* feat: add templating to PushSecret
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* adding unit tests around templating basic concepts and verifying output
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* extracting some of the common functions of the parser
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* remove some more duplication
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* removed commented out code segment
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* added documentation for templating feature
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* simplified the templating for annotations and labels
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
---------
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* Docs - add note clarifying how to use filterpem for future readers
Signed-off-by: arnoldrw <arnold.rw@pg.com>
* Update docs/guides/templating.md
Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Signed-off-by: Ryan Arnold <51235300+arnoldrw@users.noreply.github.com>
---------
Signed-off-by: arnoldrw <arnold.rw@pg.com>
Signed-off-by: Ryan Arnold <51235300+arnoldrw@users.noreply.github.com>
Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* feat: allow pushing the whole secret to the provider
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* add documentation about pushing a whole secret
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* disabling this feature for the rest of the providers for now
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* added scenario for update with existing property
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
---------
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
fix: deprecate sourceRef.generatorRef from .data[]
A generator is supposed to be used via .dataFrom[]. Usage in .data[]
is not implemented and doesn't make sense, see #2720.
This commit splits the SourceRef into two types:
- one that only defines a secretStoreRef
- one that allows to define either secretStoreRef or generatorRef
The former is used in .data[] and the latter is used in .dataFrom[].
The Deprecated field is going to be removed with v1.
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Whilst implementing integration with Vaultwarden I noticed that the local vault was not being updated. I had to add "force=true" to the sync api call for it to work as expected.
Signed-off-by: Gary Hodgson <gary.s.hodgson@gmail.com>
Add namespace to secretRef.privatekey and secretRef.fingerprint in oracle provider example at full-cluster-secret-store.yaml to avoid confusion like in #2727
Signed-off-by: antoniolago <45375617+antoniolago@users.noreply.github.com>
* Add JWT Auth to Conjur Provider
Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>
* Update docs for Cyberark Conjur Provider
Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>
* Update test suite to cover new functionality
Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>
* Run make reviewable
Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>
* Set MinVersion for tls.Config to satisfy linting
Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>
* Move ca bundle config example to a yaml snippet
Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>
* fix: consolidate naming
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* fix: consolidate naming
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* docs: make it a working example
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* Remove JWT expiration handling logic
Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>
* Run make fmt
Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>
---------
Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
* Ensure use of BuildKit in the Docker builds
The builds rely on `TARGETOS` and `TARGETARCH` being set, which is
automatically accomplished by the new builder.
Add the explicit envvar selector in the Makefile, until most users
update to docker 23+.
Signed-off-by: Andrea Stacchiotti <andreastacchiotti@gmail.com>
* Update docker build command in developer guide
Signed-off-by: Andrea Stacchiotti <andreastacchiotti@gmail.com>
* Introduce RetrySettings support for Hashicorp Vault
Leave default retries to 0 (not the default of the vault sdk of 2),
as this was decided in abec2a64cc .
Signed-off-by: Andrea Stacchiotti <andreastacchiotti@gmail.com>
---------
Signed-off-by: Andrea Stacchiotti <andreastacchiotti@gmail.com>
* Integrate Cloak Secrets
Signed-off-by: Ian Purton <ian.purton@gmail.com>
* Fix link
Signed-off-by: Ian Purton <36966+ianpurton@users.noreply.github.com>
---------
Signed-off-by: Ian Purton <ian.purton@gmail.com>
Signed-off-by: Ian Purton <36966+ianpurton@users.noreply.github.com>
* Add Conjur provider
Signed-off-by: David Hisel <David.Hisel@CyberArk.com>
* fix: lint
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* fix: unit tests
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
---------
Signed-off-by: David Hisel <David.Hisel@CyberArk.com>
Signed-off-by: David Hisel <132942678+davidh-cyberark@users.noreply.github.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
* IBM Provider: enable ESO to pull secrets by name
Signed-off-by: tanishg6@gmail.com <tanishg6@gmail.com>
* document ESO's capability to pull by secret name for IBM provider
Signed-off-by: tanishg6@gmail.com <tanishg6@gmail.com>
* correct the metrics instrumentation
Signed-off-by: tanishg6@gmail.com <tanishg6@gmail.com>
---------
Signed-off-by: tanishg6@gmail.com <tanishg6@gmail.com>
I also thought it could be usefull to provide an External Secret that uses the Password from the example
Signed-off-by: Sebastián Gómez <sebastiangomezcorrea@gmail.com>
* fix: export grafana dashboard properly
The dashboard JSON must be exported via the share UI, instead of the
JSON Model from settings.
This allows a user to select the correct datasource when importing it
via UI.
see here: https://grafana.com/docs/grafana/latest/dashboards/manage-dashboards/#exporting-a-dashboard
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* chore: bump deps
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
---------
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* feat: add provider metrics
This adds a counter metric `provider_api_calls_count` that observes
the results of upstream secret provider api calls.
(1) Observability
It allows an user to break down issues by provider and api call by
observing the status=error|success label. More details around the error
can be found in the logs.
(2) Cost Management
Some providers charge by API calls issued. By providing observability
for the number of calls issued helps users to understand the impact of
deploying ESO and fine-tuning `spec.refreshInterval`.
(3) Rate Limiting
Some providers implement rate-limiting for their services. Having
metrics
for success/failure count helps to understand how many requests are
issued by a given ESO deployment per cluster.
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* fix: add service monitor for cert-controller and add SLIs
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
---------
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
