The `scope` parameter used to be the ACR url foobar.azurecr.io, but
this stopped working. Turns out that you need to use the management
endpoint as `scope` in order to authenticate with ACR.
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* Docs - add note clarifying how to use filterpem for future readers
Signed-off-by: arnoldrw <arnold.rw@pg.com>
* Update docs/guides/templating.md
Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Signed-off-by: Ryan Arnold <51235300+arnoldrw@users.noreply.github.com>
---------
Signed-off-by: arnoldrw <arnold.rw@pg.com>
Signed-off-by: Ryan Arnold <51235300+arnoldrw@users.noreply.github.com>
Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* docs: Recommend use of Workload Identity for Azure Key Vault
Mentions AAD Pod Identity is deprecated and updates overview
of supported authentication modes for Azure Key Vault.
This removes "should use aad-pod-identity" wording, see
https://github.com/external-secrets/external-secrets/discussions/2901
Signed-off-by: Mateusz Łoskot <mateusz@loskot.net>
* docs: Fix missing link to Multi-Tenancy Guide
Signed-off-by: Mateusz Łoskot <mateusz@loskot.net>
* docs: Fix typos
Capitalise own names.
Signed-off-by: Mateusz Łoskot <mateusz@loskot.net>
---------
Signed-off-by: Mateusz Łoskot <mateusz@loskot.net>
* feat: allow pushing the whole secret to the provider
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* add documentation about pushing a whole secret
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* disabling this feature for the rest of the providers for now
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* added scenario for update with existing property
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
---------
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
fix: deprecate sourceRef.generatorRef from .data[]
A generator is supposed to be used via .dataFrom[]. Usage in .data[]
is not implemented and doesn't make sense, see #2720.
This commit splits the SourceRef into two types:
- one that only defines a secretStoreRef
- one that allows to define either secretStoreRef or generatorRef
The former is used in .data[] and the latter is used in .dataFrom[].
The Deprecated field is going to be removed with v1.
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Whilst implementing integration with Vaultwarden I noticed that the local vault was not being updated. I had to add "force=true" to the sync api call for it to work as expected.
Signed-off-by: Gary Hodgson <gary.s.hodgson@gmail.com>
* feat: add path support for scaleway provider
Signed-off-by: Florent Viel <fviel@scaleway.com>
* feat: update scaleway testcases for path support
Signed-off-by: Florent Viel <fviel@scaleway.com>
* docs: update scaleway doc to add path support
Signed-off-by: Florent Viel <fviel@scaleway.com>
* fix: change func signature to make linter pass
Signed-off-by: Florent Viel <fviel@scaleway.com>
---------
Signed-off-by: Florent Viel <fviel@scaleway.com>
Add namespace to secretRef.privatekey and secretRef.fingerprint in oracle provider example at full-cluster-secret-store.yaml to avoid confusion like in #2727
Signed-off-by: antoniolago <45375617+antoniolago@users.noreply.github.com>
* Add JWT Auth to Conjur Provider
Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>
* Update docs for Cyberark Conjur Provider
Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>
* Update test suite to cover new functionality
Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>
* Run make reviewable
Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>
* Set MinVersion for tls.Config to satisfy linting
Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>
* Move ca bundle config example to a yaml snippet
Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>
* fix: consolidate naming
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* fix: consolidate naming
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* docs: make it a working example
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* Remove JWT expiration handling logic
Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>
* Run make fmt
Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>
---------
Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
* Report not ready when no namespace matches
Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
* Fix flaky a test
Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
* Simplify ClusterExternalSecret status
Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
---------
Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
* Ensure use of BuildKit in the Docker builds
The builds rely on `TARGETOS` and `TARGETARCH` being set, which is
automatically accomplished by the new builder.
Add the explicit envvar selector in the Makefile, until most users
update to docker 23+.
Signed-off-by: Andrea Stacchiotti <andreastacchiotti@gmail.com>
* Update docker build command in developer guide
Signed-off-by: Andrea Stacchiotti <andreastacchiotti@gmail.com>
* Introduce RetrySettings support for Hashicorp Vault
Leave default retries to 0 (not the default of the vault sdk of 2),
as this was decided in abec2a64cc .
Signed-off-by: Andrea Stacchiotti <andreastacchiotti@gmail.com>
---------
Signed-off-by: Andrea Stacchiotti <andreastacchiotti@gmail.com>
