From 8ef07f515df81a493206839359c53b9b3cb71c1b Mon Sep 17 00:00:00 2001 From: Tsubasa Nagasawa Date: Tue, 18 Jun 2024 07:50:45 +0900 Subject: [PATCH] feat(chart): Enable partial cache for certcontroller when installCRDs=true (#3589) * chore(chart): Remove unnecessary line breaks to format the list of args Signed-off-by: Tsubasa Nagasawa * feat(chart): Enable partial cache for certcontroller when installCRDs=true If CRDs are managed by a Helm chart, the addition of the label to the CRDs required for the partial cache feature is reflected in the update. Therefore, if installCRDs=true, the partial cache feature is automatically enabled. Signed-off-by: Tsubasa Nagasawa * fix: run ct using main images Signed-off-by: Moritz Johner * fix: set helm test values Signed-off-by: Moritz Johner * chore: bump CRDs in helm tests Signed-off-by: Moritz Johner --------- Signed-off-by: Tsubasa Nagasawa Signed-off-by: Moritz Johner Co-authored-by: Moritz Johner --- .../external-secrets/ci/main-values.yaml | 8 ++ .../templates/cert-controller-deployment.yaml | 7 +- .../cert_controller_test.yaml.snap | 1 + .../tests/__snapshot__/crds_test.yaml.snap | 114 ++++++++++++++++++ 4 files changed, 128 insertions(+), 2 deletions(-) diff --git a/deploy/charts/external-secrets/ci/main-values.yaml b/deploy/charts/external-secrets/ci/main-values.yaml index 75eb234e3..61b16e836 100644 --- a/deploy/charts/external-secrets/ci/main-values.yaml +++ b/deploy/charts/external-secrets/ci/main-values.yaml @@ -1,2 +1,10 @@ image: tag: main + +webhook: + image: + tag: main + +certController: + image: + tag: main diff --git a/deploy/charts/external-secrets/templates/cert-controller-deployment.yaml b/deploy/charts/external-secrets/templates/cert-controller-deployment.yaml index cf045a03a..a843f045a 100644 --- a/deploy/charts/external-secrets/templates/cert-controller-deployment.yaml +++ b/deploy/charts/external-secrets/templates/cert-controller-deployment.yaml 
@@ -62,10 +62,13 @@ spec: - --healthz-addr={{ .Values.certController.readinessProbe.address }}:{{ .Values.certController.readinessProbe.port }} - --loglevel={{ .Values.certController.log.level }} - --zap-time-encoding={{ .Values.certController.log.timeEncoding }} - {{ if not .Values.crds.createClusterSecretStore -}} + {{- if not .Values.crds.createClusterSecretStore }} - --crd-names=externalsecrets.external-secrets.io - --crd-names=secretstores.external-secrets.io - {{- end -}} + {{- end }} + {{- if .Values.installCRDs }} + - --enable-partial-cache=true + {{- end }} {{- range $key, $value := .Values.certController.extraArgs }} {{- if $value }} - --{{ $key }}={{ $value }} diff --git a/deploy/charts/external-secrets/tests/__snapshot__/cert_controller_test.yaml.snap b/deploy/charts/external-secrets/tests/__snapshot__/cert_controller_test.yaml.snap index 70f95f29f..3700d6b7e 100644 --- a/deploy/charts/external-secrets/tests/__snapshot__/cert_controller_test.yaml.snap +++ b/deploy/charts/external-secrets/tests/__snapshot__/cert_controller_test.yaml.snap @@ -40,6 +40,7 @@ should match snapshot of default values: - --healthz-addr=:8081 - --loglevel=info - --zap-time-encoding=epoch + - --enable-partial-cache=true image: ghcr.io/external-secrets/external-secrets:v0.9.19 imagePullPolicy: IfNotPresent name: cert-controller diff --git a/deploy/charts/external-secrets/tests/__snapshot__/crds_test.yaml.snap b/deploy/charts/external-secrets/tests/__snapshot__/crds_test.yaml.snap index d4183d8c7..1b789904c 100644 --- a/deploy/charts/external-secrets/tests/__snapshot__/crds_test.yaml.snap +++ b/deploy/charts/external-secrets/tests/__snapshot__/crds_test.yaml.snap @@ -5,6 +5,8 @@ should match snapshot of default values: metadata: annotations: controller-gen.kubebuilder.io/version: v0.15.0 + labels: + external-secrets.io/component: controller name: secretstores.external-secrets.io spec: conversion: 
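Review bot: In templates/cert-controller-deployment.yaml the new `--enable-partial-cache=true` argument is gated on `.Values.installCRDs` alone and is emitted before the `extraArgs` range. A release that already passes `enable-partial-cache` through `certController.extraArgs` therefore renders the flag twice, and the effective value is left to the binary's flag parsing. Consider skipping the built-in argument when the user supplies their own, e.g. `{{- if and .Values.installCRDs (not (hasKey .Values.certController.extraArgs "enable-partial-cache")) }}` (this assumes `extraArgs` always defaults to a map). The gate also deserves a template comment such as `{{- /* partial cache relies on the external-secrets.io/component label carried by chart-managed CRDs */}}`. Per the commit message the feature depends on that label, so an unlabelled CRD would presumably drop out of the cert-controller's view and stop being reconciled. The args list starts and ends outside this hunk.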
@@ -1555,6 +1557,11 @@ should match snapshot of default values: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. properties: + namespaceRegexes: + description: Choose namespaces by using regex matching + items: + type: string + type: array namespaceSelector: description: Choose namespace using a labelSelector properties: @@ -2412,6 +2419,42 @@ should match snapshot of default values: - clientSecret - tenant type: object + device42: + description: Device42 configures this store to sync secrets using the Device42 provider + properties: + auth: + description: Auth configures how secret-manager authenticates with a Device42 instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + host: + description: URL configures the Device42 instance URL. + type: string + required: + - auth + - host + type: object doppler: description: Doppler configures this store to sync secrets using the Doppler provider properties: 
@@ -2693,6 +2736,77 @@ should match snapshot of default values: required: - auth type: object + infisical: + description: Infisical configures this store to sync secrets using the Infisical provider + properties: + auth: + description: Auth configures how the Operator authenticates with the Infisical API + properties: + universalAuthCredentials: + properties: + clientId: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + clientSecret: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
+ type: string + type: object + required: + - clientId + - clientSecret + type: object + type: object + hostAPI: + default: https://app.infisical.com/api + type: string + secretsScope: + properties: + environmentSlug: + type: string + projectSlug: + type: string + secretsPath: + default: / + type: string + required: + - environmentSlug + - projectSlug + type: object + required: + - auth + - secretsScope + type: object keepersecurity: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: