* feat: enable concurrent reconciling for push secret reconciler
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* add cluster secret store concurrent option as well
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
---------
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* Fixed Keeper Security custom record type name in docs
Signed-off-by: Ivan Dimov <78815270+idimov-keeper@users.noreply.github.com>
* Fixed Keeper records lookup in PushSecret
Signed-off-by: Ivan Dimov <78815270+idimov-keeper@users.noreply.github.com>
* Improved Keeper record lookup to search only for records of the expected type
Improved PushSecret and DeleteSecret
Fixed "nil pointer dereference" errors
Signed-off-by: Ivan Dimov <78815270+idimov-keeper@users.noreply.github.com>
* Fixed tests
Signed-off-by: Ivan Dimov <78815270+idimov-keeper@users.noreply.github.com>
* chore(helm): Add extra labels to the validating webhooks (#4074)
It should add a bunch of app.kubernetes.io labels
Signed-off-by: Miguel Sacristán Izcue <miguel_tete17@hotmail.com>
Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Signed-off-by: Ivan Dimov <78815270+idimov-keeper@users.noreply.github.com>
* Added tests for secrets with multiple matches
Signed-off-by: Ivan Dimov <78815270+idimov-keeper@users.noreply.github.com>
---------
Signed-off-by: Ivan Dimov <78815270+idimov-keeper@users.noreply.github.com>
Signed-off-by: Miguel Sacristán Izcue <miguel_tete17@hotmail.com>
Co-authored-by: Tete17 <miguel_tete17@hotmail.com>
Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* feat: add AWS STS Session token generator
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* version update for the generated CRD
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
---------
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* feat: add option to configure topic information for GCM
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* fix the comparison logic for updates to include topics
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
---------
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* Make findSecretByRef not return an error when it can't find a matching secret. Added error checks for missing secret in SecretExists and DeleteSecret.
Signed-off-by: Anders Olsson <anders.olsson@digitalist.se>
* Added check for missing secret in `GetSecret`
Signed-off-by: Anders Olsson <anders.olsson@digitalist.se>
---------
Signed-off-by: Anders Olsson <anders.olsson@digitalist.se>
Co-authored-by: Anders Olsson <anders.olsson@digitalist.se>
This removes the need for an intermediary Kind=ExternalSecret and
Kind=Secret when using a generator.
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* fix: pin to the right version for azure keyvault
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* update the fake and the test
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
---------
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* Added Previder Vault Provider and tests
Signed-off-by: Gijs Middelkamp <g.middelkamp@previder.nl>
* Set go version back to 1.23
Signed-off-by: Gijs Middelkamp <g.middelkamp@previder.nl>
* Updates after "make reviewable"
Signed-off-by: Gijs Middelkamp <g.middelkamp@previder.nl>
* Fixed methods to naming convention
Signed-off-by: Gijs Middelkamp <g.middelkamp@previder.nl>
* Added Previder to stability support doc
Signed-off-by: Gijs Middelkamp <g.middelkamp@previder.nl>
* Added installation documentation and Previder logo
Signed-off-by: Gijs Middelkamp <g.middelkamp@previder.nl>
* Altered last test name for naming convention
Signed-off-by: Gijs Middelkamp <g.middelkamp@previder.nl>
* Adds Previder provider to api-docs/mkdocs.yml
Signed-off-by: Gijs Middelkamp <g.middelkamp@previder.nl>
* Ran make check-diff
Signed-off-by: Gijs Middelkamp <g.middelkamp@previder.nl>
* Updated Tiltfile to check for new default image used in helm chart
Signed-off-by: Gijs Middelkamp <g.middelkamp@previder.nl>
* Added optional tag to PreviderAuth struct
Signed-off-by: Gijs Middelkamp <g.middelkamp@previder.nl>
* Removed toolchain
Signed-off-by: Gijs Middelkamp <g.middelkamp@previder.nl>
* Updated to go 1.23.1 for CVE; Updated previder/vault-cli to 0.1.2 for CVE fix also
Signed-off-by: Gijs Middelkamp <g.middelkamp@previder.nl>
---------
Signed-off-by: Gijs Middelkamp <g.middelkamp@previder.nl>
Signed-off-by: Gijs Middelkamp <17021438+gkwmiddelkamp@users.noreply.github.com>
* Squash changes to prep for manual testing
Signed-off-by: Nick Knowlson <nick.knowlson@alayacare.com>
* remove commented out test data
Signed-off-by: Nick Knowlson <nick.knowlson@alayacare.com>
* update e2e test file
Signed-off-by: Nick Knowlson <nick.knowlson@alayacare.com>
---------
Signed-off-by: Nick Knowlson <nick.knowlson@alayacare.com>
Co-authored-by: Gustavo Fernandes de Carvalho <17139678+gusfcarvalho@users.noreply.github.com>
* feat(generator/uuid): initial version
Signed-off-by: Alexander Schaber <a.schaber@cuegee.com>
* fix(generator/uuid): rename symbols in compliance with lint
Signed-off-by: Alexander Schaber <a.schaber@cuegee.com>
* fix(generator/uuid): rename unused vars to `_` to fix lint
Signed-off-by: Alexander Schaber <a.schaber@cuegee.com>
* docs(generator/uuid): initial documentation for uuid generator
Signed-off-by: Alexander Schaber <a.schaber@cuegee.com>
---------
Signed-off-by: Alexander Schaber <a.schaber@cuegee.com>
* fix: bitwarden API url to point to the correct default location
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* explicitly remove trailing slashes to prevent not found error
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
---------
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
use passthrough resolver to be consistent with ycsdk library, and to
work correctly in dual-stack environments until gRPC proposal A61 is
fully implemented in grpc-go
fixes #3837
Signed-off-by: Viktor Oreshkin <imselfish@stek29.rocks>
Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* Use Conjur API's built in JWT functions
Signed-off-by: Shlomo Heigh <shlomo.heigh@cyberark.com>
* docs: clarify that all Conjur types are supported
Signed-off-by: Shlomo Heigh <shlomo.heigh@cyberark.com>
* docs: add link to Conjur blog post
Signed-off-by: Shlomo Heigh <shlomo.heigh@cyberark.com>
---------
Signed-off-by: Shlomo Heigh <shlomo.heigh@cyberark.com>
* chore: update go version of the project to 1.23
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* fixed an absurd number of linter issues
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
---------
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* feat: add CAProvider to bitwarden
This change introduces a refactor as well since CAProvider
was used by multiple providers with diverging implementations.
The following providers were affected:
- webhook
- akeyless
- vault
- conjur
- kubernetes
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* refactored the Kubernetes provider to use create ca
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* refactor webhook, vault and kubernetes provider
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* rename CreateCACert to FetchCACertFromSource
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* addressed comments and autodecoding base64 data
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* check if the decoded value is a valid certificate
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
---------
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* feat: add prefix definition to all secret keys for aws parameter store
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* added a push secret test to verify called parameter has a prefix
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
---------
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* feat: increase verbosity of error message during validation
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* removing Equal as we do not have the specific error message there
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
---------
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* fix: add namespace to path and route construction
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* fix: use the correct namespace while restoring from auth namespace
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* added fix suggestion from Gustavo
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
---------
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* fix(vault): Treat tokens expiring in <60s as expired
Without this, it's possible to hit a TOCTOU issue where checkToken()
sees a valid token, but it expires before the actual operation is
performed. This condition is only reachable when the experimental
caching feature is enabled.
60 seconds was chosen as a sane (but arbitrary) value. It should be more
than enough to cover the amount of time between checkToken() and the
actual operation.
Signed-off-by: Andrew Gunnerson <andrew.gunnerson@elastic.co>
* ADOPTERS.md: Add Elastic
Signed-off-by: Andrew Gunnerson <andrew.gunnerson@elastic.co>
---------
Signed-off-by: Andrew Gunnerson <andrew.gunnerson@elastic.co>
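The vault token change above guards against a check-then-use race: a cached token can pass `checkToken()` and still expire before the request that uses it goes out. The following Go snippet is an added illustration of that idea and is not code from the external-secrets project; `tokenCache`, `cachedToken`, `checkToken` and the injectable `now` clock are hypothetical names chosen here, and the 60-second `expiryMargin` mirrors the value the commit message describes.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// expiryMargin is the safety window from the commit message: a token that
// would expire within this window is treated as already expired, so the
// operation that follows the check cannot race against the token's expiry.
const expiryMargin = 60 * time.Second

var (
	errTokenExpired = errors.New("cached token expired or about to expire")
	errTokenMissing = errors.New("no cached token for key")
)

// cachedToken is a hypothetical cache entry (not the project's real type).
// A zero ExpiresAt means the token never expires.
type cachedToken struct {
	Value     string
	ExpiresAt time.Time
}

// usable reports whether the token is still safe to use at time now, given
// that the caller needs it to stay valid for at least margin.
func (t cachedToken) usable(now time.Time, margin time.Duration) bool {
	if t.ExpiresAt.IsZero() {
		return true
	}
	// The token must outlive now+margin; expiry exactly at the boundary
	// counts as expired.
	return now.Add(margin).Before(t.ExpiresAt)
}

// tokenCache is a hypothetical in-memory cache with an injectable clock so the
// race condition can be reproduced deterministically in a test.
type tokenCache struct {
	now    func() time.Time
	margin time.Duration
	tokens map[string]cachedToken
}

func newTokenCache(now func() time.Time, margin time.Duration) *tokenCache {
	return &tokenCache{now: now, margin: margin, tokens: map[string]cachedToken{}}
}

func (c *tokenCache) put(key string, tok cachedToken) {
	c.tokens[key] = tok
}

// checkToken returns the cached token only if it will remain valid for at
// least c.margin; otherwise it reports errTokenExpired so the caller can
// re-authenticate instead of sending a request with a token that is about to
// lapse.
func (c *tokenCache) checkToken(key string) (string, error) {
	tok, ok := c.tokens[key]
	if !ok {
		return "", errTokenMissing
	}
	if !tok.usable(c.now(), c.margin) {
		return "", errTokenExpired
	}
	return tok.Value, nil
}

func main() {
	// Constructed scenario: a token that expires 30s from "now".
	base := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	clock := func() time.Time { return base }
	tok := cachedToken{Value: "hvs.example", ExpiresAt: base.Add(30 * time.Second)}

	// With no margin the check passes, leaving a 30s window in which the
	// actual operation can fail with an expired token.
	naive := newTokenCache(clock, 0)
	naive.put("vault", tok)
	_, err := naive.checkToken("vault")
	fmt.Println("naive check (margin 0):", err)

	// With the 60s margin the same token is rejected up front.
	safe := newTokenCache(clock, expiryMargin)
	safe.put("vault", tok)
	_, err = safe.checkToken("vault")
	fmt.Println("margin check (60s):", err)
}
```

The margin trades a slightly earlier re-authentication for the guarantee that any token handed to the caller will still be valid throughout a reasonably short operation; as the commit message notes, the exact value is a judgement call, and it only matters when the caching path is enabled.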