1
0
Fork 0
mirror of https://github.com/external-secrets/external-secrets.git synced 2024-12-14 11:57:59 +00:00
Commit graph

179 commits

Author SHA1 Message Date
Anders Swanson
b1bad77eb3
Oracle: Workload Identity authentication (#2781)
* Oracle: Workload Identity authentication

Signed-off-by: anders-swanson <anders.swanson@oracle.com>

* Merge main

Signed-off-by: anders-swanson <anders.swanson@oracle.com>

* Cleanup go.mod

Signed-off-by: anders-swanson <anders.swanson@oracle.com>

* Lint

Signed-off-by: anders-swanson <anders.swanson@oracle.com>

* Use mutex for environment variables

Signed-off-by: anders-swanson <anders.swanson@oracle.com>

---------

Signed-off-by: anders-swanson <anders.swanson@oracle.com>
Signed-off-by: Anders Swanson <91502735+anders-swanson@users.noreply.github.com>
2023-10-24 21:48:25 +02:00
Kieran Bristow
d9eaeb40dc
Conjur JWT support (#2591)
* Add JWT Auth to Conjur Provider

Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>

* Update docs for Cyberark Conjur Provider

Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>

* Update test suite to cover new functionality

Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>

* Run make reviewable

Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>

* Set MinVersion for tls.Config to satisfy linting

Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>

* Move ca bundle config example to a yaml snippet

Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>

* fix: consolidate naming

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* fix: consolidate naming

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* docs: make it a working example

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* Remove JWT expiration handling logic

Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>

* Run make fmt

Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>

---------

Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
2023-09-25 10:05:17 +02:00
Alexander Kurata
e85b76f1d3
Convert IBM auth struct fields to pointers (#2669)
* Convert SecretStore IBMAuth contents to struct pointers

Signed-off-by: akurata <akurata100@gmail.com>

* update ibm provider logic + tests

Signed-off-by: akurata <akurata100@gmail.com>

* refactor ibm provider validatestore to reduce complexity

Signed-off-by: akurata <akurata100@gmail.com>

* update ibm provider container auth profile check to return an error for a missing profile def

Signed-off-by: akurata <akurata100@gmail.com>

---------

Signed-off-by: akurata <akurata100@gmail.com>
Co-authored-by: Alex Kurata <alexander.kurata@ibm.com>
2023-09-05 12:03:49 +02:00
Shuhei Kitagawa
da85f80d97
Support PushSecret metadata (#2600)
* Support PushSecret metadata

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>

* Refactor GCP PushSecret

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>

---------

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
2023-08-28 23:50:21 +02:00
Shuhei Kitagawa
005fb4d123
Report not ready when no namespace matches (#2582)
* Report not ready when no namespace matches

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>

* Fix flaky a test

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>

* Simplify ClusterExternalSecret status

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>

---------

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
2023-08-28 12:03:57 +02:00
Moritz Johner
97df83b518
chore: bump dependencies (#2654)
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2023-08-28 11:50:46 +02:00
Shuhei Kitagawa
d5271d0dab
Delete old ClusterExternalSecrets when name changed (#2601)
Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
2023-08-25 20:44:01 +02:00
Daniel Campos Olivares
9c9bd73e90
feat: Include remove orphans logic (#1389)
* feat: Include remove orphans logic

Signed-off-by: Daniel Campos Olivares <dacamposol@gmail.com>

* chore: Introduce deletion based on CR Status

Signed-off-by: Daniel Campos Olivares <dacamposol@gmail.com>

* chore: Simplify exit condition

Signed-off-by: Daniel Campos Olivares <dacamposol@gmail.com>

* fix: Check-diff and Unit Test

Signed-off-by: Daniel Campos Olivares <dacamposol@gmail.com>

* fix: Consume PR comments

Signed-off-by: Daniel Campos Olivares <dacamposol@gmail.com>

* chore: Change test string value for JSON

Signed-off-by: Daniel Campos Olivares <dacamposol@gmail.com>

* fix: New secret requires new name

Signed-off-by: Daniel Campos Olivares <dacamposol@gmail.com>

* bumping docs

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>

* Adding unit test instead of e2e test for orphaned secrets compatibility

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>

* Improving readability

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>

* Using Label approach

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>

* fixing lint

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>

* bumping docs

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>

* Update apis/externalsecrets/v1beta1/externalsecret_types.go

Signed-off-by: Moritz Johner <moolen@users.noreply.github.com>

---------

Signed-off-by: Daniel Campos Olivares <dacamposol@gmail.com>
Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: Moritz Johner <moolen@users.noreply.github.com>
Co-authored-by: Daniel Campos Olivares <daniel.campos.olivares@sap.com>
Co-authored-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
Co-authored-by: Moritz Johner <moolen@users.noreply.github.com>
2023-08-05 10:02:04 -03:00
Martin Schuessler
f777a85156
added userPass authentication to the hashicorp vault provider (#2539)
Signed-off-by: Martin Schuessler <1407812+c0ffee@users.noreply.github.com>
Co-authored-by: Moritz Johner <moolen@users.noreply.github.com>
2023-08-01 14:16:19 +02:00
Michael Sauter
bdf437c2e1
Add support for Delinea DevOps Secrets Vault (#2415)
* Add support for Delinea DevOps Secrets Vault

Closes #1709.

Signed-off-by: Michael Sauter <michael.sauter@boehringer-ingelheim.com>

* fix: remove merge conflict

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* Improve documentation

Signed-off-by: Michael Sauter <michael.sauter@boehringer-ingelheim.com>

---------

Signed-off-by: Michael Sauter <michael.sauter@boehringer-ingelheim.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <moolen@users.noreply.github.com>
2023-07-06 18:01:43 +02:00
Shuhei Kitagawa
2fc277236d
Fix ClusterExternalSecret printcolumns (#2451)
Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
2023-06-27 11:06:05 +02:00
David Hisel
de491a2790
Add Conjur provider (#2412)
* Add Conjur provider

Signed-off-by: David Hisel <David.Hisel@CyberArk.com>

* fix: lint

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* fix: unit tests

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

---------

Signed-off-by: David Hisel <David.Hisel@CyberArk.com>
Signed-off-by: David Hisel <132942678+davidh-cyberark@users.noreply.github.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
2023-06-21 11:17:00 +02:00
Joel Watson
6a32b982f0
Add lower-kebab name transformer to Doppler provider (#2418)
Signed-off-by: Joel Watson <joel.watson@doppler.com>
2023-06-15 08:16:21 +02:00
Shuhei Kitagawa
9dd4186df1
Set metadata to external secrets managed by cluster external secrets (#2413)
Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
2023-06-14 23:23:04 +02:00
Nima Fotouhi
e7799e757a
Adding session tags & transitive tags to SecretStore definition (#2372)
* feat: added session tag capability to assume role

modified apis/externalsecrets/v1beta1/secretstore_aws_types.go to expect session tags and transitive tags structs
modified pkg/provider/aws/auth/auth.go to pass session tags if they exist

Signed-off-by: Nima Fotouhi <fotouhi@live.com>

* fix: make build errors (JSON serialization error)

modified apis/externalsecrets/v1beta1/secretstore_aws_types.go to include a new custom struct (Tag) used with SessionTags instead of []*sts.Tag
modified pkg/provider/aws/auth/auth.go to convert custom Tag struct to sts.Tag before passing to assume role API call

Signed-off-by: Nima Fotouhi <fotouhi@live.com>

* removed unnecessary commented out code

Signed-off-by: Nima Fotouhi <fotouhi@live.com>

* chore(deps): bump actions/setup-python from 4.6.0 to 4.6.1 (#2366)

Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.6.0 to 4.6.1.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/v4.6.0...v4.6.1)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Nima Fotouhi <fotouhi@live.com>

* 📚 Update stability-support.md (#2363)

Staring 0.82, IBM Cloud Secrets Manager supports fetching secrets by name as well as ID.

Signed-off-by: Idan Adar <iadar@il.ibm.com>
Signed-off-by: Nima Fotouhi <fotouhi@live.com>

* feat: ran make reviewable tasks (except for docs)

Signed-off-by: Nima Fotouhi <fotouhi@live.com>

* refractor: made addition of TransitiveTagKeys to setAssumeRoleOptions dependant to presence of SessionTags. So if user includes Transitive Tags in SecretStore definition without Session Tags, tags get ignored

Signed-off-by: Nima Fotouhi <fotouhi@live.com>

---------

Signed-off-by: Nima Fotouhi <fotouhi@live.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Idan Adar <iadar@il.ibm.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Idan Adar <iadar@il.ibm.com>
2023-06-01 11:12:02 +02:00
Moritz Johner
54664b43b1
chore: update dependencies (#2348)
* chore: update dependencies

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* chore: get rid of argo dependency to be independent of their k8s
versioning

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

---------

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2023-05-31 09:36:22 +02:00
sdischer-sap
8034079e1d
Feature/pushsecret kubernetes (#2322)
* Add API changes for push secret to k8s

- Property field similar to ExternalSecret

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* rebase: merge commits

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* New Test cases for existing PushSecret Logic

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* feat: replace property if it exists, but differs

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* feat: restrict usage to having a property always

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* chore: refactor delete to work with property only and cleanup whole secret only if it would be empty otherwise

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* feat: refuse to work without property in spec

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* chore: cleanup code, make it more readable

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* feat: add metric calls for kubernetes

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* chore: reorder test cases

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* feat: make property optional to not break compatibility

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* fix: adapt fake impls to include new method to fix tests

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* feat: change status-ref to include property to allow multi property deletes

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* chore: fix make reviewable complains

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* fix: fix imports from merge conflict

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* chore: adapt latest make reviewable suggestions

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* docs: update push secret support for k8s provider

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* docs: add Kubernetes PushSecret docs

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

---------

Signed-off-by: Stephan Discher <stephan.discher@sap.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
2023-05-18 00:15:18 +02:00
Scott Andrews
2174a67575
Make ExternalSecret a provisioned service (#2263)
The Service Binding for Kubernetes project (servicebinding.io) is a spec
to make it easier for workloads to consume services. At runtime, the
ServiceBinding resource references a service resources and workload
resource to connect to the service. The Secret for a service is
projected into a workload resource at a well known path.

Services can advertise the name of the Secret representing the service
on it's status at `.status.binding.name`. Hosting the name of a Secret
at this location is the Provisioned Service duck type. It has the effect
of decoupling the logical consumption of a service from the physical
Secret holding state.

Using ServiceBindings with ExternalSecrets today requires the user to
directly know and reference the Secret created by the ExternalSecret as
the service reference. This PR adds the name of the Secret to the status
of the ExternalSecret at a well known location where it is be discovered
by a ServiceBinding. With this change, user can reference an
ExternalSecret from a ServiceBinding.

A ClusterRole is also added with a well known label for the
ServiceBinding controller to have permission to watch ExternalSecrets
and read the binding Secret.

ClusterExternalSecret was not modified as ServiceBindings are limited to
the scope of a single namespace.

Signed-off-by: Scott Andrews <andrewssc@vmware.com>
2023-05-16 22:06:55 +02:00
Saumya Shovan Roy (Deep)
08bb2291fe
feat: add controller class on VaultDynamicSecret resources (#2287)
* feat: add generator for vaultdynamicsecret

* Added controllerClass on VaultDynamicSecret

* Added controllerClass on VaultDynamicSecret

Signed-off-by: rdeepc <12953177+rdeepc@users.noreply.github.com>

* Fixed lint

Signed-off-by: rdeepc <12953177+rdeepc@users.noreply.github.com>

* Fixed hack bash

Signed-off-by: rdeepc <12953177+rdeepc@users.noreply.github.com>

* feat: Implemented generator controller class support

- Controller class support in VaultDynamicSecret
- Controller class support in Fake

Signed-off-by: rdeepc <12953177+rdeepc@users.noreply.github.com>

* feat: Implemented Generator controller class check

Signed-off-by: rdeepc <12953177+rdeepc@users.noreply.github.com>

* feat: Implemented Generator controller class check

Signed-off-by: rdeepc <dpr0413@gmail.com>

* feat: Implemented Generator controller class check

Signed-off-by: rdeepc <dpr0413@gmail.com>

* feat: hoist controller class check to the top

The generator controller class check should be at the very top of the
reconcile function just like the other secretStore class check.

Otherwise we would return an error and as a result set the status field on the es
resource - which is undesirable. The controller should completely
ignore the resource instead.

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

---------

Signed-off-by: rdeepc <12953177+rdeepc@users.noreply.github.com>
Signed-off-by: rdeepc <dpr0413@gmail.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Frederic Mereu <frederic.mereu@gaming1.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
2023-05-16 08:59:26 +02:00
Maikel
6128e1d045
fix: use correct casing in docs for GitLab provider (#2303)
* fix: use correct casing in docs for GitLab provider

Signed-off-by: Maikel Vlasman <git@maikelvlasman.com>

* chore: update helm tests

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

---------

Signed-off-by: Maikel Vlasman <git@maikelvlasman.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Maikel Vlasman <git@maikelvlasman.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
2023-05-15 14:12:24 +02:00
Brian Dean Richardson
9be0f87794
allow vault roleId to come from k8s Secret (continued) (#2284)
* allow vault roleId to come from k8s Secret

Signed-off-by: intrand <intrand@users.noreply.github.com>

* mark RoleID as optional in kubebuilder

Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: intrand <intrand@users.noreply.github.com>

* mark RoleRef as optional in kubebuilder

Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: intrand <intrand@users.noreply.github.com>

* validate RoleRef through webhook

Signed-off-by: intrand <intrand@users.noreply.github.com>

* chore: make fmt/reviewable vault roleId addition

Signed-off-by: Brian Richardson <brianthemathguy@gmail.com>

---------

Signed-off-by: intrand <intrand@users.noreply.github.com>
Signed-off-by: Brian Richardson <brianthemathguy@gmail.com>
Co-authored-by: intrand <intrand@users.noreply.github.com>
Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com>
2023-05-12 07:56:26 -03:00
Gustavo Fernandes de Carvalho
1cf7c3a6e3
🧹 Bumping GolangciLint version and fixing lint issues (#2304)
Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
2023-05-12 05:11:33 -03:00
Gaurav Dasson
7b8fef2c18
Enabling Vault IAM auth (#2208)
* Enabling Vault IAM auth

Signed-off-by: Gaurav Dasson <gaurav.dasson@gmail.com>

* Adding spec

Signed-off-by: Gaurav Dasson <gaurav.dasson@gmail.com>

* Adding test cases and decoupling vault provider from aws for iam auth

Signed-off-by: Gaurav Dasson <gaurav.dasson@gmail.com>

* Fixing comments

Signed-off-by: Gaurav Dasson <gaurav.dasson@gmail.com>

* Fixing linter issues

Signed-off-by: Gaurav Dasson <gaurav.dasson@gmail.com>

* Fixing the check-diff errors

Signed-off-by: Gaurav Dasson <gaurav.dasson@gmail.com>

* Adding support for assumeRole operations when using static creds

Signed-off-by: Gaurav Dasson <gdasson@Gauravs-Mac-mini.local>

* Bumping the dependencies to fix the go.mod/go.sum conflicts

Signed-off-by: Gaurav Dasson <gdasson@Gauravs-Mac-mini.local>

* Bumping up e2e go mod files

Signed-off-by: Gaurav Dasson <gaurav.dasson@gmail.com>

---------

Signed-off-by: Gaurav Dasson <gaurav.dasson@gmail.com>
2023-05-11 06:10:07 -03:00
Maxim Rubchinsky
59f5759106
Add Alibaba RRSA auth support (#1752)
support alibaba oidc assume role

---------

Signed-off-by: Maxim Rubchinsky <maxim.rubchinsky@wiz.io>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
2023-04-16 14:12:30 +02:00
choilmto
5267c6ee5d
Implement and test logic for external id field when assuming IAM role for AWS (#2023)
Added external id field to struct. Wrote test in AWS provider to check
external ID field in IAM role. Added external id info to current log
when starting an aws session.

Signed-off-by: Cindy <choilmto@gmail.com>
2023-04-05 20:08:13 +02:00
Gustavo Fernandes de Carvalho
ad67363751
Implements template MergePolicy. Fixes a few template merging bugs (#2115)
Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
2023-03-20 19:22:30 -03:00
azert9
f181500e98
Feature/scaleway provider (#2086)
* wip: basic structure of scaleway provider

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* test: add some tests for GetAllSecrets

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* feat: implement PushSecret

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* test: improved test fixtures

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* feat: allow finding secrets by project using the path property

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* feat: add delete secret method

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* Delete dupplicate of push remote ref test implem

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* feat: add capability to use a secret for configuring access token

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* feat: implement GetSecretMap

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* feat: filtering by name and projetc id

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* test: add test for finding secret by name regexp

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* feat: config validation

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* fix: handle situation where no namespace is specified and we cannot provide a default

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* feat: reference secrets by id or name

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* fix: invalid request caused by pagination handling

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* feat: log the error when failing to access secret version

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* fix: pass context to sdk where missing

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* feat: add a cache for reducing AccessSecretVersion() calls

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* refacto: use GetSecret with name instead of ListSecrets

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* feat: allow using secret name in ExternalSecrets

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* feat: use latest_enabled instead of latest

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* refacto: optimized PushSecret and improved its test coverage

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* fix: doesConfigDependOnNamespace was always true

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* feat: use new api with refactored name-based endpoints

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* remove useless todo

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* fix: use secret names as key for GetAllSecrets

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* feat: support gjson propery lookup

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* feat: e2e tests

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* test: e2e test using secret to store api key

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* test: cleanup left over resources on the secret manager before each e2e run

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* doc: add doc for scaleway provider

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* refacto: fix lint issues

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* test: cleanup code in e2e was commented

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* feat: the previous version is disabled when we push to a secret

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* doc: add comments to ScalewayProvider struct to point to console and doc

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* feat: add missing e2e env vars for scaleway

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* docs: add scaleway to support/stability table

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

---------

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
2023-03-16 01:03:52 +01:00
renanaAkeyless
7e5fbb124b
Add CABundle/CAProvider to Akeyless provider (#2092)
* support adding CA Cert in Akeyless provider

Signed-off-by: Docs <renana@akeyless.io>

* update akeyless-go to v3

Signed-off-by: Docs <renana@akeyless.io>

* update description

Signed-off-by: Docs <renana@akeyless.io>

* update description

Signed-off-by: Docs <renana@akeyless.io>

* update description

Signed-off-by: Docs <renana@akeyless.io>

* update description

Signed-off-by: Docs <renana@akeyless.io>

* fix comments

Signed-off-by: Docs <renana@akeyless.io>

---------

Signed-off-by: Docs <renana@akeyless.io>
2023-03-07 13:11:02 +01:00
Pedro Parra Ortega
f44f366e05
🧹 remove hostname from keeper configuration (#2071)
* remove hostname from keeper configuration

Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>
2023-03-02 22:28:35 +01:00
Pedro Parra Ortega
2766c6d5f5
refactor keeper auth configuration (#2052)
Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>
2023-02-27 23:22:33 +01:00
Moritz Johner
4e4992f0e2
🧹 bump dependencies (#2061)
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2023-02-27 12:15:11 +00:00
Pedro Parra Ortega
c2054cc1bf
add-keeper-security-provider (#1768)
* add keepersecurity provider

Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>

* 🧹chore: bumps (#1758)

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>

* Feature/push secret (#1315)

Introduces Push Secret feature with implementations for the following providers:

* GCP Secret Manager
* AWS Secrets Manager
* AWS Parameter Store
* Hashicorp Vault KV

Signed-off-by: Dominic Meddick <dominic.meddick@engineerbetter.com>
Signed-off-by: Amr Fawzy <amr.fawzy@container-solutions.com>
Signed-off-by: William Young <will.young@engineerbetter.com>
Signed-off-by: James Cleveland <james.cleveland@engineerbetter.com>
Signed-off-by: Lilly Daniell <lilly.daniell@engineerbetter.com>
Signed-off-by: Adrienne Galloway <adrienne.galloway@engineerbetter.com>
Signed-off-by: Marcus Dantas <marcus.dantas@engineerbetter.com>
Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: Nick Ruffles <nick.ruffles@engineerbetter.com>
Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>

* Fixing release pipeline for boringssl (#1763)

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>

* chore: bump 0.7.0-rc1 (#1765)

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>

* added documentation

Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>

* added pushSecret first iteration

Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>

* added pushSecret and updated documentation

Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>

* refactor client

Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>

* update code and unit tests

Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>

* fix code smells

Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>

* fix code smells

Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>

* fix custom fields

Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>

* making it reviewable

Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>

* fix custom field on secret map

Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>

* Update docs/snippets/keepersecurity-push-secret.yaml

Co-authored-by: Moritz Johner <moolen@users.noreply.github.com>
Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>

* fixed edge case, improved validation errors and updated docs

Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>

* fix logic retrieving secrets

Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>

* Update pkg/provider/keepersecurity/client.go

Co-authored-by: Moritz Johner <moolen@users.noreply.github.com>
Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>

* lint code

Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>

* linting code

Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>

* go linter fixed

Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>

* fix crds and documentation

Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>

---------

Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>
Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: Dominic Meddick <dominic.meddick@engineerbetter.com>
Signed-off-by: Amr Fawzy <amr.fawzy@container-solutions.com>
Signed-off-by: William Young <will.young@engineerbetter.com>
Signed-off-by: James Cleveland <james.cleveland@engineerbetter.com>
Signed-off-by: Lilly Daniell <lilly.daniell@engineerbetter.com>
Signed-off-by: Adrienne Galloway <adrienne.galloway@engineerbetter.com>
Signed-off-by: Marcus Dantas <marcus.dantas@engineerbetter.com>
Signed-off-by: Nick Ruffles <nick.ruffles@engineerbetter.com>
Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>
Co-authored-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>
Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com>
Co-authored-by: Moritz Johner <moolen@users.noreply.github.com>
2023-02-03 15:27:21 +01:00
cspargo
fdc21faf61
AWS Role Chaining (#1855)
Signed-off-by: cspargo <colinspargo@gmail.com>
2023-01-08 11:49:22 -03:00
Gustavo Fernandes de Carvalho
0bd9ea4dbd
Templates from string (#1748)
* Adds templates from string

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
2023-01-03 19:02:43 -03:00
Gustavo Fernandes de Carvalho
0cb799b5cf
Feature/push secret (#1315)
Introduces Push Secret feature with implementations for the following providers:

* GCP Secret Manager
* AWS Secrets Manager
* AWS Parameter Store
* Hashicorp Vault KV

Signed-off-by: Dominic Meddick <dominic.meddick@engineerbetter.com>
Signed-off-by: Amr Fawzy <amr.fawzy@container-solutions.com>
Signed-off-by: William Young <will.young@engineerbetter.com>
Signed-off-by: James Cleveland <james.cleveland@engineerbetter.com>
Signed-off-by: Lilly Daniell <lilly.daniell@engineerbetter.com>
Signed-off-by: Adrienne Galloway <adrienne.galloway@engineerbetter.com>
Signed-off-by: Marcus Dantas <marcus.dantas@engineerbetter.com>
Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: Nick Ruffles <nick.ruffles@engineerbetter.com>
2022-11-29 16:04:46 -03:00
Dominik Zeiger
f38f40a2b4
gitlab: support for CI/CD group variables (#1692)
* gitlab: support for ci/cd group variables

Signed-off-by: Dominik Zeiger <dominik@zeiger.biz>

* gitlab: support for ci/cd group variables (automatically discover project groups)

Signed-off-by: Dominik Zeiger <dominik@zeiger.biz>

* gitlab: support for ci/cd group variables (documentation)

Signed-off-by: Dominik Zeiger <dominik@zeiger.biz>

Signed-off-by: Dominik Zeiger <dominik@zeiger.biz>
2022-11-21 22:26:34 +01:00
Moritz Johner
dabfa5a589
Feature: initial generator implementation + Github Actions OIDC/AWS (#1539)
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com>
2022-10-29 20:15:50 +02:00
Yannay Hammer
14f5ddf198
Added namespace condition to ClusterSecretStore (#1635)
* Added namespace condition to ClusterSecretStore

Signed-off-by: Yannay Hammer <yannayha@gmail.com>

* Added the new conditions field to the docs

Signed-off-by: Yannay Hammer <yannayha@gmail.com>

* Added tests to ClusterSecretStore namespace conditions

Signed-off-by: Yannay Hammer <yannayha@gmail.com>

* Added some comments to explain tests better

Signed-off-by: Yannay Hammer <yannayha@gmail.com>

* Fixed a testcase

Signed-off-by: Yannay Hammer <yannayha@gmail.com>

* Increased golangci timeout to 10m

Signed-off-by: Yannay Hammer <yannayha@gmail.com>

* Fixed test to use fakeProvider correctly

Signed-off-by: Yannay Hammer <yannayha@gmail.com>

* Removed hardcoded timeout from make lint

Signed-off-by: Yannay Hammer <yannayha@gmail.com>

* Improved error message on non matching namespace

Co-authored-by: Moritz Johner <moolen@users.noreply.github.com>
Signed-off-by: Yannay Hammer <yannayha@gmail.com>

* Modified testCase to use GenericStore interface

Signed-off-by: Yannay Hammer <yannayha@gmail.com>

* Attempt at generalizing the testcase and reducing code duplication

Signed-off-by: Yannay Hammer <yannayha@gmail.com>

* Reduced some diff

Signed-off-by: Yannay Hammer <yannayha@gmail.com>

* fix: tidy e2e mod

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

Signed-off-by: Yannay Hammer <yannayha@gmail.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Docs <docs@external-secrets.io>
Co-authored-by: Moritz Johner <moolen@users.noreply.github.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
2022-10-17 16:40:18 +02:00
Dominik Zeiger
fa38fe1e60
enable configuration of environment_scope for gitlab provider (#1565)
* enable configuration of environment_scope for gitlab provider

Signed-off-by: Dominik Zeiger <dominik@zeiger.biz>
2022-09-27 22:08:38 +02:00
Ryan Blunden
f01e13f21b
Add Doppler provider (#1573)
* Add Doppler provider

Signed-off-by: Ryan Blunden <ryan.blunden@doppler.com>
2022-09-23 22:47:25 +02:00
renanaAkeyless
ed59520674
added akeyless k8s auth option (#1531)
* added akeyless k8s auth option

Signed-off-by: Docs <renana@akeyless.io>
2022-09-11 13:25:29 +02:00
Moritz Johner
ed0ceb8d84
fix: aws parameter store json decode, bump go 1.19 (#1525)
* fix: parameter store should decode complex json values

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2022-09-06 19:46:36 +02:00
dependabot[bot]
67fedc840e
Kubernetes v1.24 upgrade (#1345)
* build(deps): bump sigs.k8s.io/controller-runtime from 0.11.2 to 0.12.3

Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.11.2 to 0.12.3.
- [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases)
- [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/master/RELEASE.md)
- [Commits](https://github.com/kubernetes-sigs/controller-runtime/compare/v0.11.2...v0.12.3)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/controller-runtime
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* feat: bump kubernetes 1.24

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* fix: backwards-compatible vault implementation

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* feat: add audiences field to serviceAccountRef

This will be used by aws, azure, gcp, kubernetes & vault providers
in combination with TokenRequest API: it will _append_ audience claims
to provider-specific audiences.

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* feat: refactor kubernetes client to match provider/client interfaces

the kubernetes provider mixed up provider and client interfaces which
made it really hard to reason about. This commit separates into two
structs, each implements one interface.
The client struct fields have been renamed and annotated so their use
and scope is clear.

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* fix: deprecate expirationSeconds

expirationSeconds is not needed because we generate a
service account token on the fly for a single use.
There will be no replacement for this.

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* fix: rename token fetch audiences field

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* fix: generate CRDs

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
2022-08-19 17:32:06 +02:00
Moritz Johner
2d20b5488e
feat: add azkv.environmentType (#1469)
users of USGovCloud, ChinaCloud, GermanCloud need slightly different
configuration for AADEndpoint and keyvault resource.

This is based on CSI Secret Store Azure KV driver,

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2022-08-18 00:12:44 +02:00
Nandor Magyar
a0055100d9
clean: typo (clister) in azurekv_types (#1442)
Signed-off-by: Nandor Magyar <nandormagyar.it@gmail.com>

Signed-off-by: Nandor Magyar <nandormagyar.it@gmail.com>
2022-08-10 20:02:31 +02:00
Helena Steck
2b5710d8d5
add missing default values for spec.target (#1431)
Add missing default values for ExternalSecretTarget on CRD definition
Fixes #1233

Signed-off-by: Helena Steck <steckhelena@gmail.com>
2022-08-08 21:27:13 +02:00
Gustavo Fernandes de Carvalho
b4e7acfaa9
Implements dataFrom key rewrite (#1381)
* Implements dataFrom key rewrite

Co-authored-by: Moritz Johner <moolen@users.noreply.github.com>
Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>

* docs: add example to remove invalid characters

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

Co-authored-by: Moritz Johner <moolen@users.noreply.github.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
2022-08-04 15:24:02 -03:00
Moritz Johner
4affcb7345
🐛Clarify CAProvider usage in struct annotations (#1397)
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2022-07-27 18:44:23 -03:00
Mike
fdf1f9ce6f
feat: Add support for container auth to IBM provider. (#1177) 2022-07-26 22:48:07 +02:00
Gareth Evans
7eff8db532
feat: additional columns for kubectl output (#1359) 2022-07-19 20:48:37 +02:00