1
0
Fork 0
mirror of https://github.com/external-secrets/external-secrets.git synced 2024-12-14 11:57:59 +00:00
Commit graph

34 commits

Author SHA1 Message Date
Tsubasa Nagasawa
199c9103db
feat(certcontroller): Allow restricting CRDs and Webhook configs in Informer cache (#3588)
* feat: Add component labels to custom resource definitions

Prerequisite for restricting the CRDs cached by Informer

Signed-off-by: Tsubasa Nagasawa <toversus2357@gmail.com>

* feat(certcontroller): Allow restricting CRDs and Webhook configs in Informer cache

The certcontroller watches CRDs and Webhook configurations, and
manages CA certificates for conversion webhooks of CRDs and Webhook
configurations. Some clusters have a large number of CRDs and Webhook
configurations installed. Additionally, some CRDs have large object sizes.
Currently, the certcontroller holds all CRDs and Webhook configurations
in the Informer cache. Since this includes CRDs not managed by the
certcontroller for CA certificates, memory usage tends to be high.
This PR adds a label to the CRDs and configures the Informer cache to hold
only the CRDs and Webhook configurations restricted by the label selector.
It assumes that the CRDs have a label. Depending on how the External Secrets
Operator is managed, it may be possible to update the External Secrets
Operator without updating the CRDs, so as a precaution, it can be turned
on/off via a startup option. It is disabled by default.

Signed-off-by: Tsubasa Nagasawa <toversus2357@gmail.com>

---------

Signed-off-by: Tsubasa Nagasawa <toversus2357@gmail.com>
2024-06-16 12:52:10 +02:00
Shuhei Kitagawa
43a7a16baf
Update Go and golangci-lint version (#3396)
Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com>
2024-04-25 06:36:11 -03:00
Gergely Brautigam
02f941b0a0
Revert "3012 - Probes for external-secrets (#3131)" (#3213)
This reverts commit 7eebfa027c.

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
2024-03-01 13:22:35 +01:00
Benjamin Walterscheid
7eebfa027c
3012 - Probes for external-secrets (#3131)
* issue/3012 - introduced livenessProbe for core controller

Signed-off-by: Benjamin Walterscheid <benjamin.walterscheid@de.ibm.com>

* issue/3012 - updated livenessprobe for core controller

Signed-off-by: Benjamin Walterscheid <benjamin.walterscheid@de.ibm.com>

* issue/3012 - updated failing tests for controller_test.yaml

Signed-off-by: Benjamin Walterscheid <benjamin.walterscheid@de.ibm.com>

* issue/3012 - liveness probes with missing LivenessEndpointName and liveAddr flag

Signed-off-by: Benjamin Walterscheid <benjamin.walterscheid@de.ibm.com>

* issue/3012 - added missing live-addr core controller flag

Signed-off-by: Benjamin Walterscheid <benjamin.walterscheid@de.ibm.com>

* issue/3012 - removed obsolete align

Signed-off-by: Benjamin Walterscheid <benjamin.walterscheid@de.ibm.com>

* issue/3012 - added missing livenessProbe to README

Signed-off-by: Benjamin Walterscheid <benjamin.walterscheid@de.ibm.com>

* issue/3012 - updated docu for livenessProbes

Signed-off-by: Benjamin Walterscheid <benjamin.walterscheid@de.ibm.com>

* issue/3012 - corrected description within values.yaml for check-diff

Signed-off-by: Benjamin Walterscheid <git@berlking.io>

* issue/3012 - minor README corrections

Signed-off-by: Benjamin Walterscheid <git@berlking.io>

* issue/3012 - updated snapshots for fortanix and onboardbase

Signed-off-by: Benjamin Walterscheid <git@berlking.io>

---------

Signed-off-by: Benjamin Walterscheid <benjamin.walterscheid@de.ibm.com>
Signed-off-by: Benjamin Walterscheid <52604859+fdberlking@users.noreply.github.com>
Signed-off-by: Benjamin Walterscheid <git@berlking.io>
Co-authored-by: Benjamin Walterscheid <benjamin.walterscheid@de.ibm.com>
2024-03-01 08:57:45 +01:00
Gergely Brautigam
e726087851
feat: add push secret to e2e tests (#3017)
* feat: add push secret to e2e tests

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

* finally, a fully working example for an e2e flow with push secret

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

* fix value field duplication issue

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

---------

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
2024-02-12 16:44:45 +01:00
Moritz Johner
f5cd6816aa
feat: fix cert-controller readiness probe (#2857)
readiness probes are being executed independently from the
leader election status. The current implementation depends on
leader election (client cache etc.) to run properly.
This commit fixes that by short-circuiting the readiness probes
when the mgr is not the leader.

This bug surfaces when `leader-election=true` and cert-controller `replicas>=2`.

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2023-11-07 09:51:27 +01:00
Moritz Johner
97df83b518
chore: bump dependencies (#2654)
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2023-08-28 11:50:46 +02:00
Moritz Johner
05803f7aff
feat: add e2e tests for aws role-based auth (#2376)
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2023-06-12 12:58:29 +02:00
Eric
fb944d599d
Fix exit with no error when cert violates lookahead (#2395)
Add an exit message when the certificate check triggers a fatal exit
(via cancel()). When cancel() is called, this cancels the main
context which causes the webhook to shutdown.

A return is also added to ensure the message "valid" comes out right
after "invalid" like so:

"certs are not valid at..."
"certs are valid"

Signed-off-by: Eric Stokes <fernferret@gmail.com>
2023-06-07 21:27:17 +02:00
Shuhei Kitagawa
8a05e2f8ae
Add reconcile_duration metrics (#2382)
* Add reconcile_duration metrics

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>

* fix: increase dupl threshold

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

---------

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
2023-06-05 21:26:25 +02:00
Moritz Johner
54664b43b1
chore: update dependencies (#2348)
* chore: update dependencies

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* chore: get rid of argo dependency to be independent of their k8s
versioning

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

---------

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2023-05-31 09:36:22 +02:00
Shuhei Kitagawa
d879f37d9e
Add reconcile duration metric for ClusterExternalSecret controller (#2334)
* Add reconcile duration metric for ClusterExternalSecret controller

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>

* chore: fmt imports

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

---------

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
2023-05-22 22:43:23 +02:00
kallymsft
fb78d96d8c
Added support for standard K8s labels in metrics (#2064)
* Added support for standard K8s labels in metrics

Signed-off-by: KA <110458464+kallymsft@users.noreply.github.com>

* Added feature-flag for label metrics

Signed-off-by: KA <110458464+kallymsft@users.noreply.github.com>

---------

Signed-off-by: KA <110458464+kallymsft@users.noreply.github.com>
2023-04-05 19:58:17 +02:00
Moritz Johner
5ef3b23a68
feat: make cache generic, refactor feature flags (#1640)
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2023-01-19 17:25:47 +01:00
Riccardo Colella
131bd617aa
[FEATURE] Customizable encoding of logging timestamp (#1808)
Objective of this commit is to allow logs to be more readable.

Default log ts encoding in the logger employed (zap) is unix time.
This leads to logs not much human-readable. This change introduces the
possibility to customize the ts with a set of preconfigured encodings:
one of 'epoch', 'millis', 'nano', 'iso8601', 'rfc3339' or 'rfc3339nano'

Default value does not change

Signed-off-by: RiccardoColella <colella.git@outlook.com>

Signed-off-by: RiccardoColella <colella.git@outlook.com>
2022-12-13 21:01:07 +01:00
Steven Bressey
7416a84b2a
Add flag to set CRD names in cert controller (#1811)
* added new crd-names flag to reconcile only installed CRDs in cert controller

Signed-off-by: Steven Bressey <sbressey@bressey.me>

* add guide to disable cluster features

Signed-off-by: Steven Bressey <sbressey@bressey.me>

* fix fmt

Signed-off-by: Steven Bressey <sbressey@bressey.me>
Co-authored-by: Steven Bressey <sbressey@bressey.me>
2022-12-13 20:56:30 +01:00
Gustavo Fernandes de Carvalho
0cb799b5cf
Feature/push secret (#1315)
Introduces Push Secret feature with implementations for the following providers:

* GCP Secret Manager
* AWS Secrets Manager
* AWS Parameter Store
* Hashicorp Vault KV

Signed-off-by: Dominic Meddick <dominic.meddick@engineerbetter.com>
Signed-off-by: Amr Fawzy <amr.fawzy@container-solutions.com>
Signed-off-by: William Young <will.young@engineerbetter.com>
Signed-off-by: James Cleveland <james.cleveland@engineerbetter.com>
Signed-off-by: Lilly Daniell <lilly.daniell@engineerbetter.com>
Signed-off-by: Adrienne Galloway <adrienne.galloway@engineerbetter.com>
Signed-off-by: Marcus Dantas <marcus.dantas@engineerbetter.com>
Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: Nick Ruffles <nick.ruffles@engineerbetter.com>
2022-11-29 16:04:46 -03:00
Moritz Johner
dabfa5a589
Feature: initial generator implementation + Github Actions OIDC/AWS (#1539)
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com>
2022-10-29 20:15:50 +02:00
Nic Eggert
773956f5d3
Add optional caching for Vault clients, including token re-use. (#1537)
The new functionality is controlled using the newly-introduced
--experimental-enable-vault-token-cache and
--experimental-vault-token-cache-size command-line flags.

Signed-off-by: NicEggert <nicholas.eggert@target.com>
2022-09-30 20:41:36 +02:00
Moritz Johner
ed0ceb8d84
fix: aws parameter store json decode, bump go 1.19 (#1525)
* fix: parameter store should decode complex json values

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2022-09-06 19:46:36 +02:00
João Silva
744309abfa
Add webhook tls options (#1466)
During our internal security scan, the webhook for external-secrets was
flagged because it supports protocol vulnerable to Sweet32
(https://sweet32.info/). In order to avoid the webhook from being
flagged, we need to restrict the TLS ciphers on controller runtime.

To do this I needed to update the dependency to 0.12.3 and some other
conflicting dependencies.

Signed-off-by: Joao Pedro Silva <jp.silva15@gmail.com>
2022-08-31 18:18:45 +02:00
Gustavo Fernandes de Carvalho
4369b507e3
🐛Configure cache and throttle options (#1380)
* Adding configuration of Secrtets/Configmap caching behavior

Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>

* Adding client-sided qps/burst configuration

Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
2022-07-23 19:56:02 -03:00
Gustavo Fernandes de Carvalho
ccea3d532f
🐛 Adds ability to configure cert lookahead interval for webhook pod. (#1304)
Fixes #1249

Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
2022-07-12 06:25:16 -03:00
Alberto Llamas
5ec222dfd0 update 2022-06-21 11:52:01 +02:00
Merlin
4820cc9165 Ignore ExternalSecret processing if the store is not usuable (e.g.
NotReady).
2022-04-13 23:24:39 +02:00
Gustavo Carvalho
26a824fb2a Updated default ports to 10250
Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
2022-04-12 07:27:16 -03:00
Gustavo Carvalho
b5220fa618 Adding some options for webhook deployment:
* hostNetwork for webhook pod
 * FailurePolicy for validatingwebhook definition
 * Changed webhook port to a configurable value
 * Defined default value as 9443
Fixes #944

Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
2022-04-11 15:16:20 -03:00
Eric Chan
8dd8ca4d92 add new flags to control both cluster store and cluster external secret reconciler 2022-03-24 23:55:08 +10:00
Eric Chan
da6e457b50 skip processing cluster secret store 2022-03-24 23:55:00 +10:00
Eric Chan
553d99a456 Add the ability to support scoped RBAC with a scoped namespace 2022-03-24 23:54:46 +10:00
Daniel Hix
324c7def06
feat: implement ClusterExternalSecret (#542)
Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com>
2022-03-20 09:32:27 +01:00
Moritz Johner
8fc4484cc6 feat: implement validating webhook
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2022-03-01 21:25:15 +01:00
Gustavo Carvalho
847b95e4fd Merge branch 'main' into feature/conversion-webhook
Disabled secrets cache for cert controller.

Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
2022-02-17 09:35:20 -03:00
Gustavo Carvalho
2e6017dd4b Using cobra commands instead of several binaries
Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
2022-02-15 08:52:52 -03:00