
fix: remove sourceRef.generatorRef from .data[] (#2735)

fix: deprecate sourceRef.generatorRef from .data[]

A generator is supposed to be used via .dataFrom[]. Usage in .data[]
is not implemented and doesn't make sense, see #2720.

This commit splits the SourceRef into two types:
- one that only defines a secretStoreRef
- one that allows defining either secretStoreRef or generatorRef

The former is used in .data[] and the latter is used in .dataFrom[].

The Deprecated field is going to be removed with v1.

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
This commit is contained in:
Moritz Johner 2023-11-02 14:37:59 +01:00 committed by GitHub
parent 22ca0ad35d
commit 9ff86eab51
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
17 changed files with 162 additions and 66 deletions


@ -197,7 +197,7 @@ type ExternalSecretData struct {
// SourceRef allows you to override the source
// from which the value will pulled from.
SourceRef *SourceRef `json:"sourceRef,omitempty"`
SourceRef *StoreSourceRef `json:"sourceRef,omitempty"`
}
// ExternalSecretDataRemoteRef defines Provider data location.
@ -276,7 +276,7 @@ type ExternalSecretDataFromRemoteRef struct {
// a specific SecretStore.
// When sourceRef points to a generator Extract or Find is not supported.
// The generator returns a static map of values
SourceRef *SourceRef `json:"sourceRef,omitempty"`
SourceRef *StoreGeneratorSourceRef `json:"sourceRef,omitempty"`
}
type ExternalSecretRewrite struct {
@ -357,15 +357,30 @@ type ExternalSecretSpec struct {
DataFrom []ExternalSecretDataFromRemoteRef `json:"dataFrom,omitempty"`
}
// SourceRef allows you to override the source
// StoreSourceRef allows you to override the SecretStore source
// from which the secret will be pulled from.
// You can define at maximum one property.
// +kubebuilder:validation:MaxProperties=1
type SourceRef struct {
type StoreSourceRef struct {
// +optional
SecretStoreRef SecretStoreRef `json:"storeRef"`
// GeneratorRef points to a generator custom resource.
//
// Deprecated: The generatorRef is not implemented in .data[].
// this will be removed with v1.
GeneratorRef *GeneratorRef `json:"generatorRef,omitempty"`
}
// StoreGeneratorSourceRef allows you to override the source
// from which the secret will be pulled from.
// You can define at maximum one property.
// +kubebuilder:validation:MaxProperties=1
type StoreGeneratorSourceRef struct {
// +optional
SecretStoreRef *SecretStoreRef `json:"storeRef,omitempty"`
// GeneratorRef points to a generator custom resource in
// GeneratorRef points to a generator custom resource.
// +optional
GeneratorRef *GeneratorRef `json:"generatorRef,omitempty"`
}
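Review bot: The deprecated GeneratorRef in StoreSourceRef lacks the `// +optional` marker that the same field carries in StoreGeneratorSourceRef, and its Deprecated text does not tell the reader what to use instead, even though the CRD still accepts a sourceRef that contains only generatorRef. Because storeRef is a non-pointer field without omitempty, a Go client that marshals a StoreSourceRef with generatorRef set also emits `storeRef: {}`, which the MaxProperties=1 rule then rejects; the comment should say whether that hard rejection is intended. Suggested wording: `// Deprecated: The generatorRef is not implemented in .data[]; use .dataFrom[].sourceRef.generatorRef instead. This field will be removed with v1.`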


@ -61,7 +61,7 @@ func TestValidateExternalSecret(t *testing.T) {
DataFrom: []ExternalSecretDataFromRemoteRef{
{
Find: &ExternalSecretFind{},
SourceRef: &SourceRef{
SourceRef: &StoreGeneratorSourceRef{
GeneratorRef: &GeneratorRef{},
},
},
@ -77,7 +77,7 @@ func TestValidateExternalSecret(t *testing.T) {
DataFrom: []ExternalSecretDataFromRemoteRef{
{
Extract: &ExternalSecretDataRemoteRef{},
SourceRef: &SourceRef{
SourceRef: &StoreGeneratorSourceRef{
GeneratorRef: &GeneratorRef{},
},
},


@ -889,7 +889,7 @@ func (in *ExternalSecretData) DeepCopyInto(out *ExternalSecretData) {
out.RemoteRef = in.RemoteRef
if in.SourceRef != nil {
in, out := &in.SourceRef, &out.SourceRef
*out = new(SourceRef)
*out = new(StoreSourceRef)
(*in).DeepCopyInto(*out)
}
}
@ -926,7 +926,7 @@ func (in *ExternalSecretDataFromRemoteRef) DeepCopyInto(out *ExternalSecretDataF
}
if in.SourceRef != nil {
in, out := &in.SourceRef, &out.SourceRef
*out = new(SourceRef)
*out = new(StoreGeneratorSourceRef)
(*in).DeepCopyInto(*out)
}
}
@ -2142,7 +2142,7 @@ func (in *SenhaseguraProvider) DeepCopy() *SenhaseguraProvider {
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *SourceRef) DeepCopyInto(out *SourceRef) {
func (in *StoreGeneratorSourceRef) DeepCopyInto(out *StoreGeneratorSourceRef) {
*out = *in
if in.SecretStoreRef != nil {
in, out := &in.SecretStoreRef, &out.SecretStoreRef
@ -2156,12 +2156,33 @@ func (in *SourceRef) DeepCopyInto(out *SourceRef) {
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SourceRef.
func (in *SourceRef) DeepCopy() *SourceRef {
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StoreGeneratorSourceRef.
func (in *StoreGeneratorSourceRef) DeepCopy() *StoreGeneratorSourceRef {
if in == nil {
return nil
}
out := new(SourceRef)
out := new(StoreGeneratorSourceRef)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *StoreSourceRef) DeepCopyInto(out *StoreSourceRef) {
*out = *in
out.SecretStoreRef = in.SecretStoreRef
if in.GeneratorRef != nil {
in, out := &in.GeneratorRef, &out.GeneratorRef
*out = new(GeneratorRef)
**out = **in
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StoreSourceRef.
func (in *StoreSourceRef) DeepCopy() *StoreSourceRef {
if in == nil {
return nil
}
out := new(StoreSourceRef)
in.DeepCopyInto(out)
return out
}


@ -128,8 +128,9 @@ spec:
maxProperties: 1
properties:
generatorRef:
description: GeneratorRef points to a generator custom
resource in
description: "GeneratorRef points to a generator custom
resource. \n Deprecated: The generatorRef is not implemented
in .data[]. this will be removed with v1."
properties:
apiVersion:
default: generators.external-secrets.io/v1alpha1
@ -303,7 +304,7 @@ spec:
properties:
generatorRef:
description: GeneratorRef points to a generator custom
resource in
resource.
properties:
apiVersion:
default: generators.external-secrets.io/v1alpha1


@ -377,8 +377,9 @@ spec:
maxProperties: 1
properties:
generatorRef:
description: GeneratorRef points to a generator custom resource
in
description: "GeneratorRef points to a generator custom
resource. \n Deprecated: The generatorRef is not implemented
in .data[]. this will be removed with v1."
properties:
apiVersion:
default: generators.external-secrets.io/v1alpha1
@ -550,8 +551,7 @@ spec:
maxProperties: 1
properties:
generatorRef:
description: GeneratorRef points to a generator custom resource
in
description: GeneratorRef points to a generator custom resource.
properties:
apiVersion:
default: generators.external-secrets.io/v1alpha1


@ -112,7 +112,7 @@ spec:
maxProperties: 1
properties:
generatorRef:
description: GeneratorRef points to a generator custom resource in
description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1."
properties:
apiVersion:
default: generators.external-secrets.io/v1alpha1
@ -256,7 +256,7 @@ spec:
maxProperties: 1
properties:
generatorRef:
description: GeneratorRef points to a generator custom resource in
description: GeneratorRef points to a generator custom resource.
properties:
apiVersion:
default: generators.external-secrets.io/v1alpha1
@ -3840,7 +3840,7 @@ spec:
maxProperties: 1
properties:
generatorRef:
description: GeneratorRef points to a generator custom resource in
description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1."
properties:
apiVersion:
default: generators.external-secrets.io/v1alpha1
@ -3984,7 +3984,7 @@ spec:
maxProperties: 1
properties:
generatorRef:
description: GeneratorRef points to a generator custom resource in
description: GeneratorRef points to a generator custom resource.
properties:
apiVersion:
default: generators.external-secrets.io/v1alpha1


@ -2454,8 +2454,8 @@ which secret (version/property/..) to fetch.</p>
<td>
<code>sourceRef</code></br>
<em>
<a href="#external-secrets.io/v1beta1.SourceRef">
SourceRef
<a href="#external-secrets.io/v1beta1.StoreSourceRef">
StoreSourceRef
</a>
</em>
</td>
@ -2531,8 +2531,8 @@ Multiple Rewrite operations can be provided. They are applied in a layered order
<td>
<code>sourceRef</code></br>
<em>
<a href="#external-secrets.io/v1beta1.SourceRef">
SourceRef
<a href="#external-secrets.io/v1beta1.StoreGeneratorSourceRef">
StoreGeneratorSourceRef
</a>
</em>
</td>
@ -3710,7 +3710,8 @@ string
</h3>
<p>
(<em>Appears on:</em>
<a href="#external-secrets.io/v1beta1.SourceRef">SourceRef</a>)
<a href="#external-secrets.io/v1beta1.StoreGeneratorSourceRef">StoreGeneratorSourceRef</a>,
<a href="#external-secrets.io/v1beta1.StoreSourceRef">StoreSourceRef</a>)
</p>
<p>
<p>GeneratorRef points to a generator custom resource.</p>
@ -5249,7 +5250,8 @@ DelineaProvider
<p>
(<em>Appears on:</em>
<a href="#external-secrets.io/v1beta1.ExternalSecretSpec">ExternalSecretSpec</a>,
<a href="#external-secrets.io/v1beta1.SourceRef">SourceRef</a>)
<a href="#external-secrets.io/v1beta1.StoreGeneratorSourceRef">StoreGeneratorSourceRef</a>,
<a href="#external-secrets.io/v1beta1.StoreSourceRef">StoreSourceRef</a>)
</p>
<p>
<p>SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.</p>
@ -5671,15 +5673,14 @@ bool
</tr>
</tbody>
</table>
<h3 id="external-secrets.io/v1beta1.SourceRef">SourceRef
<h3 id="external-secrets.io/v1beta1.StoreGeneratorSourceRef">StoreGeneratorSourceRef
</h3>
<p>
(<em>Appears on:</em>
<a href="#external-secrets.io/v1beta1.ExternalSecretData">ExternalSecretData</a>,
<a href="#external-secrets.io/v1beta1.ExternalSecretDataFromRemoteRef">ExternalSecretDataFromRemoteRef</a>)
</p>
<p>
<p>SourceRef allows you to override the source
<p>StoreGeneratorSourceRef allows you to override the source
from which the secret will be pulled from.
You can define at maximum one property.</p>
</p>
@ -5715,7 +5716,56 @@ GeneratorRef
</td>
<td>
<em>(Optional)</em>
<p>GeneratorRef points to a generator custom resource in</p>
<p>GeneratorRef points to a generator custom resource.</p>
</td>
</tr>
</tbody>
</table>
<h3 id="external-secrets.io/v1beta1.StoreSourceRef">StoreSourceRef
</h3>
<p>
(<em>Appears on:</em>
<a href="#external-secrets.io/v1beta1.ExternalSecretData">ExternalSecretData</a>)
</p>
<p>
<p>StoreSourceRef allows you to override the SecretStore source
from which the secret will be pulled from.
You can define at maximum one property.</p>
</p>
<table>
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<code>storeRef</code></br>
<em>
<a href="#external-secrets.io/v1beta1.SecretStoreRef">
SecretStoreRef
</a>
</em>
</td>
<td>
<em>(Optional)</em>
</td>
</tr>
<tr>
<td>
<code>generatorRef</code></br>
<em>
<a href="#external-secrets.io/v1beta1.GeneratorRef">
GeneratorRef
</a>
</em>
</td>
<td>
<p>GeneratorRef points to a generator custom resource.</p>
<p>Deprecated: The generatorRef is not implemented in .data[].
this will be removed with v1.</p>
</td>
</tr>
</tbody>


@ -84,12 +84,6 @@ spec:
name: aws-secretstore
kind: ClusterSecretStore
# point to a generator resource that provides the secret value
generatorRef:
apiVersion: generators.external-secrets.io/v1alpha1
kind: Password
name: db-password
# Used to fetch all properties from the Provider key
# If multiple dataFrom are specified, secrets are merged in the specified order
dataFrom:


@ -85,7 +85,7 @@ var _ = Describe("ecr generator", Label("ecr"), func() {
customResourceGenerator := func(tc *testCase) {
tc.ExternalSecret.Spec.DataFrom = []esv1beta1.ExternalSecretDataFromRemoteRef{
{
SourceRef: &esv1beta1.SourceRef{
SourceRef: &esv1beta1.StoreGeneratorSourceRef{
GeneratorRef: &esv1beta1.GeneratorRef{
// we don't need to specify the apiVersion,
// this should be inferred by the controller.


@ -58,7 +58,7 @@ var _ = Describe("fake generator", Label("fake"), func() {
customResourceGenerator := func(tc *testCase) {
tc.ExternalSecret.Spec.DataFrom = []esv1beta1.ExternalSecretDataFromRemoteRef{
{
SourceRef: &esv1beta1.SourceRef{
SourceRef: &esv1beta1.StoreGeneratorSourceRef{
GeneratorRef: &esv1beta1.GeneratorRef{
// we don't need to specify the apiVersion,
// this should be inferred by the controller.


@ -51,7 +51,7 @@ var _ = Describe("password generator", Label("password"), func() {
customResourceGenerator := func(tc *testCase) {
tc.ExternalSecret.Spec.DataFrom = []esv1beta1.ExternalSecretDataFromRemoteRef{
{
SourceRef: &esv1beta1.SourceRef{
SourceRef: &esv1beta1.StoreGeneratorSourceRef{
GeneratorRef: &esv1beta1.GeneratorRef{
// we don't need to specify the apiVersion,
// this should be inferred by the controller.


@ -88,14 +88,19 @@ func (p *secretStoreProvider) DeleteSecret(key string) {
gomega.Expect(key).To(gomega.HavePrefix(remoteRefPrefix))
secretName := key[len(remoteRefPrefix):]
secret, err := p.api.GetSecretByName(&smapi.GetSecretByNameRequest{
SecretName: secretName,
p.api.GetSecret(&smapi.GetSecretRequest{
Region: "",
SecretID: "",
})
res, err := p.api.ListSecrets(&smapi.ListSecretsRequest{
Name: &secretName,
})
if _, isErrNotFound := err.(*scw.ResourceNotFoundError); isErrNotFound {
return
}
gomega.Expect(err).ToNot(gomega.HaveOccurred())
for _, secret := range res.Secrets {
err = p.api.DeleteSecret(&smapi.DeleteSecretRequest{
SecretID: secret.ID,
})
@ -104,3 +109,4 @@ func (p *secretStoreProvider) DeleteSecret(key string) {
}
gomega.Expect(err).ToNot(gomega.HaveOccurred())
}
}
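Review bot: The `p.api.GetSecret(&smapi.GetSecretRequest{Region: "", SecretID: ""})` call, which appears to be on the new side, is made with empty identifiers and discards both its result and its error, so it can only add a failing round-trip to the test; drop it, or keep its error if it is meant as a probe. The loop that follows deletes every secret returned by ListSecrets for the filter `Name: &secretName`; if the API treats that filter as a prefix or substring match rather than exact equality, the cleanup would remove unrelated secrets in the shared test project, so comparing the returned secret's name against `secretName` before calling DeleteSecret would keep the cleanup exact. A paginated ListSecrets response could also leave matches undeleted; worth confirming the default page size covers the test's namespace. DeleteSecret's body starts before the hunk.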


@ -507,8 +507,8 @@ func shouldSkipUnmanagedStore(ctx context.Context, namespace string, r *Reconcil
}
for _, ref := range es.Spec.Data {
if ref.SourceRef != nil && ref.SourceRef.SecretStoreRef != nil {
storeList = append(storeList, *ref.SourceRef.SecretStoreRef)
if ref.SourceRef != nil {
storeList = append(storeList, ref.SourceRef.SecretStoreRef)
}
}
@ -519,7 +519,7 @@ func shouldSkipUnmanagedStore(ctx context.Context, namespace string, r *Reconcil
// verify that generator's controllerClass matches
if ref.SourceRef != nil && ref.SourceRef.GeneratorRef != nil {
genDef, err := r.getGeneratorDefinition(ctx, namespace, ref.SourceRef)
genDef, err := r.getGeneratorDefinition(ctx, namespace, ref.SourceRef.GeneratorRef)
if err != nil {
return false, err
}


@ -89,7 +89,7 @@ func (r *Reconciler) getProviderSecretData(ctx context.Context, externalSecret *
}
func (r *Reconciler) handleSecretData(ctx context.Context, i int, externalSecret esv1beta1.ExternalSecret, secretRef esv1beta1.ExternalSecretData, providerData map[string][]byte, cmgr *secretstore.Manager) error {
client, err := cmgr.Get(ctx, externalSecret.Spec.SecretStoreRef, externalSecret.Namespace, secretRef.SourceRef)
client, err := cmgr.Get(ctx, externalSecret.Spec.SecretStoreRef, externalSecret.Namespace, toStoreGenSourceRef(secretRef.SourceRef))
if err != nil {
return err
}
@ -105,8 +105,17 @@ func (r *Reconciler) handleSecretData(ctx context.Context, i int, externalSecret
return nil
}
func toStoreGenSourceRef(ref *esv1beta1.StoreSourceRef) *esv1beta1.StoreGeneratorSourceRef {
if ref == nil {
return nil
}
return &esv1beta1.StoreGeneratorSourceRef{
SecretStoreRef: &ref.SecretStoreRef,
}
}
func (r *Reconciler) handleGenerateSecrets(ctx context.Context, namespace string, remoteRef esv1beta1.ExternalSecretDataFromRemoteRef, i int) (map[string][]byte, error) {
genDef, err := r.getGeneratorDefinition(ctx, namespace, remoteRef.SourceRef)
genDef, err := r.getGeneratorDefinition(ctx, namespace, remoteRef.SourceRef.GeneratorRef)
if err != nil {
return nil, err
}
@ -130,7 +139,7 @@ func (r *Reconciler) handleGenerateSecrets(ctx context.Context, namespace string
// getGeneratorDefinition returns the generator JSON for a given sourceRef
// when it uses a generatorRef it fetches the resource and returns the JSON.
func (r *Reconciler) getGeneratorDefinition(ctx context.Context, namespace string, sourceRef *esv1beta1.SourceRef) (*apiextensions.JSON, error) {
func (r *Reconciler) getGeneratorDefinition(ctx context.Context, namespace string, generatorRef *esv1beta1.GeneratorRef) (*apiextensions.JSON, error) {
// client-go dynamic client needs a GVR to fetch the resource
// But we only have the GVK in our generatorRef.
//
@ -142,14 +151,14 @@ func (r *Reconciler) getGeneratorDefinition(ctx context.Context, namespace strin
return nil, err
}
gv, err := schema.ParseGroupVersion(sourceRef.GeneratorRef.APIVersion)
gv, err := schema.ParseGroupVersion(generatorRef.APIVersion)
if err != nil {
return nil, err
}
mapper := restmapper.NewDiscoveryRESTMapper(groupResources)
mapping, err := mapper.RESTMapping(schema.GroupKind{
Group: gv.Group,
Kind: sourceRef.GeneratorRef.Kind,
Kind: generatorRef.Kind,
})
if err != nil {
return nil, err
@ -160,7 +169,7 @@ func (r *Reconciler) getGeneratorDefinition(ctx context.Context, namespace strin
}
res, err := d.Resource(mapping.Resource).
Namespace(namespace).
Get(ctx, sourceRef.GeneratorRef.Name, metav1.GetOptions{})
Get(ctx, generatorRef.Name, metav1.GetOptions{})
if err != nil {
return nil, err
}
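Review bot: toStoreGenSourceRef drops `ref.GeneratorRef` without any signal and always returns a non-nil SecretStoreRef, so a `.data[]` entry that still sets the deprecated generatorRef (or an empty sourceRef) makes Manager.Get's `sourceRef.SecretStoreRef != nil` branch replace the spec-level storeRef with a zero-valued reference; the user then gets a store-lookup failure that never names the unsupported field, and an empty sourceRef that previously fell back to the default store now fails. Rejecting the deprecated field explicitly in handleSecretData and returning nil from the conversion when no store name is set gives a clear error and restores the fallback; `fmt` must be in scope in this file for the quoted error. handleSecretData continues past the hunk.

```go
func (r *Reconciler) handleSecretData(ctx context.Context, i int, externalSecret esv1beta1.ExternalSecret, secretRef esv1beta1.ExternalSecretData, providerData map[string][]byte, cmgr *secretstore.Manager) error {
	// generatorRef is only implemented for .dataFrom[]; fail loudly rather than
	// silently falling through to a store lookup.
	if secretRef.SourceRef != nil && secretRef.SourceRef.GeneratorRef != nil {
		return fmt.Errorf("sourceRef.generatorRef is not supported in .data[%d], use .dataFrom[] instead", i)
	}
	client, err := cmgr.Get(ctx, externalSecret.Spec.SecretStoreRef, externalSecret.Namespace, toStoreGenSourceRef(secretRef.SourceRef))
	// … unchanged: rest of handleSecretData …

// toStoreGenSourceRef adapts a .data[] source reference for Manager.Get.
// It returns nil when no store is named so the spec-level storeRef stays in effect.
func toStoreGenSourceRef(ref *esv1beta1.StoreSourceRef) *esv1beta1.StoreGeneratorSourceRef {
	if ref == nil || ref.SecretStoreRef.Name == "" {
		return nil
	}
	return &esv1beta1.StoreGeneratorSourceRef{
		SecretStoreRef: &ref.SecretStoreRef,
	}
}
```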


@ -527,7 +527,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
tc.externalSecret.Spec.Data = nil
tc.externalSecret.Spec.DataFrom = []esv1beta1.ExternalSecretDataFromRemoteRef{
{
SourceRef: &esv1beta1.SourceRef{
SourceRef: &esv1beta1.StoreGeneratorSourceRef{
GeneratorRef: &esv1beta1.GeneratorRef{
APIVersion: genv1alpha1.Group + "/" + genv1alpha1.Version,
Kind: "Fake",
@ -652,7 +652,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
Extract: &esv1beta1.ExternalSecretDataRemoteRef{
Key: "foo",
},
SourceRef: &esv1beta1.SourceRef{
SourceRef: &esv1beta1.StoreGeneratorSourceRef{
SecretStoreRef: &esv1beta1.SecretStoreRef{
Name: "foo",
Kind: esv1beta1.SecretStoreKind,
@ -663,7 +663,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
Extract: &esv1beta1.ExternalSecretDataRemoteRef{
Key: "baz",
},
SourceRef: &esv1beta1.SourceRef{
SourceRef: &esv1beta1.StoreGeneratorSourceRef{
SecretStoreRef: &esv1beta1.SecretStoreRef{
Name: "baz",
Kind: esv1beta1.SecretStoreKind,


@ -103,7 +103,7 @@ func (m *Manager) GetFromStore(ctx context.Context, store esv1beta1.GenericStore
// while sourceRef.SecretStoreRef takes precedence over storeRef.
// Do not close the client returned from this func, instead close
// the manager once you're done with recinciling the external secret.
func (m *Manager) Get(ctx context.Context, storeRef esv1beta1.SecretStoreRef, namespace string, sourceRef *esv1beta1.SourceRef) (esv1beta1.SecretsClient, error) {
func (m *Manager) Get(ctx context.Context, storeRef esv1beta1.SecretStoreRef, namespace string, sourceRef *esv1beta1.StoreGeneratorSourceRef) (esv1beta1.SecretsClient, error) {
if sourceRef != nil && sourceRef.SecretStoreRef != nil {
storeRef = *sourceRef.SecretStoreRef
}


@ -100,7 +100,7 @@ func TestManagerGet(t *testing.T) {
type args struct {
storeRef esv1beta1.SecretStoreRef
namespace string
sourceRef *esv1beta1.SourceRef
sourceRef *esv1beta1.StoreGeneratorSourceRef
}
tests := []struct {
name string
@ -168,7 +168,7 @@ func TestManagerGet(t *testing.T) {
Kind: esv1beta1.SecretStoreKind,
},
// this should take precedence
sourceRef: &esv1beta1.SourceRef{
sourceRef: &esv1beta1.StoreGeneratorSourceRef{
SecretStoreRef: &esv1beta1.SecretStoreRef{
Name: otherStore.Name,
Kind: esv1beta1.SecretStoreKind,