* Add Conjur provider
Signed-off-by: David Hisel <David.Hisel@CyberArk.com>
* fix: lint
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* fix: unit tests
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
---------
Signed-off-by: David Hisel <David.Hisel@CyberArk.com>
Signed-off-by: David Hisel <132942678+davidh-cyberark@users.noreply.github.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
* feat: allow to set a common set of labels in the helm chart
Signed-off-by: Maxime Guillet <6997681+maximeguillet@users.noreply.github.com>
* fix: update helm snapshot
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
---------
Signed-off-by: Maxime Guillet <6997681+maximeguillet@users.noreply.github.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
* feat: added session tag capability to assume role
modified apis/externalsecrets/v1beta1/secretstore_aws_types.go to expect session tags and transitive tags structs
modified pkg/provider/aws/auth/auth.go to pass session tags if they exist
Signed-off-by: Nima Fotouhi <fotouhi@live.com>
* fix: make build errors (JSON serialization error)
modified apis/externalsecrets/v1beta1/secretstore_aws_types.go to include a new custom struct (Tag) used with SessionTags instead of []*sts.Tag
modified pkg/provider/aws/auth/auth.go to convert custom Tag struct to sts.Tag before passing to assume role API call
Signed-off-by: Nima Fotouhi <fotouhi@live.com>
* removed unnecessary commented out code
Signed-off-by: Nima Fotouhi <fotouhi@live.com>
* chore(deps): bump actions/setup-python from 4.6.0 to 4.6.1 (#2366)
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.6.0 to 4.6.1.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/v4.6.0...v4.6.1)
---
updated-dependencies:
- dependency-name: actions/setup-python
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Nima Fotouhi <fotouhi@live.com>
* 📚 Update stability-support.md (#2363)
Staring 0.82, IBM Cloud Secrets Manager supports fetching secrets by name as well as ID.
Signed-off-by: Idan Adar <iadar@il.ibm.com>
Signed-off-by: Nima Fotouhi <fotouhi@live.com>
* feat: ran make reviewable tasks (except for docs)
Signed-off-by: Nima Fotouhi <fotouhi@live.com>
* refractor: made addition of TransitiveTagKeys to setAssumeRoleOptions dependant to presence of SessionTags. So if user includes Transitive Tags in SecretStore definition without Session Tags, tags get ignored
Signed-off-by: Nima Fotouhi <fotouhi@live.com>
---------
Signed-off-by: Nima Fotouhi <fotouhi@live.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Idan Adar <iadar@il.ibm.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Idan Adar <iadar@il.ibm.com>
* chore: update dependencies
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* chore: get rid of argo dependency to be independent of their k8s
versioning
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
---------
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* Add API changes for push secret to k8s
- Property field similar to ExternalSecret
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* rebase: merge commits
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* New Test cases for existing PushSecret Logic
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* feat: replace property if it exists, but differs
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* feat: restrict usage to having a property always
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* chore: refactor delete to work with property only and cleanup whole secret only if it would be empty otherwise
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* feat: refuse to work without property in spec
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* chore: cleanup code, make it more readable
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* feat: add metric calls for kubernetes
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* chore: reorder test cases
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* feat: make property optional to not break compatibility
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* fix: adapt fake impls to include new method to fix tests
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* feat: change status-ref to include property to allow multi property deletes
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* chore: fix make reviewable complains
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* fix: fix imports from merge conflict
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* chore: adapt latest make reviewable suggestions
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
* docs: update push secret support for k8s provider
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* docs: add Kubernetes PushSecret docs
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
---------
Signed-off-by: Stephan Discher <stephan.discher@sap.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
The Service Binding for Kubernetes project (servicebinding.io) is a spec
to make it easier for workloads to consume services. At runtime, the
ServiceBinding resource references a service resources and workload
resource to connect to the service. The Secret for a service is
projected into a workload resource at a well known path.
Services can advertise the name of the Secret representing the service
on it's status at `.status.binding.name`. Hosting the name of a Secret
at this location is the Provisioned Service duck type. It has the effect
of decoupling the logical consumption of a service from the physical
Secret holding state.
Using ServiceBindings with ExternalSecrets today requires the user to
directly know and reference the Secret created by the ExternalSecret as
the service reference. This PR adds the name of the Secret to the status
of the ExternalSecret at a well known location where it is be discovered
by a ServiceBinding. With this change, user can reference an
ExternalSecret from a ServiceBinding.
A ClusterRole is also added with a well known label for the
ServiceBinding controller to have permission to watch ExternalSecrets
and read the binding Secret.
ClusterExternalSecret was not modified as ServiceBindings are limited to
the scope of a single namespace.
Signed-off-by: Scott Andrews <andrewssc@vmware.com>
* feat: add generator for vaultdynamicsecret
* Added controllerClass on VaultDynamicSecret
* Added controllerClass on VaultDynamicSecret
Signed-off-by: rdeepc <12953177+rdeepc@users.noreply.github.com>
* Fixed lint
Signed-off-by: rdeepc <12953177+rdeepc@users.noreply.github.com>
* Fixed hack bash
Signed-off-by: rdeepc <12953177+rdeepc@users.noreply.github.com>
* feat: Implemented generator controller class support
- Controller class support in VaultDynamicSecret
- Controller class support in Fake
Signed-off-by: rdeepc <12953177+rdeepc@users.noreply.github.com>
* feat: Implemented Generator controller class check
Signed-off-by: rdeepc <12953177+rdeepc@users.noreply.github.com>
* feat: Implemented Generator controller class check
Signed-off-by: rdeepc <dpr0413@gmail.com>
* feat: Implemented Generator controller class check
Signed-off-by: rdeepc <dpr0413@gmail.com>
* feat: hoist controller class check to the top
The generator controller class check should be at the very top of the
reconcile function just like the other secretStore class check.
Otherwise we would return an error and as a result set the status field on the es
resource - which is undesirable. The controller should completely
ignore the resource instead.
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
---------
Signed-off-by: rdeepc <12953177+rdeepc@users.noreply.github.com>
Signed-off-by: rdeepc <dpr0413@gmail.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Frederic Mereu <frederic.mereu@gaming1.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
* allow vault roleId to come from k8s Secret
Signed-off-by: intrand <intrand@users.noreply.github.com>
* mark RoleID as optional in kubebuilder
Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: intrand <intrand@users.noreply.github.com>
* mark RoleRef as optional in kubebuilder
Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: intrand <intrand@users.noreply.github.com>
* validate RoleRef through webhook
Signed-off-by: intrand <intrand@users.noreply.github.com>
* chore: make fmt/reviewable vault roleId addition
Signed-off-by: Brian Richardson <brianthemathguy@gmail.com>
---------
Signed-off-by: intrand <intrand@users.noreply.github.com>
Signed-off-by: Brian Richardson <brianthemathguy@gmail.com>
Co-authored-by: intrand <intrand@users.noreply.github.com>
Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com>
* feat(helm): use good securityContext by default
Signed-off-by: Alexandre Desjardins <alexandre.bd@tutanota.com>
* update helm tests in line with default securityContext
Signed-off-by: Alexandre Desjardins <alexandre.bd@tutanota.com>
---------
Signed-off-by: Alexandre Desjardins <alexandre.bd@tutanota.com>
* fix: update helm test fixtures
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* fix: helm workflow should run when CRDs change
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
---------
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
support alibaba oidc assume role
---------
Signed-off-by: Maxim Rubchinsky <maxim.rubchinsky@wiz.io>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
Added external id field to struct. Wrote test in AWS provider to check
external ID field in IAM role. Added external id info to current log
when starting an aws session.
Signed-off-by: Cindy <choilmto@gmail.com>
* Added support for standard K8s labels in metrics
Signed-off-by: KA <110458464+kallymsft@users.noreply.github.com>
* Added feature-flag for label metrics
Signed-off-by: KA <110458464+kallymsft@users.noreply.github.com>
---------
Signed-off-by: KA <110458464+kallymsft@users.noreply.github.com>
* wip: basic structure of scaleway provider
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* test: add some tests for GetAllSecrets
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: implement PushSecret
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* test: improved test fixtures
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: allow finding secrets by project using the path property
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: add delete secret method
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* Delete dupplicate of push remote ref test implem
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: add capability to use a secret for configuring access token
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: implement GetSecretMap
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: filtering by name and projetc id
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* test: add test for finding secret by name regexp
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: config validation
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* fix: handle situation where no namespace is specified and we cannot provide a default
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: reference secrets by id or name
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* fix: invalid request caused by pagination handling
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: log the error when failing to access secret version
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* fix: pass context to sdk where missing
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: add a cache for reducing AccessSecretVersion() calls
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* refacto: use GetSecret with name instead of ListSecrets
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: allow using secret name in ExternalSecrets
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: use latest_enabled instead of latest
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* refacto: optimized PushSecret and improved its test coverage
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* fix: doesConfigDependOnNamespace was always true
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: use new api with refactored name-based endpoints
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* remove useless todo
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* fix: use secret names as key for GetAllSecrets
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: support gjson propery lookup
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: e2e tests
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* test: e2e test using secret to store api key
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* test: cleanup left over resources on the secret manager before each e2e run
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* doc: add doc for scaleway provider
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* refacto: fix lint issues
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* test: cleanup code in e2e was commented
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: the previous version is disabled when we push to a secret
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* doc: add comments to ScalewayProvider struct to point to console and doc
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
* feat: add missing e2e env vars for scaleway
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* docs: add scaleway to support/stability table
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
---------
Signed-off-by: Julien Loctaux <no.mail@jloc.fr>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
* feat: add provider metrics
This adds a counter metric `provider_api_calls_count` that observes
the results of upstream secret provider api calls.
(1) Observability
It allows an user to break down issues by provider and api call by
observing the status=error|success label. More details around the error
can be found in the logs.
(2) Cost Management
Some providers charge by API calls issued. By providing observability
for the number of calls issued helps users to understand the impact of
deploying ESO and fine-tuning `spec.refreshInterval`.
(3) Rate Limiting
Some providers implement rate-limiting for their services. Having
metrics
for success/failure count helps to understand how many requests are
issued by a given ESO deployment per cluster.
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* fix: add service monitor for cert-controller and add SLIs
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
---------
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* add keepersecurity provider
Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>
* 🧹chore: bumps (#1758)
Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>
* ✨Feature/push secret (#1315)
Introduces Push Secret feature with implementations for the following providers:
* GCP Secret Manager
* AWS Secrets Manager
* AWS Parameter Store
* Hashicorp Vault KV
Signed-off-by: Dominic Meddick <dominic.meddick@engineerbetter.com>
Signed-off-by: Amr Fawzy <amr.fawzy@container-solutions.com>
Signed-off-by: William Young <will.young@engineerbetter.com>
Signed-off-by: James Cleveland <james.cleveland@engineerbetter.com>
Signed-off-by: Lilly Daniell <lilly.daniell@engineerbetter.com>
Signed-off-by: Adrienne Galloway <adrienne.galloway@engineerbetter.com>
Signed-off-by: Marcus Dantas <marcus.dantas@engineerbetter.com>
Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: Nick Ruffles <nick.ruffles@engineerbetter.com>
Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>
* Fixing release pipeline for boringssl (#1763)
Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>
* chore: bump 0.7.0-rc1 (#1765)
Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>
* added documentation
Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>
* added pushSecret first iteration
Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>
* added pushSecret and updated documentation
Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>
* refactor client
Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>
* update code and unit tests
Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>
* fix code smells
Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>
* fix code smells
Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>
* fix custom fields
Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>
* making it reviewable
Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>
* fix custom field on secret map
Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>
* Update docs/snippets/keepersecurity-push-secret.yaml
Co-authored-by: Moritz Johner <moolen@users.noreply.github.com>
Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>
* fixed edge case, improved validation errors and updated docs
Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>
* fix logic retrieving secrets
Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>
* Update pkg/provider/keepersecurity/client.go
Co-authored-by: Moritz Johner <moolen@users.noreply.github.com>
Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>
* lint code
Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>
* linting code
Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>
* go linter fixed
Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>
* fix crds and documentation
Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>
---------
Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>
Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: Dominic Meddick <dominic.meddick@engineerbetter.com>
Signed-off-by: Amr Fawzy <amr.fawzy@container-solutions.com>
Signed-off-by: William Young <will.young@engineerbetter.com>
Signed-off-by: James Cleveland <james.cleveland@engineerbetter.com>
Signed-off-by: Lilly Daniell <lilly.daniell@engineerbetter.com>
Signed-off-by: Adrienne Galloway <adrienne.galloway@engineerbetter.com>
Signed-off-by: Marcus Dantas <marcus.dantas@engineerbetter.com>
Signed-off-by: Nick Ruffles <nick.ruffles@engineerbetter.com>
Signed-off-by: Pedro Parra Ortega <parraortega.pedro@gmail.com>
Co-authored-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>
Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com>
Co-authored-by: Moritz Johner <moolen@users.noreply.github.com>
* feat: add ability to configure `revisionHistoryLimit` for all Deployment resources of the helm chart
This enables to turn ReplicaSet revisions off completely, e.g. when deploying ExternalSecrets with GitOps approach.
Signed-off-by: Marcel Hoyer <mhoyer@pixelplastic.de>
* fix: generate helm docs
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
---------
Signed-off-by: Marcel Hoyer <mhoyer@pixelplastic.de>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <moolen@users.noreply.github.com>
