* wip: basic structure of scaleway provider
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* test: add some tests for GetAllSecrets
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: implement PushSecret
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* test: improved test fixtures
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: allow finding secrets by project using the path property
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: add delete secret method
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* Delete dupplicate of push remote ref test implem
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: add capability to use a secret for configuring access token
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: implement GetSecretMap
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: filtering by name and projetc id
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* test: add test for finding secret by name regexp
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: config validation
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* fix: handle situation where no namespace is specified and we cannot provide a default
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: reference secrets by id or name
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* fix: invalid request caused by pagination handling
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: log the error when failing to access secret version
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* fix: pass context to sdk where missing
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: add a cache for reducing AccessSecretVersion() calls
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* refacto: use GetSecret with name instead of ListSecrets
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: allow using secret name in ExternalSecrets
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: use latest_enabled instead of latest
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* refacto: optimized PushSecret and improved its test coverage
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* fix: doesConfigDependOnNamespace was always true
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: use new api with refactored name-based endpoints
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* remove useless todo
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* fix: use secret names as key for GetAllSecrets
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: support gjson propery lookup
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: e2e tests
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* test: e2e test using secret to store api key
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* test: cleanup left over resources on the secret manager before each e2e run
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* doc: add doc for scaleway provider
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* refacto: fix lint issues
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* test: cleanup code in e2e was commented
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: the previous version is disabled when we push to a secret
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* doc: add comments to ScalewayProvider struct to point to console and doc
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: add missing e2e env vars for scaleway
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* docs: add scaleway to support/stability table
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
---------
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
* feat: rely on controller backoff/retry instead of static requeue
interval
Fixes#2088
more context in: https://github.com/external-secrets/external-secrets/pull/934
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* fix: respect refreshInterval on delete/retain
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
---------
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Before this PR it was required that the first PEM block contains the
certificate.
This PR parses all PEM blocks and returns the first certificate found.
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* metadata fetch now working in parameterstore
Signed-off-by: Sebastián Gómez <sebastiangomezcorrea@gmail.com>
* Little refactory and some tests added
Tags from secretmanager and from parameterstore are not the same structure, thus, the function TagsToJSONString has now two versions (SecretTagsToSJONString & ParametersTagsToJSONString)
Signed-off-by: Sebastián Gómez <sebastiangomezcorrea@gmail.com>
* New test cases
Signed-off-by: Sebastián Gómez <sebastiangomezcorrea@gmail.com>
* Refactored to lift some code smells
Signed-off-by: Sebastián Gómez <sebastiangomezcorrea@gmail.com>
* Constant for error message added (code smell)
Signed-off-by: Sebastián Gómez <sebastiangomezcorrea@gmail.com>
* L&F
Signed-off-by: Sebastián Gómez <sebastiangomezcorrea@gmail.com>
* Lint issue
Signed-off-by: Sebastián Gómez <sebastiangomezcorrea@gmail.com>
* fix: fmt
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
---------
Signed-off-by: Sebastián Gómez <sebastiangomezcorrea@gmail.com>
Signed-off-by: Sebastián Gómez <1637983+sebagomez@users.noreply.github.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
I've added my recent live session about ESO from the AWS Container from the Couch YouTube channel
Signed-off-by: Emin Alemdar <77338109+eminalemdar@users.noreply.github.com>
* deps: remove awkward k8s.io/client-go version
PR #1525 accidentally assumed that k8s.io/client-go followed semvar and
update the lib to the latest 1.x release. Unfortunately, that project
doesn't follow semvar on major versions so this actually _downgraded_
the package to one ~15 months earlier. This was subsequently fixed with
replace statements but the go mod file is easier to reason about if we
correct this
Signed-off-by: Steve Mitchell <steve@sgmitchell.net>
* deps: remove unncessary replace statements
PR #1990 attempted to bump the version of some dependencies but missed
the versions being set in the replace statements. This caused some of
the deps to not actually get updated (as can be seen by the contents of
the go.sum file). It turns out most of these replace statements are for
libraries that aren't currently being imported, so I cleaned up the
whole block.
The resulting changes can be seen in the go.sum file
Signed-off-by: Steve Mitchell <steve@sgmitchell.net>
---------
Signed-off-by: Steve Mitchell <steve@sgmitchell.net>
* feat: add provider metrics
This adds a counter metric `provider_api_calls_count` that observes
the results of upstream secret provider api calls.
(1) Observability
It allows an user to break down issues by provider and api call by
observing the status=error|success label. More details around the error
can be found in the logs.
(2) Cost Management
Some providers charge by API calls issued. By providing observability
for the number of calls issued helps users to understand the impact of
deploying ESO and fine-tuning `spec.refreshInterval`.
(3) Rate Limiting
Some providers implement rate-limiting for their services. Having
metrics
for success/failure count helps to understand how many requests are
issued by a given ESO deployment per cluster.
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* fix: add service monitor for cert-controller and add SLIs
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
---------
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* chore: bump dependencies
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* fix: disable flow logs in EKS testbed
This causes issues in the way we set up the trust relationship between
GHA and AWS; We see a HTTP 400 when tf tries to assume this role.
Because
we don't need this we can disable it.
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
---------
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
RBAC allows a user to define a wildcard `*` for a given field in the
Resource Rule. Prefix/Suffix matching or globbing is not supported,
just simple wildcards.
For example the cluster-admin role has a `*` on all
apiVersion/resource/verbs and hence validation would fail.
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
