1
0
Fork 0
mirror of https://github.com/external-secrets/external-secrets.git synced 2024-12-14 11:57:59 +00:00
Commit graph

860 commits

Author SHA1 Message Date
Yonatan Koren
d42e19dc70
feat: AWS SecretsManager Config (allow ForceDeleteWithoutRecovery for PushSecret) (#2854)
* Add secretsmanager config.

Signed-off-by: Yonatan Koren <10080107+korenyoni@users.noreply.github.com>

* Fix unit tests.

Signed-off-by: Yonatan Koren <10080107+korenyoni@users.noreply.github.com>

* Update docs, fix validation, tests.

Signed-off-by: Yonatan Koren <10080107+korenyoni@users.noreply.github.com>

* Fix grammatical error in attribute descriptions.

Signed-off-by: Yonatan Koren <10080107+korenyoni@users.noreply.github.com>

* Improve API docs for SecretsManager.

Signed-off-by: Yonatan Koren <10080107+korenyoni@users.noreply.github.com>

---------

Signed-off-by: Yonatan Koren <10080107+korenyoni@users.noreply.github.com>
2023-11-14 18:44:22 -03:00
Shuhei Kitagawa
c9b3f97425
Refactor the PushSecret interface (#2859)
Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
2023-11-08 06:47:13 +09:00
Moritz Johner
f5cd6816aa
feat: fix cert-controller readiness probe (#2857)
readiness probes are being executed independently from the
leader election status. The current implementation depends on
leader election (client cache etc.) to run properly.
This commit fixes that by short-circuiting the readiness probes
when the mgr is not the leader.

This bug surfaces when `leader-election=true` and cert-controller `replicas>=2`.

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2023-11-07 09:51:27 +01:00
Shuhei Kitagawa
e0c1d93f9b
Support GetAllSecrets for the fake provider (#2844)
* Support GetAllSecrets for the fake provider

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>

* Stop reassigning map keys

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>

* Use a single loop to construct the dataMap

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>

---------

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
2023-11-07 09:48:49 +09:00
Anders Swanson
f4a7c95b54
feat: Oracle PushSecret & find implementation (#2840)
Signed-off-by: anders-swanson <anders.swanson@oracle.com>
2023-11-03 21:42:27 +01:00
Moritz Johner
9ff86eab51
fix: remove sourceRef.generatorRef from .data[] (#2735)
fix: deprecate sourceRef.generatorRef from .data[]

A generator is supposed to be used via .dataFrom[]. Usage in .data[]
is not implemented and doesn't make sense, see #2720.

This commit splits the SourceRef into two types:
- one that only defines a secretStoreRef
- one that allows to define either secretStoreRef or generatorRef

The former is used in .data[] and the latter is used in .dataFrom[].

The Deprecated field is going to be removed with v1.

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2023-11-02 14:37:59 +01:00
Gergely Brautigam
8f3cd55191
ref: cleanup condition handling for objects (#2829)
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
2023-11-02 10:19:03 +01:00
Anders Swanson
8dd934ceed
feat: Oracle provider service account masquerade (#2817)
* feat: Oracle provider service account masquerade

Signed-off-by: anders-swanson <anders.swanson@oracle.com>
2023-11-02 08:34:18 +01:00
Minho Ryang
99194e0237
feat: k8s provider can handle all types of secret, fix #2709 (#2792)
Signed-off-by: Minho Ryang <minho@comcom.ai>
2023-11-01 22:42:49 +01:00
Moritz Johner
caa0acd5cc
fix: wrap errors in data[] (#2834)
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: HamzaMasood1 <hamzamasood183@gmail.com>
2023-11-01 22:31:56 +01:00
Valentin Torikian
0c76b1ffd3
fix: requeue ExternalSecret based on delta to last refreshTime (#2815)
* Fix skew between refreshInterval and refreshTime that can lead to skipped refresh when backend provider
is slow to answer. See https://github.com/external-secrets/external-secrets/issues/2812.

Signed-off-by: Valentin Torikian <vtorikian@upgrade.com>
2023-10-27 21:41:10 +02:00
Tom Elliot
0612404f64
Add Support for fips regions. (#2805)
Signed-off-by: Tom Elliot <thomas.elliot@acquia.com>
2023-10-26 00:32:59 +02:00
Gergely Brautigam
7fbae000d6
feat: add namespace list selector to ClusterExternalSecrets (#2803)
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
2023-10-25 13:58:05 +02:00
Sonny Alves Dias
0a0fd050c0
add directive to apply template on secret names (#2802)
Signed-off-by: Sonny Alves Dias <sonny.dias@superevilmegacorp.com>
2023-10-25 13:45:38 +02:00
Anders Swanson
b1bad77eb3
Oracle: Workload Identity authentication (#2781)
* Oracle: Workload Identity authentication

Signed-off-by: anders-swanson <anders.swanson@oracle.com>

* Merge main

Signed-off-by: anders-swanson <anders.swanson@oracle.com>

* Cleanup go.mod

Signed-off-by: anders-swanson <anders.swanson@oracle.com>

* Lint

Signed-off-by: anders-swanson <anders.swanson@oracle.com>

* Use mutex for environment variables

Signed-off-by: anders-swanson <anders.swanson@oracle.com>

---------

Signed-off-by: anders-swanson <anders.swanson@oracle.com>
Signed-off-by: Anders Swanson <91502735+anders-swanson@users.noreply.github.com>
2023-10-24 21:48:25 +02:00
Moritz Johner
818eddd220
fix: do not iterate on the raw response value (#2801)
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2023-10-24 12:13:11 +02:00
Shuhei Kitagawa
7b57943c55
Fix the k8s double encoding problem (#2760)
https://github.com/external-secrets/external-secrets/issues/2745

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
2023-10-12 21:45:01 +02:00
Kevin van den Broek
f0ae0e81ee
fix: enable sharedConfigState in AWS auth provider (#2777)
The value `session.SharedConfigDisable` prevented the AWS SDK to use the
default provider chain. By removing this value from the getAWSSession
function the default SDK provider chain is used. This enables the SDK to
use the shared config file:
https://github.com/aws/aws-sdk-go/blob/main/aws/session/env_config.go#L84
as well as the shared credentials file:
https://github.com/aws/aws-sdk-go/blob/main/aws/session/env_config.go#L76

This fixes the code to be correct with the documentation of
NewGeneratorSession which notes that it uses the authentication order:

1. service-account token.
2. static credentials.
3. sdk default provider.

See also the AWS documentation:
https://github.com/aws/aws-sdk-go/blob/main/aws/session/session.go#L158

Signed-off-by: Kevin van den Broek <info@kevinvandenbroek.nl>
2023-10-12 09:18:17 +02:00
Shuhei Kitagawa
5421ec503f
Oracle provider retry (#2762)
* add oracle provider retry capabilities

Signed-off-by: Andrei Ilas <andrei.ilas@oracle.com>

* add oracle provider retry capabilities unit test

Signed-off-by: Andrei Ilas <andrei.ilas@oracle.com>

* Update unit tests for the Oracle provider retry config

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>

---------

Signed-off-by: Andrei Ilas <andrei.ilas@oracle.com>
Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
Co-authored-by: Andrei Ilas <andrei.ilas@oracle.com>
Co-authored-by: Andrei Ilas <andrei.cva@gmail.com>
2023-10-11 08:49:32 +02:00
Shanti G
583b919cb7
leverage IBM provider's latest API to get the secret by name (#2750) 2023-10-11 07:35:53 +03:00
Florent Viel
24f1a093e5
Scaleway secret path (#2737)
* feat: add path support for scaleway provider

Signed-off-by: Florent Viel <fviel@scaleway.com>

* feat: update scaleway testcases for path support

Signed-off-by: Florent Viel <fviel@scaleway.com>

* docs: update scaleway doc to add path support

Signed-off-by: Florent Viel <fviel@scaleway.com>

* fix: change func signature to make linter pass

Signed-off-by: Florent Viel <fviel@scaleway.com>

---------

Signed-off-by: Florent Viel <fviel@scaleway.com>
2023-09-28 21:00:16 +02:00
Ben Bertrands
cfb629c020
Support PushSecret Property for AWS SM (#2623)
* Support PushSecret Property for AWS SM

Signed-off-by: Ben Bertrands <public@bb-it.dev>

* Support PushSecret Property for AWS SM: leverage the VersionId field to prevent a "LostUpdate" concurrency problem

Signed-off-by: Ben Bertrands <public@bb-it.dev>

* Support PushSecret Property for AWS SM: errors.Join doesn't exist in go 1.19

Signed-off-by: Ben Bertrands <public@bb-it.dev>

* Support PushSecret Property for AWS SM: use an incrementing uuid for the secret version

Signed-off-by: Ben Bertrands <public@bb-it.dev>

---------

Signed-off-by: Ben Bertrands <public@bb-it.dev>
Signed-off-by: Ben Bertrands <8938515+benbertrands@users.noreply.github.com>
2023-09-26 13:18:18 +02:00
Kieran Bristow
d9eaeb40dc
Conjur JWT support (#2591)
* Add JWT Auth to Conjur Provider

Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>

* Update docs for Cyberark Conjur Provider

Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>

* Update test suite to cover new functionality

Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>

* Run make reviewable

Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>

* Set MinVersion for tls.Config to satisfy linting

Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>

* Move ca bundle config example to a yaml snippet

Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>

* fix: consolidate naming

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* fix: consolidate naming

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* docs: make it a working example

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* Remove JWT expiration handling logic

Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>

* Run make fmt

Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>

---------

Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
2023-09-25 10:05:17 +02:00
Shuhei Kitagawa
719e8b1c82
Let ManagedField handle metadata (#2705)
https://github.com/external-secrets/external-secrets/issues/2682

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
2023-09-25 09:33:00 +02:00
Moritz Johner
d59512e604
fix: assign default value to prevent nil panic (#2722)
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2023-09-21 22:01:40 +02:00
Shuhei Kitagawa
150e3dfde1
Use locks for GCP PushSecrets (#2678)
* Use locks for GCP PushSecrets

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>

* Share locks among providers

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>

---------

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
2023-09-21 17:15:16 +02:00
Markus Lackner
a025b77e49
fix: do not recreate secret if deletion timestamp is set (#2718)
Signed-off-by: Markus Lackner <33040521+markuslackner@users.noreply.github.com>
2023-09-20 23:21:47 +02:00
Moritz Johner
9559c2a124
fix: ensure to correctly encode binary data as base64 (#2681)
Also disable HTML escape.

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2023-09-15 19:34:53 +02:00
Moritz Johner
b78ce75218
fix: do not swallow errors when create or update fails (#2693)
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2023-09-15 06:21:34 +02:00
Alexander Kurata
e85b76f1d3
Convert IBM auth struct fields to pointers (#2669)
* Convert SecretStore IBMAuth contents to struct pointers

Signed-off-by: akurata <akurata100@gmail.com>

* update ibm provider logic + tests

Signed-off-by: akurata <akurata100@gmail.com>

* refactor ibm provider validatestore to reduce complexity

Signed-off-by: akurata <akurata100@gmail.com>

* update ibm provider container auth profile check to return an error for a missing profile def

Signed-off-by: akurata <akurata100@gmail.com>

---------

Signed-off-by: akurata <akurata100@gmail.com>
Co-authored-by: Alex Kurata <alexander.kurata@ibm.com>
2023-09-05 12:03:49 +02:00
Florent Viel
012ece2b15
Refacto scaleway provider (#2667)
* replace API calls by ListSecrets

Scalewaw will deprecate soon the Secret Manager endpoints *ByName, the
idea is to use the ListSecrets instead and to filter by name

Signed-off-by: Florent Viel <fviel@scaleway.com>

* allow to filter by name for the fake scw secret api

Signed-off-by: Florent Viel <fviel@scaleway.com>

* improve scaleway fake api

Signed-off-by: Florent Viel <fviel@scaleway.com>

the fake implementation of the ListSecrets for the Scaleway API was too
naive and returns too many secrets based on the input filters

* scaleway: fix calls to the ListSecrets endpoint

Signed-off-by: Florent Viel <fviel@scaleway.com>

* scaleway: fix lint issues

Signed-off-by: Florent Viel <fviel@scaleway.com>

---------

Signed-off-by: Florent Viel <fviel@scaleway.com>
2023-09-04 20:01:38 +02:00
Shuhei Kitagawa
da85f80d97
Support PushSecret metadata (#2600)
* Support PushSecret metadata

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>

* Refactor GCP PushSecret

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>

---------

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
2023-08-28 23:50:21 +02:00
Shuhei Kitagawa
005fb4d123
Report not ready when no namespace matches (#2582)
* Report not ready when no namespace matches

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>

* Fix flaky a test

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>

* Simplify ClusterExternalSecret status

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>

---------

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
2023-08-28 12:03:57 +02:00
Moritz Johner
97df83b518
chore: bump dependencies (#2654)
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2023-08-28 11:50:46 +02:00
Alexandre Gaudreault
21928a45b9
fix(externalsecret): infinite reconcile loop with Merge secret (#2525)
* fix(externalsecret): infinite reconcile loop with Merge secret

Signed-off-by: Alexandre Gaudreault <alexandre.gaudreault@logmein.com>

* code review

Signed-off-by: Alexandre Gaudreault <alexandre.gaudreault@logmein.com>

* lint

Signed-off-by: Alexandre Gaudreault <alexandre.gaudreault@logmein.com>

* add unit tests

Signed-off-by: Alexandre Gaudreault <alexandre.gaudreault@logmein.com>

* lint

Signed-off-by: Alexandre Gaudreault <alexandre.gaudreault@logmein.com>

* Use objectHash instead of value

Signed-off-by: Alexandre Gaudreault <alexandre.gaudreault@logmein.com>

---------

Signed-off-by: Alexandre Gaudreault <alexandre.gaudreault@logmein.com>
2023-08-28 11:46:38 +02:00
Andrea Stacchiotti
b50415edf0
Introduce RetrySettings support for Hashicorp Vault (#2528)
* Ensure use of BuildKit in the Docker builds

The builds rely on `TARGETOS` and `TARGETARCH` being set, which is
automatically accomplished by the new builder.

Add the explicit envvar selector in the Makefile, until most users
update to docker 23+.

Signed-off-by: Andrea Stacchiotti <andreastacchiotti@gmail.com>

* Update docker build command in developer guide

Signed-off-by: Andrea Stacchiotti <andreastacchiotti@gmail.com>

* Introduce RetrySettings support for Hashicorp Vault

Leave default retries to 0 (not the default of the vault sdk of 2),
as this was decided in abec2a64cc .

Signed-off-by: Andrea Stacchiotti <andreastacchiotti@gmail.com>

---------

Signed-off-by: Andrea Stacchiotti <andreastacchiotti@gmail.com>
2023-08-28 11:45:27 +02:00
Shuhei Kitagawa
d5271d0dab
Delete old ClusterExternalSecrets when name changed (#2601)
Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
2023-08-25 20:44:01 +02:00
Shuhei Kitagawa
6afdba88c9
Remove metrics when a resource has been deleted (#2576)
Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
2023-08-24 21:57:34 +02:00
Shuhei Kitagawa
3164df0c08
Stop ignoring ExternalSecret reconciliation error (#2583)
Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
2023-08-24 20:51:16 +02:00
Shuhei Kitagawa
57dece9b7a
Stop using builder.OnlyMetadata for ExternalSecrets (#2626)
Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
2023-08-24 19:28:29 +02:00
Shuhei Kitagawa
ba1caed791
Fix a ClusterExternalSecret flaky test (#2641)
Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
2023-08-24 19:28:15 +02:00
Gustavo Fernandes de Carvalho
77a70d08fa
fixing label limits (#2645)
Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
2023-08-23 13:16:16 -03:00
Shanti G
75726582ad
convert the fetched secret to map to access the properties (#2637)
Signed-off-by: shanti.gundumalla@ibm.com <shanti.gundumalla@ibm.com>
Co-authored-by: shanti.gundumalla@ibm.com <shanti.gundumalla@ibm.com>
2023-08-22 16:19:25 +03:00
Shuhei Kitagawa
851e6ff66c
Set builder.OnlyMetadata back for Secrets (#2625)
Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
2023-08-22 08:05:23 +09:00
Shanti G
bccb12c8ff
handle special case for imported cert secret type (#2629)
Signed-off-by: shanti.gundumalla@ibm.com <shanti.gundumalla@ibm.com>
Co-authored-by: shanti.gundumalla@ibm.com <shanti.gundumalla@ibm.com>
2023-08-21 11:07:59 +03:00
Gustavo Fernandes de Carvalho
6319977e63
Fixing when orphaned secret deletion when target.Name is not set (#2609)
* Fixing  when orphaned secret deletion when target.Name is not set

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>

* Linting

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>

* Fixing e2e tests

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>

---------

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
2023-08-15 07:26:00 -03:00
Gustavo Fernandes de Carvalho
ad111cc180
Fix orphaned secrets logic with CreationPolicy=Merge (#2587)
* Fix orphaned secrets logic with CreationPolicy=Merge

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>

* Fix lint

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>

---------

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
2023-08-14 20:44:30 -03:00
Shanti G
45cf966ce2
convert the fetched secret to map to access the properties (#2603)
Signed-off-by: shanti.gundumalla@ibm.com <shanti.gundumalla@ibm.com>
Co-authored-by: shanti.gundumalla@ibm.com <shanti.gundumalla@ibm.com>
2023-08-14 06:51:48 +03:00
Idan Adar
872ded2290
Revert "convert the fetched secret to map to access the properties (#2597)" (#2602)
This reverts commit 7d91981beb.
2023-08-14 07:13:21 +09:00
Shanti G
7d91981beb
convert the fetched secret to map to access the properties (#2597) 2023-08-13 13:18:57 +02:00
Shuhei Kitagawa
7edb8f6752
Remove paginating namespaces (#2580)
Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
2023-08-08 08:26:46 +09:00
Daniel Campos Olivares
9c9bd73e90
feat: Include remove orphans logic (#1389)
* feat: Include remove orphans logic

Signed-off-by: Daniel Campos Olivares <dacamposol@gmail.com>

* chore: Introduce deletion based on CR Status

Signed-off-by: Daniel Campos Olivares <dacamposol@gmail.com>

* chore: Simplify exit condition

Signed-off-by: Daniel Campos Olivares <dacamposol@gmail.com>

* fix: Check-diff and Unit Test

Signed-off-by: Daniel Campos Olivares <dacamposol@gmail.com>

* fix: Consume PR comments

Signed-off-by: Daniel Campos Olivares <dacamposol@gmail.com>

* chore: Change test string value for JSON

Signed-off-by: Daniel Campos Olivares <dacamposol@gmail.com>

* fix: New secret requires new name

Signed-off-by: Daniel Campos Olivares <dacamposol@gmail.com>

* bumping docs

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>

* Adding unit test instead of e2e test for orphaned secrets compatibility

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>

* Improving readability

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>

* Using Label approach

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>

* fixing lint

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>

* bumping docs

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>

* Update apis/externalsecrets/v1beta1/externalsecret_types.go

Signed-off-by: Moritz Johner <moolen@users.noreply.github.com>

---------

Signed-off-by: Daniel Campos Olivares <dacamposol@gmail.com>
Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: Moritz Johner <moolen@users.noreply.github.com>
Co-authored-by: Daniel Campos Olivares <daniel.campos.olivares@sap.com>
Co-authored-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
Co-authored-by: Moritz Johner <moolen@users.noreply.github.com>
2023-08-05 10:02:04 -03:00
Moritz Johner
416deb3303
chore: bump dependencies (#2568)
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2023-08-02 21:42:03 +02:00
Shuhei Kitagawa
12a4470949
Support PushSecret Property for GCP (#2465)
* Support PushSecret Property for GCP

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>

* Take over the ownership if the label does not exist

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>

---------

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
2023-08-01 14:38:47 +02:00
Martin Schuessler
f777a85156
added userPass authentication to the hashicorp vault provider (#2539)
Signed-off-by: Martin Schuessler <1407812+c0ffee@users.noreply.github.com>
Co-authored-by: Moritz Johner <moolen@users.noreply.github.com>
2023-08-01 14:16:19 +02:00
Shuhei Kitagawa
ec81db7a1b
Fix flaky ClusterExternalSecret test (#2558)
Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
2023-07-31 22:45:47 +02:00
arnouthoebreckx
1e281b92ca
Bug/escape special characters vault (#2537)
* Change json.Marshal to Encoder to support special characters

Signed-off-by: Arnout Hoebreckx <arnouthoebreckx@gmail.com>

* Add test for special characters

Signed-off-by: Arnout Hoebreckx <arnouthoebreckx@gmail.com>

* Handle error of encoder

Signed-off-by: Arnout Hoebreckx <arnouthoebreckx@gmail.com>

---------

Signed-off-by: Arnout Hoebreckx <arnouthoebreckx@gmail.com>
2023-07-26 17:16:25 +02:00
Shuhei Kitagawa
5c2f2ee741
Fix CES problems (#2526)
Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
2023-07-24 09:02:18 +02:00
Shuhei Kitagawa
59bf53e7a3
Fix ClusterExternalSecret FailedNamespaces and ProvisionedNamespaces (#2506)
Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
2023-07-19 20:08:09 +02:00
Shuhei Kitagawa
b912c334aa
Remove builder.OnlyMetadata (#2505) 2023-07-17 19:47:38 +02:00
Shuhei Kitagawa
63d1917269
Use PartialObjectMetadata to get ExternalSecret (#2504)
Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
2023-07-17 19:35:53 +02:00
Shuhei Kitagawa
e5f953bd5f
Refactor ClusterExternalSecretController tests (#2499)
Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
2023-07-17 09:24:21 +02:00
Shuhei Kitagawa
ce52c98bef
Kick ClusterExternalSecret reconciliation when a Namespace is updated (#2486)
Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
2023-07-14 20:21:11 +02:00
Michael Sauter
bdf437c2e1
Add support for Delinea DevOps Secrets Vault (#2415)
* Add support for Delinea DevOps Secrets Vault

Closes #1709.

Signed-off-by: Michael Sauter <michael.sauter@boehringer-ingelheim.com>

* fix: remove merge conflict

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* Improve documentation

Signed-off-by: Michael Sauter <michael.sauter@boehringer-ingelheim.com>

---------

Signed-off-by: Michael Sauter <michael.sauter@boehringer-ingelheim.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <moolen@users.noreply.github.com>
2023-07-06 18:01:43 +02:00
Moritz Johner
69fe93ea49
fix: make vault provider return NoSecretErr to respect deletionPolicy (#2455)
relates to #1512 #1502

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2023-07-06 08:22:34 +02:00
Vishal Singha Roy
a755a49422
Add IBM provider metadata to secret labels and/or annotations (#2429)
* Set metadata to external secrets managed by cluster external secrets (#2413)

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
Signed-off-by: Vishal Singha Roy <vishal.singha.roy@ibm.com>

* Pull secret metadata from IBM Secrets Manager

Signed-off-by: Vishal Singha Roy <vishal.singha.roy@ibm.com>

* Add lower-kebab name transformer to Doppler provider (#2418)

Signed-off-by: Joel Watson <joel.watson@doppler.com>
Signed-off-by: Vishal Singha Roy <vishal.singha.roy@ibm.com>

* Fix E2E test setup on non-linux machines (#2414)

Signed-off-by: Michael Sauter <michael.sauter@boehringer-ingelheim.com>
Signed-off-by: Vishal Singha Roy <vishal.singha.roy@ibm.com>

* Removing IncludeSecretMetadata from externalsecret_types.go

Signed-off-by: Vishal Singha Roy <vishal.singha.roy@ibm.com>

* Changes to call IBM Secrets Manager once in case of KV Secret

Signed-off-by: Vishal Singha Roy <vishal.singha.roy@ibm.com>

* Removing extra parameters to getKVSecret() is not required

Signed-off-by: Vishal Singha Roy <vishal.singha.roy@ibm.com>

* Removing linting errors

Signed-off-by: Vishal Singha Roy <vishal.singha.roy@ibm.com>

---------

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
Signed-off-by: Vishal Singha Roy <vishal.singha.roy@ibm.com>
Signed-off-by: Joel Watson <joel.watson@doppler.com>
Signed-off-by: Michael Sauter <michael.sauter@boehringer-ingelheim.com>
Co-authored-by: Shuhei Kitagawa <shuheiktgw@users.noreply.github.com>
Co-authored-by: Vishal Singha Roy <vishal.singha.roy@ibm.com>
Co-authored-by: Joel Watson <joel@watsonian.net>
Co-authored-by: Michael Sauter <mail@michaelsauter.net>
2023-07-03 08:50:45 +02:00
DusanCar11
298f580d1e
Add more context to error handling for parsing certs in order for log format to display properly (#2428)
* Add more context to error handling for parsing certs in order for
log format to display properly

Signed-off-by: Dusan Nikolic <dusannikolic11@gmail.com>

* Create error instead of string as arg

Signed-off-by: Dusan Nikolic <dusannikolic11@gmail.com>

* fix: unit test

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

---------

Signed-off-by: Dusan Nikolic <dusannikolic11@gmail.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Dusan Nikolic <dusannikolic@MacBook-Pro-66.local>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
2023-07-02 22:49:51 +02:00
Jordi Prats
10b15db2b2
Sanitize credentials from AWS client err (#2431)
Signed-off-by: Jordi Prats <jordi.prats@gmail.com>
2023-06-26 13:19:21 +02:00
Shuhei Kitagawa
b58b4505d5
Add status_condition metrics for the secret store controllers (#2404)
Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
2023-06-21 21:59:23 +02:00
David Hisel
de491a2790
Add Conjur provider (#2412)
* Add Conjur provider

Signed-off-by: David Hisel <David.Hisel@CyberArk.com>

* fix: lint

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* fix: unit tests

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

---------

Signed-off-by: David Hisel <David.Hisel@CyberArk.com>
Signed-off-by: David Hisel <132942678+davidh-cyberark@users.noreply.github.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
2023-06-21 11:17:00 +02:00
Shuhei Kitagawa
9dd4186df1
Set metadata to external secrets managed by cluster external secrets (#2413)
Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
2023-06-14 23:23:04 +02:00
Moritz Johner
05803f7aff
feat: add e2e tests for aws role-based auth (#2376)
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2023-06-12 12:58:29 +02:00
Shuhei Kitagawa
5a6d661c9e
Fix the test Make task (#2381)
* Fix the test Make task

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>

* fix: retry shutdown of testEnv

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

---------

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
2023-06-06 11:25:51 +02:00
Shuhei Kitagawa
36ae1c1a5e
Add status_condition metric for ClusterExternalSecret (#2380)
* Add status_condition metric for ClusterExternalSecret

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>

* Register ClusterExternalSecretCondition metric

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>

* Stop setting namespace for ClusterExternalSecretStatusCondition

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>

---------

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
2023-06-06 09:29:30 +02:00
Shuhei Kitagawa
8a05e2f8ae
Add reconcile_duration metrics (#2382)
* Add reconcile_duration metrics

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>

* fix: increase dupl threshold

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

---------

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
2023-06-05 21:26:25 +02:00
Nima Fotouhi
e7799e757a
Adding session tags & transitive tags to SecretStore definition (#2372)
* feat: added session tag capability to assume role

modified apis/externalsecrets/v1beta1/secretstore_aws_types.go to expect session tags and transitive tags structs
modified pkg/provider/aws/auth/auth.go to pass session tags if they exist

Signed-off-by: Nima Fotouhi <fotouhi@live.com>

* fix: make build errors (JSON serialization error)

modified apis/externalsecrets/v1beta1/secretstore_aws_types.go to include a new custom struct (Tag) used with SessionTags instead of []*sts.Tag
modified pkg/provider/aws/auth/auth.go to convert custom Tag struct to sts.Tag before passing to assume role API call

Signed-off-by: Nima Fotouhi <fotouhi@live.com>

* removed unnecessary commented out code

Signed-off-by: Nima Fotouhi <fotouhi@live.com>

* chore(deps): bump actions/setup-python from 4.6.0 to 4.6.1 (#2366)

Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.6.0 to 4.6.1.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/v4.6.0...v4.6.1)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Nima Fotouhi <fotouhi@live.com>

* 📚 Update stability-support.md (#2363)

Staring 0.82, IBM Cloud Secrets Manager supports fetching secrets by name as well as ID.

Signed-off-by: Idan Adar <iadar@il.ibm.com>
Signed-off-by: Nima Fotouhi <fotouhi@live.com>

* feat: ran make reviewable tasks (except for docs)

Signed-off-by: Nima Fotouhi <fotouhi@live.com>

* refractor: made addition of TransitiveTagKeys to setAssumeRoleOptions dependant to presence of SessionTags. So if user includes Transitive Tags in SecretStore definition without Session Tags, tags get ignored

Signed-off-by: Nima Fotouhi <fotouhi@live.com>

---------

Signed-off-by: Nima Fotouhi <fotouhi@live.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Idan Adar <iadar@il.ibm.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Idan Adar <iadar@il.ibm.com>
2023-06-01 11:12:02 +02:00
Gustavo Fernandes de Carvalho
218dd06169
Adds PushSecret property compatibility with Hashicorp vault Provider (#2361)
* Adds PushSecret property compatibility with Hashicorp vault Provider

Increases Test Coverage for Hashicorp Vault provider
Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>

* Fixing lint

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>

* Fixing test property setup

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>

---------

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
2023-05-31 04:59:09 -03:00
Moritz Johner
54664b43b1
chore: update dependencies (#2348)
* chore: update dependencies

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* chore: get rid of argo dependency to be independent of their k8s
versioning

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

---------

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2023-05-31 09:36:22 +02:00
Moritz Johner
5fb8758278
fix: implement parameterstore versions (#2352)
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2023-05-26 01:06:10 +02:00
Luke Arntz
00d66e0bc4
Aws ssm parameterstore issue 1839 (#2350)
* update documentation

Signed-off-by: Luke Arntz <luke@blue42.net>

* default to GetParametersByPathWithContext

Add GetParametersByPathWithContext. To maintain backward compatibility moved the original `findByname` function to `fallbackFindByName` and created a new `findByName` function that uses the `GetParametersByPathWithContext` API call.

In function `findByName`, if we receive an `AccessDeniedException` when calling GetParametersByPathWithContext `return pm.fallbackFindByName(ctx, ref)`.

Signed-off-by: Luke Arntz <luke@blue42.net>

* feat: notify users about ssm permission improvements

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* fix: get parameters recursively and decrypt them

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

---------

Signed-off-by: Luke Arntz <luke@blue42.net>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
2023-05-26 01:05:59 +02:00
sdischer-sap
1551741c4f
fix(kubernetes):change capabilities to readwrite (#2354)
Signed-off-by: sdischer-sap <129972012+sdischer-sap@users.noreply.github.com>
2023-05-25 13:40:32 +02:00
Shuhei Kitagawa
9182858895
Use closures for ExternalSecretController metrics (#2345)
Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
2023-05-24 21:31:35 +02:00
Shuhei Kitagawa
d879f37d9e
Add reconcile duration metric for ClusterExternalSecret controller (#2334)
* Add reconcile duration metric for ClusterExternalSecret controller

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>

* chore: fmt imports

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

---------

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
2023-05-22 22:43:23 +02:00
Moritz Johner
593eb13999
feat: allow to get auth data from vault response (#2325)
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2023-05-22 10:00:41 +02:00
Shanti G
00bc81c8c7
IBM Provider: enable ESO to pull secrets by name (#2326)
* IBM Provider: enable ESO to pull secrets by name

Signed-off-by: tanishg6@gmail.com <tanishg6@gmail.com>

* document ESO's capability to pull by secret name for IBM provider

Signed-off-by: tanishg6@gmail.com <tanishg6@gmail.com>

* correct the metrics instrumentation

Signed-off-by: tanishg6@gmail.com <tanishg6@gmail.com>

---------

Signed-off-by: tanishg6@gmail.com <tanishg6@gmail.com>
2023-05-18 21:02:40 +02:00
sdischer-sap
8034079e1d
Feature/pushsecret kubernetes (#2322)
* Add API changes for push secret to k8s

- Property field similar to ExternalSecret

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* rebase: merge commits

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* New Test cases for existing PushSecret Logic

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* feat: replace property if it exists, but differs

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* feat: restrict usage to having a property always

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* chore: refactor delete to work with property only and cleanup whole secret only if it would be empty otherwise

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* feat: refuse to work without property in spec

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* chore: cleanup code, make it more readable

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* feat: add metric calls for kubernetes

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* chore: reorder test cases

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* feat: make property optional to not break compatibility

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* fix: adapt fake impls to include new method to fix tests

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* feat: change status-ref to include property to allow multi property deletes

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* chore: fix make reviewable complains

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* fix: fix imports from merge conflict

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* chore: adapt latest make reviewable suggestions

Signed-off-by: Stephan Discher <stephan.discher@sap.com>

* docs: update push secret support for k8s provider

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* docs: add Kubernetes PushSecret docs

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

---------

Signed-off-by: Stephan Discher <stephan.discher@sap.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
2023-05-18 00:15:18 +02:00
Scott Andrews
2174a67575
Make ExternalSecret a provisioned service (#2263)
The Service Binding for Kubernetes project (servicebinding.io) is a spec
to make it easier for workloads to consume services. At runtime, the
ServiceBinding resource references a service resources and workload
resource to connect to the service. The Secret for a service is
projected into a workload resource at a well known path.

Services can advertise the name of the Secret representing the service
on it's status at `.status.binding.name`. Hosting the name of a Secret
at this location is the Provisioned Service duck type. It has the effect
of decoupling the logical consumption of a service from the physical
Secret holding state.

Using ServiceBindings with ExternalSecrets today requires the user to
directly know and reference the Secret created by the ExternalSecret as
the service reference. This PR adds the name of the Secret to the status
of the ExternalSecret at a well known location where it is be discovered
by a ServiceBinding. With this change, user can reference an
ExternalSecret from a ServiceBinding.

A ClusterRole is also added with a well known label for the
ServiceBinding controller to have permission to watch ExternalSecrets
and read the binding Secret.

ClusterExternalSecret was not modified as ServiceBindings are limited to
the scope of a single namespace.

Signed-off-by: Scott Andrews <andrewssc@vmware.com>
2023-05-16 22:06:55 +02:00
Saumya Shovan Roy (Deep)
08bb2291fe
feat: add controller class on VaultDynamicSecret resources (#2287)
* feat: add generator for vaultdynamicsecret

* Added controllerClass on VaultDynamicSecret

* Added controllerClass on VaultDynamicSecret

Signed-off-by: rdeepc <12953177+rdeepc@users.noreply.github.com>

* Fixed lint

Signed-off-by: rdeepc <12953177+rdeepc@users.noreply.github.com>

* Fixed hack bash

Signed-off-by: rdeepc <12953177+rdeepc@users.noreply.github.com>

* feat: Implemented generator controller class support

- Controller class support in VaultDynamicSecret
- Controller class support in Fake

Signed-off-by: rdeepc <12953177+rdeepc@users.noreply.github.com>

* feat: Implemented Generator controller class check

Signed-off-by: rdeepc <12953177+rdeepc@users.noreply.github.com>

* feat: Implemented Generator controller class check

Signed-off-by: rdeepc <dpr0413@gmail.com>

* feat: Implemented Generator controller class check

Signed-off-by: rdeepc <dpr0413@gmail.com>

* feat: hoist controller class check to the top

The generator controller class check should be at the very top of the
reconcile function just like the other secretStore class check.

Otherwise we would return an error and as a result set the status field on the es
resource - which is undesirable. The controller should completely
ignore the resource instead.

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

---------

Signed-off-by: rdeepc <12953177+rdeepc@users.noreply.github.com>
Signed-off-by: rdeepc <dpr0413@gmail.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Frederic Mereu <frederic.mereu@gaming1.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
2023-05-16 08:59:26 +02:00
Moritz Johner
bbddc6f902
fix: nil check parameters (#2321)
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2023-05-16 08:17:01 +02:00
Shuhei Kitagawa
5ef0a44957
Add missing util unit tests (#2313)
Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
2023-05-15 17:25:13 +02:00
Yuri Sa
b389570c81
Creating constants file (#2291)
* Creating constants file

Signed-off-by: Yuri Sa <yurimsa@gmail.com>

* Fixing lints

Signed-off-by: Yuri Sa <yurimsa@gmail.com>

---------

Signed-off-by: Yuri Sa <yurimsa@gmail.com>
2023-05-15 17:22:18 +02:00
Maikel
6128e1d045
fix: use correct casing in docs for GitLab provider (#2303)
* fix: use correct casing in docs for GitLab provider

Signed-off-by: Maikel Vlasman <git@maikelvlasman.com>

* chore: update helm tests

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

---------

Signed-off-by: Maikel Vlasman <git@maikelvlasman.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Maikel Vlasman <git@maikelvlasman.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
2023-05-15 14:12:24 +02:00
Shanti G
405c12c314
update ibm secrets manager provider version to v2 (#2254)
* update ibm secrets manager version to v2

Signed-off-by: tanishg6@gmail.com <tanishg6@gmail.com>

* update go.mod to point to v2.0.0

Signed-off-by: tanishg6@gmail.com <tanishg6@gmail.com>

---------

Signed-off-by: tanishg6@gmail.com <tanishg6@gmail.com>
Signed-off-by: Shanti G <81566195+Shanti-G@users.noreply.github.com>
2023-05-14 09:18:56 +02:00
Brian Dean Richardson
9be0f87794
allow vault roleId to come from k8s Secret (continued) (#2284)
* allow vault roleId to come from k8s Secret

Signed-off-by: intrand <intrand@users.noreply.github.com>

* mark RoleID as optional in kubebuilder

Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: intrand <intrand@users.noreply.github.com>

* mark RoleRef as optional in kubebuilder

Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: intrand <intrand@users.noreply.github.com>

* validate RoleRef through webhook

Signed-off-by: intrand <intrand@users.noreply.github.com>

* chore: make fmt/reviewable vault roleId addition

Signed-off-by: Brian Richardson <brianthemathguy@gmail.com>

---------

Signed-off-by: intrand <intrand@users.noreply.github.com>
Signed-off-by: Brian Richardson <brianthemathguy@gmail.com>
Co-authored-by: intrand <intrand@users.noreply.github.com>
Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com>
2023-05-12 07:56:26 -03:00
Gustavo Fernandes de Carvalho
1cf7c3a6e3
🧹 Bumping GolangciLint version and fixing lint issues (#2304)
Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
2023-05-12 05:11:33 -03:00
Gaurav Dasson
7b8fef2c18
Enabling Vault IAM auth (#2208)
* Enabling Vault IAM auth

Signed-off-by: Gaurav Dasson <gaurav.dasson@gmail.com>

* Adding spec

Signed-off-by: Gaurav Dasson <gaurav.dasson@gmail.com>

* Adding test cases and decoupling vault provider from aws for iam auth

Signed-off-by: Gaurav Dasson <gaurav.dasson@gmail.com>

* Fixing comments

Signed-off-by: Gaurav Dasson <gaurav.dasson@gmail.com>

* Fixing linter issues

Signed-off-by: Gaurav Dasson <gaurav.dasson@gmail.com>

* Fixing the check-diff errors

Signed-off-by: Gaurav Dasson <gaurav.dasson@gmail.com>

* Adding support for assumeRole operations when using static creds

Signed-off-by: Gaurav Dasson <gdasson@Gauravs-Mac-mini.local>

* Bumping the dependencies to fix the go.mod/go.sum conflicts

Signed-off-by: Gaurav Dasson <gdasson@Gauravs-Mac-mini.local>

* Bumping up e2e go mod files

Signed-off-by: Gaurav Dasson <gaurav.dasson@gmail.com>

---------

Signed-off-by: Gaurav Dasson <gaurav.dasson@gmail.com>
2023-05-11 06:10:07 -03:00
Dominik Zeiger
035ff38172
🐛 Gitlab: separate gitlab client and provider (#2259)
* Gitlab: separate gitlab client and provider

Signed-off-by: Dominik Zeiger <dominik@zeiger.biz>

* Gitlab: cleanup

Signed-off-by: Dominik Zeiger <dominik@zeiger.biz>

* Gitlab: formatter

Signed-off-by: Dominik Zeiger <dominik@zeiger.biz>

* fix: lint / goheader

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

---------

Signed-off-by: Dominik Zeiger <dominik@zeiger.biz>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
2023-05-02 20:15:57 +02:00
Iavael
d79b068dd5
Fix scaleway config validation in ClusterSecretStore (#2247)
Signed-off-by: Iavael <iavael@users.noreply.github.com>
2023-04-23 00:14:10 +02:00
Maxim Rubchinsky
59f5759106
Add Alibaba RRSA auth support (#1752)
support alibaba oidc assume role

---------

Signed-off-by: Maxim Rubchinsky <maxim.rubchinsky@wiz.io>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
2023-04-16 14:12:30 +02:00
charan986
5e7184dd26
Added GJSON pkg support extracting secret key value from JSON (#2201)
Signed-off-by: charan986 <51893702+charan986@users.noreply.github.com>
2023-04-12 17:59:38 +02:00
choilmto
5267c6ee5d
Implement and test logic for external id field when assuming IAM role for AWS (#2023)
Added external id field to struct. Wrote test in AWS provider to check
external ID field in IAM role. Added external id info to current log
when starting an aws session.

Signed-off-by: Cindy <choilmto@gmail.com>
2023-04-05 20:08:13 +02:00
kallymsft
fb78d96d8c
Added support for standard K8s labels in metrics (#2064)
* Added support for standard K8s labels in metrics

Signed-off-by: KA <110458464+kallymsft@users.noreply.github.com>

* Added feature-flag for label metrics

Signed-off-by: KA <110458464+kallymsft@users.noreply.github.com>

---------

Signed-off-by: KA <110458464+kallymsft@users.noreply.github.com>
2023-04-05 19:58:17 +02:00
Moritz Johner
8edc033fba
fix: vault logging structure (#2180)
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2023-03-28 22:37:56 +02:00
Gustavo Fernandes de Carvalho
ad67363751
Implements template MergePolicy. Fixes a few template merging bugs (#2115)
Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
2023-03-20 19:22:30 -03:00
Shuhei Kitagawa
07f237e071
Support MetadataPolicy=Fetch for GCP Secrets Manager (#2111)
* Support MetadataPolicy=Fetch for GCP Secrets Manager

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>

* Use '.' instead of '/' to split metadata

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>

* Support annotations/labels

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>

---------

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
2023-03-20 22:27:59 +01:00
Sebastián Gómez
ee13e61645
Implement fetch metadata for K8s (#2106)
* Implemente fetch metadata for K8s

Signed-off-by: Sebastián Gómez <sebastiangomezcorrea@gmail.com>
2023-03-20 21:56:17 +01:00
azert9
f181500e98
Feature/scaleway provider (#2086)
* wip: basic structure of scaleway provider

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* test: add some tests for GetAllSecrets

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* feat: implement PushSecret

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* test: improved test fixtures

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* feat: allow finding secrets by project using the path property

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* feat: add delete secret method

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* Delete dupplicate of push remote ref test implem

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* feat: add capability to use a secret for configuring access token

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* feat: implement GetSecretMap

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* feat: filtering by name and projetc id

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* test: add test for finding secret by name regexp

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* feat: config validation

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* fix: handle situation where no namespace is specified and we cannot provide a default

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* feat: reference secrets by id or name

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* fix: invalid request caused by pagination handling

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* feat: log the error when failing to access secret version

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* fix: pass context to sdk where missing

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* feat: add a cache for reducing AccessSecretVersion() calls

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* refacto: use GetSecret with name instead of ListSecrets

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* feat: allow using secret name in ExternalSecrets

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* feat: use latest_enabled instead of latest

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* refacto: optimized PushSecret and improved its test coverage

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* fix: doesConfigDependOnNamespace was always true

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* feat: use new api with refactored name-based endpoints

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* remove useless todo

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* fix: use secret names as key for GetAllSecrets

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* feat: support gjson propery lookup

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* feat: e2e tests

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* test: e2e test using secret to store api key

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* test: cleanup left over resources on the secret manager before each e2e run

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* doc: add doc for scaleway provider

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* refacto: fix lint issues

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* test: cleanup code in e2e was commented

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* feat: the previous version is disabled when we push to a secret

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* doc: add comments to ScalewayProvider struct to point to console and doc

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>

* feat: add missing e2e env vars for scaleway

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* docs: add scaleway to support/stability table

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

---------

Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
2023-03-16 01:03:52 +01:00
Moritz Johner
05dacdc104
chore: update docs for release (#2126)
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2023-03-13 22:31:29 +01:00
Moritz Johner
7edfff81e3
chore: bump dependencies (#2124)
* chore: bump dependencies

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* fix: msal api breaking change

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

---------

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2023-03-13 22:17:48 +01:00
Kristián Leško
1eca34c94d
feat: Vault dynamic secrets Generator (#2074)
* feat: Vault dynamic secrets Generator

Signed-off-by: Kristián Leško <kristian.lesko@gooddata.com>

* Update pkg/provider/vault/vault.go

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

Signed-off-by: Moritz Johner <moolen@users.noreply.github.com>

* feat: Vault dynamic secrets Generator

Signed-off-by: Kristián Leško <kristian.lesko@gooddata.com>

* Update pkg/provider/vault/vault.go

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

Signed-off-by: Moritz Johner <moolen@users.noreply.github.com>

* fix: linter

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

---------

Signed-off-by: Kristián Leško <kristian.lesko@gooddata.com>
Signed-off-by: Moritz Johner <moolen@users.noreply.github.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <moolen@users.noreply.github.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
2023-03-13 16:31:10 +01:00
Moritz Johner
9edc957aef
feat: rely on controller backoff/retry instead of static requeue (#2100)
* feat: rely on controller backoff/retry instead of static requeue
interval

Fixes #2088

more context in: https://github.com/external-secrets/external-secrets/pull/934

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* fix: respect refreshInterval on delete/retain

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

---------

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2023-03-12 16:34:08 +01:00
Moritz Johner
c20fc5b8b3
fix: support parsing PEM from multiple blocks (#2110)
Before this PR it was required that the first PEM block contains the
certificate.
This PR parses all PEM blocks and returns the first certificate found.

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2023-03-11 13:08:31 +01:00
Sebastián Gómez
da9689ccfd
Included metadataPolicy: Fetch in AWS ParameterStore (#2069)
* metadata fetch now working in parameterstore

Signed-off-by: Sebastián Gómez <sebastiangomezcorrea@gmail.com>

* Little refactory and some tests added

Tags from secretmanager and from parameterstore are not the same structure, thus, the function TagsToJSONString has now two versions (SecretTagsToSJONString & ParametersTagsToJSONString)

Signed-off-by: Sebastián Gómez <sebastiangomezcorrea@gmail.com>

* New test cases

Signed-off-by: Sebastián Gómez <sebastiangomezcorrea@gmail.com>

* Refactored to lift some code smells

Signed-off-by: Sebastián Gómez <sebastiangomezcorrea@gmail.com>

* Constant for error message added (code smell)

Signed-off-by: Sebastián Gómez <sebastiangomezcorrea@gmail.com>

* L&F

Signed-off-by: Sebastián Gómez <sebastiangomezcorrea@gmail.com>

* Lint issue

Signed-off-by: Sebastián Gómez <sebastiangomezcorrea@gmail.com>

* fix: fmt

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

---------

Signed-off-by: Sebastián Gómez <sebastiangomezcorrea@gmail.com>
Signed-off-by: Sebastián Gómez <1637983+sebagomez@users.noreply.github.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
2023-03-10 14:23:39 -03:00
renanaAkeyless
7e5fbb124b
Add CABundle/CAProvider to Akeyless provider (#2092)
* support adding CA Cert in Akeyless provider

Signed-off-by: Docs <renana@akeyless.io>

* update akeyless-go to v3

Signed-off-by: Docs <renana@akeyless.io>

* update description

Signed-off-by: Docs <renana@akeyless.io>

* update description

Signed-off-by: Docs <renana@akeyless.io>

* update description

Signed-off-by: Docs <renana@akeyless.io>

* update description

Signed-off-by: Docs <renana@akeyless.io>

* fix comments

Signed-off-by: Docs <renana@akeyless.io>

---------

Signed-off-by: Docs <renana@akeyless.io>
2023-03-07 13:11:02 +01:00
Sebastián Gómez
5b0ff977de
Included metadataPolicy: Fetch in Hashicorp Vault (#2040)
* Implement fetch metadata from Hashicorp Vault (v2)

Signed-off-by: Sebastián Gómez <sebastiangomezcorrea@gmail.com>
2023-03-06 05:56:31 -03:00
Pedro Parra Ortega
f44f366e05
🧹 remove hostname from keeper configuration (#2071)
* remove hostname from keeper configuration

Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>
2023-03-02 22:28:35 +01:00
Shuhei Kitagawa
c28707aa52
Support property in fake provider (#2056)
* Support property in fake provider

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>

* Remove a unused function

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>

* fix autogen api/spec.md

Signed-off-by: Moritz Johner <moolen@users.noreply.github.com>

---------

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
Signed-off-by: Moritz Johner <moolen@users.noreply.github.com>
Co-authored-by: Moritz Johner <moolen@users.noreply.github.com>
2023-03-02 22:27:24 +01:00
Pedro Parra Ortega
2766c6d5f5
refactor keeper auth configuration (#2052)
Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>
2023-02-27 23:22:33 +01:00
Kendall Masse
44bb3c4c03
webhook provider: support DeletionPolicy=Delete (external-secrets#1… (#2066)
* feat: DeletionPolicy support for webhook provider (external-secrets#1958)

Signed-off-by: ArtificialQualia <kendall.masse@gmail.com>

* add note to webhook provider docs about deletionPolicy

Signed-off-by: ArtificialQualia <kendall.masse@gmail.com>

---------

Signed-off-by: ArtificialQualia <kendall.masse@gmail.com>
2023-02-27 23:14:53 +01:00
Moritz Johner
6b576fadf1
feat: add provider metrics (#2024)
* feat: add provider metrics

This adds a counter metric `provider_api_calls_count` that observes
the results of upstream secret provider api calls.

(1) Observability
It allows an user to break down issues by provider and api call by
observing the status=error|success label. More details around the error
can be found in  the logs.

(2) Cost Management
Some providers charge by API calls issued. By providing observability
for the number of calls issued helps users to understand the impact of
deploying ESO and fine-tuning `spec.refreshInterval`.

(3) Rate Limiting
Some providers implement rate-limiting for their services. Having
metrics
for success/failure count helps to understand how many requests are
issued by a given ESO deployment per cluster.

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* fix: add service monitor for cert-controller and add SLIs

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

---------

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2023-02-27 22:56:36 +01:00
Sebastián Gómez
1cfca77b9b
Add MetadataPolicy=Fetch for AWS Secret Manager (#2025)
* Get all the properties

Signed-off-by: Sebastián Gómez <sebastiangomezcorrea@gmail.com>

* Add secrets to the cache

Signed-off-by: Sebastián Gómez <sebastiangomezcorrea@gmail.com>

* First set of tests

Signed-off-by: Sebastián Gómez <sebastiangomezcorrea@gmail.com>

* Last set of tests added

Signed-off-by: Sebastián Gómez <sebastiangomezcorrea@gmail.com>

* Fixed lint issues

Signed-off-by: Sebastián Gómez <sebastiangomezcorrea@gmail.com>

* Improved Tags to string mechanism

Signed-off-by: Sebastián Gómez <sebastiangomezcorrea@gmail.com>

* Fix lint complain

Signed-off-by: Sebastián Gómez <sebastiangomezcorrea@gmail.com>

---------

Signed-off-by: Sebastián Gómez <sebastiangomezcorrea@gmail.com>
Co-authored-by: Moritz Johner <moolen@users.noreply.github.com>
2023-02-21 18:55:03 +01:00
Moritz Johner
2acc637106
fix: pass tenantID correctly to acr generator (#2010)
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2023-02-14 21:57:31 +00:00
Moritz Johner
1e04177045
fix: fix validation method in kubernetes provider (#2000)
RBAC allows a user to define a wildcard `*` for a given field in the
Resource Rule. Prefix/Suffix matching or globbing is not supported,
just simple wildcards.
For example the cluster-admin role has a `*` on all
apiVersion/resource/verbs and hence validation would fail.

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2023-02-13 09:33:38 +00:00
Moritz Johner
e72f371294
🐛 fix panic when using jwt without secretRef/saRef (#1980)
Fixes #1957

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2023-02-03 18:10:56 +00:00
Pedro Parra Ortega
c2054cc1bf
add-keeper-security-provider (#1768)
* add keepersecurity provider

Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>

* 🧹chore: bumps (#1758)

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>

* Feature/push secret (#1315)

Introduces Push Secret feature with implementations for the following providers:

* GCP Secret Manager
* AWS Secrets Manager
* AWS Parameter Store
* Hashicorp Vault KV

Signed-off-by: Dominic Meddick <dominic.meddick@engineerbetter.com>
Signed-off-by: Amr Fawzy <amr.fawzy@container-solutions.com>
Signed-off-by: William Young <will.young@engineerbetter.com>
Signed-off-by: James Cleveland <james.cleveland@engineerbetter.com>
Signed-off-by: Lilly Daniell <lilly.daniell@engineerbetter.com>
Signed-off-by: Adrienne Galloway <adrienne.galloway@engineerbetter.com>
Signed-off-by: Marcus Dantas <marcus.dantas@engineerbetter.com>
Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: Nick Ruffles <nick.ruffles@engineerbetter.com>
Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>

* Fixing release pipeline for boringssl (#1763)

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>

* chore: bump 0.7.0-rc1 (#1765)

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>

* added documentation

Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>

* added pushSecret first iteration

Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>

* added pushSecret and updated documentation

Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>

* refactor client

Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>

* update code and unit tests

Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>

* fix code smells

Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>

* fix code smells

Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>

* fix custom fields

Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>

* making it reviewable

Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>

* fix custom field on secret map

Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>

* Update docs/snippets/keepersecurity-push-secret.yaml

Co-authored-by: Moritz Johner <moolen@users.noreply.github.com>
Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>

* fixed edge case, improved validation errors and updated docs

Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>

* fix logic retrieving secrets

Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>

* Update pkg/provider/keepersecurity/client.go

Co-authored-by: Moritz Johner <moolen@users.noreply.github.com>
Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>

* lint code

Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>

* linting code

Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>

* go linter fixed

Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>

* fix crds and documentation

Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>

---------

Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>
Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: Dominic Meddick <dominic.meddick@engineerbetter.com>
Signed-off-by: Amr Fawzy <amr.fawzy@container-solutions.com>
Signed-off-by: William Young <will.young@engineerbetter.com>
Signed-off-by: James Cleveland <james.cleveland@engineerbetter.com>
Signed-off-by: Lilly Daniell <lilly.daniell@engineerbetter.com>
Signed-off-by: Adrienne Galloway <adrienne.galloway@engineerbetter.com>
Signed-off-by: Marcus Dantas <marcus.dantas@engineerbetter.com>
Signed-off-by: Nick Ruffles <nick.ruffles@engineerbetter.com>
Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>
Co-authored-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>
Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com>
Co-authored-by: Moritz Johner <moolen@users.noreply.github.com>
2023-02-03 15:27:21 +01:00
Moritz Johner
6da8b96d4d
🐛 remove ability to call env and expandenv in webhook (#1977)
This allows an attacker to exfiltrate environment variables.

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2023-02-03 13:23:03 +01:00
Gustavo Fernandes de Carvalho
a1f8a8adc7
🐛 Fixing PushSecret CRD generation (#1967)
* Fixing PushSecret CRD generation

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>

* fix: increase hashicorp vault cache size to prevent eviction

Also remove tiny cache size from e2e tests

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

---------

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
2023-02-02 00:30:10 +01:00
Thibault Cohen
ff88395c09
Add jsonpath filter support to webhook (#1940)
* Add jsonpath filter support to webhook

Signed-off-by: Thibault Cohen <47721+titilambert@users.noreply.github.com>

* Fix tests

Signed-off-by: Thibault Cohen <47721+titilambert@users.noreply.github.com>

Signed-off-by: Thibault Cohen <47721+titilambert@users.noreply.github.com>
2023-01-24 15:30:20 +01:00
Thibault Cohen
6862c9c637
Support template for webhook jsonpath (#1939)
* Support template for webhook jsonpath

Signed-off-by: Thibault Cohen <47721+titilambert@users.noreply.github.com>
2023-01-23 19:43:50 +01:00
Gareth Evans
ac9993f151
📚 use more inclusive language (#1927)
Signed-off-by: Gareth Evans <gareth@bryncynfelin.co.uk>
2023-01-19 13:31:51 -03:00
Moritz Johner
5ef3b23a68
feat: make cache generic, refactor feature flags (#1640)
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2023-01-19 17:25:47 +01:00
Gustavo Fernandes de Carvalho
769efdc391
Feature/deletion policies (#1914)
Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
2023-01-19 06:37:19 -03:00
Moritz Johner
736b287b6d
implement azure referent auth (#1886)
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2023-01-13 18:30:34 +00:00
Gustavo Fernandes de Carvalho
833658699d
Adds Keyvault PushSecret (#1883)
* Adds Keyvault PushSecret

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
2023-01-13 07:13:37 -03:00
Moritz Johner
5384954f46
aws secretsmanager/parameterstore referent auth (#1884)
* feat: implement referentAuth for aws

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* feat: e2e tests

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* Update pkg/provider/aws/provider.go

Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: Moritz Johner <moolen@users.noreply.github.com>

* Update pkg/provider/aws/provider.go

Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: Moritz Johner <moolen@users.noreply.github.com>

* feat: allow each credential to be referent

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Signed-off-by: Moritz Johner <moolen@users.noreply.github.com>
Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com>
2023-01-13 10:19:25 +01:00
Hiroshi Muraoka
f4e70ddfed
🐛 GCP: prevent goroutine leak on workload identity reconciliation (#1902)
Signed-off-by: Hiroshi Muraoka <h.muraoka714@gmail.com>
2023-01-12 09:27:01 -03:00
Moritz Johner
11c61d8581
feat: referent auth for gcp (#1887)
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2023-01-10 14:40:42 +01:00
cspargo
fdc21faf61
AWS Role Chaining (#1855)
Signed-off-by: cspargo <colinspargo@gmail.com>
2023-01-08 11:49:22 -03:00
Gustavo Fernandes de Carvalho
0d08e0497e
Implements Deletion policy for Hashicorp vault. (#1879)
Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
2023-01-06 13:40:42 -03:00
Gustavo Fernandes de Carvalho
a051da82cf
🐛 Fixes vault PushSecret logic (#1866)
Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
2023-01-06 13:17:18 -03:00
Dominik Zeiger
6c7e5cecce
🐛 gitlab: Fallback to wildcard variables and use pagination (bugfix) (#1838)
* gitlab: fallback to wildcard variables when using "GetAllSecrets"

Signed-off-by: Dominik Zeiger <dominik@zeiger.biz>
2023-01-04 17:58:55 +01:00
Gustavo Fernandes de Carvalho
0bd9ea4dbd
Templates from string (#1748)
* Adds templates from string

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
2023-01-03 19:02:43 -03:00
Gustavo Fernandes de Carvalho
ed173dcf77
chore: bumps (#1852)
Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
2023-01-03 22:11:59 +01:00
Gustavo Fernandes de Carvalho
2f5fe6c594
🧹chore: bumps (#1792)
Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
2022-12-07 14:40:51 -03:00
Moritz Johner
0bdb51a568
fix sync calls metrics & defer patch status (#1770)
* fix: increment sync_calls_total metric once per reconciliation

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* fix: patch status only if not skipped

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* fix: unit tests

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2022-12-04 11:41:01 +01:00
Dominik Zeiger
8a0f711e96
gitlab: allow fallback to wildcard variable, when no environment specific value is defined (#1772)
Signed-off-by: Dominik Zeiger <dominik@zeiger.biz>

Signed-off-by: Dominik Zeiger <dominik@zeiger.biz>
2022-12-03 09:35:06 +01:00
Gustavo Fernandes de Carvalho
0cb799b5cf
Feature/push secret (#1315)
Introduces Push Secret feature with implementations for the following providers:

* GCP Secret Manager
* AWS Secrets Manager
* AWS Parameter Store
* Hashicorp Vault KV

Signed-off-by: Dominic Meddick <dominic.meddick@engineerbetter.com>
Signed-off-by: Amr Fawzy <amr.fawzy@container-solutions.com>
Signed-off-by: William Young <will.young@engineerbetter.com>
Signed-off-by: James Cleveland <james.cleveland@engineerbetter.com>
Signed-off-by: Lilly Daniell <lilly.daniell@engineerbetter.com>
Signed-off-by: Adrienne Galloway <adrienne.galloway@engineerbetter.com>
Signed-off-by: Marcus Dantas <marcus.dantas@engineerbetter.com>
Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: Nick Ruffles <nick.ruffles@engineerbetter.com>
2022-11-29 16:04:46 -03:00
Dominik Zeiger
117e93b4ed
gitlab: small documentation updates (#1747)
Signed-off-by: Dominik Zeiger <dominik@zeiger.biz>

Signed-off-by: Dominik Zeiger <dominik@zeiger.biz>
2022-11-24 20:50:35 +01:00
Steven Bressey
b5be79de98
Feature: Add secret metadata templating from secret values (#1740)
* handle template data for secret labels & annotations

Signed-off-by: Steven Bressey <steven.bressey@artifakt.io>
2022-11-23 22:29:59 +01:00
Dominik Zeiger
b7100e27a0
gitlab: support "environment_scope" tag for findAll (#1732)
Signed-off-by: Dominik Zeiger <dominik@zeiger.biz>

Signed-off-by: Dominik Zeiger <dominik@zeiger.biz>
Co-authored-by: Moritz Johner <moolen@users.noreply.github.com>
2022-11-23 22:22:35 +01:00
Dominik Zeiger
f38f40a2b4
gitlab: support for CI/CD group variables (#1692)
* gitlab: support for ci/cd group variables

Signed-off-by: Dominik Zeiger <dominik@zeiger.biz>

* gitlab: support for ci/cd group variables (automatically discover project groups)

Signed-off-by: Dominik Zeiger <dominik@zeiger.biz>

* gitlab: support for ci/cd group variables (documentation)

Signed-off-by: Dominik Zeiger <dominik@zeiger.biz>

Signed-off-by: Dominik Zeiger <dominik@zeiger.biz>
2022-11-21 22:26:34 +01:00
Gustavo Fernandes de Carvalho
bd4495814b
🧹Bumping versions (#1708)
Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
2022-11-09 17:44:07 -03:00
Dominik Zeiger
6ec0d2cd95
gitlab: getAllSecrets (#1681)
* gitlab: getAllSecrets

Signed-off-by: Dominik Zeiger <dominik@zeiger.biz>

* Update pkg/provider/gitlab/gitlab.go

Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: Dominik Zeiger <domizei385@users.noreply.github.com>
Signed-off-by: Dominik Zeiger <dominik@zeiger.biz>

* gitlab: added some test coverage

Signed-off-by: Dominik Zeiger <dominik@zeiger.biz>

Signed-off-by: Dominik Zeiger <dominik@zeiger.biz>
Signed-off-by: Dominik Zeiger <domizei385@users.noreply.github.com>
Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com>
2022-11-01 15:09:36 -03:00
Gustavo Fernandes de Carvalho
d1fa28532d
🧹 chore: bumping versions (#1688)
Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
2022-10-31 06:54:52 -03:00
Moritz Johner
dabfa5a589
Feature: initial generator implementation + Github Actions OIDC/AWS (#1539)
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com>
2022-10-29 20:15:50 +02:00
Moritz Johner
411f03ffe1
fix: allow controller to delete delete externalsecrets (#1670)
When using ClusterExternalSecret the controller needs to delete
external-secret resources

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2022-10-26 23:23:15 +02:00
Gustavo Fernandes de Carvalho
d5cc8b3de5
🐛 Implements new buildPath logic (#1636)
Signed-off-by: Gustavo <gusfcarvalho@gmail.com>
2022-10-26 15:19:25 -03:00
Martin Schimandl
6ca30a762a
Implement oracle validator (#1592)
* Implement oracle validator

Signed-off-by: Martin Schimandl <martin.schimandl@gmail.com>

* Add more granular OCI error handling

Signed-off-by: Martin Schimandl <martin.schimandl@gmail.com>

* Remove two newlines the linter does not like

Signed-off-by: Martin Schimandl <martin.schimandl@gmail.com>

Signed-off-by: Martin Schimandl <martin.schimandl@gmail.com>
2022-10-25 23:32:40 +02:00
Yannay Hammer
14f5ddf198
Added namespace condition to ClusterSecretStore (#1635)
* Added namespace condition to ClusterSecretStore

Signed-off-by: Yannay Hammer <yannayha@gmail.com>

* Added the new conditions field to the docs

Signed-off-by: Yannay Hammer <yannayha@gmail.com>

* Added tests to ClusterSecretStore namespace conditions

Signed-off-by: Yannay Hammer <yannayha@gmail.com>

* Added some comments to explain tests better

Signed-off-by: Yannay Hammer <yannayha@gmail.com>

* Fixed a testcase

Signed-off-by: Yannay Hammer <yannayha@gmail.com>

* Increased golangci timeout to 10m

Signed-off-by: Yannay Hammer <yannayha@gmail.com>

* Fixed test to use fakeProvider correctly

Signed-off-by: Yannay Hammer <yannayha@gmail.com>

* Removed hardcoded timeout from make lint

Signed-off-by: Yannay Hammer <yannayha@gmail.com>

* Improved error message on non matching namespace

Co-authored-by: Moritz Johner <moolen@users.noreply.github.com>
Signed-off-by: Yannay Hammer <yannayha@gmail.com>

* Modified testCase to use GenericStore interface

Signed-off-by: Yannay Hammer <yannayha@gmail.com>

* Attempt at generalizing the testcase and reducing code duplication

Signed-off-by: Yannay Hammer <yannayha@gmail.com>

* Reduced some diff

Signed-off-by: Yannay Hammer <yannayha@gmail.com>

* fix: tidy e2e mod

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

Signed-off-by: Yannay Hammer <yannayha@gmail.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Docs <docs@external-secrets.io>
Co-authored-by: Moritz Johner <moolen@users.noreply.github.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
2022-10-17 16:40:18 +02:00
dependabot[bot]
27d0cd72f5
chore(deps): bump sigs.k8s.io/controller-runtime from 0.12.3 to 0.13.0 (#1547)
* chore(deps): bump sigs.k8s.io/controller-runtime from 0.12.3 to 0.13.0

Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.12.3 to 0.13.0.
- [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases)
- [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/master/RELEASE.md)
- [Commits](https://github.com/kubernetes-sigs/controller-runtime/compare/v0.12.3...v0.13.0)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/controller-runtime
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* fix: remove dependency on crossplane-runtime/pkg/test

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
2022-10-13 20:24:56 +02:00
Eng Zer Jun
0c9efa67b0
test: use T.Setenv to set env vars in tests (#1611)
This commit replaces `os.Setenv` with `t.Setenv` in tests. The
environment variable is automatically restored to its original value
when the test and all its subtests complete.

Reference: https://pkg.go.dev/testing#T.Setenv
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2022-10-06 22:05:42 +02:00
Nic Eggert
773956f5d3
Add optional caching for Vault clients, including token re-use. (#1537)
The new functionality is controlled using the newly-introduced
--experimental-enable-vault-token-cache and
--experimental-vault-token-cache-size command-line flags.

Signed-off-by: NicEggert <nicholas.eggert@target.com>
2022-09-30 20:41:36 +02:00
Dominik Zeiger
fa38fe1e60
enable configuration of environment_scope for gitlab provider (#1565)
* enable configuration of environment_scope for gitlab provider

Signed-off-by: Dominik Zeiger <dominik@zeiger.biz>
2022-09-27 22:08:38 +02:00
Ryan Blunden
f01e13f21b
Add Doppler provider (#1573)
* Add Doppler provider

Signed-off-by: Ryan Blunden <ryan.blunden@doppler.com>
2022-09-23 22:47:25 +02:00
Sebastián Gómez
cef547e473
fix: unmarshal JSON error when empty secrets in Vault (#1512)
Signed-off-by: Sebastián Gómez <sebastiangomezcorrea@gmail.com>
2022-09-14 22:26:10 +02:00
Rhaenys
7397243ca0
New Duration Metric (#1533)
Signed-off-by: Cristina DE DIOS GONZALEZ <cristina.dedios@amadeus.com>
2022-09-12 19:19:45 +02:00
Moritz Johner
af367e9933
chore: refactor provider (#1529)
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2022-09-12 14:55:46 +02:00
renanaAkeyless
ed59520674
added akeyless k8s auth option (#1531)
* added akeyless k8s auth option

Signed-off-by: Docs <renana@akeyless.io>
2022-09-11 13:25:29 +02:00
Moritz Johner
ed0ceb8d84
fix: aws parameter store json decode, bump go 1.19 (#1525)
* fix: parameter store should decode complex json values

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2022-09-06 19:46:36 +02:00
Marcel Hoyer
17ece4df8f
flip order of err and nil secret variable check in listSecrets() function of vault provider (#1504)
Signed-off-by: Marcel Hoyer <mhoyer@pixelplastic.de>
2022-08-31 14:35:42 +02:00
dependabot[bot]
67fedc840e
Kubernetes v1.24 upgrade (#1345)
* build(deps): bump sigs.k8s.io/controller-runtime from 0.11.2 to 0.12.3

Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.11.2 to 0.12.3.
- [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases)
- [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/master/RELEASE.md)
- [Commits](https://github.com/kubernetes-sigs/controller-runtime/compare/v0.11.2...v0.12.3)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/controller-runtime
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* feat: bump kubernetes 1.24

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* fix: backwards-compatible vault implementation

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* feat: add audiences field to serviceAccountRef

This will be used by aws, azure, gcp, kubernetes & vault providers
in combination with TokenRequest API: it will _append_ audience claims
to provider-specific audiences.

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* feat: refactor kubernetes client to match provider/client interfaces

the kubernetes provider mixed up provider and client interfaces which
made it really hard to reason about. This commit separates into two
structs, each implements one interface.
The client struct fields have been renamed and annotated so their use
and scope is clear.

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* fix: deprecate expirationSeconds

expirationSeconds is not needed because we generate a
service account token on the fly for a single use.
There will be no replacement for this.

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* fix: rename token fetch audiences field

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* fix: generate CRDs

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
2022-08-19 17:32:06 +02:00
Moritz Johner
2d20b5488e
feat: add azkv.environmentType (#1469)
users of USGovCloud, ChinaCloud, GermanCloud need slightly different
configuration for AADEndpoint and keyvault resource.

This is based on CSI Secret Store Azure KV driver,

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2022-08-18 00:12:44 +02:00
Moritz Johner
8e245f6073
fix: remove convertKeys from aws providers (#1470)
ConvertKeys is called in the external secrets controller
which takes care of mapping the keys.
Calling it before returning the data is a bug as it
interferes with the new rewrite feature.

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2022-08-17 15:36:02 +02:00
stephen-dexda
e64acea549
fix: AWS attr. dot check off-by-one error (#1459)
* Fix off-by-one in check for dot in JSON attr. name

Signed-off-by: stephen-dexda <stephen@dexda.io>
2022-08-15 21:44:32 +02:00
dependabot[bot]
bf21843eba
⬆️github.com/akeylesslabs/akeyless-go/v2 from 2.16.8 to 2.17.0 (#1438)
* Bump github.com/akeylesslabs/akeyless-go/v2 from 2.16.8 to 2.17.0

Bumps [github.com/akeylesslabs/akeyless-go/v2](https://github.com/akeylesslabs/akeyless-go) from 2.16.8 to 2.17.0.
- [Release notes](https://github.com/akeylesslabs/akeyless-go/releases)
- [Changelog](https://github.com/akeylesslabs/akeyless-go/blob/master/docs/KmipRenewServerCertificate.md)
- [Commits](https://github.com/akeylesslabs/akeyless-go/compare/v2.16.8...v2.17.0)

---
updated-dependencies:
- dependency-name: github.com/akeylesslabs/akeyless-go/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Fixing linting issues

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
2022-08-11 14:32:04 -03:00
Kewei Ma
53443eaadf
Fix provisionedNamespaces in Status field of ClusterExternalSecret keeps getting updated non-stop (#1441)
Signed-off-by: Kewei Ma <kewei@indeed.com>
2022-08-09 17:55:34 +02:00
Gustavo Fernandes de Carvalho
b4e7acfaa9
Implements dataFrom key rewrite (#1381)
* Implements dataFrom key rewrite

Co-authored-by: Moritz Johner <moolen@users.noreply.github.com>
Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>

* docs: add example to remove invalid characters

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

Co-authored-by: Moritz Johner <moolen@users.noreply.github.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
2022-08-04 15:24:02 -03:00
Moritz Johner
6593e06561
fix: handle empty conversionStrategy (#1408)
This is for the case when the conversion webhook does not
set the conversionStrategy properly (it doesn't run the Defaulter).

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2022-08-01 19:44:09 +02:00
Mike
fdf1f9ce6f
feat: Add support for container auth to IBM provider. (#1177) 2022-07-26 22:48:07 +02:00
david amick
524e33bbeb
🧹Improve 1Password integration and docs (#1340) 2022-07-26 09:07:48 -03:00
Stanislaw Scherban
eb8e614755
retryer implementation to handle throttling exceptions on AWS (#1331)
* awsretryer implemented for AWS providers
2022-07-19 20:00:46 +02:00
Gustavo Fernandes de Carvalho
fa91ba0f6c
Adds DecodingStrategy to ExternalSecrets (#1294)
Fixes #920

Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
2022-07-12 09:18:00 -03:00
paul-the-alien[bot]
c42c48911e
Merge pull request #1283 from external-secrets/mj-fix-aws-token-aud
fix: respect aud annotation at IRSA
2022-06-22 14:17:48 +00:00
paul-the-alien[bot]
240b8db4f0
Merge pull request #1244 from albertollamaso/reuse-aws-session
Once the AWS session is created first time, it can be reused
2022-06-22 13:20:37 +00:00
Alberto Llamas
e31a408e1d update 2022-06-22 07:24:26 +02:00
Moritz Johner
8f85e53f17 fix: respect aud annotation at IRSA 2022-06-21 23:33:24 +02:00
Alberto Llamas
629d2f391c fix 2022-06-21 12:14:36 +02:00
Alberto Llamas
5ec222dfd0 update 2022-06-21 11:52:01 +02:00
Alberto Llamas
c3335907ac Fix recommendations from go-lint 2022-06-18 13:05:47 +02:00
Alberto Llamas
ad63b74c9f Reuse AWS session as feature gate that a user has to opt-in in order to use it 2022-06-18 10:54:47 +02:00
paul-the-alien[bot]
94024a144b
Merge pull request #1257 from external-secrets/bug-1137
Azure KeyVault decoding bugs
2022-06-15 21:20:44 +00:00
Moritz Johner
cff9be1664
feat(kubernetes): allow service account auth (#1201)
* feat(kubernetes): allow service account auth

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2022-06-13 21:49:05 +02:00
Alberto Llamas
909d137a83 Removing newlines 2022-06-13 20:36:58 +02:00
Alberto Llamas
cb6f66b5ac Fix aws session logic 2022-06-13 20:24:25 +02:00
Sebastián Gómez
9bc7eb1436 Remove codesmell 2022-06-13 11:56:38 -04:00
Sebastián Gómez
4ae98fc995 Removed code smell and simplified use of tags 2022-06-13 11:40:01 -04:00
Sebastián Gómez
65e93fa992 Code refactoring 2022-06-13 09:28:11 -04:00
Sebastián Gómez
aed1719697 Lint fixes 2022-06-13 09:27:54 -04:00
paul-the-alien[bot]
e4fbc633a1
Merge pull request #1254 from marcincuber/feat/yaml
Adding toYaml fromYaml helper functions
2022-06-11 12:19:50 +00:00
marcincuber
c8f13a0e1a fix test 2022-06-11 12:15:13 +01:00