diff --git a/cmd/root.go b/cmd/root.go
index f83cd736a..31faab7c9 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -41,23 +41,24 @@ import (
 )
 
 var (
- scheme = runtime.NewScheme()
- setupLog = ctrl.Log.WithName("setup")
- dnsName string
- certDir string
- metricsAddr string
- healthzAddr string
- controllerClass string
- enableLeaderElection bool
- concurrent int
- loglevel string
- namespace string
- enableClusterStoreReconciler bool
- storeRequeueInterval time.Duration
- serviceName, serviceNamespace string
- secretName, secretNamespace string
- crdRequeueInterval time.Duration
- certCheckInterval time.Duration
+ scheme = runtime.NewScheme()
+ setupLog = ctrl.Log.WithName("setup")
+ dnsName string
+ certDir string
+ metricsAddr string
+ healthzAddr string
+ controllerClass string
+ enableLeaderElection bool
+ concurrent int
+ loglevel string
+ namespace string
+ enableClusterStoreReconciler bool
+ enableClusterExternalSecretReconciler bool
+ storeRequeueInterval time.Duration
+ serviceName, serviceNamespace string
+ secretName, secretNamespace string
+ crdRequeueInterval time.Duration
+ certCheckInterval time.Duration
 )
 
 const (
@@ -142,16 +143,18 @@ var rootCmd = &cobra.Command{
 setupLog.Error(err, errCreateController, "controller", "ExternalSecret")
 os.Exit(1)
 }
- if err = (&clusterexternalsecret.Reconciler{
- Client: mgr.GetClient(),
- Log: ctrl.Log.WithName("controllers").WithName("ClusterExternalSecret"),
- Scheme: mgr.GetScheme(),
- RequeueInterval: time.Hour,
- }).SetupWithManager(mgr, controller.Options{
- MaxConcurrentReconciles: concurrent,
- }); err != nil {
- setupLog.Error(err, errCreateController, "controller", "ClusterExternalSecret")
- os.Exit(1)
+ if enableClusterExternalSecretReconciler {
+ if err = (&clusterexternalsecret.Reconciler{
+ Client: mgr.GetClient(),
+ Log: ctrl.Log.WithName("controllers").WithName("ClusterExternalSecret"),
+ Scheme: mgr.GetScheme(),
+ RequeueInterval: time.Hour,
+ }).SetupWithManager(mgr, controller.Options{
+ MaxConcurrentReconciles: concurrent,
+ }); err != nil {
+ setupLog.Error(err, errCreateController, "controller", "ClusterExternalSecret")
+ os.Exit(1)
+ }
 }
 setupLog.Info("starting manager")
 if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
@@ -176,5 +179,6 @@ func init() {
 rootCmd.Flags().StringVar(&loglevel, "loglevel", "info", "loglevel to use, one of: debug, info, warn, error, dpanic, panic, fatal")
 rootCmd.Flags().StringVar(&namespace, "namespace", "", "watch external secrets scoped in the provided namespace only. ClusterSecretStore can be used but only work if it doesn't reference resources from other namespaces")
 rootCmd.Flags().BoolVar(&enableClusterStoreReconciler, "enable-cluster-store-reconciler", true, "Enable cluster store reconciler.")
+ rootCmd.Flags().BoolVar(&enableClusterExternalSecretReconciler, "enable-cluster-external-secret-reconciler", true, "Enable cluster external secret reconciler.")
 rootCmd.Flags().DurationVar(&storeRequeueInterval, "store-requeue-interval", time.Minute*5, "Time duration between reconciling (Cluster)SecretStores")
 }
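Review bot: When `enableClusterExternalSecretReconciler` is false the new `if` simply skips the controller with no log output, so ClusterExternalSecret objects already present in the cluster are never reconciled and nothing in the startup log explains why; add an `else` branch with `setupLog.Info("ClusterExternalSecret reconciler disabled", "flag", "enable-cluster-external-secret-reconciler")`. The existing `enableClusterStoreReconciler` gate (outside this hunk) would benefit from the same line if it lacks one. The help text registered in the next hunk could also state when the flag has to be false — the chart in this commit passes `=false` for both reconcilers when the controller runs with namespace-scoped RBAC, presumably because the manager cache would otherwise try to list/watch a cluster-scoped resource it is not permitted to read; confirm before wording it that way. The enclosing `rootCmd` Run function starts and ends outside the hunk.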
diff --git a/deploy/charts/external-secrets/README.md b/deploy/charts/external-secrets/README.md
index cb7e59e41..3e77c7141 100644
--- a/deploy/charts/external-secrets/README.md
+++ b/deploy/charts/external-secrets/README.md
@@ -80,13 +80,15 @@ The command removes all the Kubernetes components associated with the chart and
 | podLabels | object | `{}` | |
 | podSecurityContext | object | `{}` | |
 | priorityClassName | string | `""` | Pod priority class name. |
+| processClusterExternalSecret | bool | `true` | if true, the operator will process cluster external secret. Else, it will ignore them. |
+| processClusterStore | bool | `true` | if true, the operator will process cluster store. Else, it will ignore them. |
 | prometheus.enabled | bool | `false` | Specifies whether to expose Service resource for collecting Prometheus metrics |
 | prometheus.service.port | int | `8080` | |
 | rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
 | replicaCount | int | `1` | |
 | resources | object | `{}` | |
 | scopedNamespace | string | `""` | If set external secrets are only reconciled in the provided namespace |
-| scopedRBAC | bool | `false` | If true, disable ClusterSecretStore. If scopedNamespace is provided, create scoped RBAC roles under the scoped namespace. |
+| scopedRBAC | bool | `false` | Must be used with scopedNamespace. If true, create scoped RBAC roles under the scoped namespace and implicitly disable cluster stores and cluster external secrets |
 | securityContext | object | `{}` | |
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
 | serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
diff --git a/deploy/charts/external-secrets/templates/deployment.yaml b/deploy/charts/external-secrets/templates/deployment.yaml
index 9cb47125b..4ee8eaaac 100644
--- a/deploy/charts/external-secrets/templates/deployment.yaml
+++ b/deploy/charts/external-secrets/templates/deployment.yaml @@ -44,7 +44,7 @@ spec: {{- end }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- if or (.Values.leaderElect) (.Values.scopedNamespace) (.Values.scopedRBAC) (.Values.concurrent) (.Values.extraArgs) }} + {{- if or (.Values.leaderElect) (.Values.scopedNamespace) (.Values.processClusterStore) (.Values.processClusterExternalSecret) (.Values.concurrent) (.Values.extraArgs) }} args: {{- if .Values.leaderElect }} - --enable-leader-election=true @@ -52,8 +52,16 @@ spec: {{- if .Values.scopedNamespace }} - --namespace={{ .Values.scopedNamespace }} {{- end }} - {{- if .Values.scopedRBAC }} + {{- if and .Values.scopedNamespace .Values.scopedRBAC }} - --enable-cluster-store-reconciler=false + - --enable-cluster-external-secret-reconciler=false + {{- else }} + {{- if not .Values.processClusterStore }} + - --enable-cluster-store-reconciler=false + {{- end }} + {{- if not .Values.processClusterExternalSecret }} + - --enable-cluster-external-secret-reconciler=false + {{- end }} {{- end }} {{- if .Values.controllerClass }} - --controller-class={{ .Values.controllerClass }} diff --git a/deploy/charts/external-secrets/values.yaml b/deploy/charts/external-secrets/values.yaml index f6175a0b7..fea287fa9 100644 --- a/deploy/charts/external-secrets/values.yaml +++ b/deploy/charts/external-secrets/values.yaml 
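Review bot: The new condition `{{- if and .Values.scopedNamespace .Values.scopedRBAC }}` means `scopedRBAC: true` with an empty `scopedNamespace` no longer disables either cluster reconciler (the replaced `{{- if .Values.scopedRBAC }}` did), and instead falls through to the `else` branch where both `process*` values default to true. The README and values.yaml text in this commit say the two settings must be used together, but nothing in the template enforces it, so a misconfigured release renders without error. Consider failing the render instead, e.g. `{{- if and .Values.scopedRBAC (not .Values.scopedNamespace) }}{{ fail "scopedRBAC requires scopedNamespace" }}{{- end }}` placed before the `args:` block. Whether the RBAC templates still create cluster-wide or namespaced roles in that combination is outside this hunk.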
@@ -25,13 +25,19 @@ controllerClass: ""
 # provided namespace
 scopedNamespace: ""
 
+# -- Must be used with scopedNamespace. If true, create scoped RBAC roles under the scoped namespace
+# and implicitly disable cluster stores and cluster external secrets
+scopedRBAC: false
+
+# -- if true, the operator will process cluster external secret. Else, it will ignore them.
+processClusterExternalSecret: true
+
+# -- if true, the operator will process cluster store. Else, it will ignore them.
+processClusterStore: true
+
 # -- Specifies whether an external secret operator deployment be created.
 createOperator: true
 
-# -- If true, disable ClusterSecretStore.
-# If scopedNamespace is provided, create scoped RBAC roles under the scoped namespace.
-scopedRBAC: false
-
 # -- Specifies the number of concurrent ExternalSecret Reconciles external-secret executes at
 # a time.
 concurrent: 1
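Review bot: The comments on `processClusterExternalSecret` and `processClusterStore` do not say that both values are ignored when `scopedRBAC` and `scopedNamespace` are set together, which is what the deployment template in this commit does (it then passes both `--enable-*-reconciler=false` flags regardless). Suggest extending each comment, e.g. `# -- If true, the operator processes ClusterExternalSecret resources; otherwise they are ignored. Forced to false when scopedRBAC and scopedNamespace are both set.` and the equivalent wording for ClusterSecretStore. The `scopedRBAC` comment could likewise name the concrete effect — `--enable-cluster-store-reconciler=false` and `--enable-cluster-external-secret-reconciler=false` are passed to the controller — rather than "implicitly disable".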