* Add JWT Auth to Conjur Provider
Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>
* Update docs for Cyberark Conjur Provider
Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>
* Update test suite to cover new functionality
Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>
* Run make reviewable
Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>
* Set MinVersion for tls.Config to satisfy linting
Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>
* Move ca bundle config example to a yaml snippet
Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>
* fix: consolidate naming
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* fix: consolidate naming
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* docs: make it a working example
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* Remove JWT expiration handling logic
Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>
* Run make fmt
Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>
---------
Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
* chore: remove unused servicemonitor-values from helm-chart
The templates for the servicemonitors of the webhook-deployment and the
certController have been removed in
https://github.com/external-secrets/external-secrets/pull/2136. This
commit removes the corresponding values in the values.yaml which are now
obsolete.
Signed-off-by: alexanderwoehler <alexander@woehler.org>
* docs: remove references to deleted servicemonitor-values from docs
Signed-off-by: alexanderwoehler <alexander@woehler.org>
---------
Signed-off-by: alexanderwoehler <alexander@woehler.org>
* Add support for cert-manager managed webhook certs
Signed-off-by: Eric Stokes <fernferret@gmail.com>
* Ran make helm.docs to update README.md
Signed-off-by: Eric Stokes <fernferret@gmail.com>
* Added unittests for chart
Signed-off-by: Eric Stokes <fernferret@gmail.com>
* tidy: Fixed trailing whitespace
Signed-off-by: Eric Stokes <fernferret@gmail.com>
---------
Signed-off-by: Eric Stokes <fernferret@gmail.com>
* Add Conjur provider
Signed-off-by: David Hisel <David.Hisel@CyberArk.com>
* fix: lint
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* fix: unit tests
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
---------
Signed-off-by: David Hisel <David.Hisel@CyberArk.com>
Signed-off-by: David Hisel <132942678+davidh-cyberark@users.noreply.github.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
* feat: allow to set a common set of labels in the helm chart
Signed-off-by: Maxime Guillet <6997681+maximeguillet@users.noreply.github.com>
* fix: update helm snapshot
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
---------
Signed-off-by: Maxime Guillet <6997681+maximeguillet@users.noreply.github.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
* feat: added session tag capability to assume role
modified apis/externalsecrets/v1beta1/secretstore_aws_types.go to expect session tags and transitive tags structs
modified pkg/provider/aws/auth/auth.go to pass session tags if they exist
Signed-off-by: Nima Fotouhi <fotouhi@live.com>
* fix: make build errors (JSON serialization error)
modified apis/externalsecrets/v1beta1/secretstore_aws_types.go to include a new custom struct (Tag) used with SessionTags instead of []*sts.Tag
modified pkg/provider/aws/auth/auth.go to convert custom Tag struct to sts.Tag before passing to assume role API call
Signed-off-by: Nima Fotouhi <fotouhi@live.com>
* removed unnecessary commented out code
Signed-off-by: Nima Fotouhi <fotouhi@live.com>
* chore(deps): bump actions/setup-python from 4.6.0 to 4.6.1 (#2366)
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.6.0 to 4.6.1.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/v4.6.0...v4.6.1)
---
updated-dependencies:
- dependency-name: actions/setup-python
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Nima Fotouhi <fotouhi@live.com>
* 📚 Update stability-support.md (#2363)
Staring 0.82, IBM Cloud Secrets Manager supports fetching secrets by name as well as ID.
Signed-off-by: Idan Adar <iadar@il.ibm.com>
Signed-off-by: Nima Fotouhi <fotouhi@live.com>
* feat: ran make reviewable tasks (except for docs)
Signed-off-by: Nima Fotouhi <fotouhi@live.com>
* refractor: made addition of TransitiveTagKeys to setAssumeRoleOptions dependant to presence of SessionTags. So if user includes Transitive Tags in SecretStore definition without Session Tags, tags get ignored
Signed-off-by: Nima Fotouhi <fotouhi@live.com>
---------
Signed-off-by: Nima Fotouhi <fotouhi@live.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Idan Adar <iadar@il.ibm.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Idan Adar <iadar@il.ibm.com>
* chore: update dependencies
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* chore: get rid of argo dependency to be independent of their k8s
versioning
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
---------
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* Add API changes for push secret to k8s
- Property field similar to ExternalSecret
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* rebase: merge commits
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* New Test cases for existing PushSecret Logic
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* feat: replace property if it exists, but differs
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* feat: restrict usage to having a property always
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* chore: refactor delete to work with property only and cleanup whole secret only if it would be empty otherwise
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* feat: refuse to work without property in spec
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* chore: cleanup code, make it more readable
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* feat: add metric calls for kubernetes
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* chore: reorder test cases
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* feat: make property optional to not break compatibility
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* fix: adapt fake impls to include new method to fix tests
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* feat: change status-ref to include property to allow multi property deletes
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* chore: fix make reviewable complains
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* fix: fix imports from merge conflict
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* chore: adapt latest make reviewable suggestions
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* docs: update push secret support for k8s provider
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* docs: add Kubernetes PushSecret docs
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
---------
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
The Service Binding for Kubernetes project (servicebinding.io) is a spec
to make it easier for workloads to consume services. At runtime, the
ServiceBinding resource references a service resources and workload
resource to connect to the service. The Secret for a service is
projected into a workload resource at a well known path.
Services can advertise the name of the Secret representing the service
on it's status at `.status.binding.name`. Hosting the name of a Secret
at this location is the Provisioned Service duck type. It has the effect
of decoupling the logical consumption of a service from the physical
Secret holding state.
Using ServiceBindings with ExternalSecrets today requires the user to
directly know and reference the Secret created by the ExternalSecret as
the service reference. This PR adds the name of the Secret to the status
of the ExternalSecret at a well known location where it is be discovered
by a ServiceBinding. With this change, user can reference an
ExternalSecret from a ServiceBinding.
A ClusterRole is also added with a well known label for the
ServiceBinding controller to have permission to watch ExternalSecrets
and read the binding Secret.
ClusterExternalSecret was not modified as ServiceBindings are limited to
the scope of a single namespace.
Signed-off-by: Scott Andrews <andrewssc@vmware.com>
* feat: add generator for vaultdynamicsecret
* Added controllerClass on VaultDynamicSecret
* Added controllerClass on VaultDynamicSecret
Signed-off-by: rdeepc <12953177+rdeepc@users.noreply.github.com>
* Fixed lint
Signed-off-by: rdeepc <12953177+rdeepc@users.noreply.github.com>
* Fixed hack bash
Signed-off-by: rdeepc <12953177+rdeepc@users.noreply.github.com>
* feat: Implemented generator controller class support
- Controller class support in VaultDynamicSecret
- Controller class support in Fake
Signed-off-by: rdeepc <12953177+rdeepc@users.noreply.github.com>
* feat: Implemented Generator controller class check
Signed-off-by: rdeepc <12953177+rdeepc@users.noreply.github.com>
* feat: Implemented Generator controller class check
Signed-off-by: rdeepc <dpr0413@gmail.com>
* feat: Implemented Generator controller class check
Signed-off-by: rdeepc <dpr0413@gmail.com>
* feat: hoist controller class check to the top
The generator controller class check should be at the very top of the
reconcile function just like the other secretStore class check.
Otherwise we would return an error and as a result set the status field on the es
resource - which is undesirable. The controller should completely
ignore the resource instead.
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
---------
Signed-off-by: rdeepc <12953177+rdeepc@users.noreply.github.com>
Signed-off-by: rdeepc <dpr0413@gmail.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Frederic Mereu <frederic.mereu@gaming1.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
* allow vault roleId to come from k8s Secret
Signed-off-by: intrand <intrand@users.noreply.github.com>
* mark RoleID as optional in kubebuilder
Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: intrand <intrand@users.noreply.github.com>
* mark RoleRef as optional in kubebuilder
Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: intrand <intrand@users.noreply.github.com>
* validate RoleRef through webhook
Signed-off-by: intrand <intrand@users.noreply.github.com>
* chore: make fmt/reviewable vault roleId addition
Signed-off-by: Brian Richardson <brianthemathguy@gmail.com>
---------
Signed-off-by: intrand <intrand@users.noreply.github.com>
Signed-off-by: Brian Richardson <brianthemathguy@gmail.com>
Co-authored-by: intrand <intrand@users.noreply.github.com>
Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com>
