource for collecting Prometheus metrics |
+| prometheus.service.port | int | `8080` | |
+| rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
+| replicaCount | int | `1` | |
+| resources | object | `{}` | |
+| securityContext | object | `{}` | |
+| serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
+| serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
+| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
+| tolerations | list | `[]` | |
diff --git a/deploy/charts/external-secrets/README.md.gotmpl b/deploy/charts/external-secrets/README.md.gotmpl new file mode 100644
index 000000000..1762e4b1d
--- /dev/null
+++ b/deploy/charts/external-secrets/README.md.gotmpl
@@ -0,0 +1,38 @@
+{{- $valuesYAML := "https://github.com/external-secrets/external-secrets/blob/master/deploy/charts/external-secrets/values.yaml" -}}
+{{- $chartRepo := "https://external-secrets.github.io/external-secrets" -}}
+{{- $org := "external-secrets" -}}
+{{ template "chart.header" . }}
+
+[//]: # (README.md generated by gotmpl. DO NOT EDIT.)
+
+{{ template "chart.typeBadge" . }}{{ template "chart.versionBadge" . }}{{ template "chart.appVersionBadge" . }}
+
+{{ template "chart.description" . }}
+
+## TL;DR
+```bash
+helm repo add {{ $org }} {{ $chartRepo }}
+helm install {{ $org }}/{{ template "chart.name" . }}
+```
+
+## Installing the Chart
+To install the chart with the release name `{{ template "chart.name" . }}`:
+```bash
+helm install {{ template "chart.name" . }} {{ $org }}/{{ template "chart.name" . }}
+```
+
+### Custom Resources
+By default, the chart will install external-secrets CRDs, this can be controlled with `installCRDs` value.
+
+## Uninstalling the Chart
+To uninstall the `{{ template "chart.name" . }}` deployment:
+```bash
+helm uninstall {{ template "chart.name" . }}
+```
+The command removes all the Kubernetes components associated with the chart and deletes the release.
+
+## Configuration
+Read through the {{ template "chart.name" . }} [values.yaml]({{ $valuesYAML }})
+file. It has several commented out suggested values.
+
+{{ template "chart.valuesSection" . }}
diff --git a/deploy/charts/external-secrets/ci/main-values.yaml b/deploy/charts/external-secrets/ci/main-values.yaml new file mode 100644
index 000000000..75eb234e3
--- /dev/null
+++ b/deploy/charts/external-secrets/ci/main-values.yaml
@@ -0,0 +1,2 @@
+image:
+ tag: main
diff --git a/deploy/charts/external-secrets/templates/NOTES.txt b/deploy/charts/external-secrets/templates/NOTES.txt new file mode 100644
index 000000000..4fd716993
--- /dev/null
+++ b/deploy/charts/external-secrets/templates/NOTES.txt
@@ -0,0 +1,7 @@
+external-secrets has been deployed successfully!
+
+In order to begin using ExternalSecrets, you will need to set up a SecretStore
+or ClusterSecretStore resource (for example, by creating a 'vault' SecretStore).
+
+More information on the different types of SecretStores and how to configure them
+can be found in our Github: {{ .Chart.Home }}
diff --git a/deploy/charts/external-secrets/templates/_helpers.tpl b/deploy/charts/external-secrets/templates/_helpers.tpl new file mode 100644
index 000000000..23c759fe2
--- /dev/null
+++ b/deploy/charts/external-secrets/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "external-secrets.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "external-secrets.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "external-secrets.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "external-secrets.labels" -}}
+helm.sh/chart: {{ include "external-secrets.chart" . }}
+{{ include "external-secrets.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "external-secrets.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "external-secrets.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "external-secrets.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "external-secrets.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/deploy/charts/external-secrets/templates/crds/README.md b/deploy/charts/external-secrets/templates/crds/README.md new file mode 100644
index 000000000..6761190f7
--- /dev/null
+++ b/deploy/charts/external-secrets/templates/crds/README.md
@@ -0,0 +1,4 @@
+# CRD Template Directory
+the CRDs are generated in pipeline during helm package. To install the CRDs please set `installCRDS: true`.
+
+The latest CRDs in the repository are located [here](../../../../../config/crd/bases)
diff --git a/deploy/charts/external-secrets/templates/deployment.yaml b/deploy/charts/external-secrets/templates/deployment.yaml new file mode 100644
index 000000000..a54ca1700
--- /dev/null
+++ b/deploy/charts/external-secrets/templates/deployment.yaml
@@ -0,0 +1,74 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "external-secrets.fullname" . }}
+ labels:
+ {{- include "external-secrets.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ {{- include "external-secrets.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "external-secrets.selectorLabels" . | nindent 8 }}
+ {{- with .Values.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "external-secrets.serviceAccountName" . }}
+ {{- with .Values.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: {{ .Chart.Name }}
+ {{- with .Values.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ args:
+ {{- if .Values.leaderElect }}
+ - --enable-leader-election=true
+ {{- end }}
+ {{- range $key, $value := .Values.extraArgs }}
+ {{- if $value }}
+ - --{{ $key }}={{ $value }}
+ {{- else }}
+ - --{{ $key }}
+ {{- end }}
+ {{- end }}
+ ports:
+ - containerPort: {{ .Values.prometheus.service.port }}
+ protocol: TCP
+ {{- with .Values.extraEnv }}
+ env:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.resources }}
+ resources:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
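Review bot: `containerPort: {{ .Values.prometheus.service.port }}` is declared unconditionally, but nothing in the rendered `args` tells the manager to listen on that port; `main.go` in this commit starts the manager with `MetricsBindAddress: metricsAddr`, whose flag default is not visible here, so if it is anything other than `:8080` the containerPort, the `-metrics` Service and its `prometheus.io/port` annotation all point at a closed socket. Passing the address explicitly keeps them in sync, e.g. `- --metrics-addr=:{{ .Values.prometheus.service.port }}` (using whatever flag name `main.go` actually registers). Separately, `- --{{ $key }}={{ $value }}` interpolates a user-supplied value unquoted into a YAML scalar, so a value containing `: ` or ` #` breaks the manifest; `- {{ printf "--%s=%v" $key $value | quote }}` is safer and renders the same argument.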
diff --git a/deploy/charts/external-secrets/templates/rbac.yaml b/deploy/charts/external-secrets/templates/rbac.yaml
new file mode 100644
index 000000000..a72568d6b
--- /dev/null
+++ b/deploy/charts/external-secrets/templates/rbac.yaml
@@ -0,0 +1,101 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "external-secrets.fullname" . }}-controller
+ labels:
+ {{- include "external-secrets.labels" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - "external-secrets.io"
+ resources:
+ - "secretstores"
+ - "clustersecretstores"
+ - "externalsecrets"
+ verbs:
+ - "get"
+ - "list"
+ - "watch"
+ - apiGroups:
+ - "external-secrets.io"
+ resources:
+ - "externalsecrets"
+ - "externalsecrets/status"
+ verbs:
+ - "update"
+ - "patch"
+ - apiGroups:
+ - ""
+ resources:
+ - "secrets"
+ verbs:
+ - "get"
+ - "list"
+ - "watch"
+ - "create"
+ - "update"
+ - "delete"
+ - apiGroups:
+ - ""
+ resources:
+ - "events"
+ verbs:
+ - "create"
+ - "patch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "external-secrets.fullname" . }}-controller
+ labels:
+ {{- include "external-secrets.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "external-secrets.fullname" . }}-controller
+subjects:
+ - name: {{ include "external-secrets.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ kind: ServiceAccount
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "external-secrets.fullname" . }}-leaderelection
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- include "external-secrets.labels" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - "configmaps"
+ resourceNames:
+ - "external-secrets-controller"
+ verbs:
+ - "get"
+ - "update"
+ - "patch"
+ - apiGroups:
+ - ""
+ resources:
+ - "configmaps"
+ verbs:
+ - "create"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "external-secrets.fullname" . }}-leaderelection
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- include "external-secrets.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "external-secrets.fullname" . }}-leaderelection
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "external-secrets.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace | quote }}
+{{- end }}
diff --git a/deploy/charts/external-secrets/templates/service.yaml b/deploy/charts/external-secrets/templates/service.yaml
new file mode 100644
index 000000000..6c95edd05
--- /dev/null
+++ b/deploy/charts/external-secrets/templates/service.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.prometheus.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "external-secrets.fullname" . }}-metrics
+ labels:
+ {{- include "external-secrets.labels" . | nindent 4 }}
+ annotations:
+ prometheus.io/path: "/metrics"
+ prometheus.io/scrape: "true"
+ prometheus.io/port: {{ .Values.prometheus.service.port | quote }}
+spec:
+ type: ClusterIP
+ ports:
+ - port: {{ .Values.prometheus.service.port }}
+ targetPort: {{ .Values.prometheus.service.port }}
+ protocol: TCP
+ selector:
+ {{- include "external-secrets.selectorLabels" . | nindent 4 }}
+{{- end }}
diff --git a/deploy/charts/external-secrets/templates/serviceaccount.yaml b/deploy/charts/external-secrets/templates/serviceaccount.yaml
new file mode 100644
index 000000000..911638fb4
--- /dev/null
+++ b/deploy/charts/external-secrets/templates/serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "external-secrets.serviceAccountName" . }}
+ labels:
+ {{- include "external-secrets.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/deploy/charts/external-secrets/values.yaml b/deploy/charts/external-secrets/values.yaml
new file mode 100644
index 000000000..419b06473
--- /dev/null
+++ b/deploy/charts/external-secrets/values.yaml
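Review bot: The second ClusterRole rule grants `update`/`patch` only on `externalsecrets` and `externalsecrets/status`, while the SecretStore reconciler in this commit carries a `+kubebuilder:rbac` marker requesting `secretstores/status` `get;update;patch`; once that controller writes status, the API server will reject it under this role, so add `- "secretstores/status"` (and `- "clustersecretstores/status"`, since that resource appears in the first rule) to the second rule's `resources`. Conversely, both controller markers still request `create` and `delete` on their own CRDs, which this role rightly omits — trim the markers so generated manifests match the least-privilege role the chart ships. The leader-election Role covers only `configmaps`; if the controller-runtime version in go.mod (not visible here) defaults the resource lock to `configmapsleases`, a parallel rule for `leases` in `coordination.k8s.io` is also needed or the manager will fail to acquire the lock. The hard-coded `resourceNames` entry `external-secrets-controller` must stay equal to `LeaderElectionID` in `main.go`; a comment pointing at that constant would help the next person who changes either.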
@@ -0,0 +1,68 @@
+replicaCount: 1
+
+image:
+ repository: ghcr.io/external-secrets/external-secrets
+ pullPolicy: IfNotPresent
+ # -- The image tag to use. The default is the chart appVersion.
+ tag: ""
+
+# -- If set, install and upgrade CRDs through helm chart.
+installCRDs: true
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+# -- If true, external-secrets will perform leader election between instances to ensure no more
+# than one instance of external-secrets operates at a time.
+leaderElect: false
+
+serviceAccount:
+ # -- Specifies whether a service account should be created.
+ create: true
+ # -- Annotations to add to the service account.
+ annotations: {}
+ # -- The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template.
+ name: ""
+
+rbac:
+ # -- Specifies whether role and rolebinding resources should be created.
+ create: true
+
+## -- Extra environment variables to add to container.
+extraEnv: []
+
+## -- Map of extra arguments to pass to container.
+extraArgs: {}
+
+podAnnotations: {}
+podLabels: {}
+
+podSecurityContext: {}
+ # fsGroup: 2000
+
+securityContext: {}
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+ # runAsUser: 1000
+
+resources: {}
+ # requests:
+ # cpu: 10m
+ # memory: 32Mi
+
+prometheus:
+ # -- Specifies whether to expose Service resource for collecting Prometheus metrics
+ enabled: false
+ service:
+ port: 8080
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
diff --git a/main.go b/main.go
index a8efa3617..8a5b97a14 100644
--- a/main.go
+++ b/main.go
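Review bot: `podSecurityContext: {}` and `securityContext: {}` ship the controller with no hardening at all — the hardened settings exist only as comments — even though the chart binds this pod's ServiceAccount to a ClusterRole with cluster-wide create/update/delete on `secrets`, which makes a safe baseline worth more here than in a typical chart. Enabling the commented block by default costs nothing for a static Go binary and remains overridable per install; `runAsUser` is left out because whether the image already sets a non-root `USER` is not visible here, and `runAsNonRoot: true` will refuse to start a root image, which is the point. `resources: {}` also leaves the pod without limits; a small default request/limit is worth considering in the same pass.
```yaml
podSecurityContext:
  runAsNonRoot: true

securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  # runAsUser: 1000   # set only if the image does not declare a non-root USER

# … unchanged: resources, prometheus, nodeSelector, tolerations, affinity …
```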
@@ -25,8 +25,9 @@ import ( "sigs.k8s.io/controller-runtime/pkg/log/zap" // +kubebuilder:scaffold:imports - externalsecretsv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1" - "github.com/external-secrets/external-secrets/controllers" + esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1" + "github.com/external-secrets/external-secrets/pkg/controllers/externalsecret" + "github.com/external-secrets/external-secrets/pkg/controllers/secretstore" ) var ( @@ -37,7 +38,7 @@ var ( func init() { _ = clientgoscheme.AddToScheme(scheme) - _ = externalsecretsv1alpha1.AddToScheme(scheme) + _ = esv1alpha1.AddToScheme(scheme) // +kubebuilder:scaffold:scheme } @@ -57,14 +58,14 @@ func main() { MetricsBindAddress: metricsAddr, Port: 9443, LeaderElection: enableLeaderElection, - LeaderElectionID: "1fc40399.io", + LeaderElectionID: "external-secrets-controller", }) if err != nil { setupLog.Error(err, "unable to start manager") os.Exit(1) } - if err = (&controllers.SecretStoreReconciler{ + if err = (&secretstore.Reconciler{ Client: mgr.GetClient(), Log: ctrl.Log.WithName("controllers").WithName("SecretStore"), Scheme: mgr.GetScheme(), @@ -72,7 +73,7 @@ func main() { setupLog.Error(err, "unable to create controller", "controller", "SecretStore") os.Exit(1) } - if err = (&controllers.ExternalSecretReconciler{ + if err = (&externalsecret.Reconciler{ Client: mgr.GetClient(), Log: ctrl.Log.WithName("controllers").WithName("ExternalSecret"), Scheme: mgr.GetScheme(), diff --git a/controllers/externalsecret_controller.go b/pkg/controllers/externalsecret/externalsecret_controller.go similarity index 73% rename from controllers/externalsecret_controller.go rename to pkg/controllers/externalsecret/externalsecret_controller.go index 308c9e624..b23878bf2 100644 --- a/controllers/externalsecret_controller.go +++ b/pkg/controllers/externalsecret/externalsecret_controller.go 
@@ -12,7 +12,7 @@ See the License for the specific language governing permissions and limitations under the License. */ -package controllers +package externalsecret import ( "context" @@ -22,11 +22,11 @@ import ( ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/client" - externalsecretsv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1" + esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1" ) -// ExternalSecretReconciler reconciles a ExternalSecret object. -type ExternalSecretReconciler struct { +// Reconciler reconciles a ExternalSecret object. +type Reconciler struct { client.Client Log logr.Logger Scheme *runtime.Scheme @@ -35,7 +35,7 @@ type ExternalSecretReconciler struct { // +kubebuilder:rbac:groups=external-secrets.io,resources=externalsecrets,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=external-secrets.io,resources=externalsecrets/status,verbs=get;update;patch -func (r *ExternalSecretReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) { +func (r *Reconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) { _ = context.Background() _ = r.Log.WithValues("externalsecret", req.NamespacedName) @@ -44,8 +44,8 @@ func (r *ExternalSecretReconciler) Reconcile(req ctrl.Request) (ctrl.Result, err return ctrl.Result{}, nil } -func (r *ExternalSecretReconciler) SetupWithManager(mgr ctrl.Manager) error { +func (r *Reconciler) SetupWithManager(mgr ctrl.Manager) error { return ctrl.NewControllerManagedBy(mgr). - For(&externalsecretsv1alpha1.ExternalSecret{}). + For(&esv1alpha1.ExternalSecret{}). Complete(r) } diff --git a/controllers/suite_test.go b/pkg/controllers/externalsecret/suite_test.go similarity index 89% rename from controllers/suite_test.go rename to pkg/controllers/externalsecret/suite_test.go index 87e123f5e..7c73e2e94 100644 --- a/controllers/suite_test.go +++ b/pkg/controllers/externalsecret/suite_test.go 
@@ -12,7 +12,7 @@ See the License for the specific language governing permissions and limitations under the License. */ -package controllers +package externalsecret import ( "path/filepath" @@ -28,7 +28,7 @@ import ( logf "sigs.k8s.io/controller-runtime/pkg/log" "sigs.k8s.io/controller-runtime/pkg/log/zap" - externalsecretsv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1" + esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1" ) // These tests use Ginkgo (BDD-style Go testing framework). Refer to @@ -59,10 +59,10 @@ var _ = BeforeSuite(func(done Done) { Expect(err).ToNot(HaveOccurred()) Expect(cfg).ToNot(BeNil()) - err = externalsecretsv1alpha1.AddToScheme(scheme.Scheme) + err = esv1alpha1.AddToScheme(scheme.Scheme) Expect(err).NotTo(HaveOccurred()) - err = externalsecretsv1alpha1.AddToScheme(scheme.Scheme) + err = esv1alpha1.AddToScheme(scheme.Scheme) Expect(err).NotTo(HaveOccurred()) // +kubebuilder:scaffold:scheme diff --git a/controllers/secretstore_controller.go b/pkg/controllers/secretstore/secretstore_controller.go similarity index 73% rename from controllers/secretstore_controller.go rename to pkg/controllers/secretstore/secretstore_controller.go index 56cf64ab0..81c9abbbb 100644 --- a/controllers/secretstore_controller.go +++ b/pkg/controllers/secretstore/secretstore_controller.go @@ -12,7 +12,7 @@ See the License for the specific language governing permissions and limitations under the License. */ -package controllers +package secretstore import ( "context" 
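Review bot: The move from `controllers/` to `pkg/controllers/externalsecret/` changes what the envtest CRD path resolves to, and that line lies outside this hunk: if it is still `filepath.Join("..", "config", "crd", "bases")` as in the sibling secretstore suite added by this commit, it now points at `pkg/controllers/config/crd/bases`, which does not exist, and envtest will start without the CRDs; it should become `filepath.Join("..", "..", "..", "config", "crd", "bases")`. The `BeforeSuite` hunk also keeps two consecutive, identical `err = esv1alpha1.AddToScheme(scheme.Scheme)` calls; the second is redundant and can be dropped. The `BeforeSuite` body starts and ends outside this hunk.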
@@ -22,11 +22,11 @@ import ( ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/client" - externalsecretsv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1" + esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1" ) -// SecretStoreReconciler reconciles a SecretStore object. -type SecretStoreReconciler struct { +// Reconciler reconciles a SecretStore object. +type Reconciler struct { client.Client Log logr.Logger Scheme *runtime.Scheme @@ -35,7 +35,7 @@ type SecretStoreReconciler struct { // +kubebuilder:rbac:groups=external-secrets.io,resources=secretstores,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=external-secrets.io,resources=secretstores/status,verbs=get;update;patch -func (r *SecretStoreReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) { +func (r *Reconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) { _ = context.Background() _ = r.Log.WithValues("secretstore", req.NamespacedName) @@ -44,8 +44,8 @@ func (r *SecretStoreReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) return ctrl.Result{}, nil } -func (r *SecretStoreReconciler) SetupWithManager(mgr ctrl.Manager) error { +func (r *Reconciler) SetupWithManager(mgr ctrl.Manager) error { return ctrl.NewControllerManagedBy(mgr). - For(&externalsecretsv1alpha1.SecretStore{}). + For(&esv1alpha1.SecretStore{}). Complete(r) } diff --git a/pkg/controllers/secretstore/suite_test.go b/pkg/controllers/secretstore/suite_test.go new file mode 100644 index 000000000..422c9f4b5 --- /dev/null +++ b/pkg/controllers/secretstore/suite_test.go 
@@ -0,0 +1,81 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package secretstore
+
+import (
+ "path/filepath"
+ "testing"
+
+ . "github.com/onsi/ginkgo"
+ . "github.com/onsi/gomega"
+ "k8s.io/client-go/kubernetes/scheme"
+ "k8s.io/client-go/rest"
+ "sigs.k8s.io/controller-runtime/pkg/client"
+ "sigs.k8s.io/controller-runtime/pkg/envtest"
+ "sigs.k8s.io/controller-runtime/pkg/envtest/printer"
+ logf "sigs.k8s.io/controller-runtime/pkg/log"
+ "sigs.k8s.io/controller-runtime/pkg/log/zap"
+
+ esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+)
+
+// These tests use Ginkgo (BDD-style Go testing framework). Refer to
+// http://onsi.github.io/ginkgo/ to learn more about Ginkgo.
+
+var cfg *rest.Config
+var k8sClient client.Client
+var testEnv *envtest.Environment
+
+func TestAPIs(t *testing.T) {
+ RegisterFailHandler(Fail)
+
+ RunSpecsWithDefaultAndCustomReporters(t,
+ "Controller Suite",
+ []Reporter{printer.NewlineReporter{}})
+}
+
+var _ = BeforeSuite(func(done Done) {
+ logf.SetLogger(zap.LoggerTo(GinkgoWriter, true))
+
+ By("bootstrapping test environment")
+ testEnv = &envtest.Environment{
+ CRDDirectoryPaths: []string{filepath.Join("..", "config", "crd", "bases")},
+ }
+
+ var err error
+ cfg, err = testEnv.Start()
+ Expect(err).ToNot(HaveOccurred())
+ Expect(cfg).ToNot(BeNil())
+
+ err = esv1alpha1.AddToScheme(scheme.Scheme)
+ Expect(err).NotTo(HaveOccurred())
+
+ err = esv1alpha1.AddToScheme(scheme.Scheme)
+ Expect(err).NotTo(HaveOccurred())
+
+ // +kubebuilder:scaffold:scheme
+
+ k8sClient, err = client.New(cfg, client.Options{Scheme: scheme.Scheme})
+ Expect(err).ToNot(HaveOccurred())
+ Expect(k8sClient).ToNot(BeNil())
+
+ close(done)
+}, 60)
+
+var _ = AfterSuite(func() {
+ By("tearing down the test environment")
+ err := testEnv.Stop()
+ Expect(err).ToNot(HaveOccurred())
+})
diff --git a/pkg/provider/schema/schema_test.go b/pkg/provider/schema/schema_test.go
index 0d4998ba6..a399e3e37 100644
--- a/pkg/provider/schema/schema_test.go
+++ b/pkg/provider/schema/schema_test.go
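Review bot: `CRDDirectoryPaths: []string{filepath.Join("..", "config", "crd", "bases")}` in `BeforeSuite` is resolved relative to this package's directory, `pkg/controllers/secretstore`, so it points at `pkg/controllers/config/crd/bases`, which is not where the chart README in this commit locates the CRDs (the repository root `config/crd/bases`); envtest will come up without the SecretStore CRD and any spec that creates one will fail with a confusing "no matches for kind" error. Use `filepath.Join("..", "..", "..", "config", "crd", "bases")` and, if the controller-runtime version in use supports it, set `ErrorIfCRDPathMissing: true` on the `envtest.Environment` so a wrong path fails the suite immediately instead of silently. The second `err = esv1alpha1.AddToScheme(scheme.Scheme)` call is a copy-paste duplicate of the one four lines above and should be removed.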
@@ -44,11 +44,23 @@ func (p *PP) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretData
 func TestRegister(t *testing.T) {
 p, ok := GetProviderByName("awssm")
 assert.Nil(t, p)
- assert.False(t, ok)
- ForceRegister(&PP{}, &esv1alpha1.SecretStoreProvider{
- AWSSM: &esv1alpha1.AWSSMProvider{},
- })
- p, ok = GetProviderByName("awssm")
- assert.NotNil(t, p)
- assert.True(t, ok)
+ assert.False(t, ok, "provider should not be registered")
+
+ testProvider := &PP{}
+ secretStore := &esv1alpha1.SecretStore{
+ Spec: esv1alpha1.SecretStoreSpec{
+ Provider: &esv1alpha1.SecretStoreProvider{
+ AWSSM: &esv1alpha1.AWSSMProvider{},
+ },
+ },
+ }
+
+ ForceRegister(testProvider, secretStore.Spec.Provider)
+ p1, ok := GetProviderByName("awssm")
+ assert.True(t, ok, "provider should be registered")
+ assert.Equal(t, testProvider, p1)
+
+ p2, err := GetProvider(secretStore)
+ assert.Nil(t, err)
+ assert.Equal(t, testProvider, p2)
 }
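Review bot: `assert.Nil(t, err)` on the `GetProvider` result discards the error text when it fails; `assert.NoError(t, err)` reports it and reads as intended. `ForceRegister` appears to write into a package-level registry that this test never resets (its implementation is not visible here), so the `awssm` entry outlives `TestRegister` and the opening `assert.False(t, ok, "provider should not be registered")` depends on test ordering within the package — if the registry offers an unregister path, call it from `t.Cleanup`; otherwise record the ordering assumption in a comment above the first assertion. `p1, ok :=` compiles only because `p1` is new while `ok` is reused; reassigning `p` with `=` as the old code did would make the intent clearer.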