* Implementation of Certificate Based Authz against Azure Key Vault
Signed-off-by: Luis Schweigard <luis.schweigard@gmail.com>
* Add tests for new Azure certificate auth functionality
Signed-off-by: Luis Schweigard <luis.schweigard@gmail.com>
* Add documentation for Azure Cert based Auth
Signed-off-by: Luis Schweigard <luis.schweigard@gmail.com>
* Generate spec.md
Signed-off-by: Luis Schweigard <luis.schweigard@gmail.com>
* Add changes from code review
Signed-off-by: Luis Schweigard <luis.schweigard@gmail.com>
* Fix naming in test error case
Signed-off-by: Luis Schweigard <luis.schweigard@gmail.com>
---------
Signed-off-by: Luis Schweigard <luis.schweigard@gmail.com>
* Update .helmignore
Signed-off-by: Bob Du <i@bobdu.cc>
* Update .helmignore
Signed-off-by: Bob Du <i@bobdu.cc>
---------
Signed-off-by: Bob Du <i@bobdu.cc>
* issue/3231 - updated helm.tests with latest crds changes for JWT authentication
Signed-off-by: Benjamin Walterscheid <benjamin.walterscheid@de.ibm.com>
* issue/3231 - minor helm.docs adjustment
Signed-off-by: Benjamin Walterscheid <benjamin.walterscheid@de.ibm.com>
---------
Signed-off-by: Benjamin Walterscheid <benjamin.walterscheid@de.ibm.com>
Co-authored-by: Benjamin Walterscheid <benjamin.walterscheid@de.ibm.com>
* Adding the details for chef provider secret store.
Issue: https://github.com/external-secrets/external-secrets/issues/2905
This commit intends to add the chef provider structure to the existing list of external-secrets providers.
It defines the structure of the SecretStore and ClusterSecretStore for chef Provider.
The yaml resource will contain 3 important parts to identify and connect to chef server to reconcile secrets. They are:
1. serverurl: This is the URL to the chef server.
2. username: The username to connect to the chef server.
3. auth: The password to connect to the chef server. It is a reference to an already existing kubernetes secret containing the password.
This commit also contains the auto generated CRDs using the `make generate` command.
Signed-off-by: Subroto Roy <subrotoroy007@gmail.com>
* Implementation for Chef ESO provided
Signed-off-by: vardhanreddy13 <vvv.vardhanreddy@gmail.com>
* - implemented Chef eso, added required methods
- added unit test cases
- added sample documentation
Issue: https://github.com/external-secrets/external-secrets/issues/2905
Signed-off-by: Sourav Patnaik <souravpatnaik123@gmail.com>
* Added Documentation for Authentication
Signed-off-by: Subroto Roy <subrotoroy007@gmail.com>
* added documentation for Chef eso
Issue: https://github.com/external-secrets/external-secrets/issues/2905
Signed-off-by: Sourav Patnaik <souravpatnaik123@gmail.com>
* Updated chef ESO documentation
Signed-off-by: vardhanreddy13 <vvv.vardhanreddy@gmail.com>
* updated ValidateStore method signature
Issue: https://github.com/external-secrets/external-secrets/issues/2905
Signed-off-by: Sourav Patnaik <souravpatnaik123@gmail.com>
* made changes in chef provider to satisfy 'make docs'
Issue: https://github.com/external-secrets/external-secrets/issues/2905
Signed-off-by: Sourav Patnaik <souravpatnaik123@gmail.com>
* - updated code as per review comment, make reviewable suggestions
Issue: https://github.com/external-secrets/external-secrets/issues/2905
Signed-off-by: Sourav Patnaik <souravpatnaik123@gmail.com>
* modified chef provider code as per review comment
Issue: https://github.com/external-secrets/external-secrets/issues/2905
Signed-off-by: Sourav Patnaik <souravpatnaik123@gmail.com>
---------
Signed-off-by: Subroto Roy <subrotoroy007@gmail.com>
Signed-off-by: vardhanreddy13 <vvv.vardhanreddy@gmail.com>
Signed-off-by: Sourav Patnaik <souravpatnaik123@gmail.com>
Co-authored-by: Subroto Roy <subrotoroy007@gmail.com>
Co-authored-by: vardhanreddy13 <vvv.vardhanreddy@gmail.com>
Update cert-manager certificate duration to 1 year in the Helm chart.
This commit resolves a timing issue in the external-secrets Helm chart,
where the default certificate duration was previously not explicitly
set. This lack of specification led to conflicts with the cert-manager's
lookahead interval. By setting the `webhook.certManager.cert.duration`
to "8760h" (one year), we ensure that cert-manager will renew the
certificate before the external-secrets webhook starts to report issues,
and restarts, due to the certificate nearing expiration (as per the
lookahead interval).
This solution has been discussed in
external-secrets/external-secrets#2519.
Signed-off-by: Thibault Gérondal <tgerondal@emasphere.com>
* feat: add templating to PushSecret
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* adding unit tests around templating basic concepts and verifying output
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* extracting some of the common functions of the parser
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* remove some more duplication
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* removed commented out code segment
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* added documentation for templating feature
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* simplified the templating for annotations and labels
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
---------
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* extra pod spec option added to helm deployment
Signed-off-by: Adrian Robotka <robotka.adrian@gmail.com>
* output of make helm.docs
Signed-off-by: Adrian Robotka <robotka.adrian@gmail.com>
---------
Signed-off-by: Adrian Robotka <robotka.adrian@gmail.com>
* feat: allow pushing the whole secret to the provider
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* add documentation about pushing a whole secret
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* disabling this feature for the rest of the providers for now
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* added scenario for update with existing property
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
---------
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
fix: deprecate sourceRef.generatorRef from .data[]
A generator is supposed to be used via .dataFrom[]. Usage in .data[]
is not implemented and doesn't make sense, see #2720.
This commit splits the SourceRef into two types:
- one that only defines a secretStoreRef
- one that allows to define either secretStoreRef or generatorRef
The former is used in .data[] and the latter is used in .dataFrom[].
The Deprecated field is going to be removed with v1.
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* Add JWT Auth to Conjur Provider
Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>
* Update docs for Cyberark Conjur Provider
Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>
* Update test suite to cover new functionality
Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>
* Run make reviewable
Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>
* Set MinVersion for tls.Config to satisfy linting
Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>
* Move ca bundle config example to a yaml snippet
Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>
* fix: consolidate naming
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* fix: consolidate naming
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* docs: make it a working example
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* Remove JWT expiration handling logic
Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>
* Run make fmt
Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>
---------
Signed-off-by: Kieran Bristow <kieran.bristow@absa.africa>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
* chore: remove unused servicemonitor-values from helm-chart
The templates for the servicemonitors of the webhook-deployment and the
certController have been removed in
https://github.com/external-secrets/external-secrets/pull/2136. This
commit removes the corresponding values in the values.yaml which are now
obsolete.
Signed-off-by: alexanderwoehler <alexander@woehler.org>
* docs: remove references to deleted servicemonitor-values from docs
Signed-off-by: alexanderwoehler <alexander@woehler.org>
---------
Signed-off-by: alexanderwoehler <alexander@woehler.org>
* Add support for cert-manager managed webhook certs
Signed-off-by: Eric Stokes <fernferret@gmail.com>
* Ran make helm.docs to update README.md
Signed-off-by: Eric Stokes <fernferret@gmail.com>
* Added unittests for chart
Signed-off-by: Eric Stokes <fernferret@gmail.com>
* tidy: Fixed trailing whitespace
Signed-off-by: Eric Stokes <fernferret@gmail.com>
---------
Signed-off-by: Eric Stokes <fernferret@gmail.com>
* Add Conjur provider
Signed-off-by: David Hisel <David.Hisel@CyberArk.com>
* fix: lint
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* fix: unit tests
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
---------
Signed-off-by: David Hisel <David.Hisel@CyberArk.com>
Signed-off-by: David Hisel <132942678+davidh-cyberark@users.noreply.github.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
* feat: allow to set a common set of labels in the helm chart
Signed-off-by: Maxime Guillet <6997681+maximeguillet@users.noreply.github.com>
* fix: update helm snapshot
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
---------
Signed-off-by: Maxime Guillet <6997681+maximeguillet@users.noreply.github.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
* feat: added session tag capability to assume role
modified apis/externalsecrets/v1beta1/secretstore_aws_types.go to expect session tags and transitive tags structs
modified pkg/provider/aws/auth/auth.go to pass session tags if they exist
Signed-off-by: Nima Fotouhi <fotouhi@live.com>
* fix: make build errors (JSON serialization error)
modified apis/externalsecrets/v1beta1/secretstore_aws_types.go to include a new custom struct (Tag) used with SessionTags instead of []*sts.Tag
modified pkg/provider/aws/auth/auth.go to convert custom Tag struct to sts.Tag before passing to assume role API call
Signed-off-by: Nima Fotouhi <fotouhi@live.com>
* removed unnecessary commented out code
Signed-off-by: Nima Fotouhi <fotouhi@live.com>
* chore(deps): bump actions/setup-python from 4.6.0 to 4.6.1 (#2366)
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.6.0 to 4.6.1.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/v4.6.0...v4.6.1)
---
updated-dependencies:
- dependency-name: actions/setup-python
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Nima Fotouhi <fotouhi@live.com>
* 📚 Update stability-support.md (#2363)
Staring 0.82, IBM Cloud Secrets Manager supports fetching secrets by name as well as ID.
Signed-off-by: Idan Adar <iadar@il.ibm.com>
Signed-off-by: Nima Fotouhi <fotouhi@live.com>
* feat: ran make reviewable tasks (except for docs)
Signed-off-by: Nima Fotouhi <fotouhi@live.com>
* refractor: made addition of TransitiveTagKeys to setAssumeRoleOptions dependant to presence of SessionTags. So if user includes Transitive Tags in SecretStore definition without Session Tags, tags get ignored
Signed-off-by: Nima Fotouhi <fotouhi@live.com>
---------
Signed-off-by: Nima Fotouhi <fotouhi@live.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Idan Adar <iadar@il.ibm.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Idan Adar <iadar@il.ibm.com>
* chore: update dependencies
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* chore: get rid of argo dependency to be independent of their k8s
versioning
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
---------
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
