* feat: implement a cluster-wide generator
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* remove unneeded function
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* check diff run output
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* alternative implementation of the Generator approach using specs only
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* refactor the extracting code
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* slight modification to the naming of the spec from generatorSpec to simply generator
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* write a unit test for the generator and register it in the scheme
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* add documentation for the cluster generator
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
---------
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* feat: add ability to push expiration date of secret to azure key vault with annotation
Signed-off-by: deggja <danieldagfinrud@gmail.com>
* docs: set example annotation on secret in docs
Signed-off-by: deggja <danieldagfinrud@gmail.com>
* test: added test for updating to new expiration date
Signed-off-by: deggja <danieldagfinrud@gmail.com>
* chore: format
Signed-off-by: deggja <danieldagfinrud@gmail.com>
* chore: clean up go.mod
Signed-off-by: deggja <danieldagfinrud@gmail.com>
* feat: add expiration date for secret as field in metadata block in pushsecret
Signed-off-by: deggja <danieldagfinrud@gmail.com>
* extract the metadata from Kubernetes package and put it into its own package
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
---------
Signed-off-by: deggja <danieldagfinrud@gmail.com>
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* feat: add option to configure topic information for GCM
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* fix the comparison logic for updates to include topics
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
---------
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
This removes the need for an intermediary Kind=ExternalSecret and
Kind=Secret when using a generator.
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* chore: update go version of the project to 1.23
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* fixed an absurd amount of linter issues
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
---------
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* feat: add CAProvider to bitwarden
This change introduces a refactor as well since CAProvider
was used by multiple providers with diverging implementations.
The following providers were affected:
- webhook
- akeyless
- vault
- conjur
- kubernetes
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* refactored the Kubernetes provider to use create ca
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* refactor webhook, vault and kubernetes provider
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* rename CreateCACert to FetchCACertFromSource
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* addressed comments and autodecoding base64 data
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* check if the decoded value is a valid certificate
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
---------
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* utiliy for comparing byteslice and string
Signed-off-by: himasagaratluri <himasagar.atluri@gmail.com>
* unit test for utility
Signed-off-by: himasagaratluri <himasagar.atluri@gmail.com>
* add validation for StringType
Signed-off-by: himasagaratluri <himasagar.atluri@gmail.com>
* if clause to consider binary
Signed-off-by: himasagaratluri <himasagar.atluri@gmail.com>
* Test case: if clause to consider binary
Signed-off-by: himasagaratluri <himasagar.atluri@gmail.com>
---------
Signed-off-by: himasagaratluri <himasagar.atluri@gmail.com>
* Handle json.RawMessage as a []byte in util.GetByteValue.
This allow Pulimi to extract structured data.
Close: #3307
Signed-off-by: alphayax <alphayax@gmail.com>
* Add test for utils.GetByteValue: TestGetByteValue
Signed-off-by: alphayax <alphayax@gmail.com>
---------
Signed-off-by: alphayax <alphayax@gmail.com>
* fix: support more types in webhook response
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* fix: properly decode json
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* Update pkg/provider/webhook/webhook.go
Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Signed-off-by: Moritz Johner <moolen@users.noreply.github.com>
* Update pkg/provider/webhook/webhook.go
Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Signed-off-by: Moritz Johner <moolen@users.noreply.github.com>
* fix: expose errors
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
---------
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Signed-off-by: Moritz Johner <moolen@users.noreply.github.com>
Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* feat: allow pushing the whole secret to the provider
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* add documentation about pushing a whole secret
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* disabling this feature for the rest of the providers for now
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
* added scenario for update with existing property
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
---------
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
support alibaba oidc assume role
---------
Signed-off-by: Maxim Rubchinsky <maxim.rubchinsky@wiz.io>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
* build(deps): bump sigs.k8s.io/controller-runtime from 0.11.2 to 0.12.3
Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.11.2 to 0.12.3.
- [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases)
- [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/master/RELEASE.md)
- [Commits](https://github.com/kubernetes-sigs/controller-runtime/compare/v0.11.2...v0.12.3)
---
updated-dependencies:
- dependency-name: sigs.k8s.io/controller-runtime
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* feat: bump kubernetes 1.24
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* fix: backwards-compatible vault implementation
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* feat: add audiences field to serviceAccountRef
This will be used by aws, azure, gcp, kubernetes & vault providers
in combination with TokenRequest API: it will _append_ audience claims
to provider-specific audiences.
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* feat: refactor kubernetes client to match provider/client interfaces
the kubernetes provider mixed up provider and client interfaces which
made it really hard to reason about. This commit separates into two
structs, each implements one interface.
The client struct fields have been renamed and annotated so their use
and scope is clear.
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* fix: deprecate expirationSeconds
expirationSeconds is not needed because we generate a
service account token on the fly for a single use.
There will be no replacement for this.
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* fix: rename token fetch audiences field
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* fix: generate CRDs
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
This is for the case when the conversion webhook does not
set the conversionStrategy properly (it doesn't run the Defaulter).
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Currently the oracle vault's secretstore uses a specific user credentials.
This commit introduce a new way to access the vault, using the instance principal.
All user's details moved to "auth" section in the OracleProvider which now is optional.
If "auth" is empty, by default, we use the instance principal, otherwise if specified user's auth details, we use them.
In addition:
- Fixed the fingerprint secret reference which until now used the privatekey secret instead of its reference.
- Bump OCI SDK version.
