* allow vault roleId to come from k8s Secret
Signed-off-by: intrand <intrand@users.noreply.github.com>
* mark RoleID as optional in kubebuilder
Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: intrand <intrand@users.noreply.github.com>
* mark RoleRef as optional in kubebuilder
Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: intrand <intrand@users.noreply.github.com>
* validate RoleRef through webhook
Signed-off-by: intrand <intrand@users.noreply.github.com>
* chore: make fmt/reviewable vault roleId addition
Signed-off-by: Brian Richardson <brianthemathguy@gmail.com>
---------
Signed-off-by: intrand <intrand@users.noreply.github.com>
Signed-off-by: Brian Richardson <brianthemathguy@gmail.com>
Co-authored-by: intrand <intrand@users.noreply.github.com>
Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com>
support alibaba oidc assume role
---------
Signed-off-by: Maxim Rubchinsky <maxim.rubchinsky@wiz.io>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
Added external id field to struct. Wrote test in AWS provider to check
external ID field in IAM role. Added external id info to current log
when starting an aws session.
Signed-off-by: Cindy <choilmto@gmail.com>
* Added support for standard K8s labels in metrics
Signed-off-by: KA <110458464+kallymsft@users.noreply.github.com>
* Added feature-flag for label metrics
Signed-off-by: KA <110458464+kallymsft@users.noreply.github.com>
---------
Signed-off-by: KA <110458464+kallymsft@users.noreply.github.com>
* wip: basic structure of scaleway provider
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* test: add some tests for GetAllSecrets
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: implement PushSecret
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* test: improved test fixtures
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: allow finding secrets by project using the path property
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: add delete secret method
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* Delete dupplicate of push remote ref test implem
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: add capability to use a secret for configuring access token
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: implement GetSecretMap
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: filtering by name and projetc id
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* test: add test for finding secret by name regexp
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: config validation
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* fix: handle situation where no namespace is specified and we cannot provide a default
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: reference secrets by id or name
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* fix: invalid request caused by pagination handling
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: log the error when failing to access secret version
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* fix: pass context to sdk where missing
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: add a cache for reducing AccessSecretVersion() calls
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* refacto: use GetSecret with name instead of ListSecrets
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: allow using secret name in ExternalSecrets
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: use latest_enabled instead of latest
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* refacto: optimized PushSecret and improved its test coverage
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* fix: doesConfigDependOnNamespace was always true
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: use new api with refactored name-based endpoints
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* remove useless todo
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* fix: use secret names as key for GetAllSecrets
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: support gjson propery lookup
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: e2e tests
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* test: e2e test using secret to store api key
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* test: cleanup left over resources on the secret manager before each e2e run
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* doc: add doc for scaleway provider
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* refacto: fix lint issues
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* test: cleanup code in e2e was commented
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: the previous version is disabled when we push to a secret
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* doc: add comments to ScalewayProvider struct to point to console and doc
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: add missing e2e env vars for scaleway
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* docs: add scaleway to support/stability table
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
---------
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
* feat: rely on controller backoff/retry instead of static requeue
interval
Fixes#2088
more context in: https://github.com/external-secrets/external-secrets/pull/934
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* fix: respect refreshInterval on delete/retain
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
---------
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Before this PR it was required that the first PEM block contains the
certificate.
This PR parses all PEM blocks and returns the first certificate found.
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* metadata fetch now working in parameterstore
Signed-off-by: Sebastián Gómez <sebastiangomezcorrea@gmail.com>
* Little refactory and some tests added
Tags from secretmanager and from parameterstore are not the same structure, thus, the function TagsToJSONString has now two versions (SecretTagsToSJONString & ParametersTagsToJSONString)
Signed-off-by: Sebastián Gómez <sebastiangomezcorrea@gmail.com>
* New test cases
Signed-off-by: Sebastián Gómez <sebastiangomezcorrea@gmail.com>
* Refactored to lift some code smells
Signed-off-by: Sebastián Gómez <sebastiangomezcorrea@gmail.com>
* Constant for error message added (code smell)
Signed-off-by: Sebastián Gómez <sebastiangomezcorrea@gmail.com>
* L&F
Signed-off-by: Sebastián Gómez <sebastiangomezcorrea@gmail.com>
* Lint issue
Signed-off-by: Sebastián Gómez <sebastiangomezcorrea@gmail.com>
* fix: fmt
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
---------
Signed-off-by: Sebastián Gómez <sebastiangomezcorrea@gmail.com>
Signed-off-by: Sebastián Gómez <1637983+sebagomez@users.noreply.github.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
* feat: add provider metrics
This adds a counter metric `provider_api_calls_count` that observes
the results of upstream secret provider api calls.
(1) Observability
It allows an user to break down issues by provider and api call by
observing the status=error|success label. More details around the error
can be found in the logs.
(2) Cost Management
Some providers charge by API calls issued. By providing observability
for the number of calls issued helps users to understand the impact of
deploying ESO and fine-tuning `spec.refreshInterval`.
(3) Rate Limiting
Some providers implement rate-limiting for their services. Having
metrics
for success/failure count helps to understand how many requests are
issued by a given ESO deployment per cluster.
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* fix: add service monitor for cert-controller and add SLIs
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
---------
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
RBAC allows a user to define a wildcard `*` for a given field in the
Resource Rule. Prefix/Suffix matching or globbing is not supported,
just simple wildcards.
For example the cluster-admin role has a `*` on all
apiVersion/resource/verbs and hence validation would fail.
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* add keepersecurity provider
Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>
* 🧹chore: bumps (#1758)
Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>
* ✨Feature/push secret (#1315)
Introduces Push Secret feature with implementations for the following providers:
* GCP Secret Manager
* AWS Secrets Manager
* AWS Parameter Store
* Hashicorp Vault KV
Signed-off-by: Dominic Meddick <dominic.meddick@engineerbetter.com>
Signed-off-by: Amr Fawzy <amr.fawzy@container-solutions.com>
Signed-off-by: William Young <will.young@engineerbetter.com>
Signed-off-by: James Cleveland <james.cleveland@engineerbetter.com>
Signed-off-by: Lilly Daniell <lilly.daniell@engineerbetter.com>
Signed-off-by: Adrienne Galloway <adrienne.galloway@engineerbetter.com>
Signed-off-by: Marcus Dantas <marcus.dantas@engineerbetter.com>
Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: Nick Ruffles <nick.ruffles@engineerbetter.com>
Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>
* Fixing release pipeline for boringssl (#1763)
Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>
* chore: bump 0.7.0-rc1 (#1765)
Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>
* added documentation
Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>
* added pushSecret first iteration
Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>
* added pushSecret and updated documentation
Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>
* refactor client
Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>
* update code and unit tests
Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>
* fix code smells
Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>
* fix code smells
Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>
* fix custom fields
Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>
* making it reviewable
Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>
* fix custom field on secret map
Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>
* Update docs/snippets/keepersecurity-push-secret.yaml
Co-authored-by: Moritz Johner <moolen@users.noreply.github.com>
Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>
* fixed edge case, improved validation errors and updated docs
Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>
* fix logic retrieving secrets
Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>
* Update pkg/provider/keepersecurity/client.go
Co-authored-by: Moritz Johner <moolen@users.noreply.github.com>
Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>
* lint code
Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>
* linting code
Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>
* go linter fixed
Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>
* fix crds and documentation
Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>
---------
Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>
Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: Dominic Meddick <dominic.meddick@engineerbetter.com>
Signed-off-by: Amr Fawzy <amr.fawzy@container-solutions.com>
Signed-off-by: William Young <will.young@engineerbetter.com>
Signed-off-by: James Cleveland <james.cleveland@engineerbetter.com>
Signed-off-by: Lilly Daniell <lilly.daniell@engineerbetter.com>
Signed-off-by: Adrienne Galloway <adrienne.galloway@engineerbetter.com>
Signed-off-by: Marcus Dantas <marcus.dantas@engineerbetter.com>
Signed-off-by: Nick Ruffles <nick.ruffles@engineerbetter.com>
Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>
Co-authored-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>
Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com>
Co-authored-by: Moritz Johner <moolen@users.noreply.github.com>
* feat: implement referentAuth for aws
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* feat: e2e tests
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* Update pkg/provider/aws/provider.go
Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: Moritz Johner <moolen@users.noreply.github.com>
* Update pkg/provider/aws/provider.go
Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: Moritz Johner <moolen@users.noreply.github.com>
* feat: allow each credential to be referent
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Signed-off-by: Moritz Johner <moolen@users.noreply.github.com>
Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com>
* fix: increment sync_calls_total metric once per reconciliation
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* fix: patch status only if not skipped
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* fix: unit tests
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* gitlab: support for ci/cd group variables
Signed-off-by: Dominik Zeiger <dominik@zeiger.biz>
* gitlab: support for ci/cd group variables (automatically discover project groups)
Signed-off-by: Dominik Zeiger <dominik@zeiger.biz>
* gitlab: support for ci/cd group variables (documentation)
Signed-off-by: Dominik Zeiger <dominik@zeiger.biz>
Signed-off-by: Dominik Zeiger <dominik@zeiger.biz>
When using ClusterExternalSecret the controller needs to delete
external-secret resources
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* Implement oracle validator
Signed-off-by: Martin Schimandl <martin.schimandl@gmail.com>
* Add more granular OCI error handling
Signed-off-by: Martin Schimandl <martin.schimandl@gmail.com>
* Remove two newlines the linter does not like
Signed-off-by: Martin Schimandl <martin.schimandl@gmail.com>
Signed-off-by: Martin Schimandl <martin.schimandl@gmail.com>
This commit replaces `os.Setenv` with `t.Setenv` in tests. The
environment variable is automatically restored to its original value
when the test and all its subtests complete.
Reference: https://pkg.go.dev/testing#T.Setenv
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
The new functionality is controlled using the newly-introduced
--experimental-enable-vault-token-cache and
--experimental-vault-token-cache-size command-line flags.
Signed-off-by: NicEggert <nicholas.eggert@target.com>
* build(deps): bump sigs.k8s.io/controller-runtime from 0.11.2 to 0.12.3
Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.11.2 to 0.12.3.
- [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases)
- [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/master/RELEASE.md)
- [Commits](https://github.com/kubernetes-sigs/controller-runtime/compare/v0.11.2...v0.12.3)
---
updated-dependencies:
- dependency-name: sigs.k8s.io/controller-runtime
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* feat: bump kubernetes 1.24
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* fix: backwards-compatible vault implementation
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* feat: add audiences field to serviceAccountRef
This will be used by aws, azure, gcp, kubernetes & vault providers
in combination with TokenRequest API: it will _append_ audience claims
to provider-specific audiences.
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* feat: refactor kubernetes client to match provider/client interfaces
the kubernetes provider mixed up provider and client interfaces which
made it really hard to reason about. This commit separates into two
structs, each implements one interface.
The client struct fields have been renamed and annotated so their use
and scope is clear.
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* fix: deprecate expirationSeconds
expirationSeconds is not needed because we generate a
service account token on the fly for a single use.
There will be no replacement for this.
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* fix: rename token fetch audiences field
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* fix: generate CRDs
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
users of USGovCloud, ChinaCloud, GermanCloud need slightly different
configuration for AADEndpoint and keyvault resource.
This is based on CSI Secret Store Azure KV driver,
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
ConvertKeys is called in the external secrets controller
which takes care of mapping the keys.
Calling it before returning the data is a bug as it
interferes with the new rewrite feature.
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
This is for the case when the conversion webhook does not
set the conversionStrategy properly (it doesn't run the Defaulter).
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* Use gsed on macos.
Signed-off-by: Marcin Kubica <marcin.kubica@engineerbetter.com>
* Add private_cert support
* Add private_cert support
Co-authored-by: Marcin Kubica <marcin.kubica@engineerbetter.com>
Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
Signed-off-by: Marcin Kubica <marcin.kubica@engineerbetter.com>
Signed-off-by: William Young <will.young@engineerbetter.com>
