mirror of
https://github.com/external-secrets/external-secrets.git
synced 2024-12-14 11:57:59 +00:00
199c9103db
* feat: Add component labels to custom resource definitions Prerequisite for restricting the CRDs cached by Informer Signed-off-by: Tsubasa Nagasawa <toversus2357@gmail.com> * feat(certcontroller): Allow restricting CRDs and Webhook configs in Informer cache The certcontroller watches CRDs and Webhook configurations, and manages CA certificates for conversion webhooks of CRDs and Webhook configurations. Some clusters have a large number of CRDs and Webhook configurations installed. Additionally, some CRDs have large object sizes. Currently, the certcontroller holds all CRDs and Webhook configurations in the Informer cache. Since this includes CRDs not managed by the certcontroller for CA certificates, memory usage tends to be high. This PR adds a label to the CRDs and configures the Informer cache to hold only the CRDs and Webhook configurations restricted by the label selector. It assumes that the CRDs have a label. Depending on how the External Secrets Operator is managed, it may be possible to update the External Secrets Operator without updating the CRDs, so as a precaution, it can be turned on/off via a startup option. It is disabled by default. Signed-off-by: Tsubasa Nagasawa <toversus2357@gmail.com> --------- Signed-off-by: Tsubasa Nagasawa <toversus2357@gmail.com>
143 lines
5.3 KiB
YAML
143 lines
5.3 KiB
YAML
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.15.0
|
|
labels:
|
|
external-secrets.io/component: controller
|
|
name: webhooks.generators.external-secrets.io
|
|
spec:
|
|
group: generators.external-secrets.io
|
|
names:
|
|
categories:
|
|
- webhook
|
|
kind: Webhook
|
|
listKind: WebhookList
|
|
plural: webhooks
|
|
shortNames:
|
|
- webhookl
|
|
singular: webhook
|
|
scope: Namespaced
|
|
versions:
|
|
- name: v1alpha1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: |-
|
|
Webhook connects to a third party API server to handle the secrets generation
|
|
configuration parameters in spec.
|
|
You can specify the server, the token, and additional body parameters.
|
|
See documentation for the full API specification for requests and responses.
|
|
properties:
|
|
apiVersion:
|
|
description: |-
|
|
APIVersion defines the versioned schema of this representation of an object.
|
|
Servers should convert recognized schemas to the latest internal value, and
|
|
may reject unrecognized values.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind is a string value representing the REST resource this object represents.
|
|
Servers may infer this from the endpoint the client submits requests to.
|
|
Cannot be updated.
|
|
In CamelCase.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: WebhookSpec controls the behavior of the external generator.
|
|
Any body parameters should be passed to the server through the parameters
|
|
field.
|
|
properties:
|
|
body:
|
|
description: Body
|
|
type: string
|
|
caBundle:
|
|
description: |-
|
|
PEM encoded CA bundle used to validate webhook server certificate. Only used
|
|
if the Server URL is using HTTPS protocol. This parameter is ignored for
|
|
plain HTTP protocol connection. If not set the system root certificates
|
|
are used to validate the TLS connection.
|
|
format: byte
|
|
type: string
|
|
caProvider:
|
|
description: The provider for the CA bundle to use to validate webhook
|
|
server certificate.
|
|
properties:
|
|
key:
|
|
description: The key the value inside of the provider type to
|
|
use, only used with "Secret" type
|
|
type: string
|
|
name:
|
|
description: The name of the object located at the provider type.
|
|
type: string
|
|
namespace:
|
|
description: The namespace the Provider type is in.
|
|
type: string
|
|
type:
|
|
description: The type of provider to use such as "Secret", or
|
|
"ConfigMap".
|
|
enum:
|
|
- Secret
|
|
- ConfigMap
|
|
type: string
|
|
required:
|
|
- name
|
|
- type
|
|
type: object
|
|
headers:
|
|
additionalProperties:
|
|
type: string
|
|
description: Headers
|
|
type: object
|
|
method:
|
|
description: Webhook Method
|
|
type: string
|
|
result:
|
|
description: Result formatting
|
|
properties:
|
|
jsonPath:
|
|
description: Json path of return value
|
|
type: string
|
|
type: object
|
|
secrets:
|
|
description: |-
|
|
Secrets to fill in templates
|
|
These secrets will be passed to the templating function as key value pairs under the given name
|
|
items:
|
|
properties:
|
|
name:
|
|
description: Name of this secret in templates
|
|
type: string
|
|
secretRef:
|
|
description: Secret ref to fill in credentials
|
|
properties:
|
|
key:
|
|
description: The key where the token is found.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being referred
|
|
to.
|
|
type: string
|
|
type: object
|
|
required:
|
|
- name
|
|
- secretRef
|
|
type: object
|
|
type: array
|
|
timeout:
|
|
description: Timeout
|
|
type: string
|
|
url:
|
|
description: Webhook url to call
|
|
type: string
|
|
required:
|
|
- result
|
|
- url
|
|
type: object
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources:
|
|
status: {}
|