From 5e3c3e8d3fdb55ebe3be9e3db11f78b46b1ab383 Mon Sep 17 00:00:00 2001 From: Jonatas Baldin Date: Wed, 6 Jan 2021 16:49:59 +0100 Subject: [PATCH 01/11] Fix README examples and resource samples --- README.md | 2 +- config/samples/external-secrets_v1alpha1_externalsecret.yaml | 4 ++-- config/samples/external-secrets_v1alpha1_secretstore.yaml | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 72a67fc6b..a2c350daf 100644 --- a/README.md +++ b/README.md @@ -34,7 +34,7 @@ make run Apply the sample resources: ```shell kubectl apply -f config/samples/external-secrets_v1alpha1_secretstore.yaml -kubectl applt -f config/samples/external-secrets_v1alpha1_externalsecret.yaml +kubectl apply -f config/samples/external-secrets_v1alpha1_externalsecret.yaml ``` We will add more documentation once we have the implementation for the different providers. diff --git a/config/samples/external-secrets_v1alpha1_externalsecret.yaml b/config/samples/external-secrets_v1alpha1_externalsecret.yaml index 5aa07be2b..ecf61e60d 100644 --- a/config/samples/external-secrets_v1alpha1_externalsecret.yaml +++ b/config/samples/external-secrets_v1alpha1_externalsecret.yaml @@ -11,7 +11,7 @@ spec: name: secret-to-be-created creationPolicy: Owner - refreshInternal: 1h + refreshInterval: 1h data: - secretKey: secret-key-to-be-managed @@ -22,4 +22,4 @@ spec: dataFrom: - remoteRef: - key: remote-key-in-the-provider + key: remote-key-in-the-provider diff --git a/config/samples/external-secrets_v1alpha1_secretstore.yaml b/config/samples/external-secrets_v1alpha1_secretstore.yaml index f686b82b6..c2a59d13a 100644 --- a/config/samples/external-secrets_v1alpha1_secretstore.yaml +++ b/config/samples/external-secrets_v1alpha1_secretstore.yaml @@ -9,11 +9,11 @@ spec: awssm: auth: secretRef: - accessKeyID: + accessKeyIDSecretRef: name: awssm-secret key: access-key - secretAccessKey: + secretAccessKeySecretRef: name: awssm-secret key: secret-access-key 
From 1845b77c0cdddecf79e74db6a5276e6d05eaddee Mon Sep 17 00:00:00 2001 From: Jonatas Baldin Date: Wed, 6 Jan 2021 16:50:16 +0100 Subject: [PATCH 02/11] Add base for SecretStore controller --- controllers/externalsecret_controller.go | 120 ++++++++++++++++++++++- controllers/utils.go | 22 +++++ 2 files changed, 137 insertions(+), 5 deletions(-) create mode 100644 controllers/utils.go diff --git a/controllers/externalsecret_controller.go b/controllers/externalsecret_controller.go index beaefd4ce..72c768e74 100644 --- a/controllers/externalsecret_controller.go +++ b/controllers/externalsecret_controller.go @@ -16,13 +16,26 @@ package controllers import ( "context" + "fmt" + "time" "github.com/go-logr/logr" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/types" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil" - externalsecretsv1alpha1 "github.com/external-secrets/external-secrets/api/v1alpha1" + esv1alpha1 "github.com/external-secrets/external-secrets/api/v1alpha1" + "github.com/external-secrets/external-secrets/pkg/provider" + _ "github.com/external-secrets/external-secrets/pkg/provider/register" + "github.com/external-secrets/external-secrets/pkg/provider/schema" +) + +const ( + requeueAfter = time.Second * 30 ) // ExternalSecretReconciler reconciles a ExternalSecret object. 
@@ -36,16 +49,113 @@ type ExternalSecretReconciler struct { // +kubebuilder:rbac:groups=external-secrets.io,resources=externalsecrets/status,verbs=get;update;patch func (r *ExternalSecretReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) { - _ = context.Background() - _ = r.Log.WithValues("externalsecret", req.NamespacedName) + ctx := context.Background() + log := r.Log.WithValues("external-secrets", req.NamespacedName) - // your logic here + var externalSecret esv1alpha1.ExternalSecret + + err := r.Get(ctx, req.NamespacedName, &externalSecret) + if err != nil { + log.Error(err, "could not get ExternalSecret") + return ctrl.Result{}, client.IgnoreNotFound(err) + } + + secret := &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: externalSecret.Name, + Namespace: externalSecret.Namespace, + }, + } + + _, err = ctrl.CreateOrUpdate(ctx, r.Client, secret, func() error { + store, err := r.getStore(ctx, &externalSecret) + if err != nil { + return fmt.Errorf("could not get store reference from ExternalSecret %q: %w", externalSecret.Name, err) + } + + storeProvider, err := schema.GetProvider(store) + if err != nil { + // TODO: add SecretStore name to the log message + return fmt.Errorf("could not get store provider: %w", err) + } + + // TODO: Does the * work? + // If not, should I change the Provider interface? + providerClient, err := storeProvider.New(ctx, *store.GetProvider(), r.Client, req.Namespace) + if err != nil { + return fmt.Errorf("could not get provider client: %w", err) + } + + err = controllerutil.SetControllerReference(&externalSecret, &secret.ObjectMeta, r.Scheme) + if err != nil { + return fmt.Errorf("could not set ExternalSecret controller reference: %w", err) + } + + secret.Labels = externalSecret.Labels + secret.Annotations = externalSecret.Annotations + + // TODO: Pass reference to the client (not a copy)? 
+ secret.Data, err = r.getProviderSecretData(ctx, providerClient, &externalSecret) + if err != nil { + return fmt.Errorf("could not get secret data from provider: %w", err) + } + + return nil + }) + + if err != nil { + log.Error(err, "could not reconcile ExternalSecret") + + // TODO: Set ExternalSecret.Status.Conditions + return ctrl.Result{RequeueAfter: requeueAfter}, nil + } return ctrl.Result{}, nil } +func (r *ExternalSecretReconciler) getStore(ctx context.Context, externalSecret *esv1alpha1.ExternalSecret) (esv1alpha1.GenericStore, error) { + // TODO: Implement getting ClusterSecretStore + var secretStore esv1alpha1.SecretStore + + ref := types.NamespacedName{ + Name: externalSecret.Spec.SecretStoreRef.Name, + Namespace: externalSecret.Namespace, + } + + err := r.Get(ctx, ref, &secretStore) + if err != nil { + return nil, fmt.Errorf("could not get SecretStore %q, %w", ref.Name, err) + } + + return &secretStore, nil +} + +func (r *ExternalSecretReconciler) getProviderSecretData(ctx context.Context, providerClient provider.Provider, externalSecret *esv1alpha1.ExternalSecret) (map[string][]byte, error) { + providerData := make(map[string][]byte) + + for _, remoteRef := range externalSecret.Spec.DataFrom { + secretMap, err := providerClient.GetSecretMap(ctx, remoteRef) + if err != nil { + return nil, fmt.Errorf("key %q from ExternalSecret %q: %w", remoteRef.Key, externalSecret.Name, err) + } + + providerData = Merge(providerData, secretMap) + } + + for _, secretRef := range externalSecret.Spec.Data { + secretData, err := providerClient.GetSecret(ctx, secretRef.RemoteRef) + if err != nil { + return nil, fmt.Errorf("key %q from ExternalSecret %q: %w", secretRef.RemoteRef.Key, externalSecret.Name, err) + } + + providerData[secretRef.SecretKey] = secretData + } + + return providerData, nil +} + func (r *ExternalSecretReconciler) SetupWithManager(mgr ctrl.Manager) error { return ctrl.NewControllerManagedBy(mgr). - For(&externalsecretsv1alpha1.ExternalSecret{}). 
+ For(&esv1alpha1.ExternalSecret{}). Complete(r) } diff --git a/controllers/utils.go b/controllers/utils.go new file mode 100644 index 000000000..adf95db09 --- /dev/null +++ b/controllers/utils.go @@ -0,0 +1,22 @@ +/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package controllers + +func Merge(src, dst map[string][]byte) map[string][]byte { + for k, v := range dst { + src[k] = v + } + return src +} From 31618e0d0c44c4b04a65650d1b17cc41ff9c9c83 Mon Sep 17 00:00:00 2001 From: Jonatas Baldin Date: Wed, 6 Jan 2021 16:50:35 +0100 Subject: [PATCH 03/11] Add changes to go mod after running `go mod tidy` --- go.mod | 5 ++++- go.sum | 9 +++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 9ddf8c20b..15b5018ab 100644 --- a/go.mod +++ b/go.mod @@ -4,9 +4,12 @@ go 1.13 require ( github.com/go-logr/logr v0.1.0 + github.com/kr/pretty v0.2.0 // indirect github.com/onsi/ginkgo v1.11.0 github.com/onsi/gomega v1.8.1 - github.com/stretchr/testify v1.4.0 + github.com/stretchr/testify v1.6.1 + gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect + gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c // indirect k8s.io/api v0.17.2 k8s.io/apimachinery v0.17.2 k8s.io/client-go v0.17.2 diff --git a/go.sum b/go.sum index 0a79b4765..ad8083ea8 100644 --- a/go.sum +++ b/go.sum 
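Review bot: A successful reconcile ends with `return ctrl.Result{}, nil`, so the ExternalSecret's `refreshInterval` (the sample in PATCH 01 sets it to `1h`) is never honored and the backend value is only re-read on a watch event for the ExternalSecret itself; a credential rotated in the provider would not reach the cluster until some unrelated edit triggers a reconcile. On success return a result that requeues after that interval, e.g. `return ctrl.Result{RequeueAfter: <spec refresh interval>}, nil` (the Go field backing `refreshInterval` is not on this page, so the expression is a placeholder). Separately, `secret.Labels = externalSecret.Labels` and `secret.Annotations = externalSecret.Annotations` copy every label and annotation of the ExternalSecret onto the managed Secret, including tooling annotations such as `kubectl.kubernetes.io/last-applied-configuration`; either document that propagation in a comment on those two lines or restrict it to an explicit allow-list of keys.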
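Review bot: `Merge(src, dst ...)` writes the entries of `dst` into `src` and returns `src`, the opposite of what its parameter names say; the caller in `getProviderSecretData` (`Merge(providerData, secretMap)`) relies on the first argument being the accumulator. Swap the names so the signature matches the behaviour: `func Merge(dst, src map[string][]byte) map[string][]byte {`, `for k, v := range src {`, `dst[k] = v`. The function panics if its first argument is a nil map (safe today only because the caller passes a `make`d map), and as an exported function it needs a doc comment, e.g. `// Merge copies every entry of src into dst, overwriting existing keys, and returns dst; dst must be non-nil.`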
@@ -183,6 +183,8 @@ github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxv github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pretty v0.2.0 h1:s5hAObm+yFO5uHYt5dYjxi2rXrsnmRpJx4OYvIWUaQs= +github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA= github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= @@ -270,6 +272,8 @@ github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXf github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= +github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0= +github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk= github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0= 
@@ -397,6 +401,8 @@ gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLks gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo= +gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4= gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= @@ -412,6 +418,9 @@ gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.4 h1:/eiJrUcujPVeJ3xlSWaiNi3uSVmDGBK1pDHUHAnao1I= gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c h1:grhR+C34yXImVGp7EzNk+DTIk+323eIUWOmEevy6bDo= +gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= From 87ed4ed118219774c8bfacd6043a45754168901b Mon Sep 17 00:00:00 2001 
From: Jonatas Baldin Date: Thu, 7 Jan 2021 11:40:37 +0100 Subject: [PATCH 04/11] Watch for owned corev1.Secrets on the ExternalSecret reconciler --- controllers/externalsecret_controller.go | 1 + 1 file changed, 1 insertion(+) diff --git a/controllers/externalsecret_controller.go b/controllers/externalsecret_controller.go index 72c768e74..45b244e2b 100644 --- a/controllers/externalsecret_controller.go +++ b/controllers/externalsecret_controller.go @@ -157,5 +157,6 @@ func (r *ExternalSecretReconciler) getProviderSecretData(ctx context.Context, pr func (r *ExternalSecretReconciler) SetupWithManager(mgr ctrl.Manager) error { return ctrl.NewControllerManagedBy(mgr). For(&esv1alpha1.ExternalSecret{}). + Owns(&corev1.Secret{}). Complete(r) } From 8ee64d918ec699ad0f34ae898e30550430723616 Mon Sep 17 00:00:00 2001 From: Jonatas Baldin Date: Thu, 7 Jan 2021 11:51:16 +0100 Subject: [PATCH 05/11] Enable the New() method on the Prodiver interface to receive a GenericStore instead of a SecretStoreProvider) --- controllers/externalsecret_controller.go | 4 +--- pkg/provider/aws/secretsmanager/secretsmanager.go | 2 +- pkg/provider/fake/fake.go | 8 ++++---- pkg/provider/provider.go | 2 +- pkg/provider/schema/schema_test.go | 2 +- 5 files changed, 8 insertions(+), 10 deletions(-) diff --git a/controllers/externalsecret_controller.go b/controllers/externalsecret_controller.go index 45b244e2b..6fccfb2af 100644 --- a/controllers/externalsecret_controller.go +++ b/controllers/externalsecret_controller.go 
@@ -79,9 +79,7 @@ func (r *ExternalSecretReconciler) Reconcile(req ctrl.Request) (ctrl.Result, err return fmt.Errorf("could not get store provider: %w", err) } - // TODO: Does the * work? - // If not, should I change the Provider interface? - providerClient, err := storeProvider.New(ctx, *store.GetProvider(), r.Client, req.Namespace) + providerClient, err := storeProvider.New(ctx, store, r.Client, req.Namespace) if err != nil { return fmt.Errorf("could not get provider client: %w", err) } diff --git a/pkg/provider/aws/secretsmanager/secretsmanager.go b/pkg/provider/aws/secretsmanager/secretsmanager.go index 698129074..7e157ac91 100644 --- a/pkg/provider/aws/secretsmanager/secretsmanager.go +++ b/pkg/provider/aws/secretsmanager/secretsmanager.go @@ -27,7 +27,7 @@ import ( type SecretsManager struct{} // New constructs a SecretsManager Provider. -func (sm *SecretsManager) New(ctx context.Context, store esv1alpha1.SecretStoreProvider, kube client.Client, namespace string) (provider.Provider, error) { +func (sm *SecretsManager) New(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string) (provider.Provider, error) { return sm, nil // stub } diff --git a/pkg/provider/fake/fake.go b/pkg/provider/fake/fake.go index 0a3889b1b..1d074f321 100644 --- a/pkg/provider/fake/fake.go +++ b/pkg/provider/fake/fake.go @@ -28,7 +28,7 @@ var _ provider.Provider = &Client{} // Client is a fake client for testing. type Client struct { - NewFn func(context.Context, esv1alpha1.SecretStoreProvider, client.Client, + NewFn func(context.Context, esv1alpha1.GenericStore, client.Client, string) (provider.Provider, error) GetSecretFn func(context.Context, esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) GetSecretMapFn func(context.Context, esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) 
@@ -45,7 +45,7 @@ func New() *Client { }, } - v.NewFn = func(context.Context, esv1alpha1.SecretStoreProvider, client.Client, string) (provider.Provider, error) { + v.NewFn = func(context.Context, esv1alpha1.GenericStore, client.Client, string) (provider.Provider, error) { return nil, nil } @@ -84,14 +84,14 @@ func (v *Client) WithGetSecretMap(secData map[string][]byte, err error) *Client } // WithNew wraps the fake provider factory function. -func (v *Client) WithNew(f func(context.Context, esv1alpha1.SecretStoreProvider, client.Client, +func (v *Client) WithNew(f func(context.Context, esv1alpha1.GenericStore, client.Client, string) (provider.Provider, error)) *Client { v.NewFn = f return v } // New returns a new fake provider. -func (v *Client) New(ctx context.Context, store esv1alpha1.SecretStoreProvider, kube client.Client, namespace string) (provider.Provider, error) { +func (v *Client) New(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string) (provider.Provider, error) { client, err := v.NewFn(ctx, store, kube, namespace) if err != nil { return nil, err diff --git a/pkg/provider/provider.go b/pkg/provider/provider.go index 0e3264c24..df5328d4a 100644 --- a/pkg/provider/provider.go +++ b/pkg/provider/provider.go @@ -25,7 +25,7 @@ import ( // Provider is a common interface for interacting with secret backends. type Provider interface { // New constructs a SecretsManager Provider - New(ctx context.Context, store esv1alpha1.SecretStoreProvider, kube client.Client, namespace string) (Provider, error) + New(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string) (Provider, error) // GetSecret returns a single secret from the provider GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) diff --git a/pkg/provider/schema/schema_test.go b/pkg/provider/schema/schema_test.go index 4cd703d2b..132932402 100644 --- a/pkg/provider/schema/schema_test.go 
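Review bot: The doc comment on the interface method, `// New constructs a SecretsManager Provider`, describes one implementation rather than the contract of `Provider`, and the `PP` stub in the schema_test.go hunk that follows carries the same copied text. Suggest `// New returns a Provider configured from store; kube and namespace are passed so implementations can resolve references held in the store's spec.` — the second half is my inference from the signature, so adjust it to what implementations actually do with `namespace`, which is not visible here.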
+++ b/pkg/provider/schema/schema_test.go @@ -27,7 +27,7 @@ import ( type PP struct{} // New constructs a SecretsManager Provider. -func (p *PP) New(ctx context.Context, store esv1alpha1.SecretStoreProvider, kube client.Client, namespace string) (provider.Provider, error) { +func (p *PP) New(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string) (provider.Provider, error) { return p, nil } From 88f337386da3e5b1286b653a3f066ff23f9ff35c Mon Sep 17 00:00:00 2001 From: Jonatas Baldin Date: Thu, 7 Jan 2021 17:36:25 +0100 Subject: [PATCH 06/11] Add GetNamespacedName to GenericStore interface --- api/v1alpha1/generic_store.go | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/api/v1alpha1/generic_store.go b/api/v1alpha1/generic_store.go index 85d833aa8..0b4f9475d 100644 --- a/api/v1alpha1/generic_store.go +++ b/api/v1alpha1/generic_store.go @@ -15,6 +15,8 @@ limitations under the License. package v1alpha1 import ( + "fmt" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" ) @@ -30,6 +32,7 @@ type GenericStore interface { runtime.Object metav1.Object GetProvider() *SecretStoreProvider + GetNamespacedName() string } // +kubebuilder:object:root:false @@ -41,6 +44,10 @@ func (c *SecretStore) GetProvider() *SecretStoreProvider { return c.Spec.Provider } +func (c *SecretStore) GetNamespacedName() string { + return fmt.Sprintf("%s/%s", c.Namespace, c.Name) +} + // Copy returns a DeepCopy of the Store. func (c *SecretStore) Copy() GenericStore { return c.DeepCopy() From f57493bcec227ec7a9b3e0dd9066522504910e73 Mon Sep 17 00:00:00 2001 From: Jonatas Baldin Date: Thu, 7 Jan 2021 17:36:39 +0100 Subject: [PATCH 07/11] Move code out of the main reconcile closer function and organise logs --- controllers/externalsecret_controller.go | 41 ++++++++++++------------ 1 file changed, 21 insertions(+), 20 deletions(-) 
diff --git a/controllers/externalsecret_controller.go b/controllers/externalsecret_controller.go index 6fccfb2af..ac8120394 100644 --- a/controllers/externalsecret_controller.go +++ b/controllers/externalsecret_controller.go @@ -50,7 +50,7 @@ type ExternalSecretReconciler struct { func (r *ExternalSecretReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) { ctx := context.Background() - log := r.Log.WithValues("external-secrets", req.NamespacedName) + log := r.Log.WithValues("ExternalSecret", req.NamespacedName) var externalSecret esv1alpha1.ExternalSecret 
@@ -67,23 +67,27 @@ func (r *ExternalSecretReconciler) Reconcile(req ctrl.Request) (ctrl.Result, err }, } + store, err := r.getStore(ctx, &externalSecret) + if err != nil { + log.Error(err, "could not get store reference") + return ctrl.Result{RequeueAfter: requeueAfter}, nil + } + + log = log.WithValues("SecretStore", store.GetNamespacedName()) + + storeProvider, err := schema.GetProvider(store) + if err != nil { + log.Error(err, "could not get store provider") + return ctrl.Result{RequeueAfter: requeueAfter}, nil + } + + providerClient, err := storeProvider.New(ctx, store, r.Client, req.Namespace) + if err != nil { + log.Error(err, "could not get provider client") + return ctrl.Result{RequeueAfter: requeueAfter}, nil + } + _, err = ctrl.CreateOrUpdate(ctx, r.Client, secret, func() error { - store, err := r.getStore(ctx, &externalSecret) - if err != nil { - return fmt.Errorf("could not get store reference from ExternalSecret %q: %w", externalSecret.Name, err) - } - - storeProvider, err := schema.GetProvider(store) - if err != nil { - // TODO: add SecretStore name to the log message - return fmt.Errorf("could not get store provider: %w", err) - } - - providerClient, err := storeProvider.New(ctx, store, r.Client, req.Namespace) - if err != nil { - return fmt.Errorf("could not get provider client: %w", err) - } - err = controllerutil.SetControllerReference(&externalSecret, &secret.ObjectMeta, r.Scheme) if err != nil { return fmt.Errorf("could not set ExternalSecret controller reference: %w", err) @@ -92,7 +96,6 @@ func (r *ExternalSecretReconciler) Reconcile(req ctrl.Request) (ctrl.Result, err secret.Labels = externalSecret.Labels secret.Annotations = externalSecret.Annotations - // TODO: Pass reference to the client (not a copy)? secret.Data, err = r.getProviderSecretData(ctx, providerClient, &externalSecret) if err != nil { return fmt.Errorf("could not get secret data from provider: %w", err) 
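Review bot: Each of the three new failure paths (`getStore`, `schema.GetProvider`, `storeProvider.New`) logs the error and returns `ctrl.Result{RequeueAfter: requeueAfter}, nil`, which tells controller-runtime the reconcile succeeded; the failure is not counted as a reconcile error, there is no rate-limited backoff, and a permanently misconfigured store is retried every 30s forever. Returning the error instead (`return ctrl.Result{}, err`) gives the workqueue's exponential backoff and error accounting for free, and the `log.Error` line can stay if the structured `SecretStore` key is wanted; the same applies to the existing `CreateOrUpdate` error path in the next hunk. Reconcile's body starts before this hunk and ends after it.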
@@ -103,8 +106,6 @@ func (r *ExternalSecretReconciler) Reconcile(req ctrl.Request) (ctrl.Result, err if err != nil { log.Error(err, "could not reconcile ExternalSecret") - - // TODO: Set ExternalSecret.Status.Conditions return ctrl.Result{RequeueAfter: requeueAfter}, nil } From d1b879aa41d6f0739cd2821e7145e191773dd2d0 Mon Sep 17 00:00:00 2001 From: Jonatas Baldin Date: Thu, 7 Jan 2021 17:48:35 +0100 Subject: [PATCH 08/11] Add comment on _ import on ExternalSecret controller --- controllers/externalsecret_controller.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/controllers/externalsecret_controller.go b/controllers/externalsecret_controller.go index ac8120394..479847636 100644 --- a/controllers/externalsecret_controller.go +++ b/controllers/externalsecret_controller.go @@ -30,6 +30,8 @@ import ( esv1alpha1 "github.com/external-secrets/external-secrets/api/v1alpha1" "github.com/external-secrets/external-secrets/pkg/provider" + + // Loading registered providers. _ "github.com/external-secrets/external-secrets/pkg/provider/register" "github.com/external-secrets/external-secrets/pkg/provider/schema" ) From 3227e730f122cbbd48fd70f2446bb2dab7c46059 Mon Sep 17 00:00:00 2001 
From: Lucas Severo Alves Date: Wed, 27 Jan 2021 12:08:28 +0100 Subject: [PATCH 09/11] Change dir structure and adapt --- Dockerfile | 4 +- PROJECT | 1 + api/v1alpha1/groupversion_info.go | 42 ------ apis/doc.go | 18 +++ apis/externalsecrets/doc.go | 17 +++ .../externalsecrets/v1alpha1/doc.go | 13 +- .../v1alpha1/externalsecret_types.go | 8 +- .../v1alpha1/generic_store.go | 34 ++++- apis/externalsecrets/v1alpha1/register.go | 67 +++++++++ .../v1alpha1/secretstore_awssm_types.go | 8 +- .../v1alpha1/secretstore_types.go | 29 +++- .../v1alpha1/zz_generated.deepcopy.go | 78 +++++++--- apis/meta/doc.go | 16 ++ apis/meta/v1/doc.go | 17 +++ apis/meta/v1/types.go | 30 ++++ apis/meta/v1/zz_generated.deepcopy.go | 41 +++++ ...ternal-secrets.io_clustersecretstores.yaml | 140 ++++++++++++++++++ .../external-secrets.io_externalsecrets.yaml | 4 +- .../external-secrets.io_secretstores.yaml | 39 ++++- deploy/charts/external-secrets/.helmignore | 26 ++++ deploy/charts/external-secrets/Chart.yaml | 14 ++ deploy/charts/external-secrets/README.md | 63 ++++++++ .../charts/external-secrets/README.md.gotmpl | 38 +++++ .../external-secrets/ci/main-values.yaml | 2 + .../external-secrets/templates/NOTES.txt | 7 + .../external-secrets/templates/_helpers.tpl | 62 ++++++++ .../external-secrets/templates/crds/README.md | 4 + .../templates/deployment.yaml | 74 +++++++++ .../external-secrets/templates/rbac.yaml | 101 +++++++++++++ .../external-secrets/templates/service.yaml | 20 +++ .../templates/serviceaccount.yaml | 12 ++ deploy/charts/external-secrets/values.yaml | 68 +++++++++ .../externalsecret_controller.go | 7 +- .../controllers/externalsecret}/suite_test.go | 8 +- .../secretstore}/secretstore_controller.go | 14 +- pkg/controllers/secretstore/suite_test.go | 81 ++++++++++ .../aws/secretsmanager/secretsmanager.go | 2 +- pkg/provider/fake/fake.go | 10 +- pkg/provider/provider.go | 2 +- pkg/provider/schema/schema.go | 6 +- pkg/provider/schema/schema_test.go | 30 ++-- {controllers => 
pkg/utils}/utils.go | 5 +- 42 files changed, 1127 insertions(+), 135 deletions(-) delete mode 100644 api/v1alpha1/groupversion_info.go create mode 100644 apis/doc.go create mode 100644 apis/externalsecrets/doc.go rename api/v1alpha1/meta_types.go => apis/externalsecrets/v1alpha1/doc.go (74%) rename {api => apis/externalsecrets}/v1alpha1/externalsecret_types.go (96%) rename {api => apis/externalsecrets}/v1alpha1/generic_store.go (64%) create mode 100644 apis/externalsecrets/v1alpha1/register.go rename {api => apis/externalsecrets}/v1alpha1/secretstore_awssm_types.go (82%) rename {api => apis/externalsecrets}/v1alpha1/secretstore_types.go (70%) rename {api => apis/externalsecrets}/v1alpha1/zz_generated.deepcopy.go (90%) create mode 100644 apis/meta/doc.go create mode 100644 apis/meta/v1/doc.go create mode 100644 apis/meta/v1/types.go create mode 100644 apis/meta/v1/zz_generated.deepcopy.go create mode 100644 config/crd/bases/external-secrets.io_clustersecretstores.yaml create mode 100644 deploy/charts/external-secrets/.helmignore create mode 100644 deploy/charts/external-secrets/Chart.yaml create mode 100644 deploy/charts/external-secrets/README.md create mode 100644 deploy/charts/external-secrets/README.md.gotmpl create mode 100644 deploy/charts/external-secrets/ci/main-values.yaml create mode 100644 deploy/charts/external-secrets/templates/NOTES.txt create mode 100644 deploy/charts/external-secrets/templates/_helpers.tpl create mode 100644 deploy/charts/external-secrets/templates/crds/README.md create mode 100644 deploy/charts/external-secrets/templates/deployment.yaml create mode 100644 deploy/charts/external-secrets/templates/rbac.yaml create mode 100644 deploy/charts/external-secrets/templates/service.yaml create mode 100644 deploy/charts/external-secrets/templates/serviceaccount.yaml create mode 100644 deploy/charts/external-secrets/values.yaml rename {controllers => pkg/controllers/externalsecret}/externalsecret_controller.go (95%) rename {controllers => 
pkg/controllers/externalsecret}/suite_test.go (90%) rename {controllers => pkg/controllers/secretstore}/secretstore_controller.go (74%) create mode 100644 pkg/controllers/secretstore/suite_test.go rename {controllers => pkg/utils}/utils.go (95%) diff --git a/Dockerfile b/Dockerfile index 74eb9d741..3b770ef57 100644 --- a/Dockerfile +++ b/Dockerfile @@ -11,8 +11,8 @@ RUN go mod download # Copy the go source COPY main.go main.go -COPY api/ api/ -COPY controllers/ controllers/ +COPY apis/ apis/ +COPY pkg/ pkg/ # Build RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o manager main.go diff --git a/PROJECT b/PROJECT index 20647a6b6..cac16ecf0 100644 --- a/PROJECT +++ b/PROJECT @@ -1,4 +1,5 @@ domain: io +multigroup: true repo: github.com/external-secrets/external-secrets resources: - group: external-secrets diff --git a/api/v1alpha1/groupversion_info.go b/api/v1alpha1/groupversion_info.go deleted file mode 100644 index 90f82e5f2..000000000 --- a/api/v1alpha1/groupversion_info.go +++ /dev/null 
@@ -1,42 +0,0 @@ -/* -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -// Package v1alpha1 contains API Schema definitions for the external-secrets v1alpha1 API group -// +kubebuilder:object:generate=true -// +groupName=external-secrets.io -package v1alpha1 - -import ( - "reflect" - - "k8s.io/apimachinery/pkg/runtime/schema" - "sigs.k8s.io/controller-runtime/pkg/scheme" -) - -var ( - // GroupVersion is group version used to register these objects. - GroupVersion = schema.GroupVersion{Group: "external-secrets.io", Version: "v1alpha1"} - - // SchemeBuilder is used to add go types to the GroupVersionKind scheme. - SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion} - - // AddToScheme adds the types in this group-version to the given scheme. - AddToScheme = SchemeBuilder.AddToScheme -) - -// SecretStore type metadata. -var ( - SecretStoreKind = reflect.TypeOf(SecretStore{}).Name() - SecretStoreKindAPIVersion = SecretStoreKind + "." + GroupVersion.String() -) diff --git a/apis/doc.go b/apis/doc.go new file mode 100644 index 000000000..d2482c14e --- /dev/null +++ b/apis/doc.go 
@@ -0,0 +1,18 @@ +/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// +// +domain=external-secrets.io + +package apis diff --git a/apis/externalsecrets/doc.go b/apis/externalsecrets/doc.go new file mode 100644 index 000000000..760bd4841 --- /dev/null +++ b/apis/externalsecrets/doc.go @@ -0,0 +1,17 @@ +/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// +groupName=external-secrets.io + +package externalsecrets diff --git a/api/v1alpha1/meta_types.go b/apis/externalsecrets/v1alpha1/doc.go similarity index 74% rename from api/v1alpha1/meta_types.go rename to apis/externalsecrets/v1alpha1/doc.go index 4e8bfbc6a..a327e1186 100644 --- a/api/v1alpha1/meta_types.go +++ b/apis/externalsecrets/v1alpha1/doc.go 
@@ -12,13 +12,8 @@ See the License for the specific language governing permissions and limitations under the License. */ +// Package v1alpha1 contains resources for external-secrets +// +kubebuilder:object:generate=true +// +groupName=external-secrets.io +// +versionName=v1alpha1 package v1alpha1 - -// Refers to a Secret in Kubernetes. -type SecretKeySelector struct { - Name string `json:"name"` - Key string `json:"key"` - - // +optional - Namespace *string `json:"namespace,omitempty"` -} diff --git a/api/v1alpha1/externalsecret_types.go b/apis/externalsecrets/v1alpha1/externalsecret_types.go similarity index 96% rename from api/v1alpha1/externalsecret_types.go rename to apis/externalsecrets/v1alpha1/externalsecret_types.go index 076aaee01..eaf423b9c 100644 --- a/api/v1alpha1/externalsecret_types.go +++ b/apis/externalsecrets/v1alpha1/externalsecret_types.go @@ -174,7 +174,7 @@ type ExternalSecretStatus struct { // +kubebuilder:object:root=true -// ExternalSecret is the Schema for the externalsecrets API. +// ExternalSecret is the Schema for the external-secrets API. type ExternalSecret struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` @@ -185,13 +185,9 @@ type ExternalSecret struct { // +kubebuilder:object:root=true -// ExternalSecretList contains a list of ExternalSecret. +// ExternalSecretList contains a list of ExternalSecret resources. type ExternalSecretList struct { metav1.TypeMeta `json:",inline"` metav1.ListMeta `json:"metadata,omitempty"` Items []ExternalSecret `json:"items"` } - -func init() { - SchemeBuilder.Register(&ExternalSecret{}, &ExternalSecretList{}) -} diff --git a/api/v1alpha1/generic_store.go b/apis/externalsecrets/v1alpha1/generic_store.go similarity index 64% rename from api/v1alpha1/generic_store.go rename to apis/externalsecrets/v1alpha1/generic_store.go index 0b4f9475d..a45fd5edc 100644 --- a/api/v1alpha1/generic_store.go +++ b/apis/externalsecrets/v1alpha1/generic_store.go 
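Review bot: This hunk deletes the `init()` that called `SchemeBuilder.Register(&ExternalSecret{}, &ExternalSecretList{})`, and the new register.go hunk on this page is cut off before any replacement registration appears; if the kinds are not registered elsewhere, `AddToScheme` installs a scheme that does not know `ExternalSecret`, and the controller's `Get`/`CreateOrUpdate` calls fail at runtime. Please confirm the registration survives (most likely in the unseen tail of register.go) or re-add it there, with a one-line comment stating that register.go is the single place kinds are registered.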
@@ -31,7 +31,9 @@ import ( type GenericStore interface { runtime.Object metav1.Object - GetProvider() *SecretStoreProvider + + GetObjectMeta() *metav1.ObjectMeta + GetSpec() *SecretStoreSpec GetNamespacedName() string } @@ -39,16 +41,38 @@ type GenericStore interface { // +kubebuilder:object:generate:false var _ GenericStore = &SecretStore{} -// GetProvider returns the underlying provider. -func (c *SecretStore) GetProvider() *SecretStoreProvider { - return c.Spec.Provider +func (c *SecretStore) GetObjectMeta() *metav1.ObjectMeta { + return &c.ObjectMeta +} + +func (c *SecretStore) GetSpec() *SecretStoreSpec { + return &c.Spec } func (c *SecretStore) GetNamespacedName() string { return fmt.Sprintf("%s/%s", c.Namespace, c.Name) } -// Copy returns a DeepCopy of the Store. func (c *SecretStore) Copy() GenericStore { return c.DeepCopy() } + +// +kubebuilder:object:root:false +// +kubebuilder:object:generate:false +var _ GenericStore = &ClusterSecretStore{} + +func (c *ClusterSecretStore) GetObjectMeta() *metav1.ObjectMeta { + return &c.ObjectMeta +} + +func (c *ClusterSecretStore) GetSpec() *SecretStoreSpec { + return &c.Spec +} + +func (c *ClusterSecretStore) Copy() GenericStore { + return c.DeepCopy() +} + +func (c *ClusterSecretStore) GetNamespacedName() string { + return fmt.Sprintf("%s/%s", c.Namespace, c.Name) +} diff --git a/apis/externalsecrets/v1alpha1/register.go b/apis/externalsecrets/v1alpha1/register.go new file mode 100644 index 000000000..ba994aa3c --- /dev/null +++ b/apis/externalsecrets/v1alpha1/register.go 
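Review bot: `ClusterSecretStore.GetNamespacedName` formats `c.Namespace`, which is always empty on a cluster-scoped object, so the result is `/<name>` rather than a usable namespaced name, and anything keying a cache or log line on it gets a leading slash. If the slash form is intentional for uniformity with SecretStore, say so in a comment; otherwise `return c.Name` when `c.Namespace == ""`. The new exported methods `GetObjectMeta`, `GetSpec` and `Copy` have no doc comments, and the commit also dropped the ones on `GetProvider` and `Copy`; for example `// GetSpec returns a pointer to the store's spec so callers can read the provider configuration.` Note that a `GetObjectMeta` method on the struct shadows the promoted `ObjectMeta.GetObjectMeta` from apimachinery, which returns `metav1.Object`; I believe this still compiles because the outer type's method wins, but a same-named method with a different return type deserves a comment explaining the choice.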
@@ -0,0 +1,67 @@ +/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1alpha1 + +import ( + "reflect" + + "k8s.io/apimachinery/pkg/runtime/schema" + "sigs.k8s.io/controller-runtime/pkg/scheme" +) + +// Package type metadata. +const ( + Group = "external-secrets.io" + Version = "v1alpha1" +) + +var ( + // SchemeGroupVersion is group version used to register these objects. + SchemeGroupVersion = schema.GroupVersion{Group: Group, Version: Version} + + // SchemeBuilder is used to add go types to the GroupVersionKind scheme. + SchemeBuilder = &scheme.Builder{GroupVersion: SchemeGroupVersion} + AddToScheme = SchemeBuilder.AddToScheme +) + +// ExternalSecret type metadata. +var ( + ExtSecretKind = reflect.TypeOf(ExternalSecret{}).Name() + ExtSecretGroupKind = schema.GroupKind{Group: Group, Kind: ExtSecretKind}.String() + ExtSecretKindAPIVersion = ExtSecretKind + "." + SchemeGroupVersion.String() + ExtSecretGroupVersionKind = SchemeGroupVersion.WithKind(ExtSecretKind) +) + +// SecretStore type metadata. +var ( + SecretStoreKind = reflect.TypeOf(SecretStore{}).Name() + SecretStoreGroupKind = schema.GroupKind{Group: Group, Kind: SecretStoreKind}.String() + SecretStoreKindAPIVersion = SecretStoreKind + "." + SchemeGroupVersion.String() + SecretStoreGroupVersionKind = SchemeGroupVersion.WithKind(SecretStoreKind) +) + +// ClusterSecretStore type metadata. 
+var ( + ClusterSecretStoreKind = reflect.TypeOf(ClusterSecretStore{}).Name() + ClusterSecretStoreGroupKind = schema.GroupKind{Group: Group, Kind: ClusterSecretStoreKind}.String() + ClusterSecretStoreKindAPIVersion = ClusterSecretStoreKind + "." + SchemeGroupVersion.String() + ClusterSecretStoreGroupVersionKind = SchemeGroupVersion.WithKind(ClusterSecretStoreKind) +) + +func init() { + SchemeBuilder.Register(&ExternalSecret{}, &ExternalSecretList{}) + SchemeBuilder.Register(&SecretStore{}, &SecretStoreList{}) + SchemeBuilder.Register(&ClusterSecretStore{}, &ClusterSecretStoreList{}) +} diff --git a/api/v1alpha1/secretstore_awssm_types.go b/apis/externalsecrets/v1alpha1/secretstore_awssm_types.go similarity index 82% rename from api/v1alpha1/secretstore_awssm_types.go rename to apis/externalsecrets/v1alpha1/secretstore_awssm_types.go index 6c526e8f5..e0a1fd1a8 100644 --- a/api/v1alpha1/secretstore_awssm_types.go +++ b/apis/externalsecrets/v1alpha1/secretstore_awssm_types.go @@ -14,6 +14,10 @@ limitations under the License. package v1alpha1 +import ( + esmeta "github.com/external-secrets/external-secrets/apis/meta/v1" +) + type AWSSMAuth struct { SecretRef AWSSMAuthSecretRef `json:"secretRef"` } @@ -21,11 +25,11 @@ type AWSSMAuth struct { type AWSSMAuthSecretRef struct { // The AccessKeyID is used for authentication // +optional - AccessKeyID SecretKeySelector `json:"accessKeyIDSecretRef,omitempty"` + AccessKeyID esmeta.SecretKeySelector `json:"accessKeyIDSecretRef,omitempty"` // The SecretAccessKey is used for authentication // +optional - SecretAccessKey SecretKeySelector `json:"secretAccessKeySecretRef,omitempty"` + SecretAccessKey esmeta.SecretKeySelector `json:"secretAccessKeySecretRef,omitempty"` } // Configures a store to sync secrets using the AWS Secret Manager provider. 
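Review bot: Both `AccessKeyID` and `SecretAccessKey` are `+optional`, and their new `esmeta.SecretKeySelector` type makes `key` optional too (the regenerated secretstores CRD later in this patch drops `key` from `required`), so the API server will now accept a store whose credential references name a Secret but no key. The provider that resolves these references is outside this diff; it needs to reject an empty `Key` explicitly rather than reading an empty map entry and sending an empty access key to AWS. The field comments should also state what "optional" means here, e.g. `// The AccessKeyID is used for authentication; if set, Key must name the Secret entry holding the access key ID.`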
diff --git a/api/v1alpha1/secretstore_types.go b/apis/externalsecrets/v1alpha1/secretstore_types.go similarity index 70% rename from api/v1alpha1/secretstore_types.go rename to apis/externalsecrets/v1alpha1/secretstore_types.go index 22d6b08d8..72291d764 100644 --- a/api/v1alpha1/secretstore_types.go +++ b/apis/externalsecrets/v1alpha1/secretstore_types.go @@ -88,7 +88,10 @@ type SecretStoreStatus struct { // +kubebuilder:object:root=true -// SecretStore is the Schema for the secretstores API. +// SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. +// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" +// +kubebuilder:subresource:status +// +kubebuilder:resource:scope=Namespaced,categories={externalsecrets},shortName=ss type SecretStore struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` 
@@ -99,13 +102,31 @@ type SecretStore struct { // +kubebuilder:object:root=true -// SecretStoreList contains a list of SecretStore. +// SecretStoreList contains a list of SecretStore resources. type SecretStoreList struct { metav1.TypeMeta `json:",inline"` metav1.ListMeta `json:"metadata,omitempty"` Items []SecretStore `json:"items"` } -func init() { - SchemeBuilder.Register(&SecretStore{}, &SecretStoreList{}) +// +kubebuilder:object:root=true + +// ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. +// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" +// +kubebuilder:subresource:status +// +kubebuilder:resource:scope=Cluster,categories={externalsecrets},shortName=css +type ClusterSecretStore struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + Spec SecretStoreSpec `json:"spec,omitempty"` +} + +// +kubebuilder:object:root=true + +// ClusterSecretStoreList contains a list of ClusterSecretStore resources. +type ClusterSecretStoreList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []ClusterSecretStore `json:"items"` } diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/apis/externalsecrets/v1alpha1/zz_generated.deepcopy.go similarity index 90% rename from api/v1alpha1/zz_generated.deepcopy.go rename to apis/externalsecrets/v1alpha1/zz_generated.deepcopy.go index 62a63a2de..dee3e865c 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/apis/externalsecrets/v1alpha1/zz_generated.deepcopy.go 
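Review bot: `ClusterSecretStore` carries `+kubebuilder:subresource:status` but declares no `Status` field, so the generated clustersecretstores CRD in this patch exposes a status subresource with no `status` schema and a controller has nothing to write conditions into; `SecretStore` presumably has one, given `SecretStoreStatus` exists. Either add a `Status SecretStoreStatus` field tagged `json:"status,omitempty"` next to `Spec`, or drop the marker until status is implemented. The type comment is a verbatim copy of SecretStore's; it should at least say the resource is cluster-scoped, e.g. `// ClusterSecretStore is the cluster-scoped counterpart of SecretStore; because it is not confined to a namespace, rights to create it should be granted more narrowly.`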
@@ -71,6 +71,64 @@ func (in *AWSSMProvider) DeepCopy() *AWSSMProvider { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterSecretStore) DeepCopyInto(out *ClusterSecretStore) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterSecretStore. +func (in *ClusterSecretStore) DeepCopy() *ClusterSecretStore { + if in == nil { + return nil + } + out := new(ClusterSecretStore) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ClusterSecretStore) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterSecretStoreList) DeepCopyInto(out *ClusterSecretStoreList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]ClusterSecretStore, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterSecretStoreList. +func (in *ClusterSecretStoreList) DeepCopy() *ClusterSecretStoreList { + if in == nil { + return nil + } + out := new(ClusterSecretStoreList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
+func (in *ClusterSecretStoreList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ExternalSecret) DeepCopyInto(out *ExternalSecret) { *out = *in @@ -287,26 +345,6 @@ func (in *ExternalSecretTemplateMetadata) DeepCopy() *ExternalSecretTemplateMeta return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretKeySelector) DeepCopyInto(out *SecretKeySelector) { - *out = *in - if in.Namespace != nil { - in, out := &in.Namespace, &out.Namespace - *out = new(string) - **out = **in - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretKeySelector. -func (in *SecretKeySelector) DeepCopy() *SecretKeySelector { - if in == nil { - return nil - } - out := new(SecretKeySelector) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretStore) DeepCopyInto(out *SecretStore) { *out = *in diff --git a/apis/meta/doc.go b/apis/meta/doc.go new file mode 100644 index 000000000..8ad027322 --- /dev/null +++ b/apis/meta/doc.go @@ -0,0 +1,16 @@ +/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Package meta contains meta types for external-secret APIs. +package meta 
diff --git a/apis/meta/v1/doc.go b/apis/meta/v1/doc.go new file mode 100644 index 000000000..317234b72 --- /dev/null +++ b/apis/meta/v1/doc.go @@ -0,0 +1,17 @@ +/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Package meta contains meta types for external-secrets APIs +// +kubebuilder:object:generate=true +package v1 diff --git a/apis/meta/v1/types.go b/apis/meta/v1/types.go new file mode 100644 index 000000000..cc087b656 --- /dev/null +++ b/apis/meta/v1/types.go 
@@ -0,0 +1,30 @@ +/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1 + +// A reference to a specific 'key' within a Secret resource, +// In some instances, `key` is a required field. +type SecretKeySelector struct { + // The name of the Secret resource being referred to. + Name string `json:"name"` + // Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + // to the namespace of the referent. + // +optional + Namespace *string `json:"namespace,omitempty"` + // The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + // defaulted, in others it may be required. + // +optional + Key string `json:"key,omitempty"` +} diff --git a/apis/meta/v1/zz_generated.deepcopy.go b/apis/meta/v1/zz_generated.deepcopy.go new file mode 100644 index 000000000..cc2c5684a --- /dev/null +++ b/apis/meta/v1/zz_generated.deepcopy.go 
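Review bot: The `Namespace` comment contradicts itself: "Ignored if referent is not cluster-scoped" is followed by "cluster-scoped defaults to the namespace of the referent", but a cluster-scoped referent has no namespace to default to. This field is the tenancy boundary for namespaced stores: if a consumer honours `namespace` on a SecretStore, a user allowed to create SecretStores in one namespace can read Secrets from another, so the contract needs to be stated precisely here and enforced by the consumer (not in this diff). Suggested wording: `// Namespace of the referenced Secret. Only honoured when the referencing resource is cluster-scoped (e.g. ClusterSecretStore); for namespaced resources it is ignored and the referencing resource's own namespace is used.` The opening comment also has a comma splice; `// SecretKeySelector references a specific key within a Secret resource. In some instances, Key is required.` reads cleanly.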
@@ -0,0 +1,41 @@ +// +build !ignore_autogenerated + +/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by controller-gen. DO NOT EDIT. + +package v1 + +import () + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretKeySelector) DeepCopyInto(out *SecretKeySelector) { + *out = *in + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretKeySelector. +func (in *SecretKeySelector) DeepCopy() *SecretKeySelector { + if in == nil { + return nil + } + out := new(SecretKeySelector) + in.DeepCopyInto(out) + return out +} diff --git a/config/crd/bases/external-secrets.io_clustersecretstores.yaml b/config/crd/bases/external-secrets.io_clustersecretstores.yaml new file mode 100644 index 000000000..133bfa625 --- /dev/null +++ b/config/crd/bases/external-secrets.io_clustersecretstores.yaml 
@@ -0,0 +1,140 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.1 + creationTimestamp: null + name: clustersecretstores.external-secrets.io +spec: + group: external-secrets.io + names: + categories: + - externalsecrets + kind: ClusterSecretStore + listKind: ClusterSecretStoreList + plural: clustersecretstores + shortNames: + - css + singular: clustersecretstore + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterSecretStore represents a secure external location for + storing secrets, which can be referenced as part of `storeRef` fields. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: SecretStoreSpec defines the desired state of SecretStore. + properties: + controller: + description: 'Used to select the correct KES controller (think: ingress.ingressClassName) + The KES controller is instantiated with a specific controller name + and filters ES based on this property' + type: string + provider: + description: Used to configure the provider. 
Only one provider may + be set + maxProperties: 1 + minProperties: 1 + properties: + awssm: + description: AWSSM configures this store to sync secrets using + AWS Secret Manager provider + properties: + auth: + description: Auth defines the information necessary to authenticate + against AWS + properties: + secretRef: + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others it + may be required. + type: string + name: + description: The name of the Secret resource being + referred to. + type: string + namespace: + description: Namespace of the resource being referred + to. Ignored if referent is not cluster-scoped. + cluster-scoped defaults to the namespace of + the referent. + type: string + required: + - name + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others it + may be required. + type: string + name: + description: The name of the Secret resource being + referred to. + type: string + namespace: + description: Namespace of the resource being referred + to. Ignored if referent is not cluster-scoped. + cluster-scoped defaults to the namespace of + the referent. 
+ type: string + required: + - name + type: object + type: object + required: + - secretRef + type: object + region: + description: AWS Region to be used for the provider + type: string + role: + description: Role is a Role ARN which the SecretManager provider + will assume + type: string + required: + - auth + - region + type: object + type: object + required: + - provider + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/config/crd/bases/external-secrets.io_externalsecrets.yaml b/config/crd/bases/external-secrets.io_externalsecrets.yaml index 926af685c..b5c8488aa 100644 --- a/config/crd/bases/external-secrets.io_externalsecrets.yaml +++ b/config/crd/bases/external-secrets.io_externalsecrets.yaml @@ -1,5 +1,3 @@ - ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -19,7 +17,7 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: ExternalSecret is the Schema for the externalsecrets API. + description: ExternalSecret is the Schema for the external-secrets API. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation diff --git a/config/crd/bases/external-secrets.io_secretstores.yaml b/config/crd/bases/external-secrets.io_secretstores.yaml index 24daa26fa..8dc60713f 100644 --- a/config/crd/bases/external-secrets.io_secretstores.yaml +++ b/config/crd/bases/external-secrets.io_secretstores.yaml @@ -1,5 +1,3 @@ - ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: 
@@ -10,16 +8,25 @@ metadata: spec: group: external-secrets.io names: + categories: + - externalsecrets kind: SecretStore listKind: SecretStoreList plural: secretstores + shortNames: + - ss singular: secretstore scope: Namespaced versions: - - name: v1alpha1 + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + name: v1alpha1 schema: openAPIV3Schema: - description: SecretStore is the Schema for the secretstores API. + description: SecretStore represents a secure external location for storing + secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -61,26 +68,44 @@ spec: description: The AccessKeyID is used for authentication properties: key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others it + may be required. type: string name: + description: The name of the Secret resource being + referred to. type: string namespace: + description: Namespace of the resource being referred + to. Ignored if referent is not cluster-scoped. + cluster-scoped defaults to the namespace of + the referent. type: string required: - - key - name type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others it + may be required. type: string name: + description: The name of the Secret resource being + referred to. type: string namespace: + description: Namespace of the resource being referred + to. Ignored if referent is not cluster-scoped. + cluster-scoped defaults to the namespace of + the referent. type: string required: - - key - name type: object type: object 
@@ -130,6 +155,8 @@ spec: type: object served: true storage: true + subresources: + status: {} status: acceptedNames: kind: "" diff --git a/deploy/charts/external-secrets/.helmignore b/deploy/charts/external-secrets/.helmignore new file mode 100644 index 000000000..855edc3fb --- /dev/null +++ b/deploy/charts/external-secrets/.helmignore @@ -0,0 +1,26 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ + +# CRD README.md +templates/crds/README.md diff --git a/deploy/charts/external-secrets/Chart.yaml b/deploy/charts/external-secrets/Chart.yaml new file mode 100644 index 000000000..ad13f1042 --- /dev/null +++ b/deploy/charts/external-secrets/Chart.yaml @@ -0,0 +1,14 @@ +apiVersion: v2 +name: external-secrets +description: External secret management for Kubernetes +type: application +version: "0.1.0" +appVersion: "0.1.0" +kubeVersion: ">= 1.11.0" +keywords: + - kubernetes-external-secrets + - secrets +home: https://github.com/external-secrets/external-secrets +maintainers: + - name: mcavoyk + email: kellinmcavoy@gmail.com diff --git a/deploy/charts/external-secrets/README.md b/deploy/charts/external-secrets/README.md new file mode 100644 index 000000000..c3ef4544f --- /dev/null +++ b/deploy/charts/external-secrets/README.md 
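Review bot: `kubeVersion: ">= 1.11.0"` in Chart.yaml is too permissive for what the chart installs: the CRDs in this patch (e.g. `config/crd/bases/external-secrets.io_clustersecretstores.yaml`) use `apiextensions.k8s.io/v1`, which only exists from Kubernetes 1.16, so Helm would allow installation on 1.11–1.15 and the CRD apply would then fail. Set `kubeVersion: ">= 1.16.0"`, or whatever minimum the CRDs and controller-runtime are actually tested against.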
@@ -0,0 +1,63 @@ +# external-secrets + +[//]: # (README.md generated by gotmpl. DO NOT EDIT.) + +![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![AppVersion: 0.1.0](https://img.shields.io/badge/AppVersion-0.1.0-informational?style=flat-square) + +External secret management for Kubernetes + +## TL;DR +```bash +helm repo add external-secrets https://external-secrets.github.io/external-secrets +helm install external-secrets/external-secrets +``` + +## Installing the Chart +To install the chart with the release name `external-secrets`: +```bash +helm install external-secrets external-secrets/external-secrets +``` + +### Custom Resources +By default, the chart will install external-secrets CRDs, this can be controlled with `installCRDs` value. + +## Uninstalling the Chart +To uninstall the `external-secrets` deployment: +```bash +helm uninstall external-secrets +``` +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Configuration +Read through the external-secrets [values.yaml](https://github.com/external-secrets/external-secrets/blob/master/deploy/charts/external-secrets/values.yaml) +file. It has several commented out suggested values. + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | | +| extraArgs | object | `{}` | | +| extraEnv | list | `[]` | | +| fullnameOverride | string | `""` | | +| image.pullPolicy | string | `"IfNotPresent"` | | +| image.repository | string | `"ghcr.io/external-secrets/external-secrets"` | | +| image.tag | string | `""` | The image tag to use. The default is the chart appVersion. | +| imagePullSecrets | list | `[]` | | +| installCRDs | bool | `true` | If set, install and upgrade CRDs through helm chart. 
| +| leaderElect | bool | `true` | If true, external-secrets will perform leader election between instances to ensure no more than one instance of external-secrets operates at a time. | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| podAnnotations | object | `{}` | | +| podLabels | object | `{}` | | +| podSecurityContext | object | `{}` | | +| prometheus.enabled | bool | `false` | Specifies whether to expose Service resource for collecting Prometheus metrics | +| prometheus.service.port | int | `8080` | | +| rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. | +| replicaCount | int | `1` | | +| resources | object | `{}` | | +| securityContext | object | `{}` | | +| serviceAccount.annotations | object | `{}` | Annotations to add to the service account. | +| serviceAccount.create | bool | `true` | Specifies whether a service account should be created. | +| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. | +| tolerations | list | `[]` | | diff --git a/deploy/charts/external-secrets/README.md.gotmpl b/deploy/charts/external-secrets/README.md.gotmpl new file mode 100644 index 000000000..1762e4b1d --- /dev/null +++ b/deploy/charts/external-secrets/README.md.gotmpl 
@@ -0,0 +1,38 @@ +{{- $valuesYAML := "https://github.com/external-secrets/external-secrets/blob/master/deploy/charts/external-secrets/values.yaml" -}} +{{- $chartRepo := "https://external-secrets.github.io/external-secrets" -}} +{{- $org := "external-secrets" -}} +{{ template "chart.header" . }} + +[//]: # (README.md generated by gotmpl. DO NOT EDIT.) + +{{ template "chart.typeBadge" . }}{{ template "chart.versionBadge" . }}{{ template "chart.appVersionBadge" . }} + +{{ template "chart.description" . }} + +## TL;DR +```bash +helm repo add {{ $org }} {{ $chartRepo }} +helm install {{ $org }}/{{ template "chart.name" . }} +``` + +## Installing the Chart +To install the chart with the release name `{{ template "chart.name" . }}`: +```bash +helm install {{ template "chart.name" . }} {{ $org }}/{{ template "chart.name" . }} +``` + +### Custom Resources +By default, the chart will install external-secrets CRDs, this can be controlled with `installCRDs` value. + +## Uninstalling the Chart +To uninstall the `{{ template "chart.name" . }}` deployment: +```bash +helm uninstall {{ template "chart.name" . }} +``` +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Configuration +Read through the {{ template "chart.name" . }} [values.yaml]({{ $valuesYAML }}) +file. It has several commented out suggested values. + +{{ template "chart.valuesSection" . }} diff --git a/deploy/charts/external-secrets/ci/main-values.yaml b/deploy/charts/external-secrets/ci/main-values.yaml new file mode 100644 index 000000000..75eb234e3 --- /dev/null +++ b/deploy/charts/external-secrets/ci/main-values.yaml @@ -0,0 +1,2 @@ +image: + tag: main diff --git a/deploy/charts/external-secrets/templates/NOTES.txt b/deploy/charts/external-secrets/templates/NOTES.txt new file mode 100644 index 000000000..4fd716993 --- /dev/null +++ b/deploy/charts/external-secrets/templates/NOTES.txt 
@@ -0,0 +1,7 @@ +external-secrets has been deployed successfully! + +In order to begin using ExternalSecrets, you will need to set up a SecretStore +or ClusterSecretStore resource (for example, by creating a 'vault' SecretStore). + +More information on the different types of SecretStores and how to configure them +can be found in our Github: {{ .Chart.Home }} diff --git a/deploy/charts/external-secrets/templates/_helpers.tpl b/deploy/charts/external-secrets/templates/_helpers.tpl new file mode 100644 index 000000000..23c759fe2 --- /dev/null +++ b/deploy/charts/external-secrets/templates/_helpers.tpl 
@@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "external-secrets.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "external-secrets.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "external-secrets.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "external-secrets.labels" -}} +helm.sh/chart: {{ include "external-secrets.chart" . }} +{{ include "external-secrets.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "external-secrets.selectorLabels" -}} +app.kubernetes.io/name: {{ include "external-secrets.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "external-secrets.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "external-secrets.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} 
diff --git a/deploy/charts/external-secrets/templates/crds/README.md b/deploy/charts/external-secrets/templates/crds/README.md new file mode 100644 index 000000000..6761190f7 --- /dev/null +++ b/deploy/charts/external-secrets/templates/crds/README.md @@ -0,0 +1,4 @@ +# CRD Template Directory +the CRDs are generated in pipeline during helm package. To install the CRDs please set `installCRDS: true`. + +The latest CRDs in the repository are located [here](../../../../../config/crd/bases) diff --git a/deploy/charts/external-secrets/templates/deployment.yaml b/deploy/charts/external-secrets/templates/deployment.yaml new file mode 100644 index 000000000..a54ca1700 --- /dev/null +++ b/deploy/charts/external-secrets/templates/deployment.yaml 
@@ -0,0 +1,74 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "external-secrets.fullname" . }} + labels: + {{- include "external-secrets.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "external-secrets.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "external-secrets.selectorLabels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "external-secrets.serviceAccountName" . }} + {{- with .Values.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: {{ .Chart.Name }} + {{- with .Values.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + args: + {{- if .Values.leaderElect }} + - --enable-leader-election=true + {{- end }} + {{- range $key, $value := .Values.extraArgs }} + {{- if $value }} + - --{{ $key }}={{ $value }} + {{- else }} + - --{{ $key }} + {{- end }} + {{- end }} + ports: + - containerPort: {{ .Values.prometheus.service.port }} + protocol: TCP + {{- with .Values.extraEnv }} + env: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} 
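Review bot: Both `securityContext` blocks in this Deployment are rendered only `with` their values, and the values.yaml hunk later in this patch ships `podSecurityContext: {}` and `securityContext: {}` with the hardening keys only in comments, so a default install runs the controller — a pod whose ClusterRole can read and write every Secret in the cluster — with no `runAsNonRoot`, no `readOnlyRootFilesystem` and a full capability set. The template is fine as written; the fix belongs in values.yaml by making the commented settings the defaults, leaving `runAsUser` commented unless the image is known to define that uid. The same gap applies to the serviceaccount/rbac hunks only indirectly, so the note is made once here.
```yaml
podSecurityContext:
  runAsNonRoot: true

securityContext:
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  # runAsUser: 1000
```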
diff --git a/deploy/charts/external-secrets/templates/rbac.yaml b/deploy/charts/external-secrets/templates/rbac.yaml new file mode 100644 index 000000000..a72568d6b --- /dev/null +++ b/deploy/charts/external-secrets/templates/rbac.yaml 
@@ -0,0 +1,101 @@ +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "external-secrets.fullname" . }}-controller + labels: + {{- include "external-secrets.labels" . | nindent 4 }} +rules: + - apiGroups: + - "external-secrets.io" + resources: + - "secretstores" + - "clustersecretstores" + - "externalsecrets" + verbs: + - "get" + - "list" + - "watch" + - apiGroups: + - "external-secrets.io" + resources: + - "externalsecrets" + - "externalsecrets/status" + verbs: + - "update" + - "patch" + - apiGroups: + - "" + resources: + - "secrets" + verbs: + - "get" + - "list" + - "watch" + - "create" + - "update" + - "delete" + - apiGroups: + - "" + resources: + - "events" + verbs: + - "create" + - "patch" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "external-secrets.fullname" . }}-controller + labels: + {{- include "external-secrets.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "external-secrets.fullname" . }}-controller +subjects: + - name: {{ include "external-secrets.serviceAccountName" . }} + namespace: {{ .Release.Namespace | quote }} + kind: ServiceAccount +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "external-secrets.fullname" . }}-leaderelection + namespace: {{ .Release.Namespace | quote }} + labels: + {{- include "external-secrets.labels" . | nindent 4 }} +rules: + - apiGroups: + - "" + resources: + - "configmaps" + resourceNames: + - "external-secrets-controller" + verbs: + - "get" + - "update" + - "patch" + - apiGroups: + - "" + resources: + - "configmaps" + verbs: + - "create" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "external-secrets.fullname" . }}-leaderelection + namespace: {{ .Release.Namespace | quote }} + labels: + {{- include "external-secrets.labels" . 
| nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "external-secrets.fullname" . }}-leaderelection +subjects: + - kind: ServiceAccount + name: {{ include "external-secrets.serviceAccountName" . }} + namespace: {{ .Release.Namespace | quote }} +{{- end }} diff --git a/deploy/charts/external-secrets/templates/service.yaml b/deploy/charts/external-secrets/templates/service.yaml new file mode 100644 index 000000000..6c95edd05 --- /dev/null +++ b/deploy/charts/external-secrets/templates/service.yaml @@ -0,0 +1,20 @@ +{{- if .Values.prometheus.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "external-secrets.fullname" . }}-metrics + labels: + {{- include "external-secrets.labels" . | nindent 4 }} + annotations: + prometheus.io/path: "/metrics" + prometheus.io/scrape: "true" + prometheus.io/port: {{ .Values.prometheus.service.port | quote }} +spec: + type: ClusterIP + ports: + - port: {{ .Values.prometheus.service.port }} + targetPort: {{ .Values.prometheus.service.port }} + protocol: TCP + selector: + {{- include "external-secrets.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/deploy/charts/external-secrets/templates/serviceaccount.yaml b/deploy/charts/external-secrets/templates/serviceaccount.yaml new file mode 100644 index 000000000..911638fb4 --- /dev/null +++ b/deploy/charts/external-secrets/templates/serviceaccount.yaml @@ -0,0 +1,12 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "external-secrets.serviceAccountName" . }} + labels: + {{- include "external-secrets.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/deploy/charts/external-secrets/values.yaml b/deploy/charts/external-secrets/values.yaml new file mode 100644 index 000000000..419b06473 --- /dev/null +++ b/deploy/charts/external-secrets/values.yaml 
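Review bot: The ClusterRole grants only get/list/watch on `secretstores` and `clustersecretstores` and nothing on their `/status` subresources, while the kubebuilder markers in secretstore_controller.go further down this patch declare `secretstores` verbs=get;list;watch;create;update;patch;delete and `secretstores/status` verbs=get;update;patch, so the chart and the generated RBAC disagree. The chart is the narrower of the two, which is the right direction for least privilege, but it should be a deliberate choice: either add `- "secretstores/status"` and `- "clustersecretstores/status"` to the update/patch rule if the controller writes status, or trim the markers to match. Separately, the leader-election Role hard-codes `resourceNames: - "external-secrets-controller"` while every other name derives from `external-secrets.fullname`; if the lock name configured in main.go (not visible here) ever follows the release name, leader election would be denied on a renamed release — worth a comment in the template naming where that id is set.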
@@ -0,0 +1,68 @@ +replicaCount: 1 + +image: + repository: ghcr.io/external-secrets/external-secrets + pullPolicy: IfNotPresent + # -- The image tag to use. The default is the chart appVersion. + tag: "" + +# -- If set, install and upgrade CRDs through helm chart. +installCRDs: true + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +# -- If true, external-secrets will perform leader election between instances to ensure no more +# than one instance of external-secrets operates at a time. +leaderElect: false + +serviceAccount: + # -- Specifies whether a service account should be created. + create: true + # -- Annotations to add to the service account. + annotations: {} + # -- The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template. + name: "" + +rbac: + # -- Specifies whether role and rolebinding resources should be created. + create: true + +## -- Extra environment variables to add to container. +extraEnv: [] + +## -- Map of extra arguments to pass to container. +extraArgs: {} + +podAnnotations: {} +podLabels: {} + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +resources: {} + # requests: + # cpu: 10m + # memory: 32Mi + +prometheus: + # -- Specifies whether to expose Service resource for collecting Prometheus metrics + enabled: false + service: + port: 8080 + +nodeSelector: {} + +tolerations: [] + +affinity: {} diff --git a/controllers/externalsecret_controller.go b/pkg/controllers/externalsecret/externalsecret_controller.go similarity index 95% rename from controllers/externalsecret_controller.go rename to pkg/controllers/externalsecret/externalsecret_controller.go index 479847636..9c2dc2ad6 100644 --- a/controllers/externalsecret_controller.go +++ b/pkg/controllers/externalsecret/externalsecret_controller.go 
@@ -12,7 +12,7 @@ See the License for the specific language governing permissions and limitations under the License. */ -package controllers +package externalsecret import ( "context" @@ -28,8 +28,9 @@ import ( "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil" - esv1alpha1 "github.com/external-secrets/external-secrets/api/v1alpha1" + esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1" "github.com/external-secrets/external-secrets/pkg/provider" + utils "github.com/external-secrets/external-secrets/pkg/utils" // Loading registered providers. _ "github.com/external-secrets/external-secrets/pkg/provider/register" @@ -140,7 +141,7 @@ func (r *ExternalSecretReconciler) getProviderSecretData(ctx context.Context, pr return nil, fmt.Errorf("key %q from ExternalSecret %q: %w", remoteRef.Key, externalSecret.Name, err) } - providerData = Merge(providerData, secretMap) + providerData = utils.Merge(providerData, secretMap) } for _, secretRef := range externalSecret.Spec.Data { diff --git a/controllers/suite_test.go b/pkg/controllers/externalsecret/suite_test.go similarity index 90% rename from controllers/suite_test.go rename to pkg/controllers/externalsecret/suite_test.go index 38c8ea3ea..7c73e2e94 100644 --- a/controllers/suite_test.go +++ b/pkg/controllers/externalsecret/suite_test.go @@ -12,7 +12,7 @@ See the License for the specific language governing permissions and limitations under the License. */ -package controllers +package externalsecret import ( "path/filepath" @@ -28,7 +28,7 @@ import ( logf "sigs.k8s.io/controller-runtime/pkg/log" "sigs.k8s.io/controller-runtime/pkg/log/zap" - externalsecretsv1alpha1 "github.com/external-secrets/external-secrets/api/v1alpha1" + esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1" ) // These tests use Ginkgo (BDD-style Go testing framework). Refer to 
@@ -59,10 +59,10 @@ var _ = BeforeSuite(func(done Done) { Expect(err).ToNot(HaveOccurred()) Expect(cfg).ToNot(BeNil()) - err = externalsecretsv1alpha1.AddToScheme(scheme.Scheme) + err = esv1alpha1.AddToScheme(scheme.Scheme) Expect(err).NotTo(HaveOccurred()) - err = externalsecretsv1alpha1.AddToScheme(scheme.Scheme) + err = esv1alpha1.AddToScheme(scheme.Scheme) Expect(err).NotTo(HaveOccurred()) // +kubebuilder:scaffold:scheme diff --git a/controllers/secretstore_controller.go b/pkg/controllers/secretstore/secretstore_controller.go similarity index 74% rename from controllers/secretstore_controller.go rename to pkg/controllers/secretstore/secretstore_controller.go index 58033ab3c..81c9abbbb 100644 --- a/controllers/secretstore_controller.go +++ b/pkg/controllers/secretstore/secretstore_controller.go @@ -12,7 +12,7 @@ See the License for the specific language governing permissions and limitations under the License. */ -package controllers +package secretstore import ( "context" @@ -22,11 +22,11 @@ import ( ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/client" - externalsecretsv1alpha1 "github.com/external-secrets/external-secrets/api/v1alpha1" + esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1" ) -// SecretStoreReconciler reconciles a SecretStore object. -type SecretStoreReconciler struct { +// Reconciler reconciles a SecretStore object. +type Reconciler struct { client.Client Log logr.Logger Scheme *runtime.Scheme 
@@ -35,7 +35,7 @@ type SecretStoreReconciler struct { // +kubebuilder:rbac:groups=external-secrets.io,resources=secretstores,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=external-secrets.io,resources=secretstores/status,verbs=get;update;patch -func (r *SecretStoreReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) { +func (r *Reconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) { _ = context.Background() _ = r.Log.WithValues("secretstore", req.NamespacedName) @@ -44,8 +44,8 @@ func (r *SecretStoreReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) return ctrl.Result{}, nil } -func (r *SecretStoreReconciler) SetupWithManager(mgr ctrl.Manager) error { +func (r *Reconciler) SetupWithManager(mgr ctrl.Manager) error { return ctrl.NewControllerManagedBy(mgr). - For(&externalsecretsv1alpha1.SecretStore{}). + For(&esv1alpha1.SecretStore{}). Complete(r) } diff --git a/pkg/controllers/secretstore/suite_test.go b/pkg/controllers/secretstore/suite_test.go new file mode 100644 index 000000000..422c9f4b5 --- /dev/null +++ b/pkg/controllers/secretstore/suite_test.go 
@@ -0,0 +1,81 @@ +/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package secretstore + +import ( + "path/filepath" + "testing" + + . "github.com/onsi/ginkgo" + . "github.com/onsi/gomega" + "k8s.io/client-go/kubernetes/scheme" + "k8s.io/client-go/rest" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/envtest" + "sigs.k8s.io/controller-runtime/pkg/envtest/printer" + logf "sigs.k8s.io/controller-runtime/pkg/log" + "sigs.k8s.io/controller-runtime/pkg/log/zap" + + esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1" +) + +// These tests use Ginkgo (BDD-style Go testing framework). Refer to +// http://onsi.github.io/ginkgo/ to learn more about Ginkgo. 
+ +var cfg *rest.Config +var k8sClient client.Client +var testEnv *envtest.Environment + +func TestAPIs(t *testing.T) { + RegisterFailHandler(Fail) + + RunSpecsWithDefaultAndCustomReporters(t, + "Controller Suite", + []Reporter{printer.NewlineReporter{}}) +} + +var _ = BeforeSuite(func(done Done) { + logf.SetLogger(zap.LoggerTo(GinkgoWriter, true)) + + By("bootstrapping test environment") + testEnv = &envtest.Environment{ + CRDDirectoryPaths: []string{filepath.Join("..", "config", "crd", "bases")}, + } + + var err error + cfg, err = testEnv.Start() + Expect(err).ToNot(HaveOccurred()) + Expect(cfg).ToNot(BeNil()) + + err = esv1alpha1.AddToScheme(scheme.Scheme) + Expect(err).NotTo(HaveOccurred()) + + err = esv1alpha1.AddToScheme(scheme.Scheme) + Expect(err).NotTo(HaveOccurred()) + + // +kubebuilder:scaffold:scheme + + k8sClient, err = client.New(cfg, client.Options{Scheme: scheme.Scheme}) + Expect(err).ToNot(HaveOccurred()) + Expect(k8sClient).ToNot(BeNil()) + + close(done) +}, 60) + +var _ = AfterSuite(func() { + By("tearing down the test environment") + err := testEnv.Stop() + Expect(err).ToNot(HaveOccurred()) +}) diff --git a/pkg/provider/aws/secretsmanager/secretsmanager.go b/pkg/provider/aws/secretsmanager/secretsmanager.go index 7e157ac91..7c568c30e 100644 --- a/pkg/provider/aws/secretsmanager/secretsmanager.go +++ b/pkg/provider/aws/secretsmanager/secretsmanager.go @@ -18,7 +18,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/client" - esv1alpha1 "github.com/external-secrets/external-secrets/api/v1alpha1" + esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1" "github.com/external-secrets/external-secrets/pkg/provider" "github.com/external-secrets/external-secrets/pkg/provider/schema" ) diff --git a/pkg/provider/fake/fake.go b/pkg/provider/fake/fake.go index 1d074f321..c6f82fcf8 100644 --- a/pkg/provider/fake/fake.go +++ b/pkg/provider/fake/fake.go 
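Review bot: `CRDDirectoryPaths: []string{filepath.Join("..", "config", "crd", "bases")}` no longer points at the CRDs after this file lands in `pkg/controllers/secretstore/`: `go test` runs with the package directory as cwd, so `..` resolves to `pkg/controllers`, and envtest will either fail to start or start without the SecretStore CRD; the path should be `filepath.Join("..", "..", "..", "config", "crd", "bases")`. The renamed externalsecret suite_test.go presumably carries the same relative path and needs the same change, though that line is outside its visible hunk. The second `err = esv1alpha1.AddToScheme(scheme.Scheme)` in BeforeSuite is a duplicate of the call three lines above and can be dropped.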
@@ -19,7 +19,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/client" - esv1alpha1 "github.com/external-secrets/external-secrets/api/v1alpha1" + esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1" "github.com/external-secrets/external-secrets/pkg/provider" "github.com/external-secrets/external-secrets/pkg/provider/schema" ) @@ -28,7 +28,7 @@ var _ provider.Provider = &Client{} // Client is a fake client for testing. type Client struct { - NewFn func(context.Context, esv1alpha1.GenericStore, client.Client, + NewFn func(context.Context, esv1alpha1.SecretStoreProvider, client.Client, string) (provider.Provider, error) GetSecretFn func(context.Context, esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) GetSecretMapFn func(context.Context, esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) @@ -45,7 +45,7 @@ func New() *Client { }, } - v.NewFn = func(context.Context, esv1alpha1.GenericStore, client.Client, string) (provider.Provider, error) { + v.NewFn = func(context.Context, esv1alpha1.SecretStoreProvider, client.Client, string) (provider.Provider, error) { return nil, nil } @@ -84,14 +84,14 @@ func (v *Client) WithGetSecretMap(secData map[string][]byte, err error) *Client } // WithNew wraps the fake provider factory function. -func (v *Client) WithNew(f func(context.Context, esv1alpha1.GenericStore, client.Client, +func (v *Client) WithNew(f func(context.Context, esv1alpha1.SecretStoreProvider, client.Client, string) (provider.Provider, error)) *Client { v.NewFn = f return v } // New returns a new fake provider. -func (v *Client) New(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string) (provider.Provider, error) { +func (v *Client) New(ctx context.Context, store esv1alpha1.SecretStoreProvider, kube client.Client, namespace string) (provider.Provider, error) { client, err := v.NewFn(ctx, store, kube, namespace) if err != nil { return nil, err 
diff --git a/pkg/provider/provider.go b/pkg/provider/provider.go index df5328d4a..e42a3cb72 100644 --- a/pkg/provider/provider.go +++ b/pkg/provider/provider.go @@ -19,7 +19,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/client" - esv1alpha1 "github.com/external-secrets/external-secrets/api/v1alpha1" + esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1" ) // Provider is a common interface for interacting with secret backends. diff --git a/pkg/provider/schema/schema.go b/pkg/provider/schema/schema.go index 3978a892c..82e5e308c 100644 --- a/pkg/provider/schema/schema.go +++ b/pkg/provider/schema/schema.go @@ -19,7 +19,7 @@ import ( "fmt" "sync" - esv1alpha1 "github.com/external-secrets/external-secrets/api/v1alpha1" + esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1" "github.com/external-secrets/external-secrets/pkg/provider" ) @@ -71,8 +71,8 @@ func GetProviderByName(name string) (provider.Provider, bool) { // GetProvider returns the provider from the generic store. func GetProvider(s esv1alpha1.GenericStore) (provider.Provider, error) { - provider := s.GetProvider() - storeName, err := getProviderName(provider) + spec := s.GetSpec() + storeName, err := getProviderName(spec.Provider) if err != nil { return nil, fmt.Errorf("store error for %s: %w", s.GetName(), err) } diff --git a/pkg/provider/schema/schema_test.go b/pkg/provider/schema/schema_test.go index 132932402..a399e3e37 100644 --- a/pkg/provider/schema/schema_test.go +++ b/pkg/provider/schema/schema_test.go 
@@ -20,14 +20,14 @@ import ( "github.com/stretchr/testify/assert" "sigs.k8s.io/controller-runtime/pkg/client" - esv1alpha1 "github.com/external-secrets/external-secrets/api/v1alpha1" + esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1" "github.com/external-secrets/external-secrets/pkg/provider" ) type PP struct{} // New constructs a SecretsManager Provider. -func (p *PP) New(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string) (provider.Provider, error) { +func (p *PP) New(ctx context.Context, store esv1alpha1.SecretStoreProvider, kube client.Client, namespace string) (provider.Provider, error) { return p, nil } @@ -44,11 +44,23 @@ func (p *PP) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretData func TestRegister(t *testing.T) { p, ok := GetProviderByName("awssm") assert.Nil(t, p) - assert.False(t, ok) - ForceRegister(&PP{}, &esv1alpha1.SecretStoreProvider{ - AWSSM: &esv1alpha1.AWSSMProvider{}, - }) - p, ok = GetProviderByName("awssm") - assert.NotNil(t, p) - assert.True(t, ok) + assert.False(t, ok, "provider should not be registered") + + testProvider := &PP{} + secretStore := &esv1alpha1.SecretStore{ + Spec: esv1alpha1.SecretStoreSpec{ + Provider: &esv1alpha1.SecretStoreProvider{ + AWSSM: &esv1alpha1.AWSSMProvider{}, + }, + }, + } + + ForceRegister(testProvider, secretStore.Spec.Provider) + p1, ok := GetProviderByName("awssm") + assert.True(t, ok, "provider should be registered") + assert.Equal(t, testProvider, p1) + + p2, err := GetProvider(secretStore) + assert.Nil(t, err) + assert.Equal(t, testProvider, p2) } diff --git a/controllers/utils.go b/pkg/utils/utils.go similarity index 95% rename from controllers/utils.go rename to pkg/utils/utils.go index adf95db09..7ed9d1b2d 100644 --- a/controllers/utils.go +++ b/pkg/utils/utils.go 
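Review bot: `assert.Nil(t, err)` after `GetProvider(secretStore)` should be `assert.NoError(t, err)`, which prints the error text on failure instead of a bare non-nil report. The test also relies on `ForceRegister` mutating the package-level registry and never unregisters `testProvider`, so any other test in the package that calls `GetProviderByName("awssm")` sees this state depending on run order; a short comment saying so, or a cleanup step if the registry exposes one, would make that explicit.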
@@ -2,9 +2,7 @@ Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at - http://www.apache.org/licenses/LICENSE-2.0 - Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -12,8 +10,9 @@ See the License for the specific language governing permissions and limitations under the License. */ -package controllers +package utils +// Merge maps func Merge(src, dst map[string][]byte) map[string][]byte { for k, v := range dst { src[k] = v From 8c79f1458ca441807588e963c05a35c0fe36d3ea Mon Sep 17 00:00:00 2001 From: Lucas Severo Alves Date: Wed, 27 Jan 2021 12:26:58 +0100 Subject: [PATCH 10/11] Fix reconciler name typo --- main.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.go b/main.go index 8a5b97a14..00922af21 100644 --- a/main.go +++ b/main.go @@ -73,7 +73,7 @@ func main() { setupLog.Error(err, "unable to create controller", "controller", "SecretStore") os.Exit(1) } - if err = (&externalsecret.Reconciler{ + if err = (&externalsecret.ExternalSecretReconciler{ Client: mgr.GetClient(), Log: ctrl.Log.WithName("controllers").WithName("ExternalSecret"), Scheme: mgr.GetScheme(), From 60aaecf76b69e21d6eee7b7ce5356ade5b3d012a Mon Sep 17 00:00:00 2001 From: Lucas Severo Alves Date: Wed, 27 Jan 2021 12:41:22 +0100 Subject: [PATCH 11/11] Linter fixes --- main.go | 2 +- .../externalsecret/externalsecret_controller.go | 14 +++++++------- pkg/provider/fake/fake.go | 8 ++++---- pkg/provider/schema/schema_test.go | 2 +- pkg/utils/utils.go | 2 +- 5 files changed, 14 insertions(+), 14 deletions(-) diff --git a/main.go b/main.go index 00922af21..8a5b97a14 100644 --- a/main.go +++ b/main.go 
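Review bot: `// Merge maps` does not describe the contract of an exported function: the body copies every entry of `dst` into `src`, overwriting existing keys, and returns the mutated `src`, which is the reverse of what the parameter names suggest. Suggested comment: `// Merge copies every entry of dst into src, overwriting keys already present, and returns the mutated src; src must be non-nil.` The later "Linter fixes" hunk that changes this to `// Merge maps.` has the same gap and should take the same wording. The function body continues past the end of this hunk.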
@@ -73,7 +73,7 @@ func main() { setupLog.Error(err, "unable to create controller", "controller", "SecretStore") os.Exit(1) } - if err = (&externalsecret.ExternalSecretReconciler{ + if err = (&externalsecret.Reconciler{ Client: mgr.GetClient(), Log: ctrl.Log.WithName("controllers").WithName("ExternalSecret"), Scheme: mgr.GetScheme(), diff --git a/pkg/controllers/externalsecret/externalsecret_controller.go b/pkg/controllers/externalsecret/externalsecret_controller.go index 5bc5fcfc1..0e26d6f4f 100644 --- a/pkg/controllers/externalsecret/externalsecret_controller.go +++ b/pkg/controllers/externalsecret/externalsecret_controller.go @@ -30,11 +30,11 @@ import ( esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1" "github.com/external-secrets/external-secrets/pkg/provider" - "github.com/external-secrets/external-secrets/pkg/utils" // Loading registered providers. _ "github.com/external-secrets/external-secrets/pkg/provider/register" - "github.com/external-secrets/external-secrets/pkg/provider/schema" + schema "github.com/external-secrets/external-secrets/pkg/provider/schema" + utils "github.com/external-secrets/external-secrets/pkg/utils" ) const ( @@ -42,7 +42,7 @@ const ( ) // ExternalSecretReconciler reconciles a ExternalSecret object. -type ExternalSecretReconciler struct { +type Reconciler struct { client.Client Log logr.Logger Scheme *runtime.Scheme @@ -51,7 +51,7 @@ type ExternalSecretReconciler struct { // +kubebuilder:rbac:groups=external-secrets.io,resources=externalsecrets,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=external-secrets.io,resources=externalsecrets/status,verbs=get;update;patch -func (r *ExternalSecretReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) { +func (r *Reconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) { ctx := context.Background() log := r.Log.WithValues("ExternalSecret", req.NamespacedName) 
@@ -115,7 +115,7 @@ func (r *ExternalSecretReconciler) Reconcile(req ctrl.Request) (ctrl.Result, err return ctrl.Result{}, nil } -func (r *ExternalSecretReconciler) getStore(ctx context.Context, externalSecret *esv1alpha1.ExternalSecret) (esv1alpha1.GenericStore, error) { +func (r *Reconciler) getStore(ctx context.Context, externalSecret *esv1alpha1.ExternalSecret) (esv1alpha1.GenericStore, error) { // TODO: Implement getting ClusterSecretStore var secretStore esv1alpha1.SecretStore @@ -132,7 +132,7 @@ func (r *ExternalSecretReconciler) getStore(ctx context.Context, externalSecret return &secretStore, nil } -func (r *ExternalSecretReconciler) getProviderSecretData(ctx context.Context, providerClient provider.Provider, externalSecret *esv1alpha1.ExternalSecret) (map[string][]byte, error) { +func (r *Reconciler) getProviderSecretData(ctx context.Context, providerClient provider.Provider, externalSecret *esv1alpha1.ExternalSecret) (map[string][]byte, error) { providerData := make(map[string][]byte) for _, remoteRef := range externalSecret.Spec.DataFrom { @@ -156,7 +156,7 @@ func (r *ExternalSecretReconciler) getProviderSecretData(ctx context.Context, pr return providerData, nil } -func (r *ExternalSecretReconciler) SetupWithManager(mgr ctrl.Manager) error { +func (r *Reconciler) SetupWithManager(mgr ctrl.Manager) error { return ctrl.NewControllerManagedBy(mgr). For(&esv1alpha1.ExternalSecret{}). Owns(&corev1.Secret{}). diff --git a/pkg/provider/fake/fake.go b/pkg/provider/fake/fake.go index c6f82fcf8..7eea2f798 100644 --- a/pkg/provider/fake/fake.go +++ b/pkg/provider/fake/fake.go 
@@ -28,7 +28,7 @@ var _ provider.Provider = &Client{} // Client is a fake client for testing. type Client struct { - NewFn func(context.Context, esv1alpha1.SecretStoreProvider, client.Client, + NewFn func(context.Context, esv1alpha1.GenericStore, client.Client, string) (provider.Provider, error) GetSecretFn func(context.Context, esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) GetSecretMapFn func(context.Context, esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) @@ -45,7 +45,7 @@ func New() *Client { }, } - v.NewFn = func(context.Context, esv1alpha1.SecretStoreProvider, client.Client, string) (provider.Provider, error) { + v.NewFn = func(context.Context, esv1alpha1.GenericStore, client.Client, string) (provider.Provider, error) { return nil, nil } @@ -84,14 +84,14 @@ func (v *Client) WithGetSecretMap(secData map[string][]byte, err error) *Client } // WithNew wraps the fake provider factory function. -func (v *Client) WithNew(f func(context.Context, esv1alpha1.SecretStoreProvider, client.Client, +func (v *Client) WithNew(f func(context.Context, esv1alpha1.GenericStore, client.Client, string) (provider.Provider, error)) *Client { v.NewFn = f return v } // New returns a new fake provider. -func (v *Client) New(ctx context.Context, store esv1alpha1.SecretStoreProvider, kube client.Client, namespace string) (provider.Provider, error) { +func (v *Client) New(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string) (provider.Provider, error) { client, err := v.NewFn(ctx, store, kube, namespace) if err != nil { return nil, err diff --git a/pkg/provider/schema/schema_test.go b/pkg/provider/schema/schema_test.go index a399e3e37..6cfc55047 100644 --- a/pkg/provider/schema/schema_test.go +++ b/pkg/provider/schema/schema_test.go 
@@ -27,7 +27,7 @@ import ( type PP struct{} // New constructs a SecretsManager Provider. -func (p *PP) New(ctx context.Context, store esv1alpha1.SecretStoreProvider, kube client.Client, namespace string) (provider.Provider, error) { +func (p *PP) New(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string) (provider.Provider, error) { return p, nil } diff --git a/pkg/utils/utils.go b/pkg/utils/utils.go index 7ed9d1b2d..824b6dd51 100644 --- a/pkg/utils/utils.go +++ b/pkg/utils/utils.go @@ -12,7 +12,7 @@ limitations under the License. package utils -// Merge maps +// Merge maps. func Merge(src, dst map[string][]byte) map[string][]byte { for k, v := range dst { src[k] = v