* Support PushSecret Property for GCP
Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
* Take over the ownership if the label does not exist
Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
---------
Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
* Change json.Marshal to Encoder to support special characters
Signed-off-by: Arnout Hoebreckx <arnouthoebreckx@gmail.com>
* Add test for special characters
Signed-off-by: Arnout Hoebreckx <arnouthoebreckx@gmail.com>
* Handle error of encoder
Signed-off-by: Arnout Hoebreckx <arnouthoebreckx@gmail.com>
---------
Signed-off-by: Arnout Hoebreckx <arnouthoebreckx@gmail.com>
* Set metadata to external secrets managed by cluster external secrets (#2413)
Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
Signed-off-by: Vishal Singha Roy <vishal.singha.roy@ibm.com>
* Pull secret metadata from IBM Secrets Manager
Signed-off-by: Vishal Singha Roy <vishal.singha.roy@ibm.com>
* Add lower-kebab name transformer to Doppler provider (#2418)
Signed-off-by: Joel Watson <joel.watson@doppler.com>
Signed-off-by: Vishal Singha Roy <vishal.singha.roy@ibm.com>
* Fix E2E test setup on non-linux machines (#2414)
Signed-off-by: Michael Sauter <michael.sauter@boehringer-ingelheim.com>
Signed-off-by: Vishal Singha Roy <vishal.singha.roy@ibm.com>
* Removing IncludeSecretMetadata from externalsecret_types.go
Signed-off-by: Vishal Singha Roy <vishal.singha.roy@ibm.com>
* Changes to call IBM Secrets Manager once in case of KV Secret
Signed-off-by: Vishal Singha Roy <vishal.singha.roy@ibm.com>
* Removing extra parameters to getKVSecret() is not required
Signed-off-by: Vishal Singha Roy <vishal.singha.roy@ibm.com>
* Removing linting errors
Signed-off-by: Vishal Singha Roy <vishal.singha.roy@ibm.com>
---------
Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
Signed-off-by: Vishal Singha Roy <vishal.singha.roy@ibm.com>
Signed-off-by: Joel Watson <joel.watson@doppler.com>
Signed-off-by: Michael Sauter <michael.sauter@boehringer-ingelheim.com>
Co-authored-by: Shuhei Kitagawa <shuheiktgw@users.noreply.github.com>
Co-authored-by: Vishal Singha Roy <vishal.singha.roy@ibm.com>
Co-authored-by: Joel Watson <joel@watsonian.net>
Co-authored-by: Michael Sauter <mail@michaelsauter.net>
* Add more context to error handling for parsing certs in order for
log format to display properly
Signed-off-by: Dusan Nikolic <dusannikolic11@gmail.com>
* Create error instead of string as arg
Signed-off-by: Dusan Nikolic <dusannikolic11@gmail.com>
* fix: unit test
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
---------
Signed-off-by: Dusan Nikolic <dusannikolic11@gmail.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Dusan Nikolic <dusannikolic@MacBook-Pro-66.local>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
* Add Conjur provider
Signed-off-by: David Hisel <David.Hisel@CyberArk.com>
* fix: lint
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* fix: unit tests
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
---------
Signed-off-by: David Hisel <David.Hisel@CyberArk.com>
Signed-off-by: David Hisel <132942678+davidh-cyberark@users.noreply.github.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
* Fix the test Make task
Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
* fix: retry shutdown of testEnv
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
---------
Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
* feat: added session tag capability to assume role
modified apis/externalsecrets/v1beta1/secretstore_aws_types.go to expect session tags and transitive tags structs
modified pkg/provider/aws/auth/auth.go to pass session tags if they exist
Signed-off-by: Nima Fotouhi <fotouhi@live.com>
* fix: make build errors (JSON serialization error)
modified apis/externalsecrets/v1beta1/secretstore_aws_types.go to include a new custom struct (Tag) used with SessionTags instead of []*sts.Tag
modified pkg/provider/aws/auth/auth.go to convert custom Tag struct to sts.Tag before passing to assume role API call
Signed-off-by: Nima Fotouhi <fotouhi@live.com>
* removed unnecessary commented out code
Signed-off-by: Nima Fotouhi <fotouhi@live.com>
* chore(deps): bump actions/setup-python from 4.6.0 to 4.6.1 (#2366)
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.6.0 to 4.6.1.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/v4.6.0...v4.6.1)
---
updated-dependencies:
- dependency-name: actions/setup-python
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Nima Fotouhi <fotouhi@live.com>
* 📚 Update stability-support.md (#2363)
Staring 0.82, IBM Cloud Secrets Manager supports fetching secrets by name as well as ID.
Signed-off-by: Idan Adar <iadar@il.ibm.com>
Signed-off-by: Nima Fotouhi <fotouhi@live.com>
* feat: ran make reviewable tasks (except for docs)
Signed-off-by: Nima Fotouhi <fotouhi@live.com>
* refractor: made addition of TransitiveTagKeys to setAssumeRoleOptions dependant to presence of SessionTags. So if user includes Transitive Tags in SecretStore definition without Session Tags, tags get ignored
Signed-off-by: Nima Fotouhi <fotouhi@live.com>
---------
Signed-off-by: Nima Fotouhi <fotouhi@live.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Idan Adar <iadar@il.ibm.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Idan Adar <iadar@il.ibm.com>
* chore: update dependencies
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* chore: get rid of argo dependency to be independent of their k8s
versioning
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
---------
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* update documentation
Signed-off-by: Luke Arntz <luke@blue42.net>
* default to GetParametersByPathWithContext
Add GetParametersByPathWithContext. To maintain backward compatibility moved the original `findByname` function to `fallbackFindByName` and created a new `findByName` function that uses the `GetParametersByPathWithContext` API call.
In function `findByName`, if we receive an `AccessDeniedException` when calling GetParametersByPathWithContext `return pm.fallbackFindByName(ctx, ref)`.
Signed-off-by: Luke Arntz <luke@blue42.net>
* feat: notify users about ssm permission improvements
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* fix: get parameters recursively and decrypt them
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
---------
Signed-off-by: Luke Arntz <luke@blue42.net>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
* IBM Provider: enable ESO to pull secrets by name
Signed-off-by: tanishg6@gmail.com <tanishg6@gmail.com>
* document ESO's capability to pull by secret name for IBM provider
Signed-off-by: tanishg6@gmail.com <tanishg6@gmail.com>
* correct the metrics instrumentation
Signed-off-by: tanishg6@gmail.com <tanishg6@gmail.com>
---------
Signed-off-by: tanishg6@gmail.com <tanishg6@gmail.com>
* Add API changes for push secret to k8s
- Property field similar to ExternalSecret
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* rebase: merge commits
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* New Test cases for existing PushSecret Logic
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* feat: replace property if it exists, but differs
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* feat: restrict usage to having a property always
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* chore: refactor delete to work with property only and cleanup whole secret only if it would be empty otherwise
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* feat: refuse to work without property in spec
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* chore: cleanup code, make it more readable
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* feat: add metric calls for kubernetes
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* chore: reorder test cases
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* feat: make property optional to not break compatibility
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* fix: adapt fake impls to include new method to fix tests
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* feat: change status-ref to include property to allow multi property deletes
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* chore: fix make reviewable complains
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* fix: fix imports from merge conflict
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* chore: adapt latest make reviewable suggestions
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* docs: update push secret support for k8s provider
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* docs: add Kubernetes PushSecret docs
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
---------
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
The Service Binding for Kubernetes project (servicebinding.io) is a spec
to make it easier for workloads to consume services. At runtime, the
ServiceBinding resource references a service resources and workload
resource to connect to the service. The Secret for a service is
projected into a workload resource at a well known path.
Services can advertise the name of the Secret representing the service
on it's status at `.status.binding.name`. Hosting the name of a Secret
at this location is the Provisioned Service duck type. It has the effect
of decoupling the logical consumption of a service from the physical
Secret holding state.
Using ServiceBindings with ExternalSecrets today requires the user to
directly know and reference the Secret created by the ExternalSecret as
the service reference. This PR adds the name of the Secret to the status
of the ExternalSecret at a well known location where it is be discovered
by a ServiceBinding. With this change, user can reference an
ExternalSecret from a ServiceBinding.
A ClusterRole is also added with a well known label for the
ServiceBinding controller to have permission to watch ExternalSecrets
and read the binding Secret.
ClusterExternalSecret was not modified as ServiceBindings are limited to
the scope of a single namespace.
Signed-off-by: Scott Andrews <andrewssc@vmware.com>
* feat: add generator for vaultdynamicsecret
* Added controllerClass on VaultDynamicSecret
* Added controllerClass on VaultDynamicSecret
Signed-off-by: rdeepc <12953177+rdeepc@users.noreply.github.com>
* Fixed lint
Signed-off-by: rdeepc <12953177+rdeepc@users.noreply.github.com>
* Fixed hack bash
Signed-off-by: rdeepc <12953177+rdeepc@users.noreply.github.com>
* feat: Implemented generator controller class support
- Controller class support in VaultDynamicSecret
- Controller class support in Fake
Signed-off-by: rdeepc <12953177+rdeepc@users.noreply.github.com>
* feat: Implemented Generator controller class check
Signed-off-by: rdeepc <12953177+rdeepc@users.noreply.github.com>
* feat: Implemented Generator controller class check
Signed-off-by: rdeepc <dpr0413@gmail.com>
* feat: Implemented Generator controller class check
Signed-off-by: rdeepc <dpr0413@gmail.com>
* feat: hoist controller class check to the top
The generator controller class check should be at the very top of the
reconcile function just like the other secretStore class check.
Otherwise we would return an error and as a result set the status field on the es
resource - which is undesirable. The controller should completely
ignore the resource instead.
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
---------
Signed-off-by: rdeepc <12953177+rdeepc@users.noreply.github.com>
Signed-off-by: rdeepc <dpr0413@gmail.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Frederic Mereu <frederic.mereu@gaming1.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
* update ibm secrets manager version to v2
Signed-off-by: tanishg6@gmail.com <tanishg6@gmail.com>
* update go.mod to point to v2.0.0
Signed-off-by: tanishg6@gmail.com <tanishg6@gmail.com>
---------
Signed-off-by: tanishg6@gmail.com <tanishg6@gmail.com>
Signed-off-by: Shanti G <81566195+Shanti-G@users.noreply.github.com>
