1
0
Fork 0
mirror of https://github.com/external-secrets/external-secrets.git synced 2024-12-14 11:57:59 +00:00
Commit graph

112 commits

Author SHA1 Message Date
Shuhei Kitagawa
9d17e34942
Refactor the SecretStore client manager (#3419)
* Refactor the SecretStore client manager

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>

* Fix ineffectual assignment to err

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>

* Update docs

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>

---------

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
2024-04-29 05:15:21 -03:00
Mykhailo Zahlada
47cc50a9ed
Workloadidentity clientid from secret ref (#3367)
* updates documentation: extends workloadIdentity auth configuration

Signed-off-by: Mykhailo Zahlada <myzahlad@microsoft.com>

* adds and updates tests

Signed-off-by: Mykhailo Zahlada <myzahlad@microsoft.com>

* extends provider configuration to accept clientId and tenantId as auth SecretRef

Signed-off-by: Mykhailo Zahlada <myzahlad@microsoft.com>

* updates service account example

Signed-off-by: Mykhailo Zahlada <myzahlad@microsoft.com>

* updates docs

Signed-off-by: Mykhailo Zahlada <myzahlad@microsoft.com>

---------

Signed-off-by: Mykhailo Zahlada <myzahlad@microsoft.com>
Co-authored-by: Mykhailo Zahlada <myzahlad@microsoft.com>
Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com>
2024-04-18 05:09:53 -03:00
Thorben Below
432c6bf9ab
Feat: Add Passbolt Provider (#3334)
* add passbolt provider

Signed-off-by: Thorben Below <56894536+thorbenbelow@users.noreply.github.com>

* Fix: return err for unimplemented methods

Signed-off-by: Thorben Below <56894536+thorbenbelow@users.noreply.github.com>

---------

Signed-off-by: Thorben Below <56894536+thorbenbelow@users.noreply.github.com>
2024-04-18 09:58:25 +02:00
Shuhei Kitagawa
120fedf841
Add NamespaceSelectors field to ClusterExternalSecret (#3268)
https://github.com/external-secrets/external-secrets/issues/3257

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
2024-04-05 08:35:08 +09:00
Rodrigo Fior Kuntzer
9ff2354213
fix: introducing support for conversion strategy for PushSecret. (#3292)
* fix: introducing support for conversion strategy for PushSecret.

Signed-off-by: Rodrigo Fior Kuntzer <rodrigo@miro.com>

* fix: unit tests code quality.

Signed-off-by: Rodrigo Fior Kuntzer <rodrigo@miro.com>

---------

Signed-off-by: Rodrigo Fior Kuntzer <rodrigo@miro.com>
2024-04-04 16:31:28 +02:00
Michael Serchenia
84731616f4
GitHub provider (supersedes #3014) (#3115)
* github provider signed, supersedes #3014

Signed-off-by: Mike Serchenia <michael_serchenia@epam.com>

* tests pass, + crd + docs

Signed-off-by: Mike Serchenia <michael_serchenia@epam.com>

* fix sonarLint alert

Signed-off-by: Mike Serchenia <michael_serchenia@epam.com>

* refactoring, replace secretStore with generator

Signed-off-by: Mike Serchenia <michael_serchenia@epam.com>

* cosmetics + tst + lint pass

Signed-off-by: Mike Serchenia <michael_serchenia@epam.com>

* docs

Signed-off-by: Mike Serchenia <michael_serchenia@epam.com>

* clean-up + lint + test

Signed-off-by: Mike Serchenia <michael_serchenia@epam.com>

* small refactor, fix issues left in comments

Signed-off-by: Mike Serchenia <michael_serchenia@epam.com>

---------

Signed-off-by: Mike Serchenia <michael_serchenia@epam.com>
2024-04-03 09:19:57 +02:00
Blair Drummond
731c0ed736
feat: add vault auth namespace option (#3157)
* feat: add vault auth namespace option

Signed-off-by: Blair Drummond <blaird@liatrio.com>

* fix: appease the linter

Signed-off-by: Blair Drummond <blaird@liatrio.com>

* feat: add tests for auth namespace

Signed-off-by: Blair Drummond <blaird@liatrio.com>

* fix: add make reviewable output

Signed-off-by: Blair Drummond <blaird@liatrio.com>

---------

Signed-off-by: Blair Drummond <blaird@liatrio.com>
2024-03-27 07:23:34 +01:00
Sulfixx
e57e4b72ca
Integrate Passworddepot (#2799)
* PLAT-1179 | updated to beta1

Signed-off-by: Simon Becker <simon.becker@fastleansmart.com>

* PLAT-1179 | Updating External Secrets fixes

Signed-off-by: Simon Becker <simon.becker@fastleansmart.com>

* PLAT-1179 | Fix to Passworddepots-crds-generation

Signed-off-by: Simon Becker <simon.becker@fastleansmart.com>

* PLAT-1179 | apiextensionsv1 removal

Signed-off-by: Simon Becker <simon.becker@fastleansmart.com>

* Update apis/externalsecrets/v1beta1/secretstore_passworddeport_types.go

Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Signed-off-by: Sulfixx <135371229+Sulfixx@users.noreply.github.com>

* Update apis/externalsecrets/v1beta1/secretstore_passworddeport_types.go

Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Signed-off-by: Sulfixx <135371229+Sulfixx@users.noreply.github.com>

* Update apis/externalsecrets/v1beta1/secretstore_types.go

Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Signed-off-by: Sulfixx <135371229+Sulfixx@users.noreply.github.com>

* PLAT-1179 | Removed insecureverify and other fixes

Signed-off-by: Simon Becker <simon.becker@fastleansmart.com>

* PLAT-1179 | Fixed Linter and Sonar Issues

Signed-off-by: Simon Becker <simon.becker@fastleansmart.com>

* PLAT-1179 | Fixed Typo in Passworddepot_api.go

Signed-off-by: Simon Becker <simon.becker@fastleansmart.com>

* PLAT-1179 | Resolved go.mod Conflict

Signed-off-by: Simon Becker <simon.becker@fastleansmart.com>

* PLAT-1179 | Resolved go.mod conflict typo

Signed-off-by: Simon Becker <simon.becker@fastleansmart.com>

* PLAT-1179 | admission.Warnings error fix

Signed-off-by: Simon Becker <simon.becker@fastleansmart.com>

* PLAT-1179 | Added nolint:bodyclose // linters bug

Signed-off-by: Simon Becker <simon.becker@fastleansmart.com>

* PLAT-1179 | Removed <= Head arrow from mkdocs.yml

Signed-off-by: Simon Becker <simon.becker@fastleansmart.com>

* PLAT-1179 | Added Make Check-Diff Changes

Signed-off-by: Simon Becker <simon.becker@fastleansmart.com>

* PLAT-1179 | Changed Error Package, Added Context, API Refactor

Signed-off-by: Simon Becker <simon.becker@fastleansmart.com>

* PLAT-1179 | Added const DoRequestError to reduce Codesmell

Signed-off-by: Simon Becker <simon.becker@fastleansmart.com>

* PLAT-1179 | Moved defer body close func into ReadAndUnmarshal

Signed-off-by: Simon Becker <simon.becker@fastleansmart.com>

* PLAT-1179 | Moved Status Check into ReadAndUnmarshal

Signed-off-by: Simon Becker <simon.becker@fastleansmart.com>

* PLAT-1179 | Removed Response.body from ReadAndUnmarshal

Signed-off-by: Simon Becker <simon.becker@fastleansmart.com>

* Update apis/externalsecrets/v1alpha1/secretstore_passworddepot_types.go

Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Signed-off-by: Sulfixx <135371229+Sulfixx@users.noreply.github.com>

* PLAT-1179 | Go mod tidy and Make generate

Signed-off-by: Simon Becker <simon.becker@fastleansmart.com>

* PLAT-1179 | Added empty SecretExists Method

Signed-off-by: Simon Becker <simon.becker@fastleansmart.com>

* PLAT-1179 | Renamed unsed ctx to _

Signed-off-by: Simon Becker <simon.becker@fastleansmart.com>

---------

Signed-off-by: Simon Becker <simon.becker@fastleansmart.com>
Signed-off-by: Sulfixx <135371229+Sulfixx@users.noreply.github.com>
Co-authored-by: Sören Rohweder <soeren.rohweder@fastleansmart.com>
Co-authored-by: Simon Becker <simon.becker@fastleansmart.com>
Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
2024-03-12 13:33:08 +01:00
Carolin Dohmen
29e5f71d8b
Add PushSecret UpdatePolicy (to replace PR #3100) (#3117)
* Add PushSecret UpdatePolicy

Signed-off-by: Carolin Dohmen <carodohmen@gmail.com>

* Adjust description of UpdatePolicy in PushSecret Spec

Signed-off-by: Carolin Dohmen <carodohmen@gmail.com>

* Restructure PushSecret Status

Signed-off-by: Carolin Dohmen <carodohmen@gmail.com>

* Refactor PushSecret controller method

Signed-off-by: Carolin Dohmen <carodohmen@gmail.com>

* Add missing methods for new providers

Signed-off-by: Carolin Dohmen <carodohmen@gmail.com>

* Add missing method to onboardbase client

Signed-off-by: Carolin Dohmen <carodohmen@gmail.com>

* Add docs on PushSecret UpdatePolicy

Signed-off-by: Carolin Dohmen <carodohmen@gmail.com>

* Use constant for error message

Signed-off-by: Carolin Dohmen <carodohmen@gmail.com>

---------

Signed-off-by: Carolin Dohmen <carodohmen@gmail.com>
2024-03-08 11:17:31 +01:00
Shlomo Zalman Heigh
1d3209da59
Conjur E2E Tests for K8s JWT Authentication (#3217)
Signed-off-by: Shlomo Heigh <shlomo.heigh@cyberark.com>
2024-03-01 17:36:19 +01:00
Aleem Isiaka
52f6655345
Onboardbase (#2697)
* Commit and Save

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Pull secrets

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Integrate Onboardbase Into ESO

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Minor Fix And Cleanups

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Attend to review comments

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Commit and Save

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Pull secrets

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Integrate Onboardbase Into ESO

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Minor Fix And Cleanups

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Attend to review comments

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Commit and Save

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Pull secrets

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Integrate Onboardbase Into ESO

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Minor Fix And Cleanups

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Attend to review comments

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Commit and Save

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Pull secrets

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Integrate Onboardbase Into ESO

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Minor Fix And Cleanups

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Attend to review comments

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Run decrypt with error

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Commit and Save

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Pull secrets

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Integrate Onboardbase Into ESO

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Minor Fix And Cleanups

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Attend to review comments

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Commit and Save

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Pull secrets

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Integrate Onboardbase Into ESO

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Minor Fix And Cleanups

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Attend to review comments

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Commit and Save

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Pull secrets

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Integrate Onboardbase Into ESO

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Minor Fix And Cleanups

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Attend to review comments

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Commit and Save

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Pull secrets

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Integrate Onboardbase Into ESO

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Minor Fix And Cleanups

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Attend to review comments

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Install deps

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Improved docs

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Improved docs

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Update hack/crd.generate.sh

Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: Aleem Isiaka <30846935+limistah@users.noreply.github.com>

* address issues with running the code

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* decrypt library into code

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* add docs to onboardbase provider

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* refactor duplicates

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Address Issues with tests

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Address issues with delete policy and json secrets

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Fix lint errors

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* error out when there is tags in the find field

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* execute delete request with the right data

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* ignore deletion policy

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* improve lint errors

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* remove cryptojs decrypt libs

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* Get secret value if property is set

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* run obb operator

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* 👌 IMPROVE: supports request deadline, esv1beta1 api updates

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* use same timeout

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* fix sonar cloud issues

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* fix sonar cloud issues

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* fix sonar cloud issues

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* fix failing test

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* add improve docs

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

* add improve docs

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>

---------

Signed-off-by: Aleem Isiaka <aleemisiaka@gmail.com>
Signed-off-by: Nasirudeen Olohundare <iamnasirudeen@gmail.com>
Signed-off-by: Aleem Isiaka <30846935+limistah@users.noreply.github.com>
Co-authored-by: Nasirudeen Olohundare <iamnasirudeen@gmail.com>
Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com>
2024-02-29 21:28:17 +01:00
David Recuenco
af38fc68d5
ADD sdkms base implementation (#3180)
* ADD sdkms base implementation

Signed-off-by: Recuenco, David <david.recuenco@adidas-group.com>

* FIX get secret object by name, unmarshalling error formatting

Signed-off-by: Recuenco, David <david.recuenco@adidas-group.com>

* ADD suport for fortanix secret security objects

Signed-off-by: Recuenco, David <david.recuenco@adidas-group.com>

* ADD more tests for opaque, secret, new client

Signed-off-by: Recuenco, David <david.recuenco@adidas-group.com>

* FIX changes required by make reviewable

Signed-off-by: Recuenco, David <david.recuenco@adidas-group.com>

* ADD missing provider registration

Signed-off-by: Recuenco, David <david.recuenco@adidas-group.com>

* FIX remove unused error string, add generated assets

Signed-off-by: Recuenco, David <david.recuenco@adidas-group.com>

---------

Signed-off-by: Recuenco, David <david.recuenco@adidas-group.com>
2024-02-28 10:59:47 +01:00
Gustavo Fernandes de Carvalho
1cf8f68276
Implements Webhook Generator (#3121)
* adding webhook generators

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>

* bumping bundle

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>

* linting

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>

* fixing copy-paste error

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>

* common webhook functions

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>

* removing duplicates. Adding tests for generator

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>

* docs

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>

---------

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
2024-02-17 06:49:31 -03:00
Engin Diri
dc9b5b7207
feat: add support for Pulumi ESC (#2997)
Signed-off-by: Engin Diri <engin.diri@ediri.de>
2024-02-14 19:56:06 +01:00
Sourav Patnaik
a012f4829c
Implementation of Chef External Secrets Provider (#3127)
* Adding the details for chef provider secret store.

Issue: https://github.com/external-secrets/external-secrets/issues/2905

This commit intends to add the chef provider structure to the existing list of external-secrets providers.
It defines the structure of the SecretStore and ClusterSecretStore for chef Provider.
The yaml resource will contain 3 important parts to identify and connect to chef server to reconcile secrets. They are:
1. serverurl: This is the URL to the chef server.
2. username: The username to connect to the chef server.
3. auth: The password to connect to the chef server. It is a reference to an already existing kubernetes secret containing the password.

This commit also contains the auto generated CRDs using the `make generate` command.

Signed-off-by: Subroto Roy <subrotoroy007@gmail.com>

* Implementation for Chef ESO provided

Signed-off-by: vardhanreddy13 <vvv.vardhanreddy@gmail.com>

* - implemented Chef eso, added required methods
- added unit test cases
- added sample documentation
Issue: https://github.com/external-secrets/external-secrets/issues/2905

Signed-off-by: Sourav Patnaik <souravpatnaik123@gmail.com>

* Added Documentation for Authentication

Signed-off-by: Subroto Roy <subrotoroy007@gmail.com>

* added documentation for Chef eso
Issue: https://github.com/external-secrets/external-secrets/issues/2905

Signed-off-by: Sourav Patnaik <souravpatnaik123@gmail.com>

* Updated chef ESO documentation

Signed-off-by: vardhanreddy13 <vvv.vardhanreddy@gmail.com>

* updated ValidateStore method signature
Issue: https://github.com/external-secrets/external-secrets/issues/2905

Signed-off-by: Sourav Patnaik <souravpatnaik123@gmail.com>

* made changes in chef provider to satisfy 'make docs'

Issue: https://github.com/external-secrets/external-secrets/issues/2905

Signed-off-by: Sourav Patnaik <souravpatnaik123@gmail.com>

* - updated code as per review comment, make reviewable suggestions
Issue: https://github.com/external-secrets/external-secrets/issues/2905

Signed-off-by: Sourav Patnaik <souravpatnaik123@gmail.com>

* modified chef provider code as per review comment

Issue: https://github.com/external-secrets/external-secrets/issues/2905

Signed-off-by: Sourav Patnaik <souravpatnaik123@gmail.com>

---------

Signed-off-by: Subroto Roy <subrotoroy007@gmail.com>
Signed-off-by: vardhanreddy13 <vvv.vardhanreddy@gmail.com>
Signed-off-by: Sourav Patnaik <souravpatnaik123@gmail.com>
Co-authored-by: Subroto Roy <subrotoroy007@gmail.com>
Co-authored-by: vardhanreddy13 <vvv.vardhanreddy@gmail.com>
2024-02-14 09:54:08 +01:00
eso-service-account-app[bot]
41cd1d36a4
chore: update dependencies (#3065)
* update dependencies

Signed-off-by: External Secrets Operator <ExternalSecretsOperator@users.noreply.github.com>

* fix: re-generate CRDs with new controller-runtime version

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

---------

Signed-off-by: External Secrets Operator <ExternalSecretsOperator@users.noreply.github.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: External Secrets Operator <ExternalSecretsOperator@users.noreply.github.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
2024-01-22 20:56:06 +01:00
Rodrigo Fior Kuntzer
31cecaa62b
feat: add support for Hashicorp Vault mTLS (#3018)
* feat: adding support for mTLS to the Vault provider

Signed-off-by: Rodrigo Fior Kuntzer <rodrigo@miro.com>
2024-01-19 00:43:28 +01:00
Gergely Brautigam
d6e24a82bd
feat: add templating to PushSecret (#2926)
* feat: add templating to PushSecret

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

* adding unit tests around templating basic concepts and verifying output

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

* extracting some of the common functions of the parser

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

* remove some more duplication

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

* removed commented out code segment

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

* added documentation for templating feature

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

* simplified the templating for annotations and labels

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

---------

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
2023-12-22 21:45:34 +01:00
Victor Santos
3599384660
feat(fake): deprecate ValueMap to use Value instead (#2884) 2023-12-02 06:57:48 +09:00
Gergely Brautigam
3fbe318582
feat: allow pushing the whole secret to the provider (#2862)
* feat: allow pushing the whole secret to the provider

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

* add documentation about pushing a whole secret

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

* disabling this feature for the rest of the providers for now

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

* added scenario for update with existing property

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

---------

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
2023-11-21 22:00:21 +01:00
Lakhan Jindam
325f36e47d
add validations for the remaining enum values (#2860)
* add validations for the remaining enum values

Signed-off-by: lakhan jindam <lakhanj569@gmail.com>

* generate crd configs using make reviewable cmd and address review comments

Signed-off-by: lakhan jindam <lakhanj569@gmail.com>

---------

Signed-off-by: lakhan jindam <lakhanj569@gmail.com>
2023-11-18 19:55:39 -03:00
Yonatan Koren
d42e19dc70
feat: AWS SecretsManager Config (allow ForceDeleteWithoutRecovery for PushSecret) (#2854)
* Add secretsmanager config.

Signed-off-by: Yonatan Koren <10080107+korenyoni@users.noreply.github.com>

* Fix unit tests.

Signed-off-by: Yonatan Koren <10080107+korenyoni@users.noreply.github.com>

* Update docs, fix validation, tests.

Signed-off-by: Yonatan Koren <10080107+korenyoni@users.noreply.github.com>

* Fix grammatical error in attribute descriptions.

Signed-off-by: Yonatan Koren <10080107+korenyoni@users.noreply.github.com>

* Improve API docs for SecretsManager.

Signed-off-by: Yonatan Koren <10080107+korenyoni@users.noreply.github.com>

---------

Signed-off-by: Yonatan Koren <10080107+korenyoni@users.noreply.github.com>
2023-11-14 18:44:22 -03:00
Anders Swanson
f4a7c95b54
feat: Oracle PushSecret & find implementation (#2840)
Signed-off-by: anders-swanson <anders.swanson@oracle.com>
2023-11-03 21:42:27 +01:00
Moritz Johner
9ff86eab51
fix: remove sourceRef.generatorRef from .data[] (#2735)
fix: deprecate sourceRef.generatorRef from .data[]

A generator is supposed to be used via .dataFrom[]. Usage in .data[]
is not implemented and doesn't make sense, see #2720.

This commit splits the SourceRef into two types:
- one that only defines a secretStoreRef
- one that allows to define either secretStoreRef or generatorRef

The former is used in .data[] and the latter is used in .dataFrom[].

The Deprecated field is going to be removed with v1.

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2023-11-02 14:37:59 +01:00
Anders Swanson
8dd934ceed
feat: Oracle provider service account masquerade (#2817)
* feat: Oracle provider service account masquerade

Signed-off-by: anders-swanson <anders.swanson@oracle.com>
2023-11-02 08:34:18 +01:00
Shuhei Kitagawa
ff0ef2e6d9
Add validations for the enum values (#2819)
Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
2023-10-30 13:30:04 +01:00
Gergely Brautigam
7fbae000d6
feat: add namespace list selector to ClusterExternalSecrets (#2803)
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
2023-10-25 13:58:05 +02:00
Sonny Alves Dias
0a0fd050c0
add directive to apply template on secret names (#2802)
Signed-off-by: Sonny Alves Dias <sonny.dias@superevilmegacorp.com>
2023-10-25 13:45:38 +02:00
Anders Swanson
b1bad77eb3
Oracle: Workload Identity authentication (#2781)
* Oracle: Workload Identity authentication

Signed-off-by: anders-swanson <anders.swanson@oracle.com>

* Merge main

Signed-off-by: anders-swanson <anders.swanson@oracle.com>

* Cleanup go.mod

Signed-off-by: anders-swanson <anders.swanson@oracle.com>

* Lint

Signed-off-by: anders-swanson <anders.swanson@oracle.com>

* Use mutex for environment variables

Signed-off-by: anders-swanson <anders.swanson@oracle.com>

---------

Signed-off-by: anders-swanson <anders.swanson@oracle.com>
Signed-off-by: Anders Swanson <91502735+anders-swanson@users.noreply.github.com>
2023-10-24 21:48:25 +02:00
Kieran Bristow
d9eaeb40dc
Conjur JWT support (#2591)
* Add JWT Auth to Conjur Provider

Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>

* Update docs for Cyberark Conjur Provider

Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>

* Update test suite to cover new functionality

Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>

* Run make reviewable

Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>

* Set MinVersion for tls.Config to satisfy linting

Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>

* Move ca bundle config example to a yaml snippet

Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>

* fix: consolidate naming

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* fix: consolidate naming

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* docs: make it a working example

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* Remove JWT expiration handling logic

Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>

* Run make fmt

Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>

---------

Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
2023-09-25 10:05:17 +02:00
Shuhei Kitagawa
da85f80d97
Support PushSecret metadata (#2600)
* Support PushSecret metadata

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>

* Refactor GCP PushSecret

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>

---------

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
2023-08-28 23:50:21 +02:00
Moritz Johner
97df83b518
chore: bump dependencies (#2654)
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2023-08-28 11:50:46 +02:00
Shuhei Kitagawa
d5271d0dab
Delete old ClusterExternalSecrets when name changed (#2601)
Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
2023-08-25 20:44:01 +02:00
Moritz Johner
416deb3303
chore: bump dependencies (#2568)
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2023-08-02 21:42:03 +02:00
Martin Schuessler
f777a85156
added userPass authentication to the hashicorp vault provider (#2539)
Signed-off-by: Martin Schuessler <1407812+c0ffee@users.noreply.github.com>
Co-authored-by: Moritz Johner <moolen@users.noreply.github.com>
2023-08-01 14:16:19 +02:00
Michael Sauter
bdf437c2e1
Add support for Delinea DevOps Secrets Vault (#2415)
* Add support for Delinea DevOps Secrets Vault

Closes #1709.

Signed-off-by: Michael Sauter <michael.sauter@boehringer-ingelheim.com>

* fix: remove merge conflict

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* Improve documentation

Signed-off-by: Michael Sauter <michael.sauter@boehringer-ingelheim.com>

---------

Signed-off-by: Michael Sauter <michael.sauter@boehringer-ingelheim.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <moolen@users.noreply.github.com>
2023-07-06 18:01:43 +02:00
Shuhei Kitagawa
2fc277236d
Fix ClusterExternalSecret printcolumns (#2451)
Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
2023-06-27 11:06:05 +02:00
David Hisel
de491a2790
Add Conjur provider (#2412)
* Add Conjur provider

Signed-off-by: David Hisel <David.Hisel@CyberArk.com>

* fix: lint

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* fix: unit tests

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

---------

Signed-off-by: David Hisel <David.Hisel@CyberArk.com>
Signed-off-by: David Hisel <132942678+davidh-cyberark@users.noreply.github.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
2023-06-21 11:17:00 +02:00
Joel Watson
6a32b982f0
Add lower-kebab name transformer to Doppler provider (#2418)
Signed-off-by: Joel Watson <joel.watson@doppler.com>
2023-06-15 08:16:21 +02:00
Shuhei Kitagawa
9dd4186df1
Set metadata to external secrets managed by cluster external secrets (#2413)
Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
2023-06-14 23:23:04 +02:00
Nima Fotouhi
e7799e757a
Adding session tags & transitive tags to SecretStore definition (#2372)
* feat: added session tag capability to assume role

modified apis/externalsecrets/v1beta1/secretstore_aws_types.go to expect session tags and transitive tags structs
modified pkg/provider/aws/auth/auth.go to pass session tags if they exist

Signed-off-by: Nima Fotouhi <fotouhi@live.com>

* fix: make build errors (JSON serialization error)

modified apis/externalsecrets/v1beta1/secretstore_aws_types.go to include a new custom struct (Tag) used with SessionTags instead of []*sts.Tag
modified pkg/provider/aws/auth/auth.go to convert custom Tag struct to sts.Tag before passing to assume role API call

Signed-off-by: Nima Fotouhi <fotouhi@live.com>

* removed unnecessary commented out code

Signed-off-by: Nima Fotouhi <fotouhi@live.com>

* chore(deps): bump actions/setup-python from 4.6.0 to 4.6.1 (#2366)

Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.6.0 to 4.6.1.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/v4.6.0...v4.6.1)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Nima Fotouhi <fotouhi@live.com>

* 📚 Update stability-support.md (#2363)

Staring 0.82, IBM Cloud Secrets Manager supports fetching secrets by name as well as ID.

Signed-off-by: Idan Adar <iadar@il.ibm.com>
Signed-off-by: Nima Fotouhi <fotouhi@live.com>

* feat: ran make reviewable tasks (except for docs)

Signed-off-by: Nima Fotouhi <fotouhi@live.com>

* refractor: made addition of TransitiveTagKeys to setAssumeRoleOptions dependant to presence of SessionTags. So if user includes Transitive Tags in SecretStore definition without Session Tags, tags get ignored

Signed-off-by: Nima Fotouhi <fotouhi@live.com>

---------

Signed-off-by: Nima Fotouhi <fotouhi@live.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Idan Adar <iadar@il.ibm.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Idan Adar <iadar@il.ibm.com>
2023-06-01 11:12:02 +02:00
Moritz Johner
54664b43b1
chore: update dependencies (#2348)
* chore: update dependencies

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* chore: get rid of argo dependency to be independent of their k8s
versioning

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

---------

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2023-05-31 09:36:22 +02:00
Moritz Johner
593eb13999
feat: allow to get auth data from vault response (#2325)
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2023-05-22 10:00:41 +02:00
sdischer-sap
8034079e1d
Feature/pushsecret kubernetes (#2322)
* Add API changes for push secret to k8s

- Property field similar to ExternalSecret

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* rebase: merge commits

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* New Test cases for existing PushSecret Logic

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* feat: replace property if it exists, but differs

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* feat: restrict usage to having a property always

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* chore: refactor delete to work with property only and cleanup whole secret only if it would be empty otherwise

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* feat: refuse to work without property in spec

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* chore: cleanup code, make it more readable

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* feat: add metric calls for kubernetes

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* chore: reorder test cases

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* feat: make property optional to not break compatibility

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* fix: adapt fake impls to include new method to fix tests

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* feat: change status-ref to include property to allow multi property deletes

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* chore: fix make reviewable complains

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* fix: fix imports from merge conflict

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* chore: adapt latest make reviewable suggestions

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* docs: update push secret support for k8s provider

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* docs: add Kubernetes PushSecret docs

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

---------

Signed-off-by: Stephan Discher <stephan.discher@sap.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
2023-05-18 00:15:18 +02:00
Scott Andrews
2174a67575
Make ExternalSecret a provisioned service (#2263)
The Service Binding for Kubernetes project (servicebinding.io) is a spec
to make it easier for workloads to consume services. At runtime, the
ServiceBinding resource references a service resources and workload
resource to connect to the service. The Secret for a service is
projected into a workload resource at a well known path.

Services can advertise the name of the Secret representing the service
on it's status at `.status.binding.name`. Hosting the name of a Secret
at this location is the Provisioned Service duck type. It has the effect
of decoupling the logical consumption of a service from the physical
Secret holding state.

Using ServiceBindings with ExternalSecrets today requires the user to
directly know and reference the Secret created by the ExternalSecret as
the service reference. This PR adds the name of the Secret to the status
of the ExternalSecret at a well known location where it is be discovered
by a ServiceBinding. With this change, user can reference an
ExternalSecret from a ServiceBinding.

A ClusterRole is also added with a well known label for the
ServiceBinding controller to have permission to watch ExternalSecrets
and read the binding Secret.

ClusterExternalSecret was not modified as ServiceBindings are limited to
the scope of a single namespace.

Signed-off-by: Scott Andrews <andrewssc@vmware.com>
2023-05-16 22:06:55 +02:00
Saumya Shovan Roy (Deep)
08bb2291fe
feat: add controller class on VaultDynamicSecret resources (#2287)
* feat: add generator for vaultdynamicsecret

* Added controllerClass on VaultDynamicSecret

* Added controllerClass on VaultDynamicSecret

Signed-off-by: rdeepc <12953177+rdeepc@users.noreply.github.com>

* Fixed lint

Signed-off-by: rdeepc <12953177+rdeepc@users.noreply.github.com>

* Fixed hack bash

Signed-off-by: rdeepc <12953177+rdeepc@users.noreply.github.com>

* feat: Implemented generator controller class support

- Controller class support in VaultDynamicSecret
- Controller class support in Fake

Signed-off-by: rdeepc <12953177+rdeepc@users.noreply.github.com>

* feat: Implemented Generator controller class check

Signed-off-by: rdeepc <12953177+rdeepc@users.noreply.github.com>

* feat: Implemented Generator controller class check

Signed-off-by: rdeepc <dpr0413@gmail.com>

* feat: Implemented Generator controller class check

Signed-off-by: rdeepc <dpr0413@gmail.com>

* feat: hoist controller class check to the top

The generator controller class check should be at the very top of the
reconcile function just like the other secretStore class check.

Otherwise we would return an error and as a result set the status field on the es
resource - which is undesirable. The controller should completely
ignore the resource instead.

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

---------

Signed-off-by: rdeepc <12953177+rdeepc@users.noreply.github.com>
Signed-off-by: rdeepc <dpr0413@gmail.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Frederic Mereu <frederic.mereu@gaming1.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
2023-05-16 08:59:26 +02:00
Maikel
6128e1d045
fix: use correct casing in docs for GitLab provider (#2303)
* fix: use correct casing in docs for GitLab provider

Signed-off-by: Maikel Vlasman <git@maikelvlasman.com>

* chore: update helm tests

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

---------

Signed-off-by: Maikel Vlasman <git@maikelvlasman.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Maikel Vlasman <git@maikelvlasman.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
2023-05-15 14:12:24 +02:00
Moritz Johner
06cc4bfc39
chore: bump dependencies (#2314) 2023-05-15 11:11:10 +02:00
Brian Dean Richardson
9be0f87794
allow vault roleId to come from k8s Secret (continued) (#2284)
* allow vault roleId to come from k8s Secret

Signed-off-by: intrand <intrand@users.noreply.github.com>

* mark RoleID as optional in kubebuilder

Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: intrand <intrand@users.noreply.github.com>

* mark RoleRef as optional in kubebuilder

Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: intrand <intrand@users.noreply.github.com>

* validate RoleRef through webhook

Signed-off-by: intrand <intrand@users.noreply.github.com>

* chore: make fmt/reviewable vault roleId addition

Signed-off-by: Brian Richardson <brianthemathguy@gmail.com>

---------

Signed-off-by: intrand <intrand@users.noreply.github.com>
Signed-off-by: Brian Richardson <brianthemathguy@gmail.com>
Co-authored-by: intrand <intrand@users.noreply.github.com>
Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com>
2023-05-12 07:56:26 -03:00
Gaurav Dasson
7b8fef2c18
Enabling Vault IAM auth (#2208)
* Enabling Vault IAM auth

Signed-off-by: Gaurav Dasson <gaurav.dasson@gmail.com>

* Adding spec

Signed-off-by: Gaurav Dasson <gaurav.dasson@gmail.com>

* Adding test cases and decoupling vault provider from aws for iam auth

Signed-off-by: Gaurav Dasson <gaurav.dasson@gmail.com>

* Fixing comments

Signed-off-by: Gaurav Dasson <gaurav.dasson@gmail.com>

* Fixing linter issues

Signed-off-by: Gaurav Dasson <gaurav.dasson@gmail.com>

* Fixing the check-diff errors

Signed-off-by: Gaurav Dasson <gaurav.dasson@gmail.com>

* Adding support for assumeRole operations when using static creds

Signed-off-by: Gaurav Dasson <gdasson@Gauravs-Mac-mini.local>

* Bumping the dependencies to fix the go.mod/go.sum conflicts

Signed-off-by: Gaurav Dasson <gdasson@Gauravs-Mac-mini.local>

* Bumping up e2e go mod files

Signed-off-by: Gaurav Dasson <gaurav.dasson@gmail.com>

---------

Signed-off-by: Gaurav Dasson <gaurav.dasson@gmail.com>
2023-05-11 06:10:07 -03:00