mirror of
https://github.com/external-secrets/external-secrets.git
synced 2024-12-14 11:57:59 +00:00
199c9103db
* feat: Add component labels to custom resource definitions Prerequisite for restricting the CRDs cached by Informer Signed-off-by: Tsubasa Nagasawa <toversus2357@gmail.com> * feat(certcontroller): Allow restricting CRDs and Webhook configs in Informer cache The certcontroller watches CRDs and Webhook configurations, and manages CA certificates for conversion webhooks of CRDs and Webhook configurations. Some clusters have a large number of CRDs and Webhook configurations installed. Additionally, some CRDs have large object sizes. Currently, the certcontroller holds all CRDs and Webhook configurations in the Informer cache. Since this includes CRDs not managed by the certcontroller for CA certificates, memory usage tends to be high. This PR adds a label to the CRDs and configures the Informer cache to hold only the CRDs and Webhook configurations restricted by the label selector. It assumes that the CRDs have a label. Depending on how the External Secrets Operator is managed, it may be possible to update the External Secrets Operator without updating the CRDs, so as a precaution, it can be turned on/off via a startup option. It is disabled by default. Signed-off-by: Tsubasa Nagasawa <toversus2357@gmail.com> --------- Signed-off-by: Tsubasa Nagasawa <toversus2357@gmail.com>
687 lines
32 KiB
YAML
687 lines
32 KiB
YAML
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.15.0
|
|
labels:
|
|
external-secrets.io/component: controller
|
|
name: clusterexternalsecrets.external-secrets.io
|
|
spec:
|
|
group: external-secrets.io
|
|
names:
|
|
categories:
|
|
- externalsecrets
|
|
kind: ClusterExternalSecret
|
|
listKind: ClusterExternalSecretList
|
|
plural: clusterexternalsecrets
|
|
shortNames:
|
|
- ces
|
|
singular: clusterexternalsecret
|
|
scope: Cluster
|
|
versions:
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .spec.externalSecretSpec.secretStoreRef.name
|
|
name: Store
|
|
type: string
|
|
- jsonPath: .spec.refreshTime
|
|
name: Refresh Interval
|
|
type: string
|
|
- jsonPath: .status.conditions[?(@.type=="Ready")].status
|
|
name: Ready
|
|
type: string
|
|
name: v1beta1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: ClusterExternalSecret is the Schema for the clusterexternalsecrets
|
|
API.
|
|
properties:
|
|
apiVersion:
|
|
description: |-
|
|
APIVersion defines the versioned schema of this representation of an object.
|
|
Servers should convert recognized schemas to the latest internal value, and
|
|
may reject unrecognized values.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind is a string value representing the REST resource this object represents.
|
|
Servers may infer this from the endpoint the client submits requests to.
|
|
Cannot be updated.
|
|
In CamelCase.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
|
|
properties:
|
|
externalSecretMetadata:
|
|
description: The metadata of the external secrets to be created
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
type: object
|
|
labels:
|
|
additionalProperties:
|
|
type: string
|
|
type: object
|
|
type: object
|
|
externalSecretName:
|
|
description: The name of the external secrets to be created defaults
|
|
to the name of the ClusterExternalSecret
|
|
type: string
|
|
externalSecretSpec:
|
|
description: The spec for the ExternalSecrets to be created
|
|
properties:
|
|
data:
|
|
description: Data defines the connection between the Kubernetes
|
|
Secret keys and the Provider data
|
|
items:
|
|
description: ExternalSecretData defines the connection between
|
|
the Kubernetes Secret key (spec.data.<key>) and the Provider
|
|
data.
|
|
properties:
|
|
remoteRef:
|
|
description: |-
|
|
RemoteRef points to the remote secret and defines
|
|
which secret (version/property/..) to fetch.
|
|
properties:
|
|
conversionStrategy:
|
|
default: Default
|
|
description: Used to define a conversion Strategy
|
|
enum:
|
|
- Default
|
|
- Unicode
|
|
type: string
|
|
decodingStrategy:
|
|
default: None
|
|
description: Used to define a decoding Strategy
|
|
enum:
|
|
- Auto
|
|
- Base64
|
|
- Base64URL
|
|
- None
|
|
type: string
|
|
key:
|
|
description: Key is the key used in the Provider, mandatory
|
|
type: string
|
|
metadataPolicy:
|
|
default: None
|
|
description: Policy for fetching tags/labels from provider
|
|
secrets, possible options are Fetch, None. Defaults
|
|
to None
|
|
enum:
|
|
- None
|
|
- Fetch
|
|
type: string
|
|
property:
|
|
description: Used to select a specific property of the
|
|
Provider value (if a map), if supported
|
|
type: string
|
|
version:
|
|
description: Used to select a specific version of the
|
|
Provider value, if supported
|
|
type: string
|
|
required:
|
|
- key
|
|
type: object
|
|
secretKey:
|
|
description: |-
|
|
SecretKey defines the key in which the controller stores
|
|
the value. This is the key in the Kind=Secret
|
|
type: string
|
|
sourceRef:
|
|
description: |-
|
|
SourceRef allows you to override the source
|
|
from which the value will pulled from.
|
|
maxProperties: 1
|
|
properties:
|
|
generatorRef:
|
|
description: |-
|
|
GeneratorRef points to a generator custom resource.
|
|
|
|
|
|
Deprecated: The generatorRef is not implemented in .data[].
|
|
this will be removed with v1.
|
|
properties:
|
|
apiVersion:
|
|
default: generators.external-secrets.io/v1alpha1
|
|
description: Specify the apiVersion of the generator
|
|
resource
|
|
type: string
|
|
kind:
|
|
description: Specify the Kind of the resource, e.g.
|
|
Password, ACRAccessToken etc.
|
|
type: string
|
|
name:
|
|
description: Specify the name of the generator resource
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
storeRef:
|
|
description: SecretStoreRef defines which SecretStore
|
|
to fetch the ExternalSecret data.
|
|
properties:
|
|
kind:
|
|
description: |-
|
|
Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
|
|
Defaults to `SecretStore`
|
|
type: string
|
|
name:
|
|
description: Name of the SecretStore resource
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
type: object
|
|
required:
|
|
- remoteRef
|
|
- secretKey
|
|
type: object
|
|
type: array
|
|
dataFrom:
|
|
description: |-
|
|
DataFrom is used to fetch all properties from a specific Provider data
|
|
If multiple entries are specified, the Secret keys are merged in the specified order
|
|
items:
|
|
properties:
|
|
extract:
|
|
description: |-
|
|
Used to extract multiple key/value pairs from one secret
|
|
Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
|
|
properties:
|
|
conversionStrategy:
|
|
default: Default
|
|
description: Used to define a conversion Strategy
|
|
enum:
|
|
- Default
|
|
- Unicode
|
|
type: string
|
|
decodingStrategy:
|
|
default: None
|
|
description: Used to define a decoding Strategy
|
|
enum:
|
|
- Auto
|
|
- Base64
|
|
- Base64URL
|
|
- None
|
|
type: string
|
|
key:
|
|
description: Key is the key used in the Provider, mandatory
|
|
type: string
|
|
metadataPolicy:
|
|
default: None
|
|
description: Policy for fetching tags/labels from provider
|
|
secrets, possible options are Fetch, None. Defaults
|
|
to None
|
|
enum:
|
|
- None
|
|
- Fetch
|
|
type: string
|
|
property:
|
|
description: Used to select a specific property of the
|
|
Provider value (if a map), if supported
|
|
type: string
|
|
version:
|
|
description: Used to select a specific version of the
|
|
Provider value, if supported
|
|
type: string
|
|
required:
|
|
- key
|
|
type: object
|
|
find:
|
|
description: |-
|
|
Used to find secrets based on tags or regular expressions
|
|
Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
|
|
properties:
|
|
conversionStrategy:
|
|
default: Default
|
|
description: Used to define a conversion Strategy
|
|
enum:
|
|
- Default
|
|
- Unicode
|
|
type: string
|
|
decodingStrategy:
|
|
default: None
|
|
description: Used to define a decoding Strategy
|
|
enum:
|
|
- Auto
|
|
- Base64
|
|
- Base64URL
|
|
- None
|
|
type: string
|
|
name:
|
|
description: Finds secrets based on the name.
|
|
properties:
|
|
regexp:
|
|
description: Finds secrets base
|
|
type: string
|
|
type: object
|
|
path:
|
|
description: A root path to start the find operations.
|
|
type: string
|
|
tags:
|
|
additionalProperties:
|
|
type: string
|
|
description: Find secrets based on tags.
|
|
type: object
|
|
type: object
|
|
rewrite:
|
|
description: |-
|
|
Used to rewrite secret Keys after getting them from the secret Provider
|
|
Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
|
|
items:
|
|
properties:
|
|
regexp:
|
|
description: |-
|
|
Used to rewrite with regular expressions.
|
|
The resulting key will be the output of a regexp.ReplaceAll operation.
|
|
properties:
|
|
source:
|
|
description: Used to define the regular expression
|
|
of a re.Compiler.
|
|
type: string
|
|
target:
|
|
description: Used to define the target pattern
|
|
of a ReplaceAll operation.
|
|
type: string
|
|
required:
|
|
- source
|
|
- target
|
|
type: object
|
|
transform:
|
|
description: |-
|
|
Used to apply string transformation on the secrets.
|
|
The resulting key will be the output of the template applied by the operation.
|
|
properties:
|
|
template:
|
|
description: |-
|
|
Used to define the template to apply on the secret name.
|
|
`.value ` will specify the secret name in the template.
|
|
type: string
|
|
required:
|
|
- template
|
|
type: object
|
|
type: object
|
|
type: array
|
|
sourceRef:
|
|
description: |-
|
|
SourceRef points to a store or generator
|
|
which contains secret values ready to use.
|
|
Use this in combination with Extract or Find pull values out of
|
|
a specific SecretStore.
|
|
When sourceRef points to a generator Extract or Find is not supported.
|
|
The generator returns a static map of values
|
|
maxProperties: 1
|
|
properties:
|
|
generatorRef:
|
|
description: GeneratorRef points to a generator custom
|
|
resource.
|
|
properties:
|
|
apiVersion:
|
|
default: generators.external-secrets.io/v1alpha1
|
|
description: Specify the apiVersion of the generator
|
|
resource
|
|
type: string
|
|
kind:
|
|
description: Specify the Kind of the resource, e.g.
|
|
Password, ACRAccessToken etc.
|
|
type: string
|
|
name:
|
|
description: Specify the name of the generator resource
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
storeRef:
|
|
description: SecretStoreRef defines which SecretStore
|
|
to fetch the ExternalSecret data.
|
|
properties:
|
|
kind:
|
|
description: |-
|
|
Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
|
|
Defaults to `SecretStore`
|
|
type: string
|
|
name:
|
|
description: Name of the SecretStore resource
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
type: object
|
|
type: object
|
|
type: array
|
|
refreshInterval:
|
|
default: 1h
|
|
description: |-
|
|
RefreshInterval is the amount of time before the values are read again from the SecretStore provider
|
|
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
|
|
May be set to zero to fetch and create it once. Defaults to 1h.
|
|
type: string
|
|
secretStoreRef:
|
|
description: SecretStoreRef defines which SecretStore to fetch
|
|
the ExternalSecret data.
|
|
properties:
|
|
kind:
|
|
description: |-
|
|
Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
|
|
Defaults to `SecretStore`
|
|
type: string
|
|
name:
|
|
description: Name of the SecretStore resource
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
target:
|
|
default:
|
|
creationPolicy: Owner
|
|
deletionPolicy: Retain
|
|
description: |-
|
|
ExternalSecretTarget defines the Kubernetes Secret to be created
|
|
There can be only one target per ExternalSecret.
|
|
properties:
|
|
creationPolicy:
|
|
default: Owner
|
|
description: |-
|
|
CreationPolicy defines rules on how to create the resulting Secret
|
|
Defaults to 'Owner'
|
|
enum:
|
|
- Owner
|
|
- Orphan
|
|
- Merge
|
|
- None
|
|
type: string
|
|
deletionPolicy:
|
|
default: Retain
|
|
description: |-
|
|
DeletionPolicy defines rules on how to delete the resulting Secret
|
|
Defaults to 'Retain'
|
|
enum:
|
|
- Delete
|
|
- Merge
|
|
- Retain
|
|
type: string
|
|
immutable:
|
|
description: Immutable defines if the final secret will be
|
|
immutable
|
|
type: boolean
|
|
name:
|
|
description: |-
|
|
Name defines the name of the Secret resource to be managed
|
|
This field is immutable
|
|
Defaults to the .metadata.name of the ExternalSecret resource
|
|
type: string
|
|
template:
|
|
description: Template defines a blueprint for the created
|
|
Secret resource.
|
|
properties:
|
|
data:
|
|
additionalProperties:
|
|
type: string
|
|
type: object
|
|
engineVersion:
|
|
default: v2
|
|
description: |-
|
|
EngineVersion specifies the template engine version
|
|
that should be used to compile/execute the
|
|
template specified in .data and .templateFrom[].
|
|
enum:
|
|
- v1
|
|
- v2
|
|
type: string
|
|
mergePolicy:
|
|
default: Replace
|
|
enum:
|
|
- Replace
|
|
- Merge
|
|
type: string
|
|
metadata:
|
|
description: ExternalSecretTemplateMetadata defines metadata
|
|
fields for the Secret blueprint.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
type: object
|
|
labels:
|
|
additionalProperties:
|
|
type: string
|
|
type: object
|
|
type: object
|
|
templateFrom:
|
|
items:
|
|
properties:
|
|
configMap:
|
|
properties:
|
|
items:
|
|
items:
|
|
properties:
|
|
key:
|
|
type: string
|
|
templateAs:
|
|
default: Values
|
|
enum:
|
|
- Values
|
|
- KeysAndValues
|
|
type: string
|
|
required:
|
|
- key
|
|
type: object
|
|
type: array
|
|
name:
|
|
type: string
|
|
required:
|
|
- items
|
|
- name
|
|
type: object
|
|
literal:
|
|
type: string
|
|
secret:
|
|
properties:
|
|
items:
|
|
items:
|
|
properties:
|
|
key:
|
|
type: string
|
|
templateAs:
|
|
default: Values
|
|
enum:
|
|
- Values
|
|
- KeysAndValues
|
|
type: string
|
|
required:
|
|
- key
|
|
type: object
|
|
type: array
|
|
name:
|
|
type: string
|
|
required:
|
|
- items
|
|
- name
|
|
type: object
|
|
target:
|
|
default: Data
|
|
enum:
|
|
- Data
|
|
- Annotations
|
|
- Labels
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type:
|
|
type: string
|
|
type: object
|
|
type: object
|
|
type: object
|
|
namespaceSelector:
|
|
description: |-
|
|
The labels to select by to find the Namespaces to create the ExternalSecrets in.
|
|
Deprecated: Use NamespaceSelectors instead.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label selector requirements.
|
|
The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the selector applies
|
|
to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaceSelectors:
|
|
description: A list of labels to select by to find the Namespaces
|
|
to create the ExternalSecrets in. The selectors are ORed.
|
|
items:
|
|
description: |-
|
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
|
label selector matches no objects.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label selector requirements.
|
|
The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the selector applies
|
|
to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
namespaces:
|
|
description: Choose namespaces by name. This field is ORed with anything
|
|
that NamespaceSelectors ends up choosing.
|
|
items:
|
|
type: string
|
|
type: array
|
|
refreshTime:
|
|
description: The time in which the controller should reconcile its
|
|
objects and recheck namespaces for labels.
|
|
type: string
|
|
required:
|
|
- externalSecretSpec
|
|
type: object
|
|
status:
|
|
description: ClusterExternalSecretStatus defines the observed state of
|
|
ClusterExternalSecret.
|
|
properties:
|
|
conditions:
|
|
items:
|
|
properties:
|
|
message:
|
|
type: string
|
|
status:
|
|
type: string
|
|
type:
|
|
type: string
|
|
required:
|
|
- status
|
|
- type
|
|
type: object
|
|
type: array
|
|
externalSecretName:
|
|
description: ExternalSecretName is the name of the ExternalSecrets
|
|
created by the ClusterExternalSecret
|
|
type: string
|
|
failedNamespaces:
|
|
description: Failed namespaces are the namespaces that failed to apply
|
|
an ExternalSecret
|
|
items:
|
|
description: ClusterExternalSecretNamespaceFailure represents a
|
|
failed namespace deployment and it's reason.
|
|
properties:
|
|
namespace:
|
|
description: Namespace is the namespace that failed when trying
|
|
to apply an ExternalSecret
|
|
type: string
|
|
reason:
|
|
description: Reason is why the ExternalSecret failed to apply
|
|
to the namespace
|
|
type: string
|
|
required:
|
|
- namespace
|
|
type: object
|
|
type: array
|
|
provisionedNamespaces:
|
|
description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret
|
|
has secrets
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources:
|
|
status: {}
|