* feat(generator/uuid): initial version
Signed-off-by: Alexander Schaber <a.schaber@cuegee.com>
* fix(generator/uuid): rename symbols in compliance with lint
Signed-off-by: Alexander Schaber <a.schaber@cuegee.com>
* fix(generator/uuid): rename unused vars to `_` to fix lint
Signed-off-by: Alexander Schaber <a.schaber@cuegee.com>
* docs(generator/uuid): initial documentation for uuid generator
Signed-off-by: Alexander Schaber <a.schaber@cuegee.com>
---------
Signed-off-by: Alexander Schaber <a.schaber@cuegee.com>
* fix: bitwarden API url to point to the correct default location
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* explicitly remove trailing slashes to prevent not found error
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
---------
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
use passthrough resolver to be consistent with ycsdk library, and to
work correctly in dual-stack environments until gRPC proposal A61 is
fully implemented in grpc-go
fixes #3837
Signed-off-by: Viktor Oreshkin <imselfish@stek29.rocks>
Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* Use Conjur API's built in JWT functions
Signed-off-by: Shlomo Heigh <shlomo.heigh@cyberark.com>
* docs: clarify that all Conjur types are supported
Signed-off-by: Shlomo Heigh <shlomo.heigh@cyberark.com>
* docs: add link to Conjur blog post
Signed-off-by: Shlomo Heigh <shlomo.heigh@cyberark.com>
---------
Signed-off-by: Shlomo Heigh <shlomo.heigh@cyberark.com>
* chore: update go version of the project to 1.23
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* fixed an absurd amount of linter issues
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
---------
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* feat: add CAProvider to bitwarden
This change introduces a refactor as well since CAProvider
was used by multiple providers with diverging implementations.
The following providers were affected:
- webhook
- akeyless
- vault
- conjur
- kubernetes
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* refactored the Kubernetes provider to use create ca
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* refactor webhook, vault and kubernetes provider
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* rename CreateCACert to FetchCACertFromSource
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* addressed comments and autodecoding base64 data
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* check if the decoded value is a valid certificate
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
---------
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
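As an added illustration of the two last points in this commit (auto-decoding base64 CA data and checking that the decoded value is a valid certificate), the following Go code is not the project's own FetchCACertFromSource; it is a stand-alone example written for this changelog. The function name normalizeCABundle and the self-signed CA used as constructed sample input are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// normalizeCABundle accepts a CA bundle either as raw PEM or as base64-encoded
// PEM (what you get when a Kubernetes Secret .data value is copied verbatim).
// It decodes the base64 form and then requires that every PEM block is a
// CERTIFICATE that x509 can actually parse, so a truncated or wrong value is
// rejected at validation time instead of surfacing later as a TLS failure.
func normalizeCABundle(raw []byte) ([]byte, error) {
	if len(raw) == 0 {
		return nil, errors.New("empty CA bundle")
	}
	pemBytes := raw
	if block, _ := pem.Decode(raw); block == nil {
		// No PEM header found: try the base64 form before giving up.
		decoded, err := base64.StdEncoding.DecodeString(strings.TrimSpace(string(raw)))
		if err != nil {
			return nil, fmt.Errorf("CA bundle is neither PEM nor base64-encoded PEM: %w", err)
		}
		pemBytes = decoded
	}
	certs := 0
	rest := pemBytes
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("unexpected %q block in CA bundle", block.Type)
		}
		if _, err := x509.ParseCertificate(block.Bytes); err != nil {
			return nil, fmt.Errorf("CA bundle contains an invalid certificate: %w", err)
		}
		certs++
	}
	if certs == 0 {
		return nil, errors.New("CA bundle contains no CERTIFICATE blocks")
	}
	return pemBytes, nil
}

// selfSignedCAPEM builds a throwaway self-signed CA (constructed sample input
// for this example; not a real trust anchor) so the code runs offline.
func selfSignedCAPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	ca, err := selfSignedCAPEM()
	if err != nil {
		panic(err)
	}
	encoded := []byte(base64.StdEncoding.EncodeToString(ca))
	for _, in := range [][]byte{ca, encoded, []byte("aGVsbG8="), []byte("not a cert")} {
		out, err := normalizeCABundle(in)
		fmt.Printf("input %d bytes -> %d bytes, err=%v\n", len(in), len(out), err)
	}
}
```

Returning the decoded PEM rather than a CertPool keeps the function usable both for building a pool and for handing the bytes to a client library that wants PEM.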
* feat: add prefix definition to all secret keys for aws parameter store
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* added a push secret test to verify called parameter has a prefix
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
---------
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* feat: increase verbosity of error message during validation
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* removing Equal as we do not have the specific error message there
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
---------
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* fix: add namespace to path and route construction
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* fix: use the correct namespace while restoring from auth namespace
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* added fix suggestion from Gustavo
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
---------
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* fix(vault): Treat tokens expiring in <60s as expired
Without this, it's possible to hit a TOCTOU issue where checkToken()
sees a valid token, but it expires before the actual operation is
performed. This condition is only reachable when the experimental
caching feature is enabled.
60 seconds was chosen as a sane (but arbitrary) value. It should be more
than enough to cover the amount of time between checkToken() and the
actual operation.
Signed-off-by: Andrew Gunnerson <andrew.gunnerson@elastic.co>
* ADOPTERS.md: Add Elastic
Signed-off-by: Andrew Gunnerson <andrew.gunnerson@elastic.co>
---------
Signed-off-by: Andrew Gunnerson <andrew.gunnerson@elastic.co>
Instead of assuming that the data fields are strings that can be
converted to byte array, convert the actual type to a byte array.
fixes #3239
Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
* fix: explicitly fetch status subresource due to inconsistencies
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* fix: bump go
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* fix: add rbac to get status
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
---------
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
In the vault client library, LookupSelfWithContext calls ParseSecret,
which has a few places where it returns `nil, nil` instead of returning
a proper error. The most common scenario is when the token expires and
the Vault server returns:
    {
      "errors": [
        "permission denied"
      ]
    }
This commit adds an additional check to ensure that a nil response won't
be dereferenced in checkToken().
Signed-off-by: Andrew Gunnerson <andrew.gunnerson@elastic.co>
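The two Vault commits above (treating tokens that expire in under 60 seconds as expired, and guarding against the nil, nil result of the lookup) both concern the same token check. The Go code below is an added example for this changelog, not the project's checkToken() and not the Vault client library: lookupSecret is a constructed stand-in for the shape of the library's secret, parseLookupResponse models the nil, nil behaviour the commit message describes for an error-only body, and the tokenUsable name and the sample JSON bodies are assumptions made for the example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// lookupSecret is a constructed stand-in for the shape of the Vault client
// library's secret as returned by a token lookup-self call: the token
// metadata lives under Data, with "ttl" in seconds decoded as json.Number.
type lookupSecret struct {
	Data map[string]interface{} `json:"data"`
}

// tokenExpiryMargin is the 60 second window from the commit message: a token
// that will expire within it is treated as already expired, so it cannot lapse
// between the check and the operation that uses it (the TOCTOU the fix closes).
const tokenExpiryMargin = 60 * time.Second

// parseLookupResponse models the hazard described above: for an error body
// such as {"errors": ["permission denied"]} the parser yields nil, nil, that
// is no secret and no error, which the caller must not dereference.
func parseLookupResponse(body []byte) (*lookupSecret, error) {
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.UseNumber() // numbers arrive as json.Number, as in the Vault library
	var raw struct {
		Errors []string               `json:"errors"`
		Data   map[string]interface{} `json:"data"`
	}
	if err := dec.Decode(&raw); err != nil {
		return nil, err
	}
	if raw.Data == nil {
		return nil, nil // mirrors the nil, nil result the commit message warns about
	}
	return &lookupSecret{Data: raw.Data}, nil
}

// tokenTTL extracts the remaining lifetime from the "ttl" field.
func tokenTTL(s *lookupSecret) (time.Duration, error) {
	raw, ok := s.Data["ttl"]
	if !ok {
		return 0, errors.New("lookup-self response has no ttl field")
	}
	var secs int64
	switch v := raw.(type) {
	case json.Number:
		n, err := v.Int64()
		if err != nil {
			return 0, fmt.Errorf("invalid ttl %q: %w", v, err)
		}
		secs = n
	case float64: // plain json.Unmarshal callers get float64 instead
		secs = int64(v)
	default:
		return 0, fmt.Errorf("unexpected ttl type %T", raw)
	}
	return time.Duration(secs) * time.Second, nil
}

// tokenUsable reports whether a cached token should still be used. A nil
// lookup result is rejected explicitly instead of being dereferenced, and a
// token inside the expiry margin is reported as not usable.
func tokenUsable(s *lookupSecret) (bool, error) {
	if s == nil || s.Data == nil {
		return false, errors.New("token lookup returned no data and no error; treating token as invalid")
	}
	ttl, err := tokenTTL(s)
	if err != nil {
		return false, err
	}
	// Vault reports ttl 0 for tokens without an expiry (e.g. root tokens).
	if ttl == 0 {
		return true, nil
	}
	return ttl >= tokenExpiryMargin, nil
}

func main() {
	bodies := []string{
		`{"errors": ["permission denied"]}`, // constructed: expired token
		`{"data": {"ttl": 3600, "type": "service"}}`,
		`{"data": {"ttl": 45, "type": "service"}}`,
	}
	for _, b := range bodies {
		s, err := parseLookupResponse([]byte(b))
		ok, checkErr := tokenUsable(s) // safe even when s == nil
		fmt.Printf("%s -> parseErr=%v usable=%v checkErr=%v\n", b, err, ok, checkErr)
	}
}
```

The margin check happens after the nil guard on purpose: without the guard, the "permission denied" path panics before the TTL is ever examined, which is exactly the crash the second commit prevents.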
* feat: Add component labels to custom resource definitions
Prerequisite for restricting the CRDs cached by Informer
Signed-off-by: Tsubasa Nagasawa <toversus2357@gmail.com>
* feat(certcontroller): Allow restricting CRDs and Webhook configs in Informer cache
The certcontroller watches CRDs and Webhook configurations, and
manages CA certificates for conversion webhooks of CRDs and Webhook
configurations. Some clusters have a large number of CRDs and Webhook
configurations installed. Additionally, some CRDs have large object sizes.
Currently, the certcontroller holds all CRDs and Webhook configurations
in the Informer cache. Since this includes CRDs not managed by the
certcontroller for CA certificates, memory usage tends to be high.
This PR adds a label to the CRDs and configures the Informer cache to hold
only the CRDs and Webhook configurations restricted by the label selector.
It assumes that the CRDs have a label. Depending on how the External Secrets
Operator is managed, it may be possible to update the External Secrets
Operator without updating the CRDs, so as a precaution, it can be turned
on/off via a startup option. It is disabled by default.
Signed-off-by: Tsubasa Nagasawa <toversus2357@gmail.com>
---------
Signed-off-by: Tsubasa Nagasawa <toversus2357@gmail.com>