* feat: Add component labels to custom resource definitions
Prerequisite for restricting the CRDs cached by Informer
Signed-off-by: Tsubasa Nagasawa <toversus2357@gmail.com>
* feat(certcontroller): Allow restricting CRDs and Webhook configs in Informer cache
The certcontroller watches CRDs and Webhook configurations, and
manages CA certificates for conversion webhooks of CRDs and Webhook
configurations. Some clusters have a large number of CRDs and Webhook
configurations installed. Additionally, some CRDs have large object sizes.
Currently, the certcontroller holds all CRDs and Webhook configurations
in the Informer cache. Since this includes CRDs not managed by the
certcontroller for CA certificates, memory usage tends to be high.
This PR adds a label to the CRDs and configures the Informer cache to hold
only the CRDs and Webhook configurations restricted by the label selector.
It assumes that the CRDs have a label. Depending on how the External Secrets
Operator is managed, it may be possible to update the External Secrets
Operator without updating the CRDs, so as a precaution, it can be turned
on/off via a startup option. It is disabled by default.
Signed-off-by: Tsubasa Nagasawa <toversus2357@gmail.com>
---------
Signed-off-by: Tsubasa Nagasawa <toversus2357@gmail.com>
* feat: add push secret to e2e tests
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* finally, a fully working example for an e2e flow with push secret
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* fix value field duplication issue
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
---------
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
readiness probes are being executed independently from the
leader election status. The current implementation depends on
leader election (client cache etc.) to run properly.
This commit fixes that by short-circuiting the readiness probes
when the mgr is not the leader.
This bug surfaces when `leader-election=true` and cert-controller `replicas>=2`.
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Add an exit message when the certificate check triggers a fatal exit
(via cancel()). When cancel() is called, this cancels the main
context which causes the webhook to shutdown.
A return is also added to ensure the message "valid" comes out right
after "invalid" like so:
"certs are not valid at..."
"certs are valid"
Signed-off-by: Eric Stokes <fernferret@gmail.com>
* chore: update dependencies
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* chore: get rid of argo dependency to be independent of their k8s
versioning
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
---------
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* Added support for standard K8s labels in metrics
Signed-off-by: KA <110458464+kallymsft@users.noreply.github.com>
* Added feature-flag for label metrics
Signed-off-by: KA <110458464+kallymsft@users.noreply.github.com>
---------
Signed-off-by: KA <110458464+kallymsft@users.noreply.github.com>
Objective of this commit is to allow logs to be more readable.
Default log ts encoding in the logger employed (zap) is unix time.
This leads to logs not much human-readable. This change introduces the
possibility to customize the ts with a set of preconfigured encodings:
one of 'epoch', 'millis', 'nano', 'iso8601', 'rfc3339' or 'rfc3339nano'
Default value does not change
Signed-off-by: RiccardoColella <colella.git@outlook.com>
Signed-off-by: RiccardoColella <colella.git@outlook.com>
* added new crd-names flag to reconcile only installed CRDs in cert controller
Signed-off-by: Steven Bressey <sbressey@bressey.me>
* add guide to disable cluster features
Signed-off-by: Steven Bressey <sbressey@bressey.me>
* fix fmt
Signed-off-by: Steven Bressey <sbressey@bressey.me>
Co-authored-by: Steven Bressey <sbressey@bressey.me>
The new functionality is controlled using the newly-introduced
--experimental-enable-vault-token-cache and
--experimental-vault-token-cache-size command-line flags.
Signed-off-by: NicEggert <nicholas.eggert@target.com>
During our internal security scan, the webhook for external-secrets was
flagged because it supports protocol vulnerable to Sweet32
(https://sweet32.info/). In order to avoid the webhook from being
flagged, we need to restrict the TLS ciphers on controller runtime.
To do this I needed to update the dependency to 0.12.3 and some other
conflicting dependencies.
Signed-off-by: Joao Pedro Silva <jp.silva15@gmail.com>
* hostNetwork for webhook pod
* FailurePolicy for validatingwebhook definition
* Changed webhook port to a configurable value
* Defined default value as 9443
Fixes#944
Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
